The continuing problems with online consent under the EU's emerging data protection principles

Since the original Data Protection Directive in 1995, EU law has attached particular importance to user consent. This emphasis on consent is retained – albeit in different forms – in the various positions adopted by the EU institutions on the draft General Data Protection Regulation in advance of their trilogue negotiations. This article identifies three distinct models of user consent in the EU jurisprudence in this area: presumed consent; informed consent; and active consent. The article suggests that the later models developed as a response to empirical concerns about treating consent as a reliable proxy for user privacy preferences online. On this analysis, the active consent model advocated by the Article 29 Working Party and favoured by the Parliament's draft Data Protection Regulation is assumed to address the empirical issues associated with the presumed and informed consent models. In fact, the psychology and behavioural science research shows that website users are subject to a variety of specific situational influences that intuitively impel the giving of consent. The article concludes that the EU's approach to data and privacy protection online, even under current proposals, is fundamentally misguided and makes four recommendations about the future direction of EU law in this area.