Facing the parasite: is consent an instrument of collective submission?

-- By MilanPree - 17 Nov 2020

The European GDPR promotes individuals’ consent as a means of protection against the capture of their personal data. However, if individuals’ consent is obtained, it ipso facto justifies the collection of their data and frees companies from any other legal justification.

Not precisely. GDPR intends to require consent not only for additional collection, but also for each form of use of the data, on the basis of regulated disclosure. That's important to be clear about here.

Moreover, consent is one of the rare exceptions to the collection of so-called "sensitive" data, including biometric data. The objective of this essay is to criticize the relevance of consent, which emerges as a means of collective submission rather than protection.

Consent has no value in practice

According to the GDPR, individuals’ free and informed consent allows companies to collect whatever they want. But this requirement is useless in practice.

Consent is not informed

Informed consent first implies an understanding of the global issues surrounding data and behavior collection. Individuals about to accept being tracked and sampled need to have at least a partial understanding of the reality and meaning of data capture, on their life, and on society as a whole. If not, how can unsuspecting individuals realize how much a simple "accept" click might generate and harm them? Being aware of what is at stake is essential to realize the dangers of clicking. But for the consent to be informed it is then essential to know what each click means in practice, and hence understand technical privacy clauses.

In practice, it is illusory to expect individuals to have such an understanding. In fact, apart from a small minority of savvy people, nobody has a clue, so consent cannot be truly informed. People don’t know what data collection is, what a “cookie” is, what it means to click and hence consent, why it matters not to consent. In addition, due to a huge asymmetry of information, individuals can easily trust companies’ privacy bullshit.

Is this a real statement about how informed consent can work, or a complaint that the way informed consent does work in this domain is different from the nature of informed consent in the delivery of health care, or how fiduciary responsibility works in the provision of financial advisory or legal services? If the former, why is this a different problem than those in the other domains. If the latter, what is the evidence upon which you make this judgment, and how should readers inform themselves, given that you cite nothing whatever, in order to test your conclusion?

Consent is extracted

In addition to the absence of informed consent, one practical problem of consent as protection is that the burden of investigation, and therefore the burden of privacy, is put on individuals. However, it is unrealistic in practice to require from individuals to read all the privacy clauses and pop-ups they are confronted to every day. How long would it take? 2 hours? 5 hours? The cost of reading privacy clauses is far too high.

How can these estimates be taken seriously? An average of 2 to 5 hours a day? If the actual number turned out, on the basis of some real data, to be 45 minutes a year or less, would the argument change? If so, where's your data?

This excessive burden placed on individuals makes consent an unfair game, because individuals trade their privacy for more convenience, and we can’t blame them for laziness or consent fatigue: mechanical clicking and privacy carelessness is the norm. Hence, facing the parasite, consent is a quasi-inevitable abdication, fostered by the huge asymmetry of information between the individuals and the company they deal with.

But if, as in GDPR-land, collection and processing occur on an opt-in basis, then fatigued individuals can stop doing consent-work, and the result will be that they are opted out from the collection and processing. You should at least respond to this objection, because it is central to the difference between EU and US approaches.

Therefore, consent appears as an instrument of collective submission rather than protection.

Not shown.

Collective submission is all the easier thanks to platform’s design choices aimed at nudging and influencing people’s privacy choices, conditioning the consumer to mechanically and instantly “agree” without even paying attention to it, without even realizing it: consent becomes a mere unconscious click. Furthermore, pop-up and privacy clauses are perceived as nuisances to get rid of: go away pop-up, let me read my article and use my brand-new iPhone. Lastly, consenting appears as a condition for the use of attractive services, transforming the meaning of what one consent to: I do not consent to be tracked, I consent to UberEATS? !

The consent requirement seems irrelevant in theory

The logic of a free and informed consent requirement seems as irrelevant in theory as it is in practice.

Why would free and informed consent be useful?

What is the rationale for the requirement of a free and informed consent? Is the objective simply to give individuals a choice, and thus give them the choice to forfeit their freedom? Or is it the underlying objective, the hoped-for consequence, to enable individuals to trust that their data will be used, stored and shared in a way that is consistent with their interests and the circumstances in which it was collected?

If the objective lies in the latter, it implies that there may be some legitimate data collection that individuals should look for. But this reasoning poses two problems. First, the burden of investigation remains on the individuals, which raises the problems of asymmetry and achievability outlined above. Second, this suggests not only that individuals could trust what they agree to, but that there is some legitimate data collection.

How could individuals trust what they agree to? How can they verify how the company will use and share the data they agreed to give away in a way they deem consistent with their interests and the circumstances in which it was collected? I don’t see how it is possible in practice. Furthermore, suggesting the possible consistency of some data capture amounts to claiming the moral victory of surveillance capitalism.

Should individuals be given the power to consent to their subjugation?

Finally, if the rationale for the requirement of a free and informed consent is to simply give individuals a choice, we give them the choice to say no, but also to say yes. A first problem in this logic is that it contributes to legitimize invasive and uncontrolled data collection, because consent could give companies carte blanche.

A second problem with this logic is that individuals are given the choice to forfeit their freedom. But contract law shouldn’t allow individuals to consent to their own subjugation, especially when exposed to unbalanced power relations that precisely seek to make them voluntarily participate to their subjugation. Through the same logic as the protection of employees in their relations with employers, the protection of the individuals from the parasite must prompt states to safeguard human beings from the harm of surveillance capitalism.

Therefore, the logic of consent is irrelevant and dangerous because it gives and encourages the parasite to organize, favor and tilt the voluntary submission of individuals to its unbridled and liberticidal consumption. This voluntary submission is all the easier due to the lack of awareness and knowledge individuals have.

The goal of this draft seems to be to ignore the criticisms of consent that I offered at length in the course and to replace them with other arguments. One route to improvement would be to explain why the arguments I made aren't worth acknowledging, or why if they are acknowledged they are shown to be false or unimportant. Another route to improvement would be to make your analysis of GDPR more accurate, and to provide some of the evidence upon which your judgments depend. It would also be helpful to explain why "submission" is the correct concept to describe users' relationship to opt-in agreements for data collection and management. It would be useful to contrast GDPR approaches to consent with the other global regimes, to locate the EU concepts against the background. I am not an admirer of GDPR or a believer in the principle of consent, as I discussed at length in the course, but to my eye this draft fails to take into account what the drafters of GDPR intended and achieved.

---

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

• #Set ALLOWTOPICVIEW = TWikiAdminGroup, MilanPree
• #Set DENYTOPICVIEW = TWikiGuest

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.