When people talk about personal data, many quickly get ensnared by endless debates about consent: what it means, whether people really understand what they are consenting to, how best to give and get informed consent, and so on.
Consent is meant to empower individuals. To put them in control of their data. But it has become a stick to beat them with. It’s time to move on.
Focusing on consent as the way to solve the problems of personal data is a recipe for frustration and failure. Here are some reasons why.
Organisation centric ‘Consent’ focuses on individuals giving consent to what organisations do with their data. Most discussions about giving individuals ‘control’ is in the context of what organisations do with their data. This is the exact opposite of giving individuals the ability to use/control their own data for their own purposes in their own lives. The debate about consent keeps us stuck in organisation-land — assuming that this is all about ‘what organisations do with our data’ — and never about ‘what we can do with our data’.
Shifting responsibility Consent is a neat way to shift the onus of responsibility for what organisations do with personal data from the organisation to the individual. Once you have signed a consent form, or ticked a box, that’s it! The organisation can now say “if you don’t like it, tough! You agreed to it!”
Hard work Doing consent properly imposes a cognitive and administrative burden on the individual. To give truly informed consent you have to read acres of small print and divine the true meaning of a torrent of legalese designed to confuse and mislead you. And you don’t have to do this just once: given that you’ve probably got a hundred or more data relationships with different organisations, you have to do it 100 times over. (Then, if you can’t be bothered to invest all this time and effort right now and just tick the box so that you can get on with what you were trying to do, whatever you agree to is now your fault and you have no comeback.)
This hard work is futile Investing all this time and effort trying to get ‘informed’ and make informed choices is futile because the way consent has worked so far, you are presented with a long list of things you are being asked to agree to and you either have to agree to them all … or to none. If you want to access the service in question you have to agree anyway! So what’s the point of trying to get informed in the first place?
Gamed to the nth degree Knowing this, corporate lawyers have used to consent to reduce their paymasters’ risks and liabilities and to maximise their freedom of action, throwing as much as they can into their terms and conditions and privacy notices (we can do this with your data, and that, andthis other thing, and …) And, as above, if you want to access the service in question, you have to agree to it all.
Learned helplessness For individuals, the real ‘choice’ created by consent is the choice between investing huge amounts of time and effort trying to get informed and exercise a ‘control’ that is illusory and pointless, or just shrugging your shoulders and saying to yourself ‘whatever!’. Psychologists have a term for this: ‘learned helplessness’ where, knowing there’s nothing you can do really to change things for the better, you give up even trying.
Unnecessary The ridiculous thing is that this whole charade is unnecessary. If you step on aeroplane you are placing your very life at risk, not just some of your data. But we are not asked to sign consent forms every time we step on to a plane. Why not? Because flight operators are simply expected to keep their services as safe as possible. And if something goes wrong they are responsible — not the passengers.
Safe by default
In previous posts we’ve argued that the biggest problem with personal data today is not the policies organisations adopt in collecting and using individuals’ data. It goes deeper than that, to the very structure of the system — to the fact that organisations have a monopoly on the ability to collect and use personal data in the first place. To get personal data onto a positive, truly value-creating footing, individuals also need to be able to collect and use their own data for their own purposes.
To be able to do this, we continued, every individual should be provided with their own personal data store. The provision of such services isn’t just about offering a new service or app. It’s the creation of a new piece of infrastructure — akin to a national grid for electricity, or the internet — which means that individuals become the ‘magnet’ around which all their data is aggregated, organised, curated and shared.
But where does that leave organisations wanting to collect and use data? And where does that leave consent?
The other side of the coin of a new infrastructure for personal data empowerment is Safe By Default. By this, we mean that when individuals provide organisations with data they should ‘just know’ that their data will be safe with that organisation without having to navigate an obstacle of arcane legalese. Just as, when you get on a plane, you ‘just know’ that you will arrive at your destination safely (and that if this doesn’t happen there will be all hell to pay).
People often say that personal data is incredibly complex and then wring their hands endlessly about how difficult it is to create systems to handle all this complexity. It’s true at one level — just as safely flying tons of metal and flesh through the air from one place to another is incredibly complex. But at another level, making personal data seem ever so difficult and complicated is useful for those wanting to pull wool over peoples’ eyes.
At the level of consumer service, flying is incredibly simple. It’s either safe, with all the agreed safety mechanisms and protocols being scrupulously followed, or it’s not. End of story. Personal data can and should be incredibly simple too. That’s what Safe By Default is all about.
Under Safe By Default, individuals would ‘just know’ that when an organisation collects and uses their data, the organisation will:
- only use the data to provide the service in question, and not for any other purposes
- not collect any data that’s not needed to provide this service
- not share the data with anyone else (other than, perhaps, a designated data processor helping provide this service and contractually committed to the same requirements)
- not have to agree to any extra data sharing or use as a condition of accessing a service
That’s it. Incredibly simple. An approach that completely enables any and all organisations to collect and use as much personal data as they need … if (but only if) it’s for the genuine provision of bona fide services. All Safe By Default does is stop organisations using data for purposes other than the provision of bona fide services to individuals (i.e. monetising this data for their own purposes), and stop them using ‘consent’ as a cover for these non-value adding activities.
A couple of points to note about Safe By Default.
First, as with air travel, behind the scenes it might get more complicated. For example, operationally, to make Safe By Default work, individuals would need the (PDS) tools and technologies that enable them to keep a record, in one easy-to-use place, of all their data relationships and what the purposes of these relationships are (a consents dashboard) and automatically compare what organisations say about their use of data to what they are actually using it for (smart contract).
- it’s what European legislators originally intended when they first developed European data protection principles. If the collection of data is ‘necessary for the performance of a contract’ it doesn’t require consent under data protection regulations. (Unfortunately, by adding the extra provision of ‘consent’ the EU opened the floodgates of abuse that now dominate the entire personal data environment).
- it fits perfectly with a data infrastructure where each individual has a personal data store, with professional PDS providers enabling ongoing data sharing between individuals and service providers
- it cuts huge amounts of friction and duplication of effort out of the system, making it more efficient as well as safer, and therefore more trustworthy
- it applies as much to Personal Information Management Services (PIMS) using data to provide services on behalf of individuals as to incumbent ‘data controller’ service providers. So, while an energy supplier can and should work on a Safe By Default basis, so should a price comparison service monitoring energy prices across the market on an ongoing basis. In fact, Safe By Default helps and accelerates the growth of PIMS by freeing them from personal data management responsibilities and letting them focus on the use of data for service provision.
The bottom line of this is simple. Really simple. Individuals should be able to collect and use their own data for their own purposes. To do this, they need personal data stores. With a personal data store infrastructure in place, a Safe By Default approach by users of this data could unleash a new burgeoning of service innovation and provision, without any of today’s consent problems dragging it down.
David Alexander FRSA | F.APS
CEO | Platform Architect | Co-Founder | CISO