Law in the Internet Society

MilanPreeSecondEssay 4 - 06 Jan 2021 - Main.MilanPree
Second draft

Criticism of the consent logic of the GDPR

Introduction

The European GDPR promotes individuals’ consent as a means of protection against the capture of their personal data. Indeed, consent is one of the six legal grounds that authorize companies to process individuals’ data, along with, for instance, contractual necessity or legitimate interest. Moreover, consent is one of the rare exceptions allowing companies to collect so-called "sensitive" data, including biometric data. Consent is defined by the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data concerning him or her (Article 4(11) of the GDPR). Regarding specificity, Recital 32 provides that consent should cover all processing activities carried out for the same purpose or purposes and that when the processing has multiple purposes, consent should be given for all of them. In sum, if individuals’ consent is obtained for a specific purpose, it ipso facto justifies the collection of their data for this specific purpose, and frees companies from any other legal justification.

With this definition of consent, the EU has acknowledged the opt-in solution. By contrast, the American approach – the so-called “notice and choice” model – is characterized by the opt-out solution. This means that users implicitly agree to the collection and use of their data as soon as they use the services of a company, which must, nevertheless, provide for the possibility of withdrawal. Although the data subject’s consent, and a fortiori opt-in consent, seems to be the most protective legal ground for data processing, since it emanates directly from individuals, the objective of this essay is to criticize its effectiveness and rationale.

Can opt-in consent protect individuals?

The opt-in logic gives individuals the possibility to consent or not, a priori, to the collection of their data. Yet, conversely, individuals’ consent allows companies to collect whatever they ask for. Therefore, I wonder: does the opt-in logic really allow individuals to manage the collection of their data, or does it rather allow companies to easily extract their consent and hence justify or legitimize the processing of their data?

Platforms’ design choices are often aimed at nudging and influencing people’s consent: it is almost always easier or more attractive to accept rather than to reject cookies. I personally always perceive cookie banners as nuisances to get rid of, and often click mechanically on “accept” without even paying attention to it. I am furthermore convinced that most people do not know what data collection means and implies, or what a “cookie” is, and might identify the word “accept” as a way to be able to navigate the website.

In addition, rather than losing time going through all the privacy policies I am confronted with every day and finding the hidden sections allowing me to reject the cookies, I find it more convenient to just accept without inquiring. And I am not the only one: according to the BCG Big Data & Trust Consumer Survey conducted in 2015 (pre-GDPR), a third of the 8,000 persons interviewed throughout the world about privacy clauses considered that they do not have time to read them, and two thirds thought that they are too long and too complex. In addition, even though cookie walls have been officially forbidden since the EDPB Guidelines on consent issued in May 2020, numerous websites still use particularly hampering cookie banners that make their rejection a real obstacle course. Moreover, the GDPR does not provide any indication regarding the form that the information given by companies to consumers should take. Hence companies can easily comply with consent’s conditions by giving complex and discouraging privacy policies.

For these reasons, it is in my opinion illusory to believe that people can manage the collection of their data and freely decide to opt in or not. In practice, consent is rather sneakily extracted, and individuals trade their privacy for more convenience – because to “accept” cookies is almost always easier and faster than to reject them – or forfeit their privacy without even realizing they do so, through a mere unconscious click.

Problems generated by the logic of consent

Among the legal grounds, the others of which are strictly framed by the law, consent has the particularity of being at the discretion of the individual and his or her “free” will. A first problem in this logic is that it contributes to legitimizing invasive behavior collection, because consent gives companies more flexibility than other legal grounds enumerated in the GDPR, such as legitimate interest, which needs to be at least minimally justified to be used.

A second problem with the logic is that it gives individuals the possibility to consent to the collection and analysis of their behaviors, and hence to consent by mere clicks to forfeit their privacy, autonomy and freedom, to the benefit of the parasite. Therefore, I wonder: should individuals be given the right to forfeit their freedom? In the same logic as the protection of employees in their relations with employers, legislators should protect individuals from consenting to their own subjugation, especially when they are exposed to unbalanced power relations that precisely seek to make them voluntarily participate in their subjugation.

Another problem is that it puts a heavy burden of investigation, and hence the heavy burden of privacy, on individuals. But it should not be the duty of individuals to go through technical privacy clauses whenever they surf the internet in order to find out whether or not they should consent to this or that collection, or at least to find the hidden section that allows them to say no. The protection of individuals from the harm of behavior collection should not come from individuals themselves, but from an effective legal architecture. It should be the responsibility of regulators to protect individuals from surveillance capitalism – through effective standards defining what is acceptable and what is not in terms of behavior collection, as well as institutions to effectively enforce those standards – rather than giving them the choice to opt in or not.

First draft

 

Facing the parasite: is consent an instrument of collective submission?

-- By MilanPree - 17 Nov 2020


Revision 4r4 - 06 Jan 2021 - 23:13:55 - MilanPree
Revision 3r3 - 27 Dec 2020 - 15:27:22 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.