Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below.
The constant collection, processing and transfer of personal data, broadly defined in the EU as any information relating to an identified or identifiable person, has become an overwhelming feature of modern society, both on-line and off-line. Contrary to law in the US, in the EU, obtaining the consent of the individual (the “data subject”) has always played a key role in the European Union’s data protection efforts.
The Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy, issued an opinion in July 2011 addressing the consent principles currently in place as well as providing insight into a possible and likely expansion of consent requirements. (The opinion was published, coincidentally or not, immediately after the expiration of the deadline which requires EU member states to transpose the so-called “Cookie Directive”, which serves the purpose of ensuring that a data processor obtains the individual’s consent each and every time a cookie is placed on a computer.)
Consent by the data subject is just one of various legal grounds permitting the processing of personal data within the EU member states and the transfer of such information to third countries which possess an inadequate level of data protection. The EU still considers the United States’ data protection standards to be insufficient, and US companies must therefore rely on various exemptions, including consent, in order to import any personal data from the European Union.
The Working Party’s opinion scrutinizes the current practice of using default settings to create consent by silence or inactivity and ultimately concludes that a silent consent by accepting the default setting of a pre-ticked box should not qualify as unambiguous. If this opinion prevails, which is very probable due to the frequent reliance on Working Party opinions by the legislature as well as the courts, the current opt-out mechanisms will no longer suffice as a method of establishing valid consent.
To avoid any unpleasant surprises further down the road when a data protection agency scrutinizes the validity of the consent in place, companies should carefully consider the following:
- Consent does not negate a data processor’s general obligation to adhere to the principles of proportionality, data quality, fairness and necessity. Regardless of the subject’s consent, excessive data collection is never permissible!
- Consent is to be viewed in relation to other processing and transfer exemptions, and companies must evaluate whether other grounds exist for the lawful collection and transfer of data. The most appropriate legal ground should be chosen for justification of the transaction and used in the right context. The Working Party suggests that consent often may not be available if other grounds exist. If the processing/transfer could have been performed based on a different ground, asking an individual for his consent could be considered misleading or inherently unfair.
- For data transfers to a non-EU country, consent can only be requested for one distinct transaction. It cannot provide an adequate long-term framework for repeated or structural data transfers.
- An employee’s consent will not be considered valid if it was not possible for the employee to refuse without a real or potential relevant prejudice arising from not consenting. This holds true even if the request for consent was made as a condition of employment. The rationale for such an expansion can be found in the fact that nearly all employers now impose the same or similar pre-employment condition of consent.
- Consent can always be withdrawn. With the exception of the processing of location data under the e-Privacy Directive, there is no specific provision explicitly allowing for the withdrawal of consent. Such a right has nonetheless been uniformly accepted through case law and Working Party opinions. The current opinion expands on this concept and suggests as a matter of best practices that data processors regularly review the data subjects’ choices and approach the data subject to offer an option for confirming or withdrawing the consent.
- The complexity of data processing places a burden on data controllers to put in place procedures that show consent has been verifiably obtained from the data subject.
When processing sensitive personal data such as health records or data related to a person’s age, race, religion, political beliefs, etc., the consent must be explicit. The data subject must take some positive action to signify consent and must be free not to consent. This requires an active response, which can either be oral or in writing. While the question of whether passive or silent consent can be unambiguous remains to be fully determined, there is absolutely no doubt that an opt-out process, such as the presence of a pre-ticked box, clearly fails the requirements for explicit consent. To obtain explicit consent, a data processor must provide an opt-in method to elicit a positive statement from the individual.
Attribution for the citations in this post is as follows: © European Union, http://eur-lex-europa.eu. Only European Union legislation printed in the paper edition of the Official Journal of the European Union is deemed authentic.