The European General Data Protection Regulation (GDPR) is simply the hot topic of 2016 at least for privacy experts. You haven’t made your own opinion about it yet? Well, it’s my pleasure to help you by making you think about a very important subject: consent.
Consent is a basic instrument to justify an infringement in rights. So, in Europe consent has been a legal base to legalize data processing. The reason is fairly simple: Processing personally identifiable information (PII) infringes the right to privacy and therewith a human right, set forth in Article 8 ECHR. I don’t want to go into details of its enactment from a European directive into Member States law and now the GDPR. Because more important is, that consent is a legal structure that justifies an infringement in someone’s right to privacy.
Well, reading my headline I guess you think that I don’t defend privacy. The opposite is the truth. I love privacy. But I think the regulation and the requirements concerning consent need to reflect the reality and the need of the data subjects. If regulators and data protection authorities make the same high demands for any processing of PII it will not only minimize our privacy but impede innovation in Europe.
Basically, consent creates on the one hand transparency for data subjects and on the other hand a barrier for processors to collect and use PII. If a company has to obtain a (prior) consent to process PII the company necessarily has to think about the amount of data, the purpose of data processing and who will get or might have access to this data. Additionally, the language of a consent needs to be precise, unambiguously and, still, clear. And there is another aspect many laymen don’t know: A consent that allows mailing is not mainly a privacy subject but regulated by another law. In Germany it is The Act about Unfair Competition, respectively Article 7. Consequently, if you have to ask the user for his consent concerning PII and you want to send mailings you have to implement two separated (!) opt ins.
Now, back to the privacy consent. The quality of a PII processing and therewith the impact on your right to privacy varies depending on the kind of data and the purposes of data processing. That’s the reason, why I call for a realistic interpretation of a consent.
Let me explain what I mean. Here are some examples:
(1) Frequency capping, i.e. a collection of data that helps advertisers to reduce the frequency display ads are shown to users, so that either a user sees an ad just a few times or only once. That is profiling. And it is PII, because it is connected to a cookie ID (or something similar).
(2) Personalized services, i.e. services that only work if information about you or your preferences are being collected. That can be a list of interest in a news aggregator, a restaurant app that saves your favorite places or a service in which you can create your shopping list. And yes, that is also profiling based on PII.
(3) Social services, i.e. services that only work if you interact with others. That implies for instance that you have to disclose either information about you or your location. This is obviously PII processing.
Reading these examples, it should be obvious that it is inappropriate to demand the same high requirements for a consent in example (1) to (3) (if there is no other legal base to process the needed PII). Additionally, if you start a social or profiling based app and the basic functionalities are blocked by default because you haven’t opted in, the app is simply boring. You will delete it. And any other app that does inform the user about the data processing in an transparent way but does not ask the user for a long and very transparent consent will have high traction. And high traction causes high traffic, many users and better ways to sell ads. No matter how innovative the app is, a highly regulated environment impedes innovation.
And last but not least, any provider with a direct relationship with the user has already the possibility to obtain the user’s consent. Companies that try to work with less data are forced to collect more data to know which person accepts the data processing. A data minimization approach isn’t competitive anymore. As a result, companies either wave any PII processing and provide only “stupid” services because almost any processing is connected to PII or they have to create a direct customer relationship. In the end, high requirements concerning consent lead to more PII processing, not less.
And while we are discussing this topic, non-European companies get more traction, more users, more data. And what is really crucial is the intended enforcement of the GDPR outside of the EU. It won’t be solved for the next years. Until then, European companies will struggle complying with the high requirements and strict interpretations concerning consent. That slows down any innovation in Europe and weakens our economy that is increasingly driven by digitization.