Out-Law News 4 min. read
11 Mar 2013, 10:30 am
Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that recent comments by the EU's Justice Commissioner Viviane Reding demonstrate a greater willingness to accept a softening of "prescriptive" provisions that the European Commission has previously drafted.
Officials from EU governments and groups of MEPs have been engaging in separate processes to scrutinise the Commission's draft General Data Protection Regulation, first published in January 2012, with a view to agreeing on an amended framework to put to a formal vote of the European Parliament and Council of Ministers.
In an update on the current state of negotiations at a cloud computing conference in Brussels last week, Reding accused "certain lobbyists" of "scaremongering" over proposed reforms to rules governing 'consent' to the processing of personal data. Under the Commission's plans, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".
Under the existing EU laws on data protection personal data may be processed if a person has given their unambiguous consent or if one of a number of other limited grounds set out in the law apply.
Reding said, though, that there had been an "overblown discussion" on the topic of consent and that concerns about the practical affects of having to obtain 'explicit' consent were misplaced. She said that marketing groups would be able to rely on another legal basis for processing personal data that would not involve them having to obtain consent.
"What will [the change from unambiguous to explicit consent] mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists," Reding said. "Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes."
"At the moment, consent is one of several bases which make the processing of personal data lawful. For instance, a business can process personal data for commercial purposes so long as it does not have a significant effect on the rights of the person concerned. This is called the 'legitimate interests' ground. The Commission has not proposed to change this. 'Legitimate interests' is the ground that is currently used by the marketing industry for example. It will continue to be used by the marketing industry. From the perspective of this Regulation, consent is irrelevant in such cases. It will continue to be irrelevant," she said.
Scanlon said, though, that the online advertising industry knows well that there are cases where marketing activities are governed by the rules on consent. Under the EU rules on privacy and electronic communications (e-privacy), organisations cannot send unsolicited electronic marketing communications to individuals unless the recipient has given their prior consent.
In addition, Scanlon said that e-privacy consent rules also impact on online behavioural advertising. The rules prohibit the storing and accessing of information on individuals' computers unless "the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".
Publishers and advertising networks use 'cookies' to track user behaviour on websites and use the information they glean to display adverts based on the apparent interests of those users.
"In the context of online behavioural advertising, understanding consent requirements is a real and central concern," Scanlon said. "Given that even under the current laws the 'legitimate interests' ground to process is not absolute and cannot always be relied upon, businesses have very good reason to be concerned about the introduction of an expression - explicit consent - which could be interpreted more stringently and make the obtaining of consent practically more difficult in an online communication context."
Reding's comments on the 'legitimate interests' are at least a clear indication though that there is some pull back and distancing from the more extreme position taken by the European Parliament's rapporteur on the data protection reforms." The European Parliament's rapporteur had proposed that organisations' ability to rely on that basis for processing personal data be limited to 'exceptional circumstances'.
Scanlon also said that businesses would also welcome the suggestion by Reding that the practice of pseudonymising data could trigger a reduction in their proposed data protection obligations.
"We should encourage companies to use pseudonyms rather than the actual names of persons," Reding said in a speech at a meeting of the Justice Council late last week. "This makes sense. It is in the interest of citizens. For pseudonyms to be used, you need to create incentives. Lighter obligations on privacy by design or on notification of breaches are candidates."
"But I would sound a note of caution: Pseudonymous data is personal data. It relates to an identified or identifiable natural person and has to be protected under the [EU] Charter [of Fundamental Rights] and EU law," she said. "I am happy to work on the notion of pseudonymous data but I will be vigilant. We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the Regulation, allowing the non-application of its provisions."
A recent Council of Ministers document outlined efforts to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.
In a separate development one of the committees looking into the data protection reforms at the European Parliament has proposed that the Commission's draft Regulation be altered in order to allow employers to rely on staff consent to certain personal data processing activities.
The Commission's proposal, if introduced, would prohibit organisations from relying on consent as a legal basis for such processing where there is a "clear imbalance" between those organisations and individuals. It said that this imbalance exists in an employment context, however the Committee on Employment and Social Affairs has said such a blanket approach in an employment setting was not justified.
Employers should be able to rely on employees' consent to personal data processing where that processing is "intended to have primarily legally or financially advantageous consequences for the employee", the Committee has proposed.
