In our current digital economy consumers are increasingly more often required to disclose their personal data in order to obtain access to services. It seems that personal data is the fuel of this new economy as big data centers are slowly becoming almost as valuable as oil refineries. One of the reasons for this paradigm shift dates back to the 1990s. It was then when the prevalent business model on the Web was devised – provision of free online services compensated by a flow of advertising revenue. The personal data provided by the users drives the turbines of profiling and targeted advertising and thus “pays” for the seemingly free services. This is facilitated by the dynamic nature of a web page as it loads with different advertisements when accessed by different users. As a result, marketers gain a direct avenue to those that are particularly interested in their products, online service providers generate massive revenues by selling targeted advertising and users benefit from free services. Along this background, it is far from surprising that in the newly proposed Directive concerning contracts for the supply of digital content it is explicitly established that a consumer can pay either in the form of money or with personal data.
At the same time, another trend has dominated the last decades – the rise of Big Data analytics. The fast growth in computer processing power and the sharp decrease in price for data storage have made it easier than ever to amass and analyze huge amounts of data, to perform data mining and uncover hidden patterns and correlations. Moreover, quite often this newly derived knowledge is later used to arrive at automated decisions that significantly affect natural persons. These individuals are quite often deprived not only of knowledge about what happens with their personal data but also of meaningful control over its processing. Data protection law strives to introduce counter-balances to these trends and to implement a values-based approach into the purely for-profit formula of personal data processing. It is claimed that a critical tool for empowering the data subject and giving him control over his/her personal data is the notion of consent for processing. Consent is thus seen as a lever to self-manage data privacy. This article will try to demonstrate that the heavy reliance on consent, especially in the online environment, is a flawed approach.
The notion of consent was established as one of the legitimate grounds for processing of personal data by the Data Protection Directive back in 1995. It has been operationalized by the Directive in two dimensions – first as a general ground for lawful processing and second as a specific ground in particular contexts – to legitimize the processing of sensitive personal data and the transfer of personal data to a third country that does not ensure adequate protection. It must be noted that the consent of the data subject is just one of the possible grounds for lawful processing of personal data. Data controllers may also demonstrate that processing is legitimate if it is necessary for: i) the performance of a contract, ii) compliance with a legal obligation, iii) protection of the vital interests of the data subject, iv) performance of a task carried out in the public interest and iv) the pursuit of the legitimate interests of the data controller. On many occasions those other grounds for processing will be a lot more appropriate to rely on as compared to the consent of the data subject.
The importance of the notion was further asserted in the Charter of Fundamental Rights of the European Union. With the entry into force of the Lisbon Treaty the Charter became legally binding on the EU institutions and the national governments in the same way as the EU Treaties. Article 8 of the Charter explicitly establishes the right to protection of personal data as a separate fundamental right within the EU legal framework. Furthermore, the Charter in Article 8 (2) provides for two groups of legitimate grounds for processing of personal data – i) the consent of the data subject or ii) other legitimate grounds established by law.
Consent as a legitimizing ground for processing of personal data is fully retained and further strengthened in the new General Data Protection Regulation. The GDPR presents an improved definition of consent. It states that consent by the data subject needs to be unambiguous in addition to freely given, specific and informed. It further declares that consent can be indicated by a statement or a clear affirmative action. The GDPR clarifies that silence, pre-ticked boxes or inactivity cannot constitute consent. This is important guidance for data controllers especially when they intend to obtain consent through the use of online forms – evidently they shall refrain from using pre-ticked boxes and they shall not infer that the use of a service or the mere browsing of a website constitute consent to processing of personal data.
The GDPR enriches the concept of freely given consent. It requires the assessment for freely given consent to take utmost account of the fact whether the performance of a contract is made conditional on consent for processing of personal data when that processing is in fact not necessary for the contract. Additionally, the GDPR stresses that consent will not be a valid legal ground for processing of personal data in situations where there is a clear imbalance between the data subject and the controller – for example in relations between employers and employees.
The notion of informed consent is also strengthened by the GDPR. Recital 42 of the GDPR reads that for consent to be informed the data subject shall be aware at least of the identity of the controller and the purposes of the processing. Additionally, the GDPR covers new ground by imposing an obligation on data controllers to demonstrate that the data subject has consented to the processing of personal data. In practice, this means that controllers will have to keep record and maintain archives of the declarations of data subjects when they agree to processing of their personal data.
