The deluge of e-mails in your inbox requesting your consent makes it feel like GDPR (General Data Protection Regulation) is going to change everything and that no one will be able to gather data without our consent anymore – the truth, however, is much more complicated.
For a start it is likely that many of the e-mails for consent that you are receiving are either unnecessary or unlawful. Unnecessary because they already have your valid consent, or illegal because they have never had your consent to communicate with you.
GDPR is a great move forward for our digital rights – especially as a tool to help increase collective bargaining power, by specifically allowing class actions and third party representation, and providing for meaningful individual recourse when things go wrong, notably the rights to rectification and erasure, coupled with increased fines for those breaching the law based primarily on a percentage of turnover. All this means that companies will be financially interested in protecting our data. It will also mean that the rules governing data collection and protection will be more consistent as global companies may set their default policies to the EU standard to ease compliance with the law.
To test how much change we can expect it’s worth looking at the big guys. Criteo (one of the largest ad-tech firms) have stated that they “expect limited impact of the new regulation, if any, on our clients’ and publisher partners’ ability to work with Criteo”. This is interesting to contrast with the same company’s statement that they would lose a fifth of their revenue due to enhanced default privacy settings implemented in the Safari browser in January 2018. So how can something all about ensuring good data gathering practices have little or no effect on the business of large data brokers?
Firstly some data brokers exempt themselves from the whole legislative framework by claiming “to deal with anonymous data, or deny being a data controller, or structure their operations in order to avoid EU jurisdiction.”
Secondly some firms seek to make use of the ‘legitimate interest’ justification of keeping data, considered by the Information Commissioner’s Office (ICO) to be the ‘most flexible’ option to justify data collection and processing. You can start to get a feel for the breadth of the justification by reviewing whose legitimate interests a company would be allowed to consider. The ICO states that they can include ‘your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits’. The Chief Privacy Officer of the largest data broker in the world, Acxiom, which holds thousands of data points on hundreds of millions of individuals, has publicly stated that “Legitimate interest is the idea that data fuels the economy” with Criteo adding that “…the legitimate interest of the data controller – our clients and publishers – may include direct marketing purposes.”
Thirdly the perceived focus on consent is a bit misleading. The idea of consent obfuscates the fact that the use of data by many companies is clearly not consented to in any meaningful way, and that much of the data gathered is classified as non-personal so as to escape the reach of the Data Protection Act (DPA) and GDPR. And indeed this is all perfectly legal. Indeed the ICO itself has issued a guidance document in order to bust the myth that consent is needed to process personal data. And this makes sense when you think about it. It would not make sense for banks sharing information about potential criminal transactions or insurance companies processing claims to seek consent from all the parties involved. In fact there are six legal bases for processing with consent being one, but this is not accorded any higher status than the alternatives.
It is hard to understand how people can meaningfully consent to sharing data when it is already widely understood that the majority of people do not read terms and conditions and merely click to accept almost anything. Here are some of the things that we already agree to, often without realising: Facebook can do whatever it wants with the photos and information you provide; Netflix have the right to disclose your information publicly; and Spotify have access to basically everything stored in your phone. When you consider the number of entities that we interact with online that seek to capture data and the variety of purposes for which it is being gathered it is almost impossible to imagine how consent can be meaningful. It would require people to read long terms and conditions to authorise the data sharing and potentially require additional permission, along with further terms and conditions, to consent to subsequent uses once the data has been sold or is merely being used for something that was not in the original contract.
People also feel powerless when confronted with decisions about whether to share data. In many cases people really want to use the services of these companies and are unaware of how much data is being collected about them and what is being done with the data. People are also unaware about the purpose of the data gathering. A recent report from Doteveryone found that 45% of people are unaware information they enter on websites and social media can help target ads and 83% are unaware that information can be collected about them that other people have shared. Often even the company gathering the data does not know what it is going to do with the data they gather. It, of course, would not make sense for the company to try to gain the active consent of all the data subjects whose data it is going to analyse for a new purpose – unless we want to severely limit the use of big data.
The market for personal data in many ways relies on customers’ lack of awareness of its functioning to keep working. If a big data world relies on being able to gather all information, and therefore spells the end of an expectation of privacy in our digital lives, then why is the ‘revolution occurring mostly in secret’? While GDPR will help to bring some practices into the open it is debatable how radically it is going to transform the data economy and our relationship to it.