Sini Laajala EU General Data Protection Regulation and the Effects of

the Changed Legal Context of Data Subject’s Consent

Making MyData Real Working Papers 2/2017 Making MyData Real –tutkimusraportti 2/2017

Making MyData Real is a two-year research project funded by TEKES, the Finnish funding agency for innovation. The project is run by the Faculty of Law at the University of Turku. The industry partners are S-Group, Elisa Oyj, and Lähitapiola. The project seeks to explore the popular MyData-frame to advance individual and human-centric understanding and use of data resources. MMR explores how legal, market and technological solutions can be be combined in MyData platforms to allow the optimization of privacy in data use and transfers. The objective is to merge cutting-edge legal research on privacy, information society, and contracting practices with expertise in information economy and business models. The project will produce a series of deliverables, both in English and in Finnish on matters concerning individual consent, sustainable data processing and trust. The key philosophy underlying the project, the easily overlooked truth about the relationships between law, technology and markets, namely the idea that law, markets and technolgies are are co-dependent and co-determinative, not mutually exclusive or excluded, is mainstreamed to all of the papers. Sini Laajala’s paper on the Changed Legal Context of Data Subject’s Consent is part of the design target “MyData Consent Interfaces” where we aim at legal facilitation and assist of the design processes of the platforms utilizing MyData concept. The paper focuses on analyzing data subject’s consent as a legal basis for processing personal data from the perspective of the changes occurring in the context: a change of the type of legislation, changes in the legal principles and effects of the strengthening of the rights approach to data protection law occurring in the EU, especially putting emphasis on data subject’s rights. The changes are demonstrated and analyzed from a perspective of Peripheral Protection Model which represents a novel approach to the modern regulatory framework of the protection of personal data.

EU General Data Protection Regulation and the Effects of the Changed Legal Context of Data Subject’s Consent

Making MyData Real Working Paper Series 2/2017 Making MyData Real –tutkimusraportteja 2/2017

Sini Laajala*

Abstract

This working paper analyzes the development of data subject’s consent as a legal basis due to the EU data protection law reform, especially from the point of view of the EU General Data Protection Regulation (GDPR). The provisions of the GDPR are analyzed against the provisions of the Data Protection Directive (DPD). The aim of the research is on defining whether the GDPR will change data subject’s consent as a legal basis for processing personal data in comparison to the situation under the DPD, focusing on the changes occurring in the context in which the consent requirements are interpret. The GDPR clarifies the requirements for a valid consent, but there are also other more comprehensive changes that should be taken into consideration, occurring in the context in which the requirements are interpret. The main thesis of the paper is that the changes in this context affect the position of data subject’s consent as a legal basis. Thus, data subjects are protected also through other mechanisms than by the actual consent requirements imposed by the GDPR. This is important, because the consent requirements under the GDPR consist of abstract terms, which inherently leave room for interpretation. This paper focuses on analyzing data subject’s consent as a legal basis for processing personal data from the perspective of the changes occurring in the legal context EU’s data protection regime: a change of the type of legislation, changes in the legal principles and effects of the strengthening of the rights approach to data protection law occurring in the EU, especially putting emphasis on data subject’s rights. These changes are demonstrated and analyzed with a model termed here as Peripheral Protection Model. The said model describes, inter alia, how the strengthening of data subject’s rights and the data processing principles, especially transparency and accountability principles, affect the requirements. These important developments occur mainly in the borderlines, the peripheral, around the actual requirements imposed on a valid data subject’s consent. Of the essence is that by virtue of the said changes the GDPR opens a possibility for interpretations that have the potential to considerably narrow the usability of data subject’s consent as a legal basis for processing of personal data. * LL.M. Sini Laajala works as a researcher and doctoral candidate in MMDR-project.

Table of Contents 1 Introduction 1

2 Changingthetypeoflegislation 4

3 Strenghteninglegalprinciples 9

4 Emphasizingfundamentalrights 14

5 Conclusion 24

6 BIBLIOGRAPHY 27

1

1 Introduction Both the Data Protection Directive (DPD)1 and the EU General Data Protection Regulation (GDPR)2 recognize data subject’s consent as one of the legal bases for the processing of personal data. Under the DPD consent rules have been unclear as the directive has left room for different implementations and interpretations. The European Commission set “clarifying and strengthening the rules on consent” as one of the goals for the ongoing EU data protection law reform.3 Therefore, the GDPR contains more articles providing for more detailed and clarified requirements for a valid data subject’s consent than the DPD did.4#For example, under the DPD it has been unclear whether a pre-ticked box, as an opt-out5 type of consent, can qualify for a valid consent or whether it should be required that a data subject ticks the box herself and, thus, actively consents to the processing of her personal data. The GDPR defines that the use of opt-out approach does not constitute a valid consent.

Understanding the change in the position of data subject’s consent as a legal basis in the EU law requires observing the change in a wider context than purely from the perspective of the requirements for a valid data subject’s consent. On the one hand, consent has an important role in the GDPR as a mechanism for data subjects to control their personal data. For example, processing of sensitive data and automated decision-making, which produces legal effects on data subject, can be based on the data subject’s explicit consent. In this sense the role of consent in the GDPR resembles to the one it had in the DPD. On the other hand, data subject’s consent as

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 2 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 3 COM (2010) 609 final, p. 9. 4 The GDPR includes new articles, Article 7, added specially to define conditions for consent and Article 8, defining special conditions applicable to child’s consent in relation to information society services. 5 Opt-in approach requires that an affirmative act by the user, such as clicking a box on an online form, before the information provided by the user can be used. On the other hand, in accordance with the opt-out approach the user needs to take an action to prevent information from being used, for example, by unclicking a box on an online form, the default being that without action by the user the information can be used. See IT Law Wiki / Definition of opt-in and opt-out; Kuner 2007, p. 68. Opt-in and opt-out boxes are commonly used in a quick succession such as ticking to opt-in to receive information from the service provider or ticking to opt-out from passing data to third parties. See Murray 2013, p. 504.

2

a legal basis under the GDPR is subject to clarified and more detailed, but at the same time, still inherently abstract requirements. Thus, other mechanisms affecting the interpretation on what constitutes a valid consent, such as legal principles underlining data controller’s responsibilities or the emphasis given to the data subjects’ rights in case law, are essential to the outcome of the assessment. This makes the use of consent as a legal basis more complicated than before as in addition to the clarifications made to the requirements, also the context in which the said requirements are interpret has changed tremendously and this has significant effects on data subject’s consent as a legal basis.

The target of this research is to answer the following research question: Does the GDPR change data subject’s consent as a legal basis for processing personal data? In this paper the question is analyzed from the point of view of the changed context in which the requirements for a valid consent are interpret. This working paper approaches data subject’s consent from the point of view of so called Peripheral Protection Model (hereinafter referred to as the “Model”).

Figure 1.1 Peripheral Protection Model

3

The said name of the Model derives from the conclusion that data protection law reform is changing the context in which the requirements of data subject’s consent are interpret, especially by strengthening data subject’s rights, and this affects data subject’s consent as a legal basis. The Model consists of four layers in its entirety. In this paper, three outer layers of the Model, in other words, the peripheral area around the core, are descripted and analyzed. These layers describe and analyze the changes occurring in the context that affect data subject’s consent as a legal basis and guide the interpretation of the requirements. The three outer layers of the Model concern the effects of the changes in the type of legislation, legal principles and the rights of data subjects. The structures of the Model are potentially, at least partly, overlapping and the exact order and number of layers concerning different concepts and structures of EU data protection law affecting data subject’s consent can be argued. The aim of the Model is to demonstrate the main mechanisms of the GDPR that affect data subject’s consent as a legal basis.

Firstly, the possible effects of changing the type of legislation from a directive to a regulation are analyzed in Chapter II. Effects of the change of the type of legislation are comprehensive and, thus, it is regarded as the most external layer that affects all the other layers. During the era of the DPD one of the key issues relating to data subject’s consent has been the inconsistency of the consent requirements in the national laws of EU Member States. The adoption of regulation as a type of legislation in general provides for more unambiguous criteria for a valid consent in comparison to a directive that leaves more leeway to the Member States.

Secondly, changes occurring in the legal principles for processing personal data, especially strengthening of the transparency principle and the accountability principle, are discussed in Chapter III. Legal principles potentially guide the interpretation of provisions and concepts. Therefore, the strengthening of legal principles is placed into the third layer affecting data subject’s consent. Especially the transparency and accountability principles can direct the interpretation of the consent requirements to the direction that favors data subjects. Thus, these legal principles have the potential to affect the outcome of what can be regarded as a valid data subject’s consent in specific cases.

