Forgetting About Consent. Why The Focus Should Be On “Suitable Safeguards” in Data Protection Law

Reloading Data Protection

Abstract

This paper explores the assumption that data processing based on consent is ancillary in the greater context of data protection, being only one of the six lawful bases for data processing. Moreover, the data protection draft regulation proposed by the European Commission in 2012 meets overwhelmingly the concerns regarding consent in data protection expressed on numerous occasions in the past years. Hence, the focus in data protection law should be, instead, on the development of efficient and clear provisions for handling data, which can be deemed as “suitable safeguards”, regardless of the bases of their processing. For instance, the rights of the data subject—access, information, erasure etc., purpose requirements and accountability rules are effective in all of the situations of data processing. This article proposes a set of such suitable safeguards which match the content and the purpose of the right to data protection.

Notes

  1.

    European Commission (2012b).

  2.

    Directive 95/46 of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, (23 November 1995), 31-50.

  3.

    See Article 29 Working Party (2011); Brownsword (2009); Bygrave and Schartum (2009); Feretti (2012); Le Métayer and Monteleone (2009).

  4.

    See Manson and O’Neill (2007); Whitely and Kanellopoulou (2010).

  5.

    See Curren and Kaye (2010).

  6.

    Article 29 Working Party (2011), supra in note 3, p. 34.

  7.

    Kightlinger (2007–2008).

  8.

    European Commission, COM(2012) (2012a)

  9.

    Bygrave (2002).

  10.

    See Feretti (2012) (n 3) at 484; See Métayer and Monteleone (2009) (n 3) at 136.

  11.

    See Manson and O’Neill (2007) (n 4) at 112; They are referring to the UK Data Protection Act, which transposes the provisions of the Data Protection Directive, stating that the Act “assigns individual consent a large, indeed pivotal role in controlling the lawful acquisition, possession and use of personal information”; See also Brownsword (2009) (n 3) at 109.

  12.

    See Bygrave (2002) (n 9) at 66.

  13.

    See Le Métayer and Monteleone (2009) (n 3) at 139.

  14.

    See Article 29 Working Party (2011) (n 3).

  15.

    See Feretti (2012) (n 3) at 505.

  16.

    See Bygrave and Schartum (2009) (n 4) at 160. In line with their idea, Feretti (2012) (n 4) at 488 also makes a point of underlining that “the inclusion of data processing consent in the general terms and conditions of sale or services can be a common, yet subtle or elusive, method of obtaining consumer consent notwithstanding whether a transaction occurs online and irrespective of the opt-in/opt-out dichotomy”.

  17.

    See Feretti (2012) (n 3) at 500.

  18.

    See Bygrave and Schartum (2009) (n 3) at p. 170.

  19.

    See Le Métayer and Monteleone (2009) (n 3) at pp. 140–142.

  20.

    See Feretti (2012) (n 3) at p. 501.

  21.

    Traung (2012).

  22.

    de Hert and Papakonstantinou (2012).

  23.

    de Hert and Papakonstantinou (2012), p. 131.

  24.

    See Traung (2012) (n 21) at p. 38.

  25.

    See de Hert and Papakonstantinou (2012) (n 22) at p. 135.

  26.

    Recital 25 specifically states that silence or inactivity should not constitute consent and that consent is considered as being explicitly given either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.

  27.

    Even the European Commission criticized the effects in practice produced by the wording of the Data Protection Directive regarding consent, in a 2011 report: “(…) these conditions are currently interpreted differently in Member States, ranging from a general requirement of written consent to the acceptance of implicit consent. Moreover, in the online environment—given the opacity of privacy policies—it is often more difficult for individuals to be aware of their rights and give informed consent. This is even more complicated by the fact that, in some cases, it is not even clear what would constitute freely given, specific and informed consent to data processing, such as in the case of behavioural advertising, where internet browser settings are considered by some, but not by others, to deliver the user’s consent”. See European Commission. COM(2010) 609.

  28.

    See de Hert and Papakonstantinou (2012) (n 22) at p. 136.

  29.

    Hildebrandt (2008a, p. 19).

  30.

    See, for instance, Zarsky (2010, pp. 53–75); Hildebrandt (2008b).

  31.

    In the American legal system, personal data is often regarded as personally identifiable information. However, the Consumers’ Privacy Bill of Rights released in 2012 by the White House opts for the expression “personal data”; see in this regard, Zanfir (2012).

  32.

    See Kightlinger (2007–2008) (n 7) at p. 21.

