DIGITALEUROPE’s response to public consultation on Article 29 Working Party draft guidelines on consent under Regulation 2016-679

INTRODUCTION

DIGITALEUROPE welcomes the opportunity to provide comments on the draft guidelines on consent under Regulation 2016/679 published by Article 29 Working Party (WP29). We were closely engaged in the legislative debate and provided input throughout the process. This involvement provided us with insight into the intentions behind specific provisions. Our members include digital companies with headquarters or significant presence in the EU and European national trade associations, representing large, medium and small companies in the technology sector from across the continent.

While the GDPR has further strengthened alternative grounds for the lawful processing of personal data, it is essential that consent standards remain practical and applicable by all in industry, especially given the disproportionate emphasis that the European Commission’s proposal for an ePrivacy Regulation puts on consent. It is therefore important that the standard is not only considered in terms of how it can be practically implemented but that it is also relevant and appropriate to current and emerging technologies, and how a user interfaces with these types of services.

With this in mind, we are concerned that the requirements regarding the lawful capturing of consent specified in the draft guidance document will be so difficult in practice to obtain that they risk removing consent as a viable legal ground on which to process personal data, which we assume is not the intention of the WP29.

DIGITALEUROPE welcomes the emphasis that the WP29 puts on other legal bases and we have consistently advocated for sufficient space for other legal grounds, such as legitimate interest and contract.

The freedom to conduct business, including contractual freedom, is an essential part of how our marketbased economy operates and also individual autonomy. It should be up to companies to define the conditions under which they offer their services, the features they integrate and which of these they make optional to their users as well as the most appropriate way to monetize a given service. As long as a company is compliant with the law, can be held accountable, follows a risk based approach, provides transparency and control to its users and integrates privacy in its design process, it should be left to decide how it differentiates itself in a market and what products and features it offers to its users. Indeed, privacy settings and control tools are increasingly becoming market differentiators. Consent or restrictive interpretation of other legal bases should not be used to limit innovation or step into product design and development