31 August 2011

Consent in EU data processing

The Article 29 Working Party has produced a 38-page Opinion (15/2011) [PDF] on the definition of 'consent' in relation to the European Data Protection Directive and the e-Privacy Directive.

The Working Party is an independent European advisory body on data protection and privacy. It was established under Article 29 of Directive 95/46/EC. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

Last year the European Commission stated, in examining 'ways of clarifying and strengthening the rules on consent', that
When informed consent is required, the current rules provide that the individual's consent for processing his or her personal data should be a 'freely given specific and informed indication of his or her wishes by which the individual signifies his or her agreement to this data processing'. However, these conditions are currently interpreted differently in Member States, ranging from a general requirement of written consent to the acceptance of implicit consent.

Moreover, in the online environment - given the opacity of privacy policies - it is often more difficult for individuals to be aware of their rights and give informed consent. This is even more complicated by the fact that, in some cases, it is not even clear what would constitute freely given, specific and informed consent to data processing, such as in the case of behavioural advertising, where internet browser settings are considered by some, but not by others, to deliver the user's consent.

Clarification concerning the conditions for the data subject's consent should therefore be provided, in order to always guarantee informed consent and ensure that the individual is fully aware that he or she is consenting, and to what data processing, in line with Article 8 of the EU Charter of Fundamental Rights. Clarity on key concepts can also favour the development of self-regulatory initiatives to develop practical solutions consistent with EU law.

The Opinion confirms that consent should be freely given, specific and informed, giving individuals enough detail to make a decision about how their personal data will be used. Where explicit consent is required to process sensitive personal data (such as health records) the Opinion indicates that an individual must expressly agree - whether orally or in writing - to the processing of the personal data. Consent on the basis of an individual's inaction is not sufficient. Individuals should also be able to withdraw their consent, preventing any further processing of their personal data.

The Working Party states that -
The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive. Drawing on the experience of the members of the Article 29 Working Party, the Opinion provides numerous examples of valid and invalid consent, focusing on its key elements such as the meaning of "indication", "freely given", "specific", "unambiguous", "explicit", "informed" etc.

The Opinion further clarifies some aspects related to the notion of consent. For example, the timing as to when consent must be obtained, how the right to object differs from consent, etc.

Consent is one of several legal grounds to process personal data. It has an important role, but this does not exclude the possibility, depending on the context, of other legal grounds perhaps being more appropriate from both the controller’s and from the data subject’s perspective. If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject’s control becomes illusory and consent constitutes an inappropriate basis for processing.

This Opinion is partly issued in response to a request from the Commission in the context of the ongoing review of the Data Protection Directive. It therefore contains recommendations for consideration in the review. Those recommendations include:
i) clarifying the meaning of “unambiguous” consent and explaining that only consent that is based on statements or actions to signify agreement constitutes valid consent;

ii) requiring data controllers to put in place mechanisms to demonstrate consent (within a general accountability obligation);

iii) adding an explicit requirement regarding the quality and accessibility of the information forming the basis for consent, and

iv) a number of suggestions regarding minors and others lacking legal capacity.

The Working Party comments -
Article 2 (h) of Directive 95/46/EC defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds. Article 8 requires explicit consent as a legal ground to process sensitive data. Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application. The points developed in this opinion aim at clarifying the various elements of this legal framework in an effort to make it easier to apply by stakeholders in general.

Elements/observations of general nature

• Consent is one of the six legal grounds to process personal data (one of five for sensitive data); it is an important ground as it gives some control to the data subject with regard to the processing of his data. The relevance of consent as an enabler of the individual’s autonomy and self-determination relies on its use in the right context and with the necessary elements.

• Generally speaking, the legal framework of Directive 95/46/EC applies whenever consent is sought, independently of whether this happens off-line or on-line. For example, the same rules apply when a bricks-and-mortar retailer seeks sign-up for a loyalty card scheme via a paper form, as would be the case if it did this through its Internet site. In addition, the ePrivacy Directive specifies certain data processing operations which are subject to consent: they mostly relate to the processing of data in connection with the provision of publicly available electronic communication services. The requirements for consent to be valid within Directive 2002/58/EC are the same as under Directive 95/46/EC.

• Situations where data controllers use consent as a legal ground to process personal data should not be confused with situations where the controller bases the processing on other legal grounds which entail an individual right to object. For example, this may be the case when the processing relies on the 'legitimate interests' of the data controller ex Article 7(f) of Directive 95/46/EC, yet the individual has the right to object ex Article 14(a) of Directive 95/46/EC. Another example is when a data controller sends e-mail communications to existing clients in order to promote the data controller's own or similar products or services; however, individuals have a right to object under Article 13.2 of Directive 2002/58/EC. In both cases the data subject has the right to object to the processing; this is not the same as consent.

• Reliance on consent to process personal data does not relieve the data controller from his obligation to meet the other requirements of the data protection legal framework, for example, to comply with the principle of proportionality under Article 6.1(c), security of the processing ex Article 17, etc.

• Valid consent presupposes individuals' capacity to consent. Rules regarding the capacity to consent are not harmonised and may therefore vary from Member State to Member State.

• Individuals who have consented should be able to withdraw their consent, preventing further processing of their data. This is confirmed also under the ePrivacy Directive for specific data processing operations based on consent, such as the processing of location data other than traffic data.

• Consent must be provided before the processing of personal data starts, but it can also be required in the course of a processing, where there is a new purpose. This is stressed in various provisions of Directive 2002/58/EC, either through the requirement "prior" (e.g. Article 6.3) or through the wording of the provisions (e.g. Article 5.3).

Specific elements of the legal framework related to consent

• For consent to be valid, it must be freely given. This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health may require careful assessment of whether individuals are free to consent.

• Consent must be specific. Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.

• Consent must be informed. Articles 10 and 11 of the Directive list the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be "informed" translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.

• As to how consent must be provided, Article 8.2(a) requires explicit consent to process sensitive data, meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.

• For data other than sensitive data, Article 7(a) requires consent to be unambiguous. "Unambiguous" calls for the use of mechanisms to obtain consent that leave no doubt as to the individual's intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.

• Consent based on an individual's inaction or silence would normally not constitute valid consent, especially in an on-line context. This is an issue that arises in particular with regard to the use of default settings which the data subject is required to modify in order to reject the processing. For example, this is the case with the use of pre-ticked boxes or Internet browser settings that are set by default to collect data.
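As an added illustration (not part of this post or of the Opinion), the elements listed above can be encoded as checks that run over a consent record before a processing operation relies on it: specific purposes, information shown before the affirmative action, an active rather than default-derived action (explicit for sensitive data), consent obtained before processing starts, and withdrawal halting further processing, plus an evidence reference so the controller can demonstrate that consent was obtained. The record layout, the action names, the blanket-purpose markers and the evidence field are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
# Constructed example: a consent record carrying the elements the Opinion lists
# (specific, informed, unambiguous/explicit, prior, withdrawable) plus an evidence
# reference so the controller can demonstrate that consent was obtained.
@dataclass
class ConsentRecord:
    subject_id: str
    purposes: Tuple[str, ...]          # exact purposes agreed to
    action: str                        # how agreement was signalled (sets below)
    info_shown_at: Optional[datetime]  # when information was given directly to the person
    given_at: Optional[datetime]       # when the affirmative action happened
    evidence_ref: Optional[str]        # stored form or log id (hypothetical field)
    sensitive: bool = False            # Article 8 data: explicit consent needed
    withdrawn_at: Optional[datetime] = None

# Assumed classification: statements or positive actions signify agreement;
# pre-ticked boxes, untouched defaults and silence do not.
ACTIVE_ACTIONS = {"ticked_unchecked_box", "written_statement", "oral_statement"}
EXPLICIT_ACTIONS = {"written_statement", "oral_statement"}
BLANKET_PURPOSES = {"any", "all", "*"}

def consent_problems(rec: ConsentRecord, purpose: str, start: datetime) -> List[str]:
    """Reasons (empty list = none) why rec does not legitimise processing for `purpose` from `start`."""
    problems = []
    if not rec.purposes or BLANKET_PURPOSES & set(rec.purposes):
        problems.append("not specific: blanket consent without exact purposes")
    elif purpose not in rec.purposes:
        problems.append(f"purpose {purpose!r} not covered: fresh consent needed")
    if rec.action not in ACTIVE_ACTIONS:
        problems.append("not unambiguous: inferred from inaction or a default setting")
    elif rec.sensitive and rec.action not in EXPLICIT_ACTIONS:
        problems.append("sensitive data: explicit oral or written consent required")
    if rec.given_at is None:
        problems.append("no affirmative action recorded")
    else:
        if rec.info_shown_at is None or rec.info_shown_at > rec.given_at:
            problems.append("not informed: information not provided before consent")
        if rec.given_at > start:
            problems.append("consent must be obtained before processing starts")
    if rec.withdrawn_at is not None and rec.withdrawn_at <= start:
        problems.append("consent withdrawn: no further processing")
    if not rec.evidence_ref:
        problems.append("cannot demonstrate consent: no evidence reference")
    return problems

def withdraw(rec: ConsentRecord, when: datetime) -> ConsentRecord:
    rec.withdrawn_at = when  # processing after this point can no longer rely on the consent
    return rec

# Constructed sample: a box ticked by the user after the notice was shown, vs. a pre-ticked box.
T0 = datetime(2011, 8, 31, 9, 0, tzinfo=timezone.utc)
GOOD = ConsentRecord("s1", ("newsletter",), "ticked_unchecked_box", T0, T0.replace(minute=1), "form-0001")
PRETICKED = ConsentRecord("s2", ("newsletter",), "pre_ticked_box", T0, T0.replace(minute=1), "form-0002")
```

Each returned string names the element of the Opinion that the record fails, so a processing pipeline can refuse to start and log the reason rather than silently treating a default as agreement.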
It concludes that -
The Working Party considers that the current data protection framework contains a well-thought-out set of rules that establish the conditions for consent to be valid in order to legitimise data processing operations. These apply in both the off- and on-line environments. More particularly:

The framework successfully achieves the balancing of a number of concerns. On the one hand, it ensures that only true, informed, consent is deemed as such. In this regard, Article 2(h) explicitly requiring consent to be freely given, specific and informed, is relevant and satisfactory. On the other hand, this requirement is not a straitjacket but it rather provides sufficient flexibility, avoiding technologically specific rules. This is illustrated in the same Article 2(h) where it defines consent as any indication of the individual’s wishes. This provides sufficient leeway in terms of the ways in which such an indication can be provided. Articles 7 and 8, requiring respectively unambiguous and explicit consent, capture well the need for a balance between the two concerns, giving flexibility and avoiding overly rigid structures while guaranteeing protection. The result is a framework which, if properly applied and implemented, is capable of keeping pace with the wide variety of data processing operations that often result from technological developments.

In practice however, establishing when consent is needed and more particularly the requirements for valid consent, including how to apply them concretely, is not always easy because of a lack of uniformity across Member States. Implementation at national level has resulted in different approaches. More specific shortcomings were identified during the discussions in the Article 29 Working Party that led to this Opinion, further described below.

Possible changes

• The notion of unambiguous consent is helpful for setting up a system that is not overly rigid but provides strong protection. While it has the potential to lead to a reasonable system, unfortunately, its meaning is often misunderstood or simply ignored. While the indications and examples developed above should contribute to enhancing the legal certainty and protection of individuals' rights when consent is used as a legal basis, the above situation seems to call for some amendments.

• More particularly, the Article 29 Working Party considers that the wording itself ("unambiguous") would benefit from further clarification as a part of the revision of the general data protection framework. Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.

• In addition to the clarification described above, the Article 29 Working Party suggests the following:
i. First, include in the definition of consent of Article 2(h) the word “unambiguous” (or equivalent) in order to reinforce the notion that only consent that is based on statements or actions to signify agreement constitutes valid consent. In addition to adding clarity, this would align the concept of consent under Article 2(h) with the requirements for valid consent under Article 7. Moreover, the meaning of the word “unambiguous” could be further explained in a recital of the future legal framework.

ii. Second, in the context of a general accountability obligation, the controllers should be in a position to demonstrate that consent has been obtained. Indeed, if the burden of proof is reinforced so that data controllers are required to demonstrate that they have effectively obtained the consent of the data subject, they will be compelled to put in place standard practices and mechanisms to seek and prove unambiguous consent. The type of mechanisms will depend on the context and should take into account the facts and circumstances of the processing, more particularly its risks.

• The Article 29 Working Party is not convinced that the legal framework should require explicit consent as a general rule for all types of processing operations, including those currently covered by Article 7 of the Directive. It considers that unambiguous consent, which encompasses explicit consent but also consent resulting from unambiguous actions, should remain the required standard. This choice gives more flexibility to data controllers to collect consent and the overall procedure may be quicker and more user-friendly.

• Several aspects of the legal framework that apply to consent are deduced from the wording, legal history or have been developed through case law and Article 29 Working Party Opinions. It would provide more legal certainty if such aspects were expressly built in the new data protection legislative framework. The following points could be taken into account:
i. The inclusion of an express clause setting up the right of individuals to withdraw their consent.

ii. The reinforcement of the notion that consent must be given before the processing starts, or before any further use of the data for purposes not covered by an initial consent, where there is no other legal ground for the processing.

iii. The inclusion of explicit requirements regarding the quality (obligation to provide information on data processing in a manner which is easy to understand, in clear and plain language) and accessibility of the information (obligation for the information to be conspicuous, prominent and directly accessible). This is vital for enabling individuals to make informed decisions.

• Finally, with regard to individuals lacking legal capacity, provisions ensuring enhanced protection could be foreseen, including:
i. Clarifications as to the circumstances in which consent is required from parents or representatives of an incapable individual, including the age threshold below which such consent would be mandatory.

ii. Laying down the obligation to use age verification mechanisms, which may vary depending on circumstances such as the age of children, the type of processing, whether particularly risky, and whether the information will be kept by the data controller or made available to third parties;

iii. A requirement for information to be adapted to children insofar as this would make it easier for children to understand what it means when data from them are collected, and thus deliver consent;

iv. Specific safeguards identifying data processing activities, such as behavioural advertising, where consent should not be a possible basis to legitimise the processing of personal data.