  33.

    Kightlinger (2007–2008) at p. 20.

  34.

    Kightlinger (2007–2008) at p. 29.

  35.

    For instance, in a famous case in Romanian courts, an individual received a 10,000 EUR compensation for moral damages, caused by the publication of details regarding his health condition on the website of the Municipality of Sector 1 of Bucharest as a justification for the individual receiving a public transportation free pass; he based his allegations on the provisions of Law No. 677/2001 which transposes into national law the Data Protection Directive; (See Jud. sect. 1 Bucureşti, sentinţa civilă din 16.03.2009, irevocabilă).

  36.

    Kosta (2011, p. 315).

  37.

    Van Alsenoy et al. (2012, p. 31).

  38.

    Brownsword (2004).

  39.

    Kosta (2011) (n 36) at p. 315.

  40.

    See Feretti (2012) (n 3) at p. 476.

  41.

    See Brownsword (2009) (n 3) at p. 99.

  42.

    For the beginning of data protection regulation in Europe, see Hondius (1975). For the generational evolution of data protection laws in Europe, see Mayer-Schönberger (1998).

  43.

    Gutwirth and de Hert (2008).

  44.

    Gutwirth and de Hert (2008, pp. 276–278).

  45.

    Gutwirth and de Hert (2008, pp. 276–278).

  46.

    Gomes de Andrade (2012, p. 125).

  47.

    Poullet (2008, p. 41).

  48.

    Gomes de Andrade (2012) (n 76) at p. 125.

  49.

    de Hert and Gutwirth (2009, pp. 3–44).

  50.

    Hustinx (2005, p. 62).

  51.

    See de Hert and Gutwirth, (n 49) at 3.

  52.

    Dabin (2007, p. 168).

  53.

    See generally Nugter (1990). The volume analyzes some of the first data protection laws in Europe – Bundesdatenschutzgesetz (Germany, 1977), Loi relatif a l’informatique, aux fichiers et aux libertes (France, 1978), Data Protection Act (UK, 1984) and Wet Persoonsregistraties (The Netherlands, 1989), all of them containing provisions with regard to the specific rights of the data subjects and correlative obligations of the data processors. Information and access rights were omnipresent, while the first European data protection laws contained some variations of the right to object, the right to erasure and the right to correction.

  54.

    See Bygrave (2002) (n 9) at 63.

  55.

    Simitis (1997, p. 130).

  56.

    For a comprehensive analysis of these rights enshrined in the DPD and also in Directive 2002/58 on privacy and electronic communications, see Korff (2005, pp. 71–144).

  57.

    For instance, the Romanian law transposing Directive 95/46, Law no. 677/2001 for the protection of persons with regard to the processing of personal data and the free movement of such data, enshrines in art. 18 “The right to a judicial remedy”, under Chapter IV – “The rights of the data subject in the context of personal data processing”.

  58.

    See Simitis (1997) (n. 55) at 131.

  59.

    See Articles 13(1), 14(a) and 15(2) DPD.

  60.

    See de Hert and Papakonstantinou (2012) (n 22) at 141–142.

  61.

    See de Hert and Papakonstantinou (2012).

  62.

    Committee on Civil Liberties, Justice and Home Affairs (2012).

  63.

    See para. 3.4.3.1. from the Explanatory Memorandum of the DPR Proposal.

  64.

    For a critique of the provision of a right to be forgotten in the data protection reform package see Rosen (2012); See also Ausloos (2012, pp. 143–152); Koops (2012).

  65.

    For an introductory study about the right to data portability as it is enshrined in the DPR proposal, see Zanfir (2012, pp. 149–163); for a critique of the right to data portability see Swire and Lagos (2013).

  66.

    For instance, such a situation can easily be imagined in the context of database transactions between data brokers. See Singer (2012).

  67.

    Article 17(3)(d) of the DPR proposal.

  68.

    Article 18(1) of the DPR proposal.

  69.

    Opinion of the European Data Protection Supervisor (2012), para. 160.

  70.

    Opinion of the European Data Protection Supervisor (2012), para. 159.

  71.

    Articles 11 to 16 of the proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.

  72.

    Article 9 of the draft Directive.

  73.

    Article 6(1)(b),(c),(d),(e) of the Data Protection Directive.

  74.

    According to Article 2(d), (d) “’controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”.

  75.

    See Bygrave (2002) (n 9) at 61.

  76.

    See Simitis (1997) (n 55) at 129.

