The EU's Article 29 Working Party has issued an Opinion on the definition of "consent" in which it examines the individual elements and requirements for consent to be valid under the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC). The Opinion also includes recommendations for improving the concept of consent in the context of the ongoing review of the Data Protection Directive.
The Opinion provides practical examples of valid and invalid consent, and analyses the meaning of key concepts such as "freely given", "specific", "informed", "explicit", and "unambiguous". The Opinion further clarifies some aspects relating to the notion of consent, such as the timing as to when consent must be obtained and how the right to object differs from consent.
Some of the key conclusions of the Article 29 Working Party are:
- For consent to be valid, it must be freely given. This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Due to the element of subordination in the employment context, careful assessment must be given as to whether employees are free to consent.
- Consent must be specific. Blanket consent without determination of the exact purposes does not meet the threshold. This requires the use of specific consent clauses, separated from the general terms of conditions of the contract.
- Consent must be informed. This requires, firstly, the use of clear language so that data subjects understand what they are consenting to and for what purposes. Secondly the information must be provided directly to individuals, so that it cannot be overlooked. It is not sufficient for it to be merely available somewhere.
- Explicit consent to process sensitive data requires the data subject to take some positive action, either oral or in writing. Therefore explicit or express consent cannot be obtained by the presence of a pre-ticked box.
- For non-sensitive data consent must be unambiguous. This requires the use of mechanisms to obtain consent that leave no doubt as to the individual's intention to provide consent.
- Consent based on an individual's inaction or silence does not normally constitute valid consent. The use of default settings which the data subject is required to modify in order to reject the processing, such as the use of pre-ticked boxes, do not meet the requirements for unambiguous consent. The data subject should be given the opportunity to make a decision and express it, for instance by ticking the box himself.
- Reliance on consent does not relieve the data controller of his obligation to comply with other requirements of the data protection legal framework, such as the principle of proportionality.
- Consent should be given before the processing of personal data starts, or before any further use of the data for purposes not covered by an initial consent, where there is no other legal ground for the processing.
To view the Opinion please click here.