Tuesday, July 19, 2011

Working Party Opinion on Consent 15/2011

On July 13 the Article 29 Working Party issued Opinion 15/2011 on the definition of consent.

In their words:
“The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive. Drawing on the experience of the members of the Article 29 Working Party, the Opinion provides numerous examples of valid and invalid consent, focusing on its key elements such as the meaning of "indication", "freely given", "specific", "unambiguous", "explicit", "informed" etc. The Opinion further clarifies some aspects related to the notion of consent. For example, the timing as to when consent must be obtained, how the right to object differs from consent, etc.”

The opinion, all 38 pages of it, answers some of the questions that face many organizations when it comes to tactical privacy decisions involving consent. It has many real-world examples, and gives great insight into the WP's thinking on possible future changes. It is easy to fall into the trap of only looking at 95/46 and not taking the various member state implementations into account, and consent is no exception to this rule.

Following are some items to consider when making decisions based on consent.

- Currently, the Council’s definition of consent is
"any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
- Consent should not be used as an exemption from other data protection principles; you still need to process for purpose, use limitation, openness, etc.
- Consent is a weak basis for justifying the processing of personal data, and loses even more value when stretched to include items not in the original scope of the processing or for other purposes is not sufficient to prove consent
- Subjects should be able to exercise a real choice when consenting, and negative consequences for non-consent are not a good idea (duh!)
- Consent must be specific, and for the exact purpose of the processing
- Controllers should review data subject’s choices periodically
- Consent should be verifiable, and you should maintain proof of the consent
- Consent in the case of sensitive personal data must be explicit
- Explicit consent in the on-line world may be a clickable button, but not the lack of clicking or un-checking a default. In other words, inaction typically will not be viewed as valid consent
- Be careful when using consent in the employment context. The WP’s stance on employee consent remains as it was in WP48 and WP 114

“where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent.… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”
