ONLINE DATA PROCESSING CONSENT UNDER EU LAW: A
THEORETICAL FRAMEWORK AND EMPIRICAL EVIDENCE FROM
THE UK
MAURIZIO BORGHI*, FEDERICO FERRETTI* AND STAVROULA KARAPAPA**
Abstract
This article analyses the results of an empirical study on the 200 most popular UK-based
websites in various sectors of e-commerce services. The study provides empirical evidence on
unlawful processing of personal data. It comprises a survey on the methods used to seek and obtain
consent to process personal data for direct marketing and advertisement, and a test on the frequency
of unsolicited commercial emails (UCE) received by customers as a consequence of their
registration and submission of personal information to a website. Part One of the article presents a
conceptual and normative account of data protection, with a discussion of the ethical values on
which EU data protection law is grounded and an outline of the elements that must be in place to
seek and obtain valid consent to process personal data. Part Two discusses the outcomes of the
empirical study, which unveils a significant departure between EU legal theory and practice in data
protection. Although a wide majority of the websites in the sample (69%) has in place a system to
ask separate consent for engaging in marketing activities, it is only 16.2% of them that obtain a
consent which is valid under the standards set by EU law. The test with UCE shows that only one
out of three websites (30.5%) respects the will of the data subject not to receive commercial
communications. It also shows that, when submitting personal data in online transactions, there is a
high probability (50%) of incurring in a website that will ignore the refusal of consent and will send
UCE. The article concludes that there is severe lack of compliance of UK online service providers
with essential requirements of data protection law. In this respect, it suggests that there is
inappropriate standard of implementation, information and supervision by the UK authorities,
especially in light of the clarifications provided at EU level.
*
Brunel University, Law School. Intellectual Property, Internet and Media Research Centre.
University of Reading, School of Law. Comments may be directed to fed.ferretti@libero.it
**
1
Keywords: data protection, e-privacy, e-commerce, consent, unsolicited commercial emails, EU
law, UK law
2
INTRODUCTION AND BACKGROUND
This article investigates the practice of obtaining consent for the processing of personal data in
the online environment and provides quantitative evidence on unlawful processing of such data. The
analysis is based on an empirical study conducted on a population of UK websites, and draws
conclusions on the basis of the requirements laid down under EU data protection law.1
With the expansion of e-commerce, social networking and e-governance, submission of
personal data to websites has become an essential prerequisite for taking advantage of online
services or facilities, and the processing of these data for commercial communications and direct
marketing is a key feature in many websites’ business models.2 At the same time, under EU law
data processing is not lawful unless there is a legal ground for legitimising it. In particular, the
current legal regime set by Directive 95/46/EC (hereinafter the Data Protection Directive) provides
for consent as a general ground for lawfulness of the processing of personal data.3 This is the first of
six different bases to legitimise data processing, and ‘unambiguous consent’ of the data subject is
laid down as the central condition upon which data processing is legitimised.4 For instance, when an
online service collects personal data with a view to perform or commence a contract, it is not
entitled to process those data for purposes that exceed the performance of the contract—such as
direct marketing and advertisement—unless it has obtained unambiguous consent to do so. This is
precisely the scenario that is discussed in this article.
Despite the fact that consent is a key requirement for the legitimacy of many forms of data
processing in the online world, there may be situations where the conditions that need to be met for
consent to be valid are not clear. Legal uncertainty as to the scope and meaning of consent in data
processing may not only lead to divergent approaches in different jurisdictions, but it may also
create controversy as to which practices online service providers should follow to comply with EU
data protection law. The various interpretations of data protection consent by the different EU
1
The empirical study has been conducted between October 2010 and November 2011 as part of a research grant
awarded by Brunel University. The sample comprises the 200 most popular websites with domain ‘.co.uk’ according to
Google Ad Planner (n 88-89). Raw data collected during the study are available on the website of the Intellectual
Property, Internet and Media Research Centre: http://www.brunel.ac.uk/law/research/centres/ipimrc. The authors wish
to thank the personnel involved in the project, in particular Mr Indranath Gupta (PhD Cand) for supervising the data
collection process, and Dr Ilias Kiourktsidis for providing technical assistance on the test on UCE.
2
M. Borghi and M.L. Montagnani, “Models for Managing Intellectual Property Rights on the Internet: Online
Distribution of Digital Media Content”, Final Report, Counter Project (October 2009), at http://www.counter2010.org;
P.A. Bernal “Web 2.5: The Symbiotic Web”, (2010) 24 International Review of Law, Computers & Technology, 25.
3
These are: that the data subject (i.e. the person whose data is stored) has unambiguously consented (art. 7(a)), or that
the processing is necessary for the performance or the commencing of a contract (art. 7(b)), or is required under a legal
obligation (art. 7(c)), or is necessary to protect vital interests of the data subject (art. 7(d)), or to carry out a public
interest task (art. 7(e)) or to carry out a task in the legitimate interests of the data controller 7 (f)).
4
Art. 7 of the Data Protection Directive. See also Art. 2h of the Data Protection Directive which premises the lawful
processing of personal data upon “any freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”. Also, Recital 30 of the Directive
defines consent as an expression of the will of the data subject. See also Article 29 Working Party, ‘Opinion 15/2011 on
the definition of consent’ (WP 187, 13 July 2011).
3
Member States, for instance, do not necessarily match the concept of consent as envisaged in EU
data protection law.
In this respect, the UK provides an interesting case to study. In April 2009, the EU Commission
has found that, among some identified gaps in its current data protection rules, the UK failed to
implement in its national law5 the definition of consent as the freely given, specific and informed
indication of a person’s wishes.6 Ambiguity as to the concept of data processing consent accelerates
in the online world where technology gives room for various, possibly ambiguous, methods for
expressing this indication of wish. In some cases, it may not even be clear what constitutes a freely
given, specific and informed consent.
Beyond its importance from a legal and policy perspective, legal uncertainty on data processing
consent may also raise social concerns. A survey published in June 2011 suggests that “nearly all
Europeans would like to give their specific approval before collection and processing of their
personal information”.7 An early survey requested by the European Commission in 2008 reveals
that most EU citizens (64%) are concerned about whether organisations that collect their personal
data handle them in an appropriate manner. This survey also demonstrates that the vast majority of
internet users (82%) feel insecure about the transmission of their personal data over the internet. 8
Up till now, the issue of consent for data processing has attracted scholarly and policy attention,
but there is little empirical evidence as to whether commercial websites comply with data protection
law in this respect. For instance, the aforementioned surveys focus on the perspective of internet
users but do not address the issue of the websites’ compliance with the relevant legal requirements.
A study on the compliance with the Data Protection Act 1998 by UK based websites has been
carried out in 2002, mainly with the aim of identifying critical areas and providing best practices in
5
Data Protection Act 1998.
EU Commission, “Telecoms: Commission launches case against UK over privacy and personal data protection”,
(IP/09/570, 14 April 2009) at http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570. The EU Commission
has reached the second stage of the infringement procedure and has issued the following conclusions:
“The European Commission has requested the UK to strengthen the powers of its data protection authority so that it
complies with the EU's Data Protection Directive. The Commission request takes the form of a reasoned opinion – the
second stage under EU infringement procedures. In the UK, national data rules are curtailed in several ways, leaving the
standard of protection lower than required under EU rules”. This statement followed the EU Commission’s
investigation into the use of a behavioural advertising technology known as Phorm [Case Ref No 5253/08]; on April
2011 the Crown Prosecution Service decided not to prosecute BT Group Plc and Phorm Inc on the basis of s 4.2 of the
Code for Crown Prosecutors (‘a prosecution would not be in the public interest’). See Crown Prosecution Service, “CPS
decides no prosecution of BT and Phorm for alleged interception of browsing data” (8 April 2011), at
<http://www.cps.gov.uk/news/press_releases/116_11/index.html>.
7
Special Eurobarometer 359, “Attitudes towards data protection and electronic identity in the European Union”. Survey
conducted by TNS Opinion & Social at the request of Directorate-General Justice, Information Society & Media and
Joint Research Centre Survey (June 2011), available at
http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf), 153.
8
“Data Protection in the European Union- Citizens’ Perceptions”. Survey conducted by the Gallup Organization
Hungary upon the request of the Directorate General Justice, Freedom and Security, February 2008 (available at
http://ec.europa.eu/public_opinion/flash/fl_225_en.pdf).
6
4
the application of the newly introduced legislation.9 Other empirical studies have focused on critical
issues of e-privacy, such as the practices of children’s websites in processing personal data, 10 or
have addressed the processing of personal data in the broader context of the analysis of websites’
terms and conditions.11 A comprehensive study on a large sample of Israeli websites has been
conducted by Michael Birnhack and Niva Elkin-Koren.12 The study, which has been carried out in a
jurisdiction that shares many similarities with EU data protection law,13 highlights the low level of
compliance with respect to a wide range of legal requirements (most notably notice and consent)
and questions the viability of a single regulatory regime that fits all the players in the online
environment.14
In light of the variety of privacy policies of online service providers and of the uncertainty as to
the meaning of data processing consent in this context, a straightforward question arises: to what
extent is data protection law obeyed in the online environment? More specifically: how is the
requirement of unambiguous consent, as laid down by EU data protection law, respected when
personal data are stored and processed for purposes of direct marketing and advertisement?
This paper addresses the question from both a theoretical and an empirical perspective.
Part One of the paper sets the scene for the study. Here, we provide a conceptual and normative
account of data protection in light of the Treaty of Lisbon. We also identify the ethical or moral
values on which data protection is grounded in order to interpret, defend, and reinforce the
centrality of consent as a key ground for the lawfulness of personal data processing. Following, we
define consent for data processing by providing a theoretical analysis of this notion and outlining
the elements that have to be in place to seek and obtain valid consent in the context of the relevant
legal provisions of the acquis communautaire.
In Part Two, we discuss the finding of a study conducted on a sample of 200 most popular UKbased websites to assess their practices and activities in relation to the use of personal data for direct
marketing and advertisement. First, we examine the methods used by websites to seek and obtain
consent to process personal data. Second, we test the behaviour of the websites in response to
expressions of consent and refusal of consent. As an indicator of unlawful processing of personal
data, we have considered the frequency of unsolicited commercial emails (UCE) received by a
9
A. Macaulay and I. Bourne, Study of Compliance with the Data Protection Act 1998 by UK websites, Report for the
Office of the Information Commissioner, (May 2002).
10
Joseph Turow, Privacy Policies on Children’s websites: Do they play by the rules?, Annenberg Public Policy Center
(2001), at: http://www.asc.upenn.edu/usr/jturow/Privacy%20Report.pdf; J. Hörnle, I. Walden and J. Angel, Marketing
to Children, Data Collection Practices and the Law (2004, Queen Mary University of London).
11
S. Bradshaw, C. Millard and I. Walden “Contracts for Clouds: A Comparative Analysis of Terms and Conditions for
Cloud Computing Services”, (2011) 19 International Journal of Law and Information Technology, 197.
12
M. Birnhack & N. Elkin-Koren, “Does Law Matter Online? Empirical Evidence on Privacy Law Compliance”,
(2011) 17 Michigan Telecommunications & Technology Law Review, 337.
13
Ibid, 351-352.
14
Ibid, 378-380.
5
hypothetical customer as a direct consequence of
registration and submission of personal
information to a website. We conclude by addressing some policy considerations.
PART ONE
CONSENT IN EU DATA PROTECTION LAW: LEGAL AND THEORETICAL
FRAMEWORK
A. EU DATA PROTECTION LAW
Data protection is a complex and multifaceted concept both from a social and a legal point
of view. Traditionally, the primary object of data protection laws has been identified with the
protection of personal privacy within the context of processing operations involving personal data.
However, at least under EU law, privacy and data protection are distinct, yet complementary,
fundamental legal rights. They derive their normative force from values that - although at times
coincidental and interacting in a variety of ways - may be conceptualised independently.
The concept of privacy was first developed as an independent legal value when Brandeis
and Warren identified it as a tort action, defining it as ‘the right to be left alone’.15 Since then, it has
been largely accepted that, in its most general accession, privacy protection is a legal way of
drawing a line at how far society or other individual subjects may intrude into a person's own
affairs. It entails that such a person should be left able to conduct their personal legitimate affairs
relatively free from unwanted intrusions. As such, privacy is an expression of human dignity,
development of human personality, and freedom of the individual.16
S. Warren and L. Brandeis, “The Right to Privacy”, (1890) 4 Harvard Law Review, 193-220.
See, for example, E.J. Bloustein, “Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser”, (1964) 39
New York University Law Review, 962-1007: S. Stromholm, Right of Privacy and Rights of the Personality
(Stockholm, Norstedt 1967); J. Pennock. and J. Chapman (eds.), Privacy, NOMOS XIII (New York, Atherton Press
1971); J. Paul, F. Miller, and E. Paul (eds.), The Right of Privacy (Cambridge, Cambridge University Press 2000); J.
