Automatic for the people: EU plans browser settings law for consent to 'personal data processing'

Website operators and online advertisers may be given carte blanche to process people's personal data with approval provided by just the tick in a box on a web browsers' settings, according to leaked European Union data protection proposals.

The proposals form part of the negotiations over a new EU General Data Protection Regulation, which will apply across the European Union and which circumvents the conventional directive approach to pan-EU law-making. A regulation is required, argues the EU, because directives are interpreted too widely in different countries when they are translated into national laws.

The plans could be approved at a meeting later this week, according to the website of law firm Pinsent Masons. The proposals were published on whistle-blowing website Statewatch.org.

"Consent should be given unambiguously by any appropriate method enabling a freely-given, specific and informed indication of the data subject's wishes, either by a written, including electronic, oral statement or, if required by specific circumstances, by any other clear affirmative action by the data subject signifying his or her agreement to personal data relating to him or her being processed," states the draft provisions published by Statewatch.org.

It continues: "This could include ticking a box when visiting an internet website or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application."

Explicit consent would generally be required where the processing involves more sensitive personal information, it added.

In its original draft, according to Pinsent Masons' Outlaw.com legal website, "the European Commission said that businesses seeking to rely on individuals' consent to go ahead with personal data processing should be required to obtain individuals' explicit, freely given, specific and informed consent obtained through a statement or 'clear affirmative action'," it explained.

"The European Parliament in outlining its position on the General Data Protection Regulation backed the 'explicit' consent requirement. However, a number of EU countries, including the UK, have raised concerns with those plans," it concluded.