Opinion

Yes, Consent Is Dead. Further, Continuing To Give It A Central Role Is Dangerous

By Eduardo Ustaran, CIPP/E

At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynoter Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.”

Contemporary ideas of notice and consent, he argued, are a farce.

In the moment, he was quite compelling. It is important that we as privacy professionals from time to time question the underpinnings of our training and, especially, our industry and profession.

In the early days of data privacy as a regulated activity, putting people in control of their information was thought to be what mattered the most. From the 1980 OECD Guidelines to the latest version of the EU e-Privacy Directive, consent has been a cornerstone across legal regimes and jurisdictions. EU data protection law is based on the principle that an individual’s consent is the most legitimate of all legitimate grounds to use information about people. But does this approach still hold true? Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate? 

From the moment we turn on the light—or the Blackberry—in the morning to the moment we turn it off in the evening, every action that involves using technology is recorded somewhere. The Internet has maximised this in such an unprecedented way that the value of the information we generate by simply using it makes other, more traditional identifying factors trivial. From a legal perspective, this phenomenon has entirely distorted the meaning and scope of personal data, but the point is that information about us is constantly flowing around the world without our knowledge, let alone our consent.

My grave suspicion is that attempting to put people in control of their own information by giving them the power to consent to the uses made by others is simply unachievable. The concept of consent should not be underestimated. The ability to make choices is what makes people free. However, pretending that we can take a view in any meaningful way as to how all that information about us is gathered, shared and used by others is wishful thinking. We cannot even attempt to recognise which personal information is being made available by us in our daily comings and goings, so how could we possibly decide whether to consent or not to every possible use of that information?

Consent might have been a valid mechanism to control data-handling activities in the past, but not any more.

So what do we do now? Do we simply give up on privacy? Of course not, but the approach to protecting it must change. In the same way that our ability to control our own information is moving away from us, our responsibility to decide what others can know about us is also receding. Our privacy is less than ever in our own hands because the decision-making power is not really ours. Any legal regime that puts the onus on individuals—who are meant to be protected by that regime—is bound to be wrong. The onus should not be on us to decide whether a cookie may reside in our computer when hardly anyone in the real world knows what a cookie does. What the law should really do is put the onus on those who want to exploit our information by assigning different conditions to different degrees of usage, leaving consent to the very few situations where it can be truly meaningful.

Using European jargon for a moment, the law should regulate data controllers, not data subjects. Like it or not, individuals have a limited role in the data-handling decision-making process. This is a fact, and regulation should face up to this fact. Technology is more and more complex, whilst our human ability to decide remains static. Feeding us with more detailed and complex privacy notices will not change that. In the crucial task of protecting our personal information and our privacy, consent can only have a residual role. Continuing to give consent a central role in the protection of our privacy is not only unrealistic but dangerous because it becomes an unhelpful distraction for individuals, organisations and regulators.

The emphasis must simply be put elsewhere.

Note from the Editor:

A version of this argument first appeared in Eduardo Ustaran's new book The Future of Privacy.

About the Author

Eduardo Ustaran, CIPP/E, is a dually qualified English solicitor and Spanish abogado based in London and an internationally recognised expert in privacy and data protection law. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading individual for data protection by Chambers UK. Ustaran is also the author of The Future of Privacy, a book aimed at reshaping the global debate around data and privacy. Ustaran advises on the impact of EU data privacy law on the operational activities of all types of organisations and has assisted data protection regulators from different countries to align their positions and interpretation of the law. He is editor of Data Protection Law & Policy and a member of the panel of experts of DataGuidance. Ustaran is co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.

Comments

  • December 18, 2013
    Gabriela Zanfir
    replied:

    One could add that a similar argument was brought at the Computers, Privacy and Data Protection Conference - January 2013, in Brussels, where I presented the paper “Forgetting about consent. Why the focus should be on suitable safeguards in data protection law” - in the Academic Papers Session. In that paper, after arguing why we should remove the focus from consent in data protection law, I propose solutions for where the emphasis could be put, identifying three types of safeguards: the rights of the data subject, accountability measures and purpose limitation measures. The paper is published in S. Gutwirth, R. Leenes, P. de Hert (eds.) - “Reloading Data Protection. Multidisciplinary Insights and Contemporary Challenges”, Springer (November, 2013).

