Forgetting About Consent. Why The Focus Should Be On “Suitable Safeguards” in Data Protection Law

  • Gabriela Zanfir


This paper explores the assumption that data processing based on consent is ancillary in the greater context of data protection, being only one of the six lawful bases for data processing. Moreover, the data protection draft regulation proposed by the European Commission in 2012 meets overwhelmingly the concerns regarding consent in data protection expressed on numerous occasions in the past years. Hence, the focus in data protection law should be, instead, on the development of efficient and clear provisions for handling data, which can be deemed as “suitable safeguards”, regardless of the bases of their processing. For instance, the rights of the data subject—access, information, erasure etc., purpose requirements and accountability rules are effective in all of the situations of data processing. This article proposes a set of such suitable safeguards which match the content and the purpose of the right to data protection.


Personal Data Data Protection Data Subject Supervisory Authority Fair Processing 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by the strategic grant POSDRU/CPP107/DMI1.5/S/78421, Project ID 78421 (2010), co-financed by the European Social Fund—Investing in People, within the Sectoral Operational Programme Human Resources Development 2007–2013. The author would like to thank the Tilburg Institute for Law, Technology and Society for providing valuable support for her research during her research visit there.



  1. Bygrave, Lee A. 2002. Data protection law. Approaching its rationale, logic and limits. The Hague: Kluwer Law International.Google Scholar
  2. Dabin, Jean. 2007. Le Droit Subjectif. Paris: Dalloz.Google Scholar
  3. Hondius, Frits W. 1975. Emerging data protection in Europe. Amsterdam/New York: North-Holland Publishing Co./American Elsevier Publishing Co.Google Scholar
  4. Korff, Douwe. 2005. Data protection laws in the European Union. Federation of European Direct Marketing and Direct Marketing Association.Google Scholar
  5. Manson, Neil C., and Onora O’Neill. 2007. Rethinking informed consent in bioethics. Cambridge University Press.Google Scholar
  6. Nugter, Adriana C. M. 1990. Transborder flow of personal data within the EC. Dordrecht: Springer.Google Scholar

Chapters of Volumes

  1. Brownsword, Roger. 2009. Consent in data protection law: Privacy, fair processing and confidentiality. In Reinventing Data Protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 83–110. Heidelberg: Springer.Google Scholar
  2. Bygrave, Lee A., and Dag W. Schartum. 2009. Consent, proportionality and collective power. In Reinventing data protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 157–173. Heidelberg: Springer.Google Scholar
  3. de Hert, Paul, and Serge Gutwirth. 2009. Data protection in the case law of Strasbourg and Luxemburg: Constitutionalism in action, in Reinventing Data Protection? ed. Serge Gutwirth, Yves Poullet, Paul de Hert, Cecile de Terwangne, and Sjaak Nouwt, 3–44. Heidelberg: Springer.Google Scholar
  4. Gutwirth, Serge, and Paul de Hert. 2008. Regulating profiling in a democratic constitutional state. In Profiling the European citizen, ed. Mirelle Hildebrandt, and Serge Gutwirth, 271–303. Dordrecht: Springer.CrossRefGoogle Scholar
  5. Hildebrandt, Mirelle. 2008a. Defining profiling: A new type of knowledge? In Profiling the European citizen, ed. Mirelle Hildebrandt, and Serge Gutwirth, 17–45. Dordrecht: Springer.Google Scholar
  6. Mayer-Schönberger, Viktor. 1998. Generational development of data protection in Europe. In Technology and privacy: The new landscape, ed. Philip E. Agre, and Marc Rotenberg, 219–242. Cambridge, MA: The MIT Press.Google Scholar
  7. Poullet, Yves. 2008. Pour une troisième génération de réglementation de protection des données, dans Défis du droit à la protection à la vie privée. In coll. Cahiers du Centre de Recherches Informatique et Droit, 31. Bruxelles: Bruylant.Google Scholar
  8. Simitis, Spiros. 1997. Data Protection in the European Union—The quest for common rules. In Collected courses of the Academy of European Law. Vol. VIII-1, 95–141. European University Institute: Kluwer Law International.Google Scholar
  9. Zarsky, Tal. 2010. Responding to the inevitable outcomes of profiling: Recent lessons from consumer financial markets, and beyond. In Data protection in a profiled world, Yves Poullet, Serge Gutwirth, and Paul de Hert, 53–75. Dordrecht: Springer.Google Scholar


