The Meaning of “Consent” in the EU Data Protection Framework: A New Article 29 Working Party Opinion
On July 13, 2011, the Article 29 Data Protection Working Party (hereafter Article 29 WP ) adopted Opinion 15/2011 on the Definition of Consent.
A. GOAL of the ARTICLE 29 WP OPINION
This opinion aims to clarify the existing legal requirements and illustrate how they work in practice. At the same time, in doing so, it provides a reflection on whether the existing framework remains suitable in the light of the many new ways of processing personal data or whether changes to it may be necessary. Consent is also one of the subjects about which the Commission has asked for input in the context of the review of Directive 95/46/EC.
B.“VALID CONSENT” DIRECTIVES
The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive (Directive 95/46/EC) and in the e-Privacy Directive (Directive 2002/58/EC.)
Concerning the overlap between the two directives, the Article 29 WO states: “The general conditions for consent to be valid, as foreseen in Directive 95/46/EC, apply both in the off-line and in the on-line world. Directive 2002/58/EC specifies these conditions for some explicitly identified on-line services, always in the light of the general conditions of the Data Protection Directive.”
C. CONSENT AS LEGAL BASIS TO PROCESS PERSONAL DATA
According to the Directive, personal data cannot be handled at all, except on the basis of a very limited list mentioned in articles 7 and 8 of the Directive.
One legal basis that gives a data controller the right to “process” personal data is unambiguous consent by the data subject.” (Article 7. (a) Directive 95/46/EC).
There are 5 other legal grounds for processing personal data.
The processing of sensitive personal data requires explicit consent. (Article 8.2(a) Directive 95/46/EC).
There are 4 other legal grounds for processing sensitive personal data.
D. GENERAL PRINCIPLES OF VALID CONSENT
Article 29 WP:
- • Valid consent presupposes individuals’ capacity to consent. Rules regarding the capacity to consent are not harmonized and may therefore vary from Member State to Member State.
- • Individuals who have consented should be able to withdraw their consent, preventing further processing of their data. This is confirmed also under the ePrivacy Directive for specific data processing operations based on consent, such as the processing of location data other than traffic data.
- • Consent must be provided before the processing of personal data starts, but it can also be required in the course of a processing, where there is a new purpose. This is stressed in various provisions of Directive 2002/58/EC, either through the requirement “prior” (e.g. Article 6.3) or through the wording of the provisions (e.g. Article 5.3).
E. DEFINITIONS OF CONSENT IN THE DATA PROTECTION DIRECTIVE (Directive 95/46/EC).
Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds.
Article 8 requires explicit consent as a legal ground to process sensitive data.
Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application.
Article 2 (h) of Directive 95/46/EC
defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
a. Consent may be “any…indication of his wishes”
Article 29 WP: “The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).”
Example: Bluetooth advertising boards
There is a developing advertising tool consisting of boards sending messages asking for the establishment of a Bluetooth connection to send ads to people passing nearby. The messages are sent to people that have activated their Bluetooth devices on their mobiles. The sole activation of the Bluetooth function does not constitute a valid consent (i.e. the Bluetooth function could be activated for other purposes). On the other hand, when someone is informed about the service and approaches a few centimeters from the board with his or her mobile, there is, normally speaking, an indication of a wish: this shows which people are really interested in getting the ads. Only those people should be considered as having consented, and only they should receive the messages on their phones.
b. Consent must be FREELY given:
Article 29 WP: “This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health may require careful assessment of whether individuals are free to consent.”
Example – Electronic health records
In many Member States there is a move to create an electronic summary of patients’ health records. This will allow healthcare providers to access key information wherever the patient needs treatment. – In the first scenario, the creation of the summary record is absolutely voluntary, and the patient will still receive treatment whether or not he or she has consented to the creation of a summary record. In this case consent for the creation of the summary record is freely given because the patient will suffer no disadvantage if consent is not given or is withheld.
- In the second scenario, there is a moderate financial incentive to choose the e-health record. Patients refusing the e-health record do not suffer disadvantage in the sense that the costs do not change for them. It could be considered here as well that they are free to consent or not to the new system.
