Law in the Internet Society
Second draft

Criticism of the consent logic of the GDPR

Introduction

The European GDPR promotes individuals’ consent as a means of protection against the capture of their personal data. Indeed, consent is one of the six legal grounds that authorize companies to process individuals’ data, along with, for instance, contractual necessity or legitimate interest. Moreover, consent is one of the rare exceptions allowing companies to collect so-called "sensitive" data, including biometric data. Consent is defined by the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data concerning him or her (article 4(11) of GDPR). Regarding specificity, Recital 32 provides that consent should cover all processing activities carried out for the same purpose or purposes and that when the processing has multiple purposes, consent should be given for all of them. In sum, if individuals’ consent is obtained for a specific purpose, it ipso facto justifies the collection of their data for this specific purpose, and frees companies from any other legal justification.

With this definition of consent, the EU has acknowledged the opt-in solution. On the contrary, the American approach – the so-called “notice and choice” model – is characterized by the opt-out solution. This means that users implicitly agree to the collection and use of their data as soon as they use the services of a company, which must, nevertheless, provide for the possibility of withdrawal. If the data subject’s consent, and a fortiori the opt-in consent, seems to be the most protective legal ground of data processing, since emanating directly from individuals, the objective of this essay is to criticize its effectiveness and rationale.

Can opt-in consent protect individuals?

The opt-in logic gives individuals the possibility to consent or not, a priori, to the collection of their data. Yet, conversely, individuals’ consent allows companies to collect whatever they ask for. Therefore, I wonder: does the opt-in logic really allow individuals to manage the collection of their data, or does it rather allow companies to easily extract their consent and hence justify or legitimize the processing of their data?

Platforms’ design choices are often aimed at nudging and influencing people’s consent: it is almost always easier or more attractive to accept rather than to reject cookies. I personally always perceive cookie banners as nuisances to get rid of, and often click mechanically on “accept” without even paying attention to it. I am furthermore convinced that most people do not know what data collection means and implies, or what a “cookie” is, and might identify the word “accept” as a way to be able to navigate the website.

In addition, rather than losing time to go through all the privacy policies I am confronted with every day and to find the hidden sections allowing me to reject the cookies, I find it more convenient to just accept without inquiring. And I am not the only one: according to the BCG Big Data & Trust Consumer Survey conducted in 2015 (pre-GDPR), a third of the 8,000 persons interviewed throughout the world about privacy clauses considered that they do not have time to read them, and two thirds thought that they are too long and too complex. In addition, even though cookie walls have been officially forbidden since the EDPB Guidelines on consent issued in May 2020, numerous websites still use particularly hampering cookie banners that make their rejection a real obstacle course. Moreover, the GDPR does not provide any indication regarding the form that the information given by companies to consumers should take. Hence companies can easily comply with consent’s conditions by giving complex and discouraging privacy policies.

For these reasons, it is in my opinion illusory to believe that people can manage the collection of their data and freely decide to opt in or not. In practice, consent is rather sneakily extracted, and individuals trade their privacy for more convenience – because to “accept” cookies is almost always easier and faster than to reject them – or forfeit their privacy without even realizing they do so, through a mere unconscious click.

Problems generated by the logic of consent

Among the other legal grounds that are strictly framed by the law, consent has the particularity of being at the discretion of the individual and their “free” will. A first problem in this logic is that it contributes to legitimizing invasive behavior collection, because consent gives companies more flexibility than other legal grounds enumerated in the GDPR, such as legitimate interest, which needs to be a minima justified to be used.

A second problem with the logic is that it gives individuals the possibility to consent to the collection and analysis of their behaviors, and hence to consent by mere clicks to forfeit their privacy, autonomy and freedom, to the benefit of the parasite. Therefore, I wonder: should individuals be given the right to forfeit their freedom? In the same logic as the protection of employees in their relations with employers, legislators should protect individuals from consenting to their own subjugation, especially when they are exposed to unbalanced power relations that precisely seek to make them voluntarily participate in their subjugation.

Another problem is that it puts a heavy burden of investigation, and hence the heavy burden of privacy, on individuals. But it should not be the duty of individuals to go through technical privacy clauses whenever they surf on the internet in order to find out whether or not they should consent to this or that collection, or at least to find the hidden section that allows them to say no. The protection of individuals from the harm of behavior collection should not come from individuals themselves, but from an effective legal architecture. It should be the responsibility of regulators to protect individuals from surveillance capitalism – through effective standards defining what is acceptable and what is not in terms of behavior collection, as well as institutions to effectively enforce those standards – rather than giving them the choice to opt in or not.

First draft

Facing the parasite: is consent an instrument of collective submission?

-- By MilanPree - 17 Nov 2020

The European GDPR promotes individuals’ consent as a means of protection against the capture of their personal data. However, if individuals’ consent is obtained, it ipso facto justifies the collection of their data and frees companies from any other legal justification.

Not precisely. GDPR intends to require consent not only for additional collection, but also for each form of use of the data, on the basis of regulated disclosure. That's important to be clear about here.

Moreover, consent is one of the rare exceptions to the collection of so-called "sensitive" data, including biometric data. The objective of this essay is to criticize the relevance of consent, which emerges as a means of collective submission rather than protection.

Consent has no value in practice

According to the GDPR, individuals’ free and informed consent allows companies to collect whatever they want. But this requirement is useless in practice.

