The gold standard for consent
19 July 2011
This article was first published in Data Protection Law
& Policy in July 2011.
Irrespective of whether one agrees or disagrees with the Article
29 Working Party’s Opinion on the definition of consent, the
Working Party should at least be praised for taking a clear-cut
line on this issue. Never before has the group of EU data
protection authorities carried out such a detailed assessment of
one of the legal grounds for the use of personal information.
If there was ever any doubt as to where the regulators stood in
terms of the conditions for obtaining individuals’ consent, that is
no longer the case. Whether their assessment is entirely
correct is a different matter and deserving of debate.
Here are the bottom lines of the Working
Party’s Opinion:
- Consent has to be given before the
processing starts.
- Consent differs from the right to object –
basically, just allowing people to opt out is not good
enough.
- Consent based on an individual’s inaction
or silence would normally not constitute valid consent, especially
in an online context.
- A situation of subordination often
prevents consent from being free.
- Blanket consent without specifying and
separating each purpose of the processing is not acceptable.
- The mere availability of information is
not good enough for consent to be informed – the information should
be provided directly to individuals.
- Consent must always be unambiguous so that
there is no reasonable doubt about the individual’s intention.
- Evidence of consent should be created and
retained, so that consent is verifiable.
- And finally, the measures used to ensure
that consent is verifiable should be put at the disposal of the
data protection authority upon request.
To summarise, this is the gold standard for
consent and anything below that is simply not enough. There
is no middle ground. No wavering for the sake of
pragmatism. As far as the EU data protection authorities are
concerned, consent is basically a rock-solid prior opt-in.
Anything less will not cut it. But there is one problem with
this stance: data protection is not mathematics. Privacy and
data protection compliance always involve a balance of interests,
and this balancing exercise does not come across in the
Opinion. In other words, the Working Party’s approach is just
too dogmatic. Wherever there is room for legal
interpretation, the Opinion invariably chooses the most
conservative approach.
There are three aspects of the Opinion
where this approach is particularly extreme. The first is
that, whilst the Working Party briefly concedes that consent can be
reasonably concluded from behaviour, its position is that only some
kind of positive action will qualify as proper consent.
However, this ignores that in the real world ascertaining consent
is a matter of assessing the level of certainty arising from an
individual’s behaviour. The onus of this should of course be
on the data controller, but there will be situations where it may
be perfectly reasonable to accept someone’s passive behaviour as
consent – particularly when the use of that person’s information is
within their expectations and ultimate control.
Another extreme position adopted by the
Working Party is in respect of the requirement for all consent to
be unambiguous and for that unambiguity to be based on express or
unmistakable actions. Because the standard sought by the
Working Party is so high, there is no room for such consent to be
implied – at least not in an online environment. This results
in another extreme assessment of the requirement for consent in the
specific situation regarding the use of Internet cookies under the
e-privacy directive. In this respect, the Working Party
demands both prior and express consent, irrespective of the uses
made of those cookies.
The outcome is somewhat disproportionate. The e-privacy
directive itself distinguishes between different purposes for which
third parties may wish to store or gain access to information
stored in the terminal equipment of an Internet user. These
purposes will range from the legitimate – in particular, cookies –
to those involving an unwarranted privacy intrusion, such as
spyware or viruses. Therefore, a balanced and realistic
assessment of the requirement for consent should take those
differences into account and aim not just for a blind gold
standard, but for the right and reasonable standard. Even if
it is at the expense of complete legal certainty.