Clarifying and strengthening the obligations for consent is a very important point for EDRi. The failings in the implementation of the existing Directive are well known (see, for example, the Commission impact assessment). The Eurobarometer 359 survey showed that 70% of Europeans are concerned about how companies use their data and feel they have only partial control, if any; 74% want to be asked to give specific consent before their information is collected and processed.
There are three features of data collection that make the current rules on consent ineffective:
- Technology has evolved rapidly and become so sophisticated that data subjects do not know and/or are not aware that their data are being collected and processed, when this happens, what data are being collected and processed, or the amount of data involved (so-called invisible data mining). Nor do they have any knowledge of the extent to which the processing is potentially sensitive, or how it can affect them – or indeed of the purpose for which their data are used.
- The information provided by controllers is typically either obscure and legalistic or hidden in rarely-read privacy notices, which means that data subjects are not taking informed decisions.
- Controllers often find ways to claim that consent was given by users (e.g., through opt-outs, pre-ticked boxes, etc.) without users/consumers in reality having given free and informed consent.
Eliminating deceptive practices
The draft Regulation’s definition of and conditions for consent reflect efforts to increase the responsibility of data controllers and processors in order to ensure that they seek to obtain meaningful consent. Data controllers must provide evidence of consent according to defined standards. We feel that behavioural economic research should be carried out on how free and informed consent really is at present, in order to frame the kind of information companies should give and how that information should be designed.
EDRi believes that consent is a key aspect of the proposal for a Regulation, and that consent should always be the result of an active choice, as referred to in Recital 25, and should not be assumed on the basis of a data subject’s perceived behaviour. Not changing default settings should certainly not be interpreted as consent to whatever these settings allow.
The definition provided in Article 4(8) should therefore remain unchanged.
Nonetheless, Article 6(1) provides a list of six criteria for lawful processing, and consent is only one of these. EDRi thinks that among these there is an important loophole that can be used by data processors to justify any processing of personal data, namely the concept of “legitimate interest” in the “balance” provision contained in Article 6(1)(f). This provision can in practice offer controllers a way to avoid many processing restrictions altogether, since current experience suggests that few data subjects will be able or willing to test reliance on this criterion in court. Moreover, the broadness of the term “legitimate interest” creates legal uncertainty, both for data subjects and for businesses. Furthermore, this uncertainty will most probably lead to divergences in practice between different member states and therefore to a failure to achieve the goal of harmonisation. Policy should be developed on the principle that data processors are intrinsically incapable of balancing their own interests against data subjects’ right to privacy.
If a data controller wishes to use “legitimate interest” as a basis for processing, this must be separately and explicitly flagged to the data subject and the data processor should publish its grounds for believing that its interests override those of the data subject.
If changes are needed to the definition (Article 4(8)), it should be to echo the burden of proof requirement contained in Article 7(1). It is indeed crucial that consent be demonstrable and, of course, that the burden of proof remain with controllers; data subjects should not be required to prove that consent was not given.
In EDRi’s view, it is not a good idea to try to define means of expressing consent in legislation: there are more possibilities than just opt-in and opt-out. Instead, the relevant means of expression need to be adapted to the circumstances. This approach supports our contention that the burden of proof should rest on the controller. In the interest of data minimisation, it would also be useful to expressly clarify in the text of the Regulation that collecting data that are not necessary for or relevant to the purpose in question cannot be justified on the basis that the controller has a “legitimate interest” in collecting the data, e.g., for proof of consent purposes.
Concerning the term “significant imbalance” in Article 7(4), EDRi believes that the examples given in the Recital are too narrow. The phrase should cover all situations where there is a serious difference in power. A non-exhaustive list similar to the one in the Unfair Contract Terms Directive should be added in Recital 34 illustrating what “significant imbalance” means, including, for example, situations of de iure or de facto monopolies and oligopolies which, in practice, offer users/consumers no real opportunity to choose a privacy-respecting service provider. Similarly, where a data subject has spent years developing his/her persona in an online game or on a social network, a “take it or leave it” change of terms of service by the operator would clearly leave the user in a very weak position vis-à-vis the provider.
On the possibility of having a contextual approach to consent, EDRi believes that what matters is that the consent given is meaningful. In our opinion, the criteria of a “freely given specific, informed and explicit” consent put users in a position to give meaningful consent. To undermine these requirements would be to undermine the Regulation itself – any flexibility offered to business should not be allowed to undermine the core elements of the exercise of the fundamental right to privacy.