Informed consent as a key element for data protection
- In the wake of numerous well-publicised breaches of databases containing personal information, many States have drafted new laws to provide people with greater data protection. Some of these laws require that consent be given freely for the processing of personal data by companies.
- The meaning of “informed” consent or consent freely given differs in various jurisdictions, but tech giants seem to favour an approach that makes use of their services conditional on users granting consent to the processing of their personal data for purposes such as targeted advertising.
- It is likely that information regulators in Europe will soon rule that this practice is contrary to the GDPR. These findings may positively influence the way that the South African Information Regulator defines “informed” consent. Moreover, European rulings may have residual benefits as firms change their privacy policies globally to comply with the GDPR.
Consent is one of several stipulated grounds for the lawful processing of personal information; where consent is the ground relied upon, this must be freely given. Where consent to data processing is made a condition for using a product, this consent, if given, is deemed not to have been given freely. Brynne Guthrie
2018 was dubbed by some as “the year of data protection”. But perhaps more accurately, it was a year of shocks as consumers realised just how little protection their personal data was afforded. In June, Liberty Holdings’ email repository was breached by a hostile third party which accessed the personal information of the company’s South African insurance customers. This came just a month after the personal records of nearly a million drivers were breached via the State’s online traffic fine website. The subsequent rise of public interest in data protection has forced legislators across the world to revisit and strengthen the laws protecting the privacy of people within their borders.
In May 2018, the EU-wide General Data Protection Regulation (GDPR) came into force. This was a significant development, as the GDPR expands the rights and protections afforded to European data subjects and applies extra-territorially (meaning that it can apply to organisations based outside of Europe that are processing the personal information of European data subjects). That same month, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly issued guidelines for obtaining meaningful consent to help private sector organisations obtain legally valid consents to the collection, use and disclosure of personal information. In 2018 at least 11 American states passed legislation to provide citizens with greater transparency and control over their personal data and there is mounting pressure for the enactment of similar federal protections. The South African version of a comprehensive data protection law, the Protection of Personal Information Act (POPIA), will likely come into force in its entirety in 2019 with a one-year grace period provided for in the legislation before compliance is required. These generally promising legislative developments must be tested practically before their efficacy can be assessed properly.
Some commentators believed that the introduction of data protection laws, such as those described above, would force big tech firms like Amazon, Twitter, Google, LinkedIn and Facebook to change the way that they collect and analyse users’ personal data, effectively undercutting their advertising businesses and empowering their smaller competitors. However, it appears, at least in the short term, that the opposite has occurred. The complexity of the data protection laws, particularly the GDPR, is such that advertisers have channelled the little business that they were not already giving to the big tech firms to the tech giants, which are assumed to be far better equipped than their smaller counterparts to prove that their data processing is done with the consent of users and in compliance with the law. The correctness of this assumption has been rocked in recent days as the French data protection authority has given its interpretation of the meaning of “consent” under the GDPR and found big tech firms’ policies lacking.
The meaning of consent
Different regulatory frameworks attribute different content to “consent”. For instance, article 7 of the GDPR mandates that requests for consent be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that request. Further, it provides that the request for consent is clear and distinguishable from other matters and that it must be provided for using clear and plain language. Moreover, it requires that the withdrawal of consent is as easy as the granting of it. POPIA, on the other hand, merely states that consent is “any voluntary, specific and informed the expression of will in terms of which permission is given for the processing of personal information”.
In December 2018, the South African Information Regulator published its POPIA Regulations. According to these, a party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must complete a specified form which is attached to the Regulations. This form creates a wholly impractical procedure that must be followed to obtain consent, not least because it requires the physical signature of both the data subject and the person responsible for processing the data. This process will be particularly unwieldy in the context of multi-national tech companies such as Facebook and Google which process huge amounts of data, on a nearly constant basis, for targeted advertising. While the GDPR specifies conditions that must be met for consent to be “informed” or “meaningful”, the South African Information Regulator and courts only have an unworkable consent form to draw from and will still have to decide what POPIA means by “informed” consent.
There are a few ways that this interpretive exercise could go:
- The first is to emulate the European approach and use the consent requirements established in the GDPR as guidelines for determining the meaning of “informed” consent. These guidelines include specifications of when consent is freely given, the proper use of tick-boxes and the impact that power imbalances may have on the validity of consent given. On 21 January 2019, the French data protection authority, CNIL, fined Google €50million for failing to provide users with transparent and understandable information on its data use policies. This was because consent was essentially forced as data protection settings were scattered over various locations requiring users to actively search for opt-out options. Moreover, some data-use consent boxes were automatically checked, meaning that users had to opt-out of their data being processed for those purposes rather than opt-in. This finding points to the fact that “informed” consent is consent given after easily accessing privacy and data usage policies and must be consent that is given and not assumed.
