«

»

Why the idea of consent for data processing is becoming meaningless and dangerous

permission-granted

 By Simon Davies

Over the past couple of years I’ve noticed a growing discord among my colleagues on the issue of consent in data protection. Indeed I’d go as far as saying that many believe that this pillar of rights is becoming a dangerous illusion. I’m starting to agree.

I don’t say this lightly. All privacy advocates enter this field believing that the concept of consent is self evident. It’s one of three untouchable buttresses – the other two being proportionality and necessity. These principles form the foundation of our work.

Many of us long ago gave up believing in the “fair and lawful” provisions of data protection. However it seems increasingly that even the most ardent data rights traditionalists are privately conceding that the consent concept is becoming unstable and largely unworkable. There have been countless articles and papers over the past few years challenging the notion of consent, ranging from the domain of biobanks through to employment.

The twitching data carcass that’s left is ravaged by circuitous arguments about the difference between explicit, informed and unambiguous consent.

Like the story of “the emperor’s new clothes”, little is said of this view within civil society. To do so could be seen as giving ground to the data vultures. Making any concession on consent could weaken an already fragile framework. At least, that’s one view from the advocacy community.

All the same, we all regularly bemoan the decay of consent – even if it is in private conversation. The principle has been corroded over the years through an array of public interest and economically pragmatic carve-outs. The twitching data carcass that’s left is ravaged by circuitous arguments about the difference between explicit, informed and unambiguous consent. Still, all of us hold on to the idea of consent, even if it’s just to remind us that the data subject has at least some inalienable rights.

Of course none of this should detract from the principle of consent – absolutely not. Consent is rightly a cornerstone of data protection. It’s just a question of whether the principle has any meaningful value.

Before I started writing this blog I tried testing out my views by starting a conversation on Twitter (hardly scientific, but a useful litmus test). All the responses expressed concern over the instability of consent in the current framework. The vast majority of respondents argued for a technological /mathematical solution. Others expressed the view that the current focus on consent should be shifted to a stronger effort to control the “use” of data by organisations.

These are useful perceptions. However, the two issues that concern me are:

a) will it be even possible in a few years to maintain any practical consent framework, and

b) will the surveillance required to enforce consent become a worse invasion than the original processing.

I’ll address the latter challenge first.

My take on this issue is that most consent mechanisms were conceived in the pre-dawn of the Internet age. They were developed at a gentler time in history – a time when it was possible to build a simple flow chart of personal data relationships.

Not so these days. Data has become such a labyrinth that consent enforcement has now shrunk to a focus on the activities of global online household brands. Almost every other entity does more or less what it pleases.consent 2

At its most basic level, I’m sure all academic colleagues will resonate with the fact that this week alone I’ve unsubscribed from more than twenty junk email streams, most of which laid some hollow claim to justify the invasion. Many people don’t take such a risk, fearing that the unsubscribe feature is merely a validation trap. But even those entities that should know better are playing fast and loose with consent.

As a case in point, a couple of weeks ago I foolishly requested a brochure for the University of Salford’s online international commerce law course. In response, I received no fewer than seven marketing emails from various parts of the university before I finally called a stop to the menace. If UK business schools are incapable of respecting consent, what hope is there for anyone else?

It goes without saying that the overwhelming view of large swathes of business is that consent is something you respect in the “unambiguous opt-out” – hardly a view that chimes with the more robust interpretation of consent. To be frank, I’m coming to the view now that “legitimate interest” is the way to go. At least that way, there can be a tighter focus on how data is used. More on that later.

But even if consent was respected and followed, the key question is whether the remedy might become worse than the malady. To illustrate this point we need look no further than the notice and takedown requirements on providers.

Perhaps someone could enlighten me on how precisely at any practical level we can enforce consent in a decade’s time? When your refrigerator becomes a data intermediary for processing and disclosure to your doctor or supermarket, I wonder at what point the data subject has a chance to be involved.

I was interested to read last month an analysis on that subject by Daphne Keller of Stanford University’s Center for Internet and Society  One of Keller’s key arguments is that Europe’s new notice and takedown framework is so poorly conceived that it becomes not only an unnecessary threat to free speech, but it also morphs into a vast surveillance mechanism.

We face the same problem when enforcing consent. Any online user in Europe will be familiar with the last bungled effort to achieve this outcome. In summary, the “EU Cookie Directive” requires most websites to seek explicit consent from users. This imposition not only proved to be an utter pain for all parties, but it severely damaged the integrity and reputation of data protection. And providing a clear audit trail of consent would require significant additional processing.

The cookie farce is a clear example of analogue thinking. Tackling the cookie issue with such a blunt instrument has become counter-productive. A proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming.

I wonder why we’re even going down this road. Some colleagues have suggested that a vast opt-in regime serves to sensitise business to the need for data compliance, but this seems to me a little like the reasoning behind public floggings.

In an essay published last year in the Privacy Surgeon, the European Commission’s Gerald Santucci expressed grave concerns that the current data protection framework is entirely unsuited to the emerging information age – and particularly the Internet of Things. In the wake of a vast new generation of complex data streams, he argued, how can consent be meaningfully managed? In this view, the data overload of the coming decade risks turning much of consent into little more than a symbolic effort.

Perhaps someone could enlighten me on how precisely at any practical level we can enforce consent in a decade’s time? When your refrigerator becomes a data intermediary for processing and disclosure to your doctor or supermarket, I wonder at what point the data subject has a chance to be involved. In the end, like the Cookie Directive, we end up with a meaningless box-checking exercise that merely irritates countless consumers.

There are two obvious paths that can be taken. One is to go down the health and safety road. The other is to adopt mathematical solutions. 

Some colleagues have suggested that a vast opt-in regime serves to sensitise business to the need for data compliance, but this seems to me a little like the reasoning behind public floggings.

In the health and safety road, the onus for protection would be removed from the citizen and placed squarely onto the organisation (the data use approach). With rare exceptions, employees no longer have to bear the responsibility for workplace safety, nor do they need to consent to the consequences of dangerous work environments. The same could apply to processors.

In the mathematical model, powerfully encrypted “black box” technology would create a technological lock-down to guarantee privacy protection. However neither of these approaches has evolved over the past decade, leaving the consumer responsible for self-enforcement of rights.

Returning to the new General Regulation, there’s a clear conflict between consent and the equally crucial matter of data minimisation. Entities are required to fulfil a number of conditions, including consent and prior relationship. In the present wording of the Regulation this requirement necessitates the collection of considerable amounts of data on customers. This surely was not the intention of the Regulation, but the legal enforcement aspect will ensure that data will be archived simply to protect the backs of data controllers.

One thing is clear. The present moment for European data protection should not be wasted passing fruitless and counter-productive rules. This should be an opportunity to create constructive and meaningful laws that support online growth while also genuinely protecting rights.