follow link for detail

Data Protection Training

London: Foundation
10, 11 & 12 Jan

London: Practitioner
Starts Jan 17

London: Practitioner
Starts March 28

FOI Training
London: Practitioner
Starts Feb 22

Information Security Management Training (CISMP)
London: Foundation
Starts June 26

Update: April 13
GDPR: Feb 23
PIA: Feb 27
DP Audit: Feb 20


« If Google remembers whom it has forgotten, has it complied with the ECJ Judgment? | Main | Google lost its two recent Court cases for the same reason the one-stop shop does not work »



Feed You can follow this conversation by subscribing to the comment feed for this post.

I share your fears Chris, but I look at this issue through different glasses! I’m thinking aloud a little here, so please excuse me:

‘Home office consent’ to which you refer is what I refer to as “consent as a condition of business”. It’s not ‘consent’ in the DPA tradition, in as much that it can’t be refused. But, to be legitimate, I have always judged it against whether it would be deemed an unfair contract term. Many years ago, I judged it against the OFT’s ‘unfair contract terms’ guidance; and more recently we have had other consumer legislation and the CPUTR’s.

So, for example, requiring a loan applicant to consent to CAIS / industry data sharing was legitimised as there was govt support for data sharing, to reduce the risk of consumers taking out numerous loans and becoming over-indebted. Readers may recall the suicides linked to credit card over-indebtedness of not that many years ago. It also seems fair to the credit industry, that they can make some assessment as to whether the person will/can repay any such loan. So, whilst the loan terms might say “you consent to…….”, it is not a ‘freely given’ consent. Indeed, use of the word ‘consent’ itself is something of a fiction; but arguably ‘consenting’ to pay 7.9% APR is also not consent, in as much that the rate and other loan terms are unlikely to be capable of being negotiated.

So, should we refer to such ‘consent’ as consent at all? It is ‘freely given’ in the sense of “I can take it or leave it”, but it does not allow a ‘pick and mix’ approach of which terms to accept and which to refuse. I think it more akin to a Sch 2 ‘legitimate interests’ processing condition, in as much that if it did not also meet the ‘legit interests’ processing condition test, it would likely be an unfair contract term – and if it was an unfair contract term it would be unenforceable.

As far as the “necessity” test under the new Regs is concerned, it will be interesting to see how this plays out. But the ICO has not taken action against ‘consent as a condition of business’ so long as it has met the fairness test; so one wonders whether things will change under the Regs?

The comments to this entry are closed.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.