Privacy & Information Security Law Blog

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

Below are some of the Working Party’s key conclusions:

• Only statements or actions that indicate the data subject’s agreement constitute valid consent.  Mere silence or inaction (opt-out) typically will not be viewed as valid consent, especially in an online context.  For example, default privacy settings used by online social networks, default Internet browser settings or pre-ticked boxes do not qualify as valid consent.
• Consent must be given prior to the data processing, after providing notice to the data subject.  The notice should be provided in clear and understandable language.
• In an employment context – where there may be an element of coercion – careful assessment is required to determine whether employees are free to consent.
• From an accountability perspective, data controllers should implement mechanisms to prove that they have obtained data subjects’ valid consent.
• Reliance on consent does not relieve data controllers of their obligation to comply with other EU data protection requirements for lawful processing of personal data, such as the principle of proportionality.
• If a data subject withdraws his or her consent, the data controller must delete any personal data pertaining to the data subject unless there is another legal basis that justifies continued storage of the data.
• A revised data protection framework should include specific provisions concerning the protection of minors, such as requiring online age verification mechanisms and information that is understandable to children.  Consent should not provide a basis for targeting underage consumers in the context of online behavioral advertising.
• The Working Party believes that it not necessary to include a general requirement for “explicit” consent in the revised EU data protection framework, and takes the position that, in most cases, data controllers should be able to obtain consent quickly and in a user-friendly manner.  The Working Party does, however, favor the introduction of a specific provision regarding the right to withdraw consent.