Cyber Ethics

User Generated

Zrev5

Computer Science

Description

Need a power point presentation from the article below using a ted talk template if possible. I will also need the transcript. No plagiarism please, safe assigned is used.

Unformatted Attachment Preview

The Crisis of Consent

How Stronger Legal Protection may lead to Weaker Consent in Data Protection

Dr. Bart W. Schermer, dr. Bart Custers, prof. Simone van der Hof
eLaw@Leiden, Leiden University Faculty of Law

to be published in Ethics & Information Technology. Article title: The Crisis of Consent: How Stronger Legal Protection may lead to Weaker Consent in Data Protection
DOI: 10.1007/s10676-014-9343-8

Abstract

In this article we examine the effectiveness of consent in data protection legislation. We argue that the current legal framework for consent, which has its basis in the idea of autonomous authorisation, does not work in practice. In practice the legal requirements for consent lead to ‘consent desensitisation’, undermining privacy protection and trust in data processing. In particular we argue that stricter legal requirements for giving and obtaining consent (explicit consent) as proposed in the European Data Protection Regulation will further weaken the effectiveness of the consent mechanism. Building on Miller & Wertheimer’s ‘Fair Transaction’ model of consent we will examine alternatives to explicit consent.

1. Introduction

The notion of consent is important in law, because it is one of the primary mechanisms through which legal acts are constituted. In European data protection law consent is also relevant as it enables data subjects to authorise data controllers to process their personal data.[1] The underlying notion is that data subjects make conscious, rational and autonomous choices about the processing of their personal data.
But whether data subjects are always capable of making these choices and willing to do so in practice is questionable.[2] There is mounting evidence that data subjects do not fully contemplate the consequences and risks of personal data processing. Most notably in the online world, it seems that data subjects simply consent whenever confronted with a consent request (Brockdorff & Appleby-Arnold, 2013, Custers et al. 2013). Therefore, there is a growing scepticism in academic circles regarding the effectiveness of notice and consent in the context of data processing.[3] There are also growing doubts in society as to the effectiveness and fairness of consent in the context of data processing. The documentary Terms and Conditions May Apply for instance, challenges common industry practices of confronting individuals with long, legalistic privacy notices and ‘forcing’ users to consent.[4] Industry, however, often argues that data protection legislation forces them to ask for consent in this way and that users always have a choice not to use their services.

[1] See article 7a of Directive 95/46/EC of the European Parliament and the European Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[2] By an effective consent we mean a consent that fulfills its moral and societal requirements.
[3] See for instance: Pollach (2007), Acquisti (2009), Böhme and Köpsell (2010), Adjerid et al. (2013) and Solove (2013).

Electronic copy available at: http://ssrn.com/abstract=2412418

As it stands, there seems to be a disconnect between the legal theory, which presupposes a rational, informed data subject who makes conscious decisions, and the current practice in which data subjects simply agree to almost all consent requests without actually reading the fine print. This disconnect between the legal theory and the practical reality of consent presents risks to both data subjects and data controllers. Data subjects may unwittingly consent to types of data processing that in reality they do not want. This diminishes their control over their personal data, creates a false sense of trust, and ultimately increases their privacy risks. For data controllers, inadequate consent mechanisms mean they cannot rely fully on the consent they obtain. This makes processing personal data on the basis of consent more risky, because it exposes them to potential reputational damage, litigation and shifting interpretations by the supervisory authorities on the legitimacy of the consent.

To combat this ‘crisis of consent’, politicians and lawmakers seek to strengthen the constitutive elements of consent in the law. For the most part this means more focus on the autonomous choice of the data subject.
In Europe for instance, the proposal for a General Data Protection Regulation that is set to supersede the current Data Protection Directive, demands that consent is explicit.[5] While from a theoretical legal standpoint it seems logical to place more focus on the mechanism of consent and the active choice of the individual to strengthen privacy, we argue that strengthening consent mechanisms in law not only fails to take into account the reasonable interests of the party seeking consent, it also may end up further weakening the value of consent in practice.

More specifically, we examine and challenge the notion that greater focus on the autonomous choice of the data subject will improve the consent mechanism and solve the current crisis of consent. We will argue that too much emphasis is placed on the active and conscious role of the data subject and that we need to move to a more differentiated system of consent, in which decisions only need (strong) consent when it really matters, i.e., when decisions may involve serious risks or consequences for the person who consents. In order to do this we will first discuss the ethical foundations of consent in Section 2 and the relation between autonomy and consent in Section 3. From there, we will move on to discuss the translation of the ethical arguments in current and future data protection legislation in Section 4. Next, we will examine why these mechanisms do not work in practice in Section 5 and why this results in ‘consent desensitisation’ in Section 6. We will discuss possible alternatives in Section 7 and wrap up with conclusions in Section 8.

[4] Privacy statement, privacy policy and privacy notice are used interchangeably in practice and in literature. We will use the term privacy policy when we mean the privacy principles and procedures of data controllers. We will use the term privacy notice to describe the document that explains these policies to data subjects.
[5] Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25.1.2012 (com)2012 final, article 4(8) jo article 7.

2. A theory of consent

Before we can discuss the effectiveness of consent in data protection law, we need to examine the role of consent in human interaction. Hurd (1996, p. 123) observes that the primary role of consent is to alter the morality of another person’s conduct. For instance, consent can change the act of entering into a house from trespassing (no consent) to visiting (consent). Furthermore, consent can generate a permission that allows someone else to do what would otherwise be regarded as a wrongful act. Consent is thus a morally transformative act that changes normative expectations between people and groups (Kleinig 2010).

