August 8, 2011
On July 13, 2011, the EU’s Data Protection Working Party issued its Opinion 15/2011 on the definition of Consent (the "Opinion"), providing a thorough analysis of the concept of consent in EU Data Privacy law, and in particular in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (the "Data Protection Directive") and Directive 2002/58/EC, as amended by Directive 2009/136/EC, concerning the processing of personal data and the protection of privacy in the electronic communications sector (the "e-Privacy Directive").
Even though consent has always been a key notion in EU Data Protection law (in particular, it is one of several legal grounds enabling the processing of personal data under the Data Protection and e-Privacy Directives), it has not always been clear, according to the Working Party, where consent is needed and what conditions have to be fulfilled for consent to be valid. As EU Data Protection law is not fully harmonized, according to the Working Party, there is a risk of different approaches and divergent views of best practices in different Member States, which might weaken the position of data subjects. The Working Party’s goal with the Opinion is to analyze in detail the requirements for "consent" to be valid under the Data Protection Directive and the e-Privacy Directive, and thus to ensure a common understanding of the existing legal framework. The analysis is illustrated with practical examples based on national experiences. Also, the Working Party prepared its Opinion in response to the European Commission’s request for input regarding the concept of consent in the context of its ongoing review of the Data Protection Directive (more information on which can be found at the website of the European Commission).
General considerations regarding data privacy and consent in the EU
Data privacy is viewed as a fundamental right within the EU and each Member State is required to enact legislation consistent with the principles of the Data Protection Directive regarding the collection, processing and transfer of personal data. The Directive defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’)." Processing is described as "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See Data Protection Directive, Article 2.
Personal data may be processed based on any of the following six grounds: (1) the consent of the data subject, which must be explicit in the case of certain "sensitive" data; (2) the performance of a contract to which the data subject is a party; (3) for compliance with a legal obligation to which the controller is subject; (4) to protect the vital interests of the data subject; (5) to perform a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or (6) for purposes of the legitimate interests pursued by the controller or by the third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The Opinion uses purchasing an automobile as an example of how a number of legal grounds for processing can apply. Information related to the sales contract may be processed because it is necessary for performance of the contract. Processing of the automobile’s papers is necessary for compliance with a legal obligation. Information related to client management services such as automobile servicing by different affiliates throughout the EU may be considered necessary for a legitimate purpose, and under these circumstances the transfer of the information to a third party may be valid. The transfer of information to third parties for marketing purposes, according to the Opinion, would not be justified as necessary for a legitimate interest. For such a transfer to occur, the seller would need to obtain the purchaser’s consent. See Opinion 15/2011 at 8.
The Data Protection Directive requires that consent must be freely given, specific, informed and unambiguous. The European Commission recently observed that Member States have taken divergent approaches to consent, ranging from requiring written consent to accepting implied consent. Additionally, the Commission stated that it is sometimes not clear what constitutes valid consent in the online environment, such as in the case of behavioral advertising, where Internet browser settings are considered by some Member States, but not by others, to provide the user’s consent.
Highlights of the Opinion include the following:
Consent entails an affirmative indication
The Data Protection Directive provides that consent means a "specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed." See EU Data Protection Directive, Article 2(h) (emphasis added). Although the Directive does not define the form of indication required, the Working Party in its Opinion states that the minimum expression of an indication "could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller." See Opinion at 11.
The words "indication" and "signifies," according to the Opinion, suggest an affirmative action is necessary. See id. "In practice, in the absence of active behavior of the data subject, it will be problematic for the data controller to verify whether silence was intended to mean acceptance or consent." Id. at 12. The Opinion presents the example of sending a letter to customers informing them of an intended data transfer unless they object within two weeks, to which only 10% respond. The Opinion states that it is questionable whether the 90% who did not respond consented to the transfer–the data controller would have no clear indication of the data subjects’ intent and no evidence to demonstrate that he obtained consent. See id.
Consent should be freely given
The Opinion states that consent can only be valid if the data subject "is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he or she does not consent." Id. In the employment context, for example, employees must be able to provide or withhold consent without fear of negative consequences from their employer. Where consent is a condition of employment, it would not be freely given and another legal basis for processing would be required. In the health care context, if patients must pay substantially more for health care services if they refuse the use of electronic health records, then their consent would not be freely given. See id. at 15.
Consent should be specific
To be valid, the data subject must understand, when giving consent, that the data will be treated in a specific way. "[B]lanket consent without specifying the exact purpose of the processing is not acceptable." See id. at 17. For example, in the social networking context, the Opinion states that it may be inappropriate to require blanket consent to behavioral advertising as a condition for access to a social networking site. "Considering the importance that some social networks have acquired, some categories of users (such as teenagers) will accept the receipt of behavioral advertising in order to avoid the risk of being partially excluded from social interactions." Id. at 18. The user, according to the Opinion, "should be put in a position to give free and specific consent to receiving the advertising, independently of his access to the social network service." Id. (emphasis added). It suggests that a "pop-up box" could be used to offer such a possibility. See id.
Consent should be informed
The Opinion states that data controllers should also ensure that data subjects are fully informed of how their data will be treated. Subjects should be made aware of the "nature of the data processed, purposes of the processing, the recipients of possible transfers, and the rights of the data subject." Id. at 19. They should also have an awareness of the consequences of not consenting. See id.
