If a=b and b=c then it follows that a=c.
So, how does this set of simple equations relate to data protection? Well, if direct marketeers, privacy advocates and supervisory authorities recognised that a=c then most of the debate concerning data protection and the marketing purpose would be settled.
Don’t believe me? Just follow the argument under the current Act (DPA) or indeed the General Data Protection Regulation (GDPR).
All across Europe (and especially the UK) there has been a debate about “opt-in” versus “opt-out” and whether “opt-out” properly represents “data subject consent” or not. There is no debate about “opt-in” because if the data subject misses the “opt-in” the default position is “no marketing” and an opt-in requires the data subject to perform an action by ticking the box.
This explains why the UK Commissioner refers to “opt-in consent” in the recent enforcement action against Age International and the British Red Cross (implying that “opt-out consent” is a different species).
This debate is set to continue when the GDPR comes into force. Most Data Protection authorities and privacy activists want “opt-in”; most controllers are very content with “opt-out”. Added to this divergence of views, the GDPR states in Recital 47 that direct marketing can be possible under the “legitimate interest” criteria whilst Recital 32 states that “pre-ticked boxes” cannot constitute data subject consent.
Also, Article 7 of the GDPR places the burden of proof on the data controller to show it has obtained valid data subject consent, and the definition of consent includes an “unambiguous indication of the data subject's wishes”.
What does this mean in practice? I cannot see, for example, how a data subject can give an “unambiguous” indication of consent without being fully informed about the extent of any third party marketing and details about the third parties who are doing such marketing (and perhaps what types of products are being marketed).
This view is supported by the “Optical Express” Tribunal Decision (see references) which concerns third party marketing; it concluded that “when a data subject gives consent they must be informed about the processing to take place, including who by and what for. In no other way can consent be said to be ‘informed’” (para 85).
Anyway, all this debate is redundant if you follow the logic. Big claim! Worth the effort.
Marketing via consent: opt-in and opt-out
The following analysis applies to a data controller who obtains personal data from a data subject for a marketing purpose; it also applies to a third party marketeer who obtains information from a data controller who obtains personal data from the data subject.
Suppose the “b” in the set of equations above represents “data subject consent” (i.e. the Article 6 GDPR [or Schedule 2 DPA] ground normally used to legitimise the processing of personal data for a marketing purpose). I have used the word “normally”, as there are some circumstances where “legitimate interests” can apply as the legal basis for marketing (Recital 47 of the GDPR; I address “legitimate interests” later in the blog).
Suppose set{a} represents the group of actions needed to support the “opt-in” approach to obtaining consent; for example all the requirements that would make “tick the box if you want to be marketed by email [ ]” a valid representation of data subject consent (i.e. fully informed, freely given etc).
Similarly, let set{c} represent the group of actions associated with the “opt-out” approach to obtaining consent (i.e. “tick the box if you do NOT want to be marketed by email [ ]”). The objective of the exercise in this blog is to identify the members of set{c}.
First of all, consider the actions that are contained in set{a}. How would a controller get a data subject to consent on an application form or website which contained an “opt-in”? Would that “opt-in”:
- be placed in an unmissable position in any form?
- be in clear and plain language?
- be inviting to the data subject in order to encourage agreement?
- be in a large font size? etc etc
And would the content of the “opt-in” marketing message identify:
- the mode of marketing (e.g. email, post)?
- who is doing the marketing?
- the extent of third party marketing if any?
- the identity of any third parties (or description of third parties)?
- how a data subject can withdraw consent? etc etc
I assume the answer to all the above would be “yes”. If so, all the above actions are members of set{a} and represent the valid consent of the data subject.
In a sense this is the a=b; if a data controller delivers on all the actions contained in set{a} it will have obtained valid consent of the data subject.
It could be that further members of set{a} need to be added in due course. For example, the evidence required by Article 7 of the GDPR that consent has been obtained. It does not matter really what these future members of set{a} are, except to say they would be added to the existing set{a} of actions that make up valid data subject consent.
We can now consider the members of set{c} (the “opt-out” approach to consent). What actions have to be undertaken by a controller to arrive at the same legal basis b (the consent of the data subject)? This is the c=b.
