Information Law and the Limitations of Consent

February 8, 2013

Although data protection law is claimed to be based on a fundamental human right of the privacy of the individual, the complexities of the balance between information that ought to be legitimately held about us and what is excessive or illegitimate is often lost. I think my frustrations arise as the application of this principle often does not take into account the practicalities of the massively increased collection of data and the implications for the privacy of individuals.

Whilst privacy may well be a theoretical and desirable aspiration, in practice snippets of information are being collected about us all the time. This accumulation of snippets of information enables profiling in a wide variety of areas giving an extensive understanding of individuals in a wide range of areas. There does not need to be any release of data in these circumstances. We feel uncomfortable being aware that organisations know a great deal about us just from snippets of data that we provide in day-to-day life.

These snippets can be details of our purchases in the supermarket, aggregated through “loyalty cards”, our internet browsing habits and our online purchasing record with particular vendors. In London it can be our travel records and travel patterns through the use of our Oyster cards. The sign-up terms and conditions for retail loyalty cards enable the retailer to keep track of purchases and to “profile” the members for targeted offers. Now that payment by credit and debit card is so prevalent, are loyalty card schemes still so important or can retailers retain details of purchases made by credit and debit cards in any case?

There is a paradox through ignorance. Apparently, one of the reasons – not the sole reason I am sure – for the success of “50 Shades of Grey” has been the extent of its download sales. Purchasers like the fact that they cannot be identified in a public place reading that novel, they’re just reading something on their Kindle. However, the fact that they have downloaded the novel will be logged on to the vendor’s systems as their purchase. It will be added to their profile for commercial marketing purposes and the download log could be requested by public authorities for law enforcement purposes. If they had bought the book for cash, read it and thrown it away, no-one would be any the wiser.

There is next to no real privacy in the online world. IT systems can keep track of our online movements at virtually every stage in the process, if not at every stage in the process. From keeping track of our web-page access, the web-searches that we make, and our online payments. The apparent anonymity of the online world is an illusion

The data protection position that we are entitled to the non-disclosure of personal information that is held about us may no longer be a sufficient right. As well as the commercial consequences of extensive profiling of individuals, a recent Google Transparency report shows that Google frequently discloses extensive amounts of personal information to civil justice bodies when they are required to do so in the course of a criminal investigation. Few of us would argue against the disclosure of information for law enforcement purposes but we may be surprised at the extent of the information that is held about us that can be disclosed by these commercial entities.

The EU data protection approach is to require data controllers to obtain consent from the data subjects for the scope of the processing of the data that is held about them. The recent EDRI guide on basic data protection issues emphasises that the consent provided by data subjects must be “explicit, specific and well-informed”.

In a theoretical EU data protection world, that may be attainable. In the real world, this is rarely the case – or more parochially and quite frankly “dream on”. We all accept terms of use almost daily, without reading the small print, which in most cases is probably so obscure that it is almost unintelligible, giving consent to the use of our data without reviewing or checking how extensive that consent might be.

Greater focus is needed on the scope and nature of the consents that can be required from data subjects. To a certain degree, the marketplace gives some basic measure of protection. The recent public outcry over the new Instagram terms for photo uploads indicates that there are some basic limits that data subjects will not tolerate in their consent requirements.

Some years ago I mulled over the possibility of a set of “Privacy Commons” that would establish basic sets of usage rights over personal data in much the same way that the Creative Commons licence terms do for copyright works. It seems to me that the issue remains as important as ever – if not more so.

“Big data” and the relatively easy accumulation and storage of massive amounts of data about us, together with the profiling for personal information from that data should concern us all.

This is one of the themes that Professor Nigel Shadbolt will be focussing on in his SCL Annual Lecture in March. Professor Shadbolt is a key proponent of “open data” and is a Founder of the Open Data Institute. It will be interesting to hear what Professor Shadbolt has to say about the limits on the openness of data and what we – as IT lawyers –ought to be doing to make sure that our personal data is used appropriately.