FiCom Contribution: WP29 Guideline on Consent
Finnish Federation for Communications and Teleinformatics, FiCom is a co-operation organisation for the ICT industry in Finland. FiCom’s members are companies and other entities that operate in the communications and teleinformatics sector in Finland.
FiCom welcomes the emphasis in the guidelines that consent is only one of the legal bases introduce by the GDPR. Contract typically provides better basis for processing especially in provision of services that are offered against payment.
Consent and Contract
In FiCom’s view WP29 is taking too restrictive a stance on processing users’ data as a part of contract for providing a service. The GDPR does not suggest that this legal basis can only be used when the processing is ‘strictly’ necessary.
In communication services, the ones offered on top of the internet often rely on advertisement-based model, where users’ data is processed to facilitate advertising and services are free for the users. Typically, traditional communication services are offered against payment and do not carry advertising. However, business-models are evolving and it is necessary to give room also for hybrid models, where users are also offered services which include data processing for advertising purposes and receive lower price. In these cases, the legal basis for data processing is performance of the contract – not consent. Delivery of electronic direct advertisements is based on consent according to the ePrivacy directive and national legislation. Users are offered also communication services without advertisement, at slightly higher price. This cannot be regarded being detrimental to the consumers.
Contractual freedom is a fundamental pillar of the European market economy. Not only it is essential to promote market transaction, it is also a fundamental part of individual autonomy. Accordingly, companies should be free to decide what service they would like to offer and under what conditions. As long as these contracts are reasonable and balanced under national and EU law, the controller is accountable and integrates privacy in its design process, it is not up to the Working Party to decide when data processing is necessary for provision of the service.
Issues regulated in other pieces of legislation
Guideline document contains some reference on consent given on browser settings. Use of cookies is exclusively regulated in the ePrivacy directive, which has been implemented in national laws of the member states. These provisions remain effective as long as the ePrivacy directive remains in force. GDPR does not change these provisions, and Working Party should refrain from giving guidance on areas of law that are regulated by other instruments than the GDPR.