By Simon Davies
Last week I published a post that questioned whether Europe’s data consent regime was any longer sustainable. The response to this blog was interesting. Rather than being pilloried by colleagues, I received overwhelming positive comments, both privately and on Twitter. Many took the view that consent was becoming meaningless, and that either a technical solution must be developed or data rights enforcement must be shifted to the actual use of data by organisations.
However a couple of correspondents did ask whether I felt that maintaining the consent concept could create any clear and present danger and whether I had thoughts on specific threats to data protection in the immediate future. That is, does the consent concept amount to merely a waste of time or will it create actual harm to data rights.
I’ve been giving some thought to this question. At the core of this contemplation is my belief that consent over the coming decades will become meaningless and onerous. Importantly, any consent model – whether or not it works in practice – will devastate the quest for data minimisation.
At the core of this contemplation is my belief that consent over the coming decades will become meaningless and onerous. Importantly, any consent model – whether or not it works in practice – will devastate the quest for data minimisation.
Whenever any core right is threatened, my first instinct is usually to ask how that vulnerability will be exploited by government. In the case of consent, my instinct is to ask how the big data platforms will exploit the weakness.
It will come as no surprise to regular readers when I recall my long and turbulent history with many of the US based platforms. Google knows this all too well – and to a lesser extent, so does Facebook. We have battled furiously for years over their policies. Consent has often heavily featured in these public disputes. The companies say consent works, and I say it’s illusory and largely a waste of time.
Having said that, the question remains about what actual dangers are triggered by a reliance on the consent model. Of course I could repeat my concern over the creation of a check-box society or the threat of a auditable consent model being so onerous that it brings data protection into disrepute, but there are other very significant threats to consider that are less obvious.
Just for background, there are three basic legal conditions under the EU rules (both the existing Directive and the future Regulation) that private companies can leverage for the processing of personal data: consent, contract and “the legitimate interests of the controller”
Civil society has historically frowned on the legitimate interest model, partly because of the risk of manipulation of data users and the creation of a culture of pointless claim and counter claim. However, by appearing now to back away from supporting the legitimate interest model, European institutions such as the Parliament have moved by default to supporting a consent-only model – whether that consent is unambiguous or explicit. This is the point where the consent rubber hits the road.
Moving on from the concerns mentioned above, one consequence of the consent-only model is that a huge advantage will be handed to the US based mega platforms such as Google and Facebook which are fully equipped to manage check-box consent. I’m not sure that dynamic is in the best interests of Europe. Given the appalling track record on privacy shown by those companies, I’m certain that the current dynamic will be bad news for data protection.
Earlier this year Google announced in a blog post that it will be introducing a new user consent policy that requires website owners to collect consent from EU based users for the use of Google products (AdSense, etc). How – on the basis of any logic – will this measure actually improve data protection for Google customers ?
One consequence of the consent-only model is that a huge advantage will be handed to the US based mega platforms such as Google and Facebook which are fully equipped to manage check-box consent.
There has to be a better way to strengthen data rights. As I briefly outlined in the previous blog, a well-crafted non-consent “legitimate interest” legal base could provide a more meaningful and enforceable processing regime. I won’t pretend for a moment that this path will be simple, but nor should it be ignored.
Returning to my earlier point about the clash between consent and data minimisation, there is a possibility that the right legitimate interest model could actually improve data protection. A strong and auditable model could encourage controllers to process less data, as well as nurturing viable business models that do not require the collection of lots of data.
There is an additional aspect that we should also consider. Over the past few years there has been a (largely unmet) expectation that Europe would become home to privacy-friendly competitors to the US mega corps. I have written on these pages many times about my continuing battles with the European Commission’s competition authority on this point. I argued that the data supremacy of companies like Google will crush local European competition.
The subject of this blog reflects this concern. Anyone who cares about an open and competitive Internet that offers genuine advantages to EU operators – and EU rights – should carefully consider whether the present consent trend is in the Europe’s interest.
Google and Facebook are both large enough to easily comply with a consent requirement. They enjoy a strong likelihood that users are already logged into their services (Gmail, YouTube, Google+, Google Music, Android, Facebook, Messenger App, WhatsApp, Instagram…) which constitutes consent. This condition also applies to third parties’ websites (consider the recent Facebook judgment in Belgium, which only took issue with Facebook tracking non-logged-in users).
Google and Facebook are also large enough – and have sufficient resources – that they can work with and/or force website owners to accept a contract that makes the website owner responsible for organizing the consent of the data subject on behalf of the mega corps. Such an arrangement would be a requirement to use their services, i.e. Google advertising to monetize their content and Facebook “Like”-buttons for increasing reach through social media.
Smaller competitors do not have the possibility of enticing users to log-in to their services at such frequency. They may not have the requisite direct relationship to the user, and they likely also don’t have the resources or leverage to force website owners to organize consent on their behalf. Even if they did, that model creates a vast amount of work for website owners who may choose to go with fewer third party partners, consolidating their use of services, which further increases the market power of the big established players.
As I said earlier, I’m not pretending that a non-consent model will be a simple goal or one that is universally applicable. My point is that all of us should tread carefully to ensure that the right decisions are made in the overall interest of Europe’s people.