nach oben

Ethics and Information Technology

Erschienen in:

01.06.2014 | Original Paper

The crisis of consent: how stronger legal protection may lead to weaker consent in data protection

verfasst von: Bart W. Schermer, Bart Custers, Simone van der Hof

Erschienen in: Ethics and Information Technology | Ausgabe 2/2014

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this article we examine the effectiveness of consent in data protection legislation. We argue that the current legal framework for consent, which has its basis in the idea of autonomous authorisation, does not work in practice. In practice the legal requirements for consent lead to ‘consent desensitisation’, undermining privacy protection and trust in data processing. In particular we argue that stricter legal requirements for giving and obtaining consent (explicit consent) as proposed in the European Data protection regulation will further weaken the effectiveness of the consent mechanism. Building on Miller and Wertheimer’s ‘Fair Transaction’ model of consent we will examine alternatives to explicit consent.

Vorheriger Artikel From open-source software to Wikipedia: ‘Backgrounding’ trust by collective monitoring and reputation tracking

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

See article 7a of Directive 95/46/EC of the European Parliament and the European Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

By an effective consent we mean a consent that fulfills its moral and societal requirements.

See for instance: Pollach (2007), Acquisti (2009), Böhme and Köpsell (2010), Adjerid et al. (2013) and Solove (2013).

Privacy statement, privacy policy and privacy notice are used interchangeably in practice and in literature. We will use the term privacy policy when we mean the privacy principles and procedures of data controllers. We will use the term privacy notice to describe the document that explains these policies to data subjects.

Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25.1.2012 (com)2012 final, article 4(8) jo article 7.

An element that is not included in the requirements set forth by Faden and Beauchamp is that of legal and moral authority. For a consent transaction to be morally transformative, the person who consents must have the moral and/or legal authority to give the consent. For instance: I may consent to one of my friends taking the crown of Her Majesty the Queen of England, but since I have no authority over her property, the consent will do little to change the act from a theft to a legitimate action.

Alice’s action can also be construed as an inaction (failing to close the door).

See for instance: Oregon Revised Statutes, Vol. 17, Chapter 813 §135.

See, for instance, article 8 of the European Convention of Human Rights.

The ethics of consent are discussed in far more depth in relation to bioethics and medicine. In these contexts the term informed consent is generally used.

Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent p. 25.

Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent.

The Article 29 Working Party is the body of national data protection authorities set up under article 29 of Directive 95/46/EC.

Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent, p. 11.

Explanatory statement accompanying the Regulation proposal, p. 8.

For readability, we shall use the term ‘explicit consent’ when we mean both ‘unambiguous’ and/or ‘explicit’ consent.

There is also anecdotal evidence that data subjects seldom read terms and conditions and privacy notices. One entertaining example is the site Gamestation.co.uk that asked its users consent for the transfer of their immortal souls to Gamestation via its terms and conditions. 88 % consented to the transfer of their immortal souls. See: http://www.huffingtonpost.com/2010/04/17/gamestation-grabs-souls-o_n_541549.html. See also the related discussion in Nissenbaum (2011).

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

See for instance: http://www.dutchnews.nl/news/archives/2013/05/dutch_cookie_law_to_be_watered.php Interestingly, actual consumer behaviour in this area seems to contradict the findings in many surveys that consumers do want to be informed about data processing (see e.g., McDonald and Lowenthal 2013, p. 345). It might well be that there is a difference between professed user attitude in surveys and their actual behaviour. Furthermore, most research on consumer attitudes in privacy do not actually ask how and when this information should be presented.

See for instance: Brockdorff, N., Appleby-Arnold, S. (2013), What consumers think, EU CONSENT Project, Workpackages 7 and 8.

For examples of how personal data may be processed (with or without consent) see, for instance, Nissembaum (2011), Solove (2011) and Zarsky (2003).

There is a growing trend towards free online services. In the app market for instance there are less and less paid apps. Instead, app developers rely on ad-support or in-app purchases. See: http://blog.flurry.com/bid/99013/The-History-of-App-Pricing-And-Why-Most-Apps-Are-Free.

Research indicates that already most users (between 70 and 80 %) don’t bother to read privacy policies. See for instance Internetsociety (2012).

Article 79 of The Commission proposal for the General Data Protection Regulation. The amended proposal of the European Parliament, that was voted on by the LIBE Committee in October 2013, contains even higher penalties of up to 5 % of the annual turnover.

For a good overview see, Solove (2013).

In those cases where consent is needed, privacy notions should be improved along the lines discussed in the literature described above (e.g., shorter notices, more visceral notices, more human readable).

For a good discussion on the fairness of the use of personal data for marketing purposes see: Calo 2013.

An example could be that a person would allow the processing of personal data for a credit check, but that this same data would be used later on for dynamic pricing (e.g., setting a higher price for someone with a high credit score).

Acquisti, A. (2009), Nudging privacy: The behavioral economics of personal information. Security & Privacy Economics. November/December 2009.