So if the actions associated with set{a} definitely equate to valid data subject consent, and the actions associated with set{c} have to relate to consent, the only way to do that is to equate the members of set{c} with the members of set{a}.
In other words, the “opt-out” version of consent has to be exactly the same as the “opt-in” version of consent except for the opt-out wording (i.e. “tick the box if you do NOT want to be marketed by email [ ]”).
So when enforcing the data protection rules, all the supervisory authority needs to do is ask itself “What are the members of the set{a} that provide valid consent of the data subject via opt-in?” (see above for my provisional list). Having identified the set of actions that constitute an opt-in approach to consent, the same set of actions has to apply to any opt-out version of consent.
If the two sets of actions do not equate, then it follows that the opt-out approach cannot represent valid consent. In practice there might be minor deviations from the equality between the two sets; but not much in the way of deviation.
This is as simple as abc (i.e. if set{a}=consent and set{c}=consent it follows that set{a}=set{c}).
Marketing via legitimate interests
I now address the “legitimate interests” approach to show that it either does not apply or equates to consent when personal data are collected by a controller from the data subject. This conclusion also applies to the circumstances when a third party list provider obtains personal data from a controller who obtains personal data from a data subject.
First, assume the following proposition to be true: a data controller can process personal data collected from a data subject for a marketing purpose and that such processing is “necessary in the legitimate interests of the controller…”.
As is well known, the “legitimate interest” ground also requires the controller to take account of “the legitimate interests of the data subject”. As there is an absolute right to object to the processing of personal data for a marketing purpose, this opportunity to object has to be offered at the time of collection when the personal data are being collected from the data subject by the collecting data controller.
The idea of offering the right to object at the time of obtaining is reinforced by the fair processing requirements which state that the intended marketing purpose has to be identified to the data subject in advance of any processing. If this is the case, it makes sense to offer the right to object in advance of the processing.
Let us also assume that the data subject’s response to the controller’s offer of the right to object to marketing has to be by “opt-out” (this is because the “opt-in” option would equate to consent).
So what are the members of set{d}, which represents the group of actions associated with the “opt-out” approach to respecting the rights of the data subject and offering the ability to object to marketing at the time of collection?
Would that “opt-out” approach to respect the rights of data subjects to object:
- be placed in an unmissable position in any form?
- be in clear and plain language?
- be inviting to the data subject in order to encourage agreement?
- be in a large font size? etc etc
It does not take long to see that the members of set{d} are the same as set{c}. However, set{c} is associated with data subject consent and set{d} is associated with legitimate interests, and these are different grounds for the processing.
In mathematical terms this would be a contradiction. This in turn means that the proposition that a data controller can process personal data collected from a data subject and claim that such processing for a marketing purpose is “necessary in the legitimate interests of the controller…” is false.
Alternatively, one can state that in these circumstances (obtaining personal data from the data subject) there is no difference between “legitimate interests” and “consent of the data subject”.
It then follows that the use of the legitimate interests to justify the processing of personal data for a marketing purpose has to apply in circumstances when personal data are not collected from the data subject. For example, rare circumstances as in the British Gas Trading Enforcement (see references), where the data controller was in transition from a public sector monopoly to one of many private sector suppliers competing against each other.
It can be argued that legitimate interests can apply when personal data such as email addresses have been placed in the public domain by the data subject. However, before whooping with joy, the PECR rules require prior consent for email marketing from each individual subscriber – so the legitimate interests ground will not apply.
It also follows that those who rely on “legitimate interests” to justify marketing will need to demonstrate why the right to object to marketing could not be offered to data subjects at the time of collection of personal data and why data subject consent was inappropriate. If they can do this, any marketing communication also needs to offer the right to object to marketing in order to respect the data subject’s right to object.
References
Optical Express Tribunal: http://www.informationtribunal.gov.uk/DBFiles/Decision/i1628/EA-2015-0014_31-08-2015.pdf
British Gas Trading Tribunal (under the DPA 1984): http://www.informationtribunal.gov.uk/DBFiles/Decision/i162/british_gas.pdf