Without question, the most challenging privacy issue facing innovators and entrepreneurs is consent. How do we exploit the benefits of personal information while navigating the complex maze of global privacy laws that put control over the collection, use and disclosure of personal information into the hands of individual data subjects? How do we leverage the data amassed about individuals to enable artificial intelligence and machine learning? It seems that everywhere we turn, the nasty issue of consent raises its head to thwart our efforts.
While consent may seem like an onerous burden to place on the backs of innovators and entrepreneurs, it is the loan arrow in our quiver of tools to protect our basic human right to privacy. It is what gives each of us, as individuals, control over our digital destinies.
Rather than bemoaning the need for consent, we must embrace it.
The recent Facebook/ Cambridge Analytica scandal was a global tipping point where the records of 87 million Americans were exploited for electoral advantage. It is clear that we need more consent, not less, to protect us from corporate and political overreach.
Governments and regulators around the world are struggling to keep up with the pace of technological change. Privacy and consent are among those challenges. Many of our consent rules were born in the last century, long before social media, smart phones, and the Internet of Things. As individuals and innovators, we need to rethink our approach to consent and how we protect our privacy rights.
We’re not doing a very good job managing consent in the digital world. Consent statements are often buried in lengthy and incomprehensible Terms and Conditions and Privacy Notices that encourage consumers to click through as quickly as possible so that they can get to the desired service offering. While such approaches may be technically legal from a contract law point of view, they do not afford the consumer the protections contemplated under privacy laws.
The European General Data Protection Regulation (GDPR), which came into effect in May 2018, is the most recent iteration in global privacy protection. It provides a roadmap going forward dealing with a range of privacy issues, including consent. The GDPR has emboldened regulators around the world to aggressively promote 21st century privacy protections. We can expect other countries, including Canada, to align our privacy laws with the GDPR over time.
So what does the GDPR say about consent?
Consent must be freely given – While nobody’s holding a gun to our heads, consent is often a condition for the receipt of goods and services. We don’t really have a choice. Recital 42 of the GDPR states,” consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.
Consent must be specific – There cannot be any uncertainty concerning the purposes for the consent. Article 6 of the GDPR states that the consent must be for “one or more specific purposes.” Blanket consent is not allowed.
Consent must be informed – in order to be informed, we must understand the purposes for the information, who is using it, what data is collected and used, our right to withdraw consent, the use of data for automated decision-making (if applicable) and the possible risks of data transfers.
Consent must include an unambiguous statement of wishes – Article 4 of the GDPR requires a clear statement from the data subject (in writing or oral) or a clear affirmative act (choosing from a range of alternatives). There cannot be any uncertainty concerning the data subject’s intention or choice.
In addition to the conditions for a valid consent described above, the GDPR requires explicit consent for special categories of personal data including health, genetic and biometric data. This is somewhat at odds with Canadian health privacy legislation that relies heavily on implied consent within the circle of care. Canada has taken a different approach to patient control of their data by enabling patients to issue consent directives (a.k.a. lock box or masking) restricting the use and disclosure of personal health information. One thing is clear however, the bias is towards giving data subjects greater control of their personal information.
At this stage, it is still unclear how strictly regulators will interpret the GDPR, and the extent to which current practices are in compliance with the regulation. At a minimum, consent statements in and Terms and Conditions must be reviewed to confirm that consent is freely given, specific, informed, and includes an unambiguous statement of wishes.
Integrating consent into our healthcare apps will be a challenge for developers and a classic case for Privacy by Design. Canadian companies have an opportunity to gain an edge in the global healthcare marketplace by proactively developing consent solutions. Consent solutions must focus on the user experience, enabling and encouraging data subjects to exercise their right to privacy.
The GDPR is another step forward in the evolution of global privacy protection. In time, other countries will undoubtedly push further, giving data subjects increasing control over their digital destinies. Consent is perhaps the most important tool we have to help us exercise our rights and freedoms.