Considerations at an EU level
The Data Protection Directive refers to an individual’s consent in three separate places:
- An organisation must have a lawful basis for processing any personal data. It must be able to meet one of the preconditions to processing set out in Article 7 of the Directive. Obtaining an individual’s consent is one way of satisfying these conditions.
- Where sensitive personal data is concerned (for example, information about health and medical condition or racial and ethnic origin) then Article 8 requires an organisation to satisfy an additional more stringent precondition. Again, consent is one such condition – although here consent must be “explicit”.
- The Directive restricts the transfer of personal data to countries outside the European Union which do not offer an adequate level of protection for personal data. This prohibition is subject to a limited number of exceptions – one of which is where the individual has given consent. Here, consent must be “unambiguous”.
The Directive does not set out any specific formal requirements for consent. However, it does include a definition of consent at Article 2(h). This provides that the data subject’s consent is:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement for personal data relating to him being processed”.
Guidance from the Article 29 Working Party
The Article 29 Working Party interprets consent in a restrictive manner, so much so that, in its recent working paper on derogations from the transfer prohibition principle (Working Document on a common interpretation of Article 26(1), adopted on 25 November 2005, WP114) it suggests that:
“Relying on consent may therefore prove to be a “false good solution”, simple at first glance but in reality complex and cumbersome”.
The Article 29 Working Party has issued guidance on consent both in the context of international transfers of data and in the employment context. The recent guidance in WP114 provides a good summary of the Working Party’s overall views. The following extracts from this guidance are particularly pertinent:
“The importance of consent constituting a positive act excludes de facto any system whereby the data subject would have the right to oppose the transfer only after it has taken place …
Using pre-ticked boxes fails to fulfil the conditions that consent must be a clear and unambiguous indication of wishes.
… specific difficulties might occur to qualify a data subject’s consent as freely given in an employment context, due to the relationship of subordination between employer and employee. Valid consent in such a context means that the employee must have a real opportunity to withhold his consent without suffering any harm, or to withdraw it subsequently if he changes his mind. … the working party acknowledges, however, that there will be cases where it is appropriate for an employer to rely upon consent, for example in an international organisation where employees wish to take advantage of opportunities in a third country.
The data subject’s consent must be specifically given for the particular transfer or a particular category of transfers in question … To cite an example, a company, when obtaining its customers’ data for a specific purpose, cannot ask them to give their prior consent to the transfer of their data to a third country in the event of the company being taken over by a third country.
The data controller must be able to prove in all cases that, firstly, he has obtained the consent of each data subject and, secondly, that this consent was given on the basis of sufficiently precise information, including information on the lack of protection in the third country”.
If an existing employee is told that their payroll data will, henceforth, be transferred to the US and that if they do not give consent they cannot be paid, then it will be reasonable to say that this consent has not been freely given. However, if an applicant for a job is told at the outset that their information may be transferred outside the EU and the individual applies for the job knowing this, then it is hard to see why this consent should not be valid. The Article 29 Working Party guidance seems to suggest – and is often interpreted as suggesting – that consent will not be valid in any situation if an individual suffers detriment through refusing consent. This extreme position is not the case in other areas of life. A patient will be asked for consent to receive medical treatment; refusal to give consent may well result in detriment to the patient, but this does not mean that the consent he or she actually gives is invalid in any way. It is difficult to see why consent in a data protection context should be different.
There is no ECJ case law which discusses the meaning of consent.
The European Court at Strasbourg has, on occasions, specifically rejected the very protective approach towards employees advocated by the Article 29 Working Party. In Stedman v UK (1997 EHROR545) the applicant was employed by a private company. This company asked the applicant to enter into an employment contract which would require her to work one Sunday in four. The applicant refused to do this arguing, amongst other matters, that it would interfere with her religious beliefs. The company subsequently dismissed the employee who then brought proceedings before the European Commission of Human Rights arguing that this dismissal clashed with her right to freedom of religion under Article 9 of the ECHR. In effect, the applicant was arguing that a private company should not be able to require an individual to waive human rights protected by the ECHR. The European Commission of Human Rights refused to accept this argument and accepted that the private company was entitled to dismiss the employee for refusing to work contracted hours. The Commission concluded that there was no interference with the applicant’s religious beliefs as she was free to resign to pursue those beliefs.
