Out-Law News 4 min. read

Explicit prior consent needed for personal data processing, EU Commissioner says


Organisations that want to process personal data will have to obtain explicit prior consent from individuals to do so under new EU data protection laws, the EU Justice Commissioner has said.

Viviane Reding also said that individuals would be able to force organisations to delete the personal information they hold about them under the new laws, which the European Commission has said will be formally proposed before the end of January.

In a joint statement with Germany's Consumer Protection Minister, Reding said that the changes would "empower" internet consumers.

"In modernising the EU's data protection rules, we believe that consumers must be more empowered than they are today," the statement said.

"Users should be in control of their data. This is why in our view, EU law should require that consumers give their explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the Internet themselves. We will work closely together to make sure that the modernisation of the EU’s data protection rules addresses these issues and that the EU’s data privacy principles are turned into a reality for consumers and businesses everywhere in Europe," Reding said.

Under the EU's current Data Protection Directive organisations must process personal data fairly and lawfully and can only process the information if a person has given their unambiguous consent and if that consent is explicitly given. Any change to the definition of 'consent' in a revised Directive, to include the fact that consent must be given prior to processing, would have a bearing on EU laws on 'cookies'.

Cookies are small text files that websites store about users to remember their activity on the site. The Privacy and Electronic Communications Directive (E-Privacy Directive), from which laws governing the use of cookies are drawn, states that the meaning of 'consent' within provisions of those laws must derive from the original definitions given to the word in the Data Protection Directive.

The E-Privacy Directive says that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The E-Privacy Directive was implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.

The Information Commissioner's Office (ICO) has previously issued guidance on how website owners can comply with this requirement, but it has left it up to individual companies to choose methods they believe comply with the laws. The Government is working with browser manufacturers to come up with a way to gather consent via browser settings.

Claire McCracken, an expert in E-Privacy laws at Pinsent Masons, the law firm behind Out-Law.com, said that the new EU proposals for explicit prior consent would help to clarify the present uncertainties surrounding when users' consent is required.

"Since May this year when the new cookie laws came into force in the UK there has been a great deal of debate not only about how users' consent can be obtained, but also when. Clarification on this point should help shape the technology being developed to gather consent via browser settings and also help businesses to ensure compliance," McCracken said.

The ICO has recently told Out-Law.com that it will issue further guidance on cookie consent and progress towards compliance over the next few weeks.

Kathryn Wynn, data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said introducing a 'right to be forgotten' would likely impact most on social media companies.

"The right to be forgotten is a really good thing, especially in the era of social media," Wynn said.

"It is particularly positive for the younger generation who maybe feel that they are invincible during their teenage years and post embarrassing or compromising comments or pictures on social networking sites but who find they are later judged on that content by potential employers searching the internet."

"I think the right to be forgotten would only catch out companies on the edge of compliance with data protection laws, not those that have the correct procedures and policies in place. In fact, it may benefit companies that currently store masses of personal data about people that may not all be accurate, and ensure that information they do store is proportionate to their needs and up to date," Wynn said.

In her statement Reding also said that the revised data protection laws should apply to companies with EU consumers that store personal data in 'the cloud'. Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computing resources. It allows internet users to access or store information without owning the software to do it and many online companies, such as Google, operate huge servers that store the data and deliver it to users.

"Consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established," Reding said.

"We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a 'cloud'," she said.

The European Commission said that new EU data protection laws are required to "successfully address the challenges of today's digital world". The existing Data Protection Directive came into effect in 1995.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.