Consent and, more specifically, a consent request also fulfil a practical purpose. A consent request should give individuals pause and make them think actively about the consequences of giving consent.
In a sense, a consent transaction functions as a warning that a potentially harmful or legally meaningful moral transformation will take place that requires the (undivided) attention of the individual.

For consent to work its ‘moral magic’ it must be valid. In order for consent to be valid, it must be given:

1) By a subject with substantial understanding about the consent transaction,
2) In substantial absence of coercion by others,
3) Intentionally, and
4) It must authorise a certain course of action (Faden and Beauchamp 1986, p. 278).[6]

These elements of valid consent are discussed below.

2.1 Substantial understanding

In order to say that a person has substantial understanding about a consent transaction, the consenter must have the capacity for moral judgement and the person must have sufficient information about the context and consequences of the consent transaction. Therefore, in most cases, children and people with a mental illness are not considered capable of giving legally valid consent, because they may lack the required understanding to make autonomous moral choices.

It is possible that the consent of a person is based on insufficient or inaccurate information. It is then dependent on the circumstances of the case whether the consent is valid. For instance, if Alice has supplied Bob with false information on a particular transaction because she knows Bob will not give his consent based on the true situation, the consent is vitiated. The consequence of which would be that the contract is voidable under contract law. What is also possible is that sufficient information is given, but the person who consents fails to make a proper judgement on the basis of this information. Take the following example:

Alice tells Bob that there is a 99% chance that the investment he wants to make in her company will not return any profit. Bob wishes to invest nonetheless, thinking that Alice is wrong and he will make a lot of money from his investment and gives his consent for the high-risk transaction. A year later Alice has to file for bankruptcy and Bob loses his investment.

In this example Alice has given Bob all the necessary information but Bob has arguably failed to make a proper judgement of the situation. If the consequences of the consent transaction are negative for Bob, this will generally not change the validity of the consent.

[6] An element that is not included in the requirements set forth by Faden and Beauchamp is that of legal and moral authority. For a consent transaction to be morally transformative, the person who consents must have the moral and/or legal authority to give the consent. For instance: I may consent to one of my friends taking the crown of Her Majesty the Queen of England, but since I have no authority over her property, the consent will do little to change the act from a theft to a legitimate action.

2.2 Absence of coercion by others

For consent to be valid it must be freely given.
Consent is not morally transformative, if it is not the result of an autonomous choice of the person giving the consent. Absence of control by others in the context of consent presupposes an element of choice: if refusing to consent is not a viable option, because it is either impossible or it would have a very negative impact on the person giving consent, then there is no real choice and thus no consent. As such, if a person is under duress or any other form of undue influence, the consent is vitiated.

2.3 Intentionality

A third requirement is the intentionality of consent: the act of consenting must be aimed at the activity for which a person asks for consent. In most cases, consent will be clearly expressed, signalling to the person asking for consent that his or her course of action is allowed (e.g., Bob asks Alice if he may enter her house and Alice consents). However, consent never takes place in the vacuum of individual choice. Consent transactions are by their very nature bilateral or multilateral. As such, there may be communication errors or mistakes. Take the following example:

Alice and Bob are neighbours. Alice normally leaves the kitchen door open and Bob is allowed to enter the house when the door is open. This Sunday Alice does not want to be disturbed, but she has forgotten to close the kitchen door. Bob, assuming he is welcome in the house because the kitchen door is open, walks in and startles Alice.

In this example Alice did not intend to let Bob enter her house.
However, Bob has interpreted Alice’s action (leaving the door open) as consent.[7] In this scenario, Bob infers Alice’s consent. Consent is implied in those situations where there is no clear expression of consent, but the behaviour of one person may lead another person to (reasonably) believe that consent has been given. This behaviour can be active or passive.

[7] Alice’s action can also be construed as an inaction (failing to close the door).

Implied consent has both a subjective and an objective element. The subjective element entails that the person asking for consent must believe that consent has been given (Bob sees that the door is open and assumes he may enter). The objective element is that society must agree that the behaviour displayed may lead the person asking for consent to reasonably believe that consent has been given (Bob cannot know that Alice wants to be alone while the door is open).

An interesting discussion in this regard is how close the action of the person whose consent is being asked for, must be related to the consent situation. For instance, in some states of the United States consent for a field sobriety test is implied from the fact that you use a motor vehicle.[8] It is argued that driving the motor vehicle is the act that signifies the consent.
However, it could also be argued that the act of driving a motor vehicle is unrelated to the question of whether or not you consent to a sobriety test and, as such, consent may not be inferred from driving the motor vehicle.

2.4 Authorise a course of action (specificity)

Consent must authorise a certain course of action. So, for consent to be valid, it must be 1) sufficiently clear what the course of action is that is in need of consent, and 2) the consent itself must be specifically aimed at authorising that course of action. This point is closely related to the requirements of substantial understanding and intentionality mentioned above. When the course of action is unclear, the consent that authorises the course of action is weak, because it leaves too much room for interpretation by both sides, creating uncertainty. The same goes when the contents of the consent itself are unclear, because the consent does not specify clearly enough which actions are allowed. As such, any consent that covers a number of different actions or is open-ended in nature is potentially weak. The same may go for the implied consent discussed above.