  1. Ausloos, Jef. 2012. The right to be forgotten—Worth remembering? Computers Law and Security Review 28:143–152.CrossRefGoogle Scholar
  2. Brownsword, Roger. 2004. The cult of consent: fixation and fallacy. King’s Law Journal 15:223–252.Google Scholar
  3. Curren, Liam, and Jane Kaye. 2010. Revoking consent: a blind spot in data protection law? Computer Law and Security Review 26:273–283.CrossRefGoogle Scholar
  4. de Hert, Paul, and Vagelis Papakonstantinou. 2012. The proposed data protection regulation replacing directive 95/46: A sound system for the protection of individuals. Computer Law & Security Review 28:130–142.CrossRefGoogle Scholar
  5. Eliantonio, Mariolina. 2009. The future of National Procedural Law in Europe: Harmonisation vs. Judge made standards in the field of administrative justice. Electronic Journal of Comparative Law 13.3:1–11.Google Scholar
  6. Feretti, Federico. 2012. A European perspective on data processing consent through the re-conceptualization of European data protection’s looking glass after the Lisbon treaty: Taking rights seriously. European Review of Private Law 2:473–506.Google Scholar
  7. Gomes de Andrade, Nuno Norberto. 2012. Oblivion, the right to be different from oneself. Reproposing the right to be forgotten. Revista de Internet, Derecho y Politica 13:122–137.Google Scholar
  8. Hildebrandt, Mirelle. 2008b. Profiling and the rule of law. 1. Identity in the Information Society 1:55–70.CrossRefGoogle Scholar
  9. Kightlinger, Mark F. 2007–2008. Twilight of the idols? EU internet privacy and the postenlightenment paradigm. Columbia Journal of European Law 14:1–62.Google Scholar
  10. Koops, Bert Jap. 2012. Forgetting footprints, shunning shadows. A Critical Analysis of the Right to be Forgotten in Big Data Practice. Tilburg Law School Legal Studies Research Paper Series 8.Google Scholar
  11. Le Métayer, Daniel, and Sarah Monteleone. 2009. Automated consent through privacy agents: Legal requirements and technical architecture. Computer Law & Security Review 25(2):136–144.Google Scholar
  12. Rosen, Jeffrey. 2012. The right to be forgotten. 64 Stanford Law Review Online 88.Google Scholar
  13. Swire, Peter, and Yanni Lagos. 2013. Why the right to data portability likely reduces consumer welfare: Antitrust and privacy critique. Maryland Law Review 72(2):335. Accessed 26 Feb 2013.Google Scholar
  14. Traung, Peter. 2012. The proposed new EU general data protection regulation. CRi 2:33–49.Google Scholar
  15. Zanfir, Gabriela. 2012. The right to data portability in the context of the EU data protection reform. International Data Privacy Law 2(3):149–163.CrossRefGoogle Scholar


  1. Kosta, Eleni. Unraveling consent in European Data Protection legislation. A prospective study on consent in electronic communications. Doctoral Thesis, submitted on June 1, 2011, Faculty of Law, K. U. Leuven, Interdisciplinary Center for Law and ICT.Google Scholar

Official Reports/Opinions

  1. Article 29 Working Party. 2011. Opinion 15/2011 on the definition of consent, WP 187.Google Scholar
  2. Committee on Civil Liberties, Justice and Home Affairs. 2012. Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), (COM 2012. 0011– C7-0025/2012–2012/0011(COD)). December 17, 2012.Google Scholar
  3. European Commission. 2010. COM(2010) 609 final, A comprehensive approach of data protection in Europe (4 November 2010), p. 8–9.Google Scholar
  4. European Commission. 2012a. COM(2012) 10 final, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25.1.2012.Google Scholar
  5. European Commission. 2012b. COM(2012) 11 final, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25 January 2012.Google Scholar

Other Sources

  1. European Data Protection Supervisor. Opinion of the European Data Protection Supervisor on the data protection reform package, issued on March 7, 2012.Google Scholar
  2. Hustinx, Peter. 2005. Data protection in the European Union. Privacy & Informatie 2:62.Google Scholar
  3. Singer, Natasha. 2012. You for sale: Mapping, and sharing, the consumer genome. New York Times, 16th June.;=all. Accessed 28 Feb 2013.
  4. Van Alsenoy, Brendan, Eleni Kosta, and Jos Dumortier. 2012. D6.1—Legal requirements for privacy-friendly model privacy policies. The IWT SBO SPION Project.Google Scholar
  5. Whitely, Edgar A., and Nadja Kanellopoulou. 2010. Privacy and informed consent in online interactions: Evidence from expert focus groups. International Conference on Information Systems, St. Louis, Missouri.Google Scholar
  6. Zanfir, Gabriela. 2012. EU and US data protection reforms. A comparative view, in 7th edition of The International Conference “The European Integration, Realities and Perspectives” Proceedings. Accessed 26 Feb 2012.

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  1. 1.Faculty of Law and Administrative SciencesUniversity of CraiovaCraiovaRomania

Personalised recommendations