Regulators' clash on consent shows cultural differences could ruin ideal of one data protection law for EU, says expert

Hamburg and Ireland's data protection authorities have clashed on what organisations need to do to obtain lawful consent to the processing of personal data under the EU's Data Protection Directive. 

The German watchdog criticised its Irish counterparts' sanctioning of an opt-out consent mechanism used by Facebook and claimed consent rules under the Directive prohibit them. However, Ireland's deputy data protection commissioner has defended its regulation of the Directive in response to questions posed by Out-Law.com and said there is no bar on opt-out consent under the EU regime. 

The Directive is currently implemented differently by each EU country but is set to be replaced by a new General Data Protection Regulation. The Regulation will set a single law that will have uniform effect across the entire trading bloc. However, information law expert CerysWyn Davies of Pinsent Masons, the law firm behind Out-Law.com, said that the reforms will not guarantee a single interpretation of the rules by regulators. 

"Many of the fundamental underlying issues central to data protection law, like consent, are not exclusively abstract legal concepts," Wyn Davies said. "Consent is not an absolute objective concept that can be weighed in isolation. Its meaning is influenced by other factors, notably culture and attitudes of society as a whole. This disagreement between the Hamburg and Irish data protection authorities highlights this." 

"The new General Data Protection Regulation is aimed at ending the fragmented way in which data protection is regulated across the EU. Uniform rules would give greater clarity to businesses as they embrace new technology, but this case proves that companies are likely to see different interpretations of the new rules in practice. This could lead to uncertainty over compliance and hamper business innovation and consumers' access to exciting new products and services," Wyn Davies said.

Under the proposed new Regulation, a new framework encouraging data protection authorities to cooperate on cross-border data protection cases is being set up. However, both the UK and Ireland have raised concerns about how the 'one stop shop' mechanism will work in practice, and one expert has described the proposals as "a mess". 

"The 'one stop shop' mechanism promises much but it could result in complaints taking months to resolve through a messy procedural process, and even then the substantive issue in a case, such as when is consent actually given, could be considered differently depending on whether the case is resolved by two like-minded authorities, or the new European Data Protection Board," Wyn Davies said. 

In a recent speech, Johannes Caspar, data protection commissioner in Hamburg, said that opt-out consent mechanisms are "incompatible to the right to informational self determination of the individual user". 

He said that organisations' seeking to rely on people's consent to process personal data under the Data Protection Directive cannot be said to have the unambiguous consent they need under the rules if the mechanism for consent is not based on a person taking "an action". 

"The failure to perform an action – deactivation – may not be interpreted as consent on the part of the user," Caspar said. He said that opinions issued by the Article 29 Working Party on the processing of biometric data and the requirements of consent support its view, but that the Irish data protection authority went against this view when the watchdog considered whether Facebook introduced facial recognition technology with the valid consent of users. 

"In their first audit of Facebook Ireland they accepted Facebook's argumentation that users give their consent to all of the network’s conditions of use, including the guidelines on data usage and that this provides a substantive legitimation to the collection of users’ biometric face profiles," Caspar said. "This opinion ignores that with the opt-out feature Facebook does not fulfil the requirements of the EU Data Protection Directive." 

Caspar said Ireland's data protection laws are "a deficient implementation" of the Data Protection Directive. However, Ireland's deputy data protection commissioner John O'Dwyer told Out-Law.com that there is "absolutely no basis for this comment". 

O'Dwyer said: "The Directive was transposed into Irish legislation through the Data Protection
Acts 1988 and 2003. No issues regarding this transposition have ever been raised by the EU Commission nor have there been any challenges to those Acts in terms of their transposition." 

He said that the definition of consent under Irish data protection laws is drawn "directly" from the Directive and that "neither the EU Directive nor Irish law mention any specific means or controls that a data controller may use in order to obtain or express consent".

O'Dwyer said that an Article 29 Working Party opinion on consent had noted that there are "no limits as to the form consent can take". The opinion said that consent "requires indication" but that there is "the possibility of a wide understanding of the scope of such an indication".