The gold standard for consent
This article was first published in Data Protection Law & Policy in July 2011.
Irrespective of whether one agrees or disagrees with the Article 29 Working Party’s Opinion on the definition of consent, the Working Party should at least be praised for taking a clear cut line on this issue. Never before has the group of EU data protection authorities carried out such a detailed assessment of one of the legal grounds for the use of personal information. If there was ever any doubt as to where the regulators stood in terms of the conditions for obtaining individuals’ consent, that is no longer the case. Whether their assessment is entirely correct is a different matter and deserving of debate.
Here are the bottom lines of the Working Party’s Opinion:
- Consent has to be given before the processing starts.
- Consent differs from the right to object – basically, just allowing people to opt out is not good enough.
- Consent based on an individual’s inaction or silence would normally not constitute valid consent, especially in an online context.
- A situation of subordination often prevents consent to be free.
- Blanket consent without specifying and separating each purpose of the processing is not acceptable.
- The mere availability of information is not good enough for consent to be informed – the information should be provided directly to individuals.
- Consent must always be unambiguous so that there is no reasonable doubt about the individual’s intention.
- Evidence of consent should be created and retained, so that consent is verifiable.
- And finally, the measures used to ensure that consent is verifiable should be put at the disposal of the data protection authority upon request.
To summarise, this is the gold standard for consent and anything below that is simply not enough. There is no middle ground. No wavering for the sake of pragmatism. As far as the EU data protection authorities are concerned, consent is basically a rock solid prior opt-in. Anything less will not cut it. But there is one problem with this stance: data protection is not mathematics. Privacy and data protection compliance always involve a balance of interests, and this balancing exercise does not come across in the Opinion. In other words, the Working Party’s approach is just too dogmatic. Wherever there is room for legal interpretation, the Opinion invariably chooses the most conservative approach.
There are three aspects of the Opinion where this approach is particularly extreme. The first is that, whilst the Working Party briefly concedes that consent can be reasonably concluded from behaviour, its position is that only some kind of positive action will qualify as proper consent. However, this ignores that in the real world ascertaining consent is a matter of assessing the level of certainty arising from an individual’s behaviour. The onus of this should of course be on the data controller, but there will be situations where it may be perfectly reasonable to accept someone’s passive behaviour as consent – particularly when the use of that person’s information is within their expectations and ultimate control.
Another extreme position adopted by the Working Party is in respect of the requirement for all consent to be unambiguous and for that unambiguity to be based on express or unmistakable actions. Because the standard sought by the Working Party is so high, there is no room for such consent to be implied – at least not in an online environment. This results in another extreme assessment of the requirement for consent in the specific situation regarding the use of Internet cookies under the e-privacy directive. In this respect, the Working Party demands both prior and express consent, irrespective of the uses made of those cookies.
The outcome is somewhat disproportionate. The e-privacy directive itself distinguishes between different purposes for which third parties may wish to store or gain access to information stored in the terminal equipment of an Internet user. These purposes will range from the legitimate – in particular, cookies – to those involving an unwarranted privacy intrusion, such as spyware or viruses. Therefore, a balanced and realistic assessment of the requirement for consent should take those differences into account and aim not just for a blind gold standard, but for the right and reasonable standard. Even if it is at the expense of complete legal certainty.