Data Privacy and Consent | Fred Cate

Introduction

Thank you, I'm going to warn you right now: there's no audiovisuals. Part of that is because I want you to be looking at me, and part of it's because, after 30 years of working in technology, I don't trust it. But don't worry, I have note cards. When I told the organizers this, they looked slightly chagrined, but I said don't worry; it's only for the long boring quotes and statistics that I want to bore the audience with. That made them feel a great deal better.

So, let me say, when I heard the topic was entropy, nothing came to mind faster for me than data. We are surrounded by data that seems to be falling out of control—data being lost by corporations, data being stolen from government agencies, and data that we are volunteering that’s being collected about us. Billions of bytes a day seem hopelessly out of control, and it seems to be getting worse. So, I thought what I might do this evening is talk particularly about the challenge of personal data and privacy.

Remember, much of this data we are talking about is data we are volunteering. We are posting those pictures of our delicious meals, engaging in millions of texts a second, and posting images and videos at a colossal rate. It’s become almost meaningless to talk about the volume, but it has a tremendous impact on our privacy. This data that's being volunteered is not only collected but also calculated or inferred about us—are you a good credit risk? Should you be able to buy that car? Are you somebody that we want to market to? These may not even be data that really exist about you but rather data that are being created.

The New York Times reported in 2017 that a company—one that's not Facebook, not Amazon, and one you've probably never heard of—engages in 50 trillion personal data transactions a year, buying and selling your data and mine every year. It seems completely out of control, along with our privacy. There are many reasons for this, but the one I want to focus on, which I hope will be of interest and a tiny bit controversial, is the role that consent plays in data protection and privacy today.

Modern privacy law really came about in the 1960s. Dr. Alan Weston at Columbia University wrote his doctoral dissertation, later turning it into a book called "Privacy and Freedom." In that book, he defined privacy in a way that every country in the world now follows: "The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."

By the 1990s, every country followed suit. The Supreme Court in 1988, in Department of Justice vs. Reporters Committee, gave us a definition that we use today. Even the European Union enacted a general data protection regulation that took effect May 18 months ago, which mentions consent 108 times. California also adopted the California Consumer Privacy Act, giving individuals the right to consent to uses of their data collected online.

Challenging consent seems totally counterintuitive in the world of privacy, but for seven quick reasons, I'm going to argue it's both impractical and undesirable to focus on consent.

Complexity of privacy notices: They're difficult to comprehend. For example, PayPal's policy is 36,275 words long, and iTunes’ is longer than Macbeth.
Inaccessibility: You can't practically consent to cameras on the streets or recording devices in the audience.
Ineffectiveness: Most people ignore privacy policies entirely.
Illusory consent: You often don't have a real choice, as seen with mandatory software updates for phones.
Burden on individuals: The legal shift of liability to the individual can be overwhelming.
Disservice to individuals and society: Some uses of data, like fraud detection, need to override consent.
Lousy privacy protection: Consent can lead to broad, meaningless agreements eliminating real privacy.

If we want to improve, we should focus less on consent and more on stewardship of data, setting clear rules for data use, and ensuring redress when things go wrong. Even when asking for consent, it should be meaningful, timely, and effective.

Thank you very much.

Keywords

Data Privacy
Consent
Personal Data
Data Protection
Privacy Law
Alan Weston
Complex Privacy Notices
Stewardship of Data
Illusory Consent
Data Transactions

FAQ

Q1: Why is consent considered impractical and undesirable in data protection?

A1: Consent is seen as impractical and undesirable because it’s often too complex to understand, inaccessible in group settings, ineffective since people ignore it, illusory because it doesn’t offer real choice, burdensome shifting liability to the individual, can hinder societal interests such as fraud detection, and leads to weak privacy protection.

Q2: What is the role of stewardship in data privacy?

A2: Stewardship in data privacy means that those who collect and use personal data should be responsible for its protection. If something goes wrong, causing harm, they should be liable instead of shifting that liability to the data owner through consent.

Q3: How could we improve the consent process to make it more effective?

A3: To improve the consent process, it should be made meaningful, timely, and effective. For example, providing a just-in-time message that informs users about their data being used, which allows them to make real-time choices about their privacy.

Q4: What did Dr. Alan Weston contribute to the field of privacy?

A4: Dr. Alan Weston wrote "Privacy and Freedom," where he defined privacy as the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. His definition has guided privacy laws worldwide.

Q5: How prevalent are personal data transactions according to recent reports?

A5: A New York Times report from 2017 highlighted that a company you’ve probably never heard of engages in 50 trillion personal data transactions a year, indicating the massive scale at which personal data is bought and sold.