On 13 July 2011, the Article 29 Working Party published Opinion 15/2011 on the definition of consent (WP 187) for the purposes of processing personal data in the European Union. The opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive (95/46/EC) and the amended e-Privacy Directive (2002/58/EC).
The Working Party finds that the concept of consent in the existing framework of the European data protection regime is fit for purpose as a well thought-out means of legitimising data processing. The Working Party notes that it does this by making sure that consent is to be given freely, based on satisfactory information and with an inherent flexibility in the collection process chosen by the data controller. The Working Party also notes, however, that the lack of consistency in implementation across EU Member States has created a situation in which there are different approaches to what constitutes consent and how it can be obtained.
The Opinion concludes with a number of recommendations for consideration as part of the wider review of the European data protection regime currently in process. The Working Party continues to favour a conservative approach to consent, including explicit transparent disclosures by data controllers and the requirement for unambiguous proof of acceptance by the data subject. Some practitioners see the Working Party’s approach as impractical, however, as it does not refer to proportionality in consent.
A Timely Review of the Data Protection Regime
In anticipation of the revision of the existing European data protection framework due to be launched by the European Commission in the latter part of 2011, the Commission published a communication in late 2010 on “a comprehensive approach on personal data protection in the European Union”. In a speech entitled “Your data, your rights: Safeguarding your privacy in a connected world” delivered in March 2011, Vice-President of the European Commission, EU Justice Commissioner Viviane Reding, expanded on the issues raised in the communication. Commissioner Reding set out four pillars for data protection policy in Europe: i) the right to be forgotten, ii) transparency, iii) privacy by default, and iv) protection regardless of data location. In early July 2011, the European Parliament adopted a resolution calling for stronger rules on personal data protection, echoing Commissioner Reding’s position and identifying a number of areas that can be improved in light of changing use of technology and patterns of data sharing.
The Working Party’s Opinion is therefore a timely and provocative piece that addresses a fundamental issue underlying the current European regime.
Consent and Personal Data
Although commonly known as the Data Protection Directive, the full title of Directive 95/46/EC is the Directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. The full title is indicative of the balance that must be maintained in Europe between the rights of the individual and the rights of those processing data about the individual.
Although consent is not a legal notion specific to data protection, in the Data Protection Directive consent is used both as a general ground for lawfulness of processing (Article 7) and as a specific ground in certain contexts, e.g. the possibility of using consent to legitimise the processing of sensitive data (Article 8).
The Data Protection Directive sets out six separate criteria that may be relied on for making data processing legitimate. The first criterion listed is that “the data subject has unambiguously given his consent” (Article 7). The list continues with other grounds, all of which are based on necessity and include contractual requirements, legal obligations and personal safety. Although consent is central to an effective data protection regime, the Working Party does not see the fact that it is listed first in Article 7 as a reason for it to be given any preferential status as the ground for finding lawfulness. In fact, in some instances, it is clear that other grounds would be far more suitable for this purpose.
The Working Party is keen to stress that consent should not be seen as a cure-all for lawful processing. The Working Party’s concerns are twofold: what scope for processing does consent provide and how is consent actually achieved? The choice of the most appropriate legal ground for lawful processing is not always obvious. For example, under Article 7(b), the processing must be necessary to perform a contract or take steps at the request of the data subject prior to entering a contract. Therefore, a data controller relying on Article 7(b) as a legal ground to legitimise processing cannot extend it to justify processing beyond what is necessary to conclude the contract. Any additional processing will need to be legitimised with the specific consent to which Article 7(a) applies. If moving from the ground of necessity to that of consent, it will be up to the data controller to show that he had in place the requisite consent prior to undertaking the additional processing.
The Working Party acknowledges that the legal grounds for legitimising processing are not mutually exclusive and that in some transactions a number of legal grounds could apply at the same time. For example, in the scenario of buying a car, a number of different grounds could be applied at different stages to legitimise the data processing: Article 7(b) to process data necessary to buy the car; Article 7(c) to process the car’s registration; Article 7(f) for client management services, e.g., having the car serviced by an affiliate; and Article 7(a) to transfer the data to third parties for their own marketing activities.
An individual giving consent to the processing of their personal information does not release the data controller from its obligations to comply with the requirements on fairness, necessity and proportionality (Article 6). Therefore, data controllers must be clear when seeking to obtain consent what the scope of the processing will be. If there is any deviation or expansion of the processing covered by the consent then further consent will be required if no other Article 7 criteria are applicable. In addition, as consent must be given freely, it must remain subject to revocation by the individual concerned at any time and, once revoked, no further processing of the individual’s data should be undertaken.