United Kingdom position
Definition of consent and formalities
The Data Protection Act 1998 does not contain a definition of consent. According to Paul Boyle (the official responsible for data protection at the Department for Constitutional Affairs) this is one of the aspects of UK implementation of the Data Protection Directive which has been queried by the EU Commission.
There are no specific formal requirements (such as consent being in writing).
In Data Protection Act 1998: Legal Guidance the Commissioner has the following to say in relation to consent (at paragraph 3.1.5):
“The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions … before looking at consent.”
In International Transfers of Personal Data – Advice on Compliance with the 8th Data Protection Principle the Commissioner further states that:
“Consent must be freely given. It can be made a condition for the provision of a non-essential service. But consent is unlikely to be valid if the data subject has no real choice but to give his/her consent. For example, if an existing employee is required to agree to the international transfer of personal data any consent given is unlikely to be valid if the penalty for not agreeing is dismissal. Consent must also be specific and informed. The data subject must know and have understood what he/she is agreeing to. The reasons for the transfer and as far as possible the countries involved should be specified. … It is possible to give some general examples:
“By signing below you accept that we can transfer any of the information we keep about you to any country when a business need arises?” – unlikely to produce valid consent.
“By signing below you accept that we may pass details of your mortgage application to XYZ Limited in Singapore who we have chosen to arrange mortgages on our behalf. You should be aware that Singapore does not have a data protection law”. – likely to produce valid consent.
“By signing below you agree that we may pass relevant personnel records to our subsidiary companies in any country to which you are transferred. Your records will continue to be handled in accordance with our code of good practice although you might no longer have rights under data protection law” – likely to produce valid consent in the case of an employee of a multi-national group who accepts a job involving international postings and where the multi-national has a group-wide data protection code.
There have been no cases which have considered the meaning of consent specifically as used in the DPA.
However, there have been many cases which have considered the meaning of consent – either in a criminal or contractual context.
- Consent must be informed – one cannot consent without knowing what it is one is consenting to. (Re Caughey ex p. Ford (1876) 1Ch.D.521).
- Consent may be expressed or inferred as long as there is some affirmative act – “consent involves some affirmative acceptance, not merely a standing by and absence of objection. The affirmative acceptance may be in writing, which is the clearest obviously; it may be oral; it may conceivably even be by conduct, such as nodding the head in a specific way in response to an express request for consent. But it must be something more than merely standing by and not objecting”. (Bell v Alfred Franks and Bartlett Co Ltd  1 AllER 356).
- Consent is not valid if obtained under duress or undue influence.
Notwithstanding the guidance from the Information Commissioner’s Office, consent is widely used in the United Kingdom.
Standard terms and conditions often include consent to the processing of personal data in general. Terms and conditions also often include consent to the transfer of personal data outside the European Union.
Employment contracts also often include consent from the employee to the processing of his or her data, although this is perhaps less common than it used to be because of the practical difficulties of dealing with data if an employee refuses to give consent or revokes consent.
Definition of consent and formalities
The Dutch Data Protection Act reproduces the definitions in the Data Protection Directive and uses consent in similar situations. There are no specific formal requirements in the Dutch Data Protection Act. This is a change to the old Data Protection Act which did require consent to be given in writing. Guidance from the Ministry of Justice does, however, note that written evidence of consent can be helpful.
The Ministry of Justice has published a “Manual on personal data processing for controllers”. This contains a section of guidance on the phrase “unambiguous consent” which includes the following comments:
“If the data subject consented to processing under pressure of the circumstances there is no question of free will. There is also no question of free will if the data subject has a dependent position in relation to you, and consented to the processing under pressure of this dependence. For example, if an employer asks a job applicant for data on his criminal behaviour, the employer cannot say that he is processing these data with the data subject’s consent.
If the data subject has given you an unspecific authorisation to process personal data, which is not aimed at specific data and specific forms of processing, this is not a legally valid consent.
You may not have any doubts about the data subject’s consent.
You may, for example, obtain a separate confirmation of the consent by having the data subject tick a box on a paper or electronic form.
The consent may also be apparent from the data subject’s behaviour”.
