Is Consent Really Dead?
13 Pages. Posted: 2 Oct 2018
Date Written: August 15, 2018
The global regulatory landscape on data privacy and protection is undergoing a paradigm shift. Europe, China, Australia and India (among others) are adopting reviewed legislative policies around data collection, processing and controlling entities. A seminal judgement by the Supreme Court of India, in August last year, upheld the individual right to privacy, and recognised that such a right extends to an individual's virtual persona. At the same time, India’s Ministry of Electronics and Information Technology commissioned a group of experts to deliberate on whether India needed a dedicated privacy statute, and, if yes, the contours of such law. In the midst of it all, the telecommunications regulator hosted a parallel consultative process on the security, privacy and ownership of data within the Indian context.
Against the backdrop of next generation technologies, and the rising dependence of (at the risk of sounding sci-fi-esque) humans on machines, and machines on human behaviour patterns and related consumer data, this increased regulatory attention is both welcome and essential. However, what impact does the discourse on changing contours of technology and policy have on individual user access to products and services, and the associated consent? The focus on the adequacy of existing legislation in protecting consumer interest and privacy has called into question the qualification of what constitutes ‘data protection’. Additionally, the sufficiency of extant norms of notice and consent in ensuring data privacy is being re-evaluated. The more alarmist question, therefore, is one of the following versions – Is the consent regime a failure? Is consent dead? With Artificial Intelligence and Machine-to-Machine communication dominating upcoming products and innovations, is individual consent no longer important, necessary, or even meaningful?
One school of thought deems consent irrelevant due to the very nature of innovation itself – increasingly automated with little or no human interface. Camp and Connelly evaluated privacy and consent within the paradigm of ubiquitous computing in home-based healthcare in 2007, and discussed the concerns associated with consent and its withdrawal. Rahul Matthan, a leading privacy lawyer in India, decreed consent inadequate in 2017, and propagated shifting data privacy discourse to a rights-based model. The core of the argument against consent rests on how obtaining it may be challenging in a connected ecosystem designed to ensure a seamless user experience. Connected venues and cities are oft-cited examples in furtherance of this thought. Future (i.e. currently unascertainable) uses of data collected today are the other prong in this context. The legal mandate of identifying and limiting the purpose of personal data collection, and its exact scope of usage is seen as a challenge – use cases may be dynamic as technology and service offerings evolve. Smart cities, the Internet of Things, the use of sensors and small cells – in a connected environment, the prerequisite of consent has (almost blasphemously) been referred to as “an inconvenient bottleneck”.
In my paper, I argue that the right to consent is exactly that – a right – which must be treated as sacrosanct. I further defend the right of users to access services, and therefore consent to sharing their personal data. I challenge and defend consent, assess its essence and nature, and analyse the meaning of its absence for the individual user – who stands to lose autonomy over her personal, private data. I add nuance to the discussion by drawing a distinction between consent itself and consent fatigue. I address the normative and empirical foundation of consent, and how it is not inconvenient to user experience, but rather complementary and essential to it. I propose solutions to the inadequacy argument propounded by Matthan by illustrating the ongoing collection of informed consent through regular awareness programmes in clear and accessible formats. I also illustrate how the rights-based approach is complementary to, and not a substitute for, consent. Finally, I draw the important distinction between consenting to, and thereby providing, access to private data on the one hand, and the obligation to protect it, on the other. The latter, I argue, ought to be the focus of discussion, such that the user has access to services she provides consent for, while having, at all times, the right to have her data safe, secure and protected.
Keywords: Consent, Privacy, Data Protection, Technology, Law, Rights, Individual Rights, Access to Services, Next Generation Technologies, Artificial Intelligence, AI, Machine to Machine, M2M, Internet of Things, IoT, Smart Technology, India, GDPR