  77.

    Article 5(b) of the draft regulation and Article 4(b) of the draft directive.

  78.

    Article 5(c),(d) of the draft regulation and Article 4(c),(d) of the draft directive.

  79.

    Article 5(c) of the draft regulation, second thesis.

  80.

    Article 5(e) of the draft regulation and Article 4(e) of the draft directive.

  81.

    EDPS Opinion (n 58), para. 116.

  82.

    EDPS Opinion (n 58), para. 117.

  83.

    For instance, personal data related to the students of a University are processed with the purpose of keeping track of their academic results; hence, the period of time needed for this processing equals the period of the students’ enrollment. If all or some of their personal data need to be processed for statistical purposes after this period, the legal safeguards for this situation must be observed.

  84.

    See Bygrave (2002) (n 9) at 61.

  85.

    See de Hert and Papakonstantinou (2012) (n 22) at 134.

  86.

    de Hert and Papakonstantinou (2012).

  87.

    de Hert and Papakonstantinou (2012).

  88.

    See Articles 50 to 55 from the draft directive.

  89.

    This provision must refer to legal persons in their controller or representative of a controller capacity, as the DPR proposal makes it very clear that its provisions only apply to natural persons.

  90.

    Since the Treaty of Amsterdam, an explicit base for harmonization of civil procedural law is to be found in Article 65 of the EC Treaty (currently Article 81 TFEU); See Eliantonio (2009).

  91.

    Kosta (2011) (n 36) at 318.

  92.

    The preliminary results of the EU Fundamental Rights Agency project on “Data protection: Redress Mechanisms and Their Use”, presented at the Computers, Privacy and Data Protection Conference in Brussels, January 23–25, 2013, show that “data protection cases are few and dispersed between a variety of different courts” in the Member States and that “in most jurisdictions data protection does not form an important area for the specialization and development of judicial expertise”.

References

Volumes

  • Bygrave, Lee A. 2002. Data protection law. Approaching its rationale, logic and limits. The Hague: Kluwer Law International.

  • Dabin, Jean. 2007. Le Droit Subjectif. Paris: Dalloz.

  • Hondius, Frits W. 1975. Emerging data protection in Europe. Amsterdam/New York: North-Holland Publishing Co./American Elsevier Publishing Co.

  • Korff, Douwe. 2005. Data protection laws in the European Union. Federation of European Direct Marketing and Direct Marketing Association.

  • Manson, Neil C., and Onora O’Neill. 2007. Rethinking informed consent in bioethics. Cambridge University Press.

  • Nugter, Adriana C. M. 1990. Transborder flow of personal data within the EC. Dordrecht: Springer.

Chapters of Volumes

  • Brownsword, Roger. 2009. Consent in data protection law: Privacy, fair processing and confidentiality. In Reinventing Data Protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 83–110. Heidelberg: Springer.

  • Bygrave, Lee A., and Dag W. Schartum. 2009. Consent, proportionality and collective power. In Reinventing data protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 157–173. Heidelberg: Springer.

  • de Hert, Paul, and Serge Gutwirth. 2009. Data protection in the case law of Strasbourg and Luxemburg: Constitutionalism in action, in Reinventing Data Protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 3–44. Heidelberg: Springer.

  • Gutwirth, Serge, and Paul de Hert. 2008. Regulating profiling in a democratic constitutional state. In Profiling the European citizen, ed. Mirelle Hildebrandt, and Serge Gutwirth, 271–303. Dordrecht: Springer.

  • Hildebrandt, Mirelle. 2008a. Defining profiling: A new type of knowledge? In Profiling the European citizen, ed. Mirelle Hildebrandt, and Serge Gutwirth, 17–45. Dordrecht: Springer.

  • Mayer-Schönberger, Viktor. 1998. Generational development of data protection in Europe. In Technology and privacy: The new landscape, ed. Philip E. Agre, and Marc Rotenberg, 219–242. Cambridge, MA: The MIT Press.

  • Poullet, Yves. 2008. Pour une troisième génération de réglementation de protection des données, dans Défis du droit à la protection à la vie privée. In coll. Cahiers du Centre de Recherches Informatique et Droit, 31. Bruxelles: Bruylant.

  • Simitis, Spiros. 1997. Data Protection in the European Union—The quest for common rules. In Collected courses of the Academy of European Law. Vol. VIII-1, 95–141. European University Institute: Kluwer Law International.

