How can we really protect personal data from malicious companies?

1.Background

Netflix documentary The Great Hack begins with a key message “Data has surpassed oil as the world’s most valuable asset.”. There is no doubt that almost all companies are motivated to collect users’ data to generate revenue. In the meantime, it is not always true that users take care of their “most valuable” personal data in the same level with other valuable staff such as their jewelry. For example, when they find an attractive app advertised in Facebook, a typical pattern seems to be as follows:

1. Consider whether the app deserves downloading by checking whether their friends put “Like it”; 2. (If yes) Rush to download the app; 3. Click “consent” button for data privacy policy/cookie etc. without bothering reading them; and 4. Start interacting with the app.

When they start interacting with the app, they usually have already forgotten whether they clicked “consent”. Even if they manage to remember it, most of them can’t tell whether such consent was on the matter strictly necessary for the performance of the app or against functionality. However, importantly, it does not necessarily mean that they don't care about the value of their personal data. Rather, they do care, while they (no matter how much educated on privacy issues) just don't want to bother thinking about the consequence of their consents and reading annoying data policy statements (even if they are clear, plain, and specific). They seem to be giving up by thinking like “if you start think about what-ifs, there is no ending to it”. At least I often feel in this way. Assuming this understanding is correct, I will briefly discuss the feasibility of the following three intentionally drastic approaches (2-4) to protect their personal data. However, to be clear, (directly or indirectly) prohibiting people from voluntarily giving information is, on its surface, conflicting with their freedom of expression. Therefore, in the following discussion, I will also note it that the prohibition should work only (i) when protecting their privacy supersedes their freedom of expression (, which is unlikely in this context) or (ii) when the prohibition actually enhances their freedom of expression (e.g. if the personal information is exploited and the minds are hijacked by a third person, then freedom of expression is eventually deprived), works for achieving public compelling interests, and the prohibition is the least restrictive way for the protection.

2. To make it illegal for users to give consent on sharing their personal data

Free choice, autonomy, and self-determination, as well as freedom of expression, are one of the most important rights of people. However, in many countries, consent on voluntary euthanasia is not permitted by laws. Main reason for this is that such consent is against the public interest and actually diminishes individual choice and self-determination by death. The question here is whether the same argument should apply to the prohibition of giving personal data. In other words, should freedom of expression etc. be outweighed by the protection of personal data? In my opinion, the answer is “No”. Such prohibition is directly against freedom of expression and self-determination etc., disposal of the personal data is not against public interest, and their personal data can be protected by other less restrictive ways.

3. To make it illegal for companies to seek users’ consent on sharing any personal data

Next question is whether we should completely prohibit companies from seeking users’ consent on sharing any personal data (, while not prohibit people from voluntarily giving information). . My opinion is "No". If companies can’t seek users’ consent, then they can’t provide the services which require users’ data for the performance of the service (e.g. online sellers can’t process a transaction without buyers’ credit card information). This eventually leads to restriction of freedom for users to enjoy the services, and has an indirect impact on users’ voluntary disclosure (i.e. freedom of expression). One alternative approach is to prohibit companies from seeking users’ consent on sharing personal data which is not necessary for the performance of the core service (e.g. to prohibit a mobile app for photo editing from asking its users to have their GPS localization activated, which is not necessary for the performance of the “core” service). I think this approach is worthwhile to consider, but we should strictly categorize the cases where personal data is not necessary for the performance of the core service. If personal data is helpful for advanced service (e.g. sharing users GPS location information to easily find an Uber driver V.S. sharing purchase information with Facebook for target advertisement), then I think users should have rights to consent. Otherwise, users can’t enjoy advanced function and companies are demotivated to develop advanced services.

4. To make companies always remind users that “they don’t have to click consent button”

GDPR and others already restrict companies’ way of getting consent . For example, GDPR Article 7 states (i) Consent needs to be freely given, (ii) Consent needs to be specific, per purpose, (iii) Consent needs to be informed, (iv) Consent needs to be an unambiguous indication, (v) Consent is an act: it needs to be given by a statement or by a clear act, (vi) Consent needs to be distinguishable from other matters, (vii) The request for consent needs to be in clear and plain language, intelligible and easily accessible. While this restriction is helpful, it is doubtful whether companies are complying – especially whether “Consents are freely given” is questionable. For example, sales clerks at clothes stores sometimes ask customers to fill in some form that request their personal data right before purchase. Obviously, the data is not strictly necessary for customers to buy clothes (i.e. core service), but consumers tend to provide consent to get their purchase done without thinking a lot. In order to make sure that consents are freely given, I think we should make companies always remind users that they don’t have to consent (i.e. not take-or-leave)

I don't understand the concept of prohibiting people from voluntarily giving information to other parties unless obliterating the concept of freedom of expression is intended. What is the point of imagining a political consensus for such an outcome?


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.