ANALYSIS: What Constitutes Consent In The European Union?
By Robert Bond, of Speechly Bircham LLP, London.
In terms of data protection, there is an ongoing debate in the European Union as to when and how an individual can meaningfully consent to data processing activities.
With the announcement of the European Commission’s proposed General Data Protection Regulation on January 25, 2012, in which, amongst other things, there are various specific requirements in respect of consent (see WDPR, January 2012, page 15), we take this opportunity to review what businesses need to do in order to ensure that they obtain meaningful consent from data subjects when they process their personal data.
In 2011 a handful of key documents guided us towards the current interpretations of consent; they are:
• the EU Article 29 Data Protection Working Party’s Opinion 15/2011 of July 13, 2011, regarding “the definition of consent” (WP 187) (see analysis at WDPR, August 2011, page 4);
• guidance from the UK and French data protection authorities on the consent necessary for the setting of cookies in May 2011 and November 2011, respectively (see WDPR, May 2011, page 29;WDPR, November 2011, page 28); and
• the EU Article 29 Data Protection Working Party’s Opinion 16/2011 of December 8, 2011, regarding “online behavioural advertising” (WP 188) (see WDPR, January 2012, page 20).
EU Article 29 Working Party Opinion 15/2011 on the Definition of Consent
The EU Article 29 Working Party, in its Opinion 15/2011, set out, as a result of detailed analysis, their views on what is meant by consent. The Opinion states as follows…