  • December 18, 2013
    Nicholas Crown
    replied:

    On the surface, I agree with your argument.  However, I believe consent must continue to play a critical role because it is just as difficult, if not more, for the regulators to understand the tradeoffs and make determinations on behalf of the data subjects as it is for the data subjects.  Admittedly, my opinion is informed by my typical American sensibilities, but can you imagine how difficult it would be to craft legislation that could take into consideration the myriad reasons for data collection, while providing enough freedom for the individuals to choose?  All roads lead back to a choice, whether that choice is made for you or by you.

  • December 19, 2013
    mouth
    replied:

    “Consent might have been a valid mechanism to control data-handling activities in the past, but not any more.”

    Are you kidding me?
    Why is this, if I may ask? Because Companies don’t like to get consent from their “customers”?

    It’s actually not that hard. Store the information you NEED in order to fulfill a service and everything on top requires explicit consent. And be completely transparent about this and how the data gets shared if it is required. The end.

    If not, in the end no one will trust this company anymore.

  • December 31, 2013
    Name
    replied:

    Give up consent for the benefit of whom?  Surely there are conditions where consent can and should be obtained which include allowing a company to do a background check for purposes of employment, having a credit report to verify the credit morality of a loan applicant, being on a mailing list, allowing medical records to be shared, etc. Do we toss all consent out the door because technology is moving at a faster pace than the imagination of the legal profession?  Choice is what democracy is all about.  Lawyers and politicians will just have to keep up.

  • January 06, 2014
    AskTheAlgorithms
    replied:

    The banking, credit card and technology corporations, in combination with governments of basically every world nation seem to think that everyone else on earth exists merely to serve as lab rats in their unauthorized experiments.  The internet is the maze, free content is the cheese, and every electric powered device in the world is collecting the information they plan to use as a tool to enslave humanity.  The trick is, no one will even know it happened, because they are too busy chasing shiny objects planted by omnipotent predictive algorithms that no human can compete with.  Human brains cannot outsource the sorting of trillions of terabytes worth of information to supercomputers unless they can afford to buy one.  Whoever wins the data arms race wins the title of Emperor of Earth.  That ought to turn out well.

  • January 06, 2014
    Eduardo Ustaran
    replied:

    Glad to see that my blog is generating a healthy debate.

    For the record, I am not saying that we should give up on protecting privacy, but we need to be realistic about the most effective way of doing it in today’s data-reliant world.

    Here is something that gives us an idea of where we are already heading: http://www.entrepreneur.com/article/230555

  • January 08, 2014
    Emma Butler
    replied:

    Consent has always been one of 6 conditions for processing in EU law. It is some regulators, and some legislators, who have pushed consent as the gold standard over the years. So we have the current situation where many organisations shoehorn legitimate processing into consent because they have been led to believe that is the best option. It isn’t, and there are usually always other conditions for processing available.  Consent should be reserved for the situations where an individual has genuine choice. A poster above mentions background checks and credit reports - but consent is not appropriate here. If you refuse a background check you won’t get the job - it’s not free choice, so consent is the wrong way to go for things like this.

  • January 09, 2014
    Matt Block
    replied:

    Notice as currently practiced and consent as presently collected are less useful than they can and should be.  But the solution is not to deemphasize them, but to find ways to implement (and protect) them that make them more useful.  I have no objection to regulating data controllers in order to set a baseline standard for data collection (although I happen to think that better models to accomplish the same thing may exist).  But good notice and truly informed consent should still be required for collection, retention, use, dissemination, and destruction of data.

    It is not an argument to say that much data collection now is passive on the part of the data subject.  What does that matter?  It should still be illegal if unauthorized and unconsented to.