Article 8 of the GDPR ensures the legal protection of children when their consent is required for processing of personal data in the provisioning of information society services. The GDPR sets the age limit where children’s consent can legitimize processing of personal data to at least 16 years old. Below that age, processing can only be lawful if consent is provided by a parent. However, the GDPR allows Member States to set in their national legislation a lower age of consent but not below 13 years old. This approach of the GDPR deserves criticism as it will not only lower the level of protection provided to children but also act as an impediment to a fully harmonized legal regime across the EU.
Additionally, Article 83.5 (a) of the GDPR introduces hefty administrative fines for infringements of the basic principles of processing, including the conditions for consent, reaching up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover for the preceding year, whichever of the two is higher.
Despite the ambitious reform of the GDPR, a pertinent question is still looming – is consent a suitable ground for processing, especially when used in the online environment? The theoretical legal reasoning behind the concept of consent is that data subjects will generally make conscious, prudent and autonomous choices when managing their personal data. Whether that actually happens in practice is highly questionable.
Let’s ask ourselves – how many of the individuals who tick the consent box when using an internet-based service actually locate, read and familiarize themselves in detail with the privacy policies? And would it be possible to devote the time and effort for such thorough familiarization when most users engage with dozens of different online services, websites and apps on a daily basis. And even if such an effort is undertaken, what if the content of the privacy policy does not become clear to the data subject to a level that he can make an informed choice? Further, what if the data subject disagrees with any of the conditions for processing? In most circumstances the dilemma for him will be to either agree with the unfavourable conditions or not use the service at all. While in some cases there might be competitors who offer equivalent services on more favourable conditions, in other instances the service in question might be the most used and thus the alternative options will not be a viable alternative.
Indeed, the GDPR tries to tackle some of the above-mentioned issues by requiring in recital 42 that any declaration of consent that is preformulated by the controller shall be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. With regards to the last requirement, the GDPR redirects to the provisions of Directive 93/13/EEC on unfair terms in consumer contracts. It remains to be seen to what extent the general provisions of Directive 93/13/EEC will be a suitable fit to protect data subjects when it comes to such a niche regulatory field as the specific conditions for data processing imposed by data controllers. Furthermore, a natural paradox exists in relation to the simplicity of a privacy policy. If a privacy policy is prolonged and convoluted it is very unlikely that it will be read. However, there is a rational explanation for such volume – data processing operations are ever more complex and data controllers are naturally striving to avoid liability. At the same time, the more the drafter is pushed towards using a short form with simple language and graphic icons, the less meaningful details about the processing and its potential consequences for the data subject could be conveyed and the less the individual will be alerted that at this step of the transaction he is giving out something of value.
Second, contemporary processing in the era of Big Data, behavioural marketing and widespread tracking rarely involves a single data controller. In most cases individuals will be faced with an intricate web of controllers and processors that exchange various sets of data for a wide variety of processing purposes. Far too many entities are amassing and using personal data which makes it hardly possible for natural persons to distinguish between their roles and use consent (or its withdrawal) as a tool to manage their privacy separately with each entity. Moreover, many privacy risks are a natural result of the steady aggregation of items of data over a period of time by different entities. When using consent in an individual transaction, without proper understanding of the big picture that includes any further ensuing uses of that data, it will be impossible for a data subject to weigh the costs and benefits of divulging his personal data.
Last but not least, consent as developed by the GDPR could also turn out to be problematic for data controllers. The GDPR introduces cumbersome obligations on controllers thus making it a lot harder to obtain valid consent. In addition, data subjects have the ultimate power to withdraw consent at any time without the need to invoke a reason. The immediate result of such action is the restriction of further processing of personal data. Furthermore, if the controller is unable to demonstrate the existence of another legitimate ground for processing, the data will have to be erased. Thus, many data controllers will be naturally inclined to use other grounds for processing instead of consent – for example the legitimate interests ground. And for risk minimizing purposes consent could be downgraded for use only in case of processing operations that are optional for the controller. Obviously, such developments would not be in line with the desire of the European legislator to empower the data subject and put him in control of his personal data.
Without a doubt, the legislative reform introduced with the GDPR provides a solid shield for data privacy interests. At the same time, the reform is not immune from conceptual flaws. An example in point is the case with the notion of consent especially when provided in online environment. Instead of further strengthening the concept by introducing additional cumbersome obligations for data controllers, the EU legislator could have invested efforts in rethinking it and re-targeting its use in a more differentiated manner. As demonstrated above, consent is not a natural fit to be a universal remedy for end-user empowerment. It sounds promising on paper but it often leaves a lot to be desired when applied in practice.