Privacy Alert #1: Explicit Consent, the Cornerstone

This analysis is a part of a series.

Paris, 22 May 2013 — When you are browsing the web, can you say who collects information about you, what is the nature of that information and who may access it? Can you control who may know what about you? The European Commission intended to give you the power to do so, but European Parliament may vote otherwise, under pressure by corporate lobbies.

With the development of the data industry, citizens' control over their personal information has progressively decreased, while their fundamental right to privacy cannot be respected if they do not have the means to protect their privacy themselves. But protection of privacy is not the only issue: this lack of control leads to a lack of trust that already damages both freedom of expression1 and growth of Internet services2.

To address this critical situation, the EU Commission proposes to give citizens actual control over their personal data by setting a simple principle: users must give their explicit consent for each collection, processing or trading of information related to them.

The issue

To better understand the sense of the European Commission Proposal, let's go back to the current European legislation – the outdated 1995 Directive – where consent does not have to be “explicit” but merely “unambiguous”3. What is an “unambuguous consent”? The meaning of such a vague definition “is often misunderstood or simply ignored”, as deplored by the Article 29 Working Party4, a European body gathering the data protection authorities of each Member State. An “unambiguous consent” can be considered as given when users, informed of the processing of their personal data, do not oppose it. However, since the current legal framework does not force companies to ensure users are effectively informed, most companies are not particularly enthusiastic about disclosing what data they collect, for what purpose, in a visible, accessible and handy way.

As a result, users are not aware of most of the processing their personal data undergo: in practice, would they want to, they would not be able to oppose such processing.

Take Amazon for instance. When you look at an item on its website, your visit is saved by the company in order to suggest you similar products:

Amazon recommendation based on browsing history

Although the caption “recommended based on your browsing history” shows an undergoing processing of some of your personal data, you don't know that Amazon is collecting in fact much more data than your viewed items, even if it is your very first visit and you are therefore not even logged in:

Personal data collected by Amazon

This information is only accessible on the very bottom of the website's pages:

Link to the Amazon Privacy Notice

As for Google, it does not indicate at all that it collects, stores and processes information on whatever request you make or website you visit. You can only know that by looking for Google's privacy policy page:

Personal data collected by Google

The Commission's Proposal

The Proposal made by the European Commission would radically change this situation by introducing the principle of user's explicit consent. This would require citizens' consent to be expressed “either by a statement or by a clear affirmative action”5, and for each and every purpose companies intend to collect their data. “Informed silence” could not be considered as consent anymore. Companies shall then have to actively seek users' consent, which means no personal data could be processed until users have been really and directly informed. If adopted, the Proposal would ensure that nothing happens out of users' sight and control.

To that respect, some good practices already exist and may provide clear examples of what “explicit consent” can be on the Internet. Web browsers such as Firefox and Chrome already require your explicit consent before sending information on your geographic location to a given website.

Consent request on Firefox for geolocation
Consent request on Firefox. Try it yourself by clicking on 'Give it a try!' on the top of this Mozilla page.

This ensures that, for every processing, you are really informed on what is collected and, thus, have truly given your consent. Then, if you want, you can also simply choose to “always agree” that the website you are visiting may collect your geographic location again without having to ask for your consent.

Even if the concept of that “request box” is largely perfectible – as it does not indicate how your data will be used and who may access them – it shows, at least, the kind of control we would have over our data if the explicit consent requirement was adopted.

Internet giants' recommendations

Users' control seems to be problematic for Internet giants whose profits largely depend on the amount of personal data they collect. They dread a greater control by users, which for them would equate with less data processed. It also shows how these companies deal with our privacy: if their activity was really respectful of our private life, why should they fear us not giving our consent? Requiring an explicit consent would only harm those businesses which do not respect our privacy. The other ones, by contrast, could only capitalize the gain of confidence resulted from a real users' control.

Google, Facebook, Microsoft, Amazon and eBay unanimously asked MEPs to withdraw explicit consent from the Regulation6. Their main argument is that users “demand Internet services that are fast, easy-to-use and efficient [therefore, systematically requiring an explicit consent would] lead users to opt in as a matter of routine”, “as a consequence of consumers being overloaded with consent requests”.

But, since asking for their consent is the only way to guarantee users are truly warned of every processing their personal data undergo, there can not be too many consent requests. Whoever opts in “as a matter of routine” would still be warned of processing while we currently rarely are.

In addition, once they have agreed that a website may process some of their data for a specific and clear purpose, users would not have to consent to further processing pursuing the exact same purpose7. Thus, stating that consumers would be “overloaded with consent requests” is simply wrong. In practice, users may generally only be asked once, if any, when visiting a website for the first time, and/or when using new features and functionnalities of the service for the first time.

MEPs' proposals

Chair of the IMCO Committee

The “Consumer Protection” (IMCO) and the “Industry” (ITRE) Committees have followed Internet giants' recommendations and voted against the explicit consent requirement. IMCO proposed to make consent's explicitness dependent on “the context”, which is as vague and dangerous as requiring an “unambiguous” consent8; while ITRE Committee simply proposed to keep the same “unambiguous consent” required by the 1995 Directive9.

Those two opinions seem to have had a major impact on the debate since seven amendments have been tabled in the The “Civil Liberties” (LIBE) Committee, by seventeen MEPs, to propose the withdrawal of the explicit consent requirement from the Regulation10. Which proves those LIBE members, mainly liberals and conservatives, do not want to give users control over their data.

Today, it appears that most of MEPs are against the explicit consent principle, deceived by hundreds of lobbyists, and will not change their mind unless we do mobilize and act now.

