The crisis of consent: how stronger legal protection may lead to weaker consent in data protection

  • Original Paper
Ethics and Information Technology

Abstract

In this article we examine the effectiveness of consent in data protection legislation. We argue that the current legal framework for consent, which has its basis in the idea of autonomous authorisation, does not work in practice. In practice, the legal requirements for consent lead to ‘consent desensitisation’, undermining privacy protection and trust in data processing. In particular, we argue that stricter legal requirements for giving and obtaining consent (explicit consent), as proposed in the European Data Protection Regulation, will further weaken the effectiveness of the consent mechanism. Building on Miller and Wertheimer’s ‘Fair Transaction’ model of consent, we will examine alternatives to explicit consent.

Notes

  1. See article 7a of Directive 95/46/EC of the European Parliament and the European Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

  2. By an effective consent we mean a consent that fulfills its moral and societal requirements.

  3. See for instance: Pollach (2007), Acquisti (2009), Böhme and Köpsell (2010), Adjerid et al. (2013) and Solove (2013).

  4. Privacy statement, privacy policy and privacy notice are used interchangeably in practice and in literature. We will use the term privacy policy when we mean the privacy principles and procedures of data controllers. We will use the term privacy notice to describe the document that explains these policies to data subjects.

  5. Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25.1.2012 (com)2012 final, article 4(8) jo article 7.

  6. An element that is not included in the requirements set forth by Faden and Beauchamp is that of legal and moral authority. For a consent transaction to be morally transformative, the person who consents must have the moral and/or legal authority to give the consent. For instance: I may consent to one of my friends taking the crown of Her Majesty the Queen of England, but since I have no authority over her property, the consent will do little to change the act from a theft to a legitimate action.

  7. Alice’s action can also be construed as an inaction (failing to close the door).

  8. See for instance: Oregon Revised Statutes, Vol. 17, Chapter 813 §135.

  9. See, for instance, article 8 of the European Convention of Human Rights.

  10. The ethics of consent are discussed in far more depth in relation to bioethics and medicine. In these contexts the term informed consent is generally used.

  11. Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent p. 25.

  12. Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent.

  13. The Article 29 Working Party is the body of national data protection authorities set up under article 29 of Directive 95/46/EC.

  14. Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent, p. 11.

  15. Explanatory statement accompanying the Regulation proposal, p. 8.

  16. For readability, we shall use the term ‘explicit consent’ when we mean both ‘unambiguous’ and/or ‘explicit’ consent.

  17. There is also anecdotal evidence that data subjects seldom read terms and conditions and privacy notices. One entertaining example is the site Gamestation.co.uk, which asked its users’ consent for the transfer of their immortal souls to Gamestation via its terms and conditions. 88% consented to the transfer of their immortal souls. See: http://www.huffingtonpost.com/2010/04/17/gamestation-grabs-souls-o_n_541549.html. See also the related discussion in Nissenbaum (2011).

  18. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

  19. See for instance: http://www.dutchnews.nl/news/archives/2013/05/dutch_cookie_law_to_be_watered.php. Interestingly, actual consumer behaviour in this area seems to contradict the findings in many surveys that consumers do want to be informed about data processing (see e.g., McDonald and Lowenthal 2013, p. 345). It might well be that there is a difference between professed user attitude in surveys and their actual behaviour. Furthermore, most research on consumer attitudes to privacy does not actually ask how and when this information should be presented.

  20. See for instance: Brockdorff, N., Appleby-Arnold, S. (2013), What consumers think, EU CONSENT Project, Workpackages 7 and 8.

  21. For examples of how personal data may be processed (with or without consent) see, for instance, Nissenbaum (2011), Solove (2011) and Zarsky (2003).

  22. There is a growing trend towards free online services. In the app market, for instance, there are fewer and fewer paid apps. Instead, app developers rely on ad support or in-app purchases. See: http://blog.flurry.com/bid/99013/The-History-of-App-Pricing-And-Why-Most-Apps-Are-Free.

  23. Research indicates that already most users (between 70 and 80%) don’t bother to read privacy policies. See for instance Internet Society (2012).

  24. Article 79 of the Commission proposal for the General Data Protection Regulation. The amended proposal of the European Parliament, which was voted on by the LIBE Committee in October 2013, contains even higher penalties of up to 5% of the annual turnover.

  25. For a good overview see, Solove (2013).

  26. In those cases where consent is needed, privacy notices should be improved along the lines discussed in the literature described above (e.g., shorter notices, more visceral notices, more human readable).