In order to be valid, consent must be informed: the individual must be provided with all necessary information covering the substantive elements of the proposed processing. Consent should be obtained before the related processing begins. In general, consent may be obtained by an “indication” (Article 2(h)), although this needs to be unambiguous and explicit in relation to sensitive personal data. What is not clear from the current legislation is whether, in a general scenario, a passive rather than active indication is sufficient. As it has previously held (see Working Paper 114), the Working Party believes strongly that a request for consent must imply a need for action indicating consent. This is quite separate from the individual having the additional right to object to any processing once it has begun. The Working Party contends that were a data controller to rely on silence or an absence of behaviour to justify consent, then it will be problematic for the data controller to verify whether the silence or inaction was intended to reflect consent.
It is noted that consent must be “freely given” and that to be able to give consent the individual must have a real, exercisable choice. In some scenarios, such as that of an employment relationship, where an employee is requested to consent to the processing of his data, it is very unlikely that agreement will be valid consent if there is a real or potential relevant prejudice that arises from not consenting.
The Working Party notes that blanket consent is not valid as it does not inform the individual of the exact purpose of the processing. To be valid, consent must set out clearly the scope and consequences of the processing in language that is clear and understandable to the intended audience.
If consent is the ground relied on for legitimising processing then it is critical that the individual be informed in sufficient detail about how his data will be used. This information must be provided in a clearly visible, prominent and comprehensive form. In agreement with the Information Commissioner, which is the United Kingdom’s regulator, the Working Party suggests that, as communication to the individual is critical, layered notices should be used to break up the amount of information, so that critical elements are set out in terse bullet points, prominently or proactively communicated, with more detail being provided in longer format documents, which may, in an online example, be linked to by hypertext links.
With regard to scope and communication, it is clear that the Working Party is looking to the data controllers to undertake assessments of their requirements on a risk basis, taking into account the types of data they are processing, any third party sharing, or international transfers. The greater the potential risk arising from the processing, the more specific and prominent the information relating to consent has to be.
Consent does not have to be recordable to be valid. It is, however, to the data controller’s advantage if it can show that consent has been given actively.
The E-Privacy Directive
Under the e-Privacy Directive, advance consent from users to the placement of cookies and similar technologies on their computers and other devices is required. In June 2010, in its Opinion on behavioural advertising, the Working Party called for businesses to adopt opt-in mechanisms for cookie placement associated with online advertising. This conservative position is reiterated in Opinion 15/2011. Member States have struggled, however, with whether an online browser setting would be sufficient to demonstrate such consent. The Working Party’s position remains that any browser-based consent solution requires the default setting of the browser to be one of non-acceptance and non-transmission of third party cookies and for the browser to require users to actively change the settings, whether at their own instigation or by way of a wizard at first install or update.
Recommendations and Reforms
In addressing the issue of how consent can be obtained, the Working Party proposes including in the revised framework a requirement that consent is not only informed and given freely but also “unambiguous”. In this instance, unambiguous means that the data controller needs to use “mechanisms that leave no doubt of the data subject's intention to consent”. This means that anyone processing personal data using consent as the grounds for lawful processing will bear the burden of proof in demonstrating that they do so only after effectively obtaining the individual’s consent. In an online environment, the easiest method of achieving this would be to have a tick-box requirement, as many other mechanisms, such as notices reached by hypertext link or default privacy settings that allow data sharing, may not meet the requirement of unambiguity for valid consent.
The Working Party does not go as far as seeking a general revision requiring explicit consent as a rule for all types of processing operations. Instead, it notes that unambiguous consent, which encompasses explicit consent, should be the standard. This should provide more flexibility to data controllers in determining how to obtain consent. However, consent resulting from unambiguous actions must also be acceptable. For example, if somebody is told that a film will be shot in a certain location at a certain time and they appear at the location at that time, then their consent to be included in the filming can be ascertained from their actions.
The Opinion also finds that several aspects of the legal framework applying to consent have no basis in current European legislation but have developed through case law and previous Opinions given by the Working Party. The Working Party suggests that, where possible, steps should be made to include drafting in the revised legislation covering three key areas: i) the right of individuals to withdraw consent, ii) the notion that consent must be obtained prior to processing commencing where there is no other legal ground for processing, and iii) explicit requirements setting out the quality and accessibility of language used to obtain consent. The last of these enshrines in legislation the practical consideration that clear and plain language must be used and must be suitable for its intended audience. Failure to comply with any of these requirements will result in consent not being achieved.
In addition, the Working Party addresses the specific issue of enhanced protection for those lacking legal capacity, such as minors and the incapacitated. Legislation should clearly set out the circumstances in which parental or equivalent consent is required, and the ages (if any) at which such consent would be mandatory.
The Working Party’s Opinion does not contain any real surprises. In the past, the Working Party has been criticised for being too conservative on data protection issues and for setting out positions that are commercially impractical. Similar comments are likely to follow this Opinion, especially with regard to the lack of proportionality in the need for active indication of consent. It should, however, be noted that the Opinion does set out clearly what is expected from those seeking to obtain consent and how that may best be evidenced and, more importantly for many, it sets out clear guidance on when consent should be used, and when it cannot be used, as a ground for achieving lawful processing.