
20170323 MEETUP on Consent (in the data protection legislation)

Date post: 14-Apr-2017
Upload: brussels-legal-hackers
Consent in Data Protection Regulation. Brussels, 23 March 2017. Pieter.gryffroy@timelex.eu
Transcript
Page 1: 20170323 MEETUP on Consent (in the data protection legislation)


Consent in Data Protection Regulation

Brussels, 23 March 2017

Pieter.gryffroy@timelex.eu

Page 2: 20170323 MEETUP on Consent (in the data protection legislation)

Topics for tonight

1) How is consent used in existing and future regulation (DPD + GDPR)?

2) What are the issues with consent? Are there alternatives?

=> Discussion

Page 3: 20170323 MEETUP on Consent (in the data protection legislation)

Topic 1: Consent regulation

Page 4: 20170323 MEETUP on Consent (in the data protection legislation)

Important definitions:

Data subject: the person on whom personal information is gathered

Personal data: any information relating to an identified or identifiable natural person

Identifiable natural person: one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Page 5: 20170323 MEETUP on Consent (in the data protection legislation)

Processing of personal data: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Processor: processes data on behalf of the controller

Page 6: 20170323 MEETUP on Consent (in the data protection legislation)

Privacy and consent myths…

• ‘You always need consent of the data subject’
• ‘Consent is the easiest way to be compliant’
• ‘Consent is best from a privacy perspective’

All wrong, and the GDPR is now more explicit about it!

Page 7: 20170323 MEETUP on Consent (in the data protection legislation)

Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

Lawfulness – Article 6 of the GDPR

• Consent
• Contract with the data subject
• Legal obligation of the controller
• Vital interest (subject or another person!)
• Performance of a task carried out in the public interest
• Legitimate interest

Page 8: 20170323 MEETUP on Consent (in the data protection legislation)

Definition

• Freely given (no coercion)
• Specific (clearly identifiable – no ‘bundled consent’)
• Informed (clearly described)
• Unambiguous indication of the data subject's wishes
• Statement or clear affirmative action NEW!

No silence, tacit consent, pre-ticked boxes…

Page 9: 20170323 MEETUP on Consent (in the data protection legislation)

Conditions for consent (article 7)

• Burden of proof lies with the controller (he who determines goals and means of the processing)

• Written consent? Presentation must be ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’ NEW!

• Right to withdraw at any time (not retroactively), as easily as to give consent. NEW!

• Subject must be informed of this right! NEW!

Page 10: 20170323 MEETUP on Consent (in the data protection legislation)

Protection of children – Article 8

• What on earth is a ‘child’? Politicians can’t agree.
• Consent for information society services is lawful as of 16
• Except if a Member State lowers it to max. 13
• Under 16 (or 13): parental consent!

• In Belgium: traditionally under 12: only parental consent; 12-16: double consent; and 16+: data subject consent

• Controller shall make reasonable efforts to verify consent by the holder of parental responsibility over the child

Can I consent?

Page 11: 20170323 MEETUP on Consent (in the data protection legislation)

From a data controller perspective: how to manage consent?

1. Is consent needed and usable?
2. If yes:
   a. Communicate clearly – separate text if in writing
   b. Inform the data subject of the right to withdraw
   c. For information society services: check for minors
3. Log the response for evidence
4. Build procedures to manage data subject rights, including withdrawal

Page 12: 20170323 MEETUP on Consent (in the data protection legislation)

Topic 2: Issues and alternatives

Page 13: 20170323 MEETUP on Consent (in the data protection legislation)

• Although 1 of 6, consent is arguably the most important legal ground for the processing of personal information

• But: do you really consent in an online environment? E.g. click-through, PP alone 76 days of work, legibility of the PPs and the processing goals (very vague)

• Freely given (no coercion)
• Specific (clearly identifiable – no ‘bundled consent’)
• Informed (clearly described)
• Unambiguous indication of the data subject's wishes

Page 14: 20170323 MEETUP on Consent (in the data protection legislation)

Issues

• Consent is in most cases an absolute illusion because of
  - a lack of interest, capability
  - a lack of transparency afterwards
  - a lack of legibility of PP
  - …?
  (the illusion of consent issue)

• Even if you do manage to read through and understand it all, once your data is out there: no control, including in relation to 3rd parties (the general transparency issue)

• Not unimportant: “you pay with your data”, “I have nothing to hide” (the indifference issue)

Page 15: 20170323 MEETUP on Consent (in the data protection legislation)

Legal Solutions

Illusion of consent:

• Maintain consent and better inform (status quo + awareness)
• Maintain consent but more strictly regulate types of uses by controllers, even if consent has been obtained (change in legislation)
• Get rid of consent altogether and strictly regulate authorized uses of personal data (conceptual change; impractical)
• …
• Sub-topic: increased legibility through standard PP.

Page 16: 20170323 MEETUP on Consent (in the data protection legislation)

Transparency:

• Obligations are in place and have been for a while, not much effect so far. Even controllers often have little transparency of where the data goes.

Indifference

• Limited to raising awareness.

Page 17: 20170323 MEETUP on Consent (in the data protection legislation)

Alternatives?

• All legal solutions are flawed. They are either impractical, improbable or ineffective.

• Out of the box (or is it?): why not have a technical solution to these issues?

• E.g. tools that create greater transparency, that enforce privacy settings by users, that allow blanket consent preferences based on down-to-earth assessment questions…

Page 18: 20170323 MEETUP on Consent (in the data protection legislation)

• Indifference is largely the result of the lack of transparency and of people choosing ignorance over having to confront issues that are by any means – and understandably so – beyond their grasp.

• So technical, easy-to-use, intuitive solutions are the way to go. Everybody should be able to use them, whatever their socio-economic background and level of education.

• Question remains: is this feasible?

Page 19: 20170323 MEETUP on Consent (in the data protection legislation)

Please discuss!

