Asian Journal of Computer Science And Information Technology 7: 4 August (2017)
Cyber Security & Privacy Researcher
Former Director, LNJN NICFS (MHA)
New Delhi, India
Professor & Head,
Information Technology & Telecommunication,
Raksha Shakti University,
Abstract: A large amount of personal data is being collected in the form of metadata or personal identification data having the potential of invading the privacy of the data subject, even when collected anonymously. The consent is an instrument in the hands of data subjects to control their personal data in the context of EU data privacy framework. The consent plays an important role in legitimising the processing of personal data and EU has place high stakes on this concept at the cost of other legitimising factors like contract, which probably would be a more attractive proposition for market forces. There is a real possibility that by the time GDPR is adopted by member states, the enforcement of the violations of the provisions related to the consent becomes impossible and redundant in view of rapidly evolving information society services.
|Keywords: Processing of Personal Data, Personal Data Protection, General Data Protection Regulation (GDPR), Right to Privacy, EU Data Protection Framework, Models of Consent|
A large amount of personal data is being collected in the form of metadata or personal identification data having the potential of invading the privacy of the data subject, even when collected anonymously. In EU, though most of the member states recognise privacy as a fundamental right, and the right to data protection is generally derived as extension to this right , . However, EU Primary Law viz., Charter of Fundamental Rights (CFR) of the European Union of 2000 , , , , Treaty on European Union  and the jurisprudence of the CJEU , now recognise data protection as a fundamental right. But this right is not absolute and “must be considered in relation to its function in society”  and is subject to the principle of proportionality and limitations of Article 52(1) CFR. European Court of Human Rights (ECtHR) recognises processing of personal data and its protection as encompassing the right to privacy. The Article 16 of the TFEU formally turned the right to data protection into a separate fundamental right. The legitimate processing of personal data need considered justification, the consent of the data subject being one of these. In this essay, the legitimising role of consent under current EU Data Protection Framework and the new GDPR would be critically analysed.
EU Framework on Personal Data Protection
The Data Protection Directive (The Directive)  aims to harmonise the national laws with somewhat mutually incompatible dual aim of protecting the fundamental right to privacy regarding data processing and free flow of data among member states. The Article 2(h) of the Directive defines ‘the data subject’s consent’ as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” . The Article 7 of the Directive lists the legal grounds which make data processing legitimate, the unambiguous consent  of the data subject being one of them. However it does not define how the unambiguity and the consent would be validated as both are affected by cognitive factors attributable to data subject’s behaviour, further becoming more complex in the online environment.
The sensitive data can only be processed with the “explicit consent” of the data subject  who can always withdraw the consent, in which case the data processing must stop . The member states can decide not to process sensitive data based on consent. The data subject is not allowed to consent to waive the other data protections of the Directive. While the consent to be legally valid, it has to be freely given, specific, informed and unambiguous, mere silence or inactivity does not signify consent.,
The E-Privacy Directive provide privacy of electronic communications. The validity of consent under this would be interpreted with reference to the Directive , consent of all parties involved is required under Article 5(1), consent to be obtained prior to data processing under Articles 6(3), 9, 13 and 5(3) and consent cannot be withdrawn retrospectively under Articles 6 and 9. 
Thus, in the context of EU data privacy framework, the consent is an instrument in the hands of data subjects to control their personal data. However, the harmonisation of provisions of the Data Protection Directive is not uniform and smooth across the member states.
The Consent under General Data Protection Regulation (GDPR) 
The Table 1 is a highly condensed mention of the improved provisions relating to ‘consent’ in GDPR .
|1.||4(11)||‘Consent’ means freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or a clear affirmative action, signifying agreement.|
|2.||6(1)(a)||‘Consent’ to be lawful only when consent is for one or more specific purposes;|
|3.||6(4)||When processing “for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent,” the controller should ascertain compatibility between intended and proposed purpose of data processing by accounting the link, context, nature, possible consequences and appropriate safeguards between the two.|
|4.||7||1. Data Controller to demonstrate that ‘consent’ was given.
2. The ‘consent’ which is part of a written declaration which also concerns other matters, the request for consent shall be presented as clearly distinguishable from the other matters, in an ‘intelligible and easily accessible form, using clear and plain language’. ‘Any part of such a declaration infringing this Regulation shall not be binding.’
3. The ‘consent’ can be withdrawn any time but would not affect the data processing retrospectively. The withdrawal of ‘consent’ to be as easy as giving it.
