Obtaining consent under the Electronic Communications Act (LEK)

Report number: PTS-ER-2015:27
Date: 15/10/2015
Guidelines
Reference number: 15-10069
ISSN: 1650-9862
Authors: Karin Lodin and Staffan Lindmark

Swedish Post and Telecom Authority
Box 5398
102 49 Stockholm
+46 (0)8-678 55 00
pts@pts.se
www.pts.se
Contents
1 Background 4
2 Rules of consent in LEK 5
3 What is consent? 7
4 Obtaining consent 8
4.1 Ways of obtaining consent 8
4.1.1 Consent is not a condition for an agreement 8
4.1.2 Information must be easily understood, clear and fixed 9
4.1.3 If support for processing involves consent, this must be clear 9
4.1.4 Changes in processing require a new consent 10
4.2 Information prior to obtaining consent 10
4.2.1 Description of data 10
4.2.2 Description of purposes 11
4.2.3 Description of processing to be carried out 12
4.2.4 Description of the duration of traffic data processing 12
4.3 Example 13
5 Withdrawal of consent 14
Requirements for consent under LEK in brief 15

1 Background
Among other things, the Swedish Post and Telecom Agency (PTS) has the task
of ensuring that the providers of electronic communications services
(operators) protect users' privacy in connection with the provision of electronic
communications services. One of the Agency's strategic objectives for 2015-2017
is to strive for the general public having greater insights and more
influence over how personal information is used in connection with the use of
telephones and the internet. One step in achieving the objective was to
produce this guide on obtaining consent.
During 2013-2015 PTS carried out supervision in respect of the processing of
data and obtaining consent. The supervision included a total of ten operators
of varying size and with different activities.[1] The guide only describes the
standpoints that PTS has expressed in the closed supervisory issues. The
standpoints are not binding for any others than the operators covered by each
review, but may nevertheless be indicative for other operators who must
observe the regulations on consent in the Electronic Communications Act
(2003:389), or LEK.
The review covered only a scrutiny of processing for marketing purposes,
subscriber information purposes and traffic management purposes. For this
reason, PTS did not request a full account of all data processing performed in
connection with the provision of electronic communications services within
the framework of supervisory issues. Nor has PTS examined whether the
information that the operators have submitted on data processing carried out
corresponds to the actual processing carried out. The main purpose of the
reviews was to examine whether the operators comply with the legal
requirements as regards the arrangements for obtaining consent and the content of the
information that should be given to subscribers prior to processing.
The guide is intended to be applied to all processing that requires consent
under LEK.
[1] PTS ref. no. 13-12354, 13-12355, 13-12356, 13-12357, 13-12358, 13-12359, 13-12360, 13-12361, 13-12362 and 13-12363.

