Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent! A new Opinion on the Definition of Consent from the Article 29 Working Party, probably the most authoritative body short of court cases, falls firmly into the “over-use” camp: “If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject’s control becomes illusory and consent constitutes an inappropriate basis for processing” (p2), and “Relying on consent may … prove to be a ‘false good solution’, simple at first glance but in reality complex and cumbersome”(p27). Fortunately consent is only one of six grounds for processing personal data that are provided by UK and European legislation: others include that processing is necessary for the performance of a contract between the parties, necessary to fulfil a legal obligation, and necessary for the legitimate interests of the data controller or a third party (see, for example, Schedule 2 of the UK Data Protection Act 1998). The Opinion aims to encourage those currently using consent as their justification to consider the possibility of “other legal grounds perhaps being more appropriate from both the controller’s and from the data subject’s perspective”.
The Working Party also suggest that in some cases a hybrid approach may be needed, with different grounds justifying different processing within the same transaction. Their example, of buying a car, is a little more complex than the federated access management situation I discussed recently. For a car purchase, some processing is necessary to create a valid contract between the parties, some (e.g. registering the new owner) is required by law, some (e.g. providing details to third parties who may service the car) takes place in the legitimate interests of those third parties, and some (e.g. collecting e-mail details for related advertising) is based on the buyer’s consent, which can be withdrawn at any time. Since each of those grounds gives the buyer a different opportunity to stop the processing (consent can simply be withdrawn; processing required by contract or by law cannot be stopped by the buyer alone), the distinction needs to be explained clearly to the buyer.
To determine when consent may be the right choice, the Opinion starts from the definitions in the Data Protection Directive (95/46/EC) that, in order to be valid, consent must be “freely given, specific and informed” (p6) and that the person consenting must give an “unambiguous indication” that they have done so. Each of those requirements is then considered in turn:
- Freely-given: “Consent can only be valid if the data subject [the person whose information is being processed] is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent”, and the “individual data subject … is subsequently able to withdraw the consent without detriment” (p13). The Opinion notes that questions about the validity of consent may arise when the data subject is under the influence of the data controller, for example as their employee, and where refusal of consent may have financial, emotional or practical consequences (p14). Consent will not inevitably be invalid in these circumstances, but relying on a different ground, if one is available, may lead to fewer difficulties.
- Specific: “Consent must be given in relation to the different aspects of the processing, clearly identified. It includes notably which data are processed and for which purposes … There is a requirement of granularity of the consent with regard to the different elements that constitute the data processing: it cannot be held to cover ‘all the legitimate purposes’ followed by the data controller. Consent should refer to the processing that is reasonable and necessary in relation to the purpose.” (p17). Although consent does need to be obtained separately for different uses of personal data, it does not have to be sought every time the same use occurs: “It should be sufficient in principle for data controllers to obtain consent only once for different operations if they fall within the reasonable expectations of the data subject” (p17).
- Informed: Informing the data subject is required whichever ground for processing is relied on, not just consent; however, the requirement above that consent be specific means that valid consent is impossible unless appropriate information has been provided first. The information must be “clear and sufficiently conspicuous so that users cannot overlook it” (p35) and presented in a form appropriate to the context (dense legalese is unlikely to be considered clear). As with the UK Information Commissioner’s Good Practice Guide on Privacy Notices, layered notices are suggested for the on-line environment so the user can follow links to more detailed information if they wish. However there is a warning against burying significant features of the processing (for example that it may involve disclosure to third parties, or take place overseas) in linked pages that the user can choose not to read (p23).
- Unambiguous indication: the Opinion notes that the Directive allows consent to be expressed by “any” action, so long as there is no doubt that it indicates consent. The Working Party see this as leaving room for many different, user-friendly interface designs. Consent can, therefore, be inferred from a user’s action – such as requesting a particular service – so long as there is no doubt that the user understood and intended the consequences of that action (p21). Thus consent cannot be inferred from an action that might have been taken for another reason (such as entering the range of a Bluetooth transmitter with a device enabled to receive messages (p12)), nor can it be inferred from a failure to act (e.g. not responding to an e-mail warning that processing will take place unless you advise otherwise (p24), or failing to untick a pre-ticked checkbox on a web form (p24)).
Finally the Opinion warns against viewing consent as an easy option: “consent … does not relieve the data controller from his obligation to meet the other requirements of the data protection legal framework, for example, to comply with the principle of proportionality under Article 6.1(c), security of the processing ex Article 17, etc.” (p34), “and it does not legitimise processing that would otherwise be unfair according to Article 6 of the Directive” (p9). Consent remains an important part of data protection law, but it’s far from the whole story.