Out-Law / Your Daily Need-To-Know

Out-Law News

Explicit consent should only be required for sensitive personal data processing, say EU Ministers


Organisations seeking to rely on individuals' consent for personal data processing should generally not be required to ensure that that consent is explicitly given, EU Ministers have said.

Only if organisations are processing sensitive personal information, such as individuals' medical records, should they require individuals' explicit consent to do so, they said.

The Irish Presidency of the Council of Ministers said that most EU member states were opposed to suggested new consent rules, first proposed by the European Commission.

Under the draft General Data Protection Regulation published by the Commission in January 2012, businesses would need to obtain the explicit, freely given, specific and informed consent of individuals, through a statement or "clear affirmative action", if they were seeking to rely on consent to process personal data. The draft Regulation, similarly to the existing data protection regime, would allow personal data processing to take place without consent under some circumstances.

Currently, organisations seeking to rely on individuals' consent must ensure that the consent they obtain is "unambiguous". Some business groups are opposed to the move from requiring 'unambiguous' consent to needing 'explicit' consent, and a note issued by the Irish Presidency of the Council of Ministers (12-page / 155KB PDF) has now revealed that most EU member states believe it is "unrealistic" to force companies to obtain explicit consent from individuals.

"The majority of Member States agree that the requirement for ‘explicit’ consent in all cases - which differs from the requirements of the 1995 Data Protection Directive - was unrealistic," according to a note issued by the Irish Presidency.

The Irish Presidency has published the latest version of the draft Regulation (95-page / 391KB PDF) that EU Ministers are still working on. Under the current plans unambiguous, rather than explicit, consent would be required by businesses processing personal data. In a statement, Alan Shatter, Ireland's Justice Minister, said that there was "significant support" among EU countries for the latest proposals on the issue of consent.

"Consent should be given unambiguously by any appropriate method enabling a freely-given, specific and informed indication of the data subject's wishes, either by a written, oral or electronic statement or by a clear affirmative action by the data subject signifying his or her agreement to personal data relating to him or her being processed," according to the latest draft plans. "This could include ticking a box when visiting an Internet website or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent."

"Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided," the text states.

Organisations wishing to process personal data that reveals individuals' racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade-union membership, or wishing to process genetic data or information concerning individuals' health or sex lives, would require individuals' explicit consent to do so, under the EU Ministers' proposals.

Earlier this year the European Data Protection Supervisor, which advises EU institutions on data protection and privacy matters, called for the requirement for explicit consent to be "maintained" in the final version of the legislation.

The watchdog said: "It provides for some flexibility as to its manner of expression (by a statement or a clear affirmative action) and builds on the requirement of 'unambiguous' consent which constitutes an essential element of the overall balance of data protection since 1995. EU data protection authorities have consistently interpreted the requirement of [existing rules under the 1995 Directive] that the consent be 'unambiguous' as meaning that such consent needed to be 'explicit' (so that, for instance, a lack of action or silence cannot be considered as unambiguous)."

MEPs are separately working on forming another amended version of the European Commission's original draft Regulation. Only once MEPs and EU Ministers have settled on, and voted to accept, a single version of the text can the new framework be introduced.
