Most of us can say, with reasonable confidence, which digital services we have signed up to and so expect to be using our data. But can you recall with the same confidence every company you have given consent to use your data as you pass through a website or sign up to a ‘free’ service? Consider as well: have you read the privacy notices you have encountered in detail? Have you looked through the list of entities (if they are explicitly listed at all) that your data may be passed to if you consent? Do you have any indication of how your shared data will be used?
The reality here may surprise you. Many businesses will have been able to obtain something that passes for consent via click-throughs, relying on what you haven’t read about ‘our partners’. Worse still, if your data has become part of a data set that’s sold on by data brokers (something you consented to without realising), you may have lost control of that data – even if the receiver does what they should and provides you with a privacy notice.
All in all, consent is an excuse for someone to process your data when you don’t have any other relationship with them and processing it benefits them and not you.
The ICO will tell you that each of the six bases for processing (contract, legal obligation, vital interests, public task, legitimate interest, and consent) is equally valid – and, of course, legally they are. However, from a personal sovereignty perspective, I would argue consent is weak and provides a legalised avenue for the unscrupulous to profit. The GDPR was supposed to bring in the concept of informed consent, where a data processor needs to show that you have taken an explicit action and made a real choice – but in the real world, nobody reads all the legal notices (assuming they contain all the devilish detail you actually need). Moreover, data sharing has grown into a complex web between organisations that operate effectively in the background, without real visibility to citizens, which makes it practically impossible to present this information to a person in an understandable way in a simple privacy notice.
I would argue therefore that we should make a break from consent as a basis.
If a commercial organisation is processing your data, they should be providing you with some useful benefit. They should sign a contract and give you something in return – it shouldn’t just be your data providing benefit to them.
If you are a commercial organisation, you can help the community improve their data sovereignty by moving away from consent as your basis and looking to offer a service as an equal exchange. If your organisation cannot move away from consent, consider helping by improving the transparency of what you are doing with people’s data, ensuring everyone has received a proper privacy notice.
As individuals, we can work to improve the ownership and sovereignty of our data by lobbying authorities to be tighter on when and how consent is used as a basis for processing. We can also let our regulators know we want them to be much stricter in ensuring that, when consent is used, it is only on a demonstrably informed basis and that our data does not remain forever in the hands of those we did not intend to have it.