Chapter 4. Informational Privacy in EU Law: Challenges in Data Protection and Privacy
A. Challenges to EU Data Protection Law
II. The Role of Consent: A Control and Autonomy Tool Facing Challenges in the
2. The Limitations of ‘’Informed’’ Consent
i. The Importance of Informing Data Subjects
The central basis of giving power and control to the individual to manage their privacy is that it requires that the individual be informed and rational and be able to consent to the different forms of collection and processing of personal data497. However, it is a fact that most individuals do not use the options that exist to protect their own privacy. Many reasons have been given for this, including the argument that the need to read through long texts discourages users498.
One difficulty is that effective ways to communicate information to individuals are hard to find, and individuals do not necessarily understand the information given to them499.
496 See “Peddinti, S. T., & Saxena, N. (2010, July). On the privacy of web search based on query obfuscation: a case study of TrackMeNot. In International Symposium on Privacy Enhancing Technologies Symposium (pp. 19-37). Springer, Berlin, Heidelberg” for a study of the tool, or consult https://cs.nyu.edu/trackmenot/ for information about the tool itself.
497 Berbers, Y., Hildebrandt, M., & Vandewalle, J. (2018). Privacy in an age of the internet,
social networks and Big Data. Position paper 49b, Royal Flemish Academy of Belgium for
Science and the Arts.
498 Ibid
499 Ibid
What’s more, the problem is not necessarily that doctors - or in the data protection context data controllers - do not try to enlighten individuals, but instead it seems that even honest attempts to inform have been unsuccessful. Both attempts by individual entities and legislative efforts for informed consent seem to have failed to produce significant success500.
An example of this phenomenon is the “informed consent” required in medicine for certain actions by the physician. A study showed that only 9% of doctors met the criteria for informed decision-making, which includes informing the patient of his role in the decision-making process, the nature of the decision, possible alternatives, pros and cons, uncertainties associated with the decision, an assessment of the patient’s understanding of the decision, and an exploration of the patient’s preferences501.
Under traditional individual theory, individuals are forward looking, utility maximizing beings who are fully informed and base their decisions on probabilities coming from known random distributions502. This idea is common in the policy debate, where it is assumed that individuals and organizations only need the ability to manage their information and make choices without regulatory intervention. However, several studies have shown that there is an apparent dichotomy between privacy attitudes and actual behavior. Individuals exchange large amounts of information for little reward, and are rarely willing to adopt privacy protective technologies503.
Many factors hamper individual decision-making. Incomplete information, and information asymmetries between a well-informed data controller and a non-informed individual, make privacy decisions unlikely to be accurate. What’s more, externalities that individuals cannot properly evaluate (third party transfers), risk (privacy risks are not easy to estimate), and uncertainties about possible payoffs from their information all make it difficult to calculate the costs and benefits of privacy-intrusive actions504. Worsening the effect is the fact that privacy does not have a quantifiable monetary cost505. Even if individuals did have access to complete information, they could not process and act on the data optimally.
500 Ben-Shahar, O., & Schneider, C. E. (2011). The failure of mandated disclosure. University of
Pennsylvania Law Review, 647-749.
501 Ibid
502 Acquisti, A., & Grossklags, J. (2005). Privacy and rationality in individual decision making.
IEEE Security & Privacy, 3(1), 26-33.
503 Ibid
504 Ibid
505 Ibid
Even if individuals had access to all the information, rationality has its limits. Many deviations from rationality affect decision-making, in particular self-control problems and the many social norms at play in the making of those decisions. Finally, the ignorance of individuals of the dangers that come from privacy invasions is a factor506.
This would not be an issue if the individual could accurately assess harm, cost, and the magnitude and probability of the loss. However this is not the case. Consumers lack the information necessary to make this decision, and are in a disadvantageous position to decide when and how to protect themselves from the harms inherent in behavioral targeting507.
Consumers also lack information about what information can be obtained about them by data controllers. Their inability to assess the magnitude of loss and to understand the possibilities of data collection available to a data controller suggests that consumers would be more upset if they understood all those factors - such as phone calls being monitored.
ii. The Paradox of Informing Users
It would be easy to conclude that data controllers are intentionally keeping users uninformed for their own benefit. However, as we will show, this increasing gap, the same gap blurring the concept of “personal data”, is present even where efforts are made to keep users up to date. The main paradox is called the “transparency paradox”, where the more information is shared, the less understandable this mass of information is508. Because of the complexity of online tracking and surveillance, it is practically impossible for privacy policies shared by data controllers to be both accurate and understandable by every user509.
