Yes, Consent Is Dead. Further, Continuing To Give It A Central Role Is Dangerous
At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynoter Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.”
Contemporary ideas of notice and consent, he argued, are a farce.
In the moment, he was quite compelling. It is important that we as privacy professionals from time to time question the underpinnings of our training and, especially, our industry and profession.
In the early days of data privacy as a regulated activity, putting people in control of their information was thought to be what mattered the most. From the 1980 OECD Guidelines to the latest version of the EU e-Privacy Directive, consent has been a cornerstone across legal regimes and jurisdictions. EU data protection law is based on the principle that an individual’s consent is the most legitimate of all legitimate grounds to use information about people. But does this approach still hold true? Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?
From the moment we turn on the light—or the Blackberry—in the morning to the moment we turn it off in the evening, every action that involves using technology is recorded somewhere. The Internet has maximised this in such an unprecedented way that the value of the information we generate by simply using it makes other, more traditional identifying factors trivial. From a legal perspective, this phenomenon has entirely distorted the meaning and scope of personal data, but the point is that information about us is constantly flowing around the world without our knowledge, let alone our consent.
My grave suspicion is that attempting to put people in control of their own information by giving them the power to consent to the uses made by others is simply unachievable. The concept of consent should not be underestimated. The ability to make choices is what makes people free. However, pretending that we can take a view in any meaningful way as to how all that information about us is gathered, shared and used by others is wishful thinking. We cannot even attempt to recognise which personal information is being made available by us in our daily comings and goings, so how could we possibly decide whether to consent or not to every possible use of that information?
Consent might have been a valid mechanism to control data-handling activities in the past, but not any more.
So what do we do now? Do we simply give up on privacy? Of course not, but the approach to protecting it must change. In the same way that our ability to control our own information is moving away from us, our responsibility to decide what others can know about us is also receding. Our privacy is less than ever in our own hands because the decision-making power is not really ours. Any legal regime that puts the onus on individuals—who are meant to be protected by that regime—is bound to be wrong. The onus should not be on us to decide whether a cookie may reside in our computer when hardly anyone in the real world knows what a cookie does. What the law should really do is put the onus on those who want to exploit our information by assigning different conditions to different degrees of usage, leaving consent to the very few situations where it can be truly meaningful.
Using European jargon for a moment, the law should regulate data controllers, not data subjects. Like it or not, individuals have a limited role in the data-handling decision-making process. This is a fact, and regulation should face up to this fact. Technology is more and more complex, whilst our human ability to decide remains static. Feeding us with more detailed and complex privacy notices will not change that. In the crucial task of protecting our personal information and our privacy, consent can only have a residual role. Continuing to give consent a central role in the protection of our privacy is not only unrealistic but dangerous because it becomes an unhelpful distraction for individuals, organisations and regulators.
The emphasis must simply be put elsewhere.
Note from the Editor:
A version of this argument first appeared in Eduardo Ustaran's new book The Future of Privacy.
About the Author
Eduardo Ustaran, CIPP/E, is a dually qualified English solicitor and Spanish abogado based in London and an internationally recognised expert in privacy and data protection law. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading individual for data protection by Chambers UK. Ustaran is also the author of The Future of Privacy, a book aimed at reshaping the global debate around data and privacy. Ustaran advises on the impact of EU data privacy law on the operational activities of all types of organisations and has assisted data protection regulators from different countries to align their positions and interpretation of the law. He is editor of Data Protection Law & Policy and a member of the panel of experts of DataGuidance. Ustaran is co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.