Thirdly, the grounds for the claim that the fundamental rights aspect of the EU data protection law has strengthened and that it echoes to the data protection law reform and to the case law of the Court of Justice of the European Union (CJEU) are defined in Chapter IV. The GDPR specifically seeks to clarify and strengthen the rights of data subjects and the general development in the EU has moved into the direction that puts special emphasis on the data subject’s fundamental rights. This development has potentially significant effects on the interpretation of consent

4

requirements as well as the usability of consent as a legal basis from the data controller’s point of view as data subject’s consent as a legal basis is closely linked to many strengthened rights of data subjects. For example, the right to withdraw consent and the right to erase personal data.

Chapter V summaries the conclusions of the main chapters and analyzes the overall change in the position of data subject’s consent in EU data protection law.

2 Changing the type of legislation One of the significant changes by the ongoing data protection law reform is that the general rules on processing of personal data are now set by a regulation instead of a directive. During the era of the Data Protection Directive, the requirements for data subject’s consent as a legal basis for processing personal data have varied in the national laws of Member States due to the leeway left by the Directive. The varying consent requirements have led to divergence, which may impede the protection of data subject’s rights and disturb business operations. In general, as a type of legislation, a regulation is less flexible than a directive. Thus, a changing the type of legislation from a directive to a regulation is likely to cause changes on data subject’s consent as a legal basis due to regulation’s inherently more harmonizing effects.

Lee Bygrave has pointed out that the data protection instruments traditionally provide significant amount of flexibility for their implementation to national legislation.6 The DPD is not an exception. As directives are binding solely in terms of their results and leave the choice of “form and methods” to the Member States, the DPD has left a margin for maneuver in its implementation.7 The legal basis of the DPD is Article 100a of the Treaty Establishing the European Community (TEC). The said Article provides for the adoption of measures for the approximation of the provisions which have as their object the establishment and functioning of the internal market.8 The aim of the DPD was to bring approximation of national laws resulting in equivalent levels of data protection across the Member States. Nevertheless, it is acknowledged even in the preamble to the DPD that disparities 6 For example, the OECD Guidelines are embodied as legally non-binding guidelines, and thus, inherently they contain the said element of flexibility. The aim of the Convention 108 was to guide and to act as a catalyst for state’s legislative initiatives rather than to set forth a package of directly applicable norms. See Bygrave 2002, pp. 33–34. 7 See Article 288(3) of the Treaty on the Functioning of the European Union (TFEU): “A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.” According to Article 5 of the DPD “Member States shall, within the limits of the provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful”. The amount of discretion is dependent on the objectives and the level of detail of the directive in question. See Bygrave 2002, p. 34. 8 The referred Article is contemporarily Article 114 of the TFEU.

5

can arise in the implementation of the DPD. The said disparities have given fuel to the EU data protection law reform.9 Thus, the DPD sets forth standards which all Member States must meet, allowing considerable leeway in determining how such standards are to be met and, at the same time, in fact accepts that discrepancies between Member States will arise.10

Christopher Kuner has described the discrepancies between the data protection regimes of Member States and compliance issues of companies trying to cope with the varying systems. The system is complex. Under the DPD all Member States have had their own data protection laws that differ considerably from each other in structure, content and approach. Since the DPD allows interaction of data protection law with other legislation, law in other fields than data protection may also need to be taken into consideration.11 Traditionally European data protection law has been built upon few key instruments while the important details have been included into the laws of the Member States, each with its own language, separate legal systems and tradition. Further, many aspects of data protection law are derived from varying administrative practices and informal customs that are not available in writing.12 Thus, the interaction between EU data protection law on a high level and local data protection laws on a lower level can be confusing. Many companies have made the mistake of assuming that it is enough to simply implement the principles of the DPD, without realizing to comply with the local laws. Data protection laws are often non-transparent and difficult to locate, owing particularly to the fact that many important source materials are available only in local languages. Especially companies which are used to compliance under the US regime are often initially frustrated by the diversity of approaches to data protection among EU Member States.13

The definition of data subject’s consent has not always been transferred word for word at national level. For example, data subject’s consent is not defined in the French data protection legislation, but its meaning has been precisely and consistently explained in the jurisprudence of the data protection authority14, in relation to the definition provided for in the DPD. In the UK the concept has been developed by common law in accordance with the wording of the DPD. Consent has also been explicitly defined in the legislation of specific sectors, for instance, in the

9 See recitals 8 and 9 of the preamble to the DPD. 10 Kuner 2007, pp. 33–35. 11 See recital 23 of the preamble to the DPD; Kuner 2007, pp. 33–35. For example, claims for data protection violations may be based on national consumer protection and unfair competition laws. 12 Kuner 2007, p. 2. 13 Kuner 2007, pp. 235–236. 14 The authority in question is the Commission nationale de l'informatique et des libertés (CNIL).

6

context of e-privacy, e-government, or e-health. Thus, the notion developed in specific legislation interacts with the concept developed in general data protection legislation.15 Some Member State laws have also restricted the possibility to give consent electronically. For instance, under the German Federal Data Protection Act, consent to the processing of personal data must be given “in writing” meaning pen on paper, unless consent is to be given in the course of using “teleservices” as set forth in the Teleservices Data Protection Act, in which case consent may be given electronically under certain conditions.16

As the abovementioned examples demonstrate, Member States have implemented the directive differently, despite its objective to ensure an equivalent level of data protection within the EU. Member States have adopted varying consent requirements and, accordingly, the national Data Protection Authorities (DPAs) have applied different interpretations. Consequently, a valid data subject’s consent in one Member State has not necessarily been legally valid in other Member States. This has created uncertainty among data controllers operating in several Member States. Commission’s Impact Assessment of 2012 especially mentions that dealing with different national laws and requirements within the EU leads to a fragmented legal environment, creating legal uncertainty and unequal protection for individuals as well as unnecessary costs and administrative burdens for businesses. Thus, this also constitutes a disincentive for enterprises, including SMEs, operating in the single market, who may wish to expand their operations cross-border.17 The Explanatory Memorandum of the Commission’s proposal for the GDPR acknowledged that the previous legal framework had not been able to prevent fragmentation in the way data protection was implemented across the EU, legal uncertainty and a widespread public perception that there are significant risks associated with online activity. Therefore, a stronger and more coherent data protection framework was needed in the EU, backed by strong enforcement that would enable the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.18 According to the Commission, the proposal for the GDPR was built on the experience with the DPD and the problems encountered due to its fragmented implementation, which had prevented it from achieving its objectives.19 Thus, a regulation was deemed as the most appropriate

15 WP 187, p. 6 16 Kuner 2007, p. 69. 17 Commission Working Paper: Impact Assessment 2012, pp. 11–13. 18 Explanatory Memorandum of the Commission’s proposal for the GDPR, p. 2. 19 Legislative final statement of the Commission’s proposal for the GDPR, p. 104.

7

legal instrument to execute the planned improved data protection framework for the EU.20

Andrew Murray has especially pointed out that the actual core strength of the new data protection instrument is that it was drafted as a regulation, which creates a binding regime for all EU Member States.21 Under Article 288 of the TFEU, a regulation has general application. It is binding in its entirety and “directly applicable” in all Member States, whereas a directive is binding as to the result to be achieved, but shall leave to the national authorities the choice of “form and methods”.22 According to the Commission the direct applicability of a regulation will reduce legal fragmentation and provide greater legal certainty, improving the protection of fundamental rights of individuals and contributing to the functioning of the internal market.23 T.C. Hartley has described the distinctive differences between directives and regulations.24 Firstly, Member States are not principally allowed to adopt any national measures giving effect to the provisions of a regulation in national law, as it would disguise the EU character of the act. On the other hand, a directive entails, at least in theory, the right to choose the form and method by which the objective of the directive will be reached.25 Hartley maintains that the said feature applies even where the directive is “directly effective”.26 Secondly, it can be argued that having a direct effect is actually a normal characteristic of a regulation, but only exceptional for a directive.27 Thirdly, a regulation is applicable and directly effective in any type of legal relationship: both vertical and horizontal. Thus, the enforcement of a regulation may include sanctions imposed by a Member State

20 Explanatory Memorandum of the Commission’s proposal for the GDPR, pp. 5–6. 21 Murray 2013, p. 518. See also Bräutigam 2012, p. 419. 22 Kieran St. C. Bradley presents that directives as a type of legislation are said to reflect the principle of subsidiarity as the EU is supposed to lay down only the strictly necessary rules and procedures, entrusting Member States to adopt national laws and procedures accordingly. Thus, a directive is appropriate legal instrument for the pursuit of EU objectives in areas in which Member States have already developed legal framework. However, in the reality directives often regulate a policy area in detail, leaving Member States little discretion even about to the “forms and methods”. This is particularly true where the matter regulated is highly technical in character, owing to the trust issues between Member States and EU’s aim to gain legislative power. See Bradley 2014, p. 100. 23 Explanatory Memorandum of the Commission’s proposal for the GDPR, pp. 5–6. 24 Hartley 2014, p. 222. Hartley notices that differences remain even though granting a “direct effect” to directives has blurred the distinction between directives and regulations. See Hartley 2014, p. 222. As a term, direct effect means that the EU provision becomes an immediate source of law for the national court or administer, and an implementing act is not anymore necessary for its application within the national law. See Bobek 2014, pp. 143–153. 25 Bradley 2014, p. 99; Hartley 2014, pp. 222–223. Member States may exceptionally be required to adopt national provisions to implement regulation. 26 However, as Hartley notices, in such a case the Member State’s discretion can be severely restricted. See Hartley 2014, pp. 222–223. 27 Hartley 2014, p. 223.

