The law firm Field Fisher Waterhouse has been in the news recently in connection with the unprecedented level of lobbying activity directed against the new Data Protection Regulation, currently being debated in the European Parliament. For example, see "Data Protection: All You Need to Know about the EU Privacy Debate" and "Silicon Valley Companies Lobbying Against Europe's Privacy Proposals".
We would like to take issue with a recent piece from a Senior Associate of their Privacy & Information Law Group, Victoria Hordern, in which she criticises the current draft of the Regulation ("Consent - the silver bullet?"; quotations from the FFW article appear in quotation marks below).
"... how realistic is it to really rely on consent as the ground to justify data processing particularly in the context of the online, networked world?"
The draft Regulation does not say that the ability to process data relies only on consent; it says that consent is the minimum requirement and that collection must be contingent on it. The need to gain the agreement of individuals will force data controllers to describe their purpose for collecting data. This cannot be buried in complex legal text in footnotes or privacy statements; it must clearly and unambiguously describe what the controller means to do with the data. This is only burdensome on organisations that need to collect data secretly, without the data subject being aware of it.
"Just how many consents would I need to give every day when I use the internet?"
Once controllers have acquired consent they can retain a record of it so there is no need to ask for it again. This record would be keyed to a unique identifier, perhaps stored in a cookie, whose purpose could be described within the text that informed the subject. Individuals should be able to revoke their consent at any time, and it should be automatically revoked after a reasonable period. The technology to do this is readily available and it only appears complex because it is described as such by those with a vested interest in continuing to track people. There is absolutely no need to “frequently” bombard a data subject with requests for consent.
"consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated processing"
In order to protect fundamental rights the law still limits what controllers can do with the data they have collected. They cannot use it for proscribed purposes or for purposes other than those they clearly described when they asked for consent. If they have asked for consent to share the data with controllers or processors in other jurisdictions, then they must also have contractual agreements or Binding Corporate Rules in place. If the draft Regulation is lacking in this area, then the answer is to stiffen the proscriptions on use, not to weaken the consent requirement.
"Furthermore, where the use of personal information involves very little intrusion into an individual’s privacy, obtaining consent in such circumstances is very heavy handed."
Obtaining consent does not need to be “heavy handed”, just clear and unambiguous. The length of time before it lapses could be longer for less sensitive data, but the data subject should always be asked before their data is collected. The question only needs to be asked once and only repeated when consent has lapsed. Moreover, the interaction should be seen as an opportunity for data collectors to communicate their good intentions and initiate a trustful relationship with citizens.
"The legitimate interest ground requires a controller to demonstrate that the data processing is necessary for his legitimate interests, and that his interests are not overridden by the interests of the affected individuals."
No controller has a legitimate interest, in normal circumstances, to collect personal data about individuals without their consent, and often even without their awareness. This fundamental right can only be abrogated on grounds of serious social concern, for instance as part of criminal investigations, and then it requires the oversight of a court. If data controllers rely on a business model where their commercial interest is considered to override the fundamental rights of European citizens, they need a new model. They have had plenty of warning.
"The Rapporteur's enthusiasm for consent ... effectively elevates consent to the primary lawful ground for data processing ..."
The fundamental need for consent to be given by data subjects to data controllers before their own personal data is processed has been implicit in European Law since the 1995 Data Protection Directive. This has been successively reiterated since then, in the 2003 Lisbon treaty that established data protection as a fundamental right, in the 2009 Data Privacy Directive that called for informed consent before identifiers were stored in browsers, and recently in the first draft of the Regulation produced by the European Commission. The amendments introduced by the LIBE committee only clarify the obvious point that our personal data belongs to us, and no one has the right to use it without our permission except under special circumstances that affect, for instance, public safety.
"The proposed amendments also leave little room for a flexible interpretation of legitimate interests that accounts for any actual risk to the individual’s privacy, a flexibility which is generally available under the EU Data Protection Directive."
The fact that a data controller may be a large enterprise that relies on gathering this data to generate revenue is not sufficient to override a citizen's rights and interests. The Directive came into force in the very early years of the world wide web revolution, before anyone even imagined online behavioural advertising. It is clear that "legitimate interest" was meant to override consent only for significant reasons such as concern for public safety or crime detection. Its subsequent use to justify data collection for simple commercial gain effectively hijacked the original purpose, to the detriment of citizens' rights.