  • Zarsky, Tal. 2010. Responding to the inevitable outcomes of profiling: Recent lessons from consumer financial markets, and beyond. In Data protection in a profiled world, Yves Poullet, Serge Gutwirth, and Paul de Hert, 53–75. Dordrecht: Springer.

Articles

  • Ausloos, Jef. 2012. The right to be forgotten—Worth remembering? Computers Law and Security Review 28:143–152.

  • Brownsword, Roger. 2004. The cult of consent: fixation and fallacy. King’s Law Journal 15:223–252.

  • Curren, Liam, and Jane Kaye. 2010. Revoking consent: a blind spot in data protection law? Computer Law and Security Review 26:273–283.

  • de Hert, Paul, and Vagelis Papakonstantinou. 2012. The proposed data protection regulation replacing directive 95/46: A sound system for the protection of individuals. Computer Law & Security Review 28:130–142.

  • Eliantonio, Mariolina. 2009. The future of National Procedural Law in Europe: Harmonisation vs. Judge made standards in the field of administrative justice. Electronic Journal of Comparative Law 13.3:1–11.

  • Feretti, Federico. 2012. A European perspective on data processing consent through the re-conceptualization of European data protection’s looking glass after the Lisbon treaty: Taking rights seriously. European Review of Private Law 2:473–506.

  • Gomes de Andrade, Nuno Norberto. 2012. Oblivion, the right to be different from oneself. Reproposing the right to be forgotten. Revista de Internet, Derecho y Politica 13:122–137.

  • Hildebrandt, Mirelle. 2008b. Profiling and the rule of law. 1. Identity in the Information Society 1:55–70.

  • Kightlinger, Mark F. 2007–2008. Twilight of the idols? EU internet privacy and the postenlightenment paradigm. Columbia Journal of European Law 14:1–62.

  • Koops, Bert Jap. 2012. Forgetting footprints, shunning shadows. A Critical Analysis of the Right to be Forgotten in Big Data Practice. Tilburg Law School Legal Studies Research Paper Series 8.

  • Le Métayer, Daniel, and Sarah Monteleone. 2009. Automated consent through privacy agents: Legal requirements and technical architecture. Computer Law & Security Review 25(2):136–144.

  • Rosen, Jeffrey. 2012. The right to be forgotten. 64 Stanford Law Review Online 88.

  • Swire, Peter, and Yanni Lagos. 2013. Why the right to data portability likely reduces consumer welfare: Antitrust and privacy critique. Maryland Law Review 72(2):335. http://ssrn.com/abstract=2159157. Accessed 26 Feb 2013.

  • Traung, Peter. 2012. The proposed new EU general data protection regulation. CRi 2:33–49.

  • Zanfir, Gabriela. 2012. The right to data portability in the context of the EU data protection reform. International Data Privacy Law 2(3):149–163.

Theses

  • Kosta, Eleni. Unraveling consent in European Data Protection legislation. A prospective study on consent in electronic communications. Doctoral Thesis, submitted on June 1, 2011, Faculty of Law, K. U. Leuven, Interdisciplinary Center for Law and ICT.

Official Reports/Opinions

  • Article 29 Working Party. 2011. Opinion 15/2011 on the definition of consent, WP 187.

  • Committee on Civil Liberties, Justice and Home Affairs. 2012. Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), (COM 2012. 0011– C7-0025/2012–2012/0011(COD)). December 17, 2012.

  • European Commission. 2010. COM(2010) 609 final, A comprehensive approach of data protection in Europe (4 November 2010), p. 8–9.

  • European Commission. 2012a. COM(2012) 10 final, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25.1.2012.

  • European Commission. 2012b. COM(2012) 11 final, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25 January 2012.

Other Sources

Acknowledgments

This work was supported by the strategic grant POSDRU/CPP107/DMI1.5/S/78421, Project ID 78421 (2010), co-financed by the European Social Fund—Investing in People, within the Sectoral Operational Programme Human Resources Development 2007–2013. The author would like to thank the Tilburg Institute for Law, Technology and Society for providing valuable support for her research during her research visit there.

Author information

Correspondence to Gabriela Zanfir.

Copyright information

© 2014 Springer Science+Business Media Dordrecht

About this chapter

Cite this chapter

Zanfir, G. (2014). Forgetting About Consent. Why The Focus Should Be On “Suitable Safeguards” in Data Protection Law. In: Gutwirth, S., Leenes, R., De Hert, P. (eds) Reloading Data Protection. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-7540-4_12
