Today, consent is a fundamental concept in the European legal framework on data protection. The analysis of the historical and theoretical context carried out in this book reveals that consent was not an intrinsic notion in the birth of data protection. The concept of consent was included in data protection legislation in order to enhance the role of the data subject in the data protection arena, and to allow the data subject to have more control over the collection and processing of his/her personal information. This book examines the concept of consent and its requirements in the Data Protection Directive, taking into account contemporary considerations on bioethics and medical ethics, as well as recent developments in the framework of the review of the Directive. It further studies issues of consent in electronic communications, carrying out an analysis of the consent-related provisions of the ePrivacy Directive.
Author(s): Eleni Kosta
Series: Nijhoff Studies In EU Law
Edition: 1
Publisher: Koninklijke Brill
Year: 2013
Language: English
Commentary: TruePDF
Pages: 462
Tags: Data Protection: Law And Legislation: European Union Countries
Cover
Half Title
Series Title
Title
Copyright
Contents
Acknowledgments
List of Abbreviations and Short References
I | Introduction
1 | Setting
1.1 | The Concept of Consent
1.2 | The Role of Consent in the Protection of Privacy and Data Protection
1.3 | Contribution of the Book
2 | Outline
3 | Method
4 | Concluding Remarks
II | Placing Data Protection in Context: Initiatives, Issues, Policy History
1 | Introduction
2 | The Council of Europe
2.1 | The European Convention of Human Rights
2.2 | The Way to CoE Convention 108
2.2.1 | Early Initiatives of the Council of Europe
2.2.2 | CoE Convention 108
3 | The Organisation for Economic Cooperation and Development (OECD)
3.1 | The OECD
3.2 | OECD Priority on Information Technology
3.2.1 | OECD 1974 Seminar on Data Protection and Privacy
3.2.2 | Freese Proposal for Privacy Principles
3.2.3 | OECD 1977 Symposium on Transborder Data Flows and the Protection of Privacy
3.3 | OECD Guidelines
3.4 | Interim Remarks
4 | The First Pieces of National Legislations
4.1 | Sweden
4.1.1 | Conditions that Favoured the Adoption of the Data Act
4.1.2 | The Right of Public Access to Official Records
4.1.3 | The Advent of Data Protection Legislation in Sweden
4.1.4 | The Swedish Data Act
4.2 | The Federal Republic of Germany and the First State Data Protection Act
4.2.1 | The Data Protection Act of the State of Hesse
4.2.2 | The German Federal Data Protection Act
4.2.3 | The Population Census Case and the Right to Informational Self-Determination
4.2.4 | Concluding Thoughts
4.3 | The United Kingdom’s Way to Privacy Legislation
4.3.1 | The Turbulent Path of the UK to Data Protection Legislation
4.3.2 | The 1984 UK Data Protection Act
4.3.3 | Concluding Remarks
4.4 | United States of America
4.4.1 | The Right to Privacy
4.4.2 | Initiatives for Regulating the Technological Developments
4.4.3 | Report on Records, Computers, and the Rights of Citizens
4.4.4 | The US Privacy Act of 1974
5 | The European Data Protection Directive
5.1 | The Way to the Data Protection Directive
5.1.1 | Developments at European Level
5.1.2 | Initiative for the Adoption of Legislation on the Protection of Personal Data
5.1.3 | The Legislative Process to the Adoption of the Data Protection Directive
5.2 | Defining Consent in the European Data Protection Directive
5.2.1 | Commission Proposal
5.2.2 | First Reading of the European Parliament
5.2.3 | Commission Amended Proposal
5.2.4 | Council Common Position
5.3 | Consent as a Ground for Lawful Processing of Personal Data
5.3.1 | Commission Proposal
5.3.2 | First Reading of the European Parliament
5.3.3 | Commission Amended Proposal
5.3.4 | Council Common Position
5.4 | Consent in the Context of Sensitive Data
5.4.1 | Commission Proposal
5.4.2 | First Reading of the European Parliament
5.4.3 | Commission Amended Proposal
5.4.4 | Council Common Position
5.5 | Transfer of Data to Third Countries and the Consent of the Data Subject
5.5.1 | Commission Proposal
