The Article 29 Working Party has published a new opinion offering ‘a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive’
The Article 29 Working Party has responded to a request from the EU Commission and has focused its collective wisdom on the troublesome issue of consent. Opinion 15/2011 on the definition of consent was published on 13 July and is now available in full here.
The Article 29 Working Party has itself summarised the Opinion as follows:
The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive and in the e-Privacy Directive. Drawing on the experience of the members of the Article 29 Working Party, the Opinion provides numerous examples of valid and invalid consent, focusing on its key elements such as the meaning of "indication", "freely given", "specific", "unambiguous", "explicit", "informed" etc. The Opinion further clarifies some aspects related to the notion of consent. For example, the timing as to when consent must be obtained, how the right to object differs from consent, etc.
Consent is one of several legal grounds to process personal data. It has an important role, but this does not exclude the possibility, depending on the context, of other legal grounds perhaps being more appropriate from both the controller's and from the data subject's perspective. If it is correctly used, consent is a tool giving the data subject control over the processing of his data. If incorrectly used, the data subject's control becomes illusory and consent constitutes an inappropriate basis for processing.
This Opinion is partly issued in response to a request from the Commission in the context of the ongoing review of the Data Protection Directive. It therefore contains recommendations for consideration in the review. Those recommendations include:
(i) clarifying the meaning of "unambiguous" consent and explaining that only consent that is based on statements or actions to signify agreement constitutes valid consent;
(ii) requiring data controllers to put in place mechanisms to demonstrate consent (within a general accountability obligation);
(iii) adding an explicit requirement regarding the quality and accessibility of the information forming the basis for consent, and
(iv) a number of suggestions regarding minors and others lacking legal capacity.