Information Commissioner on Alternatives to Consent

A helpful comment on page 3 of the Information Commissioner’s discussion of the latest (Council) draft of the General Data Protection Regulation:

We reiterate our view that there must be realistic alternatives to consent – for example 'legitimate interests' where the data processing is necessary to provide the goods or services that an individual has requested.

That supports the approach we’ve adopted in federated access management – that 'legitimate interests' provides both the most appropriate justification [for identity and service providers and the best protection for users. Indeed the ICO's "necessary to provide the … services that an individual has requested" almost exactly matches my wording from last year!

The ICO's comment about "alternatives to consent" also supports something that has been worrying me for a while. If you give consent a higher status than other justifications - as some data protection laws and proposals do - then you encourage data controllers to use consent when it's not appropriate: for example when the processing is necessary for something the individual needs so they can't give free consent anyway. Paradoxically, that actually weakens the protection provided by consent, because those less-than-free consents become legitimised. The common practice of having a single "consent" cover both necessary and optional processing is a good/bad example ("by registering you agree that we can send you advertising…"). Much better for individuals to have necessary processing dealt with under its own, appropriate, justifications, keeping consent for processing that really can be refused.