I did a presentation at the EEMA eID Interoperability conference last month on alternatives to “consent” in federated access management. At the moment consent seems to be the most often cited justification for processing personal data – websites frequently say that “by using this site you consent to…”. The problem with this is that the individual using the site may not have much choice about using the site if doing so is a legal requirement, necessary for their job, or even just an inevitable result of a decision. Once I choose to book a hotel room and pay by credit card it’s inevitable that the hotel and the card processor will both process my personal data: I can’t withdraw my “consent” without cancelling the whole booking. Regulators are increasingly pointing that out: the Article 29 Working Party’s Opinion on Consent states that consent cannot be used when there is either direct or indirect pressure on the individual to agree (for example if the individual is an employee); the Information Commissioner’s guidance on Privacy Notices warns against offering individuals an appearance of choice that they don’t actually have (as in the hotel booking example).
Consent, in its true legal sense, is actually a poor basis for many services anyway. In law, consent must be freely given, which means it can also be withdrawn at any time; consent therefore doesn’t work for services that depend on a long-term relationship with their users. As above, consent is often also inappropriate where the site and the user have an existing relationship which may create pressure, or where decisions have any sort of complex consequences. These types of service are much better suited to the other justifications for processing personal data that are provided by the European Directive (in Article 7) and UK Law (Schedule 2 of the Data Protection Act 1998): for example that the processing is necessary:
- for the performance of a contract (often the case for employer/employee);
- to satisfy a legal obligation; or
- in the legitimate interests of the organisation or a third party, provided these are not overridden by the fundamental rights of the individual (for example to provide a service that the individual has requested, but not formally contracted for).
The Information Commissioner’s guidance is that these alternative justifications should be considered before relying on consent; the Article 29 Working Party warn that consent may be a “false good solution”.
One reason why these justifications are not more widely used may be that they are not consistently applied in different member states; indeed, in some member states the “legitimate interests” justification has been limited or omitted when transposing the Directive. However, a recent judgment of the European Court on Spain’s restricted transposition of the “legitimate interests” justification notes that all of them are required for the “operation of the internal market” and calls for more consistency. The current Directive also omits “legitimate interests” as a justification for transfers outside the EEA, with the result that many overseas transfers claim to be based on consent even though the individuals may not be in a position to give it.
However the new Data Protection Regulation proposed by the European Commission would fix both of these problems. Since the new law is a Regulation, it should be implemented much more consistently. For the first time it allows “legitimate interests” to be used for overseas transfers so long as they are not “frequent or massive”, which seems to fit many federated access management applications. The proposal also codifies in law most of the limitations on consent that have been developed by regulators and courts in the seventeen years since the current Directive was passed.
It therefore seems like a good time to review any systems that we currently claim are based on “consent”, to check whether other justifications might, in fact, be more appropriate. Where personal information is genuinely required to provide a service, another justification will often be a better fit. Consent can then be left for its proper purpose, where information is genuinely optional and the user is really able to make a free choice. This has benefits for both service providers and users. Interfaces for strictly necessary information processing only need to inform the user what will happen as an inevitable consequence of their use of a service: they don’t need to provide “I agree” buttons or other interactions that spoil the user interface. Where a service uses both necessary and optional information there are familiar examples from the real world of how to express this – we are all used to paper (and online) forms that have some (necessary) fields marked with asterisks and others left to us to choose whether we want to fill them in. Making this distinction clear avoids users feeling pressurised to disclose information that they aren’t comfortable with – something that at best encourages us to provide false information and at worst can put us off using a site at all.
Considering all the options the law provides could have benefits for everyone.