To summarise: consent is morally transformative when it changes the expectations of the person consenting (i.e., he or she knows what to expect based on the given consent), the person seeking the consent (i.e., he or she knows that the course of action is considered ‘fair’ or allowed) and society at large (i.e., society recognises the effect of consent on the relationship between the person seeking consent and the person asking consent).
Consent may not be morally transformative if it does not (fully) meet the requirements of substantial understanding, absence of coercion by others, intentionality and specificity. These requirements are strongly linked to the notion of autonomy that we will discuss next.

3 Consent and autonomy

Consent, as an expression of free choice, is closely linked to personal autonomy. Rawls (1999, p. 221), for instance, argues that a person is acting autonomously when:

“the principles of his actions are chosen by him as the most adequate possible expression of his nature as a free and equal rational being.”

[8] See for instance: Oregon Revised Statutes, Vol. 17, Chapter 813 §135.

Faden and Beauchamp (1986, p. 7) take a similar Kantian interpretation of personal autonomy, but express it in more practical terms:

“the personal rule of the self by adequate understanding, while remaining free from controlling interferences by others and from personal limitations that prevent choice.”

Consent is generally conceived as a specific form of autonomous action (or choice) aimed at authorisation (Faden and Beauchamp 1986, p. 277). Our right as rational human beings to choose our course of action freely is reflected in our ability to consent. This way of thinking about consent can be labelled the ‘autonomous authorisation model’ of consent. In the autonomous authorisation model of consent the focus is on the consenting individual.

The autonomous authorisation model of consent emphasises the importance of a clear and affirmative choice by the persons who consent. However, as we have seen in the example of the kitchen door, there are situations in which consent is not entirely clear. Miller and Wertheimer (2011, p. 203) convincingly argue that morally transformative consent must not only protect the rights and interests of persons who consent, but must also give those who ask for consent fair notice of what they need to do in order to obtain valid consent and thus avoid wrongful interaction with others. To this end, they propose a fair transaction model of consent. In the fair transaction model, a party (A) is morally permitted to undertake an action requiring consent from another party (B), if A has treated B fairly and responds in a reasonable manner to B’s token or expression of consent, or what A reasonably believes is B’s token or expression of consent. According to Miller and Wertheimer (2011, p. 203):

“a morally defensible theory of consent transactions needs to account for the interests of the consenters and those who solicit consent (and society at large) in having clear, practical and fair standards by which recipients can determine whether they are entitled to proceed with transactional or cooperative activities.”

We will revisit these different models of consent when we discuss their effectiveness in the context of data protection.

4 Consent in relation to privacy and data protection law

The right to privacy protects the personal sphere.
Thus, generally an invasion of the personal sphere requires the morally transformative act of consent to be legitimate. Only when there is an overriding interest (e.g., freedom of speech, national security, the protection of public health, or the rights or legitimate interests of others) may privacy be infringed without consent.[9] This logic is also reflected in data protection law. Under the EU Data protection directive 95/46/EC, personal data may only be processed for specified, explicit and legitimate purposes (article 6). A purpose is rendered legitimate, if it can be based on one of the grounds in article 7. The first and, arguably, most important of these legitimate grounds is the unambiguous consent of the data subject. The other grounds are: processing is necessary to perform a contract with the data subject, the compliance with a legal obligation, to protect the vital interests of the data subject, processing is necessary for the performance of a task carried out in the public interest, and the legitimate interest of the data controller.

[9] See, for instance, article 8 of the European Convention of Human Rights.

Consent as a legitimate basis for personal data processing is a form of autonomous authorisation: the individual (the data subject) authorises the data controller to process his or her personal data.
The transformative act that consent establishes in data protection is that what would otherwise be considered an infringement of the right to (informational) privacy of the individual is no longer perceived as such. Consent in the context of personal data protection flows forth from the right to ‘informational self-determination’, meaning that the data subject has the right to choose under what circumstances and for what goals information about himself or herself may be processed (Westin 1967, p. 7). This closely matches the autonomous authorisation model of consent.

Below we will discuss the way the concept of consent is described and used in the current European data protection law (Subsection 4.1) and in the new, proposed European data protection law (Subsection 4.2).

4.1 Consent in the current European data protection law

Consent is defined in the European data protection directive (95/46/EC) in article 1h:

(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

Based on its constitutive elements (specific, informed and freely given), we may equate this form of consent with the term ‘informed consent’ that is more commonly used in moral philosophy.[10] Informed consent must meet the requirements set out in Section 2.

From this general description of consent, the Directive further specifies the role of consent in the articles 7 (legitimate basis for processing), 8 (legitimate basis for processing special categories of data) and 26 (legitimate basis for transfer of data to third countries). As discussed, the primary role of consent in data protection law is to provide a legitimate basis for data processing. The Directive adds two procedural requirements for giving (and obtaining) consent when consent is used as a legitimate basis for processing that are dependent on the type of data being processed. For personal data in general unambiguous consent is required, for special categories of personal data (sensitive data) explicit consent is required.

4.1.1 Unambiguous consent

When consent is the legal basis for processing ‘regular’ personal data the consent must be unambiguous according to article 7 of the Directive, meaning that there must be no doubt about the consent of the data subject. Doubt is removed when consent is based on an express action carried out by the individual or by being clearly inferred from an action carried out by an individual.[11] An example of an unambiguous consent would be to enter a room that is under camera surveillance after having read a sign on the door that says “if you enter this room you consent to being filmed by surveillance cameras”.