8

against an individual.28 A regulation as an instrument increases certainty, as it does not require nor allow any national implementation. It also clarifies the application and enforcement of EU level norms in the horizontal relationships.

From the perspective of a data controller doing international business it is a positive change that the varying consent requirements of Member States are to be harmonized. A regulation should be an effective way to ensure harmonized requirements as the criteria for a valid data subject’s consent are set forth at the EU level and applied as such. The said goal is achieved, regardless of the outcome concerning the exact criteria. Thus, the need for interpretation, unexpected risks and preparing different codes of conduct for business and, accordingly, also the expenses of business in different Member States potentially decrease. This facilitates national companies’ entry into the EU-wide market. As the regulation is directly applicable, national implementation does not blur the consent requirements set at the EU level. Nevertheless, an adoption of a regulation is at the same time also likely to strengthen data protection rights, data processing principles and data controllers’ obligations especially in the sense that a more uniform standard for data protection is created.29 Thus, the evaluation of the consequences of the change is complicated.

It should also be noted that the adoption of the GDPR does not mean that all national data protection acts would be revoked. For instance, in Finland it has been assessed that the provisions of the Personal Data Act (523/1999) and the enacted special legislation could further be applied to such processing of personal data that is left outside of the scope of the GDPR. The GDPR might even increase the amount of national special legislation as it requires Member States to adopt multiply legislative measures.30 Riitta Ollila has pointed out that this might lead to a situation in which the data controller is unsure of whether it needs to comply with the GDPR or the national acts.31 Thus, the GDPR does not unify all the aspects of the rules on

28 Bobek 2014, p. 148. The CJEU has founded that directives are not capable of imposing obligations on individuals. The Court has stated many times that directives can only confer rights on individuals against the state, but they cannot impose obligations on individuals in favor of the state or another individual. Directives can have only vertical direct effect unlike the regulations and treaty provisions; they are not capable of having a horizontal effect. See Hartley 2014, p. 223. Nevertheless, the question whether it is possible for directives to have a horizontal effect has been controversial for many years, see Hartley 2014, pp. 223–231. 29 It is possible that the adoption of regulation may as well decrease the local level of data protection in a place where adopted national data protection standard in compliance with the DPD has been set to its maximum and in case the regulation does not require an equally high standard. Nevertheless, as the GDPR in general aims to strengthen the rights of data subjects and the DPD has also contained provisions that aim to protect free flow of data from overly enthusiastic data protection, these cases are uncommon. 30 Government Memorandum U 21/2012 vp, p. 19. 31 Ollila 2014, p. 824.

9

processing of personal data in all cases, although the scope of the regulation is undeniably wide and the key criteria for a valid consent are set in the GDPR.

3 Strenghtening legal principles The General Data Protection Regulation provides for updated principles relating to processing of personal data that include some additions to the principles under the Data Protection Directive. Changes in the legal principles reflect to the provisions concerning data subject’s consent and affect the way the consent requirements are interpreted especially in unclear situations. Legal principles have effects on case law when there is a need for balancing of rights. When two legal norms are in contradiction, legal principles potentially guide the interpretation of provisions and concepts. In addition, changes in the legal principles inherently reflect on the adopted focus and approach of the data protection law.

The Article 29 Working Party (Article 29 WP) has emphasized that obtaining consent neither negates the data controller’s obligations under Article 6 of the DPD with regard to data processing principles nor does obtaining consent allow the circumvention of other provisions. Thus, the Article 29 WP has maintained that consent should not be an exemption from the other data protection principles, but as a safeguard.32 The Explanatory Memorandum of the Commission’s proposal for the GDPR defined that Article 5 of the GDPR sets out the principles relating to personal data processing, which correspond to those in Article 6 of the DPD. Additional new elements enacted were the transparency principle and the establishment of a comprehensive responsibility and liability of the data controller, i.e. stronger accountability principle.33

In comparison to the DPD, which only implicitly contains the transparency principle, the GDPR’s articles and the preamble provide for detailed description of the requirements concerning the transparency principle.34 Likewise, the accountability principle has already existed in the DPD, in which it obliges the data controller to ensure that the legal principles under Article 6 of the DPD are complied with. Nevertheless, the GDPR sets forth a requirement that additionally defines that data controllers “shall be responsible for, and be able to demonstrate compliance with” the said principles.35 The said demonstration obligation and the means to be used in order to meet its requirements are repeatedly referred to in the GDPR’s 32 WP 187, p. 7. 33 Explanatory Memorandum of Commission’s proposal for the GDPR, p. 8. See Article 5 of the GDPR. 34 See Article 12 of the GDPR and recitals 39 and 58 of the preamble to the GDPR. 35 See especially Article 5(2), 7(1) and 24 of the GDPR as well as recital 42 and 74 of the preamble to the GDPR.

10

preamble and articles.36 The role of the said principles seems to be emphasized in the GDPR, whereas they have not played such an important role in the DPD.

Kuner has mentioned earlier transparency as one of the underlying main principles of the DPD. The transparency principle is also implemented into the provisions of the DPD, expressed especially in Articles 10–12, concerning information to be given to the data subject and the data subject’s right to access data. According to Kuner’s definition, “transparency” as a term means that the data subject must be given information regarding the processing of her personal data. Correspondingly, individuals should be provided with information, inter alia, of the purpose of the processing and the identity of the data controller and any other information necessary to ensure fairness of processing.37 The DPD has implicitly contained the transparency principle and its contents seem to correspond widely with the contents of the GDPR, but the latter is much more detailed and explicit.

The Commission’s communication of 2010 especially mentioned “increasing transparency for data subjects” as one of the key objectives of the data protection law reform as transparency enables individuals to exercise control over their own data and ensure effective protection of it. It is essential that individuals are informed in a transparent way about how and by whom their personal data are processed and for what reason, for how long, and what their rights are if they want to access, rectify, or delete their data. The Commission considered that Article 10 and 11 of the DPD that define the information to be given to the data subjects were not ample. The Commission stressed that the transparency principle requires that information must be “easily accessible” and “easy to understand”, and that “using clear and plain language”. The said is relevant especially in the online environment, where privacy notices often are unclear, difficult to access, non-transparent, and not always in full compliance with existing rules.38 Consequently, the transparency principle was added to the data processing principles into Article 5(1)(a), according to which personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject”.39

About the Commission’s proposal for the GDPR, Kuner deemed that it aimed to increase the transparency of data processing by imposing stricter informational and

36 See, for example, Article 7(1), concerning conditions for consent and Article 24, concerning responsibility of the controller. 37 Kuner 2007, pp. 20–21. 38 COM (2010) 609 final, p. 6. 39 See recital 39 of the preamble to the GDPR. According to Article 12(1) the information shall be provided for the data subject “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. The GDPR also contains provisions on the information to be provided and the data subject’s right to access. See Articles 13–15 of the GDPR.

11

transparency obligations on data controllers. Some of these requirements were phrased in broad terms, such as in the first version of Article 12, and others in quite detailed form, such as proposed Article 13 and 14 that list the types of information that data subjects must be provided with.40 Kuner’s view applies also to the final version of the GDPR, even though the contents of Article 12 were clearly defined in the much more detail in the final version of the GDPR. The transparency principle is expressed on both legal principle and legal provision level in the GDPR. Even though it can be regarded that the principle has existed implicitly also prior to the GDPR, codifying the principle explicitly into the text of the GDPR is likely to affect the concept of consent in a way that emphasizes the data subject’s right to proper and more detailed information while collection of consent for processing and during consent’s lifecycle. Hence, it also affects the position of consent as legal basis. Article 7(2) of the GDPR concerning conditions for consent expresses transparency principle according to which the request for consent needs to be presented “clearly distinguishable from the other matters, in an intelligible and easily accessible form” and “clear and plain language” needs to be used. Thus, by this provision, transparency principle directly affects the requirements for a valid consent.

