|
META TOPICPARENT | name="FirstEssay" |
|
| -- By MayaWakamatsu - 19 Oct 2021 |
|
< < | Problems regarding Obtaining Consent to Privacy Policies |
> > | 1 Problems regarding Obtaining Consent to Privacy Policies |
| |
|
< < | In some countries, data protection acts depend on the idea of individual consent to the collection of information. For example, under the EU General Data Protection Regulation (GDPR), processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. Under the Protection of Personal Information in Japan, consent is required if a company provides personal data to third parties, obtains “special care-required personal information” (which includes data such as race, social status medical history, etc.), or utilizes collected information for purposes other than those it had informed the public about. However, there are some problems with relying on individual consent as follows. |
> > | In some countries, data protection acts depend on the idea of individual consent to the collection of information. However, there are some problems regarding individual consent as follows. |
| |
|
< < | The Problem1: Users consent to privacy policies even if they do not want to |
> > | 1.1 Users consent to privacy policies even if they do not want to |
| |
|
< < | First, people generally cannot use systems or services that companies provide unless they consent to privacy policies and terms of use. Some people might consent to the privacy policy, even if they do not want to consent to the privacy policy, just because they want to use the service or they feel it is almost impossible to negotiate with companies to amend the privacy policy. If they want to or they need to use the service, there is no way to avoid consenting the privacy policy unless an individual negotiates with companies, and companies agree with it. As a result, even if users do not want companies to surveil their information, their information is controlled and surveilled by companies after users consent to the privacy policy. and it could endanger people’s freedom of thought. |
> > | Some people might consent to the privacy policy, even if they do not want to consent to the privacy policy, just because they want to use the service or they feel it is almost impossible to negotiate with companies to amend the privacy policy. As a result, even if users do not want companies to surveil their information, their information is controlled and surveilled by companies after users consent to the privacy policy, and it could endanger people’s freedom of thought. |
| |
|
< < | The Problem 2: Users consent to privacy policies without reading |
> > | 1.2 Users consent to privacy policies without reading |
| |
|
< < | Secondly, the more detailed companies’ privacy policies become in an effort to obtain users’ valid consent, the more likely it is that users will tend not to read such long and detailed privacy policies, and, ironically, some users will consent without reading and understanding the whole content of the privacy policies. This reality is echoed by the Japan Fair Trade Commission’s survey in 2020, which showed that only 5.5% out of 2,000 people read full contents of terms of use before starting services. Some users may argue that while they consented to the privacy policy, they overlooked the specific contents of the privacy policy, and they may argue that the consent should ultimately be recognized as invalid. As a result, the validity of the consent will become questionable. |
> > | The more detailed companies’ privacy policies become in an effort to obtain users’ valid consent, the more likely it is that users will tend not to read such long and detailed privacy policies, and, ironically, some users will consent without reading and understanding the whole content of the privacy policies. Some users may argue that while they consented to the privacy policy, they overlooked the specific contents of the privacy policy, and they may argue that the consent should ultimately be recognized as invalid. As a result, the validity of the consent will become questionable. |
| |
|
< < | Possible Solutions |
> > | 2 Possible Solutions |
| |
|
< < | The Solution 1: Regulations and Standards |
> > | There are two main directions in which these issues can be addressed.
The first is to make efforts to increase the effectiveness of consent. For example, in order to improve the rate of reading and understanding of the terms and conditions, there is an idea to further subdivide the documents and timing of consent. However, this will not solve the issues above fundamentally. Users might still consent to privacy policies without reading or they might consent to them even if they do not want to.
The other direction is to give up on formal consent and seek other means as follows. |
| |
|
< < | It is unreasonable that we can’t use systems or services unless we consent to their privacy policies, and it could endanger people’s freedom of thought as mentioned above.
Although The GDPR and its guidelines provide detailed and strict requirements of obtaining consent and mandate that consent should be freely given, specific, informed, and unambiguous, setting stricter requirements on the obtaining of consent would not be practical and ideal solutions in light of freedom of thought. Privacy is not something that individuals should or can consent to allow surveillance.
To protect our freedom of thought, individual consent should not be the criterion, and we need to generally regulate privacy invasion by setting regulations and standards.
Setting standards to regulate collecting and surveilling personal information, rather than setting stricter requirements on the obtaining of consent, would be a practical and possible solution.
Companies should make systems secure and secret for users, and If companies did not follow the standards, they should be strictly subject to penalties. |
> > | 2.1 Procedural obligation |
| |
|
< < | The Solution 2: Support for Companies |
> > | The first idea is to impose a procedural obligation to ensure that privacy policies are reported to personal information commissions and made public by the commissions, like a list of companies that are providing information to third parties by using the opt-out method in Japan.
In Japan, those who intend to provide personal data to a third party are required to notify the Personal Information Protection Commission. When the Personal Information Protection Commission receives the notification, it shall make public the matters pertaining to the notification (https://www.ppc.go.jp/en/index.html). |
| |
|
< < | Even if it is possible to set standards or regulations to socially regulate collecting personal information, companies might argue that their revenue might reduce because of the standards and regulations. Some companies earn money by selling data, and data is used for personalized advertisements, but companies still can earn money by advertisements if the companies can keep having users. Some users will not mind paying some amount of fee to use the services and supporting companies as long as they will not endanger their freedom of thought. Additionally, companies can be operated with money collected from donations, investment crowdfunding, or rewards-based crowdfunding. |
> > | Analysis: |
| |
|
< < | Conclusion |
> > | This idea is to build or expand the public announcement system, and it may be realistic. Additionally, this idea will be effective for some companies which care about the reputation of potential users, and companies will not stipulate privacy policies that do not follow personal data protection laws.
However, even if privacy policies are in public, there will be no way for users to amend the privacy policies. Eventually, users need to accept the privacy policy if they want to use their services. |
| |
|
< < | I believe that there are some problems on obtaining consent to privacy policies, and we should set regulations or standards to socially regulate on collecting and surveilling our personal information. |
> > | 2.2 Audit Obligation |
| |
|
< < |
The best route to improvement is to locate the idea of your own that goes beyond what we discussed in class, and to make that the center of the essay. Most of what is contained in the present draft summarizes the discussion of the inadequacy of consent from class. Making clearer what you yourself are adding to the conversation will produce a much more effective second draft.
|
> > | The other idea is to impose an audit obligation. Services that handle the personal information of users should be required to have a professional third-party organization audit whether they are actually managing and operating the information in accordance with the privacy policies. This idea is similar to the audit obligation with regard to securities reports and financial statements of listed companies.
Analysis:
This idea would require an auditing firm, and the auditing firm will audit whether firms are managing the information in accordance with the privacy policies. As compared to the first idea (2.1 Procedural obligation), this idea will be effective because third parties will check companies’ privacy policies fairly, and it will be beneficial to users.
Companies should make systems secure and secret for users, and if companies did not follow the standards, they should be strictly subject to penalties.
3 Conclusion
If we choose not to provide personal information to those who have a dominant position, we will be put in a disadvantageous position. I believe that we should pursue new directions as mentioned above instead of formal consent acquisition schemes. |
|
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. |