Consent is not informed

Informed consent first implies an understanding of the global issues surrounding data and behavior collection. Individuals about to accept being tracked and sampled need to have at least a partial understanding of the reality and meaning of data capture, on their life, and on society as a whole. If not, how can unsuspecting individuals realize how much a simple "accept" click might generate and harm them? Being aware of what is at stake is essential to realize the dangers of clicking. But for the consent to be informed it is then essential to know what each click means in practice, and hence understand technical privacy clauses.

In practice, it is illusory to expect individuals to have such an understanding. In fact, apart from a small minority of savvy people, nobody has a clue, so consent cannot be truly informed. People don’t know what data collection is, what a “cookie” is, what it means to click and hence consent, why it matters not to consent. In addition, due to a huge asymmetry of information, individuals can easily trust companies’ privacy bullshit.

Is this a real statement about how informed consent can work, or a complaint that the way informed consent does work in this domain is different from the nature of informed consent in the delivery of health care, or how fiduciary responsibility works in the provision of financial advisory or legal services? If the former, why is this a different problem than those in the other domains? If the latter, what is the evidence upon which you make this judgment, and how should readers inform themselves, given that you cite nothing whatever, in order to test your conclusion?

Consent is extracted

In addition to the absence of informed consent, one practical problem of consent as protection is that the burden of investigation, and therefore the burden of privacy, is put on individuals. However, it is unrealistic in practice to require individuals to read all the privacy clauses and pop-ups they are confronted with every day. How long would it take? 2 hours? 5 hours? The cost of reading privacy clauses is far too high.

How can these estimates be taken seriously? An average of 2 to 5 hours a day? If the actual number turned out, on the basis of some real data, to be 45 minutes a year or less, would the argument change? If so, where's your data?

This excessive burden placed on individuals makes consent an unfair game, because individuals trade their privacy for more convenience, and we can’t blame them for laziness or consent fatigue: mechanical clicking and privacy carelessness are the norm. Hence, facing the parasite, consent is a quasi-inevitable abdication, fostered by the huge asymmetry of information between the individuals and the company they deal with.

But if, as in GDPR-land, collection and processing occur on an opt-in basis, then fatigued individuals can stop doing consent-work, and the result will be that they are opted out from the collection and processing. You should at least respond to this objection, because it is central to the difference between EU and US approaches.

Therefore, consent appears as an instrument of collective submission rather than protection.

Not shown.

Collective submission is all the easier thanks to platforms’ design choices aimed at nudging and influencing people’s privacy choices, conditioning the consumer to mechanically and instantly “agree” without even paying attention to it, without even realizing it: consent becomes a mere unconscious click. Furthermore, pop-ups and privacy clauses are perceived as nuisances to get rid of: go away pop-up, let me read my article and use my brand-new iPhone. Lastly, consenting appears as a condition for the use of attractive services, transforming the meaning of what one consents to: I do not consent to be tracked, I consent to UberEATS?!

The consent requirement seems irrelevant in theory

The logic of a free and informed consent requirement seems as irrelevant in theory as it is in practice.

Why would free and informed consent be useful?

What is the rationale for the requirement of a free and informed consent? Is the objective simply to give individuals a choice, and thus give them the choice to forfeit their freedom? Or is it the underlying objective, the hoped-for consequence, to enable individuals to trust that their data will be used, stored and shared in a way that is consistent with their interests and the circumstances in which it was collected?

If the objective lies in the latter, it implies that there may be some legitimate data collection that individuals should look for. But this reasoning poses two problems. First, the burden of investigation remains on the individuals, which raises the problems of asymmetry and achievability outlined above. Second, this suggests not only that individuals could trust what they agree to, but that there is some legitimate data collection.

How could individuals trust what they agree to? How can they verify how the company will use and share the data they agreed to give away in a way they deem consistent with their interests and the circumstances in which it was collected? I don’t see how it is possible in practice. Furthermore, suggesting the possible consistency of some data capture amounts to claiming the moral victory of surveillance capitalism.

Should individuals be given the power to consent to their subjugation?

Finally, if the rationale for the requirement of a free and informed consent is to simply give individuals a choice, we give them the choice to say no, but also to say yes. A first problem in this logic is that it contributes to legitimizing invasive and uncontrolled data collection, because consent could give companies carte blanche.

A second problem with this logic is that individuals are given the choice to forfeit their freedom. But contract law shouldn’t allow individuals to consent to their own subjugation, especially when exposed to unbalanced power relations that precisely seek to make them voluntarily participate in their subjugation. Through the same logic as the protection of employees in their relations with employers, the protection of the individuals from the parasite must prompt states to safeguard human beings from the harm of surveillance capitalism.

Therefore, the logic of consent is irrelevant and dangerous because it enables and encourages the parasite to organize, favor and tilt the voluntary submission of individuals to its unbridled and liberticidal consumption. This voluntary submission is all the easier due to the lack of awareness and knowledge individuals have.

The goal of this draft seems to be to ignore the criticisms of consent that I offered at length in the course and to replace them with other arguments. One route to improvement would be to explain why the arguments I made aren't worth acknowledging, or why if they are acknowledged they are shown to be false or unimportant. Another route to improvement would be to make your analysis of GDPR more accurate, and to provide some of the evidence upon which your judgments depend. It would also be helpful to explain why "submission" is the correct concept to describe users' relationship to opt-in agreements for data collection and management. It would be useful to contrast GDPR approaches to consent with the other global regimes, to locate the EU concepts against the background. I am not an admirer of GDPR or a believer in the principle of consent, as I discussed at length in the course, but to my eye this draft fails to take into account what the drafters of GDPR intended and achieved.



r4 - 06 Jan 2021 - 23:13:55 - MilanPree
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.