Feeds

A pre-ticked box in web forms should NOT mean consent - EU report

New proposals suggest an end to automated assent

Choosing a cloud hosting partner with confidence

Businesses will not be able to use pre-ticked boxes to gain user consent for the processing of their data under changes proposed by the European Parliament to new EU data protection laws.

In a new report, Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed EU data protection reforms, said that consumers should not have to opt out from automatic settings in order to avoid businesses deeming that they have given consent to their personal data being processed.

Albrecht's report contains proposed amendments to the draft General Data Protection Regulation the European Commission published in January 2012. Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Albrecht has now said (215-page/751KB PDF) that freely given consent would generally not be said to have been obtained if the consent is gleaned from "pre-ticked boxes" companies often use in consumer agreements.

"In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment," Albrecht said. "The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent."

Organisations seeking to rely on consent should have the burden of proving that they have obtained the permissions from consumers, but under Albrecht's plans would not have to seek confirmation of data subjects' by way of a "positive identification ... unless necessary" in order to be said to have sufficient proof of consent.

Companies that hold a dominant position in a particular market would also face more stringent rules on consent if Albrecht's proposals are adopted. Under the Commission's plans consent could not be relied upon by firms if there was a "clear imbalance" of rights in their favour that disadvantaged consumers. Albrecht has expanded on this concept and suggested that dominant market players could not make "unilateral and nonessential" changes to contractual terms if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

Albrecht has also proposed new rules that would allow companies to rely on "automated means using a technical standard" to obtain individuals' consent to the processing of pseudonymised data. However, the standard through which that consent could be gleaned would have to be approved by the European Commission.

Albrecht said that this would incentivise the processing of pseudonymised information and allow for standards such as 'do not track' (DNT) to be used. The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, has been working on developing a new DNT controls system for operation within web browser settings.

The rapporteur has also set out what should be meant be 'anonymised' data, which he said would be fully outside the scope of the data protection law framework.

"[Anonymised data is] data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed," Albrecht has proposed.

Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned. However, Albrecht has proposed that companies should only be able to rely on the 'legitimate interests' provisions in "exceptional circumstances".

Albrecht's report also contains proposed amendments that provide guidance on when organisations' 'legitimate interests' could be said to outweigh individuals' rights, and vice versa.

Under the Commission's draft Regulation, businesses would be required to notify any regulators of any data breach "without undue delay and, where feasible, within 24 hours" of having become aware of it. However, Albrecht has said it is "not always feasible" for companies to meet this deadline, and has proposed extending the reporting requirement to within 72 hours. Individuals should only be notified in cases where the breach is "likely to adversely affect the protection of [their] personal data or privacy ... for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation".

The ability of the European Commission to lay out some detail on the meaning and interpretation of some of the rules under the proposed new Regulation would be tempered if Albrecht's proposals were adopted. The Commission would have to consult with supervisory privacy body the European Data Protection Board over the 'delegated acts' it would want to introduce.

The report has also recommended that data controllers or processors provide “financial indemnification” to individuals for any data breaches that occur from international data transfers to non-approved 'third' countries. In addition, the individuals should be provided with full details” of the access rights public authorities in those countries have to their personal data, Albrecht has proposed.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Security for virtualized datacentres

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.