Out-Law Analysis

What data protection reform will mean for obtaining 'customer consent'


FOCUS: If a business wants to process data that relates to a person located in the EU, it must comply with EU privacy laws. One of the easiest ways to lawfully process personal data is to obtain consent from the person whose data the business would like to process.

But how does a business demonstrate that it has obtained valid consent from a customer or user of its services? This is one issue that remains controversial as review continues at EU level of the European Commission's proposal for a new EU-wide data protection law - the General Data Protection Regulation.

If current proposals for new data protection laws are implemented then rules about consent could cripple innovative businesses that increasingly rely on data to provide services.

What does the current law say?

Under the existing Data Protection Directive, for a business to rely on consent as a valid ground for processing personal data, the consent must have been unambiguously given, 'freely' given and not given under compulsion or as a result of an act of deceit, and constitute a "specific and informed indication" of a person's wishes for data to be processed.

If the consent relates to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life, it must be provided in a way so that it could be described as 'explicit consent', which can be contrasted with 'implied consent'.

Where these conditions are met, data can be transferred to countries outside the EU and shared with another business or organisation.

How has this been interpreted?

The Article 29 Working Party has said that for consent to be 'unambiguously given' the procedures for obtaining it "must leave no doubt as to the data subject's intention", and enable the data subject to give an "active indication" of his or her wishes. At a minimum some form of "active behaviour" is required, according to the Working Party.

For consent to be 'freely given' the Working Party says that the business seeking consent should be able to demonstrate that there is "no risk of deception, intimidation, coercion or significant negative consequences if consent is not given."

To be 'specific and informed' means that "blanket consent without specifying the exact purpose of the processing is not acceptable". If there are multiple purposes for which data may be processed, each would need to be listed.   

What did the Commission's proposal say in 2012 about consent?

In the Commission's proposal for a new General Data Protection Regulation, it said that whenever a business relies on consent as a valid ground for processing personal data, that consent should be 'explicitly' given. This would change the current position where consent only need be 'explicit' where a business wants to rely on it as a basis for processing sensitive personal data.

Explicit, freely given, specific and informed consent obtained through a statement or "clear affirmative action" would be required by businesses seeking to rely on individuals' consent to go ahead with personal data processing. The Commission said consent to such processing would not be legally valid if obtained where there is "a significant imbalance between the position of data subject and the controller", and said individuals should also be given the right to withdraw their consent at any time.

What does the European Parliament's amended version say about consent?

For the proposed new data protection rules to be introduced, the Commission, the European Parliament and EU's Council of Ministers must formally agree on the same wording. However, there are major differences between the Parliament and Council on a number of the areas of prospective reform, including notably in relation to the 'consent' rules.

The Parliament has given its backing to the new definition of 'consent' suggested by the Commission. It too believes consent needs to be "freely given, specific, informed and explicit" and provided "either by a statement or by a clear affirmative action". The burden of demonstrating that the legal standard of 'consent' has been achieved would lie with organisations.

The Parliament has set out more detail than the Commission to help businesses understand what practices will be acceptable. For example, it has said consent would not be considered 'freely given' if individuals are forced to provide personal information which is "not necessary for the provision of a service" when signing up to that service. 'Free' consent would also not be said to be obtained, under the proposals, if businesses pre-select 'tick' boxes relating to data processing activities that individuals would need to "modify" to express their objection to those processing operations.

The Parliament specifically demands that it should be "as easy to withdraw consent as to give it" under the reforms and that individuals need to be told if their withdrawal of consent would lead to "termination of the services provided".

In addition, the Parliament wants consent to processing to be "purpose-limited". Consent for each individual processing purpose would be invalidated where a purpose "ceases to exist" or if the data is "no longer necessary for carrying out the purpose for which they were originally collected", under its proposals.

Under the Parliament's rules, consent would be a valid legal basis for businesses wishing to transfer personal data overseas so long as the individuals concerned are "informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards".