There is some limited case law which considers the need for a data controller to obtain consent if there were no other grounds for legitimising processing (for example the Court of Arnhem 4 February 2003 LJNAF5278). However, there is no case law which specifically considers the meaning of consent.
General terms and conditions often include a general statement of consent to processing of personal data. This type of general consent is likely not to be sufficiently specific.
Definition of consent and formalities
The Organic Law 15/99 uses the same definition as the Directive. However, it goes further than the Directive and also requires that consent must be “unequivocal”.
Article 7.2 of the LOPD requires consent to be express and in writing for the processing of information relating to ideology, religion, beliefs and trade union membership. Under Article 7.3 consent for processing of other sensitive personal data needs to be express but does not necessarily need to be in writing.
In accordance with the Spanish Civil Code, minors older than 14 are mature enough to give consent. For minors who have not yet reached 14, consent is to be given by their legal representatives.
Note that the LOPD does not allow data to be processed based on the data controller’s “legitimate interests” (i.e. Article 7(f) of the Directive has not been implemented in Spanish law). Accordingly, organisations in Spain must, as a practical matter, make greater use of consent.
One of the exceptions to the principle of consent is where the data is in sources accessible to the public which are solely and exclusively:
- the promotional census (i.e. electoral roll data to be used for direct marketing);
- telephone directories;
- list of members of professional groups; and
- newspapers, official gazettes and the media.
There is guidance on consent in the Spanish Data Protection Agency’s legal report from 2000. There is a separate legal report (also from 2000) dealing with the issue of consent in children.
Consent of the data subject must in any case be informed. This means that prior to the processing a certain amount of information (specified in article 5 of the LOPD, which corresponds to article 10 of the Directive) must be given to the data subject.
In this regard the decision R/00734/2004 of the Spanish Data Protection Agency refers to the suitability of the amount of information provided by TAIBESA (one of Peugeot’s official car dealers) to its customers for the collection of their personal data and sets out that:
- Informing data subjects of their personal data “being processed for commercial purposes” is not sufficient because of its broadness, and TAIBESA should specify the services and products about which the data subject would receive marketing. This implies that data subjects must be informed exactly of the products and services they are going to receive information about when consenting to the use of their data for advertising or marketing purposes.
- The information provided to data subjects in order to collect their consent for the transfer of their personal data to third parties should also specify who the data recipients are. To that extent, the expression used by TAIBESA, “companies in the Peugeot group”, is not sufficient because it does not determine the data recipient. The companies should therefore be specified.
It is also important to note that various judgments issued by the Audiencia Nacional (for instance its judgments dated 11 May 2001 and 15 December 2001) and Spanish Data Protection decisions and reports have clearly set out that the controller must prove that he has the data subject’s express or implied consent for the processing.
Consent is widely used in Spain.
Standard terms and conditions often include consent to the processing of personal data in general.
Terms and conditions also often include consent to the transfer of personal data to countries that do not have an equivalent level of security. In this respect, if the data subject has not given his unequivocal consent to the international transfer and none of the other exemptions apply, the international transfer of data is subject to the prior authorisation of the Spanish Data Protection Agency’s Director. Such authorisation is obtained through an administrative proceeding in which the Director assesses whether the proposed destination guarantees an adequate level of data protection.
Definition of consent and formalities
Belgian law follows the Directive’s definition of consent.
Articles 6 and 7 of the Belgian Data Protection Act require consent to be in writing to process sensitive and health related personal data. Other than this, there are no requirements for formalities.
In addition, Article 39 provides that acts of violence or threats made with the purpose of obtaining a person’s consent are illegal and punishable by fine.
Belgian guidance is in line with that of the Article 29 Working Party – i.e. consent must be freely given, specific and informed and unambiguous. Similarly, consent is not considered an adequate basis for processing if the data subject is in a relationship of subordination towards the data controller (e.g. employees/employers).
There is no published case law which specifically deals with the meaning of consent under the Act.
Definition of consent and formalities
The Italian Data Protection Code (Legislative Decree Number 196/2003) does not contain a specific definition of consent. The requirements of the Data Protection Directive are reproduced in Article 23. In addition, this also provides that consent must be express (i.e. not implicit, for instance, by simply going ahead and using a service) and must be documented in writing or, in the case of sensitive data, actually given in writing.