Rachels, “Why Privacy is Important”, (1975) 4 Philosophy and Public Affairs, 323-333. Other narrower views of
privacy see it as self-determination, intimacy, or a meaningful aspect of interpersonal relationships, personal expression,
and choice. See, for example, W. Parent, “Privacy, Morality and the Law”, (1983) 12 Philosophy and Public Affairs,
269-288. R. Gerstein, “Intimacy and Privacy”, (1978) 89 Ethics, 76-81; A. Westin, Privacy and Freedom (New York,
Atheneum 1967); J. Inness, Privacy, Intimacy, and Isolation (Oxford, Oxford University Press 1992); C. Fried, An
Anatomy of Values (Cambridge, Harvard University Press 1970); R. Gavison, “Privacy and the Limits of the Law”,
(1980) 89 Yale Law Journal, 421-471; A. Moore, “Intangible Property: Privacy, Power, and Information Control”,
(1998) 35 American Philosophical Quarterly, 365-378; F. Schoeman. (ed.), Philosophical Dimensions of Privacy: An
Anthology (Cambridge, Cambridge University Press 1984); J. DeCew, In Pursuit of Privacy: Law, Ethics, and the Rise
of Technology (Ithaca, Cornell University Press 1997). Such an individualistic approach to privacy has been criticised
by scholarship arguing that greater recognition should be given to the broader social importance of privacy: other than a
common value in which individuals enjoy some degree of it, privacy is seen as a public and collective value vis-à-vis
technological developments and market forces, requiring minimal levels of privacy for all. P. Regan, Legislating
Privacy (Chapel Hill, University of North Carolina Press 1995). There exists a number of works critical of privacy, too.
The so-called ‘reductionist approach’, for example, takes the view that the right to privacy is derivative, meaning that it
can be explained in the context of other rights without deserving any separate attention. As such, it can be protected
15
16
6
At legislative level, the experience of totalitarian regimes in the 20th Century pushed
European nations into attaching great importance to the right to privacy, as it had been
demonstrated how easily it can be violated, and how extreme the consequences of such violations
can be. Privacy was soon elevated as a human right and its standard at international level was
enshrined in the 1948 Universal Declaration of Human Rights and later, at European level, was
incorporated in the 1950 European Convention for the Protection of Human Rights and
Fundamental freedoms (ECHR).17
The considerable body of literature on the concept of privacy exemplifies the difficulty in
defining with precision what remains a broad and at times ambiguous term, but it also helps to set
the basis for distinguishing ‘data protection’ from ‘privacy’.
Personal data protection is a distinctive European innovation in law that over the years has been
gaining a mixed fortune outside the EU, from acceptance and emulation in a number of non-EU
jurisdictions, to criticism and disputes in others, such as the US. Certainly, the horrors of recent
European history and the subsequent international conventions played an important role in the
development of data protection laws across Europe and, ultimately, at EU level in the adoption of
the Data Protection Directive. Two other factors, however, proved decisive for its enactment under
the remit of the EU: (i) the progressive development in computers and information technologies
together with the dangers that this could represent for individuals, transcending national affairs; and
(ii) the need for the free movement of personal data within the Community to enable trade and
prevent conflict arising from separate national regimes.18 In the end, the real aims and scope of the
Data Protection Directive were both the protection of fundamental rights and freedoms of European
citizens, and the achievement of the internal market. Both objectives were equally important, even
though the jurisdiction of the EU on this subject rested on internal market grounds, having its legal
basis in Article 100a of the EC Treaty (now Article 114 TFEU).
through other rights without any explicit protection on its own. Any privacy violation would be better understood as the
violation of other more basic rights: ultimately, the right to privacy would merely be a cluster of rights, where these
rights are always overlapped by property rights or rights over the person, such as bodily security. J. Thomson, “The
Right to Privacy”, (1975) 4 Philosophy and Public Affairs, 295-314. For another strong critique of privacy see also R.
Bork, The Tempting of America: The Political Seduction of the Law (New York, Simon & Schuster 1990). These
‘reductionist approaches’ have been criticised by a number of commentators: see T. Scanlon “Thomson on Privacy”,
(1975) 4 Philosophy and Public Affairs, 323-333; J. Johnson “Constitutional Privacy”, (1994) 13 Law and Philosophy,
161-193. Another well-known contribution to the ‘reductionist approach’ is that of Posner who takes an economic, costbenefit analysis of privacy. He argues that the types of interests protected under privacy are not distinctive. Most of all,
nevertheless, the central proposition is that privacy protection is economically inefficient. Protection of individual
privacy would be difficult to defend because it does not maximise wealth. On this line of argument, Posner defends
organisational or corporate privacy as more valuable than personal privacy, the reason being that the former is likely to
improve economic efficiency. R. Posner, The Economics of Justice (Cambridge, Harvard University Press 1981).
17
Universal Declaration of Human Rights, 10 December 1948. Council of Europe, Convention for the Protection of
Human Rights and Fundamental Freedoms, ETS n. 005.
18
See Directive 95/46/EC OJ L 281, 23.11.1995 (hereinafter ‘Data Protection Directive’), Recitals 1-11.
7
A sector-specific regime with regard to privacy and electronic communications was the recently
amended Directive 2002/58/EC (the so-called ‘e-Privacy Directive’).19 This is a lex specialis vis-àvis the Data Protection Directive, which provides for a regime exclusively applicable to providers
of publicly available electronic communication services (e.g. telecom and internet service
providers) with regard to the processing of personal data in electronic communications. All the
same, the EU legislator consistently took a rigorous ‘fundamental human rights’ approach. This
stance was particularly important because it meant that data protection automatically trumped other
interests and could not be traded-off for economic benefits.20
This position has been made explicit lately by Article 16 TFEU which elevates the provision
on data protection to a ‘provision of general application’ under Title II alongside other fundamental
principles of the EU. It also imposes on the EU legislator to establish a certain and unequivocal
legal framework for data protection. Equally, with the Treaty of Lisbon, the Charter of Fundamental
Rights of the EU has become binding, and in its Article 8 it recognises the protection of personal
data as an autonomous right distinguished from ‘privacy’.
Indeed, data protection refers to the protection through regulation of personal information
pertaining to an identified or identifiable individual (data subject). Individuals do not own
information about themselves. Information does not pre-exist to its expression or disclosure but it is
always to some extent constructed or created by more than one agent. 21 Normatively, no proprietary
rights exist on personal information. It pertains to an individual but it does not belong to him or her
in a proprietary sense. Those who process personal data (data controllers) have the right to process
19
Directive 2002/58/EC OJ 2002 L201 p. 37-47, as amended by Directive 2009/136/EC OJ 2009 L377, 11-36.
D. Heisenberg, Negotiating Privacy (London, Lynne Rienner 2005), Ch. 1,2,3; V. Mayer-Schonberger “Generational
Development of Data Protection in Europe”, in P.E. Agre and M. Rotenberg (eds.), Technology and Privacy: The New
Landscape (Cambridge, The MIT Press 1997), 219-241; S. Simitis “From the Market to the Polis: the EU Directive on
the Protection of Personal Data”, (1995) 80 Iowa Law Review, 445-469. The draft relied heavily on the German and
French data protection laws, reflecting views that data privacy could not be traded-off against commercial interests or
other rights such as freedom of expression. Moreover, there was a strategic element to the choice of labelling data
protection as a fundamental human right. The European Court of Justice (ECJ) had ruled that it was bound by the
constitutional traditions of the Member States, and it could not uphold measures incompatible with fundamental rights
recognised and protected by the constitutions of those states. According to the ECJ, thus, the EC could not take away
the Member States’ guaranteed rights, and there was therefore a legal duty not to harmonise at the lowest level in order
to avoid conflicts between EC law and the Member States’ Constitutions (Internationale Handlelsgesellschaft mbH v
Einfuhr – und Vorratsstelle fur Getreide und Futtermittel (C 11/70) [1970] ECR 1125, [1972] CMLR 255; Nold (J.) KG
v Commission (C 4/73) [1974] ECR 491, [1974] 2 CMLR 338). Not all Member States approved the described
‘fundamental human rights approach’ taken by the Data Protection Directive. In particular, the UK sided with its
business community, complaining that the new standards were much higher than the law existing at the time, mainly
maintaining a utilitarian stance and disagreeing on the fact that data protection should not have been traded-off for
economic benefits. Isolated in its position, the UK abstained from voting on the Directive, signalling to its business
community that it had opposed its strict provisions. On the utilitarian approach of the UK, see A.T. Kenyon and M
Richardson “New Dimensions in privacy: Communications technologies, media practices and law”, in A.T. Kenyon and
M. Richardson (eds.), New Dimensions in Privacy Law (Cambridge, Cambridge University Press 2006), 1-10.
21
A. Rouvroy and Y. Poullet “The Right to Informational Self-Determination and the Value of Self-Development:
Reassessing the Importance of Privacy for Democracy”, in S. Gutwirth and others Reinventing Data Protection?
(Heidelberg, Springer 2009), 45-76.
20
8
those data as long as such processing is in compliance with procedural rules set by law. The
objective of data protection law is to protect individuals not against data processing per se, but
against unjustified collection, storage, use, and dissemination of the data pertaining to them.22 As
persuasively shown by Hert and Gutwirth, data protection cannot be reduced to a late privacy spinoff echoing a privacy right with regard to personal data, but it formulates the conditions under
which information processing is legitimate. While privacy laws derive their normative force from
the need to protect the legitimate opacity of the individual through prohibitive measures, data
protection forces the transparency of the processing of personal data enabling its full control by the
data subjects where the processing is not authorised by the law itself as necessary for societal
reasons. In short, data protection law focuses on the activities of the processors and it enforces their
accountability, thus regulating an accepted exercise of power.23
These principles are reflected in provisions of the Data Protection Directive, such as those
that require that data processing must be done for legitimate, explicit and precise purposes, which
have to be previously notified to the concerned individual (principles of purpose specification and
data minimisation); or the provisions granting to data subjects the right of access to their data; or,
again, those requiring that there should be a valid legal basis for the data processing, such as
consent of the data subject, or a legal obligation (the latter two may be summarised under the
‘principle of necessity’ of the processing which still needs to be notified to data subjects). 24
On discussions about individuals not owning information about themselves see J. Kang and B. Bunter “Privacy in
Atlantis”, (2004) 18 Harvard Journal of Law and Technology , 230-267; Rouvroy and Poullet (n 21).
23
P. De Hert and S. Gutwirth “Data Protection in the Case Law of Strasbourg and Luxembourg: Constitutionalisation in
Action”, in S. Gutwirth and others, Reinventing Data Protection? (Heidelberg, Springer 2009), 3-44. On a critical view
that data protection acts are seldom privacy laws but rather information laws, protecting data before people, see S.G.
Davis “Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity”, in
P.E. Agre and M. Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, The MIT Press 1997),
143-165. To appreciate the distinction between the concepts of privacy and data protection in practice, take the
example of a customer of a telephone operator. S/he has given away her/his personal data in order to benefit from the
required service. Suppose two different scenarios in the case the customer needs to contact the telephone operator, no
matters the reason: a) the customer widely uses the service and s/he is a big spender; b) the customer makes a moderate
use of the telephone and spends little money on it. In scenario a) s/he manages to access the operator of the call centre
straightaway or with little time wait; in scenario b), by contrast, s/he is hold on the line for a long time before an
operator answers, at times to the point that the customers hangs up the telephone in frustration. The telephone company,
without the customer knowing, has invested in software that screens customers’ spending and accordingly prioritises
phone calls from those who usually spend more. This would hardly be a violation of the customer’s privacy as s/he has
provided voluntarily her/his personal data including for reasons of customer support. However, many would say that
such practice is discriminatory as the telephone company makes an excessive use of data that it already holds or exceeds
the purpose for which they were first collected.
24
In short, said data protection principles aim at providing that personal data must be:
processed fairly and lawfully (Data Protection Directive - Art. 6a);
collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with
those purposes (Data Protection Directive - Art. 6b);
adequate, relevant, and not excessive in relation to the purposes for which they are collected and/or further
processed (Data Protection Directive - Art. 6c);
accurate and kept up-to-date; every reasonable step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were collected or for which they are further processed, are
erased or rectified (Data Protection Directive - Art. 6d);
22
9
Nowadays there is an unprecedented scale of personal data stored by online service
providers and used for commercial purposes. Information processing and technologies have a clear
potential to dramatically influence the lives of people and this puts an exceptional power in the
hands of those who use them—a risk that has only recently been perceived by business and
consumer associations alike.25 Like privacy, therefore, data protection finds its roots in the idea that
democratic societies should not be turned into systems of power resting on control, surveillance,
actual or predictive profiling, classification, social sorting, and discrimination. Data protection is
not only a matter of individual liberty, intimacy, and dignity of individuals but a wider personality
right aimed at developing people’s social identity as citizens and consumers alike. Hence, it has to
be agreed with those concluding that, although “data protection principles might seem less
substantive and more procedural compared to other rights (…) they are in reality closely tied to
substantial values and protect a broad scale of fundamental values”.26 that on many occasions may
overlap or intersect, but remain separate from those of privacy. For that reason, it also has important
connotations for society as a whole and it constitutes an important legislative tool to protect
collective social goods and fundamental values of a modern democratic order where citizens freely
develop their personality and autonomy. Therefore, both privacy and data protection regimes (i.e.
seclusion and legitimate opacity on the one side, and inclusion and participation on the other side)
represent a bundle of legal protections and tools to pursue the common goal of a free and
democratic society where citizens develop their own personality freely and autonomously through
individual reflexive self-determination and for collective deliberative decision making regarding the
rules of social cooperation.27
From this perspective, granting to individuals control over their personal information is not
only a tool to allow them control over the persona they project in society free from unreasonable or
unjustified associations, manipulations, distortions, misrepresentations, alterations or constraints on
their true identity. It is also a fundamental value pertaining to humans to keep and develop their
personality in a manner that allows them to fully participate in society without having to conform
thoughts, beliefs, behaviours or preferences to those of the majority or those set from above by the
industry for commercial interest.28 In this sense, the rights conferred by data protection legislation
are participatory rights of informational self-determination, where the requirement of individual
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for
which the data were collected or for which they are further processed (Data Protection Directive - Art. 6e).
25
London Economics, Study on the economic benefits of privacy enhancing technologies – Final Report to the
European Commission DG Justice, Freedom, and Security (July 2010), available at http:
http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_pets_16_07_10_en.pdf.
26
De Hert and Gutwirth (n 23), 44.