- In the third scenario, patients refusing the e-health system have to pay a substantial extra cost compared to the previous tariff system and the processing of their file is considerably delayed. This signifies a clear disadvantage for those not consenting, with the purpose to bring all citizens within the e-health system in a scheduled deadline. Consent is therefore not sufficiently free. One should therefore also examine the existence of other legitimate grounds to process the personal data or examine the application of Article 8.3 of Directive 95/46/EC.
Free consent in the context of employment:
Article 29 WP: “where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent…. An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”
When the public authority is the data controller:
Article 29 WP:
“..when a public authority is the data controller, the legal ground for legitimising the processing will be the compliance with a legal obligation ex Article 7(c), or the performance of a task of public interest ex Article 7(e), rather than consent.”
Example: PNR data
The question of whether the consent of passengers can be validly used to legitimise the transfer of booking details (“PNR data”) by European airlines to the US authorities has been discussed. The Working Party considers that passengers’ consent cannot be given freely as the airlines are obliged to send the data before the flight departure, and passengers therefore have no real choice if they wish to fly.21 The legal basis here is not the consent of the passenger but, rather in accordance with Article 7(c), the obligations foreseen in the international agreement between the EU and the US on the processing and transfer of Passenger Name Record (PNR) data.
c. Consent must be SPECIFIC :
Article 29 WP: “Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.”
Also: “specific consent may be needed for processing beyond what is necessary for the performance of the contract.”
Example: social networks
The social network service offers the possibility to use external applications. The user is, in practice, often prevented from using an application if he does not consent to the transmission of his data to the developer of the application for a variety of purposes, including behavioural advertising and reselling to third parties. Considering that the application can run without it being necessary that any data is transferred to the developer of the application, the WP encourages granularity while obtaining the consent of the user, i.e. obtaining separate consent from the user for the transmission of his data to the developer for these various purposes. Different mechanisms, such as pop-up boxes, could be used to offer the user the possibility to select the use of data to which he agrees (transfer to the developer; added value services; behavioural advertising; transfer to third parties; etc).
d. Consent must be INFORMED:
Article 29 WP: “Articles 10 and 11 of the Directive lists the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be “informed” translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.”
Example: crime mapping
Some police forces are considering publishing maps, or releasing other data, showing where particular types of crime took place. Usually safeguards built into the process mean that no personal data about the victims of crime is published, because crime is only linked to relatively broad geographical regions. However, some police forces want to pin-point crime more exactly, where the victim of a crime consents to this. In such a case it becomes possible to link more precisely the data subject with the place where a crime has been committed. However, the victim is not specifically told that identifiable information about him/her will be published openly on the internet and how this information can be used. Consent is therefore not valid in this case because victims may not fully understand the extent to which information about them is being published.
According to the Directive, personal data cannot be handled at all, except on the basis of a very limited list mentioned in articles 7 and 8 of the Directive, as mentioned above.
One legal basis that gives a data controller the right to “process” personal data is “unambiguous consent by the data subject.” (Article 7.(a) Directive 95/46/EC).
Article 29 WP: “Unambiguous” calls for the use of mechanisms to obtain consent that leave no doubt as to the individual’s intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.
Example: on-line game
An on-line game provider requires players to provide age, name and address for the purposes of participating in the on-line game (distribution of players among ages and addresses). The website features a notice, accessible through a link (although access to such notice is not necessary to participate in the game), which indicates that by using the website (and thus providing information) players are consenting to their data being processed to deliver them marketing information, by the on-line game provider and by third parties.
Accessing and participating in the game is not tantamount to giving unambiguous consent to the further processing of their personal information for purposes other than the participation in the game. Participation in the game does not imply the individuals’ intent to consent to processing other than what is necessary to play. This type of behaviour does not constitute an unambiguous indication of the individual’s wish to have his/her data used for marketing purposes.