[10] The ethics of consent are discussed in far more depth in relation to bioethics and medicine. In these contexts the term informed consent is generally used.

4.1.2 Explicit consent

The processing of special categories of personal data (e.g., data related to health, sexual life, or ethnicity) requires explicit consent according to article 8. In the original European Commission proposal for the Directive, the consent had to be “in writing”. However, that was ultimately changed to “explicit”, which is more technology neutral.[12] Explicit consent differs from unambiguous consent in the sense that the act of consent must be specifically aimed at signifying the consent. According to the Article 29 Working Party (WP29), in order for the consent to be deemed explicit data subjects need to be presented with a proposal to agree or disagree with a particular use or disclosure of their personal information and they need to respond actively to the question.[13] The underlying idea is that for these ‘high-risk’ categories data subjects need to make a more active and affirmative decision. An example of an explicit consent would be the signing by the data subject of a consent form that sets out all the different processing purposes and personal data used.

4.1.3 Implied consent

There is still discussion whether implied consent is also a valid form of consent in relation to personal data protection.
In its Opinion on Consent, the WP29 seems to argue that consent in this context can only be inferred from an action:

“The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject's wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).”[14]

The question then becomes what can be defined as an action. If we take our kitchen door example, Alice’s failing to close the kitchen door could be considered an action (i.e., keeping the door open), but an equally strong argument can be made that this is a lack of action (i.e., not closing the door). In general, we observe that the WP29 is very strict when it comes to allowing implied consent as a legitimate basis for processing.

[11] Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent p. 25.
[12] Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent.
[13] The Article 29 Working Party is the body of national data protection authorities set up under article 29 of Directive 95/46/EC.
[14] Article 29 Working Party (2011), Opinion 15/2011 on the definition of consent, p. 11.

4.2 Consent in the new Data protection Regulation

The proposal for a Data Protection Regulation removes the current ambiguity described above.
Consent is defined in article 4(8) of the Regulation as:

“the data subject's consent means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”

With this new definition, confusion between the different types of consent in the current legal framework is avoided. Furthermore, the European Commission argues that by adding the criterion ‘explicit’ to the definition, the awareness of the data subject that, and to what, he or she gives consent is ensured.15 This new definition of consent, even more than the current definitions of consent, is strongly influenced by the autonomous authorisation model of consent. With the addition of ‘explicit’ in the definition of consent, there seems to be little room for an interpretation inspired by the fair transaction model of consent.

We have established that consent in data protection must be either unambiguous or explicit in order for it to be considered a legitimate ground for processing personal data.16 Thus, in the context of data protection, consent must meet specific demands in terms of its form to be valid. Furthermore, we may conclude these demands will become stricter in the new Data Protection Regulation. In the autonomous authorisation model of consent, the data subject makes a free, conscious and rational decision to consent based on the available information.
5 Practical issues with autonomous authorisation in data protection

Above we described the “requirements” for consent from the perspective of moral philosophy and examined how data protection law sets about creating mechanisms and pre-conditions for valid consent.

From the research of Pollach (2007), Acquisti (2009), Böhme and Köpsell (2010), Adjerid et al. (2013), Solove (2013), Brockdorff & Appleby-Arnold (2013), we may provisionally conclude that the requirements laid down in the law do not have the effect in practice desired by the legislator. What the work of these researchers shows is that users seldom read privacy notices, do not comprehend them fully, but consent to the processing of personal data nonetheless.17 While consent may be considered validly given from a legal-technical standpoint, it is questionable whether morally transformative consent always takes place. In our opinion, this can be explained by the practical effects that an overemphasis on the autonomous authorisation model of consent has. These effects are described below: consent transaction overload (Subsection 5.1), information overload (Subsection 5.2) and absence of meaningful choice (Subsection 5.3).

15 Explanatory statement accompanying the Regulation proposal, p. 8.
16 For readability, we shall use the term ‘explicit consent’ when we mean both ‘unambiguous’ and/or ‘explicit’ consent.
17 There is also anecdotal evidence that data subjects seldom read terms and conditions and privacy notices. One entertaining example is the site Gamestation.co.uk that asked its users’ consent for the transfer of their immortal souls to Gamestation via its terms and conditions. 88% consented to the transfer of their immortal souls. See: http://www.huffingtonpost.com/2010/04/17/gamestation-grabs-souls-o_n_541549.html. See also the related discussion in Nissenbaum (2011).

5.1 Consent transaction overload

The first effect of the overemphasis on autonomous authorisation is an overload of consent transactions. In practice, there are simply too many consent requests for an individual user to consider, watering down the psychological effect of being confronted with a consent transaction. Jolls and Sunstein (2006, p. 212), for instance, have found that consumers learn to tune out messages that they see often. This means that the effectiveness of consent as a safeguard against unauthorised data disclosure is reduced, because it is overused. This ‘safeguard inflation’ is a threat to the privacy of data subjects, as well as a threat to the validity of the mechanism of consent itself.