27
Rouvroy and Poullet, (n 21).
28
Ibid.
10
consent for the processing of data is the cornerstone unless the processing is necessary, subject to
notice to data subjects,29 for the performance of a contract to which the data subject is party, for
compliance with a legal obligation of the data controller, to protect a vital interest of the data
subject him/herself, for public interest, or for overriding rights of the data controller or third
parties.30 As such, the instrument of consent as the tool to grant such participatory right rests on the
expression of a classical liberal conception of autonomy and individualism.
B. DATA PROCESSING CONSENT
The issue of consent is a complex one that raises difficult questions in many areas of the
law.31 In this study, consent is tied specifically to personal data protection and the substantial values
which it aims to safeguard.
At European level, Article 8 of the Charter of Fundamental Rights of the EU explicitly
recognises consent of data subjects as the main condition to enjoy the fundamental right to the
protection of personal data:
“[e]veryone has the right to the protection of personal data (…)” and “data must
be processed fairly for specified purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid down by law” [emphasis
added]
Likewise, the central legal requirement under the current legal framework set by the Data Protection
Directive is that personal data must be processed fairly. In the absence of another necessary basis
set by the law, the ‘unambiguous consent’ of the data subject is the central ground for processing
which empowers the data subject in the control over their data and in their self-determination.32 The
Directive’s definition of consent is limited to "any freely given specific and informed indication of
his wishes by which the data subject signifies his agreement to personal data relating to him being
processed".33
29
Art. 10 and 11 of the Data Protection Directive.
Art. 7(b) of the Data Protection Directive.
31
See, for example, D. Beyleveld and R. Brownsword Consent in the Law (Oxford, Hart 2007).
32
Article 7(a) of the Data Protection Directive.
33
Article 2(h) of the Data Protection Directive. Recital 30 of the Directive, in turn, simply defines consent as an
expression of the will of the data subject. It is interesting to note how such definition has been clarified in the proposed
reform of the data protection regime. See European Commission, Proposal for a Regulation of the European
Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation), COM (2012) 11 final. According to its Article
4(8) “the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes
by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data
relating to them being processed”.
30
11
Similarly, the e-Privacy Directive explicitly provides that the definition of consent of the
Data Protection Directive shall apply.34 This means that the criteria to determine whether consent is
valid are the same as those established by the Data Protection Directive.
The EU Commission has recognised that the "notion of 'unambiguous consent' (Article 7a)
in particular, as compared with the notion of 'explicit consent' in Article 8, needs further
clarification and more uniform interpretation".35 In maintaining their duty to transpose the
provisions of the Data Protection Directive into domestic law, the Member States – with the
exception of the UK - all allow for the processing of personal data on the basis of consent in terms
almost identical to those used in the Directive, or at least close to it with some additional
requirements.36 Moreover, in the majority of countries consent is given primary status over other
criteria. This seems to be in line with Recital 30 of the Directive that considers consent as the first
condition to be met for a lawful data processing. However, in countries such as the UK consent
should be relied upon only as a last resort.37 This different interpretation is deemed to reflect the
different conception that in most continental European States data protection is based on
constitutional principles. Consent - as its essential component - has been a part of the constitutional
doctrine of these States ever since the concept of the right to information self-determination took
shape.38
Five key elements may be identified in Article 7 of the Directive, which should form the
backbone of every domestic implementation of the notion of 'consent': (i) it must be unambiguous,
as ambiguous consent does not preclude all doubts that the data subject has expressed their will, and
therefore is not consent; (ii) it must be informed and (iii) specific so that all processing activities are
properly described, as uninformed or vague consent is no consent; (iv) it must be freely given, as
34
Art. 2(f) of the e-privacy Directive.
Commission of the European Communities, Report from the Commission – First report on the implementation of the
Data Protection Directive (95/46/EC), (Brussels 15 May 2003), COM (2003) 265 final, p. 17.
36
Overall, there is substantial convergence between the continental European States on the basic definition of consent,
or at least on its application in practice. For example, the data protection laws of Austria, Belgium, Cyprus, Czech
Republic, Denmark, Finland, Greece, Latvia, Lithuania, Luxemburg, Malta, The Netherlands, Poland, Portugal,
Slovakia, Spain, and Sweden word the definition of consent in more or less exactly the same terms as the Directive.
German law requires that consent should be given in writing, while Italian law stipulates that consent should be
documented in writing. By contrast, UK law does not define consent, and the data protection authority on occasions
relates the nature of the consent required to the circumstances, whilst elsewhere it expressly refers back to the Directive
in its guidance on the law. See Commission of the European Communities, Analysis and impact study on the
implementation of Directive EC 95/46 in Member States (Brussels, 16 May 2003), 10; D. Korff , “Comparative
summary of national laws”, EC Study on Implementation of Data Protection Directive (Study Contract ETD/2001/B5
3001/A/49), 27; J.L. Pinar Manas, "Consent of the Data Subjects", in Conference of the Rights and Responsibilities of
Data Subjects, The Council of Europe and the Office for Personal Data Protection of the Czech Republic (Prague, 14
and 15 Oct. 2004).
37
P. Webster, Data Protection in the Financial Services Industry (Aldershot, Gower 2006), 24; P. Carey, Data
Protection – A Practical Guide to UK and EU Law (Oxford, Oxford University Press 2004), 72.
38
See Korff (n 36), 74; Pinar Manas (n 36), 67.
35
12
enforced consent obtained under coercion, undue influence, or pressure is no consent; (v) as a
unilateral act, it is implicit that it must be revocable.39
(i)
Unambiguous consent
This element sheds light over the illegitimacy of assumed or implicit consent and some
practices making use of it. This is the view taken by the large majority of EU Member States which
require for any consent to be manifest. Likewise, such a consent seems to be not admissible for the
purposes of data protection inasmuch as the data subject must express their will unambiguously for
such an expression to be clear and conclusive.40 A non-response by a data subject is ambiguous as
long as specific information is not provided and no option has been given to freely decide whether
or not to agree. Arguably, therefore, consent should clearly emanate from the data subject in a way
that no doubts exist over their agreement, whatever form it takes, oral or written.41
In online transactions, a frequent phenomenon is that of consent by opt-out, which enables
the automatic processing of data unless a data subject explicitly objects to such data processed (i.e.
s/he opts-out). As the Art. 29 Working Party advises, however, that explicit and unambiguous
consent can also be given in the online environment. As in the offline domain, there are suitable
technical means for delivering such consent. The Art. 29 Working Party notes that the risk of
ambiguous consent is likely to be greater in the online world where specific attention is necessary. 42
What is more, the Working Party has reiterated the unsuitability of consent based on individuals'
opt-out or silence in the context of sending direct marketing through emails43 re-emphasising that
“implied consent to receive such mails is not compatible with the definition of consent of Directive
39
The innovation taken by the proposed new data protection regime of the Proposed Regulation (n 33), is that in its
Article 7 the law itself sets the conditions of consent as follows:
1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for
specified purposes.
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter,
the requirement to give consent must be presented distinguishable in its appearance from this other matter.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not
affect the lawfulness of processing based on consent before its withdrawal.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position
of the data subject and the controller.
40
Commission of the European Communities (n 37), 10; Webster (n 38), 24; Carey (n 38), 72.
41
This view has been shared explicitly by the Data Protection Authorities of the Member States. See Korff (n 37), 7478; Pinar Manas (n 37), 67-74. The UK again provides an exception. Guidance on the law, issued by the data protection
authority, suggests that consent may, in certain circumstances, be implied. According to Korff (p. 75), this interpretation
is doubtful in terms of compliance with the Directive which requires that the data subject’s agreement to any processing
be ‘signified’. The author suggests that, presumably, the UK data protection authority’s guidance must be read as
meaning that a data subject’s consent can be inferred from signals which imply his or her agreement, even though such
signals may not be explicit.
42
Art. 29 WP on Consent (n 4).
43
Ibid, 24.
13
95/46/EC (...). Similarly, pre-ticked boxes, e.g., on websites are not compatible with the definition
of the Directive either”.44
In light of the proposed amendments to the EU data protection legal framework, it is now
accepted and recommended that, as far as information and communication technologies in the
consumer domain are concerned, the optimal solution is to counterbalance the benefits of
technological advancements and risks for individual data protection by complementing the legal
framework with the principle of “privacy by default and by design”. Accordingly, data protection
safeguards should be incorporated in the design and operation of technologies and systems so that
they will become default settings and new legal norms will provide for such binding requirement
for technology designers and producers, as well as for data controllers. Hence, opt-in consent will
become a key explicit element that allows the processing of personal data by data controllers that
would otherwise be forbidden.45
(ii) Informed consent.
The primary prerequisite for the validity of consent according to Article 2(h) of the Directive is
that it must be informed. From the perspective of contract law, the question of how much
information is needed before consent is sufficiently informed for a party to enter validly into a
transaction is one that has troubled academic commentators for a long time. 46 Information
asymmetry has informed a great deal of consumer legislation. The issues relating to the disclosure
notices in data protection terms raise additional complex questions on their own that would require
a separate analysis. What needs to be stressed here is that data subjects must be properly and
effectively informed, before the collection of the data, of the specific circumstances of the
Article 29 Data Protection Working Party ‘Opinion 5/2004 on unsolicited communications for marketing purposes
under Article 13 of Directive 2002/58/EC’, (WP90, 27 February 2004), cited in Art. 29 WP on consent (n 4).
45
The ‘opt-in’ system of the European model has been heavily criticised by North American commentators who argue
that it does not offer greater protection than allowing consumers to ‘opt-out’. They claim that it imposes higher costs on
consumers and businesses as it restricts the flow of information on which many businesses depend. See F.H. Cate and
M.E. Staten, “Protecting Privacy in the New Millennium: the Fallacy of ‘Opt-in’”, Report from the National Retail
Federation in Washington (2000), available at http://www.netcaucus.org/books/privacy2001/pdf/cate.pdf . These
considerations have found the opposition of other North American commentators who stress the different active
participation of consumers in the control of their information and how this enhances the protection of privacy. See B.
Givens, “What's Missing from This Picture? Privacy Protection in the New Millennium”, in the submission to the
National Association of Attorneys General Annual Conference in Seattle, available at
http://www.privacyrights.org/ar/nagg-mill.htm. Moreover, it has been objected that failure to opt-out does not imply
consent because it will not be clear that the individual exercised an informed choice. The reported examples are those of
the individual throwing a form in the bin without reading it, or that of not responding because it would involve costs or
some kind of effort on their part. See Office of the Federal Privacy Commissioner, Draft National Privacy Principles
Guidelines (2001), available at http://www.privacy.gov.au/publications/dnppg.html. For the proposed ‘privacy by
default and by design see the proposed new data protection regime (n 34).
46
Beyleveld and Brownsword, (n 34), 9.
44
14
processing.47 Such a notice must be precise and intelligible to the data subject.48 Data subjects must
understand the facts and implications of an action to be able to make informed choices, ensuring
that they are effectively able to choose freely and voluntarily whether or not to take part into an
agreement or in additional processing activities of their data for purposes not strictly necessary to
the subject matter of the agreement. Moreover, data protection notices have the essential function of
promoting transparency allowing data subjects to maintain control over information relating to
them. For all these reasons, therefore, data processing notices should also disclose the data mining
and manipulation techniques that may be employed, as well as the data aggregation procedures that
may be in place.
(iii) Specificity and the other requirements of the law
Some may think that ‘consent’ is sufficient to legitimise data processing where no other
legitimising circumstances of the Directive are met. However, in the terms of the Directive and
most of the national implementing legislation, consent does not exist in isolation. It does not appear
to be a sufficient basis on its own for legitimate data processing; it must be considered in
conjunction with other requirements, particularly those relating to specificity, purpose limitation,
and proportionality.49 For example, it would be a violation of the data protection principles to ask
consumers to sign authorisations, that are unlimited in subject matter, essentially purporting to give
permission to data controllers to process any personal data that they unilaterally decide to be
relevant, and disclose that information for expanding purposes to any person willing to pay for it.
By contrast, one of the primary concerns of the Directive is to ensure that data subjects consent
specifically to all uses for which the data is processed. Processing based on consent cannot be
regarded as lawful if sought for general or vague aims or if the data subject has no possibility of
knowing the recipients of their data. This would be regarded as a way to evade the limitations
imposed by the law.50
Moreover, since consent must be specific, it could be problematic to obtain the data subject’s
consent if the occurrence and specific circumstances of a processing are not known at the time
consent is requested, so that the impact on the data subject cannot be assessed.51
47
This includes: the purpose of processing, the identity and details of the recipients, all the logics behind data
processing, the consequences, the valuation standards and decisions resulting from personal profiles, possible sharing of
data and the actors involved, and so on.
48
Article 10 and 11 of the Data Protection Directive.
49
See, for example, Y. Poullet and J.M. Dinant “The internet and private life in Europe: risks and aspirations”, in A.T.
Kenyon A.T. and M. Richardson (eds.), New Dimensions in Privacy Law (Cambridge, Cambridge University Press
2006), 60-90; Korff, (n 37).
50
Consent must be specific (Data Protection Directive, Art. 7(a)).
51
See, for example, Art. 29 WP on consent (n 4).
15
In the implementation of the Directive several countries have made it clear that even if a
controller obtains the consent of the data subject, there are still the other requirements of the law to
be respected; processing that does not meet those requirements is unlawful irrespective of the fact
that consent has been given. This is because the right to data protection is often viewed not only as a
personal right but also as a public concern and an issue of social protection embedded in the
Constitutions of a number of Member States.52
(iv) Freely given consent
Another fundamental feature is that, as a general rule, each instance of consent should result
from the free choice of the individual. Consent would be meaningless if people have no option but
to consent in order to obtain a benefit or a service that could be provided nonetheless.
