Shifting the Burden of Consent under the GDPR

February 18, 2016

In a nutshell, the GDPR looks to reinforce the rights of individuals whilst supporting endless free flows of personal data in the digital market. This is an intricate balancing act. Personal data is fast becoming a ‘commodity’. However, the Charter of Fundamental Rights enshrines the protection of personal data as an autonomous right (art. 8) separate and distinct from the right to a ‘private life’ (art.7). This is a slight but significant difference as data protection claims are so often bundled with the right to privacy.

Consent under the current framework

At first blush, the trump card converting dubious data-collection-practices into lawful processes is ‘user consent’.The Data Protection Directive (DPD), art. 7 states that ‘Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or…

This itself is a little ambiguous, especially with regards to the threshold for consent. Tensions between the CJEU and the Article 29 Working Party on this point are further revealing, however such is arguably a symptom of continuing to work with and around DPD in the age of big data.

Consent Fatigue?

The Article 29 Working Party observed that the ‘complexity of data collection practices… outstrip[s] the individual’s ability or willingness to makes decisions to control the use and sharing of information through active choice.’[1] Consent-fatigue is a widely acknowledged phenomenon – the notion that users are so accustomed to box-ticking privacy policies in order to continue browsing online that the gesture has lost all significance.

From a legal perspective, consent should not operate as a panacea negating controller obligations under art. 6 of the DPD. In practice however, many invasive commercial practices tread a fine line when claiming to adhere to the principles of fairness, necessity and proportionality.

Consent under the GDPR

The GDPR will arguably transform this dynamic by shifting the burden of proof. Article 7(1) (in the initially available version) ‘Conditions for Consent’, states that ‘the controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes‘ and art. 7(4) ‘consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.’

Whilst it is tempting to speculate as to how these provisions will take effect following implementation of the GDPR, one defining aspect is that ‘shifting the burden of consent’ has been matched with a ‘significant imbalance between the parties’ test. Meaning that where controllers (in particular internet services providers) satisfy the former, a defence will likely fail on grounds of the latter.

Looking at member state case law, there is the beginnings of a trend towards shifting the burden of proof onto controllers. In the case of Verbraucherzentrale Bundesverband (VZBV) v Apple [2] the Regional Court of Berlin struck down eight clauses in Apple’s privacy policy for non-compliance with the German Civil Code and Telecommunications Act. It could not be demonstrated that users were sufficiently informed regarding how their data would be used and any potential third-party shares.[3] Consent in this context was effectively nullified.

In Vidal- Hall v Google [2014] EWHC 13 (QB), consent was judged on the basis of user actions. The user had chosen Apple’s Safari Browser on the understanding that it blocked third-party cookies (based on the T&Cs). The court held that this implicitly demonstrated that the user had not consented to their personal data being collected, despite many T&Cs loop-holes. This was a  mile-stone victory in elevating the data-subject above the cliché of disgruntled browser – the court acknowledged both the ‘fundamental rights’ nature of personal data collected via an ISP address and that consent could be both explicit and implicit for the purposes of the DPA 1998.

Ensuring that T&C’s are intelligible to a standard where it could be said that the reasonable person is ‘informed’ seems rudimentary from a legal perspective. However, the reality of the situation is that many ‘data controllers’ in the Internet of Things are not large companies with legal departments, they are small start-ups or businesses just starting to get online.

This is most likely why the drafters of the GDPR sought to shift the burden, to halter what is essentially a dangerous trend for both data-controllers and subjects. Data layers will only become more complex going forward and, in this context, when can it be said consent is exhausted?

If we glimpse at the current predicament: non-personal data sets combined with other non-personal data sets may create independent data from which a natural person may be identified – it is easy to envisage how this web of potential identification will only increase with Moore’s law!

Contract v Consent

Under the GDPR, where legitimacy stems from elsewhere, i.e. ‘processing is necessary for the performance of a contract to which the data subject is party’ (art. 6(b)) or to ‘protect the vital interests of the data subject’ (art. 6(d)), data-controllers avoid the complexities surrounding ‘consent’ – a welcome development. Put simply, it is far easier to prove that the collection of personal data was necessary for the performance of a contract than it was – ‘consensual’. Inversely it may be argued that this will benefit both data controllers and users in equal measure in the form of greater legal certainty and higher standards.

Whilst it remains to be seen how the GDPR and more specifically art. 7 will affect industry going forward, it cannot be denied that the shift in burden of proof will change and challenge the traditional dynamic of data-controller and data-subject. In the interim, we must prepare for this shift and the ICT industry must progress beyond box-ticking privacy policies towards a more sustainable data-sharing model.  

Felicity Turton is a postgraduate at the Center for Commercial Law Studies Queen Mary University of London, and researcher in the fields of Big Data, Maritime Finance and Sustainability.

[1] “The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data”, 1 December 2009, WP 168

[2] Journal Article – Case Comment Berlin Regional Court slices into Apple’s data protection consent.Philipp Kramer. P.L. & B.I.N. 2013, 124(Aug), 25-26.[Privacy Laws & Business International Newsletter]Publication Date: 2013


[3] Pg 843