Selling your soul while negotiating the conditions: from notice and consent to data control by design

Original Paper
Part of the following topical collections:
  1. Privacy and Security of Medical Information

Abstract

This article claims that the Notice and Consent (N&C) approach does not efficiently protect the privacy of personal data. On the contrary, N&C could be seen as a license to freely exploit the individual’s personal data. For this reason, legislators and regulators around the world have been advocating for different and more efficient safeguards, notably through the implementation of the Privacy by Design (PbD) concept, which is predicated on the assumption that privacy cannot be assured solely by compliance with regulatory frameworks. In this sense, PbD affirms that privacy should become a key concern for developers and organisations alike, thus permeating new products and services as well as the organisational modi operandi. In this paper, we aim to uncover evidence of the inefficiency of the N&C approach, as well as the possibility of further enhancing PbD, in order to provide the individual with increased control over her personal data. The paper aims to shift the focus of the discussion from “take it or leave it” contracts to concrete solutions aimed at empowering individuals. As such, we are putting forth the Data Control by Design (DCD) concept, which we see as an essential complement to the N&C and PbD approaches advocated by data-protection regulators. The technical mechanisms that would enable DCD are currently available (for example, User Managed Access (UMA) v1.0.1 Core Protocol). We, therefore, argue that data protection frameworks should foster the adoption of DCD mechanisms in conjunction with PbD approaches, and privacy protections should be designed in a way that allows every individual to utilise interoperable DCD tools to efficiently manage the privacy of her personal data. After having scrutinised the N&C, PbD and DCD approaches, we discuss the specificities of health and genetic data, and the role of DCD in this context, stressing that the sensitivity of genetic and health data requires special scrutiny from regulators and developers alike.
In conclusion, we argue that concrete solutions allowing for DCD already exist and that policy makers should join efforts with other stakeholders to foster the concrete adoption of the DCD approach.

Keywords

Notice and consent; Privacy by design; Data control by design; Data protection; Health data

Copyright information

© IUPESM and Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. Center for Technology & Society, Fundação Getulio Vargas (FGV), Rio de Janeiro, Brazil
  2. University of Malmö, Malmö, Sweden
  3. Universidade do Estado do Rio de Janeiro, Rio de Janeiro, Brazil