The precise meaning of including transparency principle into Article 5 of the GDPR in terms of change is still unclear and will concretize itself in the future. Nevertheless, transparency principle has the potential to guide the interpretation of the consent requirements in a way favorable to the data subjects, especially as it has been emphasized in the conditions for consent. This seems to take EU data protection law into the direction of consumer law type of thinking, as data subjects are protected by provisions which aim to ensure that data subjects receive enough information and take into consideration the stronger position that the data controller initially has.

The DPD does not expressly provide for the burden of proof on a valid data subject’s consent. However, the Opinion 11/2011 of the Article 29 WP on the definition of consent seem to place at least majority of the burden of proof to data controllers by stating that unambiguous criterion under the DPD requires that data controllers create robust procedures for collection of a consent, namely it needs to be done either by a clear express consent or by relying on certain types of procedures that deliver individual’s clear consent. Data controllers must also sufficiently verify that the person giving consent is the data subject, especially online. In addition, the Article 29 WP has presented that the data controllers relying on consent may want

40 Kuner 2012, p. 10. Kuner’s original text refers to different article numbers as referred to in here, because it was based on the Commission’s proposal for the GDPR, not the final version, which had not yet been published in 2012. For clarity, this paper refers to the articles of the final version of the GDPR. The Commission’s proposal for the GDPR had different article division than the final version of the GDPR.

12

or need to demonstrate that consents have been obtained, for instance, in the context of a dispute with data subject. This could be done, for instance, by express statements to signify agreement such as signed agreement or written statements.41

The wordings concerning the accountability principle varied during the legislative procedure. Kuner presented that Article 5(f) of the Commission’s proposal for the GDPR strengthened the accountability of data controllers.42 Article 5(f) of Commission’s proposal and the Parliament’s proposal for the GDPR maintained that personal data must be processed under the responsibility and liability of the data controller, who shall ensure and be able to demonstrate for each processing operation the compliance with the provisions of the GDPR. The preambles to both the Commission’s and the Parliament’s proposal for the GDPR established a comprehensive responsibility and liability of a data controller for any processing of personal data. Data controllers were especially required to ensure and were obliged to demonstrate the compliance of each processing operation under the GDPR.43 Nevertheless, the Council’s general approach to the GDPR maintained solely that the data controller shall be responsible for compliance with the principles related to processing personal data, as it was provided for also in the DPD. Thus, the Commission’s and Parliament’s proposals seemed to have adopted a deeper liability as those provisions mentioned that it is applied for all the provisions of the GDPR. The word “comprehensive” was also deleted from the preamble to the Council’s approach. Nevertheless, it was maintained that the data controller should be obliged to implement appropriate measures and be able to demonstrate the compliance of processing activities with the GDPR. The Parliament and the Commission also stated that these measures should consider the nature, scope, context and purposes of the processing and the risk for the rights and freedoms of individuals.44

Although the proposals for the GDPR approached the accountability principle in a slightly different way, some kind of enforcement of liability of the controller seemed to be under agreement during the whole legislative procedure. The proposals of the Commission and the Parliament adopted wordings in favor of strong and comprehensive principle of data controller’s liability. The Council’s general 41 WP 187, p. 21. 42 Kuner 2012, p. 9. At this point it should be noted that the accountability principle is provided for in Article 5(2) in the final version of the GDPR. 43 See Article 5(f) of the Commission’s proposal and the Parliament’s proposal for the GDPR and recital 60 of the preamble to the said proposals. Compare also Article 22, current 24 Article of the GDPR, in the Commission’s proposal and Parliament’s legislative resolution on the GDPR to the Council’s general approach to the GDPR. The said provision sets forth obligations on data controllers. The Council adopted less detailed approach to controller’s obligations. The final version of the GDPR followed the wordings and structure of the Council’s approach in regard to the said Article. 44 See recital 60 of the preamble and Article 22 of the Council’s general approach to the GDPR.

13

approach seems to have taken some steps back from that, but it maintains the same clarification to the duty to demonstrate and comply with the processing activities under the GDPR. The final version of the GDPR followed the wordings of the Council’s approach, although it also mentions that the effectiveness of the measure shall also be demonstrated.45

Strong accountability principle affects consent through different mechanisms. Article 5(2) of the final version of the GDPR maintains that the data controller is responsible for, and be able to demonstrate compliance with data processing principles, which affect all processing activities. Accountability principle was explicitly enforced in relation to consent requirements in the GDPR. According to Article 7(1) of the GDPR: ”Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” Although it has been maintained in the literature and by Article 29 WP that the data controller should be able to demonstrate compliance with a valid consent, explicitly expression of this strengthens the requirement. The said provision sets forth liability to carefully manage and control procedures relating to consent. This provision is in line with the general article concerning the responsibility of the data controller, Article 24. Under Article 24 the data controller needs to implement appropriate technical and organizational measures, including appropriate data protection policies, to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.

Accordingly, it can be said that a clarification has been given on the liability question in favor of the data subjects. Emphasizing the liability of a data controller is likely to clarify the burden of proof questions relating to consent as well as to guide the interpretation of provisions especially in the case law. It could be said that the demonstration requirement is of the essence in the GDPR. Owing to it data controllers need to document their data processing in detail. The said inherently causes burden and expenses to data controllers. As the documentation and demonstrations requirements apply to all the phases in a lifecycle of consent, the data controllers may need to adopt whole new procedures and mechanisms to comply with the said requirements. As consent can be withdrawn at any point as easily as it was given and due to other consent requirements, it is possible that many business operators are reluctant to adopt such time consuming and expensive measures.46

45 See especially recital 74 of the preamble to the GDPR and Article 24 of the GDPR, concerning responsibility of the data controller. 46 According to Article 29 WP, the strength of the evidence provided by a specific mechanism varies. Consent that has been obtained through a clickable button with the identity of the individual supported with an email address has less evidentiary value than a similar process that is supported, for instance, with recordable consent mechanisms. For example, Greek and German law have

14

In general, strengthening the role of data controller’s accountability seems to reflect a wider, more comprehensive, change in the foundations of the EU data protection law. Under the DPD data subject’s consent had pretty much a liberating role as data controllers could rely on it as a quite strong basis for processing personal data. Thus, it could be said that the DPD expressed data protection by consent type of thinking. The liability provisions in the DPD were not as sharp as in the GDPR. The GDPR clearly sets the baseline that data controllers need to be prepared to demonstrate at any point that they are operating under a valid legal basis. Imposing strong accountability principle on the data controllers is one important characteristic of the new regulation. As the requirements for a valid consent are set high, organizations may find consent less reliable and more problematic as a legal basis than before as the requirements of consent have been strengthened and clarified under the GDPR.

What is important in the GDPR is that data controllers are now explicitly obliged to demonstrate the compliance with the GDPR, and basically with the all aspects of it. Pursuant to Article 83(5) of the GDPR, an infringement of the provisions concerning basic principles for processing, including conditions for consent, Articles 5, 6, 7 and 9, which are of the essence of this research, are now subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. As the principles for processing are comprehensive and at some level still abstract the DPAs, the European Data Protection Board i.e the current Article 29 WP and the CJEU are likely to provide guidance on the line of interpretation in the future.47 What is of the essence is that the stakes are potentially higher than ever.

4 Emphasizing fundamental rights Fundamental right to the protection of personal data and the way it reflects on the data protection law are at the center of the contemporary European data protection

required consent to be recorded in a secure manner, the possibility to be accessed by the user or subscriber any time and to be revocable at any time. The type of evidence depends on the type of data collected and the purpose of processing. For example, an electronic signature will not be needed to consent to receiving commercial offers, but it might be necessary to the processing of certain types of financial data online. See WP 187, p. 26; Article 5(3) of the Greek Law 3471/2006 on the protection of personal data in the electronic communications sector; Article 13(2) of the German Law on Teleservices, Article 94 of the German Law on Telecommunications, and Article 28 (3a) of the German Federal Data Protection Law. 47 Previously DPAs in different EU jurisdictions have adopted different approaches to the preferred measures to ensure compliance. It is very interesting to see will the role of the Finnish Data Protection Ombudsman and Swedish Data Protection Authority change by virtue of the new provisions of the GDPR, concerning extended liability and penalties, as traditionally the said have operated mainly through guidance and advice. It is likely that their approach will not change quickly and radically. It should be noted that the current national laws also equip the authorities with measures such as administrative fines and criminal sanctions.