5.5.2 | First Reading of the European Parliament
5.5.3 | Commission Amended Proposal
5.5.4 | Council Common Position
5.6 | Reflections on Consent in the Adoption of the Data Protection Directive
6 | Concluding Thoughts
III | Elucidation of Consent in the Data Protection Directive
1 | Introduction
2 | Informed Consent in Bioethics
2.1 | Introduction
2.2 | The Nuremberg Code
2.2.1 | The Creation of the Nuremberg Code
2.2.2 | Consent in the Nuremberg Code
2.2.3 | Importance of Voluntary Consent
2.3 | Declaration of Helsinki
2.3.1 | The Promulgation of the Declaration of Helsinki
2.3.2 | Consent in the Declaration of Helsinki
2.3.3 | Requirements for Valid Informed Consent
2.3.4 | Interim Comments
2.4 | UNESCO Universal Declaration on Bioethics and Human Rights
2.4.1 | UNESCO Declaration on Bioethics and Human Rights
2.4.2 | Consent in the Declaration
2.4.3 | Interim Comments
2.5 | Clinical Trials Directive
2.5.1 | The Adoption of the Clinical Trials Directive
2.5.2 | Consent in the Clinical Trials Directive
2.5.3 | Interim Comments
2.6 | Closing Remarks
3 | The Consent of the Data Subject as an Act of Autonomy
3.1 | Autonomy
3.1.1 | Relation between Autonomy and Consent
3.1.2 | Gradation of Consent
3.2 | Rights-Based Approach for Informed Consent Requirements
3.2.1 | Reliance on Autonomy
3.2.2 | The Right to Informational Self-Determination and Autonomy
3.3 | Duty-Based Approach for Informed Consent Requirements
3.4 | In Support of a Rights-Based Approach for Informed Consent Requirements in Data Protection
3.5 | Concluding Remarks
4 | The Consent of the Data Subject in Data Protection
4.1 | Introduction
4.1.1 | The Charter of Fundamental Rights of the European Union
4.1.2 | Choice of Countries
4.2 | Consent in the Data Protection Directive
4.2.1 | The Role of Consent in the Data Protection Directive
4.2.2 | Lack of Harmonised Interpretation of Consent in the Member States
4.3 | The Concept of Consent in Data Protection
4.3.1 | Outline
4.3.2 | Introduction
4.3.3 | The Concept of Consent in Germany
4.3.4 | The Concept of Consent in the United Kingdom
4.4 | Consent as Indication of the Wishes of the Data Subject
4.4.1 | Legal Capacity for the Provision of Consent
4.4.2 | Expressing the Indication of the Wishes of the Data Subject
4.5 | Freely Given
4.5.1 | Introduction
4.5.2 | Involuntary Actions and Voluntary Actions Made under Pressure
4.5.3 | Electronic Health Records
4.5.4 | Passenger Name Records
4.5.5 | Legal and Factual Dependencies
4.5.6 | Volker und Markus Schecke GbR/Hartmut Eifert v. Land Hessen
4.5.7 | The Erroneous Debate Around “Opt-In” and “Opt-Out” Consent
4.5.8 | Concluding Remarks
4.6 | Informational Requirements for Valid Consent
4.6.1 | Introduction
4.6.2 | Information to be Provided to the Data Subject
4.6.3 | Provision of Excessive Information
4.6.4 | When Does the Information Need to be Provided
4.6.5 | Provision of Information in an Intelligible Form
4.6.6 | Responsibility of the Data Subject
4.6.7 | Privacy Policies
4.6.8 | Language and Comprehension of Information
4.6.9 | Concluding Thoughts
4.7 | The Requirement for Specific Consent
4.7.1 | Introduction
4.7.2 | The Specificity Requirement
4.7.3 | Article 29 Working Party on Specific Cases
4.7.4 | Volker und Markus Schecke GbR/Hartmut Eifert v. Land Hessen
4.7.5 | Specificity Requirement and Multiple Processings
4.8 | Consent Given Unambiguously as a Ground for Data Processing and Transfer of Personal Data to a Country that Does not Ensure an Adequate Level of Protection
4.8.1 | The Qualification for Unambiguous Consent
4.8.2 | The Lindqvist Case
4.8.3 | Priority of Consent
4.8.4 | The Essence of “Unambiguously”
4.8.5 | Concluding Remarks
4.9 | Explicit Consent as Ground for the Processing of Sensitive Data
4.9.1 | The Concept of Sensitive Data
4.9.2 | Exceptional Processing of Sensitive Data Under Explicit Consent
4.9.3 | The Qualification for Explicit Consent
4.9.4 | Concluding Remarks
4.10 | Withdrawal of Consent
4.10.1 | The Withdrawal of Consent
4.10.2 | From the Withdrawal of Consent to the Right to be Forgotten
5 | Concluding Remarks