- The other way that “informed” consent could be interpreted would be less expansive and based on the approach of some US Courts. In August 2018, the U.S. District Court for the Southern District of New York investigated alleged breaches of data protection laws by a company which accessed personal data for the purpose of clearing spam from consumers’ email inboxes. The Court ruled that, based on the California Invasion of Privacy Act and the Electronic Communications Privacy Act, if a party consented to the processing of their personal data there could be no violation of data protection laws. The Court reasoned that a privacy policy that requires consumers to consent or not use the product at all was neither legally nor procedurally unconscionable. This is because the Court held that a consumer’s choice to simply close their browser and not use the product is a meaningful one.
The consent-or-leave-the-service approach should be treated with caution as it may create problems when regulators deal with consent in terms of some of the privacy policies of the tech giants. These companies have captive markets and users who cannot afford not to consent to the processing of their data. Refusal could mean losing access to its biggest platform for news and communication or might hinder the day-to-day use of their smartphones (remembering that Google owns Android). Unsurprisingly, big tech companies seem to favour the consent-or-leave-the-service approach.
For example, just days after being fined by the French data protection authority, Google updated its Terms of Service and Privacy Policy for Europe. While acknowledging that further updates will be necessary to address the reasons for their fine, the new policy strikingly notes that “if you don’t want to accept these changes in our terms and Privacy Policy, you can choose to stop using the applicable services”. Basically, this would seem to be a consent-or-leave-the-service, or conditional consent, approach.
All is not lost
There are numerous complaints currently before data protection regulators around Europe on the exact issue of conditional consent – something that is explicitly prohibited by Article 7(4) of the GDPR. In November 2018, the Information Commissioner for the United Kingdom ruled that the Washington Post’s offering of three access options on their website, with only the most expensive one allowing readers to switch off location tracking and cookies, was contrary to the GDPR. The Washington Post claimed that readers consented to the use of cookies and tracking for advertising purposes by choosing the lower-cost access options. However, the Information Commissioner held that this amounted to tying consent to access to the website and was invalid because no free alternative to accepting cookies was available.
Consent is one of several stipulated grounds for the lawful processing of personal information; where consent is the ground relied upon, this must be freely given. Where consent to data processing is made a condition for using a product, this consent, if given, is deemed not to have been given freely. Aside from facilitating the provision of Facebook and Google’s basic service, these companies process data and sell it to advertisers which then target consumers’ needs as identified in that data. Google’s latest privacy policy seems to make use of its products conditional on consent being given to them to process users’ personal information. To hold tech giants accountable for this behaviour it will be necessary to disassociate the advertising businesses, from which massive profits are derived, from the core businesses or products that these firms, and their platforms, provide.
The finding of cookies, mentioned above, is useful here because in it the Regulator found that even though profits were derived from the advertising facilitated by data processing, this was not related to the core performance of the news website. The core performance was the publication of news stories and this could be done without the processing of readers’ personal information. Resultantly, access to the website was made conditional on consent to the processing of data to be used for a purpose other than the performance of the core function of the business and was invalid. If previous rulings and the efforts of privacy activists are anything to go by, Google’s new consent-or-leave-the-service policy may not withstand scrutiny, and big tech firms may soon be forced to restructure their advertising-based business models to the benefit of consumers’ privacy.
And what about POPIA?
By the time POPIA becomes fully operational, the South African Information Regulator should have a wide variety of foreign case law to draw from to inform the meaning of “informed” consent. Given that POPIA was based on the EU Data Protection Directive – the predecessor to the GDPR – the rulings from Europe will be particularly persuasive. The European approach arguably fits far better into South Africa’s jurisprudential tradition of progressive and transformational understandings of concepts such as consent and privacy – as well as the spirit and objects of POPIA – than the American approach which strictly follows the agreed-upon contractual terms between data providers and controllers.
However, the South African Information Regulator may not have to get to the point of having to interpret “informed” consent in the context of data processing by the big tech companies (some of which have their African offices headquartered in South Africa). This is because, in order to comply with the GDPR, some firms have changed their global privacy policies to apply to all users, not just the European-based users. This means that even though South African users are not directly protected by the GDPR, we can still enjoy some of the effects of its more stringent privacy requirements. If this trend continues, then policy changes sparked by findings by European data protection watchdogs will result in similarly useful global protection. Even where firms do not voluntarily introduce GDPR-compliant global policies, the protection of EU residents’ data creates a unique lobbying tool for activists hoping to pressure firms into providing equal protection for their consumers. This is because, if successful, firms will have to raise their policy positions to meet the highest standard of protection to the benefit of all users.
If 2018 was the year of data protection, then 2019 will be the year that those protections are tried and tested. In particular, judging by the complaints that are currently before various regulatory bodies, it will be a year which clarifies the content of “meaningful” and “informed” consent. This clarification will likely come from both local and foreign sources but will hopefully be reflective of the public calls for the progressive, purposeful and effective protection of personal information.
Brynne Guthrie is the 2019 Google Policy Fellow at ALT Advisory.
Brynne writes in her personal capacity and the views expressed herein do not necessarily represent the views of ALT Advisory.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].