Consent: lost (GDPR) and found (ePrivacy)

With the ePrivacy Regulation, ‘consent’ will regain importance

European data protection and electronic privacy regulations are going through a major overhaul. When legislators started this process, wanting to give more weight to the interests of individuals, they were faced with a quandary: what to do about “consent”?

On the face of it, the best way to ensure that people can make their own trade-offs on personal data and privacy is to ask them. Nothing should be done without consent.

It’s not so simple. Earlier legislation has been largely ineffective:

· Most people don’t know what they are agreeing to when they tick the box.

· No response is taken to mean consent.

· Too many requests for consent annoy and overwhelm users, so they ignore the requests or just say “yes” without thinking.

The current legal situation

Until recently, the main European legislation concerning personal data was the Data Protection Directive, published in 1995, translated into national laws that are more or less consistent across Europe. Last year, this directive was updated and approved as the General Data Protection Regulation (“GDPR”, EU regulation 2016/679), which enters automatically into operation in every EU country in May 2018.

Under the older law, the process for obtaining consent online is generally to ask users to tick a box to say that they have read the terms & conditions / privacy policy. Sometimes, the agreement box is pre-ticked. In other cases, web sites simply say: “If you carry on to use this service, you are indicating agreement to our privacy policy.” The legal terms are typically long, difficult to understand and simply a tedious obstacle to getting on with using the service. What’s more, often it’s not a real choice, since the terms are “take it or leave it”. Most people simply tick the box or hit “Continue” and don’t read anything.

In most cases, the terms & conditions or privacy policy permit a broad range of uses of the user’s personal data, including the passing on of data to other organisations.

To address the devaluation of the consent process, the new legislation has tightened up the definition of what is considered a legally valid consent.

Enter the GDPR

Although the 1995 directive stated that consent had to be “freely given specific and informed”, this wording did not always find its way into national legislation. The GDPR takes effect without needing national laws and states that consent must be “freely given, specific, informed and unambiguous” and has to be carried out “by a statement or by a clear affirmative action”. Furthermore, there is a 4-paragraph Article in the regulation that provides further constraints in judging when a consent is valid — such as separation of the consent from other matters and presentation of information in clear and plain language. Consent is not valid if it is for a purpose that is not necessary in order to provide the service the individual wants.

There are further rules when the consent applies to sensitive personal information (race, religion, health, sexual orientation etc). In these cases, the consent has to be explicit — for example, with an indication such as “Please tick this box if you agree that we can process your health data for the purposes of advising you on insurance”. An unambiguous, but not explicit, consent might be “Enter your email address here if you want to receive new product information from us”. (There is no “I agree” statement or similar, but the intention is unambiguous.)

So far, so good. However, many businesses that are dependent on using personal data argue that the new rules are too complicated and that they will lead to user “consent fatigue”. (It’s also possible that some businesses think they will not get user consent if they make it too clear what they are asking, but they won’t say this publicly.)

An underlying issue is “opt-out” consent compared to “opt-in”. The old directive left scope for the interpretation that opt-out consent was sufficient — that consent was assumed unless otherwise indicated. Since the GDPR requires a statement or clear affirmative action, consent has to be opt-in — no response means no consent.

Consent is scary for businesses

Businesses are very worried about the opt-in requirement. It’s common sense (as well as seen in practice) that fewer people opt-in than the number who do not opt-out when the default is already set. As stated by the European Data Protection Supervisor (“EDPS”), “Compared to a processing based on an opt-in consent, any opt-out solution offers less protection due to the power of the ‘default’: most people simply will not have the time, or interest to take action.”[1]

Some businesses also object to what they see as the extra “friction” at the time of gaining new customers, or potential new customers. They want to open up a personalised relationship with people without first having to convince them to consent to a service. A further issue for many businesses is that they don’t have direct contact with the people providing their personal data and so are unable to engage in a direct consent process.

Here is the quandary: on the one side the data protection supervisors want to put a stop to current pseudo-consent processes; on the other side, many industry players are highly resistant to embrace the opt-in and detailed consent process required by the GDPR.

The net result is, paradoxically, that the data protection supervisors and official advisory bodies are discouraging the use of consent as the lawful basis for processing personal data. They do not say this explicitly, because the official legal position is that there is no priority among the alternative justifications for legally handling personal data: the most “appropriate” of the alternatives should be chosen. However, they emphasise that more severity will be imposed, once the GDPR is operational, in the judgement of whether consents are valid.

Choosing a consent-based process creates major risks for businesses. Not only will they be taking on extra obligations towards the individuals concerned, such as the provision of data portability, but if their processes are later found invalid they will have to stop handling the data of everyone who went through the same process. They would also be liable to claims from any injured parties, as well as to potential administrative fines at the maximum level permitted by the GDPR. (See GDPR: data portability is a false promise for more on this topic.)