2 Rules of consent in LEK
Operators have access to extensive information about subscribers' and users'
communications and their content. To protect subscribers' and users' privacy
and limit the operators' possibilities regarding the processing of data, in
addition to what is required for the provision of the service, LEK contains a
number of regulations, according to which the processing of data for certain
purposes is only permitted after consent has been obtained.
Among other things, rules on consent are found in the provisions on processing
of traffic data in Chapter 6 Sections 5-7 in LEK. Under Chapter 6 Section 1 in
LEK, traffic data consists of data that are processed in order to forward an
electronic message via an electronic communications network, or to invoice
this message.
In Chapter 6 Section 5 in LEK it is stated that the operator, as a general rule,
must delete or anonymise processed traffic data for natural persons or
subscribers as soon as they are no longer needed to transfer an electronic
message.
In Chapter 6 Section 6 first paragraph in LEK it is stated that traffic data
required for invoicing or charges for joint traffic may be processed until the
debt is paid or the statute of limitations applies. The second paragraph states
that traffic data may also be processed to market electronic communications
services or to provide other services where the data is necessary ("value added
services") to the extent and for such time as is necessary for the marketing or
service. However, under the third paragraph, processing for these purposes
requires the consent of the data subjects. Before consent is obtained, the
provider must inform the data subjects of which traffic data are processed and
for how long the data are processed for these purposes.
Chapter 6 Section 7 in LEK describes who has the right to process data under
Sections 5-6 and Chapter 6 Section 8 describes certain exceptions from the
provisions in Sections 5-7, such as when an authority or court needs access to
traffic data to resolve disputes.
As regards localisation data that is not traffic data and
which derives from users who are natural persons or subscribers, under
Chapter 6 Section 9 in LEK, these may only be processed after they have been
anonymised, or after the user or subscriber has given consent for such
processing.
With the exception of that described in Sections 5-7 and 20, under Chapter 6
Section 17 in LEK no party except for the users concerned may process content
in an electronic message, or traffic data belonging to this message, unless one of
the users has given consent for such processing. The second paragraph
describes three exceptions to the above:
1. Storage that is automatic, intermediate and temporary, if it is necessary
for transfer or operations (so-called buffering),
2. Access to the content in an electronic message, if the content is
generally available anyway and if it takes place to streamline transfer
(so-called caching), or
3. The interception of or access to a radio transmitted electronic
communication via a radio receiver.
There is a rule in Chapter 5 Section 11 in LEK for obtaining consent on the
disclosure of certain information in connection with the porting of numbers.
There are also rules on consent that apply to parties other than operators.
There is a requirement in Chapter 6 Section 16 in LEK for obtaining consent
for a party who intends to process personal data about a subscriber in a
subscriber list. Chapter 6 Section 18 in LEK states the requirement for obtaining
consent for any party who stores or collects data on subscribers' or users'
terminal equipment (e.g. the use of so-called cookies).
Finally, it should be mentioned that some of the processing that operators
carry out on data does not fall within the scope of application of LEK, but
comes under the Personal Data Act (1998:204) (PUL). The main rule under
PUL is also that the processing of personal data requires consent, but
exceptions are permitted in certain cases. It should be emphasised, however,
that the exceptions from the requirement of consent under PUL do not apply
in the case of processing that is regulated by LEK. This is because LEK, in its
status as special legislation, must be applied rather than PUL.
3 What is consent?
Under Chapter 6 Section 1 in LEK, the concept of consent must be
interpreted in accordance with PUL. This means that the rules describing
consent and how to obtain consent under PUL, and practice regarding consent
by the Swedish Data Protection Authority, must also be applied when consent
is required under LEK.
Consent is defined in PUL as every type of freely given, specific and
unambiguous expression of will by which the data subject, having
received information, accepts the processing of personal data
concerning him or her. Many of the rules in LEK are not limited to the
processing of personal data, but also presuppose consent for the processing of
data on subscribers who are legal persons, for example. The Data Protection
Authority has stated how the constituent elements of acceptable consent shall
be interpreted:[2]
Consent must be voluntary, meaning that the data subject must have a free
choice to determine whether his or her data shall be processed. The
requirement that consent must be specific means that general consent for the
processing of data is not acceptable. Consent must apply to processing for one
or more specified purposes.
The requirement of clarity means that there may be no doubt that the data
subject accepts the processing of data concerning him or her. An operator who
performs processing that requires consent has the burden of proof for the real
existence of the consent.
Consent must also be individual. Only the subjects whose data are to be
processed may approve such processing of their own free will.
Finally, the data subjects must be provided with certain mandatory information on
processing prior to giving consent. Before obtaining consent, the operator must
provide information about what data will be processed, the purpose of the
processing and the type of processing that will be made.
As regards obtaining consent for the processing of traffic data, under LEK the
information must also include an indication of the time period for the
processing.
[2] Swedish Data Protection Authority informs - consent under PUL, last revised August 2015, page 5 ff.