However, there are many situations where there is a clear power imbalance between the data
subject and the business counterpart (data controller). What is more, the complexities of some
business models, data collection tools and practices, vendor/customer relationships and
technological applications may make it impossible for consumers to understand, or freely and
actively decide to accept, the consequences of consenting to the processing of data, particularly
when faced by perceived immediate economic or other benefits in kind.
The conditions for a free and voluntary consent lead to the very essence of its meaning, which
has to be examined within the context in which it is provided.
As seen, the expression of will, in order to be regarded as having been given voluntarily, must
refer explicitly to the processing of personal data, and not to the consent to conclude the principal
contract. This would be already a sufficient reason to maintain that the refusal by a data subject to
permit an amount of processing of personal data that is not necessary for the provision of a service,
is not failure to consent to that service. Or, again within the category of data that does not fall
within the ‘necessity principle’, it may well be the case that someone may agree with the processing
of some data but not certain other data. A typical example is that of commercial marketing: no one
denies that it is an important economic activity that would increase the profitability of an industry,
this latter circumstance possibly being reflected also in an economic advantage for consumers. It is
well accepted in data protection, however, that data controllers should not obtain consent to process
the data for such a purpose if the goods or services may not be otherwise be purchased or obtained.
See Korff, (n 37), 74-78; R. Wong “Privacy: Charting its Developments and Prospects”, in M. Klang and A. Murray
(eds.) Human Rights in the Digital Age, (London, Cavendish 2005), 147-161.
52
16
According to the Directive, and read in conjunction with the proportionality principle, such a
practice to obtain consent would lack its freely given element.53
However, some may reasonably contend that this application would contrast with the basic
principle of ‘freedom of contract’, which relates but is different from the incorporation of data
processing consent in the terms and conditions of contract. For example, if data subjects do not
accept data controllers’ processing and own procedures, despite a separate request for consent has
been made, and hence do not consent according to Article 7(a) of the Directive, then data
controllers are free to refuse to enter into a contract which would leave the data subject without the
good or service required. Either a data subject accepts to provide such a permission or a commercial
organisation should be free to avoid any business with him/her. After all, parties of a contract, and
commercial organisations in particular, do not have any obligation to enter into a contract with all
applicants. If the data subject does not want to provide such a consent, s/he has always the
alternative of not entering the contract.54
Others may contend that almost no contract is consensual because there is always pressure for
everyone, for one reason or for another, in order to live in this world. This leaves no choices for the
parties but to enter into contracts.55However, such views of the contractual type of consent neither
correspond to the letter nor to the rationale of the Directive, whose enactment finds its justification
in the protection of the freedom of individuals and the other values explained earlier.
At any rate, these two views, that share the thread to reduce the concept of consent to other
concepts such as wrongdoing, efficiency, distributive justice and so on, have been thoughtfully
criticised on the ground that people do not make use of consent in either of the ways mentioned
above and that the reasons for consenting are not the same as the consequences of consenting. In
this latter sense, the difference that is emphasised is between ‘consent’ and ‘causation’.56 Moreover,
53
See for example C. Kuner, European Data Protection Law (Oxford, Oxford University Press 2007), Ch. 5J; D.
Bainbridge, Data Protection Law (St Albans, XPL 2005); R. Jay, Data Protection Law and Practice (London,
Thomson Sweet and Maxwell 2007), Ch. 12 and 22.
54
See for example P. Atiyah “Economic duress and the overborne will”, (1982) 98 The Law Quarterly Review, 197202; This view has been also explored by S.A. Smith, Contract Theory (Oxford, Oxford University Press 2004), 331339.
55
This is the view expressed by Hale who believed that people have no choice but to enter contracts for any aspect of
their life so that “coerciveness is not a ground for condemnation except when used in the sense of influence under pain
of doing a morally unjustified act”. R.L. Hale, “Coercion and Distribution in a Supposedly Non-Coercive State”, (1923)
38 Political Science Quarterly, 470-494, 476. See also F.A. Hayek, The Constitution of Liberty (London, Routledge
1960). According to the author, for instance, “even if the threat of starvation (…) impels me to accept a distasteful job at
a very low wage, even if I am ‘at the mercy’ of the only man willing to employ me, I am not coerced by him or anybody
else” (p. 137).
56
Smith, (n 55), 332-333.
17
these are notions of consent that have been condemned for flirting with the myth of the equality of
power in negotiations and relationships between organisations and individuals.57
Smith provides an interesting alternative account of consent. Focusing on the nature of the
relevant pressure affecting the free and voluntary provision of consent in the context in which it is
released, and accepting the imprecision of its notion, the scholar suggests that consent is free not
only in the absence of pure states of necessity, but also in the absence of substantively unfair
contracts.58
This is also the view adopted by other scholars who robustly maintain that for the notion of
consent to work as a true source of personal responsibility, the individual would have to be in a
strong bargaining position when facing a commercial organisation.59
All these considerations have pushed consumer lawyers to the point of doubting whether there
are any general principles of traditional contract law left where consumers are involved, stressing
how in these circumstances contract law operates in a manner quite distinct from the classical
notion of freedom of contract.60
Looking at the issue of consent from this perspective, it may be noted that the concept of ‘unfair
term’ is employed in the language of European consumer legislation.61 It finds its justification in the
power imbalance between supplier and consumer, as well as in the perceived need of the law to be
shaped in accordance with the costs and benefits of having standard form contracts.62 As such, the
assessment of unfairness is subjected to the ‘good faith’ and ‘significant imbalance test’ of the
parties. This notion is increasingly used in the area of data protection for the assessment of the
provision of a valid consent by data subjects who are perceived to be in a position of having
unequal bargaining power vis-à-vis data controllers.63 Actually, some commentators stress that the
S. Leader “Inflating consent, inflating function, and inserting human rights” in J. Dine and A. Fagan (eds.), Human
Rights and Capitalism (Cheltenham, Edward Elgar 2006), 28-47.
58
Smith, (n 55), 331-339.
59
Leader, (n 58), 28-47.
60
See G. Howells and S. Weatherill, Consumer Protection Law (Aldershot, Ashgate 2005), 14-35.
61
Directive 93/13/EC, OJ 1993 L 95/29 replaced by Directive 2005/29/EC, OJ 2005 L 149/22.
62
Howells and Weatherill, (n 61), Ch. 1.
63
Poullet and Dinant, (n 50); T. Léonard, “E-commerce et protection des données á caractère personnel: quelques
considerations sur la licéité des pratiques nouvelles de marketing sur internet”, Internet & Recht (AntwerpenApeldoorn, Maklu, 2001), 418-451; S. Garfinkel, Database Nation (Cambridge, O’Reilly 2001), Ch. 6 and 11; G.
Buttarelli, Banche dati e tutela della riservatezza: la privacy nella societa’ dell’informazione (Milano, Giuffre’ 1997),
285; Decision of the Italian Data Protection Authority, Unione Italiana Bancari UIB/SBG vs. Camera Sindacale
Provinciale Asterisco di Bolzano of 13/02/1998; Decision of the Italian Data Protection Authority, General Decision on
“Smart (RFDI) Tags: Safeguards Applying to their use”, 09/03/2005; Y. Poullet “Making data subjects aware of their
rights and capable of protecting themselves”, Conference on the Rights and Responsibilities of Data Subjects organised
by the Council of Europe and the Office for Personal Data Protection of the Czech Republic (Prague, 14 and 15 October
2004).
57
18
rationale for the data protection law in its current form is to enable individuals to bargain more
effectively over the use of their personal information.64
Importantly, for the assessment of unfairness the tests make reference to the requirement of
allowing a choice to the consumer, particularly in the absence of alternative contracts which do not
contain the objectionable clause, and clauses which make consent a condition of the contract. It is
suggested that a standard industry practice for uses of information which effectively deprive the
data subject of a choice is questionable where such uses are not essential for the purposes of the
contract.65
Others further question the validity of consumers’ consent for data processing purposes when it
is solicited in exchange for economic advantages, or for fear of not being allowed to obtain goods or
services, or for obtaining them at a lower quality.66 This phenomenon is also known as ‘engineered
consent’ or ‘engineering of choice’: if data subjects have to give more information than is strictly
necessary to buy goods or access services, then it is likely that they will consent to whatever broad
uses of their data to obtain the goods or services. This objection has been supported by the Article
29 Working Party interpreting that “consent given by a data subject who (…) has been presented
with a fait accompli cannot be considered to be valid”.67
In the end, therefore, consent might be formally free in the sense that there is not a single or
traditional method of forcing individuals into a transaction by commercial organisations, but if the
P.E. Agre “Introduction”, in P.E. Agre and M. Rotenberg (eds.) Technology and Privacy: The New Landscape
(Cambridge, MIT Press1997) 1-28, 7-12.
65
See, for example, Jay (n 54), 152-153; G. Howells, “Data Protection, Confidentiality, Unfair Contract Terms,
Consumer Protection and Credit Reference Agencies”, (1995) 4 Journal of Business Law, 343-359.
66
Poullet and Dinant (n 50); Léonard (n 64); Davis (n 23), 143-165; Younes-Fellous, Commission Nationale de
l’Informatique et des Libertés, Workshop on Privacy and Data Protection Issues (Brussels 13 February 2007).
According to D. Gibson, Aspects of Privacy Law (Toronto, Butterworths 1980), ‘consent’ clauses in application forms
“can hardly be regarded as voluntarily given, since the subject’s free-will is likely to have been overborne by the desire
to succeed in the application” (p. 122).
67
Article 29 Working Party on Data Protection, ‘Working Document on a Common Interpretation of Article 26(1) of
Directive 95/46/EC of 24 October 1995’ (WP 114, 25 November 2005), 11. An area where such abuse of the data
subject’s consent has been so far identified is the labour market in the employer-employee relationship. This is due to
the perceived inequality and disadvantage of employees in terms of bargaining power in the relationship and the
resultant lack of proper consent in its ‘freely given’ element. True, the example of the labour relation may not be
entirely satisfactory for commercial transactions if one looks beyond an already established employer-employee
relationship. In fact, it could be argued that the situation would be different when individuals are in the open job market.
Here, it could be said, they will have a free choice whether or not to apply for a particular job. If consent to a certain
processing of personal data is a condition of an application being considered, this would not prevent the consent being
freely given. As the British Information Commissioner has stated, however, “as recruitment proceeds the opportunities
to obtain valid consent are likely to be reduced. If for example, the consequences of not consenting is the automatic
withdrawal of a job offer the consent is unlikely to be given freely”. British Information Commissioner, ‘Conditions for
processing sensitive data’, available at
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/coi_html/english/supplementary
_guidance/conditions_for_processing_sensitive_data.html. See also R. Fragale Filho and M. Jeffery “Information
Technology and Workers’ Privacy: Notice and Consent”, (2002) 23 Comparative Labour Law and Policy Journal, 551567. See also Carey (n 38), 72-73.
64
19
costs of not consenting are considerable in relation to the situation at stake, and there are no live
options, then consent can be said not to be materially free.68
(v) Revocability of consent
As a unilateral act, it is inherent in the nature of consent that it can be withdrawn by the data
subject at any time, albeit without retrospective effect. 69 Furthermore, consent may be withdrawn if
the data processing is not necessary for the service provided, or it may be denied for a further
processing that may be compatible, but still different, from the original purpose of the processing.
This is the reason why consent is seen as an unlikely and ephemeral mechanism to provide an
adequate long-term framework for data controllers in cases of repeated communications and further
processing.70 Again, some may be tempted to think that a solution could lie in contract: consent, in
fact, would not be withdrawn by a data subject, at least for a certain lapse of time, if it had been
given under contractual arrangements which limit its withdrawal. However, for all the reasons
explained above, in legal terms such an obligation should not be incorporated in the standard terms
of a commercial agreement with consumers, leaving no option to consumers to exercise the right of
withdrawal.
In the end, therefore, there remains little alternative but to agree with the Article 29 Working
Party that interprets consent in data protection in a restrictive manner. They suggest that “relying on
consent may therefore prove to be a ‘false good solution’, simple at first glance but in reality
complex and cumbersome”71 and, lastly, that “consent is sometimes a weak basis for justifying the
processing of personal data and it loses its value when it is stretched or curtailed to make it fit to
situations that it was never intended to be used in. The use of consent ‘in the right context’ is
crucial. If it is used in circumstances where it is not appropriate, because the elements that
constitute valid consent are unlikely to be present, this would lead to great vulnerability and, in
practice, this would weaken the position of data subjects in practice”.72
C. DATA PROCESSING CONSENT VS. CONTRACT TERMS AND CONDITIONS
68
Leader (n 58); L. Becker, Property Rights: Philosophical Foundations (London, Routledge 1977), 76-77; Agre (n
65).
69
Korff (n 37), reports the UK Information Commissioner suggesting that “even when consent has been given it will
not necessarily endure forever. While in most cases consent will endure for as long as the processing to which it relates
continues, data controllers should recognise that the individual may be able to withdraw their consent” (p. 78).
Note that the new Proposed Regulation (n 34) explicitly provides for the withdrawal of consent as one of the two
grounds for the exercise of the newly set ‘Right to be forgotten and to erasure’ (Article 17).
70
Article 29 WP (n 44).
71
Ibid.
72
Art. 29 WP (n 4), 10.
20
The current normative approach to consent reflects the argument that the right to data protection
rests on the individual’s choice about the processing of their data and that no one is better placed to
judge and decide about the use of data than the concerned data subject himself/herself.
