
A pre-ticked box in web forms should NOT mean consent - EU report

New proposals suggest an end to automated assent


Businesses will not be able to use pre-ticked boxes to gain user consent for the processing of their data under changes proposed by the European Parliament to new EU data protection laws.

In a new report, Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed EU data protection reforms, said that consumers should not have to opt out from automatic settings in order to avoid businesses deeming that they have given consent to their personal data being processed.

Albrecht's report contains proposed amendments to the draft General Data Protection Regulation the European Commission published in January 2012. Under the Commission's proposed regime, organisations seeking to rely on individuals' consent in order to process their personal data would be required to ensure that that consent was explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Albrecht has now said (215-page/751KB PDF) that freely given consent would generally not be said to have been obtained if the consent is gleaned from "pre-ticked boxes" companies often use in consumer agreements.

"In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment," Albrecht said. "The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent."

Organisations seeking to rely on consent should bear the burden of proving that they have obtained the permissions from consumers, but under Albrecht's plans they would not have to seek confirmation of data subjects' identity by way of a "positive identification ... unless necessary" in order to be said to have sufficient proof of consent.

Companies that hold a dominant position in a particular market would also face more stringent rules on consent if Albrecht's proposals are adopted. Under the Commission's plans consent could not be relied upon by firms if there was a "clear imbalance" of rights in their favour that disadvantaged consumers. Albrecht has expanded on this concept and suggested that dominant market players could not make "unilateral and nonessential" changes to contractual terms if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time".

Albrecht has also proposed new rules that would allow companies to rely on "automated means using a technical standard" to obtain individuals' consent to the processing of pseudonymised data. However, the standard through which that consent could be gleaned would have to be approved by the European Commission.

Albrecht said that this would incentivise the processing of pseudonymised information and allow for standards such as 'do not track' (DNT) to be used. The World Wide Web Consortium (W3C), which is responsible for ensuring that web technology is based on an agreed set of technical standards, has been working on developing a new DNT controls system for operation within web browser settings.

The rapporteur has also set out what should be meant by 'anonymised' data, which he said would be fully outside the scope of the data protection law framework.

"[Anonymised data is] data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed," Albrecht has proposed.

Organisations can legitimately process personal data without obtaining individuals' consent under certain circumstances, including if the "legitimate interests" of the organisations outweigh the fundamental rights of the individuals concerned. However, Albrecht has proposed that companies should only be able to rely on the 'legitimate interests' provisions in "exceptional circumstances".

Albrecht's report also contains proposed amendments that provide guidance on when organisations' 'legitimate interests' could be said to outweigh individuals' rights, and vice versa.

Under the Commission's draft Regulation, businesses would be required to notify any regulators of any data breach "without undue delay and, where feasible, within 24 hours" of having become aware of it. However, Albrecht has said it is "not always feasible" for companies to meet this deadline, and has proposed extending the reporting requirement to within 72 hours. Individuals should only be notified in cases where the breach is "likely to adversely affect the protection of [their] personal data or privacy ... for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation".

The ability of the European Commission to lay out some detail on the meaning and interpretation of some of the rules under the proposed new Regulation would be tempered if Albrecht's proposals were adopted. The Commission would have to consult the supervisory privacy body, the European Data Protection Board, over the 'delegated acts' it would want to introduce.

The report has also recommended that data controllers or processors provide "financial indemnification" to individuals for any data breaches that occur from international data transfers to non-approved 'third' countries. In addition, the individuals should be provided with "full details" of the access rights public authorities in those countries have to their personal data, Albrecht has proposed.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.