A way of avoiding the need for consent

An alternative lawful basis for processing personal data is “legitimate interest” and a business may find this more attractive. When using a consent basis, the individual has to give consent before data is processed and has the right to withdraw consent at any time; when using a legitimate interest basis the business starts processing data and the individual only has a right to object after the fact. In addition, an objection may not stop the processing (unless it is an objection to direct marketing, which takes effect automatically).

As stated in Guidance from the Data Protection Network[2], written in collaboration with the Direct Marketing Association and the Incorporated Society of British Advertisers, “on balance, a Controller may wish to rely on its Legitimate Interests, as it has the opportunity to defend this decision, whereas when Consent is withdrawn, the processing must cease immediately.”

It is interesting to observe the position of official advisory bodies (such as the Article 29 Working Party, often called “WP29”, that will next year become the European Data Protection Board and have overall supervisory powers) and the EDPS (also with responsibility for providing guidance to national supervising authorities as well as being the direct supervisor of EU institutions). Their role is to interpret and provide guidelines on existing legislation — and to advise on forthcoming legislation.

In the case of the GDPR, the law has already been approved and it is not the role of these organisations to change it. Therefore, their guidance is about how to make the best of the situation. The “legitimate interest” of a business, balanced against the presumed interests, rights and freedoms of the affected individuals, is a legally valid basis for processing personal data — even if the people are not asked for permission first. The WP29 published in 2014 some extremely useful guidance about when and how to apply a legitimate interest[3] and stated that this grounds for processing “should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds.” But the GDPR is the GDPR…

If the GDPR is the only law to consider, the options for individuals to decide before their personal data gets used will probably decline. The momentum towards “consent” will be lost.

However, the forthcoming ePrivacy Regulation enters into the equation…

Here comes the ePrivacy Regulation

The ePrivacy Regulation (dealing with “the respect for private life and the protection of personal data in electronic communications”) is another update on existing law. The law in force at moment is a 2002 directive on privacy and electronic communications, plus subsequent amendments, which has been translated into national law in EU member states.

The relationship between the GDPR and the ePrivacy Regulation is somewhat complicated. In principle, the GDPR deals with the handling of personal data and the ePrivacy Regulation deals with electronic communications — which of course can be a medium for carrying personal data, as well as generating through its operation new personal data about people’s behaviour. Marju Lauristin, the European Parliament’s rapporteur for the regulation characterises it as: the GDPR implements Article 8 of the EU Charter of Fundamental Rights (“Everyone has the right to the protection of personal data concerning him or her”) and the ePrivacy Regulation implements Article 7 of the Charter (“Everyone has the right to respect for his or her private and family life, home and communications”) in as much as it relates to electronic communications.

In practice, the ePrivacy Regulation (similar to the directive that is currently in force) is a ragbag of different measures related to electronic communications. It has evolved from a 1997 Directive that was focused on traditional telecommunications and has added in new aspects, seemingly because this seemed like a handy legislative instrument. It covers confidentiality and privacy issues related to electronic communications, privacy issues related to software automatically placed onto users’ terminal devices, ‘cross-domain’ tracking of people based on their activities on different websites, tracking of individuals in public places using their WiFi/Bluetooth signals, publication of personal details in public directories and nuisance issues related to direct marketing (via electronic communications).

This is the famous “cookie law” that provides the legal controls on the identifiers or small software agents that are placed on smartphones and computers when connecting to a website or online service. It also covers issues such as the interception of phone calls or electronic messages, any handling of data and metadata by any entity involved in the transmission or processing of electronic communications, data minimisation (no unnecessary retention) by telecoms and messaging companies, the management of public hotspots, end-to-end encryption, and even extending into machine-to-machine communications and the Internet of Things. It may (if the European Parliament’s rapporteur amendments are accepted) end up covering targeted advertising, by classifying it as a variation of direct marketing communications.

There are various interesting issues regarding the overlap between the ePrivacy Regulation and the GDPR. In principle, it builds on the GDPR and does not remove or replace any of the GDPR provisions, but it stands as lex specialis, which means that if there are conflicts between the two regulations then the ePrivacy Regulation will prevail — since it is intended to cover special cases which are not fully dealt with by the GDPR.

This raises some significant issues related to consent…

It only takes one law to make consent obligatory

In the current draft of the ePrivacy Regulation (not yet through the legislative process and so subject to change), consent is central to many of the regulation’s provisions. Unlike the GDPR, there is no general application of the concept of legitimate interest and very few cases where the interests of any service provider can overrule the requirement of consent from the end user. Furthermore, consent is defined by explicit reference to the GDPR, which means that all the tougher requirements on consent introduced by the GDPR apply within the ePrivacy Regulation (although without the “explicit” requirement for special categories of data, under Art 8 of the GDPR).