The Dutch implementation of article 5(3) of Directive 2009/136/EC (the ‘cookie law’) is a good example of how excessive consent requests have led to ‘consent fatigue’.18 The Dutch cookie law stipulates that tracking cookies (used for behavioural targeting and ad retargeting) are presumed to be personal data.
This means that unless the party that installs the cookie can prove that the cookie does not identify an individual user, he will need a legitimate basis for processing under article 8 of the Dutch Data Protection Act (the equivalent of article 7 of Directive 95/46/EC). Since the only viable option is the unambiguous consent of the data subject, most website owners present users with pop-up screens demanding this unambiguous consent. Although users are now prompted to make more conscious decisions about the use of cookies and their personal data, the general consensus among consumers seems to be that these pop-ups are merely irritating and do not provide any additional privacy protection. The result is that both business and consumer organisations have lobbied for changing the consent requirement in the law.19

It is likely that the Regulation will lead to even more consent requests. Because the definition of personal data will be broadened, more and more types of data will be considered personal data, leading to more consent requests. Since consent must be explicit under the Regulation, less intrusive ways of obtaining consent (e.g., implied consent) will be outlawed, leaving only more intrusive alternatives such as pop-ups.
18 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
19 See for instance: http://www.dutchnews.nl/news/archives/2013/05/dutch_cookie_law_to_be_watered.php Interestingly, actual consumer behaviour in this area seems to contradict the findings in many surveys that consumers do want to be informed about data processing (see e.g., McDonald & Lowenthal 2013, p. 345). It might well be that there is a difference between professed user attitude in surveys and their actual behaviour. Furthermore, most research on consumer attitudes in privacy does not actually ask how and when this information should be presented.

5.2 Information overload

The second effect is information overload. Consent must be based on adequate information, which is generally provided in the form of a privacy notice. Given the highly complex nature of data processing and the legal requirements regarding transparency and notification, privacy notices are generally long, difficult and highly legalistic texts.
This can be explained by the fact that privacy notices are for the most part aimed at avoiding liability or enforcement (Pollach 2007, p. 107). McDonald and Cranor (2010, p. 560) have estimated that if data subjects were to read all the privacy policies presented to them, it would take them 244 hours annually. If data subjects were only to skim the policies they would still have to spend 154 hours annually. The transaction costs associated with reading or skimming privacy policies were estimated at 3534 US dollars and 2226 US dollars respectively. Because of the complexity of privacy notices and the high costs associated with reading them, it is not surprising that surveys regularly show that data subjects hardly ever read them.20

But even if data subjects were to read all the privacy notices, it is questionable whether they would fully grasp the possible consequences of the data processing. Even if someone (e.g., a privacy lawyer) understood all the privacy notices, he or she would probably have no idea what happens to much of his or her personal data.21 Acquisti and Grossklags (2005) attribute this to bounded cognitive abilities: people are unable to acquire, understand and process all the information that is relevant to make a decision about consent to data processing. Thus people rely on simplified mental models, approximate strategies, and heuristics to guide their decision making process (Acquisti & Grossklags 2005). However, these strategies fail to take into account all the relevant aspects that should guide decision making.
As data processing becomes more and more complex, more factors need to be taken into account. The result is that the reality of data processing will become even further removed from the simplistic mental models employed by data subjects. This undermines the basic notion of consent, as it may be argued that consent is not fully informed and truly transformative, when the person who consents is unable to comprehend the consequences.

The issue of information overload is exacerbated by the fact that data subjects are often confronted with consent decisions while they are involved in a completely different decision making process, such as the decision to buy new shoes or to book a holiday. Privacy protection then becomes a trade off between instant gratification (getting the shoes, or the prospect of going on vacation) versus the abstract risks associated with misuse or abuse of personal data, which are often not well understood, if at all.

5.3 Absence of meaningful choice

A third effect is that while data subjects are confronted with a consent request, there is often an absence of meaningful choice for them. In general, data subjects seek to access a service (e.g. news, social networking, search) and in exchange for accessing the service they ‘allow’ the processing of their personal data. These online services, in particular free services, usually provide little to no room for negotiation, because the use of the personal data is vital for the success of their business model.22 As such, data subjects are presented with a ‘take it or leave it scenario’, when it comes to the use of their personal data (Custers 2001). Apart from commercial reasons, there are other compelling reasons for data controllers to use general, non-negotiable privacy policies. First of all, more general privacy policies can also be used at larger scales and in changed circumstances. Second, online services need quick and efficient sign-up flows in order not to lose potential customers in the process. The more choices and clicks a user needs to make before he or she can start using the service, the more likely he or she is to drop out of the sign-up process.

20 See for instance: Brockdorff, N., Appleby-Arnold, S. (2013), What consumers think, EU CONSENT Project, Workpackages 7 & 8.
21 For examples of how personal data may be processed (with or without consent) see, for instance, Nissenbaum (2011), Solove (2011) and Zarsky (2003).

Over the years, consumers have become accustomed to blindly accepting these adhesive contracts (terms and conditions, end user license agreements and privacy notices). An empirical study by Böhme and Köpsell (2010) shows that users have become accustomed to regularly clicking on consent dialogue boxes. They found that the more consent boxes resemble end user license agreements (EULAs), the more likely the users are to accept them:

“ubiquitous EULAs have trained even privacy-concerned users to click on “accept” whenever they face an interception that reminds them of a EULA.
This behaviour thwarts the very intention of informed consent.”