Consent may either be given by the data subject or by the person entitled to act on the data subject’s behalf.
The Garante (the Italian data protection authority) has issued guidance both generally in relation to consent and also in relation to particular situations.
- Video Surveillance – on 29 April 2004 the Garante issued guidance stating that video surveillance could only be used with the individual’s prior consent. Further, this must be explicit and documented in writing. The Garante specifically advised that implied consent – inferred by an individual entering a building – would not be valid.
- Internet monitoring – an employer may only process sensitive personal data collected in the course of monitoring internet activity of employees with their prior written consent. There is an exception to this where the processing is necessary to establish or defend a legal claim.
- Loyalty cards – on 24 February 2005 the Garante advised that consent must be obtained if a data controller wishes to use loyalty card data to carry out ancillary activities such as profiling, market surveys or marketing activities.
- There is also specific guidance by the Garante in relation to use of personal data for political marketing and the health sector.
Case law does not clearly define the meaning of consent under the DP Code. The definition of consent is, however, given in judgments in other areas. There is a definition of consent in a decision of the Garante (Italian DP Authority, decision 28 May 1997): “consent is the manifestation of the right to informative self-determination”.
In addition some of the general requirements for the consent can be inferred from other decisions.
In particular, consent must be:
- free: it must be freely expressed by the data subject and not obtained under duress, undue influence or by fraud.
- not influenced: for example, the supply of a service cannot depend on giving/not giving the consent to some processing.
- informed: the data subject must receive clear and exact information on the use of his/her personal data so that s/he is able consciously to make a choice on giving his/her consent.
- specific: the consent must be referenced to a clearly determined processing.
- express: this means that it must be shown by an explicit manifestation of the will of the data subject that can be expressed orally or in writing.
The way in which consent is obtained in practice depends very much on the particular type of activity.
In the employment relationship, consent (where required) is often included in the employment agreement or at the end of a separate information list attached to the employment agreement.
There can be specific difficulties when consent is bundled into general terms and conditions for the supply of services. In practice, such consents are often unclear and inaccurate so that the resulting consent is not specific and informed.
There are also specific difficulties where provision of a service is made conditional on a subscriber giving consent to receiving advertising messages.
Definition of consent and formalities
In the Swedish Personal Data Act (1998:204), section 3, consent is defined as:
“Every kind of voluntary, specific and unambiguous expression of will, by which the registered person, after having received information, accepts processing of personal data concerning him or her.”
There are no formal requirements, such as consent being in writing.
The Swedish supervisory authority, the Data Inspection Board, has published information and guidelines on the meaning of consent under the PDA. This covers the requirement that consent is given by the correct person, that consent is voluntary, specific, unambiguous and informed. The guidance also considers how to provide proof of consent, consent given by children and the fact that consent can be revoked.
There is no case law regarding consent under the PDA.
Data controllers in Sweden tend to rely either on consent or on necessity under Section 10 of the PDA. (This allows processing of personal data to fulfil a contract; to comply with legal obligations etc). In relation to sensitive personal data, consent is still the most common legal basis for processing because the alternatives are fewer and more difficult to apply.
An additional reason for choosing consent is that this exempts the data controller from the obligation to notify processing to the Data Inspection Board under Section 36 of the PDA.
Definition of consent and formalities
The French Data Protection Act reproduces the definitions in the Data Protection Directive. There are no specific formal requirements in the French Data Protection Act.
The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés: CNIL) considers that consent must be given in writing.
Concerning the collection and processing of personal data: the CNIL considers that the data subject’s consent is not required as:
- personal data is processed either in compliance with any legal obligations to which the data controller is subject or in the context of the pursuit of the data controller’s or the data recipient’s legitimate interest; and
- the data subject is informed of this processing (in accordance with section 32 of the French Data Protection Act).
The CNIL considers that the data subject’s consent is not sufficient to justify the collection and processing of sensitive data. Sensitive data collected and processed must be adequate, relevant and not excessive in relation to the purposes for which it is obtained.
The CNIL has issued guidelines on transfers of personal data outside the European Union.
