When are you allowed to process someone else’s personal data? Simple. When this person tells me it is okay for me to do so. Right? Piece of cake. Or is it? Actually, it isn’t. In fact, using consent as a basis for processing personal data is legally very intricate. One of the first things to consider is the concept of ‘consent given on the basis of equality between parties’, which reflects general principles closely linked to the development of liberal, democratic societies in which all citizens are equal before the law.
In the western world, historian David Vincent notes, privacy has always been a trade-off. People consent to give up part of their privacy in return for something else. Social security for instance – as in the case of the British Poor Law – has traditionally been a subject of ‘negotiation’, a matter of trading privacy for support. More recently, the process of qualifying for tenement housing required consenting to inspections of one’s current accommodations by civil servants. And obviously, the trade-off was never really on equal terms.
With the coming into force of the GDPR, one of the legislator’s intentions was to promote genuine equality. Consent has to be given without any form of pressure being applied and without refusal of consent having negative effects for the person involved. Consent must also be based on the data subject being fully informed. It must be based, in other words, on equality.
But that is exactly what makes it so difficult to use consent as a legal basis for processing personal data in relations which, by definition, can never be totally equal. How equal is an employee to his employer, a student to his teacher? How equal, for that matter, is the consumer to an online service provider? It does not come as a surprise that supervisory authorities have expressed their reservations on the subject.
At first sight, the case of online service providers would appear to be the most straightforward of the examples mentioned above, because consumers do have a choice of sourcing similar commercial services from another supplier. Right? Wrong. Especially in terms of the internet, by now there are multiple near-monopolists, like Google, Facebook and Adobe. In dealing with these firms, opting for the refusal of consent means exclusion from services for which there are no real alternatives.
So, the key question seems to be whether giving or not giving consent is really an option we still have.
Well, there is hope. In a recent interpretation of standards on ‘cookie walls’, the Dutch Data Protection Authority ruled that access to (certain) websites should also be open to people choosing not to consent to the use of (certain) cookies. In cases, that is, where these websites offer public services or must be considered to operate from a position of (near-)monopoly. In these situations, there is no equality of relations and, as a result, consent is stripped of its validity. In relations which are fundamentally unequal, then, the key issue is no longer the ‘ability to choose’ but the definition of what exactly it is that consent may be asked for.
Obtaining consent… it all seemed so simple.