This analysis is a part of a series.

Paris, 22 May 2013 — When you are browsing the web, can you say who collects information about you, what is the nature of that information and who may access it? Can you control who may know what about you? The European Commission intended to give you the power to do so, but European Parliament may vote otherwise, under pressure by corporate lobbies.





With the development of the data industry, citizens’ control over their personal information has progressively decreased, while their fundamental right to privacy cannot be respected if they do not have the means to protect their privacy themselves. But protection of privacy is not the only issue: this lack of control leads to a lack of trust that already damages both freedom of expression

What has always been true about governments’ surveillance may now stand for private surveillance. May people really speak freely if any company, or anyone, can know who they are or access any other sensitive information related to them? and growth of Internet services .

To address this critical situation, the EU Commission proposes to give citizens actual control over their personal data by setting a simple principle: users must give their explicit consent for each collection, processing or trading of information related to them.

The issue

To better understand the sense of the European Commission Proposal, let’s go back to the current European legislation – the outdated 1995 Directive – where consent does not have to be “explicit” but merely “unambiguous” . What is an “unambuguous consent”? The meaning of such a vague definition “is often misunderstood or simply ignored”, as deplored by the Article 29 Working Party , a European body gathering the data protection authorities of each Member State. An “unambiguous consent” can be considered as given when users, informed of the processing of their personal data, do not oppose it. However, since the current legal framework does not force companies to ensure users are effectively informed, most companies are not particularly enthusiastic about disclosing what data they collect, for what purpose, in a visible, accessible and handy way.

As a result, users are not aware of most of the processing their personal data undergo: in practice, would they want to, they would not be able to oppose such processing.

Take Amazon for instance. When you look at an item on its website, your visit is saved by the company in order to suggest you similar products:

Although the caption “recommended based on your browsing history” shows an undergoing processing of some of your personal data, you don’t know that Amazon is collecting in fact much more data than your viewed items, even if it is your very first visit and you are therefore not even logged in:

This information is only accessible on the very bottom of the website’s pages:

As for Google, it does not indicate at all that it collects, stores and processes information on whatever request you make or website you visit. You can only know that by looking for Google’s privacy policy page:

The Commission’s Proposal

The Proposal made by the European Commission would radically change this situation by introducing the principle of user’s explicit consent. This would require citizens’ consent to be expressed “either by a statement or by a clear affirmative action” , and for each and every purpose companies intend to collect their data. “Informed silence” could not be considered as consent anymore. Companies shall then have to actively seek users’ consent, which means no personal data could be processed until users have been really and directly informed. If adopted, the Proposal would ensure that nothing happens out of users’ sight and control.

To that respect, some good practices already exist and may provide clear examples of what “explicit consent” can be on the Internet. Web browsers such as Firefox and Chrome already require your explicit consent before sending information on your geographic location to a given website.



Consent request on Firefox. Try it yourself by clicking on ‘Give it a try!’ on the top of this Mozilla page.

This ensures that, for every processing, you are really informed on what is collected and, thus, have truly given your consent. Then, if you want, you can also simply choose to “always agree” that the website you are visiting may collect your geographic location again without having to ask for your consent.

Even if the concept of that “request box” is largely perfectible – as it does not indicate how your data will be used and who may access them – it shows, at least, the kind of control we would have over our data if the explicit consent requirement was adopted.

Internet giants’ recommendations

Users’ control seems to be problematic for Internet giants whose profits largely depend on the amount of personal data they collect. They dread a greater control by users, which for them would equate with less data processed. It also shows how these companies deal with our privacy: if their activity was really respectful of our private life, why should they fear us not giving our consent? Requiring an explicit consent would only harm those businesses which do not respect our privacy. The other ones, by contrast, could only capitalize the gain of confidence resulted from a real users’ control.

Google, Facebook, Microsoft, Amazon and eBay unanimously asked MEPs to withdraw explicit consent from the Regulation . Their main argument is that users “demand Internet services that are fast, easy-to-use and efficient [therefore, systematically requiring an explicit consent would] lead users to opt in as a matter of routine”, “as a consequence of consumers being overloaded with consent requests”.

But, since asking for their consent is the only way to guarantee users are truly warned of every processing their personal data undergo, there can not be too many consent requests. Whoever opts in “as a matter of routine” would still be warned of processing while we currently rarely are.

In addition, once they have agreed that a website may process some of their data for a specific and clear purpose, users would not have to consent to further processing pursuing the exact same purpose . Thus, stating that consumers would be “overloaded with consent requests” is simply wrong. In practice, users may generally only be asked once, if any, when visiting a website for the first time, and/or when using new features and functionnalities of the service for the first time.

MEPs’ proposals



Malcolm HARBOUR (UK/ECR),

Chair of the IMCO Committee Malcolm HARBOUR (UK/ECR),Chair of the IMCO Committee

The “Consumer Protection” (IMCO) and the “Industry” (ITRE) Committees have followed Internet giants’ recommendations and voted against the explicit consent requirement. IMCO proposed to make consent’s explicitness dependent on “the context”, which is as vague and dangerous as requiring an “unambiguous” consent ; while ITRE Committee simply proposed to keep the same “unambiguous consent” required by the 1995 Directive .

Those two opinions seem to have had a major impact on the debate since seven amendments have been tabled in the The “Civil Liberties” (LIBE) Committee, by seventeen MEPs, to propose the withdrawal of the explicit consent requirement from the Regulation . Which proves those LIBE members, mainly liberals and conservatives, do not want to give users control over their data.

Today, it appears that most of MEPs are against the explicit consent principle, deceived by hundreds of lobbyists, and will not change their mind unless we do mobilize and act now.

What you can do



Manifestation anti-ACTA Manifestation anti-ACTA

First of all, you should use only software and services you can trust. Choose free-as-free-speech software, and host your own services as much as possible. Many tools, such Tor , DuckDuckGo , or browser add-ons such as NoScript or HTTPS Everywhere, allow you to replace, circumvent and block Internet services trying to collect your personal data.

Unfortunately, these solutions will never be enough to fully protect your privacy, as they are not installed by default, require effort, and are sometimes perceived as complex to use. So, we have to act to ensure real protection of citizens’ privacy on the future regulation: write or call your representatives now – their voters’ concerns and defense of fundamental freedoms should always weigh more than Internet giants’ economic interest –, share this article, write some about your thoughts on data protection, talk about it around you, or invent something else using images, video, sound, etc. Now is time to Act! The LIBE members of different political groups have already started seeking compromises on this very issue: we must contact them before they agree on the worst amendments.

To get more information and discuss this, you can visit our forum.