The reality of "explicit consent": teutonic lobby groups vs. profound scholarly reflections
Some German privacy groups have published an open letter to the German Minister of Interior Affairs warning him not to give in to demands for a "weaker" European data protection regime in current discussions on a new European regulation.
Petition for "Simplicity" and "Strength" in Data Protection
The privacy groups demand tightening the rules on "explicit consent", and they call on the Minister to defend "the German data protection level as minimum standard for Europe." (see petition in German "Datenschutz: Einfach. Stark. - Offener Brief an Bundesinnenminister Dr. Hans-Peter Friedrich", open at Digitalcourage.de until 2 June 2013).
What is good for Germany will be best for Europe - a teutonic attitude that is presently quite popular in Germany. At the same time, there is an unfortunate tendency to ignore intellectual debates taking place in the rest of the world. Mainstream German discussions on the European data protection reform give the impression that the European debate is exclusively between German legislators, ministers and privacy advocates on the one hand ("the good guys") and sinister "lobby groups", dominated by US companies, on the other hand ("the bad guys"). The only non-German voice audible is that of EU commissioner Viviane Reding. She is from Luxembourg, but some people would argue that nobody, except maybe the German chancellor, is more teutonic than her.
"Explicit Consent": Reality of a Holy Grail
For the "good guys" in German data protection debates, "explicit consent" is the holy grail of data protection. The argument is more than simple: Art. 8 of the EU Charter of Fundamental Rights recognises the right to data protection as a fundamental right. Therefore, "explicit consent" must be the rule and not the exception when it comes to data protection laws.
As users of online services of all kinds, we know the sober reality of "explicit consent": A tick-box that takes care of and, supposedly, protects our fundamental rights according to the logic of the "good guys". And as practising lawyers we know that privacy policies linked to the tick-boxes are the stuff we write for other lawyers but never read unless they are somehow related to a case we are working on. And even the European Commission does not fully trust the holiness of the grail: According to Art. 7 (4) of the proposed Regulation, consent shall not provide a legal basis for data processing, where there is a "significant imbalance" between the position of the data subject and the controller.
Dilemma of Consent
In two newly published articles by renowned but non-German scholars, the shortcomings of "explicit consent" are pointed out. In an article in the Harvard Law Review, Daniel J. Solove, professor at the George Washington University Law School and author of the book "Understanding Privacy", reflects on "Privacy Self-Management and the Consent Dilemma":
"Privacy self-management takes refuge in consent. It attempts to be neutral about substance — whether certain forms of collecting, using, or disclosing personal data are good or bad — and instead focuses on whether people consent to various privacy practices. Consent legitimizes nearly any form of collection, use, or disclosure of personal data." (Daniel J. Solove, "Introduction: Privacy Self-Management and the Consent Dilemma", Harvard Law Review, Vol. 126, p. 1880)
This is exactly why reliance on consent fails to protect privacy. It leads to binary choices: Either you tick the box and allow the controller to collect and use information to the extent described in the (mostly unread) privacy policy. Or you decide not to use the service at all. When given such a choice, experience shows that boxes tend to be clicked. In his article, Solove points out that privacy cannot simply be left to the users' "self-management". It is time to develop new concepts for privacy protection. (Daniel J. Solove, "Introduction: Privacy Self-Management and the Consent Dilemma", Harvard Law Review, Vol. 126, pp. 1880-1903)
Inappropriate Binary Choice
In International Data Privacy Law, Fred H. Cate and Viktor Mayer-Schönberger reach similar conclusions when summarising the results of worldwide regional privacy discussions held in September 2012:
"Today, almost everywhere that individuals venture, especially online, they are presented with long and complex privacy notices routinely written by lawyers for lawyers, and then requested to either ‘consent’ or abandon the use of the desired service. That binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected." (Fred H. Cate/Viktor Mayer-Schönberger, "Notice and Consent in a World of Big Data", International Data Privacy Law (2013) 3(2), 67-73)
Hope for Positive Impulse on Reform Discussion
Both articles are brilliantly written and full of lucid observations. While none of the three authors claims to have a perfect idea of the core rules of modern privacy laws, they all agree that it is short-sighted and simply not enough to rely on an "opt-in" system. As a tool of privacy protection, "consent" is overrated. And an exaggeration of consent requirements can be a serious impediment to the free flow of information, to the freedom of communication as well as to innovation in the age of "big data".
The voices and arguments of the three distinguished but non-German scholars certainly deserve to be heard in Germany. They prove that the discussion about the necessary reforms in European data protection laws needs far more intelligent, profound and knowledgeable suggestions than are contained in any of the 91 draft articles from Brussels.