15

discussion. Never have data protection rights and at the same time duties been taken as seriously in Europe as now in dawn of the new General Data Protection Regulation.48 The fundamental rights rationale has an essential link to the position of data subject’s consent as a legal basis. The Commission mentioned that to strengthen data subject’s rights, ensuring informed and free consent is one of the key objectives of the data protection law reform.49 Consent is closely linked to certain new or strengthened rights and duties under the GDPR. After the Lisbon Treaty European data protection law has clearly developed into direction that emphasizes the right to data protection as a fundamental right. The Charter of Fundamental Rights of the European Union (Charter) has an essential role in this development and in the related fundamental rights discussion. Thus, all data subject’s rights under the Data Protection Directive, and especially under the new GDPR, are anchored to the right to the protection of personal data.

The data protection law rationale is moving to the direction where special emphasis is given to the fundamental rights perspective. The said mindset imprints on the whole data protection law reform and the provisions of the GDPR. Changes in the underlying rationale of legislation inevitably affect the concepts and the legal norms in the legal system as they are used as means to fulfill the said underlying objectives. EU data protection law has an inherent underlying conflict of interest that inevitably imprints on the whole data protection regime. On the one hand, privacy, integrity and autonomy interests of data subjects invoke the need for strengthening right to data protection. On the other hand, economic, social and political interests of data controllers require ensuring free flow of personal data.50 Following the footsteps of the DPD, the GDPR is based on the intertwining between the fundamental rights discourse and the functioning of the single market, especially in the form of free flow of information. Traditionally the single market argumentation has been at the core of discussion in the EU, but it can be argued that especially during the recent decade there has been significant change in the emphasis of the EU data protection law in favor of the fundamental rights aspect.

The original legal basis of the DPD lies heavily on the internal market grounds. Issuing EU legislation was justified in the first place, because the Member States had different approaches to data protection, which impeded the free flow of information.51 The DPD was adopted under the former Article 100a of the TEC, contemporarily Article 114(1) of the TFEU. The said Article was part of the chapter

48 As a reference to ideas of the Donald Dworkin’s famous “Taking Rights Seriously” work, especially Chapter 7, Dworkin 1980, pp. 184–205. 49 For instance, see COM (2010) 609 final, p. 8–9. 50 See recitals 2–4 of the preamble to the DPD. See also Bygrave 2002, pp. 40–41. 51 COM (2003) 265 final, p. 3; COM (90) 314 final, p. 4.

16

on the “Approximation of Laws” aiming to harmonize laws, regulations or administrative provisions of Member States and enabling the establishment and functioning of the European Single Market.52 The GDPR was adopted under Article 16(2) and Article 114(1) of the TFEU. Article 16, which is the new legal basis for the adoption of data protection rules introduced by the Lisbon Treaty, allows the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Member States when carrying out activities which fall within the scope of EU law. It also allows the adoption of rules relating to the free movement of personal data, including personal data processed by Member States or private parties.53 Thus, contemporarily more specified provisions can be used as legal bases for new EU legislation in comparison to the time during the adoption of the DPD.

Interestingly the first version of the GDPR, which prematurely leaked to the publicity, was solely based on Article 16(2) of the TFEU.54 Thus, in contrast to the DPD, it was not based on a provision aimed at establishing the Common Market. Article 16(2) is placed under the title “Principles” of the Treaty, outlining a part that concerns competences and provisions with general application in the EU. Under the said Article the EU is provided to lay down legislation relating to the protection of personal data of individuals as well as free movement of personal data. As Tobias Bräutigam has noticed, at this point, the principle of free movement of personal data was not brought to the forefront, although it was presented as one of the objectives of the proposal.55 Nevertheless, by virtue of critique, Article 114(1) concerning the approximation of laws to fulfil the objectives of Article 26, in other words, functioning of the internal market, was added to the Commission’s proposal for GDPR. According to Bräutigam this can be seen as strong evidence on how the Directorate-General Justice has conceptualized privacy governance predominantly as an area of fundamental rights protection. He has also argued that while the basis for the authority to legislate was changed because of the critique, it is unlikely that the underlying element has changed.56 Explanatory Memorandum of the Commission’s proposal for the GDPR explicitly mentions that the reference to

52 See also Bräutigam 2012, pp. 417–418; De Hert – Gutwirth 2009, pp. 8–9. Thus, as Bräutigam notices, it can be said that the DPD is based primarily on the common market rationale. See also Lynskey 2013, pp. 63–65 concerning the validness of the legal basis chosen for the DPD. 53 See the Explanatory Memorandum of the Commission’s proposal for the GDPR, p. 5. 54 See the Draft General Data Protection Regulation Version 56, p. 6. 55 See Article 1 of the Draft General Data Protection Regulation Version 56. Article 1 provides for the objectives of the GDPR and equally mentions both rationales. The contents of the provision remained the same in the final version of the GDPR, although its formation was changed a bit. 56 The said refocusing was criticized by the Directorate-General Internal Market and it was also criticized on that such legislation with such a wide scope could not be based only on Article 16(2) TFEU. See Bräutigam 2012, pp. 418–419.

17

Article 114(1) of the TFEU is only necessary for amending the e-Privacy Directive57 to the extent that it also provides for the protection of the legitimate interests of subscribers who are legal persons.58

The presented two elements, the uncertain position of Article 114(1) as legal basis for the GDPR during the legislative procedure and the Commission’s statement in the Explanatory Memorandum, support the statement that the internal market aspect seems to be losing its significance in the GDPR in comparison to the DPD in which it has more emphasized role. As Bräutigam points out, some significance can also be given to the fact that Commission’s proposal for GDPR originated from Commissioner Viviane Reding, who was responsible for Justice, Fundamental Rights and Citizenship matters and not from Commissioner Michel Barnier in charge of Internal Market and Services. The said clearly seems to put emphasis on the fundamental rights aspect.59 Correspondingly, the LIBE (Civil Liberties, Justice and Home Affairs) Committee of the European Parliament was the main committee responsible for the GDPR, although other committees were also involved, perhaps indicating that the European Parliament places the fundamental rights elements of the GDPR more value than the economic ones, although still acknowledging that economic elements are present.60

After the adoption of the DPD by virtue of the Lisbon Treaty, the Charter has become legally binding instrument. When the DPD entered into force 1995, EU did not have specific charter concerning fundamental rights. Thus, the preamble to the DPD cites to Article 8 of the European Convention of Human Rights (ECHR) and to the general principles of the EU in the protection of fundamental freedoms and rights of an individual and protection of privacy in the processing of personal data. Thus, the human rights enshrined in the ECHR and the common constitutional principles of Member States formed the ground for fundamental rights in the 1990s. Article 7 of the Charter, concerning private and family life covers a particularly wide range of issues, extending from private life and family life to inviolability of the home and secrecy of communications. Article 8 of the Charter recognizes the right to the protection of personal data as a new fundamental right, distinct from the rights out in Article 7 of the Charter. According to Tuomas Ojanen, Article 8 of the Charter has its roots on a variety of legal instruments, although the protection of personal data

57 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). 58 The Explanatory Memorandum of the Commission’s proposal for the GDPR, p. 6. 59 Bräutigam 2012, p. 416. 60 Other committees involved were Internal Market and Consumer Protection, Industry, Research and Energy, Economic and Monetary Affairs, Legal Affairs and Employment and Social Affairs. See Voss 2012, p. 2.

18

has not been recognized as a specific right in the framework of existing international instruments on the protection of human rights.61 The object of Article 8 of the Charter is to protect personal data against arbitrary interference by institutions and bodies of the EU and the Member States when they are implementing EU law, but the protection of personal data may also relevant in private relations between individuals.62

The amended position of the Charter and, thus, the strengthening of the fundamental rights aspect to data protection have reflected on the framework documents of the data protection reform, mainly on the communications of the European Commission. The Commission pointed out in 2003 that the proclamation of the Charter by the European Parliament, the European Council and the Commission in December 2000, especially as regards Article 8 which incorporates the right to data protection, added emphasis on the fundamental rights dimension of the DPD.63 Bräutigam notices that the Commission’s proposal for the GDPR aimed to concretize Article 7 of the Charter as well as Article 8 of the ECHR, concerning the right to the protection of personal data.64 According to Bräutigam, it seems that the Commission’s proposal for the GDPR tipped the scale into the direction of fundamental rights.65 The final version of the GDPR seems to follow this same path. In general it can be said that the strengthening of the role of fundamental rights is a development shift, which stands out of the underlying preparatory framework of the GDPR. Therefore, although the Commission’s communications around the data protection law reform in years 2009–2012 tend to argue around both fundamental rights aspect and the internal market aspect, it seems that the fundamental rights aspect has been emphasized during the preparatory phase of the GDPR.66 Aims relating to internal market functioning are often discussed in the context of the maneuver that the DPD allows and the goal to develop internal market further by adopting a regulation to increase harmonization and certainty.67

61 The said Article derives from Article 8 of the ECHR and the case law of the European Court on Human Rights, on the protection of privacy and private life, although the protection of personal data is not, as such, explicitly mentioned in the ECHR. Furthermore, Article 8 of the Charter is inspired by the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). See Ojanen 2006, pp. 90–91. 62 See Ojanen 2006, p. 95. Regarding protection of personal data in relations between private persons see C-101/01 Lindqvist [2003] ECR I-12971, especially paragraphs 24–27. 63 COM (2003) 265, p. 3. 64 Bräutigam 2012, pp. 434–435. 65 Bräutigam 2012, p. 417. 66 See for example COM (2009) 262, p. 5; COM (2012) 09 final, pp. 2–3; Commission Working Paper: Impact Assessment 2012, pp. 11–31. 67 See, for instance, COM (2012) 09 final, pp. 2–3.

