On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee.
What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to their Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. And, Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. Consent has to be evidenced by an affirmative clicking of a box or any other relevant positive act.