Every now and again, I have an argument on Twitter with Eduardo Ustaran, Head of Privacy and Information Law at everyone’s favourite law firm Field Fisher Waterhouse (for some reason, I can hear John Williams’ ‘Imperial March’ playing somewhere). Ustaran believes consent is unsuited to the world that we’re living in now, and that for privacy laws to work effectively, different methods are needed to regulate and protect data. I think that consent is just fine, and the problem is that some organisations don’t like obtaining consent because people say no.
It’s obviously a matter of opinion as to whether privacy has to adjust to the needs of the digital world, or whether the digital world has to make concessions to privacy. However, there is a point on which I am certain Ustaran is wrong. He’s far from being the only person who says it (I’ve even heard senior people at the ICO trot out the same nonsense despite what their own guidance says, and Which? do it all the time), but Ustaran is a highly respected figure in the Data Protection and Privacy world, and his views carry weight. Therefore, I think it’s necessary to challenge them. In conversation with someone else, but using the all-important . at the start of his tweet to declare “hey all of my followers, come see this thing I am saying”, Ustaran said this:
Instead, the EU Data Protection Directive sets out a strict test for consent. To use consent as the justification for using, sharing or selling personal data, the organisation must have a ‘freely given, specific and informed indication’ of the subject’s wishes. This is a high bar to clear. You must have had a genuine choice (freely given), you must know what you’re agreeing to (informed), you must have agreed to something that has been properly defined (specific), and you must have done something active (indication). It’s entirely possible to do this without a tick box, but a tick box itself is nothing. There is no question that this makes life difficult for those who don’t have legal powers, obligations or contractual requirements. It makes the private sector’s ability to use data for purposes beyond those necessary for delivering a product or service quite tricky. This is why, years ago, the Information Commissioner’s old Legal Guidance to the Data Protection Act effectively told Data Controllers that consent was a last resort:
“The Commissioner’s view is that consent is not particularly easy to achieve and that data controllers should consider other conditions in Schedule 2… before looking at consent”
There are several options. Rather than relentlessly blaming consent, those involved in obtaining it should look at what that consent is being sought for. Give people simple, meaningful choices. Level with the customer about how the internet is paid for, and how you expect them to pay for your part of it. Consider – and this still seems to be anathema to many – giving the owner of the data a cut of the money you intend to make. Tesco is the subject of much urban myth and paranoia about its ClubCard scheme (admittedly the T&Cs are far from perfect), and yet the business model is simple, sound and optional: they pay you with vouchers and offers for your data. Rather than rewriting reality in search of solutions to the consent problem that (I fear) might be more business than consumer friendly, this is the kind of transparency we should be looking for.