Example: default privacy settings
The default settings of a social network, which users do not necessarily need to access to use it, enable the entire “friends of friends” category making all the personal information of each user viewable to all “friends of friends”. Users who do not wish to have their information viewed by “friends of friends” are required to click a button. If they remain passive, or fail to engage in the action consisting in clicking a button, they are deemed by the controller to have consented to having their data viewable. However, it is very questionable whether not clicking on the button means that individuals at large are consenting to have their information viewable by all the friends of friends. Because of the uncertainty as to whether the lack of action is meant to signify consent, not clicking may not be considered unambiguous consent.
3. SENSITIVE PERSONAL DATA:
Sensitive personal data are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” and processing of such data is in principle prohibited, with a very limited list of exceptions (Article 8.2(a) of Directive 95/46/EC).
Article 8.2(a) Directive 95/46/EC requires explicit consent to process sensitive data.
In legal terms “explicit consent” is understood as having the same meaning as express consent. The difference here is that, whereas with regular personal data, for consent to be valid it must be unambiguous, and explicit/express consent is but one of the many ways to show unambiguous consent, in case of sensitive personal data, explicit/express consent is the ONLY valid way to show valid consent.
Article 29 WP: “meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.”
Example: medical data for research
A patient who is informed by a clinic that his medical file will be transferred to a researcher unless he objects (by calling a number), will not meet the requirement of explicit consent.
Also: “Consent does not have to be recordable to be valid. However, it is in the interest of the data controller to retain evidence.”
F. UNAMBIGUOUS CONSENT AS LEGAL BASIS FOR TRANSFER OF PERSONAL DATA TO NON_ADEQUATE THIRD COUNTRIES (Article 26.1(a) of Directive 95/46/EC).
The article 29 WP repeats its opinion expressed in WP 114 that “Consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question” In case “ just one data subject subsequently decided to withdraw his consent…”, further transfers become invalid.
G. THE E-PRIVACY DIRECTIVE (Directive 2002/58/EC)
The recently amended e-Privacy Directive (Directive 2002/58/EC) applies to providers of publicly available electronic communication services only (e.g. providers of telephony, Internet service providers, etc).
1. CONSENT AND RELATION WITH DIRECTIVE 95/46 EC (Article 2(f)) Article 2 of the e-Privacy Directive explicitly states that the definitions of Directive 95/46/EC shall apply regarding Directive 2002/58/EC.
2. INTERCEPTION/SURVEILLANCE OF COMMUNICATIONS (Article 5(1)) Requires the consent of “all users concerned“, in other words, the two parties to a communication.
3. TIMING WHEN CONSENT IS REQUIRED (Articles 6(3), 9, 13 and 5(3)) Consent is to be provided prior to the processing. This is in line with Directive 95/46/EC.
4. THE RIGHT TO OBJECT AND ITS DISTINCTION FROM CONSENT (Article13(2-3)) If the addressee of the commercial communication is an existing client and the communication aims at promoting the provider’s own or similar products or services, the requirement is not consent, but ensuring that individuals “are given the opportunity to object” ex Article 13(2). Recital 41 explains the reasoning why the legislator, in this case, did not require consent: “Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services”. Thus, in principle, the contractual relationship between the individual and the service provider is the legal ground that allows the first contact by email.
5. POSSIBILITY TO WITHDRAW CONSENT (Articles6.3,9.3-4.)
H. ARTICLE 29 WORKING PARTYS ASSESSMENT CONCERNING THE CURRENT DATA PROTECTION FRAMEWORK and RECOMMENDED CHANGES
The Article 29 WP deplores the lack of uniformity in implementation of the requirements for valid consent by the EU member states at the national level.
It suggests the following changes as part or the revision of the general data protection framework.
- Further clarification of the wording “unambiguous”. “Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.”
- Include the word “unambiguous” in the general definition of consent of Article 2(h), in order to avoid confusion.
- “Unambiguous consent” which encompasses explicit consent but also consent resulting from unambiguous actions should remain the required standard. This choice gives more flexibility to data controllers to collect consent and the overall procedure may be quicker and more user friendly.
- Include wording reflecting interpretations of consent by case law and Article 29 WP Opinions.
- Include enhanced protection rules for individuals lacking legal capacity, such as children.