However, there may be instances, particularly in commercial transactions, where the
empowerment of data subjects and the nature of ‘data processing consent’ may not be properly
applied or they may be blurred. For example, it may be common to notice the complexities and
difficulties surrounding the ‘free’ element of consent in the practice of including notices of data
processing consent in the standard terms of contract for the purchase of goods or services, whether
online, on hard paper, or verbally.
Conversely, treating consent as a transactional moment, such as using standard form or clickwrap agreements, may constitute a mechanical or pre-functionary means of obtaining overarching
consent for data processing. The inclusion of data processing consent in the general terms and
conditions of sale or services can be a common, yet subtle or elusive, method of obtaining consumer
consent notwithstanding whether a transaction occurs online and irrespective of the opt-in/opt-out
dichotomy. With the voluntary element being central to any form of agreement, consent becomes
associated with the legal paradigm of contract. Acceptance of a contract by a consumer
automatically signifies acceptance of a term or condition in a contractual clause whereby the
consumer contextually agrees for the processing and/or communication of their personal data to
third parties.
At this stage, a key distinction should be made: there are certain personal data that are necessary
either for the performance of the contract to which the data subject is party, or to take steps at the
request of the data subject prior to entering into the contract. This is flagged in the Directive, which
in Art. 7(b) states that the processing is fair provided that data subjects are informed of such
processing. No consent would be required as the processing would fall within the other necessary
conditions set by the law itself. In this case, such notice could well be placed in the terms and
conditions of the contract. However, there are other data processing activities that, although
motivated by asserted economic benefits, are not strictly necessary either for the performance of the
contract or to take necessary steps prior to entering the contract. These are the cases where data
controllers are tempted to maximise data collection and use for purposes beyond a necessary
processing likely to have excessive scope or deep use conditions.
Arguably, however, an implicit or a contextual consent to data processing which is given by
acceptance of the general terms and conditions of sale or service does not necessarily lead to
unambiguous consent as required by Article 7 of the Data Protection Directive. On the contrary, this
would represent a confusion of the concepts of ‘data processing consent’ and ‘agreement of
21
contractual terms’. Accordingly, consent offers a procedural justification to the values and rights
that data protection aims to promote and guarantee. If such rights have to be taken seriously, the
abuse, confusion or conflation of consent should be avoided.73 An understanding of the difference
between data processing consent and agreement of contractual terms may therefore shed some light
over what would be necessary to ensure the standards governing its application and avoid the risk
that it remains just a notional concept.
The consent to process personal data for the specific purposes of the contractual relationship
between the parties of a contract should be distinct from the legitimisation of business organisations
processing of consumers’ data for purposes related, but not essential, to the supply of goods or
provision of services that are the subject matter of the underlying agreement. The former kind of
processing, in fact, would be necessary in order to conclude and continue the business transaction
per se, which is a processing separate from that of additional activities, even when these are
ancillary to the principal relationship. As it would be necessary for the performance of the contract,
it falls within the scope of Art. 7(b) of the Directive and it is not subject to a requirement of consent.
This leads to the important consideration that, in consumer transactions, account may be taken of
more than one type or instance of consent of the consumer/data subject: the consent that is a
requisite for the conclusion of the legal dealing between a supplier and a consumer (the contract),
and the consent of the consumer regarding the processing of their personal data. This means that
consent for the processing of those data that are not covered by the necessity principle of Article
7(b) cannot be given by accepting the general terms and conditions of the service.74 This is also a
corollary of the rule that ‘consent’ for data processing must be specific ex Art. 6(b).
In principle, the rights conferred by the data protection legislation are enjoyed by a data subject
independently of the package that has to be negotiated with a supplier of goods or services,
precisely in the same fashion described by Howells and Weatherill with regards of the rights
conferred to consumers by consumer legislation or those enjoyed by workers under employment
law.75
What is more, the function of consent in data protection is different from its function in
contract: in the former instance it represents a permission for what would otherwise be a violation
of a data subject’s right or, as defined by Brownsword, a procedural justification for the underlying
See R. Brownsword, “Consent in Data Protection Law: Privacy, Fair Processing and Confidentiality”, in S. Gutwirth
and others, Reinventing Data Protection? (Heidelberg, Springer 2009), 83-110.
74
Pinar Manas (n 37), 76. See also Art. 29 WP (n 44). According to Article 7(b) of the Data Protection Directive
personal data may be processed if the processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
75
Howells and Weatherill (n 59), Op. cit. at 61, 14-18.
73
22
right;76 in the contractual type of consent, by contrast, the function of consent would not be to give
to one party a defence against the breach of the other party’s rights, but rather it means to create
new rights and duties in the relationship between the parties.77
A thorough account of the reasons behind the importance of consent in contract law is provided
by Smith, according to whom two possible explanations exist: i) consent matters because it is a
prerequisite for establishing responsibility, and responsibility is a prerequisite for legal liability; ii)
preferably, consent matters because a non-consensual contract may give rise to unjust enrichment.78
Arguably, none of the two suggestions would apply to consent under data protection law, unless
one considers personal data exclusively as a commodity neglecting the rationale and justification of
data protection. Indeed, advocates of the view that there may be a contractual relationship between
the data subject and the data controller support the idea that individuals have proprietary rights on
their information, which constitutes an asset in the information society, and therefore may be the
object of economic transactions.79
As seen, however, the conceptualisation of data protection derives its normative force from
fundamental values and freedoms, and not from property. Data processing consent, therefore, is a
unilateral act, aligned with the fact that in the law it is neither always necessary nor always
sufficient.80
Unlike in private law, thus, data processing consent would be best understood as providing to
the data subjects an ongoing act of agency rather than an isolated instance of contractual agreement
when the parties communicate their intention to be bound by a specific term.81
In sum, in contract law the consent of the individual is necessary to conclude the contract and
obtain the service that s/he requests. By contrast, in the ‘consent’ required for the legitimate
processing of data that do not fall within the scope of Article 7(b) of the Directive, the data
76
Brownsword (n 74).
Beyleveld and Brownsword (n 32), 7. The authors specify that particularly in consumer contracts, the law requires
that consent should be free and informed, thus suggesting that the law might set the same conditions for consent
irrespective of the function played by consent.
78
Smith (n 55), 324-331.
79
See, for example, S. Bibas “A contractual approach to Data Privacy” (1994) 17 Harvard Journal of Law and Public
Policy, 591-605; P. Mell, “Seeking shade in a land of perpetual sunlight: Privacy as Property in the electronic
wilderness” (1996) 11 Berkeley Technical Law Journal, 1-92; J. Litman, “Information Privacy / Information Property”,
(2000) 52 Stanford Law Review, 1283-1312; A.R. Miller The Assault on Privacy: Computers, Data Banks, and
Dossiers (Chicago, Ann Arbor 1971), 21; P.M. Schwartz, “Property, Privacy, and Personal Data”, (2004) 117 Harvard
Law Review, 2055-2128; V. Bergelson, “It’s Personal but Is It Mine? Toward Property Rights in Personal Information”,
(2003) U.C. Davis Law Review, 379-451; A.D. Moore, “Toward Informational Privacy Rights”, (2007) 44 San Diego
Law Review, 809-845; J.E. Cohen, “Examined Lives: Informational Privacy and the Subject as Object” (2000) 52
Stanford Law Review, 1373-1437; P. Samuelson, “Privacy as Intellectual Property, (2000) 52 Stanford Law Review,
1126-1171.
80
D. Solove, “Conceptualising Privacy”, (2002) 90 California Law Review, 1087-1154; Rouvroy and Poullet (n 21),7274.
81
See also I. Kerr and others, “Soft Surveillance, Hard Consent – The Law and Psychology of Engineered Consent”, in
I. Kerr and others (eds) Lessons from the Identity Trail (Oxford, Oxford University Press 2009), Ch. 1.
77
23
subject’s consent does not entail the element of causal necessity for the activity and purpose of the
data controller with whom s/he intends to enter into an agreement. After all, the issue of the
processing of personal data that are not strictly necessary for a given circumstance is not unknown
to data protection: indeed, it is the one that justifies the use of consent ex Article 7(a) of the
Directive separately from the underlying transaction or operation ex Article 7(b) of the Directive.82
PART TWO
EMPIRICAL EVIDENCE ON ONLINE DATA PROCESSING
Further to the analysis of the legal framework which is in line with the opinion of the Art. 29
Working Party, data controllers should be encouraged to have in place procedures and mechanisms
that ensure that effective consent is given, and that it is unambiguous, specific, and freely given. As
suggested by the Art. 29 Working Party, the more complicated the environment in which data
controllers operate, the more measures will be necessary to ensure that affirmative action is taken
by data subjects. The suggestion is that, in the online environment, explicit consent may be given by
use of electronic or digital signatures or through clickable buttons depending on the context,
through confirmatory emails, a request to click on icons, etc.83 While there is no specific
requirement as to the particular form in which the expression of consent has to take place, data
controllers should make sure that consent is (1) unambiguous, (2) informed, (3) specific and (4)
freely given; moreover, they also have to make sure that consent is (5) revocable at a later stage.
These conditions are cumulative, meaning that consent is not valid if one of the first four conditions
is not met at the moment of the collection of consent, and it is no longer valid if the data subject has
revoked it at a later stage.
In this second part, we discuss the results of an empirical study on the level of compliance of
UK online operators with the above discussed requirements of data protection law.
The UK is a particularly interesting jurisdiction for this kind of study. The European
Commission has opened infringement proceedings against the UK under Art 258 TFEU (ex Art 226
EC), which gives the Commission the power to take legal action against a member state that is not
The conclusions of this analysis conform with Art. 29 WP on Consent,(n 4), 8, which asserts that “a data controller
using Article 7(b) as a legal ground in the context of the conclusion of a contract cannot extend it to justify the
processing of data going beyond what is necessary: he will need to legitimise the extra processing with a specific
consent to which the requirements of Article 7(a) will apply. This shows the need for granularity in contract terms. In
practice, it means that it can be necessary to have consent as an additional condition for some part of the processing.
Either the processing is necessary to perform a contract, or (free) consent must be obtained”.
83
Art. 29 WP on Consent (n 4).
82
24
respecting its obligations under EU law.84 In particular, the Commission found that the UK fails to
correctly implement and comply with the Data Protection and the e-Privacy Directives. The
procedure originates from the Commission's investigation into the use, by internet service
providers, of a behavioural advertising technology known as ‘Phorm’. In particular, according to the
EU Commission, among some identified main gaps in the current UK data protection rules, UK law
provisions do not comply with EU rules defining consent as a freely given, specific, and informed
indication of a person’s wishes.85
This part is divided into two sections. In section A, we analyse the practices of a population
of websites with respect to their methods of obtaining consent from data subjects. The analysis is
oriented by a straightforward question: do data controllers obtain unambiguous, informed, specific
and freely given consent from data subjects in order to process their personal data? The question is
targeted specifically to the processing of personal data for purposes of direct marketing. In section
B, we examine how websites act in response to expressions of consent from data subjects, or more
precisely: how do they behave when data subjects deny consent for processing personal data and/or
revoke consent at a later stage. To respond to this questions, we have made a test with unsolicited
commercial emails (UCE). The amount of UCE sent to customers is a good proxy of whether the
data controller has processed personal data unlawfully or not – i.e. without having obtained consent,
or after the consent has been revoked.
A. OBTAINING VALID CONSENT FOR DATA PROCESSING
The first part of the study explored the data protection practices of websites, and in particular
the mechanisms of collecting personal data and of obtaining consent to process such data. It is
According to the TFEU, Art 258 the infringement procedure begins with a request for information (a ‘Letter of
Formal Notice’) to the member state concerned, which must be answered within a specified period.
If the Commission is not satisfied with the information and concludes that the member state in question is failing to
fulfil its obligations under EU law, the Commission may then send a formal request to comply with EU law (a
‘Reasoned Opinion’), calling on the member state to inform the Commission of the measures taken to comply within a
specified period, usually two months. If a member state fails to ensure compliance with EU law, the Commission may
then decide to refer the member state to the Court of Justice of the EU (CJEU).
85
EU Commission, Telecoms: Commission launches case against UK over privacy and personal data protection,
(IP/09/570, 14 April 2009) at http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/570. The EU Commission
has reached the second stage of the infringement procedure and has issued the following conclusions:
“The European Commission has requested the UK to strengthen the powers of its data protection authority so that it
complies with the EU's Data Protection Directive. The Commission request takes the form of a reasoned opinion – the
second stage under EU infringement procedures. In the UK, national data rules are curtailed in several ways, leaving the
standard of protection lower than required under EU rules” (EU Commission, Data protection: Commission requests
UK to strengthen powers of national data protection authority, as required by EU law,( IP/10/811/, 24 June 2010) at
http://europa.eu/rapid/press-release_IP-10-811_en.htm).
Eventually, the EU Commission has referred the UK to the Court of Justice of the EU over privacy and personal data
protection. In particular, the Commission has concluded that UK law does not comply with EU rules on consent as
"freely given, specific and informed indication of a person’s wishes" to interception and on enforcement by supervisory
authorities (EU Commission, Digital Agenda: Commission refers UK to Court over privacy and personal data
protection, (IP/10/1215, 30 September 2010) at http://europa.eu/rapid/press-release_IP-10-1215_en.htm?locale=en).
84
25
standard practice for websites to collect personal data (name, address, telephone number, etc.) at the
moment of the registration to their services. During the registration process, data subjects are also
commonly requested to express their consent over the processing of their personal data for purposes
other than those directly necessary for the performance of the contract, i.e. for the delivery of the
online service. These “exceeding” purposes include a variety of activities that can be generally
classified as direct marketing, which include the sending of commercial communication to the data
subject. The method(s) through which consent is obtained for this purpose is the subject of our
analysis.
