Out-Law News 2 min. read

Opt out consent 'incompatible' with 'the right to informational self-determination', says Hamburg watchdog


Forcing consumers to de-select pre-ticked boxes to prevent businesses collecting, using and disclosing their personal information goes against their "right to informational self determination", a data protection watchdog in Germany has said.

Professor Johannes Caspar, the data protection commissioner in Hamburg, said businesses should be forced to obtain people's explicit consent to the processing of their personal data when they seek to rely on consent as the legal basis for processing that information.

In a speech, Caspar criticised plans backed in principle by the Council of Ministers which would enable organisations to process personal information if they had unambiguous consent to do so.

Justice ministers from across the EU backed the unambiguous consent wording earlier this month as they edged closer to agreement on a new General Data Protection Regulation for the trading bloc. Agreement was qualified on the basis that "nothing is agreed until everything is agreed". The draft Regulation, which would replace the existing EU Data Protection Directive, was originally proposed by the European Commission in 2012 but has been the subject of intense debate and negotiation since.

"The proposal of the Council … falls back not only beyond the proposal of the Commission but also beyond the EU Directive," Caspar said. "Instead of an explicit consent required by the proposal of the Commission mere unambiguity shall be sufficient. That would open the way to opt-out-solutions which in fact are incompatible to the right to informational self-determination of the individual user."

"A central requirement for the ongoing debate on the data protection regulation is to implement a definition which states that consent of the users always has to be given explicitly," he said.

Caspar also made recommendations on how the new 'one stop shop' mechanism should operate.

The one stop shop regime, as originally envisaged, was aimed at streamlining oversight of data protection in the EU by enabling businesses to engage with just a single regulator in the country of their main establishment within the EU with limited input from regulators based elsewhere. However, those plans look set to be watered down, with the Council of Ministers giving their qualified support for rules that would ensure data protection authorities (DPAs) across the EU countries can have a greater say in important cross border data protection cases.

Caspar said: "It is of great importance that the exclusive supervisory responsibility of the authority at the location of the headquarters of the data controller must not lead to a forum-shopping of major Internet companies. Otherwise we might face a race to the bottom in protecting the privacy in the EU."

"The general Regulation therefore has to find clear and transparent procedures which provide effective provisions for the law enforcement. Consideration should therefore be given to the question of arming those supervisory authorities with particular rights for the case that the leading authority should remain inactive," he said.

"A view on the actual proposal of the Council … raises doubts whether the procedure of the one stop shop will be effective enough for law enforcement. Complex and time consuming procedures among the involved parties, the lead authority, the concerned DPA and the European Data Protection Board, could stifle even well intentioned provisions," Caspar said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.