EU justice ministers looking at a two-tiered consent regime

Whilst MEPs gave their backing to an amended version of the Commission's original proposals last spring, despite giving consideration to more than 4,000 suggested changes to the Commission's draft, no such consensus has been reached by justice ministers from across the EU under the Council of Ministers framework.

However, under a provisional agreement reached in December last year, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is "unambiguous". In other words, it seems that they back the broad legal standard for consent that exists under current EU data protection laws.

A leaked working document later in December last year revealed further details about the current direction of travel by the Council on the data protection reforms and the consent rules more specifically.

That document said that regardless of the method for gaining consent that is used, organisations should ensure the consent given is a "freely-given, specific and informed indication of the data subject's wishes, either by a written, oral or other statement or by a clear affirmative action by the data subject signifying his or her agreement".

The Council's paper stated that consent could not be considered to be 'informed' unless individuals are told who the data controller is and the purposes for which they intend to process their data. Consent would not be 'freely-given' if the individual has "no genuine and free choice and is unable to refuse or withdraw consent without detriment", it said.

However, the ministers appear to be considering giving their support to maintaining the two-tiered legal standard for consent to personal data processing that is provided for under the current law. For processing information falling within selected listed special categories of data, such as health data or information about political or religious beliefs, organisations would require individuals' explicit consent, according to the proposals.

Overseas transfers of personal data could be facilitated with individuals' explicit consent, under the Council proposals.

Implications for businesses

There are many competing interests underpinning the reform discussions on consent. It is important however, that the differing views of the Commission and the Parliament on the one hand, and the Council on the other, do not result in impractical solutions. Data privacy and the value that processing and re-using personal data can bring to consumers, economies and more generally society as a whole need to be carefully balanced.

The Commission's proposal that the legal validity of consent should depend on whether or not a 'significant imbalance' between the parties exists is concerning. The UK Information Commissioner's Office (ICO) in its analysis of the Commission's proposal for the General Data Protection Regulation said in regard to this proposed condition that "determining whether there is a ‘significant imbalance’ between an individual and a data controller is difficult to do in practice". It said that whilst it "fully accept[s] that genuine consent depends on freedom of choice, it is still possible to have genuine consent within a basically ‘imbalanced’ relationship – for example in respect of certain aspects of employer – employee data processing."

In a business-to-consumer context, it often may be difficult to demonstrate that the relationship is balanced. Where a business provides a service that has unique attributes - for example, the number of users that Facebook and LinkedIn have means that there are currently no services that can act as effective substitutes for their services - it may never be possible to conclude that the relationship is 'balanced'.

Most businesses are striving to gain competitive advantage by demonstrating the uniqueness of their products, services and business models. If the Commission's 'significant imbalance' condition were to succeed, it could mean that all attempts at obtaining consent by businesses that provide unique services might be subject to legal challenge on the grounds that valid consent has not been obtained. Limiting the ability of businesses to provide unique products and services benefits no-one.

The Parliament's argument that businesses should not be able to rely on implied consent is equally concerning. As the ICO has also pointed out, doing away with implied consent could result in unnecessarily overburdening both service providers and consumers. The ICO has highlighted that under a 'no implied consent regime' "when you buy a book online, for example, there would have to be separate consent to use your details to despatch the book and take payment. Consent could not be implied from the customer’s decision to buy the book. This could be onerous and in many cases pointless."

These are just two examples of the concerning implications the General Data Protection Regulation could have for businesses if a poorly worded version is agreed upon. It is as yet unclear how the clash between the Council and Parliament will be resolved when the institutions come round to negotiating an agreement on the new Regulation. Talks are expected to take place later this year. Ensuring that the Council engages effectively with the Parliament should therefore be viewed as a policy engagement priority in the coming months for all businesses that rely on processing personal data.

Luke Scanlon is a technology law expert for Pinsent Masons, the law firm behind Out-Law.com. This article is part of a series examining EU data protection reform. You can also read our views on data protection impact assessments and the duty to appoint data protection officers.