The study was conducted on a sample of 200 websites with the domain ‘.co.uk’. The sample
comprised of the most popular websites within the UK in a wide range of categories of e-commerce
according to Google Ad Planner.86 It included websites in all categories of goods, services,
information, news and entertainment, telecom and mobile, and social networking. 87 Although very
broad in scope, the sample was meant to represent ‘standard’ e-commerce and information services.
For this reason, we have excluded websites that are likely to manage sensitive information, such as
e-government and health services, and websites that may be subject to specific obligations
regarding the processing of personal data or that may present issues specific to a single sector, such
as finance and banking services. The choice of most popular websites only, instead of a
combination of large and small online services, was also dictated by the expectation that large
corporate players are in the best position to comply with legal requirement in the processing of
personal data.88
As discussed previously, the law does not specify what is the form in which the expression of
consent has to be given in order to be valid, and this leaves room for a variety of possibilities
through which websites can seek consent from data subjects. A common method of obtaining
consent is to ask the data subject to tick into a box or to select an option (yes/no) during the
registration process. In order to examine the validity of these methods – i.e. the compliance with the
conditions (4+1) discussed thoroughly earlier –a number of elements must be considered. These
include: the amount and quality of personal data that is collected at the registration stage, the
amount and quality of information that the data controller provides to the data subject at the
moment of the expression of consent, the options that are given to the data subject at the registration
86
<www.google.com/adplanner>
The resulting top-200 list was obtained using the “Best Match” ranking method, by selecting the following options:
Geography: United Kingdom
Language: English
Category: all, excluded “Finance”, “Health” and “Law & Government”
Domain suffix: .co.uk
The list was obtained in December 2010 and is available at the website of the Intellectual Property, Internet and Media
Research Centre, together with all the raw data of this study.
88
This is suggested for instance by Birnhack and Elkin-Koren (n 12), 365-366 and 368.
87
26
stage and the mechanism through which s/he can signify his or her consent (e.g. “opt-in” or “optout”). There is also the mechanism for revoking or withdrawing consent at a later stage. All
aforementioned elements have been identified by analysing the notice provided to customers in the
document called “terms and conditions” and/or in the “privacy policy” (hereinafter T&C), and the
mechanisms implemented by the website to register to its services.
Thus, each website has been examined with respect to five features, namely: (1) the method of
registration, (2) the mechanism adopted to obtain consent, (3) the types of data and information
requested from the data subject, (4) the information provided in the T&C, and (5) the procedure to
unsubscribe from the service and/or to revoke consent. Overall, subject to observation were 52
variables on each website.89 According to the analysis conducted in Part One, these variables can
help identifying the elements upon which the validity of lawfully given consent is premised, namely
that the consent must be unambiguous, informed, specific, freely given and revocable.
(i) The registration process
In order to avail some or all of the services provided by a website, customers may be requested
to register or to create an account. Out of our population of 200 websites, only three did not have a
registration process in place. The great majority offers to customers the option to register. When
registering, data subjects are usually requested to submit a certain amount of personal data. Some
data are necessary for the performance of the contract or to deliver the requested service, and their
submission is a pre-requisite to successfully complete the registration. Other data, however, should
be submitted at the discretion of the data subject. We will demonstrate later whether or not this is
the case. The kind of compulsory data depends largely on the kind of service which is offered, and
it is not possible to determine a priori whether a request for data adheres to the principle of
proportionality, by being “adequate, relevant, and not excessive in relation to the purposes for
which they are collected”90. For instance, a website offering a service of online dating may need to
know the marital status of the subscriber, whereas this information is irrelevant to a different ecommerce service, such as telecom or news websites. Even requests of sensitive data may be
justified in certain circumstances, although the processing of these data is subject to a more
restrictive regime.91
89
The observation was performed by a team of students between December 2010 and January 2011. In order to achieve
consistency, tutorial sessions were delivered followed by trial observations and discussion of ambivalent results. Each
student was provided with valid email account and mobile telephone number in order to check all the elements present
in the registration process in cases where validation through email or SMS text was requested to access the stage where
data subjects are requested to express their consent.
90
Data Protection Directive, Art. 6c.
91
Sensitive data are defined in Art. 8 of the Data Protection Directive as data that reveal religious beliefs, political
opinions, health, sexual orientation, race, membership of past organisations
27
Websites use different ways through which customers can create an account with them. The
most popular way is a process where registration is completed by clicking a “sign-in” or “register”
button after having filled in all compulsory fields. This is the system adopted by 95% of websites
that have a registration process in place. Alternatively, websites can use a two-step process, where
subscribers are sent an email with a link or an automatically generated password (or “activation
code”) to be compulsorily used in order to complete the registration. In our sample, only 10
websites used a two-step process with email validation.
We have observed that there is a great variety as to the data that websites seek from data
subjects during registration (table 1). Mentioning them in terms of frequency, the data that are
sought to register with the website are the email address, name, postcode, country, address,
telephone number, age and gender. Miscellaneous non-sensitive data include for instance marital
status, mother’s maiden name or qualitative information such as the level of knowledge in a
particular field, or the provision of a photo. Only 3 websites in our sample requested the submission
of sensitive data.
Table 1 – Personal data to be compulsorily submitted for successful registration
Count
%
Email address
193
98%
Name
175
89%
Post code
119
60%
Country
98
48%
Address
91
46%
Telephone number
86
44%
Age
73
37%
Miscellaneous non-sensitive data
65
33%
3
2%
Sensitive data
In the course of the registration process, a certificate of security and https encrypted
connection92 is present in 116 websites (58.6%). Out of them, however, it is only 67 websites
(33.8%) that offer a secured encrypted connection at all the stages of the registration process. The
practical consequence is that in two out of three cases the data subject is requested to submit
personal data without any security as to who will receive the data.
92
The website certificate of security is issued by a Certification Authority that verifies the credentials of the website
when engaging in business transactions.
28
In the following sections, we examine the behaviour of our sample websites in obtaining
consent from data subjects to process their personal data. Our main focus shall be on how the
websites seek consent for processing data in the context of direct marketing purposes. The
mechanism of obtaining consent is analysed through the lenses of the key requirements of data
protection law, namely informed, specific, freely given and unambiguous consent.
(ii) Informed consent
As seen, when providing their personal data to register with websites, data subjects should be
fully aware that they are consenting, and understand to what they are consenting, irrespective of the
way by which the consent has been given. This requirement is split down into two obligations on
behalf of the websites. The first is that the purpose of the processing should be clearly notified to
individuals through clear and intelligible indications of the specific purposes for which the data will
be processed. This means that the data subject should be given the option of making an informed
choice on the basis of adequate information about data processing.93 For instance, in the UK Data
Protection Act the informed character of the consent is essential in establishing fairness in the
processing of personal data.94
The second requirement of informed consent is that individuals should be informed about the
purposes of processing at the time of the collection of their data. This applies irrespective of the
medium or the practical difficulties that may be raised.95 Data subjects should be informed at the
outset of the purposes for which their information will be used so as to be in capacity of making
informed decisions over entering or not this relationship.
93
The UK Data Protection Act 1998 makes a distinction between situations where the data have been obtained directly
from the data subject and situations where the data have been obtained otherwise. Compare Schedule 1, Part II,
Paragraph 2(3) and Schedule 1, Part II, Paragraph 2(1)(b) of the Act.
94
The processing of personal data can only be fair and lawful once the data subjects have given their consent for this
processing. This flows from Part I of Schedule I of the Data Protection Act, under which: “Personal data shall be
processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule
2 is met.”
Schedule 1, Part II, Paragraph 2(3) indicates that information should cover at least the identity of the company, the
purposes of the processing and any further information. This further information should be necessary with regards to the
specific circumstances for which the data are collected with a view to guarantee fair processing in relation to a
particular individual. To qualify as informed, consent should be appropriate to the age and capacity of the individual
giving it, and to the particular circumstances of each case.
Traditionally, there have been uncertainties as to the applicability and effectiveness of implied consent. In Bell v Alfred
Franks & Bartlett Co Ltd, [1980] 1 All ER 356, consent was distinguished from mere acquiescence, requiring that
consent should constitute an active rather than a passive action. Similarly, cases such as Linguaphone v DPR, Case
DA/94 31/49/1, and British Gas Trading Ltd v Data Protection Registrar, Case DA/98 3/49/2, suggest that consent
requires an active step and data subjects should provide their consent using opt-in rather than opt-out boxes.
95
This flows from the Innovations case where the Data Protection Tribunal found that the collection of data in the
context of telephone sales, with the intention of being disclosed to third parties for direct marketing purposes, is not fair
if the individuals were not so informed at the time of data collection. In this case, individuals were “mislead or
deceived” and there was no lawful ground for their data being traded in this way. Innovations (Mail Order) Ltd. v Data
Protection Registrar (Case DA/92 31/49/I), Data Protection Tribunal Decision of 28.9.1993.
29
While it is a legal requirement that a data controller states clearly the purpose of processing
personal data, there is no requirement as to the form in which this information has to be provided.
Websites often declare the scope and purpose of data processing in the T&C. In our sample, only 3
websites did not have any privacy policy in place, while in 7 cases the link to the privacy statement
was not active, and in 3 cases the document remained silent as to the purpose of data processing
(table 2). Whereas the large majority of websites (93.4%) inform data subjects on the purpose of
data processing, the information provided is not always satisfactory. As shown in table 2, some
essential information is frequently missing from the privacy policy statement. This includes
information over changes in the privacy policy, option to update personal data at later stage, and
transfer of data to third parties. In particular, despite the fact that the law mandates that data
subjects should be informed in case the purpose of data processing changes,96 and that they should
be given the possibility to update their personal data at later stages, a large number of websites do
not specify in their privacy policy whether these options are available. More specifically, websites
do not indicate whether they will notify the data subject in case their privacy policy changes in 105
cases (54.1%) and they do not specify whether data subjects will be given options to update their
personal data in 37 cases (19%). Although this does not mean that these websites do not comply
with the respective legal requirements, the fact of omitting this notice means that the information
communicated to data subjects in order to express informed consent is neither sufficient nor
accurate.
Table 2 – Information provided to data subjects in the websites’ T&C
Count
%
The privacy policy is not available
3
The purpose of processing personal data is not stated
3
The link to privacy policy or T&C is not active
7
Total number of websites that do not provide any information
13
6.6%
105
54.1%
the data subject has the option to update their personal data
73
37.6%
it will use data for direct marketing
46
23.7%
it will transfer data to third parties
37
19.0%
The website does not specify whether...
it will notify the data subject in case of change of privacy policy
96
Article 2h of the Data Protection Directive.
30
As shown in table 2, 46 websites (23.7%) do not provide clear indications as to whether or not
they will use personal data for the purposes of direct marketing or sending commercial emails, and
37 (19%) do not state whether or not they will transfer data to third parties. Because this
information is not given, these websites are not entitled to engage in direct marketing or in transfer
of personal data to third parties, since they have not obtained a valid consent to do so. In Part B, we
will examine the actual behaviour of these websites in this respect. As far as transfer of data to third
parties is concerned, the majority of websites restrict the scope of such “transfer” in various
respects, and it has been observed, for instance, that 9 websites of our sample include the “selling”
of personal data in the concept of data “transfer”. Table 3 provides an overview of these findings.
Table 3 – Transfer of data to third parties as specified in the T&C
Count
The website will transfer data to third parties
%
157
79.8%
Only to known affiliates and/or subsidiaries
85
54.1%
Only if the data subject opts-in
50
31.8%
Only anonymised data
15
9.5%
9
5.7%
Transfer include “selling”
While it is only a thin minority of websites that fails to inform data subjects as to their policy on
processing personal data, the information they provide frequently lacks specificity and is not
complete. In particular, two kinds of essential information may be omitted in the T&C, namely
whether data will be processed for direct marketing purposes and whether or not they will be
transferred to third parties. To conclude that these websites fail to obtain informed consent,
however, it is important to establish whether or not they actually engage in these activities. We will
address this issue in part B.
(iii) Separate consent: freely given and specific
As discussed in the theoretical framework of Part One of this study, consent does not only need
to be informed but it should also be specific and freely given. We discuss these distinct, yet strictly
related, requirements together in this section.
To be specific, consent should relate to a defined set of activities about which the individual has
been informed at the time of giving consent. Specific consent needs always to be informed; by
contrast, informed consent may not necessarily be specific. For instance, a website may provide in
its T&C information that personal data will be communicated to third parties without indicating
which these parties are, or whether the data will be used for purposes of direct marketing; however,
31
the website cannot lawfully engage in such processing unless the data subject has specifically
consented to have their data processed towards that particular secondary purpose. What is more, as
seen earlier, providing consent to the T&C does not satisfy the requirements of informed and
specific consent for the purpose of direct marketing.
To be freely given, consent should be expressed by the data subject without fearing that s/he
will lose the chance of availing some or all of the services offered by the website. This means inter
alia that consent should be sought separately and not as part of the process through which the data
subject agrees to the T&C of the website. ‘Separate consent’ is thus an umbrella term that
encompasses the elements of specificity and freedom in order for consent to be valid.
Before outlining the behaviour of data controllers in obtaining consent, it is important to note
that in 17 websites (8,5%) data subjects have not been given the possibility to express consent
during registration in any form.