19

Ollila has presented that prior to the Lisbon Treaty the CJEU interpret the rights of data subjects on the basis of balancing aims of the DPD with the rights and freedoms of data subjects, but after the Lisbon Treaty the CJEU has in its case law also cited to the rights provided for in Article 7, respect for private and family life, and 8, protection of personal data, of the Charter.68 It has been argued that the case law of the CJEU has shifted its emphasis from harmonizing internal market and ensuring free flow of information into the direction of the fundamental rights aspect. The argumentation of the CJEU in its rulings of 2010s, after the Lisbon treaty, has emphasized the individual’s fundamental rights protected in Article 7 and 8 of the Charter.69

Orla Lynskey has argued that the DPD’s scope of application has been interpreted as widely as possible in the case law of the CJEU and that a broad margin of discretion in implementation has been left to national authorities. This has had the effect of distancing the DPD from its internal market harmonization objective.70 According to Lynskey, the CJEU has been eager to endorse the right to data protection in the EU legal regime, but, nevertheless, its insistence on conflating the right to data protection and right to privacy has the potential to limit the development of an independent right to data protection and, therefore, to preclude the need for consideration of its distinct, but sometimes overlapping objectives.71 Lynskey has especially pointed out that while the DPD’s market making characteristics have been interpreted loosely by the CJEU, its fundamental rights characteristics on the other hand have become increasingly prominent after the Lisbon Treaty.72

The protection conferred by Article 8 of the Charter was established in the judgment C-275/06 Promusicae, concerning, inter alia, the protection of the confidentiality of electronic communications. In the said case the CJEU referred to the stable link between the protection of privacy and the right to data protection now established 68 Ollila 2014, p. 821 69 Ollila 2014, p. 815. For instance, see case C-131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, published in the electronic Reports of Cases, paragraphs 97–99. 70 Lynskey 2013, p. 65. As an example of the wide scope of application, see joined cases C-465/00, C-138/01 and C-139/01 C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989, paragraphs 41–44, and C-101/01 Lindqvist, paragraphs 42–45. As an example of the broad margin of discretion left to national authorities in implementation, see cases C-73/07 Tietosuojavaltuutettu v. Satakunnan Markkinapörssi OY, Satamedia [2008] ECR I-09831, paragraphs 52–55, and C-275/06 Productores de Música de España (Promusicae) v. Telefónica de España [2008] ECR I-00271, paragraphs 47–55. In comparison to the latter see C-468/10 Asociación Nacional de Establecimientos Financieros de. Crédito (ASNEF) v Administración del Estado [2011] ECR I-12181, paragraphs 27–35. 71 Lynskey 2013, pp. 76–77. 72 Lynskey 2013, p. 80.

20

in Article 8 of the Charter.73 However, as Mikael Koillinen has pointed out, the meaning of Article 8 of the Charter was truly established in the joined cases of Volker und Markus Schecke and Eifert, concerning publication of information on beneficiaries of agricultural aid. Nevertheless, the link between the right to data protection and the right to privacy was still emphasized in the judgment, as the CJEU argued that the fundamental right of Article 8 of the Charter is closely connected with the right to respect for private and family life expressed in Article 7 of the Charter.74 Thus, it can be said that Article 8 of the Charter received its independent endorsement in the case Scarlet Extended SA.75

Koillinen has presented that the codifying nature of Article 8 of the Charter complicates its evaluation, as it is often regarded to be a collection of effectual data protection principles. Nevertheless, he states that Article 8 potentially offers strong support for the individual right to data protection as a legal basis for developing data protection law.76 Correspondingly Ollila has noticed that the interpretations of the CJEU that are based on the fundamental rights provided in Article 7 and Article 8 of the Charter and direct applicability of the DPD have created strong basis for data subject’s rights. Ollila has presented that the national interpretations of the DPD were born at the time when the Charter as such did not exist. Thus, the establishment of the Charter and the development of the fundamental rights emphasis in the CJEU’s case law might lead to a situation in which old cases might be reconsidered in light of the fundamental rights.77

The case law of the European Court of Human Rights (ECtHR) concerning Article 8 of the ECHR has also had impact on the case law of the CJEU.78 Article 8 of the

73 See case C-275/06 Promusicae, paragraphs 63–65. Nevertheless, Koillinen has noticed that the said development swift did not stabilize itself immediately, as in the case C-73/07 Satakunnan Markkinapörssi and Satamedia, the DPD was interpret with a reference to the protection of privacy and freedom of speech, but without defining the actual legal basis of these rights. See Koillinen 2013, p. 179; C-73/07 Satakunnan Markkinapörssi and Satamedia, paragraphs 50–62. 74 Koillinen 2013, p. 180. See joined cases C-92/09 and C-93/09 Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen [2010] ECR I-11063, paragraph 47. 75 The Scarlet Extended SA case concerned installation of a system for filtering electronic communications to prevent file sharing that infringes copyright. In the said case the CJEU contrasted the right to data protection with the protection of the intellectual-property right and the freedom to conduct business without indication to the protection of privacy. See case C-70/10 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) [2011] ECR I-11959, paragraphs 49–51. This was repeated in the case C-360/10 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV, 16 February 2012, published in the electronic Reports of Cases, paragraph 48. 76 Koillinen 2013, p. 180. 77 Ollila 2014, p. 822. 78 For instance, see joined cases C-465/00, C-138/01 and C-139/01 Rechnungshof (C-465/00) v Österreichischer Rundfunk and Others and Christa Neukomm (C-138/01) and Joseph Lauermann (C-139/01) v Österreichischer Rundfunk, paragraphs 68–75, 95. See also Koillinen 2013, p. 178.

21

ECHR entails the right to respect for private and family life. There is no separate notion of the right to data protection in the ECHR, but since the case of Leander v. Sweden it has been regarded to belong under the right to privacy provided for in Article 8 of the ECHR.79 According to De Hert and Gutwirth, the role of the ECtHR can be described as twofold, being both a self-contained system of human rights protection and the provider for guidelines for the CJEU for concretizing fundamental rights of the EU.80

Recent case law of the CJEU has indicated that data subject’s rights are to be taken seriously. The CJEU has in its case law repeatedly underlined that the provisions of the DPD must be interpreted in light of the fundamental rights guaranteed by the Charter.81 The CJEU has emphasized the importance of Article 7 and 8 of the Charter, maintaining that it is apparent from Article 1 of the DPD and recitals 2 and 10 of its preamble that the directive seeks to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms.82

It can be said that the DPD reflected rights-based approach.83 Nevertheless, in comparison to DPD, which contains less detailed provisions and leaves more room for interpretation, the GDPR provides more specific articles with clearer and strengthened rights for data subjects, for example, Article 7(3) explicitly expressing the right to withdraw consent, Article 17, concerning the right to be forgotten, Article 20, providing for the right to portability of personal data, and Article 21, providing for the right to object processing of personal data. Nevertheless, fundamental rights in privacy and data protection, like other fundamental rights, cannot be absolute.

79 Leander v. Sweden, Strasbourg 26 March 1987, paragraphs 66–67. According to Koillinen, the case law of the ECtHr has provided institutional support for the link between privacy and data protection. See Koillinen 2013, p. 177. An example of the case law of the ECtHR concerning data protection see case S. and Marper v. the United Kingdom, Strasbourg 4 December 2008, paragraphs 66–67. 80 De Hert – Gutwirth 2009, pp. 15–16. 81 See case C-553/07 College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer [2009] ECR I-03889, paragraph 47; joined cases C-293/12 and C-594/12 Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others, 8 April 2014, published in the electronic Reports of Cases, paragraph 53; case C-131/12 Google Spain and Google, paragraphs 53, 66 and 74; and case C-362/14 Maximillian Schrems v Data Protection Commissioner, 6 October 2015, published in the electronic Reports of Cases, paragraph 38. 82 See judgments in C-553/07, Rijkeboer, paragraph 47; joined cases C-293/12 and C-594/12 Digital Rights Ireland and Others, paragraph 53; C-131/12 Google Spain and Google, paragraphs 53, 66 and 74; and case C-362/14 Schrems, paragraph 39. 83 See Brownsword 2009, p. 83.