The consequence of this overload of information, intrusive pop-up screens and lack of choice is “consent desensitisation”: users are no longer used to making active, informed choices when confronted with a consent situation510. This will only be exacerbated with the added requirements from the General Data Protection Regulation.
506 Ibid
507 Politou, E., Alepis, E., & Patsakis, C. (2018). Forgetting personal data and revoking consent
under the GDPR: Challenges and proposed solutions. Journal of Cybersecurity, 4(1)
508 Schermer et al. (n.460)
509 Van Alsenoy, B., Kosta, E., & Dumortier, J. (2014). Privacy notices versus informational self-determination: Minding the gap. International Review of Law, Computers & Technology, 28(2), 185-203.
Another difficulty comes from the scale of Big Data - the number of entities collecting and sharing data for individuals to keep track of. A survey has shown that the average US citizen, for example, visits almost a hundred websites a month, doing business online and offline with countless companies, each of which has the potential to hold, use, transfer, or sell personal data511. This extends to data that individuals might not even be aware exists, such as metadata for phone calls or websites tracking every click and second spent on their site by each individual512.
This means that even if the option existed to protect one’s privacy, and even if every company provided informed and reasonable choices to manage and protect one’s data, this challenge would persist: individuals do not have the time or energy or willpower to manage all of the entities holding their data513.
As an example of the difficulty individuals face in using their ability to consent, one study explained that it would cost 781 billion dollars in lost productivity if everyone were to read every privacy policy they visited in a one-year period514.
This is the main issue with the idea of consent as an expression of one’s true intentions: attempts to inform the public and lead to pertinent decision-making are not effective. Individuals do not read the information provided to them. If they read it they do not understand it. If they read it and understand it, they do not have the knowledge to make an informed choice515. If they read it, understand it, and have the knowledge to make an informed choice, that choice is very likely skewed by obstacles to decision-making.
In conclusion, the GDPR creates stronger consent requirements, demanding individuals be more and more informed in order for consent to be given. However, it is fast becoming impossible for individuals to understand the issues they are faced with because of the complexity both in the processing of the collected data, and in what information may be created by data processing later on (too complex and too unpredictable). This shows at the very least that consent as an instrument fails to ensure the protection of autonomy, but we would go further and argue that because of the ever-widening gap between individual knowledge and the complexity of data processing, free autonomy is going to become increasingly challenging to prove. This also challenges the conception of informational privacy as ‘’control’’, since achieving such control is difficult, or even impossible.
510 Bergemann, B. (2017). The Consent Paradox: Accounting for the Prominent Role of Consent
in Data Protection. In IFIP International Summer School on Privacy and Identity Management (pp. 111-131). Springer
511 Ibid
512 Ibid
513 Solove, D. J. (2012). Introduction: Privacy self-management and the consent dilemma. Harv.
L. Rev., 126, 1880.
514 McDonald, A. M., & Cranor, L. F. (2008). The cost of reading privacy policies. ISJLP, 4, 543
515 Custers, B., van Der Hof, S., Schermer, B., Appleby-Arnold, S., & Brockdorff, N. (2013). Informed Consent in Social Media Use-The Gap between User Expectations and EU Personal Data Protection law. SCRIPTed, 10, 435.
We argue that any attempt to move European data protection towards adapting to the Big Data age will mean a move towards top-down regulation, instead of a focus on fixing consent and reinforcing the control of individuals. Though such efforts are important and have a place (as we will show later on) they are likely to fail if data processing practices remain the same as they are now. As we have shown in our third Chapter, data processing is increasingly elaborate and complex, worsening the existing limitations developed in this section.
In this Chapter so far, we have gone over how the technical challenges involved in the rise of Big Data technology have affected two pillars of EU data protection regulation: anonymisation (and with it the ‘’personal/non-personal data’’ paradigm) and consent (and with it ‘’control’’ as a focus of data protection). We have shown that these technologies provide tremendous power to parties which can use it to their benefit, and that this power involves threatening informational privacy by giving more power to data controllers without giving sufficient Guarantees to data subjects. Meanwhile, “personal data” is hard to define, and limitations in fields such as anonymisation and consent, both in defining personal data and handling the changes that come from its further processing, will get more prominent as data processing continues to increase in complexity.
We have now identified some key challenges in European data protection regulation. We will now synthesize and analyze the deeper issues which have led to this problem, in order to understand the core reason behind these limitations. We will also study how the European framework of privacy is showing signs of being affected by the changes Big Data has brought, but has handled them in a way which supports the ‘’Information/Guarantees Balance’’ approach.