On the basis of our analysis on the requirement for the consent to be informed, 184 websites
(93.4%) state the purposes of data processing in their respective privacy policies, although a
significant portion of these websites fails to provide a clear and complete information on the
conditions and purposes of such processing (supra, tab 2). As regards the requirement for consent to
be specific and freely given, however, the number of websites that actually seek consent separately
for a set of defined activities drops to 168 (85,3%) (tab 4). This leaves out 29 websites which either
do not request consent in any form at the moment of the data collection (17 websites – 8,6%), or
request the data subject to express consent by signing the contract with the website (i.e. by
registering to the service), without however specifying how the data is going to be processed (12
websites – 6,1%). This latter set of websites deals with consent as a prerequisite of registration. A
formula which is typically used in these cases is: ‘By registering and entering your details you
consent to the [website’s] terms and conditions and privacy policy’ (consent to T&C), or
alternatively ‘...you consent to [the website] sending you information about products and/or services
that may be of interest to you’ (consent to direct marketing). While the first formula does not meet
the requirement of specific consent, the second one does. This is because the purpose of data
processing is explicitly mentioned (‘sending information’, etc.) and not only generically stated
(‘agree to T&C’ and the like). However, consent in this case may be still be invalid since, when the
website imposes consent as a prerequisite for availing from the services, the requirement for
consent to be freely given may not be met.
Table 4 – Methods of obtaining consent
Count
32
%
No expression of consent is sought
17
8,6%
Expression of consent automatically signified by registration
12
6,1%
Consent is referred to...
T&C in general
9
T&C and direct marketing
2
Direct marketing only
1
The data subject can express separate consent
168
85,3%
A wide majority of websites (85,3%) do request separate consent. This means that the
expression of consent is not automatically signified by registering to the website but is sought
individually as part of a separate transaction. In other words, the data subject is given the
opportunity to register to the service without having to consent to data processing for direct
marketing. As we have discussed in Part One, this is an essential prerequisite for an expression of
consent to be valid.
As regards the websites which seek consent separately from the registration, our study
indicates that there is not only great variety as to what data subjects are sought their consent for, but
there is also diversity in the ways of phrasing the request for consent. Beyond these variations, the
method used to obtain separate consent is essentially one: data subjects are requested to tick a box
corresponding to an expression of consent.97 In order to identify the websites that seek specific and
freely given consent for direct marketing, we have first made a distinction between the registration
processes where the data subject is requested to tick in one box only and those where two or more
boxes are available. Second, we have considered the wording of the expression(s) of consent in
order to ascertain whether consent was sought with reference to the T&C (e.g. ‘I agree with the
privacy policy’), to direct marketing (e.g. ‘I wish /I do not wish to be contacted by you’), or to both.
Table 5 illustrates the findings of this observation. The single-box system is adopted by 51
websites. In this group, 24 websites offer a box where only consent for purposes of direct marketing
is mentioned. It is only these websites that meet the requirement for consent to be specific, namely
covering direct marketing in particular. The other websites either do not seek consent for direct
marketing (only consent to T&C; 18 websites) or ask consent for both T&C and direct marketing in
the same box (9 websites).
The multiple-box system is used by 117 websites. These websites obtain consent by offering
the option to click more than one box. Apart from a very small number of websites where all boxes
An alternative, but less frequent system is that of clicking into a ‘yes’ or ‘no’ cell. For example: ‘I wish to be kept up
to date’ YES /NO.
97
33
refer to T&C only (5 websites), all other websites offer at least one box where the expression of
consent addresses specifically the processing of data for purposes of direct marketing. In particular,
83 websites seek consent for both T&C and direct marketing, and 29 for direct marketing only.
These two latter sets of websites obtain specific consent and meet the legal requirement for the
consent to be informed and specific.
Table 5 – Mechanism for specifying separate consent
The data subject can express separate consent
168
85,3%
Separate consent is expressed...
By clicking in a single box
51
Referring to T&C only
18
Referring to T&C and direct marketing
Referring to direct marketing only
By clicking in more than one box
9
24
117
All boxes referring to T&C only
5
Boxes referring to T&C and to direct marketing
83
All boxes referring to direct marketing only
29
Websites obtaining specific consent for direct marketing
136
69,0%
The sum of the websites that validly obtain specific consent for direct marketing is 136,
which represents the 69% of the sample. The question is whether this specific, freely given and
informed consent is also unambiguous. If consent is informed, freely given and specific, yet not
unambiguous, it is not valid in light of the relevant legal requirements. We address the requirement
for unambiguous consent in the following section.
(iv) Unambiguous consent
In our study we have observed that websites follow different policies in seeking specific consent for
direct marketing. It is not only the wording of the expression of consent that may vary significantly
from website to website, but, most importantly, the form in which the consent is sought can be
different. For example, one website can place the request in the following terms: ‘If you do not wish
to receive our emails and our fantastic offer please tick this box’, while another website may say:
‘By ticking this box you consent to receive information about products and/or services that may be
of interest to you’. Besides the specific wording chosen by each website to convey the message to
their customers, there is an essential difference in the form of the communication between the data
controller and the data subject: in the first case, the data controller asks the data subject to express a
34
‘non-consent’ or, otherwise put, to signify an objection to the processing of personal data for the
purpose direct marketing; in the second case, the data controller seeks the data subject’s (positive)
consent for the same activity. We refer to the first method as ‘opt-out’ and to the second one as
‘opt-in’.
The UK Information Commissioner’s Office (ICO) has distinguished between someone who
has been offered the option to object but has not used it (opt-out), and someone positively
confirming their consent by ticking a box (opt-in).98 Direct marketing is lawful only if the recipient
has previously freely given their consent to receiving such communications. The act of ticking a
box is in principle a valid expression of consent. However, this should take place by actively
consenting to the marketing, e.g. by ticking in a box to ‘opt-in’ to direct marketing activities, rather
than to ‘opt-out’ from the same activities. In our view, opt-out does not result to valid expression of
consent: this is because consent does not follow from the active input of the data subject but could
result from a mere oversight of what was written in the sentence next to the box.
Besides opt-in and opt-out there is yet a third option: it is when the website expresses the
consent in the form of positive confirmation (opt-in) but the box is pre-selected. This means that the
data subject has to actively de-select the box, should s/he not wish to consent to that particular data
processing. Pre-selected opt-in is, again, a doubtful way of obtaining consent, since it may go
against the requirement for consent to be unambiguous. In table 5 we compare the methods of
obtaining specific consent, as followed by the websites comprising our sample.
Table 6 – Method of obtaining separate consent to process personal data
Count
%
The data subject cannot express specific consent for direct marketing
61
31.0%
The data subject can express specific consent to direct marketing
136
69,0%
By selecting opt-out from receiving ads / info
66
33,5%
By de-selecting opt-in to receive ads / info
38
19,3%
By selecting opt-in to receive ads / info
32
16,2%
As we saw earlier (table 5), 136 websites obtain specific consent for purposes of direct
marketing. This represents the 69% of our sample. However, it is only 32 websites which seek
consent in an opt-in mode. This amounts to a meagre 16,2% of the whole sample. Therefore, it is
only 1 out of 6 websites that actually abides with the requirements for consent to be informed,
98
<http//www.ico.gov.uk>
35
specific, freely given and unambiguous, hence obtaining valid consent to process personal data for
direct marketing purposes.
(v) Revocable consent
In the context of valid consent, it is important, as we explained earlier, that data subjects are
given options to revoke their consent at any time. This means that consent is valid only if it
revocable, and this condition should not be restricted either contractually or practically. If an
individual has consented to receiving emails for marketing purposes, the email s/he receive should
incorporate an option of opting out of this service.
In the following section (section B), we will examine the behaviour of the websites as regards
the withdrawal of consent. Table 7 outlines the unsubscribing policies as declared in the T&C of the
websites.
Table 7 – Procedure for revoking consent (as declared in the T&C)
Count
Procedure not specified
%
72
36.6%
125
63.4%
By sending email of notification
83
42.1%
By modifying user’s profile
53
26.9%
By clicking on link
49
24.9%
By writing to specific mail address
44
22.3%
By writing to a specific person
11
5.6%
By calling to a telephone number
10
5.1%
7
3.6%
Procedure specified
Other
While the majority of websites specify a procedure for unsubscribing and having the personal
data deleted (63.4% of the sample), the methods that websites use to offer this option vary. Most
websites declare that they will delete the data upon receiving email notification (83 websites, 42.1%
of the whole sample), or upon modification of a specific option in the profile of the data subject (53,
26.9%). Other websites offer an unsubscribing link in their T&C and/or in their commercial emails
(49, 24.9%), or require the data subject to notify their choice of unsubscribing to a specific mail
address (44, 22.3%). Options belonging to the pre-digital world, such as notification by post or
telephone calls, are offered but are less frequent.
B. TO WHAT EXTENT DO UK WEBSITES RESPECT CONSENT?
36
In the previous section we have examined the practices of websites with respect to the legal
requirement that consent for processing personal data for direct marketing purposes should be
informed, specific, freely given and unambiguous. We have concluded that, although the majority
of websites seek specific consent for direct marketing in one form or in another (69%), most of
these websites do not obtain unambiguous consent within the meaning of EU data protection law.
This is not to say that all of these websites will necessarily process personal data for direct
marketing purposes; however, to the extent that they do so they would not have obtained the
necessary consent within the requirements of EU law.
In this section, we endeavour to assess whether websites do respect consent in fact. Even
though consent may be valid and lawfully sought, it may not be respected in practice – and vice
versa: a website may obtain consent in a non-orthodox way and still respect it in practice. The
question we address is the likelihood that a UK website processes personal data in two
circumstances: when (1) consent for such processing is refused at the outset; and (2) consent is
revoked at a later stage.
To answer this twofold question, we have conducted an empirical test. We have completed
the subscription to the services offered by a sample of websites and have calculated the number of
the emails received from each website over a given period of time. Under the conditions that we
have set for our test, the quantity and quality of emails received can be used as an indicator that
personal data have been processed unlawfully, i.e. in spite of the fact that the data subject has either
refused or revoked consent. Emails that are sent without the consent of the recipient are termed as
‘unsolicited commercial emails’ (hereinafter UCE). Both the emails sent against consent to direct
marketing and the emails sent after the data subject has requested removal of his or her personal
data, fall under the definition of UCE. Emails sent with the consent of the recipients are, by
contrast, ‘solicited’ emails and do not raise any issue of compliance. The empirical test was aimed
at ascertaining how UK websites respect consent by analysing their behaviour with respect to the
sending of UCE and of solicited emails.
(i) Methodology
To carry out the test, we have created a sub-sample of 100 websites out of the initial
population of 200. This sub-sample was obtained by making a random selection from the groups of
websites represented in Table 6 (supra), namely we have selected: 20 websites from the ‘opt-in’
group, 20 from the ‘pre-selected op-in’, 30 from the ‘opt-out’ and 30 from the group of websites
that do not offer specific consent for direct marketing. Hence, we created 200 simulated identities
(SI), provided with valid email address, home address and mobile telephone number. These SI were
37
used to complete the registration process in all of the 100 websites. To be precise, we registered
with each website twice: once, by instructing a SI to express a refusal to consent to processing data
for direct marketing purposes - in whichever form the consent was sought from the website (Registration 1)99 and a second time by instructing another SI to register to the website by
expressing consent to such processing (Registration 2). After a period of 4 months, the latter SI
notified the website that it withdrew the consent to process their personal data (in whichever form
the website managed this withdrawal)100. The test was concluded after 8 months from the initial
registration with the website.
The following scheme summarises the actions that have been carried out with respect to
each of the 100 websites of the sample:
0
4m
Registration 1
Registration 2
Initial expression of consent
8m
Consent refused
Consent given
Consent withdrawn
Revocation of consent
The grey area in the scheme above represents the status where there is no consent for the
processing of personal data. The commercial emails that each SI received in the email accounts
corresponding to Registration 1 or Registration 2 in that period of time can be defined as UCE. By
contrast, emails received by SI further to Registration 2 during the first 4 months (white area) can
be classified as ‘solicited’ commercial emails, i.e. emails sent with the consent of the recipient.
While the total number of commercial emails indicates the extent to which websites process
personal data for direct marketing, the number of UCE provides indicative evidence of whether
websites process personal data unlawfully.101 Besides this quantitative evidence, we have also
extracted qualitative information from the experiment. Both solicited and unsolicited emails can be
sent either by the website to whom personal data has been submitted via registration, or by other
subjects. In this last case, data have been transferred to third parties, and the domain name of the
99
These are: opt-out, pre-selected opt-in, pure opt-in (Table 6). Where the website does not ask for specific consent,
refusal has been signified according to the available forms (e.g. by sending an email, or by following an appointed
procedure, where in place).
100
See above Table 7. In cases where no procedure was specified, we notified the website by replying to one of the
commercial emails received.
101
All email accounts of the 200 SI have been ‘sterilised’ after registration, namely: they have been secured and not
used to any form of communication. This was to avoid that emails of different provenance (so-called ‘spam’) could
reach the account. A visual survey of all emails received has excluded the possibility that the accounts could have been
exposed to spamming or other forms of emailing from uncertain origin. In other words, all emails that we found in each
account’s mail box were originating, either directly or indirectly, from the website to which the account was registered.
38
commercial emails received by each SI provides indirect evidence on websites practices with
respect to the transfer of data to third parties.
We discuss the findings of the experiment in the following section.
(ii) Emails received from websites as result of submission of personal data
During the 8 months time of the experiment, our 200 SI received over 3.000 emails. These include
both solicited emails and UCE. Table 8 summarises the findings in relation to Registration 1 and 2.
Table 8 – emails received by registering to 100 websites
Total
number Average
of emails
emails/month
per website
Registration 1 (no consent)
661
0.8
Registration 2 after withdrawal (no consent)
958
2.4
Total UCE
1,620
1.4
Registration 2 before withdrawal (consent)
1,511
3.8
Total emails
3,131
As expected, the probability of receiving emails is higher when consent for direct marketing
is given: in this situation, one should expect to receive on average almost 4 emails per month (3.8)
from each website to which s/he has submitted personal data. This number drops to 2.4 emails per
month when the SI has revoked consent at a later stage. Where consent is refused at the outset, each
data subject is expected to receive less than one email per month (0.8) from each website on
average. Although the number of emails per month is different in each situation, it should be borne
in mind that in the last two cases (refusal and withdrawal of consent) no commercial emails should
be sent at all to data subjects. Practice indicates, however, that this is not the case and the overall
average number of UCE is 1.4 emails per month from each website.102
Not all websites have the same behaviour when it comes to direct marketing and commercial
communications. From a quantitative point of view, our experiment demonstrates great variety as to
the number of both solicited emails and UCE. With regards to solicited emails, a significant number
of websites (28) do not engage in sending commercial information, despite the fact that these
websites seek consent for direct marketing at the registration stage.
