
DATA PROTECTION

3. SOME ELEMENTS OF DATA PROTECTION LEGISLATION

3.1 DATA SUBJECT’S CONSENT

Processing of personal data must always have a legal basis. The data subject’s consent forms a legal basis for data processing, but there are also other alternatives.509 Consent, like the other elements examined in this section, reflects self-determination.510 However, as has been underlined on several occasions, the principle of self-determination is not absolute in the sense that data subjects would have absolute control over their own personal data.511

First, some basic elements of consent will be discussed, and thereafter consent will be assessed from two different angles: firstly, can the processing of personal data be based solely on the consent of the data subject, and secondly, how far-reaching is the data subject’s right to disallow the processing of his or her personal data.

Consent has been defined in the European data protection framework. It must be a freely given, specific and informed indication of the data subject’s wishes. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The form of consent was not previously specified in the European data protection regime, neither in the former Data Protection Directive nor in the former Data Protection Regulation.512 The GDPR, in turn, sets quite detailed requirements for consent.513

Even if the form of consent was not specified in the earlier legislation, such terms as “unambiguous” and “express” have appeared in practice. These terms suggest that the doctrine of implied consent cannot be applied when personal data is processed on the basis of consent.514 Thus, a simple notification by the controller stating that it is processing personal data, for example for marketing purposes, could not be considered unambiguous or express consent. It has also been suggested that simply clicking an icon signifying acceptance on a commercial website would not necessarily meet the requirements set for consent when the rules and conditions are very long and not easily understandable.515

507 S. K. Karanja, Transparency and Proportionality in the Schengen Information System and Border Control Co-operation, (Leiden, 2008) 145.

508 See Chapter I, section 1.1.

509 See for example Article 6 of the GDPR. Besides consent, personal data may be processed if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or processing is necessary for compliance with a legal obligation to which the controller is subject; or processing is necessary in order to protect the vital interests of the data subject or of another person; or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

510 See for example S. Holm & S. Madsen, “Informed consent in medical research – a procedure stretched beyond breaking point?”, in O. Corrigan; J. McMillan; K. Liddell; M. Richards & C. Weijer (eds), The Limits of Consent: A Socio-ethical Approach to Human Subject Research in Medicine (Oxford University Press, 2009), 12.

511 A. Rouvroy & Y. Poullet, “The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy”, in S. Gutwirth; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt (eds), Reinventing Data Protection? (Springer, 2009), 45–76. See also for instance Case C-524/06 Heinz Huber, ECLI:EU:C:2008:724. See also the judgment of the German Federal Constitutional Court, BVerfGE 65, 1 (15 December 1983).

512 Similarly, the implementing national legislation often did not contain provisions regarding the form of consent; see for instance the former Finnish Personal Data Act or the UK’s Data Protection Act.

513 Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final, p. 46–47 (Articles 7 and 8).

514 See also for consent as regards cookies; Article 29 Working Party, Opinion 2/2010 on online behavioural advertising, adopted 22 June 2010.

515 C. Kuner, European Data Privacy Law and Online Business, (Oxford, 2003) 68.

Besides being express, consent must be freely given. This raises the question of whether consent demanded as a prerequisite for some other action – like obtaining a loan – actually constitutes consent, in particular when the processing exceeds what is considered proportionate for the specified purposes.516

3.1.1 PROCESSING PERSONAL DATA BASED ON CONSENT

It has been suggested that the data subject’s consent as a justification for the processing of personal data is threefold. Firstly, it should be considered a procedural justification rather than a substantive one. In other words, the justification rests on someone’s authorisation rather than on the merits of the case, i.e. the right to process the personal data would not follow from the nature of the data or the circumstances, but from the authorisation. This leads to the second point: the consent would be valid vis-à-vis the consenting party, not necessarily as a justification for the processing of personal data as such. Thirdly, consent would primarily function as a “negating wrong”, and not create the basis for a right to process personal data.517 The second point could signify, for instance, that the data protection authorities would not allow certain processing of personal data even if the data subject had given their consent to it. However, the consent could have an effect, for example, on the data subject’s right to claim compensation solely on the ground of an insufficient legal basis for the processing.