4. If ‘consent’ to processing of personal data is conditional to performance of contract, it would not be considered ‘given freely’.
|5.||8||1. The personal data processing of child of 16 years of age to be unlawful in absence of consent of person having parental responsibility of such child.
2. The data controller to make reasonable effort to verify that lawful consent was given in case of child below 16 years.
|6.||9||Special categories of personal data defined and its processing prohibited except on listed grounds, the ‘explicit consent’ being one of them and in accordance with applicable law.|
|7.||13(2)(c)||Duty of the controller to provide information regarding the existence of the right to withdraw the ‘consent’ at any time, without affecting the lawfulness of processing retrospectively.|
The role of consent in legitimising the processing of personal data has been the consistent hallmark of the EU data protection framework. The framework and ‘models of consent’  have evolved over time, strengthening the legitimising role of consent thus giving informational self-determination in EU approach to privacy. Many scholars have argued that in practice the consent correlates poorly with autonomy of data subject , which is a prerequisite and consequence of ‘consent’ . The cognitive and psychological limitations coupled with demographic, cultural and racial profile of data subjects affects and influence the complex process of giving or withholding the consent. The GDPR being a Regulation would act as the single EU law with uniformity in application across member states. However, the entire process of legitimising consent has become very complex and, with passage of time, there is a real danger that it becomes irrelevant in future. The advent of internet of things, virtual reality and augmented reality would make this concept less practicable to apply to big data.
The consent plays an important role in legitimising the processing of personal data and EU has place high stakes on this concept at the cost of other legitimising factors like contract, which probably would be a more attractive proposition for market forces. There is a real possibility that by the time GDPR is adopted by member states, the enforcement of the violations of the provisions related to the consent becomes impossible and redundant in view of rapidly evolving information society services.
 EU Agency for Fundamental Rights (FRA), Data Protection in the European Union: the role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II), 2010) P. 14
 R Leenes and BJ Koops, Constitutional Rights and New Technologies. A Comparative Study Covering Belgium, Canada, France, Germany, the Netherlands, Sweden, and the United States (IT & Law Series), The Hague: TMC Asser Press 2007)
 Article 8
 Sionaidh Douglas-Scott, ‘The European Union and human rights after the Treaty of Lisbon’ (2011) 11 Human rights law review 645
 Klara Kanska, ‘Towards administrative human rights in the EU. Impact of the charter of fundamental rights’ (2004)
 R Alonso Garcia, ‘The general provisions of the charter of fundamental rights of the European Union’ (2002) 8 European Law Journal 492
 Article 6(1)
 Promasicae v Telefonica C-275/06 p 70
 Michal Bobek, ‘Joined Cases C-92 & 93/09, Volker und Markus Schecke GbR and Hartmut Eifert, Judgment of the Court of Justice (Grand Chamber) of 9 November 2010’ (2011) 48 Common Market Law Review 2005
 Paul De Hert and Serge Gutwirth, ‘Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action’, Reinventing data protection? (Reinventing data protection?, Springer 2009)
 Paul De Hert and Vagelis Papakonstantinou, ‘The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals’ (2012) 28 Computer Law & Security Review 130
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Official Journal L 281 , 23/11/1995 P. 0031 – 0050 (Accessed at: http://www.refworld.org/docid/3ddcc1c74.html on 14 November 2016) (1995)
 Ibid Art. 2(h)
 Ibid Art. 7(a)
 Ibid Art. 8
 W Kotschy, ‘Directive 95/46/EC—Data protection directive’ (2010) Concise European IT law Kluwer Law International, Alphen aan den Rijn
 Directive 95/46/EC n.12
 Paul De Hert and Serge Gutwirth, ‘Privacy, data protection and law enforcement. Opacity of the individual and transparency of power’ (2006) Privacy and the criminal law 61
 , ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 15/2011 on the definition of consent (ARTICLE 29 DATA PROTECTION WORKING PARTY 2011)
 Volker und Markus Schecke  EUECJ C-93/09 (Court of Justice of the European Communities (including Court of First Instance Decisions))
 Directive 95/46/EC Arts. 2(g), 7(a) and Recital 17.
 , ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 15/2011 on the definition of consent
 , Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, p. 1–88 (2016)
 Eoin Carolan, ‘The continuing problems with online consent under the EU’s emerging data protection principles’ (2016) 32 Computer Law & Security Review 462
 , ARTICLE 29 DATA PROTECTION WORKING PARTY Opinion 15/2011 on the definition of consent