50 shades of privacy: Consent and the fallacy that will prevent privacy for all
“Consent, in its purest form, could easily become a dystopian stick to control citizens with,” Susan Morrow, doesn’t pull her punches as she argues that GDPR hasn’t resolved the conflict between choice and consent.
The GDPR has begun a frantic discourse across the globe on how to achieve Privacy by Design and Default. But it has not resolved the conflict between choice and consent.
One of the great things about working in the tech sector is that you genuinely get involved in thoughtful conversations. This piece is about one such conversation that shines a light on a common fallacy of data privacy in a digital age — consent.
What is data privacy anyway?
The debate discussed here was predicated upon a particular notion of what it means to offer a customer a privacy-enhanced service. Data privacy, in this context, is about user choice and transparency in data use, so the usual definition goes. Give the user the choice in sharing their personal data and you’ve ticked a key privacy box. Of course, the world and its machinations are rarely black and white. In fact, it was the less than granular nature of Google and Facebook’s consent process that landed them with a GDPR complaint from Max Schrems of Noyb. Noyb took Google and Facebook to task over ‘forced consent’ rather than freely given consent. In other words, if the user decided they didn’t want to hand over their consent, belt and braces, they wouldn’t get the service, end of story. This is a ‘wild west’ approach to meeting the notion of privacy and stretches the idea of consent to breaking point.
The GDPR has begun a frantic discourse across the globe on how to achieve Privacy by Design and Default
Data privacy must be more than an on/off consent switch. Because data privacy lies at the heart of how we transact via our digital persona, it needs to have considerations that go beyond the purely legal or the purely technical. Privacy needs a social prism.
Here is how the debate panned out…
The big privacy debate — consent, implied consent, GDPR and consent
I noted that in some Twitter and LinkedIn conversations, that data privacy was being linked to the monetisation of data. I first noticed this shortly after some major data breaches, including the Facebook/Cambridge Analytica debacle. Industry folks were posting ideas about setting a payment level in exchange for varying levels of privacy. This was as a way to manage the privacy issues on free platforms like social media.
Last week, I became involved in a Twitter debate about a related area. This time it developed into a direct monetization of data debate. A tweet from Ann Cavoukian, privacy pioneer extraordinaire and inventor of Privacy by Design, said this:
Someone then asked about monetisation to trade data.
The reply being: “Surely that should be up to the data subject — it’s their information, to do with as they wish. If they wish to obtain remuneration in some form for the uses of their data, who are we to tell them no? Elitism has no place here. It’s all about personal control over one’s data.”
At this point, I had to wade in.
I pointed out that, whilst in a perfect world this was fine, in a less than perfect one we would be creating a tiered privacy system; the wealthy having the choice to retain data privacy rights whilst those in need having less choice.
Choice suddenly becomes less black and white and more 50 shades of grey; along the lines of, “I made the choice to sell my data because my baby needed food.”
50 shades of privacy
I will introduce you to Malcolm Crompton before I begin. Malcolm has the kind of resume that most of us dream of. Just so you understand a few of his privacy credentials, Malcolm is the ex-Privacy Commissioner for Australia and Director of International Association of Privacy Professionals (IAPP) from 2007 to 2011. I asked Malcolm what he thought about the two sides of the privacy by consent debate?
Malcolm pointed to Joni Brennan (President of Digital ID & Authentication Council of Canada (DIACC)). During the debate Joni stated this: “Let’s have a positive-sum discussion. Subjects should have the right to self-monetise their data AND system designers (engineers, policy makers, etc) should be cognizant regarding the unintended effects this may have on populations at risk of exploitation.”
This nuanced and positive approach to the debate struck me. Joni had hit on an important factor in digital system design – design for people, placing choice as a design remit.
Malcolm pointed to Joni’s tweet because of her reference to folks in situations of financial stress or subject to family violence, etcetera. He pointed to a new law in Australia, the so-called “Consumer Data Right“.
Malcolm describes this as being: “supposedly all about the civil libertarian concept of ‘you will have to be told everything and hence you are free to make a decision as an equal party to the bank (or whatever) to negotiate your terms’.
Yeah right! “
Malcolm hit the high note. Privacy is a precious commodity and one that is easily exploited. Privacy is as precious as the data and the person behind the data, that it sets out to protect. And it is a commodity that cannot be easily encapsulated. The problem then is that privacy will become obfuscated by legalities that even those well-versed in the industry mantras struggle to understand.
Malcolm Crompton: “[The law] makes assumptions that folks have the time to understand what they are told; folks have the capability to analyse the consequences both short term and long term; folks have the strength (including economic independence) to negotiate the terms of the exchange; folks have alternatives etc.”
Malcolm continued to unpick some of the issues around the Australian situation – which, of course, is applicable worldwide.
He stressed that in terms of understanding the concept behind the freedom to make choices around data sharing that: “[The law] makes assumptions that folks have the time to understand what they are told; folks have the capability to analyse the consequences both short term and long term; folks have the strength (including economic independence) to negotiate the terms of the exchange; folks have alternatives etc.”
We risk a digital crisis in 2019 akin to the 2008 banking crisis, warns data privacy lawyer
Consent, in its purest form, could easily become a dystopian stick to control citizens with. If it was the bank instead of Facebook or Google who enforced this new ‘right’. Or a landlord or an employer or a school or a hospital – they could easily manipulate the elastic nature of any laws with ‘consent’ as a basis. Consent to give us access to whatever personal and behavioral data needed, or woe betide; the result of choosing to withhold consent – no bank, no home, no job, no school? Or reduced services, higher loan fees, poorer healthcare?