Acquisti, A., Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Security & Privacy. January–February, 24–30.

Adjerid, I., Acquisti, Brandimarte, L. & Loewenstein, G. (2013). Sleights of privacy: Framing, disclosures, and the limits of transparency. SOUPS ‘13 Proceedings of the ninth symposium on usable privacy and security, Article No. 9.

Böhme, R. & Köpsell, S. (2010), Trained to accept?: A field experiment on consent dialogs. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2403–2406.

Brockdorff, N. & Appleby-Arnold, S. (2013). What consumers think, EU CONSENT Project, Workpackages 7 & 8.

Calo, M. R. (2012), Against notice skepticism in privacy (and Elsewhere), 87 Notre Dame Law Review 1027.

Calo, M. R. (2013), Digital market manipulation, University of Washington School of Law Research Paper No. 2013-27; 2013-08-15.

Custers, B. H. M. (2001). Data mining and group profiling on the internet. In Anton. Vedder (Ed.), Ethics and the internet (pp. 87–104). Antwerpen: Intersentia.

Custers, B. H. M. (2012). Predicting data that people refuse to disclose; how data mining predictions challenge informational self-determination, Privacy Observatory Magazine, Issue 3.

Custers, B., Van der Hof, S., Schermer, B., Appleby-Arnold, S., & Brockdorff, N. (2013). Informed consent in social media use. The gap between user expectations and EU personal data protection law. Journal of Law and Technology, 10(4), 435–457.

Faden, R., & Beauchamp, T. L. (1986). A history and theory of informed consent. New York: Oxford University Press.

Hurd, H. M. (1996). The moral magic of consent. Legal Theory, 2, 121.CrossRef

Internet Society. (2012). Global internet user survey, summary report. http://www.internetsociety.org/sites/default/files/rep-GIUS2012global-201211-en.pdf. Accessed February 14, 2014.

Jolls, C., & Sunstein, C. (2006). Debiasing through law. The Journal for Legal Studies, 35(1), 199.CrossRef

Kleinig, J. (2010). The nature of consent. In The ethics of consent: Theory and practice (Miller & Wertheim, ed.), New York: Oxford University Press.

Kosinski, M., Stillwell, D. & Graepel T. (2013), Private traits and attributes are predictable from digital records of human behavior. PNAS Early Edition.

McDonald, A. M. & Cranor, L. F. (2010). The cost of reading privacy policies.

McDonald, M., & Lowenthal, T. (2013). Nano-notice: Privacy disclosure at a mobile scale. Journal of Information Policy, 3(2013), 331–354.

Miller, F. G. & Wertheim, A. (2010). Preface to a theory of consent: beyond valid consent. In The ethics of consent: Theory and practice (Miller & Wertheim, ed.), New York: Oxford University Press.

Miller, F. G., & Wertheim, A. (2011). The fair transaction model of informed consent: An alternative to autonomous authorization. Kennedy Institute of Ethics Journal, 21(3), 201.CrossRef

Nissenbaum, H. (2011). A contextual approach to privacy online. Daedalus, 140(4), 32–48.CrossRef

Pollach, I. (2007). What’s wrong with online privacy policies? Communications of the ACM, 50(9), 103–108.CrossRef

Rawls, J. (1999). A theory of justice (revised edition). Oxford: Oxford University Press.

Solove, D. J. (2011). Nothing to hide; The false tradeoff between privacy and security. New Haven: Yale University Press.

Solove, D. J. (2013). Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1880–1903.

van den Berg, B., & van der Hof, S. (2012). What happens to my data? A novel approach to informing users of data processing practices. First Monday, 17(7), 2.

Westin, A. F. (1967). Privacy and freedom. New York: Atheneum Press.

Zarsky, T.Z. (2003). Mine your own business. Yale Journal of Law & Technology,5(1), Article 1.

Titel: The crisis of consent: how stronger legal protection may lead to weaker consent in data protection
verfasst von: Bart W. Schermer
Bart Custers
Simone van der Hof
Publikationsdatum: 01.06.2014
Verlag: Springer Netherlands
Erschienen in: Ethics and Information Technology / Ausgabe 2/2014
Print ISSN: 1388-1957
Elektronische ISSN: 1572-8439
DOI: https://doi.org/10.1007/s10676-014-9343-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 2/2014

From open-source software to Wikipedia: ‘Backgrounding’ trust by collective monitoring and reputation tracking

A meta-ethical approach to single-player gamespace: introducing constructive ecumenical expressivism as a means of explaining why moral consensus is not forthcoming

Green is good but is usability better? Consumer reactions to environmental initiatives in e-banking services

The relationships among consumers’ ethical ideology, risk aversion and ethically-based distrust of online retailers and the moderating role of consumers’ need for personal interaction

A confluence of new technology and the right to water: experience and potential from South Africa’s constitution and commons

Brain simulation and personhood: a concern with the Human Brain Project

Premium Partner