22

There are competing rights and interests for information to be made available, for example, protection of property rights, the conduct of business, access to health care, social security and social assistance in case of illness and the fundamental freedom of the sciences as well as other public interests. Therefore, the right to data protection needs to be balanced against other rights.84 However, the CJEU has interpreted the DPD and the Charter in a way which indicates that it puts special emphasis on data subject’s rights. It is likely that this line of interpretation that emphasizes data subjects’ rights will become even more apparent when the GDPR is applied. The right to withdraw consent provides an excellent example of the data subject’s rights that are closely linked to data subject’s consent as a legal basis. As the clarified right to withdraw is combined with the other rights, such as the right to erasure or the right to object, the scope of authorization for data processing based on data subject’s consent, even though the consent would have been collected and managed properly, is more limited than before.

Recently the CJEU has handed down notable rulings with respect to fundamental rights and data protection law prior to enter into force of the GDPR. Especially the famous Google Spain ruling of the CJEU in 2014 endorsed and clarified data subject’s right to be forgotten, in other words, the right to have personal data concerning him or her erased, under certain conditions. Now the guidelines concerning the right to be forgotten provided in the said ruling have been codified into the GDPR.85 It seems that the deficiencies of the DPD made the CJEU to take the lead to further the rights conferred by the Charter. In case Schrems of 2015 the CJEU went so far that it even invalidated the so called Safe Harbor system for transatlantic data transfers in the name of data subject’s fundamental rights.86 Especially the said Schrems case represents a rise of individual privacy advocacy. The rise of data protection awareness has created privacy advocates, private persons and even organizations, actively promoting data privacy rights.87 This progress indicates that data protection rights have become more than just printed words that could be ignored without consequences. This also applies to the requirements of valid consent as well as the rights of data subject’s which are closely linked to consent as legal basis.

84 Aldhouse 2013, p. 291; Mostert et al. 2015, p. 2. For example, see case C-70/10 Scarlet Extended, paragraphs 43–46. See Articles 12, 34 and 35 of the Charter concerning the rights mentioned as examples and recital 4 of the preamble to the GDPR. 85 With regard to the right to be forgotten, compare Article 12(b) of the DPD to Article 17 of the GDPR and see case C-131/12 Google Spain and Google, paragraphs 92–99. 86 See case C-362/14 Schrems, paragraphs 67–106. 87 It seems that the Schrems case was only a beginning as now the validity of standard contractual clauses for the transfer of personal data to third countries, which are commonly used as legal basis for data transfers, have been placed under doubt. See Europe-v-facebook.org / Press release of 25 May 2016.

23

To conclude, there are at least four development swifts that support the statement that the fundamental rights aspect to the EU data protection law has strengthened and the effects of the phenomenon specifically imprint on the GDPR. Firstly, the development in the underlying rationale of data protection law has tipped the scale for fundamental rights. Underlying argumentation of the GDPR’s chosen legal basis and the way the data protection reform has been approached from the point of view of rights in the EU, especially the Commissioner of Justice and the LIBE Committee taking the lead, reflect the said development. Secondly, the strong position of the Charter as a legally binding instrument imprints heavily on the GDPR as well as its underlying framework documents. Thirdly, the development of the case law of the CJEU, in connection with the case law of the ECtHR, has developed into the direction that puts special emphasis on the data subject’s rights and the Charter. It can be argued that the Charter and the ECHR guide the case law of the CJEU into the direction of emphasizing fundamental rights approach to data protection. Last but not least the rise of general awareness of data protection related issues and the so called data privacy advocacy to promote data subject’s rights will shape the future field of data protection. This has already affected the GDPR and the case law of the CJEU.

The most emphasized objective of the whole data protection law reform is to empower data subjects and further their right to data protection. Data subject’s consent as a legal basis is closely linked to certain data subject’s rights. These data subjects’ rights conferred by the GDPR have the potential to limit the scope of valid consent and make it more troublesome to manage. Under the GDPR consent needs to be easily withdrawn and in certain cases when personal data has been processed based on consent, personal data needs to be erased in case requested by the data subject. In addition, the GDPR provides data subjects with wide right to receive information as well as right of access to the collected personal data. It also strengthens the priory existing rights to object, right to restriction of processing and right to rectification.88 As the requirements for consent are potentially interpret in favor of data subjects and taking consideration data subjects’ fundamental rights such as clarified right to withdraw, combined with, for example, right to erasure or right to object, the usability of valid consent as a legal basis for processing personal data is limited, even though data subject’s consent would have been collected and managed properly. Thus, the said development has potential to affect the position of consent as a legal basis as it is closely linked to many of the said strengthened rights. Thus, as result data controllers may now feel the need to rely on other legal bases than consent to justify their processing of personal data.

88 See especially Articles 7(3) and 12–19 of the GDPR in comparison to Articles 10–12 and 14 of the DPD.

24

5 Conclusion The General Data Protection Regulation (GDPR) as part of the data protection reform changes data subject’s consent as a legal basis in comparison to the Data Protection Directive (DPD) at least through two mechanisms: firstly, through the changes occurring in the context in which the consent requirements are interpreted, and secondly, by providing more detailed and clarified requirements that define a valid consent. These changes have been analyzed and systemized by drafting the Peripheral Protection Model. The idea of the model is to indicate and demonstrate that the border layers around the concept of consent, the context, affect and guide the interpretation of the clarified requirements provided for in the GDPR and placed at the core of the Model. Thus, in this paper the effects of other mechanisms than the actual consent requirements affecting data subject’s consent as a legal basis were emphasized.

Changing the type of legislation from a directive into a regulation harmonizes the differences between the Member States legal systems. As the requirements for a valid consent have varied between the Member States, this change benefits also the data controllers. The general requirements for a valid consent are harmonized as they are provided for in the GDPR and applied as such. Regulation as a type of legislation provides for more consistent consent rules in the EU, which is likely to increase legal certainty and potentially decrease compliance costs. Thus, organizations may have an easier entry to intra-EU trade by using data subject’s consent as a legal basis. Therefore, in this light the importance of data subject’s consent as a legal basis could potentially even increase, as the requirements for a valid consent have varied. Nevertheless, simultaneously the harmonization of rules, especially taking into consideration the adopted emphasis of the GDPR to cherish individuals’ right to data protection, is also likely to clarify and strengthen data subject’s rights, data processing principles and obligations imposed on data controllers. The said at the same time potentially narrows the scope of legitimate processing of personal data based on data subject’s consent. In addition, although the GDPR as a regulation is directly applicable legal instrument, some national laws are likely to remain in force and supplement its provisions also in the future. This in some cases might lead to confusion over which provisions to apply. Thus, the exact effects of changing the type of legal act are hard to estimate.

The GDPR sets forth strong transparency and accountability principles that are expressed as individual data processing principles and as general provisions. Both principles have also explicitly been reflected to the conditions for consent. These legal principles have the potential to guide the interpretation of the requirements for a valid data subject’s consent into direction that favors data subjects and tightens the requirements for valid consent. Owing to the explicit transparency requirement,

25

data controllers must be able to provide proper information in more detail concerning the collection and use of data subject’s consent as a legal basis and its lifecycle than under the DPD. Transparency principle makes the collection of consent potentially harder as consent cannot be hidden in the privacy policies, strengthening data subject’s control over their personal data and right to be informed. The obligation to demonstrate a valid consent during every phase of a lifecycle of the processing of personal data typically requires active measures from data controllers. Especially the data controllers who did not meet the requirements under the DPD, may need to adopt new measures and procedures that enable them to comply with the demonstration and transparency obligations in case they want to rely data subject’s consent as a legal basis. This might decrease the popularity and position of consent as a legal basis and lead to the trend that other legal bases, such as legitimate interest under Article 6(1)(f) of the GDPR, are preferred instead.

It is of the essence that the EU data protection law has shifted strongly into the direction of emphasizing fundamental rights approach. By virtue of this development and the concerns relating to data subjects’ control over their personal data, the GDPR provides stronger rights for data subjects to, inter alia, access information, withdraw their consents and to be forgotten. These rights are all closely linked to the data subject’s consent as a legal basis. Due to the data subjects’ strengthened rights, the scope of freedom that data subject’s consent provides for the data controller has potentially become narrower than under the DPD. This may decrease the significance of consent as a legal basis since consent as a legal basis is inherently linked to elements of uncertainty as it can be revoked easily and its utilization is also sensitive to the effects of many related rights, making it more troublesome to manage.