IV | Consent in the Protection of Privacy and the Processing of Personal Data in the Electronic Communications Sector
1 | Introduction
1.1 | The ePrivacy Directive
1.2 | Scope of Application of the ePrivacy Directive
1.2.1 | Communication
1.2.2 | Electronic Communications Service
1.2.3 | Electronic Communications Network
1.2.4 | Public
1.3 | Electronic Communications and Online Environments
2 | Consent in the ePrivacy Directive
3 | Electronic Consent
3.1 | Electronic Consent in Germany
3.2 | Electronic Consent in TKG and TMG
3.2.1 | Consent Deliberately and Unequivocally
3.2.2 | Logging of Consent
3.2.3 | Access to the Consent Declaration
3.2.4 | Withdrawal of Consent
3.3 | Interim Conclusions on Electronic Consent
4 | Confidentiality of Communications
4.1 | Interception or Surveillance of Communications
4.2 | Infringement Procedure Against the UK for Incorrect Application of the Provisions of the ePrivacy Directive on the Confidentiality of Electronic Communications
4.3 | The Debate on Consent and the Storing of or Gaining Access to Information that is Already Stored in the Terminal Equipment of the Users or the Subscribers
4.3.1 | The Provision of Article 5(3) ePrivacy Directive
4.3.2 | Scope of Application of Article 5(3) ePrivacy Directive
4.3.3 | Information Covered by Article 5(3) ePrivacy Directive
4.3.4 | The New Requirement for Consent
4.3.5 | Reactions Against the New Consent Requirement
4.3.6 | Analysis of the New Requirement for Consent
4.3.7 | The Provision of Consent via Browser Settings
4.3.8 | The Role of the European Commission
4.3.9 | The UK National Implementation of Article 5(3)
4.3.10 | Critique
4.3.11 | Interim Conclusions
5 | Traffic Data
6 | Location Data
6.1 | The Concept of Location Data
6.1.1 | Relation between Location, Traffic and Personal Data
6.1.2 | Location Based Services
6.2 | Processing of Location Data other than Traffic Data
6.3 | Provision of Information
6.3.1 | Furnishing the User with Relevant Information
6.3.2 | Responsible for the Provision of Information
6.3.3 | Providing the Information
6.4 | Consent
6.4.1 | Acquiring Consent for Location Based Services
6.4.2 | Entities Responsible for Acquiring the Consent
6.4.3 | Consent of the User or the Subscriber
6.4.4 | Time Validity of Consent
6.5 | Absence of Consent and Emergency Calls
6.5.1 | Emergency Calls
6.5.2 | eCall
6.6 | Interim Conclusions
7 | Directories of Subscribers
8 | Regulating Unsolicited Communications for Direct Marketing
8.1 | Unsolicited Communications for Direct Marketing
8.1.1 | Article 13(1) ePrivacy Directive
8.1.2 | Terminological Remarks
8.1.3 | Methods for Sending Unsolicited Communications for Direct Marketing
8.1.4 | Recipients of Unsolicited Communications
8.1.5 | Consent
8.1.6 | Furnishing the User with Relevant Information
8.2 | Exception for Existing Customer Relationship
8.2.1 | Exceptional Regime for Existing Customer Relationship
8.2.2 | Conditions for the Application of the Exception
8.3 | Regulating the Rest of Unsolicited Communications for Direct Marketing
8.4 | Electronic Mail While Disguising or Concealing the Identity of the Sender
8.5 | Infringement Procedure
9 | Concluding Remarks
V | Conclusions and Thoughts for Future Research
1 | Problem Statement
2 | Overview of the Research Results
2.1 | The Evolving Role of Consent in Data Protection
2.2 | The Fragmented Understanding of Consent
2.2.1 | Reliance on a Rights-Based Approach for Consent Requirements
2.2.2 | Legal Capacity of Minors
2.2.3 | The Concept of Consent
2.2.4 | Requirement for Freely Given Consent
2.2.5 | Requirement for Informed and Specific Consent
2.2.6 | Qualification for Unambiguous Consent
2.2.7 | Qualification for Explicit Consent
2.2.8 | Contextual Nature of Consent
2.3 | Consent in Electronic Communications
2.3.1 | Consent of the User or the Subscriber
2.3.2 | Consent and Confidentiality of Communications
2.3.3 | Consent for the Provision of Location Based Services
2.3.4 | Consent in Unsolicited Communications for Direct Marketing Via Electronic Means
3 | Final Conclusions and Further Thoughts
3.1 | Rethinking the Concept of Consent
3.2 | Rethinking the Context of Consent
Bibliography
Index