Furthermore, it has been noted that the wording of the European legal framework does not suggest that consent alone would provide sufficient grounds for the processing of personal data. For instance, the requirement of proportionality should be respected regardless of any consent given by the data subject.518 And not only proportionality, but also the other principles governing the processing of personal data should always apply. An example of this is a decision taken by the Finnish Data Protection Board.519 The Board took the view that the data subject’s consent does not suffice to form the basis for the processing of personal data. Furthermore, the Board held that consent did not justify derogating from the data protection principles; the processing of personal data had to be in line with those principles. The Supreme Administrative Court later confirmed this approach by upholding the decision of the Data Protection Board.

516 The European Parliament took a stand on this issue during the negotiation process on the General Data Protection Regulation, suggesting in its text that “the execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1), point (b)”. The outcome of the trilogue negotiations leaves this issue more open. Article 7(4) of the GDPR stipulates that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. Thus, the final formulation of the GDPR retains some relics of the approach taken by the European Parliament, but does not take as strict an approach as the Parliament did. For the European Parliament’s approach, see European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

517 R. Brownsword, “Consent in Data Protection Law: Privacy, Fair Processing and Confidentiality”, in S. Gutwirth; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt (eds), Reinventing Data Protection? (Springer, 2009), 88–101.

518 A. Rouvroy & Y. Poullet, “The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy”, in S. Gutwirth; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt (eds), Reinventing Data Protection? (Springer, 2009), 62–76.

It is quite natural that certain established principles of the regulatory framework should apply regardless of the data subject’s consent. In other words, the data subject cannot consent to derogating from the provisions or principles of data protection legislation; consent serves solely as a basis for the processing.520 If this were not the case, the data subject and the data controller could quite freely stipulate how personal data is to be processed, rendering data protection regulation somewhat void.

3.1.2 THE LIMITS OF CONSENT

It has now been established that not all of the requirements of data protection legislation are met solely on the basis of the data subject’s consent. In other words, processing should always meet the other requirements set out in the regulatory framework. It was also established that consent should be considered a procedural rather than a substantive justification. This leads to the following question: when the legitimacy of the processing of personal data is not derived from the nature of the data or the circumstances in which the data is being processed, what significance should be given to the nature of the data and the circumstances vis-à-vis the data subject’s consent? Two questions are of particular interest in this context.

Firstly, when processing is based on the data subject’s consent, how far-reaching is the data subject’s control over their personal data once the processing of personal data has begun? And secondly, could the nature of the data or the circumstances in which the data has been processed create boundaries to what the data subject can consent to?

It is clear that when processing is based on consent, the legal basis vanishes when the data subject withdraws his or her consent. But could the nature of the data or the circumstances in which it has been processed require processing regardless of the data subject’s wishes? For example, when personal data is being processed for scientific research purposes on the basis of consent and the data subject withdraws his or her consent, it seems reasonable to argue that the circumstances in which the data is being processed create a justification to continue the processing. Clearly, the data should not be processed for new research purposes, but withdrawing certain data from the research sample could lead to corrupted results.

519 See for example Decision of the Finnish Data Protection Board (tietosuojalautakunta) 4/2007, dnro 6/932/2006.

520 This approach was confirmed by the adoption of the GDPR. According to Article 7(2) of the GDPR, “If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”

It was already established that the controller or processor cannot circumvent the requirements set out in data protection legislation simply by obtaining the data subject’s consent. But another question is whether the data subject can agree to any type of processing, regardless of the nature of the data or the circumstances.

I see at least two situations in which there appear to be natural limits to consent.

First, processing carried out in the public sector quite often derives from legal obligations and, as such, it seems reasonable to expect the processing to be based on legislation. In these cases, consent should not play a significant part. Secondly, there are situations in which basing the processing of personal data on consent places too much responsibility on the data subject. An example of this would be scientific research and the data banks used in scientific research, which are constructed solely on the basis of the data subjects’ consent. The core issue is not necessarily whether their consent is freely given but whether the data subject is in reality in a position to assess the actual consequences of their consent.521 It seems that the burden placed on the data subject is too heavy in such a construction, and such processing should rather derive its legitimacy and safeguards from legislation.522