M. Borghi, F. Ferretti, S. Karapapa – Online data processing consent under EU law

Maurizio Borghi, Federico Ferretti, Stavroula Karapapa, “Online data processing consent under EU law: a theoretical framework and empirical evidence from the UK”, International Journal of Law and Information Technology,  2013, 21 (2), 109-153

 Abstract

This article analyses the results of an empirical study on the 200 most popular UK-based websites in various sectors of e-commerce services. The study provides empirical evidence on unlawful processing of personal data. It comprises a survey on the methods used to seek and obtain consent to process personal data for direct marketing and advertisement, and a test on the frequency of unsolicited commercial emails (UCE) received by customers as a consequence of their registration and submission of personal information to a website. Part one of the article presents a conceptual and normative account of data protection with a discussion of the ethical values on which European Union (EU) data protection law is grounded and an outline of the elements that must be in place to seek and obtain valid consent to process personal data. Part two discusses the outcomes of the empirical study, which unveils a significant departure between EU legal theory and practice in data protection. Although a wide majority of the websites in the sample (69 per cent) has in place a system to ask separate consent for engaging in marketing activities, it is only 16.2 per cent of them that obtain a consent which is valid under the standards set by EU law. The test with UCE shows that only one out of three websites (30.5 per cent) respects the will of the data subject not to receive commercial communications. It also shows that, when submitting personal data in online transactions, there is a high probability (50 per cent) of incurring in a website that will ignore the refusal of consent and will send UCE. The article concludes that there is a severe lack of compliance of UK online service providers with essential requirements of data protection law. In this respect, it suggests that there is an inappropriate standard of implementation, information and supervision by the UK authorities, especially in light of the clarifications provided at EU level.

» Paper available from SSRN.