102
We consider a valid number of emails as 2 or more emails sent by a website. This is because websites may send one
to two emails to confirm the registration, and these emails are not indicative of a direct marketing activity.
39
With regard to UCE, a striking datum emerges from our test: almost half of the websites (48
out of 100) did engage in sending UCE to subscribers (Table 9). The amount of UCE sent over the
whole period varies – from a handful of emails (less than 10 in 20 cases) to a maximum of 249
emails in one case – but the conclusion is unequivocal: when a data subject submits personal data to
a UK website, there is a good 50% of probability of receiving commercial emails without consent.
Table 9 – Quantity of UCE sent by websites
# websites
No UCE103
52
Less than 10
20
11 to 20
8
21 to 30
5
31 to 40
5
41 to 50
2
51 to 100
4
More than 100
4
In the following section, we analyse in more details the behaviour of these noncompliant websites.
(iii) Respect of consent refusal and of consent withdrawal
Websites may ignore consent in two ways. First, they may disregard the initial refusal of consent,
and second, they may not take into account the subsequent revocation or withdrawal of consent.
Both behaviours result in unlawful processing of personal data. Table 10 summarises the observed
behaviour of websites with respect to initial refusal of consent and to subsequent withdrawal.104
Tab 10 – Processing of personal data and data subject’s consent
# websites
Do not engage in direct marketing
28
Engage in direct marketing
72
Respect of all expressions of consent (initial refusal / subsequent
%
22
30,5
No respect of initial refusal to consent
21
29,2
No respect of subsequent withdrawal of consent
16
22,2
withdrawal)
103
Including 28 websites that do not send any email at all (either solicited or unsolicited).
When testing the respect of revocation of consent, we considered a “grace period” of 15 days after which websites
can be reasonably expected to stop sending emails upon notification of withdrawal.
104
40
No respect of any expressions of consent (initial refusal / subsequent
13
18,0
withdrawal)
100,0
As observed earlier, a significant number of websites (28) do not engage in direct marketing,
namely they do not send any commercial emails in spite of the fact that they have obtained consent
from data subjects to this end. However, it is more interesting to observe the behaviour of the
websites that do engage in direct marketing by addressing commercial communications to data
subjects (72). Out of these 72 websites, the great majority (which almost reaches 70%) does not
respect at least one of the two expressions of consent that have been tested, namely: the initial
refusal of consent (in the 29,2% of cases), the withdrawal of consent at a later stage (in the 22,2% of
cases), while in the 18% of cases the website does not respect any expressions of consent (initial
refusal or later withdrawal). Only a meagre 30 per cent of the tested websites respect consent at all
stages, namely at the moment of data collection (initial refusal to consent to direct marketing –
Registration 1 of our test) and at a later stage, when the data subject exercises the right to withdraw
consent (Registration 2, month 4).
Based on these results, the question arises as to whether there is any correlation between the
way in which a website seeks consent and the way in which the same website processes the data. To
sharpen the question: is compliance with data protection law in obtaining consent a reliable
predictor on whether the website will process personal data lawfully? We answer this question in
the following section.
(iv) Method of obtaining consent and respect of consent
In the section A of this part, we have observed that websites have different methods of obtaining
consent (see Table 6 above). According to our analysis, the proper way of obtaining unambiguous
consent is the “opt-in” system, namely when data subjects are given the possibility of positively
expressing their agreement to receiving commercial information or to otherwise agree on the
processing of their personal data for direct marketing purposes. Other methods of obtaining consent,
namely “opt-out” and “preselected opt-in”, do not result to valid consent, since consent might not
be unambiguous, albeit being informed, specific and freely given. In Table 11 below, we have
crossed the four clusters obtained in Table 6 with the data on the emails received from each website.
This provides an indication on whether the respect of consent is related to the way in which
websites obtain consent in the fist place.
Tab 11 – Forms of obtaining consent and respect of consent
41
Engage in
direct
marketing
105
Respect to
Respect to
Respect to
initial refusal
withdrawal
both
to consent
of consent
All websites
72%
53%
59%
30%
No specific consent for direct marketing
73%
36.8%
57.9%
21%
62.5%
56%
56%
24%
Preselected opt-in to direct marketing
78%
66.7%
72.3%
50%
Opt-in to direct marketing
91%
50%
50%
30%
Opt-out from direct marketing
In a general framework of low level of compliance, websites that obtain consent through preselected opt-in boxes show the best level of respect of consent in all situations, and half of them
respect both initial consent and withdrawal. Not surprisingly, the poorest performance in relation to
respect of initial consent (only 36.8%) is shown by websites that do not seek specific consent. This
is partially compensated by a better level of respect of subsequent withdrawal (57.9%, the second
best performance after the ‘pre-selected opt-in’ websites). Yet, the overall compliance of websites
that do not seek specific consent is the lowest of all websites (21%), followed by opt-out websites
(24%) and opt-in websites (30%). Opt-in websites are more likely than others to engage in direct
marketing activities (91% of them do send commercial emails) and demonstrate a level of respect
which is in line with the average.
The overall performance of each group of websites is better captured with reference to the
quantity of emails that are actually sent to subscribers (Table 12).
Tab 12 – Forms of obtaining consent and emailing activity
% of websites Solicited emails UCE (# per
engaging
in (# per website)
website)
direct
marketing106
All websites
72%
5.5
2.0
No specific consent for direct marketing
73%
4.5
2.3
62.5%
5.1
2.1
Preselected opt-in to direct marketing
78%
8.8
1.6
Opt-in to direct marketing
91%
2.5
1.7
Opt-out from direct marketing
105
106
I.e. websites that sent more than 2 emails – see above note 104.
I.e. websites that sent more than 2 emails.
42
The average number of UCE received from each website is the highest in websites that do
not seek specific consent and is followed by the number of emails sent by the opt-out websites (over
2 UCE per month, on average). Websites using opt-in and pre-selected opt-in send UCE too, but on
a lower degree (1.7 and 1.6 emails per month, respectively). As to the lawful direct marketing
(solicited emails), it can be observed that the websites that demonstrate the highest level of activity
are those that obtain consent through pre-selected opt-in (although the data is influenced by the
presence in this cluster of 3 of the 4 websites that have sent more than 100 emails – see Table 8
supra).
Overall, the figures confirm that, in a general framework of low level of compliance,
websites that seek separate consent show a relatively better compliance than those that do not have
a separate consent system in place – both in terms of actual respect for consent at all stages (initial
consent and subsequent withdrawal) and in terms of number of UCE that are sent to subscribers.
Amongst websites that ask for separate consent, the pre-selected opt-in websites demonstrate the
best performance. By contrast, the opt-out websites show the poorest level of performance amongst
the websites that do seek specific consent: a level which is close to that of the websites that do not
request specific consent.107
(v) Transfer of data to third parties
Personal data that are submitted to a website in the registration process can be transferred to,
and processed by, third parties. Indirect evidence that data have been transferred to third parties is
provided by the domain name of the commercial emails received as a consequence of the
subscription to a website. When all emails come from one unique sender, we can conclude that data
have been processed by one single data controller, presumably the website that has initially
collected the data. By contrast, when emails originate from more than one unique sender, we may
infer that data have been processed by other subjects too, to which the data have been transferred.
Table 13 summarises the findings of the test. Out of 72 websites that have sent at least one email,
27 have sent emails from one unique sender and 45 from more than one unique sender. A
qualitative screening of the unique senders reveals that 33 are presumably affiliated in some way
with the initial website, either because their domain name is a sub-domain of the website (e.g.
marketing.domain.co.uk), or because other kinds of connection can be established (e.g. same
domain name but different extension). In 16 cases we have found emails from domain names that
are not related with the initial website and do not bear any signs of possible connection.
107
Opt-out websites are also those who are less likely to engage in direct marketing (only 62.5%, see tab 11). If we
consider the overall performance of opt-out websites, including those who do not send commercial emails, the average
number of UCE is lower than the average number of UCE sent by all websites (1.4 against 1.5).
43
Incidentally, we have observed that emails with the same domain name may originate from
different websites; this means that different websites have transferred the data to the same subject,
presumably a company specialised in direct marketing.
Table 13 – Email senders
# websites
Emails from 1 unique sender
27
Emails from more than 1 unique sender
45
Likely subsidiaries / affiliates
33
Third parties
16
Unclear
6
When data have been transferred to third parties, the question arises as to whether the withdrawal of
consent at later stage is effective with respect to these parties too or not. In other words: when a data
subject exerts their right to have their personal data removed by a website, will this also cover the
data that the website has in the meantime transferred to third parties? The limited size of our sample
does not allow drawing statistically significant conclusions. However, we have observed that in at
least 4 cases the SI continued to receive emails from a sender different than the original website
after having withdrawn consent. At the same time, there is no clear indication that websites that do
transfer data to third parties are less likely to respect the withdrawal of consent.108
CONCLUSIONS
This paper investigated data processing consent as the linchpin of EU data protection
legislation. With the Treaty of Lisbon data protection has been upgraded as a provision of general
application and formally recognised as a fundamental right of the EU. Normatively, data protection
and privacy have been re-conceptualised as a bundle of legal rights and tools to pursue the common
goal of a democratic society, not only free from unjustified intrusion and surveillance but where
citizens may develop their personality freely and autonomously through individual reflexive and
active participation in society. Therefore data protection principles, as a legal tool, should be seen as
less procedural and more substantive to protect and guarantee the underlying fundamental values.
Consent is a crucial component of data protection law to give effect to the goal it purports to
achieve giving individuals the tool to have control over their personal information and the persona
they project in society.
108
Out of the 16 websites that have presumably transferred data to third parties, 7 respect withdrawal of consent and 9
do not.
44
The aim of this study is to provide empirical evidence on the practice of obtaining consent
and respecting a person’s wishes with regard to the processing of their personal data by online
operators. The study focused on e-commerce services and the UK jurisdiction.
The findings of the study demonstrate a significant departure between EU legal theory and
practice in the UK. In particular, to the extent that only ‘opt-in’ mechanisms can be considered as
valid methods of obtaining unambiguous consent under the requirements set by EU law, the study
shows an extremely low level of compliance. It reveals that only a meagre 16.2% of websites obtain
a valid form of consent to process personal data for purposes of direct marketing. However, the fact
that a wide majority of websites (69%) has in place a system to request separate consent for
engaging in marketing activities—although in the forms of ‘opt-out’ or ‘pre-selected opt-in’
mechanisms—, illustrates that there is a general awareness of the importance of obtaining consent
before processing data. This suggests that there is a lack of, or inappropriate standard of information
on what the law requires, especially in light of the clarifications provided at EU level. In this
respect, this study confirms the view of the EU Commission in the Phorm case of a poor
implementation and compliance of the UK with EU rules.
Yet, besides the compliance with formal legal requirements, the practice of websites in
processing personal data confirms a scenario of bad performance. This is substantiated by the test
on the frequency of UCE sent by websites. The test shows that less than a third of websites (30.5%)
respect the will of the data subject not to receive commercial communications. Even though a
significant number of websites do not send commercial emails at all, in spite of asking consent to do
so (28%), the likelihood of submitting personal data to a website that will ignore the refusal of
consent and will send UCE is still surprisingly high (50%). Moreover, the sending of UCE may
represent only the most visible indicator that personal data have been processed unlawfully. In fact,
other less visible processing activities exist that are very difficult, if not impossible, to detect. One
can only speculate on whether or not such unlawful processing of personal data also extends to
other privacy-invasive and prejudicial activities, such as user profiling, behavioural advertising, or
price and service discrimination.
What is more, the study unveils that the way in which websites obtain consent (opt-in, preselected opt-in, or opt-out) is not a proxy of lawful processing of data at a later stage. However, the
survey demonstrates that websites that do not ask for separate consent at all are more likely to
engage in further unlawful processing at a later stage than those websites that collect consent
separately. This suggests that the high level of non-compliance can be partially explained as the
effect of a deficit in information rather than of a conscious infringing behaviour.
45
A final consideration may need some attention. The survey has been carried out on a sample
of the most popular UK-based websites. Less popular websites according to the set criteria have not
been scrutinised. As a conjecture, it may be assumed that minor players or bogus websites engage in
even lower levels of compliance.109 On a pure speculative level, arguments may be developed that
the size of a commercial venture may bring with it a reputation collateral that forces firms to
maintain compliance high. Thus, the suggestion is that the overall website performance may be
worse than the one resulting from the study.
The results of this study support the view that supervision and enforcement by national
authorities is a critical need and it becomes one of the greatest challenges facing data protection.
However, they also suggest that online operators should be properly informed on how to comply
with the legal requirements. If it is true that unenforced law is no law at all, it is also true that
unclear or unexplained law is detrimental to the development of a safe online environment and,
ultimately, to citizens.
Birnhack and Elkin-Koren’s study on a sample of 1360 Israeli websites shows that the 45 websites listed as the ‘most
popular’ have a significantly higher level of compliance compared to other categories. Their explanation is that
‘Commercial enterprises are generally more risk averse; they are highly visible, have deep pockets, and are more likely
to be drawn into expensive litigation’ (n 12, 380).
109
46