What you can do

Manifestation anti-ACTA
Manifestation anti-ACTA

First of all, you should use only software and services you can trust. Choose free-as-free-speech software, and host your own services as much as possible. Many tools, such Tor11, DuckDuckGo12, or browser add-ons such as NoScript or HTTPS Everywhere, allow you to replace, circumvent and block Internet services trying to collect your personal data.

Unfortunately, these solutions will never be enough to fully protect your privacy, as they are not installed by default, require effort, and are sometimes perceived as complex to use. So, we have to act to ensure real protection of citizens' privacy on the future regulation: write or call your representatives now – their voters' concerns and defense of fundamental freedoms should always weigh more than Internet giants' economic interest –, share this article, write some about your thoughts on data protection, talk about it around you, or invent something else using images, video, sound, etc. Now is time to Act! The LIBE members of different political groups have already started seeking compromises on this very issue: we must contact them before they agree on the worst amendments.

To get more information and discuss this, you can visit our forum.

  • 1. The UNESCO published in 2012 a "Global survey on Internet privacy and freedom of expression", which starts by: “The right to privacy underpins other rights and freedoms, including freedom of expression, association and belief. The ability to communicate anonymously without governments knowing our identity, for instance, has historically played an important role in safeguarding free expression and strengthening political accountability, with people more likely to speak out on issues of public interest if they can do so without fear of reprisal.”

    What has always been true about governments' surveillance may now stand for private surveillance. May people really speak freely if any company, or anyone, can know who they are or access any other sensitive information related to them?

  • 2. A report by the Boston Consulting Group showed that “the value created through digital identity can indeed be massive: €1 trillion in Europe by 2020 [but that] two-thirds of digital identity’s total value potential stands to be lost if stakeholders fail to establish a trusted flow of personal data”.
  • 3. 1995 Directive:
    Article 2 - Definitions
    (h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
    Article 7
    Member States shall provide that personal data may be processed only if:
    (a) the data subject has unambiguously given his consent; or [...]
  • 4. Opinion of the Article 29 Data Protection Working Party on the Definition of Consent (2011):
    'This Opinion is partly issued in response to a request from the Commission in the context of the ongoing review of the Data Protection Directive. It therefore contains recommendations for consideration in the review. Those recommendations include:
    (i) clarifying the meaning of “unambiguous” consent and explaining that only consent that is based on statements or actions to signify agreement constitutes valid consent;
    (ii) requiring data controllers to put in place mechanisms to demonstrate consent (within a general accountability obligation);
    (iii) adding an explicit requirement regarding the quality and accessibility of the information forming the basis for consent, and
    (iv) a number of suggestions regarding minors and others lacking legal capacity.'
    'The notion of unambiguous consent is helpful for setting up a system that is not overly rigid but provides strong protection. While it has the potential to lead to a reasonable system, unfortunately, its meaning is often misunderstood or simply ignored.'
    'Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.'
    'The Council Common Position10 in 1995 introduced the final (today's) definition of consent. It was defined as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". The main change from the 1992 Commission position involved deleting the word "express" that had preceded the word "indication". At the same time, the word "unambiguous" was added to Article 7(a), so it reads as follows: "if the data subject has given his consent unambiguously".'
  • 5. Data Protection Proposal Regulation
    Article 4 - Definitions
    8. 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
  • 6. Read internet giant's recommendations send to MEPs against explicit consent on La Quadrature's wiki. You may also read many other documents send by lobbies to MEPs about this Regulation.
  • 7. La Quadrature du Net will publish a dedicated Privacy Alert on this very subject.
  • 8. Read our reaction to the 23 January IMCO's vote.
    IMCO's opinion: amendment 63
    Article 4 - Definitions
    8. ‘the data subject's consent’ means any freely given indication that must be specific, informed and as explicit as possible according to the context, of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, explicitly whenever the data referred to in Article 9(1) are to be processed, signifies agreement to personal data relating to them being processed;

    (How to read an amendment: added to the initial text / deleted from the initial text)
  • 9. Read our reaction to the 21 February ITRE's vote.
    ITRE's opinion: amendment 82
    Article 4 - Definitions
    (8) ‘the data subject's consent’ means any freely given specific, informed and explicit unambiguous indication of his or her wishes by which the data subject , either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Silence or inactivity does not in itself indicate consent ;

    (How to read an amendment: added to the initial text / deleted from the initial text)
  • 10. Amendments 757, 758, 760, 762, 764, 765 & 766, tabled in LIBE by:
    Lidia Joanna Geringer de Oedenberg (S&D - Poland)
    Adina-Ioana Vălean (ALDE - Romania)
    Jens Rohde (ALDE - Denmark)
    Louis Michel (ALDE - Belgium)
    Sarah Ludford (ALDE - United Kingdom)
    Charles Tannock (ECR - United Kingdom)
    Timothy Kirkhope (ECR - United Kingdom)
    Axel Voss (EPP - Germany)
    Seán Kelly (EPP - Ireland)
    Wim van de Camp (EPP - Netherlands)
    Hubert Pirker (EPP - Austria)
    Monika Hohlmeier (EPP - Germany)
    Georgios Papanikolaou (EPP - Greece)
    Véronique Mathieu Houillon (EPP - France)
    Anna Maria Corazza Bildt (EPP - Sweden)
    Agustín Díaz de Mera García Consuegra (EPP - Spain)
    Teresa Jiménez-Becerril Barrio (EPP - Spain)
  • 11. Tor is a free software and an open network that helps you protect yourself against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.
  • 12. DuckDuckGo is an Internet search engine that uses information from crowdsourced websites such as Wikipedia to obtain its results. The search engine policy says that it protects privacy, and does not record user information.