  27. For a good discussion on the fairness of the use of personal data for marketing purposes see: Calo (2013).

  28. An example could be that a person would allow the processing of personal data for a credit check, but that this same data would be used later on for dynamic pricing (e.g., setting a higher price for someone with a high credit score).

References

  • Acquisti, A. (2009), Nudging privacy: The behavioral economics of personal information. Security & Privacy Economics. November/December 2009.

  • Acquisti, A., Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Security & Privacy. January–February, 24–30.

  • Adjerid, I., Acquisti, A., Brandimarte, L. & Loewenstein, G. (2013). Sleights of privacy: Framing, disclosures, and the limits of transparency. SOUPS ‘13 Proceedings of the ninth symposium on usable privacy and security, Article No. 9.

  • Böhme, R. & Köpsell, S. (2010), Trained to accept?: A field experiment on consent dialogs. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2403–2406.

  • Brockdorff, N. & Appleby-Arnold, S. (2013). What consumers think, EU CONSENT Project, Workpackages 7 & 8.

  • Calo, M. R. (2012), Against notice skepticism in privacy (and Elsewhere), 87 Notre Dame Law Review 1027.

  • Calo, M. R. (2013), Digital market manipulation, University of Washington School of Law Research Paper No. 2013-27; 2013-08-15.

  • Custers, B. H. M. (2001). Data mining and group profiling on the internet. In A. Vedder (Ed.), Ethics and the internet (pp. 87–104). Antwerpen: Intersentia.

  • Custers, B. H. M. (2012). Predicting data that people refuse to disclose; how data mining predictions challenge informational self-determination, Privacy Observatory Magazine, Issue 3.

  • Custers, B., Van der Hof, S., Schermer, B., Appleby-Arnold, S., & Brockdorff, N. (2013). Informed consent in social media use. The gap between user expectations and EU personal data protection law. Journal of Law and Technology, 10(4), 435–457.

  • Faden, R., & Beauchamp, T. L. (1986). A history and theory of informed consent. New York: Oxford University Press.

  • Hurd, H. M. (1996). The moral magic of consent. Legal Theory, 2, 121.

  • Internet Society. (2012). Global internet user survey, summary report. http://www.internetsociety.org/sites/default/files/rep-GIUS2012global-201211-en.pdf. Accessed February 14, 2014.

  • Jolls, C., & Sunstein, C. (2006). Debiasing through law. The Journal for Legal Studies, 35(1), 199.

  • Kleinig, J. (2010). The nature of consent. In The ethics of consent: Theory and practice (Miller & Wertheim, ed.), New York: Oxford University Press.

  • Kosinski, M., Stillwell, D. & Graepel T. (2013), Private traits and attributes are predictable from digital records of human behavior. PNAS Early Edition.

  • McDonald, A. M. & Cranor, L. F. (2010). The cost of reading privacy policies.

  • McDonald, M., & Lowenthal, T. (2013). Nano-notice: Privacy disclosure at a mobile scale. Journal of Information Policy, 3(2013), 331–354.

  • Miller, F. G. & Wertheim, A. (2010). Preface to a theory of consent: beyond valid consent. In The ethics of consent: Theory and practice (Miller & Wertheim, ed.), New York: Oxford University Press.

  • Miller, F. G., & Wertheim, A. (2011). The fair transaction model of informed consent: An alternative to autonomous authorization. Kennedy Institute of Ethics Journal, 21(3), 201.

  • Nissenbaum, H. (2011). A contextual approach to privacy online. Daedalus, 140(4), 32–48.

  • Pollach, I. (2007). What’s wrong with online privacy policies? Communications of the ACM, 50(9), 103–108.

  • Rawls, J. (1999). A theory of justice (revised edition). Oxford: Oxford University Press.

  • Solove, D. J. (2011). Nothing to hide; The false tradeoff between privacy and security. New Haven: Yale University Press.

  • Solove, D. J. (2013). Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1880–1903.

  • van den Berg, B., & van der Hof, S. (2012). What happens to my data? A novel approach to informing users of data processing practices. First Monday, 17(7), 2.

  • Westin, A. F. (1967). Privacy and freedom. New York: Atheneum Press.

  • Zarsky, T. Z. (2003). Mine your own business. Yale Journal of Law & Technology, 5(1), Article 1.

Author information

Corresponding author

Correspondence to Bart W. Schermer.

About this article

Cite this article

Schermer, B.W., Custers, B. & van der Hof, S. The crisis of consent: how stronger legal protection may lead to weaker consent in data protection. Ethics Inf Technol 16, 171–182 (2014). https://doi.org/10.1007/s10676-014-9343-8

  • DOI: https://doi.org/10.1007/s10676-014-9343-8