The reason that users are more likely to accept EULAs might be that users know that these EULAs are more or less non-negotiable and that declining a EULA will likely ban their access to the service. Furthermore, we hypothesise that a reason why users blindly accept EULAs is that users do not see accepting them as a big risk. An explanation for this might be that the risks of EULAs do not always materialise or, if they do, the connection between the consent and the negative consequences is not always obvious or transparent to users. Consumer protection law in Europe generally prohibits contractual clauses that are too disadvantageous for consumers. As such, the effects of EULAs on the legal position of the consumer are relatively limited. Consumers might argue that the same is valid for privacy notices.

6 Consent desensitisation

In our opinion, consent overload, information overload, and the absence of meaningful choice lead to ‘consent desensitisation’. Users no longer make active, informed choices when confronted with a consent situation, but instead simply provide consent when consent is asked.23 The move in the European legal framework towards explicit consent will do nothing to remedy this situation. It might even make matters worse. First, consent will be required in more situations than is currently the case, leading to even more consent requests.
Second, given the threat of high penalties envisioned in the Data Protection Regulation (up to 2% of the annual turnover of an enterprise), it is likely that organisations will become more risk-averse.24 This risk aversion might manifest itself in the form of stronger opt-in mechanisms that are more legalistic in nature. According to Böhme and Köpsell (2010), these stronger, explicit consent mechanisms might actually have the effect that users will make less informed decisions about their privacy, or at least, it will not make their decisions more informed than they are now.

We, thus, come to the conclusion that the strong focus in the legal framework on autonomous authorisation leads to consent desensitisation. This has two negative effects that are described below: it will actually lower the protection of data subjects in the long run (Subsection 6.1) and it fails to take into account the bilateral nature of consent transactions (Subsection 6.2).

22 There is a growing trend towards free online services. In the app market for instance there are fewer and fewer paid apps. Instead, app developers rely on ad-support or in-app purchases. See: http://blog.flurry.com/bid/99013/The-History-of-App-Pricing-And-Why-Most-Apps-Are-Free.
23 Research indicates that already most users (between 70 and 80%) don’t bother to read privacy policies. See for instance Internetsociety (2012).
6.1 Lowering the standard for data protection

With the new Regulation, the ‘high’ standard for consent (explicit consent) will become the default setting, accelerating consent desensitisation and raising the risk of data subjects unwittingly and unwillingly disclosing personal data for high risk processing activities. This is worrying, especially, from a legal point of view, because of the transformative effect of consent. Data subjects can authorise far-reaching uses of personal data with a simple mouse click. Take the following example:

Alice seeks information about her illness on the free e-health website of Bob. She is presented with a consent dialogue box specifying all the processing purposes and an accompanying privacy notice. Alice doesn’t bother to read the text, because she has accepted hundreds of these consent requests without any negative consequences, and gives her (explicit) consent by clicking “I agree”. One of the purposes of processing personal data of users mentioned in the consent dialogue box is selling medical data to third parties. Bob subsequently sells the medical data Alice leaves behind on the site to a marketing company based on her consent.

This consent is legally valid, but it is very likely that Alice does not really want her data to be sold. If she finds out, she might feel tricked and betrayed. From the perspective of Alice, moral transformation has not taken place, but from a legal perspective the consent is valid.
6.2 Disregard for the bilateral nature of consent transactions

Autonomous authorisation in data processing may not only affect data subjects negatively, it also disregards the bilateral nature of consent transactions. Autonomous authorisation presupposes an individual that will make conscious, rational choices. Data controllers must be able to trust this fiction. However, because of consent desensitisation, data controllers can no longer trust that consent is truly consent. Data controllers that base their data processing activities on consent may thus be fully compliant with the law, but might still face trust issues with users when these users feel that they have been misled (as described in the above example).

24 Article 79 of The Commission proposal for the General Data Protection Regulation. The amended proposal of the European Parliament, that was voted on by the LIBE Committee in October 2013, contains even higher penalties of up to 5% of the annual turnover.

Additional focus on autonomous authorisation will also lead to further rigidity in the European data protection system. Explicit consent in data protection closes the door on the fair transaction model of consent, making less obtrusive consent transactions impossible. Especially for free services, it might not be unfair that those visiting the website automatically consent to the processing of a limited set of their personal data, as long as this trade-off is made sufficiently clear.
In the fair transaction model there is more room for taking into account the reasonable interests of the party asking for consent. While it could be argued that article 7f of the Directive caters to this situation, we feel we must distinguish (implied) consent from the legitimate interest of the data controller as a basis for processing (article 7f). Implied consent differs from the legitimate interest of the data controller in the sense that the needs and preferences of the data subject, expressed via his behaviour and the interpretation of that behaviour by others, determine whether data may be processed. When the legitimate interest of the data controller is the legitimate grounds for processing, the processing is allowed for the data controller and there is no room for choice on the part of the data subject (other than opting out). Furthermore, there is also a practical issue in the sense that the legitimate interest of the data controller is a much more vague concept that is subject to interpretation by the data protection authority, making it a less ‘safe’ alternative for data controllers.

7 Alternatives to autonomous authorisation

Miller and Wertheimer (2010) argue that any acceptable moral principle must be responsive to the basic facts about human beings and social life. As we have seen, autonomous authorisation is unresponsive to the facts about human beings and social life when it comes to making decisions about data processing.
In our opinion, the overemphasis on autonomous authorisation in data protection is the result of a positive and laudable, but ultimately flawed idea about human behaviour in the context of privacy and data protection. The current and future legislation is based on the idea that all data subjects are rational actors that will read all privacy statements and carefully weigh and balance the consequences of consent. As we have seen, this is clearly not the case. In this section we will first investigate some possible solutions to remedy the issues with the current system of autonomous authorisation in data protection (Subsection 7.1) and then discuss a fair transaction model of consent as a possible alternative to more focus on autonomous authorisation (Subsection 7.2).

