Simon Davies is one of the world’s leading authorities in the field of online privacy. He thinks we are in the middle of a huge crisis – one that should concern us all.
The titles of two of his recent blogs almost tell you everything you need to know. The first is Why the idea of consent for data processing is becoming meaningless and dangerous.
Davies does not deny that the idea of consent is important and people should always have the right to withdraw it, if in fact they can. It’s more a question, as he puts it, of whether the principle of consent any longer has or will soon have any meaningful value.
The consent principle has been corroded over the years through an array of public interest and economically pragmatic carve-outs. The twitching data carcass that’s left is ravaged by circuitous arguments about the difference between explicit, informed and unambiguous consent. Still, all of us hold on to the idea of consent, even if it’s just to remind us that the data subject has at least some inalienable rights.
Davies explains that most consent mechanisms were conceived in the pre-dawn of the Internet age. They were developed at a gentler time in history – a time when it was possible to build a simple flow chart of personal data relationships.
This age of innocence encouraged a”tick box” mentality which, according to Davies now very heavily favours the large, well-established, rich companies most of which have global headquarters outside of the EU. Facebook and Google are referred to several times.
Davies argues that data has become such a labyrinth that consent enforcement has now, in practice, shrunk to a focus on the activities of a relatively small number of global online household brands (see above). Maybe the nationally based privacy commissioners simply have not had the wherewithal to tackle the scale and complexity of the issues. Will the new arrangements taking shape around the EDPS be up to the task? We can but hope.
Aside from the large global platforms, Davies implies, almost every other entity does more or less what it pleases. I must say this aspect in particular struck a chord with me. Officials of the European Commission, for example, often seem completely preoccupied with the current practices of a very small number of companies, to the exclusion of all others. This is wrong – at a number of different levels.
Davies’s second blog is called: For the sake of Europe’s privacy, it’s time we moved on from the unworkable consent model.
Davies cites an essay published last year in which the European Commission’s Gerald Santucci expressed grave concerns that the current data protection framework is entirely unsuited to the emerging information age – and particularly the Internet of Things. In the wake of a vast new generation of complex data streams, Santucci argued, how can consent be meaningfully managed? In this view, the data overload of the coming decade risks turning much of what we refer to as consent into little more than a symbolic effort. Think about your connected fridge, electricity meter and motor car.
With the continuing rise of small form and highly mobile devices such as smartphones I guess it is clear this problem is set to grow. Which brings me to children and young people.
Davies does not refer to them (unfortunately) but it seems obvious that if adult users are confounded the position of legal minors is hardly likely to be any better. Yet under 18s make up one in three of all (human) internet users in the world – rising to one in two in parts of the developing world. And never mind under 18s – see the LSE study of internet users who are aged 8 and below!
Thus Davies suggests either a technical solution must be developed or data rights enforcement must be shifted to focus on the actual use of data by organisations. I guess that involves establishing a framework which describes consumers’ reasonable expectations of how, by whom and in what circumstances their personal data might be collected and the uses to which it might be put. No longer would a so-called “free app” that provided you with a map of, say, the centre of Barnsley be able to take your entire contact list and browsing history and sell it to scam merchants in places a million miles away from that noble town.
In this putative new order any departure from the as yet unknown prescribed norms and reasonable expectations must be evidenced by adherence to a clearly defined process which presumably cannot be executed with a single mouse click in an intentionally swift and smooth “on-boarding” process. Concerns about the “customer experience” cannot be used as camouflage for sucking in more data without any genuine effort having been made to ensure that the data subject is not only “on-board” but knows it.
Desiderata 