If there was a prize for the most controversial provision in the draft EU Data Protection Regulation, it would probably be won by the article dealing with consent. From Member States’ governments to European Parliament’s committees, everyone seems to have a very strong opinion of that article. A number of European governments have already used their representation on the Council of the EU to criticise the legal uncertainty created by the draft provision. The level of disagreement with the Commission’s proposal is perhaps not surprising given the elevated and rather emotional role that consent has in privacy matters and the potentially catastrophic consequences of setting the bar for valid consent either too low or too high. But the point is that once again, the issue of individual’s consent is proving to be an uneasy one, to say the least.
This controversy is not driven by a purely academic interest about what may or may not happen in a few years’ time when the Regulation is adopted. Consent is a legal basis for collecting and exploiting personal information today, and in some cases, there is little or no option than to get people’s permission to use their data. Without a doubt, the most vibrant and present legal dilemma regarding what qualifies as consent is taking place in the context of cookies and anything else that amounts to storing or accessing information stored on someone’s device. If it wasn’t for the innate human difficulty in establishing what kind of conduct may amount to consent, it would be odd to think that after more than 3 years of heated debate about the cookie consent rule, we still are nowhere near finding a solution that everyone is happy with.
Some attempts to find a middle ground between a rock-solid, unflappably demonstrable opt-in consent and the mere assumption that anything goes when people surf the net have been made in recent times but many of the approaches adopted by European websites fall short of the necessary standards. So how can consent be obtained on the Internet other than by ticking a box? Is the concept of implied consent – so commonly used and relied upon in our ordinary comings and goings in the offline world – a workable way forward online? There isn’t a reason why it shouldn’t but to achieve a reasonable degree of legal certainty, some minimum conditions ought to be met as otherwise, we will be back to the assumption that unless someone makes a big deal of it, anything goes when you go online.
One could probably write a long academic article about this, but at a practical level it is possible to distil the conditions for valid implied consent into four ‘must have’ elements:
* Deploying a visible and prominent cookie notice – For someone to be in a position to have a say on anything, they really need to know what’s going on. So in the context of websites, that means that visitors must be presented with some kind of sufficiently clear and ‘in your face’ notice, so that it is obvious to the average user what is happening. That way, a visitor’s indication of wishes is impliedly given when they see the cookie notice, understand its meaning and rely on the functionality available to make their cookie choices.
The debate about whether consent should be a requirement to collect and use people’s information will no doubt continue and intensify as that information becomes more and more valuable. Whether we will ever have a definitive answer is yet to be seen but in the meantime, let’s try to look at technology as an enabler for individual choice. We may be surprised of what is possible.
This article was first published in Data Protection Law & Policy in September 2012.