In the late sixties, with the development of automated data banks and the growing use of computers in the private and public sector, privacy was conceptualized as having individuals "in control over their personal information" (Westin, 1967). The principles of Fair Information Practices were elaborated during this period and have been incorporated in data protection laws ("DPLs") adopted in various jurisdictions around the world ever since. These DPLs protect personal information, which is defined similarly in various DPLs (such as in Europe and Canada) as "information relating to an identifiable individual". In the U.S., information is accorded special recognition through a series of sectoral privacy statutes focused on protecting "personally identifiable information" (or PII), a notion close to personal information. Going back to the early seventies, we can note that identical or very similar definitions of personal information were already used in DPLs, illustrating that this definition of personal information dates back to this period.
In recent days, with the Internet and the circulation of new types of information, the efficiency of this definition may be challenged. Recent technological developments are triggering the emergence of new identification tools allowing for easier identification of individuals. Data-mining techniques and capabilities are reaching new levels of sophistication. In the era of Big Data, because it is now possible to interpret almost any data as personal information (any data can in one way or another be related to some individual) the question arises as to how much and which data should be considered as personal information.
In section 1, I elaborate on how a literal interpretation of the definition of personal information is no longer workable. In light of this, I present the proposed approach to interpreting the definition of personal information, under which the ultimate purpose behind DPLs should be taken into account. I then demonstrate that the ultimate purpose of DPLs was to protect individuals against a risk of harm triggered by organizations collecting, using and disclosing their information. In section 2, I demonstrate how this risk of harm can be subjective or objective, depending on the data handling activity at stake and I offer a way forward, proposing a decision-tree test useful when deciding whether certain information should qualify as personal information. The objective of my work is to come to a common understanding of the notion of personal information, the situations in which DPLs should be applied, and the way they should be applied. The approach is meant to provide for a useful framework under which DPLs remain efficient in light of modern Internet technologies.
The Article 29 Data Protection Working Party has followed up 2011 work on cookies, 'do not track' and consent by adopting (on 2 October) ‘Working Document 02/2013 providing guidance on obtaining consent for cookies’ [PDF].
The document states that -
Since the adoption of the amended e-Privacy Directive 2002/58/EC in 2009, implemented in all EU Member States, a range of practical implementations have been developed by websites in order to obtain consent for the use of cookies or similar tracking technologies (hereinafter referred to as “cookies”) used for various purposes (from enhanced functionalities, to analytics, targeted advertising and product optimisation, etc., by the website operators or third parties). The range of consent mechanisms deployed by website operators reflects the diversity of organisations and their audience types.
The website operator is free to use different means for achieving consent as long as this consent can be deemed as valid under EU legislation. The assessment as to whether or not a particular solution implemented by the website operator fulfils all the requirements for valid consent is considered later in this paper.
Although the ePrivacy Directive stipulates the need for consent for the storage of or access to cookies the practical implementations of the legal requirements vary among website operators across EU Member States. Currently observed implementations are based on one or more of the following practices, although it is important to note that whilst each may be a useful component of a consent mechanism the use of an individual practice in isolation is unlikely to be sufficient to provide valid consent as all elements of valid consent need to be present (e.g. an effective choice mechanism also requires notice and information):
- an immediately visible notice that various types of cookies are being used by the website, providing information in a layered approach, typically providing a link, or series of links, where the user can find out more about types of cookies being used,
- an immediately visible notice that by using the website, the user agrees to cookies being set by the websites,
- information as to how the users can signify and later withdraw their wishes regarding cookies including information on the action required to express such a preference,
- a mechanism by which the user can choose to accept all or some or decline cookies,
- an option for the user to subsequently change a prior preference regarding cookies.
Taking into account the different interpretations of the e-Privacy Directive among stakeholders and the respective practical implementations, the emerging question is: what implementation would be legally compliant for a website that operates across all EU Member States?
Article 2(f) and recital 17 of Directive 2002/58/EC define the notion of consent in reference to the one set forth in Directive 95/46/EC. Article 2(h) of Directive 95/46/EC provides that consent of the individual for processing his or her personal data should be a freely given specific and informed indication of his or her wishes by which the individual signifies his or her agreement to this data processing. According to Article 7 of Directive 95/46/EC consent should also be unambiguous.
In its opinion on consent the Working Party has acknowledged the differences in the notion of consent that may occur in different Member States. The opinion on consent provides further clarity on the requirements of valid consent and its main elements:
1. Specific information. To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.
2. Timing. As a general rule, consent has to be given before the processing starts.
3. Active choice. Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject's intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded).
4. Freely given. Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.
In line with the above clarifications and elsewhere on what constitutes valid consent across all EU Member States, the Working Party elaborates that should a website operator wish to ensure that a consent mechanism for cookies satisfies the conditions in each Member State such consent mechanism should include each of the main elements: specific information, prior consent, indication of wishes expressed by user’s active behaviour and an ability to choose freely.