Data Privacy Day: can we stop informed consent from being an illusion?

Do you feel that you have control over how your data is shared and used? Do you give informed consent or do you feel resigned to giving up your data? This Data Privacy Day, Peter Wells explains what we can all do to help make consent more informed

null

Unless more people can understand terms and conditions, and manage their privacy settings effectively, ‘consent’ may be an illusion. CC BY 2.0, uploaded by Dominic Alves.

The European Union is close to passing an important new regulation that will affect data infrastructure across Europe. Once the EU general data protection regulation (EU GDPR) is made law, all organisations that process personal data for EU citizens will have two years to become compliant.

A new European regulator with strong enforcement powers will be created and those organisations that process personal data will have to implement privacy by design and comply with new rules for informed consent along with many other things.

Depending upon the choices we make, different pieces of personal, commercial and government data may be positioned in different parts of the spectrum of closed, shared and open data.

To build a strong data infrastructure it is as critical that we protect data that needs to be kept private as it is that we openly publish data that should be open for everyone to use and benefit from.

The new regulations are about data protection but they are also about choices. It’s important that we consider the choices that the regulation would restrict and shape.

One of the most important choices we make is around consent. We decide whether or not we consent to give our personal data to an organisation, and we decide whether we consent to the ways in which the organisation proposes to use and share that data.

The illusion of consent

We fear that the sections in the draft EU regulations on consent are based on a false, or even dangerous, assumption: that individual people are able to make rational, informed choices about the use of their data and the way it is shared.

A 2015 report from the University of Pennsylvania concludes that Americans are resigned to giving up their data and believe it is futile to manage what companies learn about them. The study showed that over half of people don’t want to lose control over their data but believe that has already happened. They may feel unhappy about the way a social network shares their data but unable to move away from that network for fear of losing connections with friends and family. They may feel concerned about how government uses their data, while being required to provide it in order to receive welfare payments.

Even when given control over the way their data is used or shared, a significant proportion are not able to manage their privacy settings effectively. A 2011 survey by Skandia showed just 7% of Britons read online terms and conditions. A 2012 Consumer Reports study showed 7.7% of Facebook users in the US have not changed or are unaware of their privacy settings: while this is a small percentage, it’s equivalent to around 13 million people in the US. The UK Government’s Digital Inclusion Strategy estimates that just under 10% of UK adults will never be able to gain basic digital skills. Can we, then, expect people to make rational informed choices about the use of their data?

Unless these issues are resolved then consent may be just an illusion.

Informed consent needs more than regulation

Informed consent is extremely complex. It is not just about regulation, people will require support so they are able to make informed decisions.

Emerging technology-driven approaches, increased organisational transparency over data usage, a competitive market of service providers and improved data literacy will help. Data literacy should be seen as part of the basic digital skills required by individuals, businesses, governments and the third sector.

The new rules that require parental consent for processing data about children will require us to develop better services for granting consent and for countries to determine what age is appropriate for their residents. Parental consent is not easy. Many family relationships are complex and sometimes individuals make decisions with the help of professionals who are not their parents. The parental consent services that will need to be built by online providers will need to cater for these complex situations and geographic variations.

We can help each other, as well. We can work together to create more accessible versions of terms and conditions. We can help our friends, family and neighbours understand their data privacy settings and how their data is used so they can make more informed decisions. We can develop language that is accurate and useful, but simple enough for everyone to understand.

Through all of these activities we may start to remove the illusion and create true consent.

We need an adaptable legal framework and a continuous debate

In such a fast-moving world as that of online services we know that things will change. There should be a continuous and informed public debate about the legal limits on the use and sharing of personal data.

We need a legal framework that is adaptable and iterative to take account of technical and social changes. While we can rest on some underlying principles, many of the decisions that are made about the use and sharing of data are, by necessity, case-by-case decisions. The framework must allow for these decisions to grow into a coherent set of guidelines and regulations that meet the outcomes of that public debate.

We need to debate the choices that we make and those that are made on our behalf by policymakers, regulators and organisations. Work with us to explore these issues and explore solutions or tweet us at @ODIHQ.

Peter Wells is an ODI Associate at the ODI. Follow @peterkwells on Twitter.