Out-Law News | 24 Dec 2014 | 10:08 am | 3 min. read
The UK government has raised objections to current EU proposals that would require businesses seeking to rely on 'consent' as the lawful basis for processing personal data to ensure that that consent has been unambiguously given "for one or more specific purposes".
It said those proposals are "unjustified" and called on EU law makers to instead turn to the definition of consent under existing EU data protection rules instead for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation.
Under the 1995 Data Protection Directive, set to be replaced by the Regulation, individuals' consent is defined as "any freely given specific and informed indication of … wishes by which the data subject signifies his agreement to personal data relating to him being processed".
However, organisations wishing to rely on individuals' consent to process their data are obliged to ensure that "the data subject has unambiguously given his consent". The UK government is arguing for this requirement to be removed. Its concerns are detailed in a Council of Ministers (Council) document published by information law business Amberhawk Training (232-page / 700KB PDF).
However, even the proposals for consent to personal data processing to be unambiguous represent a climb-down from earlier plans EU ministers were considering. Under the previous proposals, businesses relying on consent would have been required to ensure that the consent was "explicit". France is among the list of countries to have raised concern about the deletion of that requirement from the current Council proposals.
Under those plans, explicit consent would in general be needed where businesses wished to process special categories of personal data, such as health data or information on individuals' ethnic origin or political beliefs. There would, though, be limited circumstances in which this kind of data could be processed without consent altogether, according to the Council document.
In addition, where businesses use "automated processing" to build a profile about individuals, they must ensure they have individuals' explicit consent to that activity, or otherwise show that the activity "is necessary for entering into, or performance of, a contract" between them and the individual, or unless the activity is permissible under other EU or national laws that contain "suitable measures to safeguard the data subject's legitimate interests".
The non-binding recitals to the draft Regulation help to explain in more detail where profiling would be lawful without individuals' explicit consent.
"Decision making based on [automated] processing, including profiling, should be allowed when authorised by Union or member state law to which the controller is subject, including for fraud and tax evasion monitoring and prevention purposes and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent," one of the Council's draft recitals said.
The non-binding recitals to the draft Regulation contained within the Council's latest proposals also give further detail on the standards of consent businesses would have to adhere to in more conventional processing circumstances, should the proposals be finalised in their existing form.
According to those recitals, businesses should "be able to demonstrate" that they have obtained individuals' consent to "the processing operation" in question.
"In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that, and the extent to which, consent is given," one proposed recital said. "For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment."
"In order to safeguard that consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller and this imbalance makes it unlikely that consent was given freely in all the circumstances of that specific situation," it said.
"Derogations from the general prohibition for processing such special categories of personal data should be explicitly be provided for where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms," it said.
The Council is just one of the EU institutions involved in negotiating the new General Data Protection Regulation.
The European Parliament agreed on its version of the Regulation earlier this year and is waiting for the Council to reach its own consensus on the reforms before trialogue discussions on a final version of the text, which would also involve the European Commission, can be opened.
Officials from the 28 EU countries that make up the Council have reached provisional agreement on some areas of the proposed Regulation, but a major sticking point remains on how data protection should be regulated across national borders in the EU under the new regime.