4 Obtaining consent
For consent to be valid, the process of obtaining consent must take place in
such a way that it does not violate any of the conditions set out in section 3.
This places certain demands on operators, partly concerning the ways in which
consent is obtained and partly in terms of the information that must be
communicated to the subscriber prior to obtaining consent.
4.1 Ways of obtaining consent
There are many different ways of obtaining acceptable consent. In practice, the
obtaining of consent often takes place by subscribers approving the general
terms and conditions, in which information on consent and the terms and
conditions applicable are specified. Approval of the general terms and
conditions may take place by the subscriber ticking a box if giving approval
online, by the subscriber orally agreeing on the phone, or by the subscriber
signing a subscription agreement with attached general terms and conditions
when a contract is signed in a shop.
The following requirements for the ways of obtaining consent are stated in the
PTS standpoints in the specified review cases.
4.1.1 Consent is not a condition for an agreement
In practice, operators often choose to obtain consent for various types of data
processing through formulations in the general terms and conditions, which
are part of the subscription agreements with customers. Even if the obtaining
of consent is often carried out in connection with signing a contract, the
obtaining of consent may not be presented as a condition of the contract. A
contract is an agreement between several parties, whereas consent is a unilateral
expression of the will of one party.
When consent is obtained in connection with entering into a contract, the
operator must point this out to the subscriber. This could take place by
referring to the consent described in the general terms and conditions when
approving the contract conditions. It must therefore be clear to the subscriber
that the act includes both the conclusion of a contract between a number of parties
and the giving of unilateral consent for the processing of data, and that further
information on this can be found in the conditions appendix given to the
subscriber.[3]
[3] See PTS ref. no. 13-12355, for example.

4.1.2 Information must be easily understood, clear and fixed
That consent must be a unilateral, unambiguous expression of will also means that it
lies in the operator's interest to make it as clear as possible to the individual
that it is a question of consent. It is the operator who has the burden of proof
that acceptable consent has been obtained. The aspect of easily understood and
clear to the subscriber places demands on the ways in which the operator
provides the subscriber with compulsory information prior to giving consent.
Before consent can be given, the subscriber must be given the necessary
information to take a standpoint on whether the data should be processed for
the purposes and in the manner referred to. The information must therefore be
adapted to the average subscriber and his/her abilities. The information must
be easy to find and understand, and as far as possible it should be gathered in
one place.[4]
The information must also be fixed at the time when the consent is obtained.
For example, it is not sufficient to refer to subscriber information on a website,
since that can easily be changed. It may be difficult for the subscriber to know
afterwards what the consent was for, and the operator may find it difficult to
show what data processing the consent covers. It is far better to include all the
information regarding consent as fixed in terms of contract terms and
conditions, which are then marked with a date or version number.[5] For
requirements concerning information content, see below under section 4.2.

4.1.3 If support for processing involves consent, this must be clear
For the condition of unilateral, unambiguous expression of will to be fulfilled, when
an operator intends to process data on the grounds of consent, it is necessary
that the subscriber clearly understands that legal grounds for processing lie in
the consent. Therefore, it is not permitted to inform the subscriber only in the
general terms and conditions that the operator "may" or "can" carry out certain
processing; it must be clear that the subscriber "agrees" to such processing.[6]
Furthermore, it is not appropriate to obtain consent for processing that does
not require consent, e.g. processing which the operator is obliged to carry out
under the law. It is in the nature of consent that it can always be withdrawn
(see below under section 5), and it could be misleading to the subscriber if such
a withdrawal were to be nullified as a result of the operator having the right to
proceed with the processing without consent.[7]

[4] See PTS ref. no. 13-12359, for example.
[5] See PTS ref. no. 13-12357, for example.
[6] See PTS ref. no. 13-12354, for example.
[7] See PTS ref. no. 13-12360, for example.

4.1.4 Changes in processing require a new consent
Consent must be specific and apply to one or more specified purposes.
Therefore, it only applies to the processing that the operator has obtained
consent for. If the processing is changed in any way, such as the operator
wishing to process more data, the operator must provide new information to
the subscriber about the intended processing and then obtain a new consent.
4.2 Information prior to obtaining consent
Before obtaining consent, the subscriber must be provided with certain
compulsory information regarding processing. The requirements on the ways
in which this information must be provided to subscribers have been stated
above. This section describes the assessments that PTS has made in the
specified review cases with regard to the requirements on the content of the
information which must be given.
The information that must be given to the subscriber before obtaining consent
is as follows:
1. what data will be processed,
2. the purpose of the processing,
3. what kind of processing will be carried out, and
4. how long the data will be processed for (if consent applies to the
processing of traffic data).