The proposed ePrivacy Regulation is based around end-user consent. (Diagram by Xifrat Daten)

The current cookie law provisions are generally considered to be a failure. They have resulted in users facing multiple banners that present meaningless (or certainly not understood) requests for consent to cookies. The result has been the classic problem of devaluing any single request because there are too many of them. The new regulation is not responding to this by removing the need for consent — except in the case of some cookies that do not threaten privacy and are needed for basic website operation — but by requiring ‘gateway’ software (such as a browser) to establish a set of user consent preferences that can subsequently be applied to all websites and services.

The ‘Do Not Track’ indicator, as set in a browser or equivalent, will have to be communicated to all parties who get user data and it will be a legal obligation to act on this.

Some number of organisations will find themselves subject to both the GDPR and the ePrivacy Regulation. In fact, every organisation that operates a website will have to consider the ePrivacy Regulation — both in terms of implementing updated consent provisions on cookies and in giving particular attention to any data they pass on to third parties (such as analytics engines). Providers of any kind of communication or messaging service will be affected, since the regulation extends coverage from first-level internet or telecoms service providers to any provider of communications running over an electronic service. The data they handle (including metadata) will be classified as personal data if it is linked to an individual, so bringing the GDPR into play, and in any case all data handling is subject to strict ePrivacy provisions.

The impact on marketing

Those doing marketing through electronic channels will be subject to the ePrivacy Regulation provisions — in particular Art 16 on unsolicited communications and other articles on phone-based marketing. The words of the Commission draft of the new regulation are not much different from the current directive, but because the regulation passes automatically into current law it will supplant existing national legislation.

Particularly noteworthy for direct marketers is that it will no longer be possible to rely on an opt-out approach for unsolicited email sent to people at their work email addresses. All communications will be on the basis of opt-in consent, except in the case of messages related to similar products and services that are sent to existing customers (an existing provision, often referred to as “soft opt-in”), where an opt-out approach is permitted.

If the amendments are accepted that have been proposed by the rapporteur of the European Parliament (based on recommendations from the WP29 and the EDPS), then the net will catch the entire targeted advertising industry. The new definition proposed for “direct marketing communications” is “any form of advertising, whether in written, oral or video format, sent, served or presented to one or more identified or identifiable end-users of electronic communications services”. In the opinion of the WP29, this would cover all “behavioural advertisements” (based on the profile of end-users)[4].

Apart from the “soft opt-in” exception for existing customers (if they have a direct relationship with the business), all targeted marketing will become subject to the strict consent measures dictated by the GDPR. The “legitimate interest” basis will not apply.

Consent may have been “lost” in the GDPR, but it has been “found” again in the ePrivacy Regulation.

The WP29 and the EDPS, that clearly wish to advance a consent agenda for communications data regardless of the need to discourage this in the context of the GDPR alone, are trying to push home the advantage. The European Parliament rapporteur has followed their lead and has proposed that Recital 15 should include the words “When the processing [of electronic communications] is allowed under any exception to the prohibitions under this Regulation, any other processing on the basis of Article 6 of Regulation (EU) 2016/678 should be considered prohibited, including processing for another purpose on the basis of Article 6(4) of that Regulation.”

This means “Goodbye to legitimate interests of the controller”.

Awaiting the final version…

We don’t know how the final text of the ePrivacy Regulation will turn out. Parliament has to agree on various amendments that have been proposed and the EU Council has to provide its input. Typically, the Council, whose constituent members are representatives of the member states, will take a more business-friendly approach than the Parliament (that wants to directly serve EU citizens and so tends to be more pro-individual). Following a general decision by the Council on its approach, the legislative process will move to negotiation between the Commission, the Parliament and the Council (the “trialogues”) — leading to a compromise text.

The Commission and the Parliament have said that they want to approve the ePrivacy Regulation so that it can enter into full force on the same date as the GDPR: 25th May 2018. That is an extremely ambitious agenda, being only 16 months between the Commission’s first published draft and the effective date of the law. In the case of the GDPR, it was more than 5 years. The next few months will see some intense lobbying!

[1] EDPS Opinion 06/2017: https://edps.europa.eu/sites/edp/files/publication/17-04-24_eprivacy_en.pdf

[2] https://www.dpnetwork.org.uk/dpn-legitimate-interests-guidance/

[3] Article 29 Working Party Opinion 06/2014, WP 217, on the notion of legitimate interests of the data controller: http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf

[4] Article 29 Working Party Opinion 01/2017, WP 247, on the Proposed Regulation for the ePrivacy Regulation, p21: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610140