7.1 Possible solutions

Different solutions have been proposed to remedy the current issues with consent, each with their own strengths and weaknesses.25

25 For a good overview see, Solove (2013).

The first solution is a more prescriptive and paternalistic approach to data protection by simply banning particular types of processing of personal data. However, this approach has many undesirable effects (Solove 2013). Not only does it undermine personal autonomy (i.e., choosing how you wish your data to be used), it may also hamper innovation and requires strong (and costly) enforcement.
Furthermore, research has shown that not collecting these (often sensitive) types of personal data does not prevent data controllers from predicting these characteristics of users and building profiles based on these predictions (Kosinski, Stilwell and Graepel 2013, Custers 2013).

The second solution is to make privacy notices more accessible and readable. Since most scholars have focussed their attention on privacy notices, many useful suggestions and alternatives have been developed (see for instance: Van der Berg & Van der Hof 2012, Calo 2012 and McDonald & Lowenthal 2013). While making privacy notices more readable and comprehensible is a very important step in addressing the problem of information overload, it will do little to alleviate the other issues associated with explicit consent. A consent overload will remain and people will likely still face plenty of ‘take it or leave it’ scenarios. Also, an important question is whether the complexities of data processing can be reduced to simple and visceral privacy statements. Furthermore, this solution is not in line with the desire of data controllers to avoid compliance issues and (legal) risks. For data controllers, longer and more legalistic privacy statements may be preferable to ensure all issues are covered in cases of compliance checks and audits and in cases of disputes.

A third solution is to ‘nudge’ users into making responsible decisions about privacy, as proposed by Acquisti (2009).
This approach primarily addresses the issues of bounded cognitive ability and may also reduce consent overload by means of less invasive consent requests. However, it is questionable whether it will be effective in ‘take it or leave it’ scenarios. Furthermore, it could be argued that nudging encroaches upon the autonomy of the individual.

7.2 Towards a fair transaction model of consent

Although the solutions suggested above are helpful, we feel that ultimately they will not solve all the issues associated with the autonomous authorisation model of consent in data protection. We argue that a differentiated system of consent is therefore required. In this system, decisions only need unambiguous or explicit consent when it really matters, i.e., when decisions may involve serious risks or consequences for the person who consents.26 In all other cases, a consent mechanism that is inspired by the fair transaction model is more appropriate.

In a fair transaction model of consent, formal requirements for giving and obtaining consent could be relaxed. In practice, this could mean allowing implied consent for processing of personal data in particular cases. Lowering the threshold for consent will lead to less explicit and legalistic consent requests. This addresses the issue of consent overload and to a lesser extent that of information overload. It would also increase the flexibility of the data protection legislation. However, relaxing consent requirements should not result in inadvertently lowering the standards for data protection.
Furthermore, in a fair transaction model of consent, consent also needs to be morally transformative. Therefore, in the fair transaction model of consent, legal requirements for giving and obtaining consent can only be relaxed, if there is a common understanding in society on: 1) what actions -or inactions- constitute consent, 2) what ‘fair use’ of personal data is.

26 In those cases where consent is needed, privacy notices should be improved along the lines discussed in the literature described above (e.g., shorter notices, more visceral notices, more human readable).

Authorisation: fair and appropriate consent mechanisms in an online context

In the autonomous authorisation model of consent, there is a strong focus on the action that signals the consent. This action must explicitly or at least unambiguously signal consent. In the fair transaction model, these requirements can be less strict and more suited to the realities of human behaviour in a digital environment. At the same time, it must still be sufficiently clear what constitutes consent. Therefore, we must establish what actions (or inactions) objectively signal consent. An answer to this question is outside of the scope of this paper, as it is highly context-sensitive, but we can give some examples.
For instance, following the line of reasoning used to construe consent for field sobriety tests, we could argue that entering particular (online) environments and participating in online activities already constitutes consent for particular uses of personal data. For instance, the act of sharing personal data via a free social media platform could imply consent for the use of these data for advertising purposes. Another example is consent for cookies. In the case of cookies it could be argued that when a user does not alter his or her browser settings (thus allowing cookies), website owners may infer consent to drop cookies from this (lack of) action. Whether an action or inaction can be (objectively) viewed as a valid consent is dependent on different factors, a very important one being the level of technical expertise in society. For instance, if the majority of people do not know what cookies are, or how browsers work, the argument that not changing browser settings signals consent is less strong.

‘Fair use’ of personal data

When lower standards for giving consent are accepted, it must be sufficiently clear what actions are authorised by (implied) consent. This is important because, unlike explicit consent whereby information about intended processing purposes must be prominently displayed, data subjects will have far less warning in the fair transaction model of consent. As such, in a fair transaction model of consent data subjects must be able to rely on socially accepted standards for data processing in a particular context.
The question is thus: what do we consider a ‘fair transaction’ in the context of data protection? An answer to this question is also outside of the scope of this paper given the context-sensitivity. For different scenarios (e.g. surfing the web, buying goods, using social media, et cetera) we must determine what is fair, when it comes to data processing. An example could be that when you share your personal data via a free social media platform, society deems it fair that the platform uses these data for targeted ads that generate revenue, as long as they exclude all sensitive data (e.g., health data, sexual preference). When the platform wants to use the sensitive data for ad-targeting, they need to ask for explicit consent using a consent dialogue.

