The Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy, has issued an opinion in which they clarify the definition of consent, a key notion in the protection of personal data that gives the data subject control over the processing of their data, and give recommendations for the future.
As the processing of personal data is becoming a prominent feature of today’s society, both in the online and offline world, the importance of consent as one of several legal grounds to process personal data is increasing.
According to the data protection authorities, it is not always clear when consent is needed and what requirements have to be fulfilled for consent to be valid, making it necessary to clarify the notion of consent as used in the Data Protection Directive and in the e-Privacy Directive.
Providing examples for valid and invalid consent, the data protection authorities recommend that consent is to require the use of mechanisms that leave no doubt of the data subject’s intention to consent, meaning that mere silence or inaction could not constitute valid consent – if a user, e.g., was to register with a social network and the default settings of their profile made all personal information viewable to all “friends of friends”, it could not be inferred that this user had given their consent to such visibility.
The authorities also recommend that consent be given prior to the start of processing activities or before any new use of the data, with the data subject having the right to withdraw their consent. In addition, data subjects should to be informed about the data processing and specific attention is to be paid to individuals lacking legal capacity, such as minors.
Finally, data controllers should be able to demonstrate that they have obtained valid consent, with quality and accessibility of information forming the basis for consent.