In these guidelines, the CNIL indicates that consent must be specific and must refer to identified transfers. Consent cannot be given for future, unidentified transfers.
In the context of transfers of data outside the European Union, the CNIL prefers data controllers to sign data transfer agreements rather than other derogations provided by the French Data Protection Act.
More generally, the CNIL (and the European Working Party) considers that in an employment context, employees’ consent is not freely given due to the relationship of subordination between employer and employee and the greater bargaining power held by the employer.
In a French judgment (Nanterre “Tribunal de Grande Instance”) dated 2 June 2004, it was held that AOL’s standard subscriber contract was unenforceable as it breached data protection laws, and mandatory consumer and contract laws.
In France, consent needs to be positive, i.e. the subscriber needs to actively communicate his/her consent by ticking an opt-in box.
AOL’s contract relied on an opt-out approach, whereby the subscriber’s consent was held to be implied where he/she failed to register the fact that he/she did not want his/her data to be transferred cross-border and/or shared with direct marketers. The High Court of Nanterre rejected the opt-out approach as it considered it to be too demanding for the subscriber. As a result, both of these terms were held to be illegal and were consequently unenforceable.
In France, it is preferable to sign data transfer agreements.
Furthermore, pursuant to article 32 of the French Data Protection Act, data subjects must be informed of intended transfers outside the European Union to a country which does not provide a sufficient level of protection.
Definition of consent and formalities
German data protection law defines consent as a free and informed declaration: Section 4a para. 1 sentence 1 Federal Data Protection Act (Bundesdatenschutzgesetz), which is applicable to the private sector, requires that consent must be a result of a free decision of the data subject. The data subject must be informed about the purpose of the data collection, processing or use and the consequences of a refusal to give consent if necessary or if the data subject so requests (Section 4a para. 1 sentence 2 Federal Data Protection Act).
To the extent sensitive data are concerned the consent must refer explicitly to such sensitive data (Section 4a para. 3 Federal Data Protection Act).
As regards formal requirements, German law requires (Section 4a para. 1 sentence 3 Federal Data Protection Act) the written form unless another form is appropriate. If consent is included with other provisions, the consent wording must be highlighted (Section 4a para. 1 sentence 4 Federal Data Protection Act).
In Germany, the Länder regulate data protection compliance in the private sector. Thus, any company doing business in Germany must identify and should consider the guidance issued by the relevant Land.
The Länder data protection authorities regularly liaise in the so-called Düsseldorf Circle (Düsseldorfer Kreis) in order to agree on joint approaches. There is no guidance of the Düsseldorf Circle on consent.
There is some case law dealing with consent. Besides the requirement of free and informed consent (as set out in statute), courts have held that:
- consent must be specific, i.e. a consent is invalid which is too general as to the purpose for which the personal data shall be used (e.g. Federal Court of Justice (Bundesgerichtshof) of 19 September 1985, BGHZ 95, 362, 367 et seq.),
- consent must be declared in advance, i.e. subsequent consent generally cannot justify data collection, processing or use that happened prior to such consent (comp. Court of Appeal Cologne of 12 June 1992, NJW 1993, 793 et seq.),
- consent must be express (comp. Federal Court of Justice of 11 December 1991, BGHZ 116, 268, 273), and
- consent for which the data controller uses its standard wording must be fair and may not unreasonably place the data subject at a disadvantage (comp. Federal Court of Justice of 19 September 1985, BGHZ 95, 362, 367 et seq; Regional Court of Munich I of 1 February 2001, RDV 2001, 187).
Consent is widely used in Germany, including for transfers of personal data outside the EU. Consent wordings are often not specific enough as to their purpose or mix purposes that require the data subject’s consent with purposes which do not require consent, which can make the data processing unlawful.
Consent wording bundled in standard terms and conditions is mostly not enforceable; consent requires an express declaration by the data subject, e.g. by ticking a box in electronic forms or by signing a separate consent clause.
Firstly, the employee’s ability to give a valid consent is restricted as he/she might not be free due to his/her dependency on the employer. And secondly, the request for consent leaves an open question as to what to do if an employee refuses to give consent or revokes the consent.
 Opinion 8/2001 on the processing of personal data in the employment context and executive summary dated 13 September 2001.