It could be argued that the DPD expressed the idea of so called data protection by consent in which the existence of consent as such has been regarded as sufficient basis for processing personal data. This is true at least in the sense that roles of data subject’s rights and accountability of the data controller were not at as emphasized during the early years of the DPD as they currently are. In comparison to the DPD, the GDPR provides for stricter accountability principle which requires data controller to be able to demonstrate its compliance with the data protection provisions. The GDPR also contains new or strengthened and clarified rights, obligations and principles. Owing to the emphasis that is put on the data subjects’ fundamental right to data protection as well as the stronger accountability obligation imposed on data controllers, the GDPR requires more of a valid consent than the DPD did and this is reflected to the usability of consent as a legal basis. To conclude, the GDPR is very likely to change the position of data subject’s consent as a legal basis.

26

Although data subject’s consent maintains its position as one of the legal bases for processing of personal data like in the DPD, the actual significance of consent as a legal basis can potentially decrease. One important reason for this that the context which guides the interpretation of the requirements for data subject’s consent has changed. The scope and stability of a valid consent are now more narrowed than during the era of the DPD. Nevertheless, as the processing of personal data always needs to have a defined legal basis, in some cases data subject’s consent still inevitably needs to be used. The level of impact of the changed context depends on the data controller in question. On the one hand, for those data controllers whose data processing has been fully in compliance with the DPD, the GDPR might not require any big changes. On the other hand, those who have put only little effort to ensure the compliance with the DPD, are likely to find the new rules and changing context in which consent’s requirements are interpreted even more challenging than under the DPD.

27

6 BIBLIOGRAPHY

Literature

Aldhouse, Francis: Comment: Data protection in Europe – Some thoughts on reading the academic manifesto. Computer Law & Security Review, Volume 29, Issue 3, 2013, pp. 289–292. (Aldhouse 2013)

Bobek, Michal: The Effects of EU in the National Legal Systems. Barnard, Catherine and Peers, Steve (ed.), European Union Law. Great Britain: Oxford University Press, 2014. (Bobek 2014)

Bradley, Kieran St. C.: Legislating in the European Union. Barnard, Catherine and Peers, Steve (ed.), European Union Law. Great Britain: Oxford University Press, 2014. (Bradley 2014)

Brownsword, Roger: Consent in Data Protection Law: Privacy, Fair Processing and Confidentiality. Gutwirth, Serge at al. (ed.), Reinventing Data Protection? Springer, 2009, pp. 83–110. (Brownsword 2009)

Bräutigam, Tobias: Getting High on Information? The European Commission’s Proposal for Renewal of the Data Protection Legislation. JFT 5/2012, pp. 415–435. (Bräutigam 2012).

Bygrave, Lee A.: Data Protection Law: Approaching Its Rationale, Logic and Limits. The Hague, London, New York: Kluwer Law International, 2002. (Bygrave 2002)

De Hert, P. – Gutwirth, S.: Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalism in Action. Gutwirth, Serge at al. (ed.), Reinventing Data Protection? Springer, 2009, pp. 3–44. (De Hert – Gutwirth 2009)

Dworkin, Ronald: Taking Rights Seriously. Cambridge, Mass.: Harvard University Press, 1980. (Dworkin 1980)

Hartley, T. C.: The Foundations of European Union Law. Eighth edition. Great Britain: Oxford University Press, 2014. (Hartley 2014)

28

Koillinen, Mikael: Henkilötietojen suoja itsenäisenä perusoikeutena. Oikeus 2/2013, pp. 171–193. (Koillinen 2013)

Kuner, Christopher: European Data Protection Law: Corporate Compliance and Regulation. Second edition. Oxford University Press, 2007. (Kuner 2007)

Kuner, Christopher: The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law, Privacy and Security Law Report, 2012, pp. 1–15. (Kuner 2012)

Lynskey, Orla: From Market Making Tool to Fundamental Right: The Role of the Court of Justice in Data Protection´s Identity Crisis. Gutwirth, Serge et al. (ed.), European Data Protection: Coming of Age. Springer, 2013. (Lynskey 2013)

Mostert, Menno et al.: Big Data in medical research and EU data protection law: challenges to the consent or anonymise approach. European Journal of Human Genetics (2015), p. 1–5 (Mostert et al. 2015)

Murray, Andrew: Information Technology Law. The Law and Society. Second edition. UK: Oxford University Press, 2013. (Murray 2013)

Ojanen, Tuomas: Article 8: Protection of Personal Data. European Network of Experts on Fundamental Rights and the European Commission: Commentary on the Charter of Fundamental Rights of the European Union. 2006, pp. 90–97. (Ojanen 2006)

Ollila, Riitta: Artikkeleita Eurooppaoikeudesta – Artiklar inom Europarätt: Henkilötietojen suoja EU:n perusoikeutena. Defensor Legis N:o 5/2014, pp. 814–824. (Ollila 2014)

Voss, W. Gregory: Preparing for the Proposed EU General Data Protection Regulation: With or Without Amendments. Business Law Today: The ABA Business Law Section’s Online Resource, November 2012, p. 2–5. (Voss 2012)

Case law

European Court of Human Rights (ECtHR)

S. and Marper v. the United Kingdom, Strasbourg 4 December 2008. Applications nos.

29

30562/04 and 30566/04.

Leander v. Sweden, Strasbourg 26 March 1987. Application no. 9248/81.

Court of Justice of the European Union (CJEU)

Case C-362/14 Schrems, 6 October 2015, published in the electronic Reports of Cases

Case C-131/12 Google Spain and Google, 13 May 2014, published in the electronic Reports of Cases

Joined cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, 8 April 2014, published in the electronic Reports of Cases

Case C-360/10 SABAM, 16 February 2012, published in the electronic Reports of Cases

Case C-70/10 Scarlet Extended SA [2011] ECR I-11959

Joined cases C-468/10 and C-469/10 ASNEF [2011] ECR I-12181

Joined cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-11063

Case C-553/07 Rijkeboer [2009] ECR I-03889

Case C-73/07 Satakunnan Markkinapörssi and Satamedia [2008] ECR I-09831

Case C-275/06 Promusicae [2008] ECR I-00271

Joined cases C-397/01 to C-403/01 Pfeiffer and others [2004] ECR I-08835

Joined cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others

[2003] ECR I-04989

Case C-101/01 Lindqvist [2003] ECR I-12971

Official materials

Article 29 Working Party (WP 29)

Opinion 15/2011 on the definition of consent (WP 187). Adopted on 13 July 2011.

Council of Europe

Convention for the Protection of Human Rights and Fundamental Freedoms, CETS No.: 005. Effective from 3 September 1953. Rome, 4 November 1950. (ECHR)

30

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Preparation of a general approach. Brussels, 11 June 2015. 9565/15. Interinstitutional File: 2012/0011 (COD).

Available at (accessed 8 May 2017):

http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf

(Council’s general approach to the GDPR)

European Commission

Commission Staff Working Paper Impact Assessment. SEC(2012) 72 final. Brussels, 25 January 2012. (Commission Working Paper: Impact Assessment 2012)

Communication from the Commission to the European Parliament and the Council: An area of freedom, security and justice serving the citizen. Brussels, 10 June 2009. (COM (2009) 262 final)

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A Comprehensive approach on personal data protection in the European Union. Brussels, 4 November 2010. (COM (2010) 609 final)

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Safeguarding Privacy in a Connected World a European Data Protection Framework for the 21st Century. (COM (2012) 09 final)

Report from the Commission: First report on the implementation of the Data Protection Directive (95/46/EC). Brussels, 15 April 2003. (COM (2003) 265 final)

Proposal for a Directive concerning the protection of individuals in relation to the processing of personal data, COM (90), 314 final, SYN 287 and 288, Brussels, 13 September 1990. (COM (90) 314 final)

European Parliament

European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of

31

individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 0011 – C7-0025/2012 – 2012/0011(COD). (Parliament’s legislative resolution on the GDPR)

European Union

The Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR) Brussels, 25 January 2012. COM (2012) 11 final 2012/0011 (COD). (Commission’s proposal for the GDPR)

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Version 56. 29 November 2011. (Draft General Data Protection Regulation Version 56)

Accessible at (accessed 8 May 2017):

http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf

Government of Finland

Government Memorandum U 21/2012 vp.

Organisation for Economic Cooperation and Development (OECD)

The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. (OECD Guidelines)

Online materials

Europe-v-facebook.org / Press release of 25 May 2016:

Facebook & NSA-Surveillance: Following “Safe Harbor” decision, Irish Data Protection Commissioner to bring EU-US data flows before CJEU again.

Available at (accessed 8 May 2017):

http://www.europe-v-facebook.org/PA_MCs.pdf

IT Law Wiki / Definitions of opt-in and opt-out.

32

Available at (accessed 8 May 2017):

http://itlaw.wikia.com/wiki/Opt-in

http://itlaw.wikia.com/wiki/Opt-out