Information should be provided in a manner in which the "average user" should be able to understand it–e.g., "in plain text, without use of jargon, understandable, conspicuous." Id. The information should be accessible and clearly visible, such that the average user can understand how his or her personal data is being used. Id. at 20. The information "must be clearly visible (type and size of fonts), prominent and comprehensive." Id.
The Opinion states that informed consent is particularly important when personal data will be transferred to third countries. For example, the data subject should be properly informed "of the particular risk that his [or] her data are to be transferred to country lacking adequate protection" of personal data. Id. at 19.
Consent should be unambiguous
For consent to be valid under the Directive, it must also be unambiguous. The Opinion states that the procedures for obtaining consent, therefore, "must leave no doubt as to the data subject’s intention to deliver consent." Id. at 21 (emphasis in original). It states that if there is reasonable doubt as to one’s intention, then there is ambiguity. Id. The Opinion cites a recent decision of the European Court of Justice, in which recipients of EU agricultural subsidies signed a statement saying, "I am aware that Article 44(a) of Regulation No. 1290/2005 requires publication of information on the beneficiaries . . . and the amounts received per beneficiary." See id. at 22. Yet, the Advocate General held that the conditions for unambiguous consent were not met because "acknowledging prior notice that publication of some kind will happen is not the same as giving ‘unambiguous’ consent to a particular kind of detailed publication." Id. (emphasis added).
The Opinion also provides an example of an online game provider requiring players to provide their age, name and address, ostensibly for the purpose of matching players by age and address. The website contains a notice, accessible through a link (but it is not necessary to access the notice to participate in the game), stating that by using the website players are consenting to their data being processed to deliver them marketing information. The Opinion states that this would not constitute unambiguous consent because participating in the game "is not tantamount to giving unambiguous consent to the further processing of their personal information for purposes other than the participation in the game." See id. at 23. Similarly, the Opinion states that default privacy settings on a social networking site would not be considered unambiguous consent because of uncertainty as to whether the data subject means to signify consent by not changing the default settings. See id. at 24.
A data subject may give consent orally, in writing, or by implication. An example of implied consent is where a venue informs individuals that photographs will be taken during a particular period of time for use in advertising materials, and the individuals then choose to be at the venue when the photographs are taken. See Opinion at 23. If, however, data falls within certain "special categories" (e.g., racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, health, etc.), then consent cannot be inferred. Data subjects must explicitly consent to processing under these circumstances–meaning an active response, oral or in writing, whereby the individual expresses his wish to have his data processed for certain purposes. See id. at 25, 35. The Opinion states that an opt-out solution, such as a pre-ticked box, would not be sufficient. Id. at 35.
Although documentation of consent is not expressly required, the Opinion suggests that data controllers document and retain evidence of consent, so that if there is ever a question regarding consent controllers can prove consent based on the documentation. Id. at 26.
Consent and the e-Privacy Directive
The Opinion also comments on several matters relating to the e-Privacy Directive. The e-Privacy Directive supplements the Data Protection Directive and provides guidance regarding how personal data should be processed "in the electronic communication sector" to ensure that data can freely move between Member States, while also protecting the privacy rights of individuals. See e-Privacy Directive, Article 1. The Opinion states that when consent is required under the e-Privacy Directive, the same criteria apply as under the Data Protection Directive. See Opinion 15/2011 at 29.
Among other provisions requiring consent, the e-Privacy Directive requires that all parties to a communication must consent to its processing and that one party’s consent alone is insufficient. See id. at 30. According to the Opinion, this means–among other things–that Internet behavior cannot be tracked without the user’s consent. See id at 30-31. Consent should be active and cannot be implied by default browser settings or pre-clicked boxes. See id. In other words, an Internet user should be given the opportunity to control privacy settings and understand what type of information is being obtained when browsing the Internet.
Reform of the Data Protection Directive
Finally, the Opinion notes that the Data Protection Directive is under ongoing review and it makes several recommendations for consideration in the review, including: (1) clarifying the meaning of "unambiguous" consent and explaining that only consent that is based on statements or actions to signify agreement constitutes valid consent; (2) requiring data controllers to put in place mechanisms to demonstrate that they obtained valid consent; (3) adding an explicit requirement in the Directive regarding the quality and accessibility of the information forming the basis for the consent; and (4) a number of suggestions regarding minors and others lacking legal capacity.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you work, any of the following, or any member of the firm’s Electronic Discovery and Information Law Practice Group or Information Technology and Data Privacy Practice Group.
United States
S. Ashlie Beringer – Palo Alto (650-849-5219, [email protected])
Gareth T. Evans – Los Angeles/Orange County (213-229-7734, [email protected])
G. Charles Nierlich – San Francisco (415-393-8239, [email protected])
Jennifer H. Rearden – New York (212-351-4057, [email protected])
M. Sean Royall – Dallas (214-698-3256; [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (213-229-7472, [email protected])
Europe
James Barabas – London (+44 20 7071 4253, [email protected])
James A. Cox – London (+44 207 071 4250, [email protected])
Andrés Font Galarza – Brussels (+32 2 554 7230, [email protected])
Bernard Grinspan – Paris (+33 1 56 43 13 00, [email protected])
Daniel E. Pollard – London (+44 207 071 4257, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Mark Zimmer – Munich (+49 89 189 33-130, [email protected])
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.