Shifting sands - From consent to user accountability
My colleague Phil Lee in an earlier blog (http://privacylawblog.ffw.com/2013/a-brave-new-world-demands-brave-new-thinking) pointed out that we are entering a brave new world and that it demands brave
My colleague Phil Lee in an earlier blog (http://privacylawblog.ffw.com/2013/a-brave-new-world-demands-brave-new-thinking) pointed out that we are entering a brave new world and that it demands brave new thinking – thinking that moves away from seeing consent as some kind of data collection panacea. At the IAPP Europe Data Protection Congress in Brussels last week, some of that brave new thinking was evident. One of the buzz phrases was "data user accountability", a term used in a speech given by Viktor Mayer-Schonberger – as the term suggests, at the heart of this concept is the idea that data users should be held to account for the uses that they make of personal data.
One thing that struck me in the context of a separate debate about wearable technology was the sense of outrage in some quarters at the idea of unfair collection of personal data per se, the idea that personal data might be collected about individuals without their knowledge or consent. Increasingly it is becoming evident however that trying to itemize each data collection scenario and stamp it with a "Notice given/consent provided" label is like trying to count grains of sand on the beach or stop the inexorable ebb and flow of the tides.
In any event, the nature of a valid consent is that it must be informed. In other words, it is not so much about the fact that personal data is collected but rather about the purposes for which it is used. If we divorce collection of personal data from its use, informed consent becomes an impossible task. If, on the other hand, we focus on use, we can have a sensible discussion about the constraints that can be placed on use and the ways in which data users can be held to account for their actions. It is only in the context of a discussion about use that reference to concepts such as legitimacy, proportionality and the domestic purpose exemption really begin to make sense. If there is a case to be made for some form of notice and choice mechanism, we could also more sensibly explore this issue at the point of use of personal data rather than at the point of collection.
Against the background of this type of discussion, the idea of consent being at the heart of data protection is largely a red herring since the focus will move away from an automatic ticking of a consent box at the point of collection to a discussion about how to restrict the uses of personal data in a meaningful way or to give individuals an effective way of opting out of particular data uses if it is feasible to do so.
Aside from some extreme scenarios involving breaches of civil liberties, if the benefits of technological innovation have as a side-effect the collection of personal data about us, who really cares if it is just sitting in an electronic storage bunker for a limited period? The key concerns are that appropriate restrictions are placed on its use, data quality standards are adhered to, appropriate security measures are in place and suitable retention periods are applied.
Let's stop fooling ourselves that consent mechanisms offer a way of exercising genuine choice about how our personal data is used. Let's stop trying to account for every grain of sand but instead begin to discuss how we can hold accountable those who use it in ways for which it was never intended to be used.
One thing that struck me in the context of a separate debate about wearable technology was the sense of outrage in some quarters at the idea of unfair collection of personal data per se, the idea that personal data might be collected about individuals without their knowledge or consent. Increasingly it is becoming evident however that trying to itemize each data collection scenario and stamp it with a "Notice given/consent provided" label is like trying to count grains of sand on the beach or stop the inexorable ebb and flow of the tides.
In any event, the nature of a valid consent is that it must be informed. In other words, it is not so much about the fact that personal data is collected but rather about the purposes for which it is used. If we divorce collection of personal data from its use, informed consent becomes an impossible task. If, on the other hand, we focus on use, we can have a sensible discussion about the constraints that can be placed on use and the ways in which data users can be held to account for their actions. It is only in the context of a discussion about use that reference to concepts such as legitimacy, proportionality and the domestic purpose exemption really begin to make sense. If there is a case to be made for some form of notice and choice mechanism, we could also more sensibly explore this issue at the point of use of personal data rather than at the point of collection.
Against the background of this type of discussion, the idea of consent being at the heart of data protection is largely a red herring since the focus will move away from an automatic ticking of a consent box at the point of collection to a discussion about how to restrict the uses of personal data in a meaningful way or to give individuals an effective way of opting out of particular data uses if it is feasible to do so.
Aside from some extreme scenarios involving breaches of civil liberties, if the benefits of technological innovation have as a side-effect the collection of personal data about us, who really cares if it is just sitting in an electronic storage bunker for a limited period? The key concerns are that appropriate restrictions are placed on its use, data quality standards are adhered to, appropriate security measures are in place and suitable retention periods are applied.
Let's stop fooling ourselves that consent mechanisms offer a way of exercising genuine choice about how our personal data is used. Let's stop trying to account for every grain of sand but instead begin to discuss how we can hold accountable those who use it in ways for which it was never intended to be used.