Opt-In & Opt-Out â Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms, and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and ends in a mutually beneficial result – at the bare bones of it; providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation, does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worse-case scenario) – then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading to – more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low risk use of Business-To-Business (B2B) data for marketing purposes – where, more often than not, a organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers – not an individual.

In summary, the intention is good but the detail is lacking – I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.
To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at http://dma.org.uk/eu-data-protection This site also provides information on how to take immediate action, by lobbying your regional MEPs.