4.2.1 Description of data
Consent obtained cannot be considered as acceptable if the subscriber has not
been given sufficiently clear information on the data to be processed. It may be
acceptable to categorise data in the information; e.g. "Customer Data", as long
as the concept is well described, such as in a definition.[8]
The operator's description or definition of data must clearly indicate the
specific data that the operator intends to process. It is not sufficiently clear and
specific to state categories such as "data generated by use of the service"[9] or
"other data about the customer"[10]. Vague and broad data descriptions, in
combination with generally formulated descriptions of purpose, may cover a
great deal of processing - including some which is not currently performed.
Since consent must be specific, it is not usually possible to obtain consent for
such extensive processing. Nor is it appropriate, for the same reason, to obtain
consent for processing that the operator does not perform or intend to
perform.[11]

[8] See PTS ref. no. 13-12356, for example.
[9] See PTS ref. no. 13-12357, for example.
[10] See PTS ref. no. 13-12354, for example.
The description of data must not refer to terms such as "Customer's
consumption of data"[12] or "scope"[13]. Such terms are deemed to refer to
information that can be derived from the processing of data, rather than being
independent categories of data.
The definition or description of what data will be processed may not only refer
to what the data will be used for, i.e. the purpose of the processing. It is thus
not sufficient to state that the processing will include "data necessary for
marketing"; the description must specify what actual data is concerned, such as
name, address or phone number.[14] This means it is not normally sufficiently
clear to refer to legal definitions, since these are often far too general and
comprehensive - and besides, they often refer to the purpose or purposes of
the processing.
One way to describe a category of data, in addition to describing the concept,
could also be to give clear examples of data that fall into the described
category.

4.2.2 Description of purposes
When obtaining consent, the operator must also inform the subscriber of the
purpose of the processing. The description of the purpose must be formulated
in such a way that the average subscriber can understand why the data are
processed. This means that the description could be brief for well-established
and well-known purposes such as marketing, while in other cases, such as data
processing to carry out statistical analyses or taking technical measures to
improve or maintain security in the network, the purpose of processing the
data may need to be described in more detail.
Purpose descriptions must not be too general, which means that the operator
must avoid using descriptions of purposes such as "in order to fulfil Your
contract".[15] Generally formulated purpose descriptions, in particular in
combination with general and wide-ranging data descriptions, can be unclear
and misleading for the subscriber. See above under section 4.2.1.

[11] See PTS ref. no. 13-12362, for example.
[12] See PTS ref. no. 13-12356, for example.
[13] See PTS ref. no. 13-12359, for example.
[14] See PTS ref. no. 13-12359, for example.
[15] See PTS ref. no. 13-12358, for example.

4.2.3 Description of processing to be carried out
The operator must also specify what kind of processing the data will be
subjected to. It is important that the description is so clear that there is no
doubt for the average subscriber what he/she is giving consent to. The form of
the processing can be described by using terms such as "register", "store",
"compile", "filter", "block" or "hand over". It is only acceptable to indicate that
the data will be "processed for the stated purpose" if there will be no doubt for
the average subscriber what processing is being referred to.[16]

4.2.4 Description of the duration of traffic data processing
With regard to the processing of traffic data, which under LEK may only be
carried out with the consent of the subscriber, information about the duration
of data processing must be given prior to obtaining consent. Just as for other
information, the indication must be sufficiently specific for the average
subscriber to understand the duration of processing.
Therefore, it is not sufficient to only state that processing will take place "as
long as necessary" or similar descriptions which refer to factors that the
subscriber is not normally familiar with. The more specific the indication is, the
clearer it becomes for the subscriber and the easier it is to decide whether such
processing can be accepted. For this reason, the operator should normally
indicate that the processing will take place over a specified period or use clear
expressions such as "momentary" for processing which is only temporary.[17]

[16] See PTS ref. no. 13-12354, for example.
[17] See PTS ref. no. 13-12357, for example.

