Law in the Internet Society

View   r2  >  r1  ...
SoichiroKatayamaSecondEssay 2 - 01 Jan 2022 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="SecondEssay"
Deleted:
<
<
 
Deleted:
<
<
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.
 

How can we really protect personal data from malicious companies?

Line: 39 to 37
 GDPR and other similar privacy acts already restrict companies’ way of getting consent . For example, GDPR Article 7 states (i) Consent needs to be freely given, (ii) Consent needs to be specific, per purpose, (iii) Consent needs to be informed, (iv) Consent needs to be an unambiguous indication, (v) Consent is an act: it needs to be given by a statement or by a clear act, (vi) Consent needs to be distinguishable from other matters, (vii) The request for consent needs to be in clear and plain language, intelligible and easily accessible. While this restriction is helpful, it is doubtful whether companies are complying – especially whether “Consents are freely given” is questionable. For example, sales clerks at clothes stores sometimes ask customers to fill in some form that request their personal data right before purchase. Obviously, the data is not strictly necessary for customers to buy clothes (i.e. core service), but consumers tend to provide consent to get their purchase done without thinking a lot. In order to make sure that consents are freely given, I think we should make companies always remind users that they don’t have to consent (i.e. not take-or-leave)
Added:
>
>
I don't understand the concept of prohibiting people from voluntarily giving information to other parties unless obliterating the concept of freedom of expression is intended. What is the point of imagining a political consensus for such an outcome?

 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

SoichiroKatayamaSecondEssay 1 - 08 Dec 2021 - Main.SoichiroKatayama
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="SecondEssay"

It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

How can we really protect personal data from malicious companies?

1.Background

Netflix documentary The Great Hack begins with a key message “Data has surpassed oil as the world’s most valuable asset.”. There is no doubt that almost all companies are motivated to collect users’ data to generate revenue. In the meantime, it is not always true that users take care of their “most valuable” personal data in the same level with other valuable staff such as their jewelry. For example, when they find an attractive app advertised in Facebook, a typical pattern seems to be as follows:

1. Consider whether the app deserves downloading by checking whether their friends put “Like it”; 2. (If yes) Rush to download the app; 3. Click “consent” button for data privacy policy/cookie etc. without bothering reading them; and 4. Start interacting with the app.

When they start interacting with the app, they usually have already forgotten whether they clicked “consent”. Even if they manage to remember that they did click “consent”, most of them can’t tell whether such consent was on the matter strictly necessary for the performance of the app or against functionality. However, importantly, it does not necessarily mean that they don’t care about the value of their personal data. Rather, they usually do care and have no desire to voluntarily share their data with third parties, while they (no matter how much educated on privacy issues) just don’ want to bother thinking about the consequence of their consents and reading annoying data policy statements (even if they are clear, plain, and specific). They seem to be giving up by thinking like “if you start think about what-ifs, there is no ending to it”. At least I often feel in this way. Assuming this understanding is correct, I will briefly discuss the feasibility of the following four intentionally drastic approaches (2-4) to protect their personal data.

2. To make it illegal for users to give consent on sharing their personal data

Free choice, autonomy and self-determination are one of the most important rights of people. However, in many countries, consent on voluntary euthanasia is not permitted (and even if permitted, it is under limited conditions) by laws. There are some reasons for this prohibition, but main argument is that such consent is against the public interest and actually diminishes individual choice and self-determination by death. Question here is whether the same prohibition should apply to personal data. In other words, should free choice and self-determination be outweighed by protection of personal data? In my opinion, since personal data is still something people should freely dispose of, because disposal is not against public interest nor eventually diminishes individual’s choice.

3. To make it illegal for companies to seek users’ consent on sharing any personal data

Next question is whether we should completely prohibit companies from seeking users’ consent on sharing any personal data. My opinion is “No, it does not work”. If companies can’t seek users’ consent, then they can’t provide the services which require users’ data for the performance of the service (e.g. online sellers can’t process a transaction without buyers’ credit card information). This eventually leads to restriction of freedom for users to enjoy the services. One alternative approach is to prohibit companies from seeking users’ consent on sharing (not all but only) personal data which is not necessary for the performance of the core service (e.g. to prohibit a mobile app for photo editing from asking its users to have their GPS localization activated, which is not necessary for the performance of the “core” service). I think this approach is worthwhile to consider, but we should strictly categorize the cases where personal data is not necessary for the performance of the core service. If personal data is helpful for advanced service (though it is not strictly necessary for the performance of the core service) (e.g. sharing users GPS location information to easily find an Uber driver V.S. sharing purchase information with Facebook for target advertisement), then I think users should have rights to consent. Otherwise, users can’t enjoy advanced function and companies are demotivated to develop advanced services.

4. To make it illegal for companies to bargain their service for collecting personal data

There are lot of services/apps which offer (not related) additional benefits for users who provide some personal data (e.g. an automobile company provides free maintenance service if customers provides driving record). This effectively means the company bargain their service for getting customers’ personal data. Since the value of personal data is unlimited and it is difficult for even users to correctly appreciate their data’s value, (though disadvantage for customers is that they can’t enjoy additional benefits) it is worthwhile to consider to prohibit this bargain regardless of customers’ consent.

5. To make companies always remind users that “they don’t have to click consent button”

GDPR and other similar privacy acts already restrict companies’ way of getting consent . For example, GDPR Article 7 states (i) Consent needs to be freely given, (ii) Consent needs to be specific, per purpose, (iii) Consent needs to be informed, (iv) Consent needs to be an unambiguous indication, (v) Consent is an act: it needs to be given by a statement or by a clear act, (vi) Consent needs to be distinguishable from other matters, (vii) The request for consent needs to be in clear and plain language, intelligible and easily accessible. While this restriction is helpful, it is doubtful whether companies are complying – especially whether “Consents are freely given” is questionable. For example, sales clerks at clothes stores sometimes ask customers to fill in some form that request their personal data right before purchase. Obviously, the data is not strictly necessary for customers to buy clothes (i.e. core service), but consumers tend to provide consent to get their purchase done without thinking a lot. In order to make sure that consents are freely given, I think we should make companies always remind users that they don’t have to consent (i.e. not take-or-leave)


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Revision 2r2 - 01 Jan 2022 - 20:37:28 - EbenMoglen
Revision 1r1 - 08 Dec 2021 - 05:52:53 - SoichiroKatayama
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM