Privacy body backs 'explicit consent' rules in data protection reforms

Out-Law News | 29 Jun 2015 | 3:49 pm | 3 min. read

Businesses looking to rely on people's consent to process their personal data under planned new EU data protection rules should have to ensure that consent has been explicitly given, a privacy watchdog has said.

The Article 29 Working Party, which is made up of representatives from national data protection authorities in the EU, said "there should be no doubt on the elements establishing consent and the intention of the data subject to consent". It said it was concerned with proposals that would require companies to obtain 'unambiguous consent' if seeking to rely on consent to process personal data under the planned new General Data Protection Regulation.

"Even though it can be expressed in many different ways, for instance through a statement or an affirmative action, the essential requirement [of consent] is that such statement or action must clearly signify the data subject’s agreement to personal data relating to them being processed," the Working Party said in a new paper outlining its views on the Regulation (24-page / 341KB PDF) at the start of final negotiations on its wording. The European Commission, European Parliament and Council of Ministers have opened trilogue discussions on the data protection reforms and aim to reach agreement before the end of this year.

"There has to be a clear distinction between opt-in and opt-out. Therefore, the notion of unambiguous consent foreseen by the Council of [Ministers] … may create some confusion with respect to the aim of the proposed text especially on the internet where there is now too much improper use of consent. Requiring it to be explicit is an important clarification, truly enabling data subjects the exercise of their rights. Furthermore consent should be informed and concern a specific purpose, any 'broad consent' would therefore not be acceptable," it said.

The Working Party also raised concerns about the qualified freedom that businesses would be given, under plans for the new Regulation, to process personal data for new purposes which are "incompatible" with the purposes that they originally said they would use the data for. It said the 'purpose limitation' principle should be preserved and that the new Regulation should not allow businesses to ignore it even where they can point to having an "overriding interest" in undertaking the new processing activities.

"According to the present legal framework, processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited," the Working Party said. "The controller cannot legitimise incompatible processing by simply relying on a new legal ground. The new legal provisions should ensure at least the same level of protection offered by the current Directive."

"Further processing should only be permitted once compatibility is established after a careful assessment that takes into consideration all relevant circumstances of both the original and the subsequent processing operations and provided that the controller may find an adequate legal basis. Compatibility should not be confused with legitimacy. Establishing that further use is compatible with the initial one does not mean that data may be processed without a valid legal basis or relying on the legal ground that legitimised the original processing. Compatibility and legitimacy are cumulative requirements and, for a change of purpose which is not incompatible, one of the legal bases has to be applied," it said.

The Working Party's paper also addressed the meaning of personal data. It said that the new Regulation should include wording which makes it clear that "the capacity to single out and treat differently is a means to identify the data subject". It said that proposals backed by both the European Parliament and Council of Ministers are "not satisfactory" on this point as they "could be interpreted in a way that identification numbers, location data, online identifiers or other specific factors will not be necessarily considered as personal data".

This might mean that there is "an unduly restrictive interpretation of the notion of personal data" under the new Regulation, it said.

On data breach notification, the watchdog said that it is right that the Regulation should set different rules for notifying breaches to data protection authorities than for notifying such incidents to the public. This is so that the authorities can "exercise supervision over the process of notification to data subjects by service providers", it said.

However, the Working Party said the threshold for notifying people about breaches of their personal data should be where "to a significant extent, 'the personal data breach is likely to adversely affect the personal data or privacy' of the data subject". This wording would "align the criteria [for notification]" with data breach rules and guidelines that apply to telecoms providers under the e-Privacy Directive, it said.

Some businesses, under the new Regulation, should be required to appoint a data protection officer, the Working Party also said in its paper. Whether that obligation applies to a given organisation should be determined by assessing "objective criteria such as the type, volume of data or nature of activity of the concerned entity that helps to measure the risks" of its data processing, it said.