4.3 Example
Below is an example of how consent could be obtained for a certain type of
processing that an operator performs. It should be stressed that the consent
obtained needs to be adapted in each case to the process which is actually
carried out by the operator.
___________________________________
Operator AB wishes to prevent subscribers being bothered by spam and
malware transmitted via the operator's e-mail service. The operator wants to
filter out messages that contain such content before they reach the subscriber's
inbox. Filtering of e-mail in this case takes place by the operator processing
both traffic information (e.g. IP addresses) and the content of the messages
transmitted.
All processing of traffic data beyond what is necessary for the transmission of
messages or for invoicing purposes requires consent under Chapter 6 Section
5-7 in LEK. Consent is also required for processing message content under
Chapter 6 Section 17 in LEK. Clear and easily understood information must be
provided to the subscriber before he/she gives consent, as above in section
4.2.
In this example, consent could be obtained in the following way (note the
references to each item in section 4.2 above):
You give your consent to
[1] IP addresses and e-mail addresses, as well as the entire contents,
including headers and attachments, in e-mail messages
[3] are stored, analysed and filtered by Operator AB
[4] for a maximum period of one minute
[2] in order to find and remove spam and malware.
In the example given, the operator puts the information about consent in their
general terms and conditions. Since the operator is required to specifically
point out to the subscriber that consent is being obtained (see above section
4.1.1), the operator informs the subscriber about the consent information
when approving the terms of the contract in the following way:
☐ I accept the terms of the contract and approve the processing of data as
described in the general terms and conditions.
5 Withdrawal of consent
A subscriber may withdraw previously given consent at any time. Such a
withdrawal means that additional information on the subscriber may not be
processed thereafter. Notwithstanding a withdrawal of consent, data already
collected may be further processed, but the data may not be updated or
supplemented.[18]
The fact that consent can always be withdrawn means that it is not appropriate
for the operator's information to the subscriber to state only that consent for a
certain type of processing may be withdrawn. Such a description might mislead
the subscriber into believing that consent cannot always be withdrawn.[19]
The prohibition for an operator to process additional data after a subscriber
has withdrawn his/her consent applies even if the withdrawal concerns
processing that is necessary for the operator to provide a service in accordance
with the terms and conditions for the service. According to PTS assessments in
review cases described, if a withdrawal of consent means that the operator can
no longer provide a service, the operator must then cease such provision. It
may therefore be appropriate, in relevant cases for the processing of data, to
underline the need for valid consent to be able to provide the service described
in the subscription contract. If the subscriber has withdrawn consent but still
wants to continue using the service, the operator must first provide updated
information about processing and then obtain a new consent.[20]
Withdrawal need not take place in any specific manner, such as in writing.
However, it is the subscriber who has the burden of proof for the withdrawal
of consent.

[18] Swedish Data Protection Authority, op. cit., page 11 ff.
[19] See PTS ref. no. 13-12355, for example.
[20] See PTS ref. no. 13-12357, for example.

Requirements for consent under LEK in brief
To process data in connection with electronic communications, in many cases the subscriber's
consent must be obtained. There are also requirements on how consent must be obtained for it
to be valid. The operator has the burden of proof for valid consent being obtained. Consider
the following before processing data:
• Judge whether the proposed processing requires consent to be carried out.
• Limit obtaining consent to the processing that will actually be carried out.
• Before consent is obtained, inform the subscriber about:
  – what data will be processed (such as "name," "address," "IP address"),
  – the purpose of the processing (e.g. "to remove malware"),
  – what kind of processing will be performed (e.g. "filtering" or "blocking"),
  – how long the data will be processed if it relates to traffic data
    (e.g. "for a maximum of 1 minute").
• Give easily understood, clear and fixed information. As far as possible,
  collect the information in one place.
• Do not allow consent to look like a condition of the contract. Consent is
  unilateral approval by the subscriber.
• Specifically point out to the subscriber that consent is being obtained, e.g.
  in connection with the approval of general terms and conditions.
• Give updated information and obtain a new consent if there are any
  changes to the processing.
• Consent may be withdrawn at any time by the subscriber.