With so much talk about the Spamhaus Informational listings and the subsequent talk of cleaning up mailing lists and practices, here are sound words of advice from Simon McGarr, Managing Director of Data Compliance Europe, on the subject of consent.

It seemed like such a great idea

Once upon a time, when I was a young man trying to be helpful about my parents’ house, I decided to clean out the ashes in the fire. I’d watched my father on his hands and knees plenty of times, using a brush and steel coal shovel to transfer the ashes into a battered steel bucket. It looked like no fun at all. I realized that, foolish middle-aged parent that he was, he must have missed the obvious solution. Why not just vacuum up all those ashes? Not for me, the cinders and ash of Grimm’s fairytales. I would apply modern technology for better living.

I quickly finished the job, leaving a dust-free hearth.

I don’t know why nobody has ever thought of this before, I said to myself. Then I turned around and found the vacuum cleaner was on fire. Some eejit had filled it full of hot ash and embers.

Sometimes, as I learned then, there is a reason nobody has thought of your brilliant idea before.
This experience popped into my head as I considered the story I’m about to tell you from the Spamhaus listing archives.

Another “great” idea

Our friendly data controllers wanted to use a database of email contacts they had obtained (by means unknown) for commercial purposes. They wanted to sell access to this database of email addresses to their clients and use it themselves. However, they knew, dimly in the back of their minds, that there was some data protection issue under the General Data Protection Regulation (GDPR). Then, like my younger self, someone among our data controllers stopped suddenly one day and thought to themselves, “I don’t know why nobody has ever thought of this before.”

Their idea wasn’t to suck up a load of rubbish – quite the opposite.

They were going to send rubbish, I mean emails, to people. And after the people had received the emails, they believed they could use those email addresses legitimately.

The subject line they chose was “Notice of Data Processing. This is not an advertisement.”

And to be fair, you will probably agree with that subject line’s assessment once you understand their concept…

Let’s circumnavigate “consent”

Here was the big idea: what if we sent out a sort of Privacy Notice to everyone by email? We could even follow the format of the GDPR’s requirement for a Privacy Notice, and then we tell them that we’re processing their data on the legal basis of ‘legitimate interest’, both ours and our clients’.

Having thought it, they then acted upon that thought. And how.

They sent these messages out to millions and millions of email addresses.

It’s not just about the GDPR

The problem here, as you may have guessed by now, is that there is actually a reason why nobody has ever thought, let alone done, this before.

And that reason is that emailing people for commercial purposes (which is what even emails headed ‘this is not an advertisement’ are doing when you send them to benefit a commercial, corporate entity) is not an activity solely subject to the GDPR.

Commercial email to EU addresses is also subject to the e-Privacy Directives and their various national transpositions in each of the EU member states.

What is the e-Privacy Directive?

Good question. The e-Privacy Directive is known in the arcana of European law as a lex specialis. The GDPR is the general data protection regulation (the clue is in the name). Meanwhile, the e-Privacy rules amend those general provisions with specific, different rules for specific circumstances. Like, for example, sending commercial emails.

So, while legitimate interest is permitted as a legal basis for data processing under Article 6 of the GDPR, the e-Privacy Directive restricts the legal basis on which data may be processed for the purposes of sending out commercial email to only one basis – consent.

Here’s Article 13.1 of the e-Privacy Directive as inserted by Directive 2009/136/EC. You can quote this at parties if you want to be considered charming and popular.

1. The use of … electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent.

Just so everybody has an incentive to behave themselves, it goes on at Article 13.7 to insert a clause to ensure that every single person in the EU who receives an email that breaks that consent rule has a right to sue for defined penalties.

A deeper dive into “consent”

You’ll notice the requirement for ‘prior consent’. The definition of consent it uses is set out in Article 4(11) of the GDPR, which sets out four requirements:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Let’s break these down.

1) Freely Given
What is the power relationship between the human being and the institution looking for consent? If not consenting resulted in “negative consequences” for the individual, any consent received couldn’t be said to be truly free.

So, employers shouldn’t rely on consent received from their employees for processing data. Similarly, public authorities should not rely on consent as the basis of data processing of citizens or residents. In both cases, the power imbalance is too great for most consents to be freely given. The threat, even if unspoken, of potential negative consequences is too large. While there are some exceptions to this general rule, they revolve around very limited situations (limited in terms of the number of data subjects affected and the extent of the data processing involved).

Our friends in data control haven’t even got as much as some compelled consent to rely upon.

2) Specific
There’s some considerable overlap with the sources of the requirements for freely given consent and specific consent. This makes sense because, before you can get freely given consent, you must know what it is that you seek consent to do. Therefore you need to have a specific purpose for every form of processing so that you can seek specific, granular consent for that purpose.

“Specificity” is the mortal enemy of function creep – the gradual addition of new purposes for data.
By definition, if a data controller wants to increase the number of uses applied to data collected from a subject, more consent information is required. And to allow for specific consent to be given for each different use, the data controller must give the data subject a separate granular opportunity to consent.

3) Informed
For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, WP29 is of the opinion that at least the following information is required for obtaining valid consent:

i) the controller’s identity,
ii) the purpose of each of the processing operations for which consent is sought,
iii) what (type of) data will be collected and used,
iv) the existence of the right to withdraw consent,
v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
vi) on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

Concerning items (i) and (iii), WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named.

Source: European Data Protection Board

Back to the email sent by the data control team

The notice sent out (‘not an advertisement’) made an effort to tell the recipients some of these things, perhaps with some intention to claim they had been appropriately informed and given ‘implied consent’ if they didn’t object. The problem with that idea comes with the final part of the puzzle.

4) Unambiguous
It isn’t enough to presume consent. It’s necessary to receive an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. People have to take a step to indicate their consent: using pre-ticked boxes or presuming that consent is given by not objecting will not meet the requirement.

To recap, sending out a data processing notice by mass email doesn’t get you a clean database of European email addresses that you can say have given valid, informed consent to receive commercial email. It just gets you millions and millions of potential instances of regulatory and civil liabilities.

As I learned to my cost all those years ago, nobody’s ever thought of this before because sometimes you’ve come up with an idea so bad, you’ve managed to create a trash fire in a vacuum.

About Simon McGarr

Simon McGarr is a lawyer with McGarr Solicitors in Dublin, and the managing director of Data Compliance Europe, a global consultancy on GDPR and data protection matters. He is a Senior Policy Advisor for M3AAWG and a guest lecturer with the European Academy of Law in Trier, as well as the External Examiner for the Law Society of Ireland on Data Protection. He has represented clients in both the landmark Digital Rights Ireland and Schrems I cases before the Grand Chamber of the Court of Justice of the EU.
