As a privacy-sensitive person, I’m concerned that the trend in European Data Protection law seems to be to place more and more weight on my consent as justification for processing my personal data. In theory that sounds fine – given full information and a free choice, I can decide whether or not I’m willing for the processing to take place. Except that in most other areas of law when an individual interacts with a business, the law presumes that it isn’t safe to leave those decisions to the individual because they probably don’t understand all the consequences and they may be pressurised into a decision. Consumer law – and Europe has a lot of that – is all about helping me escape the consequences of decisions that seemed like a good idea at the time. Medical and criminal law go even further and define areas (e.g. to sell my “spare” organs) where I am simply not allowed to make a decision even though I am the only person affected.
The first draft of the Data Protection Regulation seemed to be following that approach – according to Recital 34 “consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller”. Instead the controller needed to find some other justification that legislators and regulators had either pre-authorised (e.g. “necessary for a contract”) or made subject to conditions (e.g. “not overridden by fundamental rights”). However among amendments that were otherwise seen as enhancing the protection of individuals, the European Parliament’s draft deleted that qualification, apparently restoring the current EU position where businesses and employers may be able to “encourage” individuals to give consent (English law retains its long-standing unease about “consent” between employee and employer).
Like the current law, the Parliament’s draft does give individuals the right to change their mind, withdraw consent and terminate further processing. But if the harm that I now regret consenting to has already happened, that’s probably not much comfort.
In fact current data protection laws already contain the outline of a four-step scale that, if used more generally, could provide much better support for individuals than a simple consent/no-consent one. Governments and regulators could authorise (by creating statutory duties/permissions or recognising “legitimate interests”) or prohibit processing at the two extremes of the benefit/risk scale. For decisions in the middle a hint could be given by requiring either an opt-out or opt-in approach, as in the e-Privacy Directive, which requires opt-out for postal marketing but opt-in for e-mail. Complex decisions (e.g. “may we keep a record of your browsing history in order to offer you personalised pricing?“) might be better addressed by regulation, leaving consent for the simpler ones where individuals are less likely to be unpleasantly surprised by the consequences.
In computer security we learned long ago that asking users for permission too often results in them clicking “OK” to everything without thinking about the consequences at all. Consent seems to carry a similar risk: if I’m asked too often to “consent” to things that are blindingly obvious (either “yes” or “no”) then I’m unlikely to think about, or even notice, the occasions when I ought to be giving the question serious thought. Using consent less often might lead to better decisions when we do.