For implied consent to be fair, processing activities that can be sanctioned by implied consent must therefore be more or less standard and non-infringing. Processing purposes that are non-standard or may entail more privacy risks (e.g., selling data) would warrant unambiguous or even explicit consent.27 Furthermore, for implied consent to remain valid, alternative uses of data should not be allowed. The difficulty with data processing is that different types of personal data collected at the same time can be used for many different purposes.28 If we want to reduce the dependence on explicit consent, we need to create clarity and certainty for the data subject in those cases where we accept implied consent as a standard.
Therefore, under the fair transaction model of consent, data may not be processed for other purposes, even if they are considered compatible with the original goal of processing. To protect trust in this system of implied consent, enforcement should focus on those behaving unfairly against data subjects by processing data for other purposes.

Fair transaction as new legitimate basis for processing?

A system whereby we rely more on shared ideas about socially and morally acceptable uses of personal data in different situations, allows for more flexibility and a fairer balancing of different interests. To some extent, this idea of balancing different interests (those of the data controller and the data subject) is already reflected in article 7(f) of the Data protection directive. However, as described above this balancing of interests does not take the action or inactions of the individual into account. The fair transaction model of consent could add an extra layer of granularity and flexibility by introducing a new category (implied consent) that sits between the unambiguous consent and the legitimate interest as a basis for data processing.

An added benefit of the fair transaction model of consent is that it reintroduces a measure of risk into the system of data protection. When data subjects can no longer rely on explicit consent requests to warn them in all cases, they may have an incentive to become more aware about their (online) interactions and the role of personal data in these interactions. In those cases where data subjects are confronted with consent requests the warning effect will be stronger.
8. Conclusion

We have established that the legal framework for governing consent transactions in data protection, which has its basis in the autonomous authorisation model of consent, no longer works in practice. Data subjects are not making conscious and informed decisions when confronted with a consent request due to consent overload, information overload, and the fact that there is oftentimes no real choice. The reaction of the legislator has been to strengthen the position of the data subject by introducing stricter consent requirements along the lines of the autonomous authorisation model of consent. However, in practice these mechanisms will further undermine the privacy of the data subject. Moreover, further emphasis on the autonomous authorisation model of consent fails to take into account the legitimate interests of the party asking the consent. ...

Explanation & Answer

it is done

The Crisis of Consent
Name
Instructor
Institutional Affiliation
Date

Introduction

Consent is one of the essential systems through which lawful acts are constituted
It allows data controllers to process data subjects’ personal data under their authorization
Data subjects simply consent whenever confronted with a consent request online, or so it seems

Crisis of Consent

The legal theory tactically assumes that the person in question is a rational, informed subject
Data subjects basically consent to all consent demands without really perusing the fine print
Data subjects may unwittingly agree to all sorts of information handling that they don’t need
Data controllers may encounter a more hazardous time handling individual information
It opens them up to potential reputational harm, litigation and differing interpretations by the supervisory experts

Role of Consent in Human Interaction

The essential part of consent is to modify the ethical quality of someone else's directive
Consent allows another person to do what might otherwise be viewed as a wrongful action
It is an ethically transformative act that transforms desires amongst individuals and gatherings
It works as a notice that a possibly destructive or important change will occur that requires the consideration of the person in question

Validity of Consent

It must be given by a person with significant comprehension about the consent exchange
It must be given without any obvious intimidation from different groups
It must be given deliberately
It must approve a specific strategy

Substantial Understanding

The consenter must have the capacity for moral judgement
The person must have sufficient information about the context and consequences of the consent transaction
Children and people with a mental illness are not considered capable of giving legally valid consent
A possibility that the consent of a person is based on insufficient or inaccurate information
The person who consents fails to make a proper judgement on the basis of this information given

Absence of Coercion

For consent to be considered valid, it must be unreservedly given
Consent is not ethically transformative in case it is not the aftereffect of an independent decision of the individual giving it
There is no genuine decision nor consent if one declines to give assent
On the off chance that the subject is under any other type of undue pressure, the assent is vitiated

Intentionality

Consenting as an act must be intended for the sole purpose for which a person requests it
Consent will, in most cases, be communicated effectively
Consent never happens in the vacuum of individual decision
Implied consent is both subjective and objective
The subjective element entails that the individual requesting consent must trust beyond reasonable doubt that it has been given to him or her
The objective element is that society must concur that the conduct shown may lead the individual requesting agreement to sensibly trust that consent has been given

Authorize a Course of Action

For consent to be valid, it must be adequately evident what the game-plan is
Consent should be especially aimed at approving that game-plan
When the game-plan is not clear, the consent that approved the game-plan appears weak
Any consent that covers more than one diverse activity is possibly feeble

Consent and Autonomy

Consent and personal autonomy are closely linked as both are expressions of free choice
It is generally conceived as a specific form of autonomous action aimed at authorization
Our ability to consent reflects our rights as rational human beings and our freedom of choice
This way of thinking can also be called the “autonomous authorization model” of consent.
The model emphasizes the importance of a clear and affirmative choice by the consenting person

Consent in Relation to Privacy and Data Protection Law

An invasion of one’s personal space requ...

