January 28, 2014
Consent in privacy law is dead, the victim of technological developments like Big Data and the Internet of Things--or so the new conventional wisdom goes.
At a workshop held by the Federal Trade Commission in November 2013 on connected devices (the "Internet of Things"), the alleged obsolescence of the Fair Information Practices was a common refrain. Consent was singled out for particularly harsh treatment. Before the conference, the Future of Privacy Forum released a whitepaper arguing for a reimagining of the FIPS by decreasing the role of user control in data collection. And several weeks after the workshop, IAPP's Privacy Perspectives blog featured a post by Eduardo Ustaran declaring that not only was consent "dead," but "continuing to give it a central role is dangerous." Finally, last week, another IAPP blog post echoed the same theme.
Two primary arguments against consent are advanced. First, consent is impractical: in the modern data ecosystem, data is constantly being collected, often by devices with no clear interface. As the FPF whitepaper states, "If the only way to authorize the collection of personal data were based on traditional notice and choice, individuals would be prompted to consent to data collection and use each time they bumped into new connected devices."
Second, conditioning data collection on consent would prevent many socially-beneficial uses of data, because people might say "no." As an example, the FPF whitepaper discusses United Nations Global Pulse, which has used data generated by mobile phones to track post-earthquake migration patterns in Haiti.
An initial problem with these arguments is their misconception of consent. Consent has never been conceived of as a universal prerequisite to data processing. Rather, the role of consent has been understood to vary with context. The 1973 HEW Report--the first articulation of the FIPs--embodied this understanding by tying the requirement of "informed consent" to the presence of "individually identifiable data." The Report discussed traditional conceptions of privacy centered on secrecy and control, and noted that:
Each of the [traditional definitions], however, speaks of the data subject as having a unilateral role in deciding the nature and extent of his self-disclosure. None accommodates the observation that records of personal data usually reflect and mediate relationships in which both individuals and institutions have an interest, and are usually made for purposes that are shared by institutions and individuals. In fact, it would be inconsistent with this essential characteristic of mutuality to assign the individual record subject a unilateral role in making decisions about the nature and use of his record. To the extent that people want or need to have dealings with record-keeping organizations, they must expect to share rather than monopolize control over the content and use of the records made about them.(Emphasis added).
Consent, properly understood, has a flexibility that ensures its relevance in contemporary society. One example is the treatment of individually identifiable data discussed in the HEW Report. Where personally identifiable information is involved, privacy risks are compelling; where de-identified or aggregate data is involved, privacy risks are lessened, and something less than informed consent may be appropriate. Thus, consent needs no modification to accommodate the social benefits of data. Google Flu Trends, United Nations Global Pulse, and Street Bump involve aggregate data for which the impact on privacy is low.
Moreover, the argument from impracticability assumes an uneven pattern of technological development that seems implausible. If we imagine the world of data as one of limitless possibility, why not do the same for interface design? Surely some of the ubiquitous connectivity promised by the Internet of Things could be directed to a smart phone or other device with a usable interface. Indeed, such developments are already occurring. The Internet of Things might even facilitate data "tagging" that allows for the convenient expression of privacy preferences.
It is also worth asking what role these arguments play in public discourse. Who benefits? While consumers like cool things and want their products and services to function, they are not exactly clamoring for disempowerment regarding the management of their personal data. On the other hand, I'm sure Google and the NSA love hearing about the futility of closing the data floodgates.
Of course, a closer look reveals that not even the boldest commentators truly believe in the death of consent. Ustaran's blog post ends by suggesting that the law "put the onus on those who want to exploit our information by assigning different conditions to different degrees of usage, leaving consent to the very few situations where it can be truly meaningful." The FPF whitepaper also approves of "provid[ing] appropriate controls over those practices that should be forestalled or constrained by appropriate consent." New technologies may very well require revisions to existing frameworks--indeed, several are being developed. Absent a serious alternative framework, however, bold proclamations about the demise of consent merely provide cover for the invasive practices of corporations and government entities.