Event recap: Consent public forum
2018 has been a big year for privacy, both internationally and here in Australia. The flurry of emails that we all received asking us to agree to new privacy policies and terms and conditions following the introduction of the General Data Protection Regulation (GDPR) in May, and the debate around an opt-in versus opt-out model for the Australian Government’s My Health Record, both focused on a key theme in privacy: consent.
The Office of the Victorian Information Commissioner’s (OVIC) third public forum for the year, held on Wednesday 29 August, explored this topical issue of consent and its relationship to privacy in a range of different contexts. Sven Bluemmel, Victoria’s inaugural Information Commissioner, began the ‘in conversation’ style forum by welcoming our two guests:
- Lauren Solomon – CEO of the Consumer Policy Research Centre (CPRC); and
- Mark Taylor – Associate Professor from the University of Melbourne.
Mark opened with a comment on the current landscape of privacy and consent: that as a society, we’re allowing the concept of consent to be debased, with consent being used and relied upon in circumstances where it’s not serving the interests of the individuals providing the consent. Lauren gave her perspective from a market viewpoint, noting that transparency is needed for consumers to be able to navigate markets and make informed choices – however, the reality is that consumers often aren’t able to express their preferences or ensure privacy protections are there in the goods and services they use. Notably, Lauren questioned whether there should be certain privacy protections that are default for everyone, especially vulnerable consumers who may face barriers when engaging in markets.
The conversation then turned to the notion of ‘nudging’ (influencing people’s behaviour or decision making) in light of individuals’ tendency to default to standard settings rather than customising their privacy protections. Lauren raised some of the key issues arising from nudging, including questions of collective versus individual benefit, individual liberty, and importantly, that nudges shouldn’t take things away from individuals without their consent.
This led to a discussion around opt-in versus opt-out, with Mark noting the distinction between a consent model and an opt-out model, although the two are often conflated. Mark explained that valid consent must be communicated in some way, whether expressly or signalled through conduct; inaction or silence cannot constitute a valid signal for consent, which is precisely what an opt-out system relies upon.
The speakers also discussed another element of meaningful consent: that it must be informed. Lauren talked about the shift – reflected in international regulation – from information disclosure via lengthy privacy policies, to comprehension testing, which is an important step to empowering consumers and ensuring they understand the information being given to them. Mark further observed that there is often an assumption that informing individuals about how their information will be used, so that they can give valid consent, only has to occur prior to obtaining their consent. However, organisations have a responsibility to continue informing individuals about how their information is being used, particularly for uses that they may not reasonably expect. Consent should not be a set-and-forget exercise, but an ongoing conversation between the organisation and the individual.
Another key topic explored in the discussion was minors and consent, with Sven asking the speakers whether minors should have a role in expressing consent on their own behalf. Mark explained that both (mature) minors and parents should be involved in that decision, until the minor becomes an adult. Importantly, however, it will be different for all families. Lauren also noted that whether the decision to give consent is made by parents, or both the minor and their parents, will depend on the situation and the type of information in question.
Finally – and perhaps inevitably – the conversation turned to the GDPR and its high standard for consent. Both Lauren and Mark agreed that Australia should aspire to greater levels of consent, transparency, and comprehension.
The forum ended with some interesting questions from the audience, touching on a range of issues from individual responsibility to protect not only one’s privacy but that of others (friends, families, colleagues etc.), to context-based consent.
OVIC would like to extend its thanks and appreciation to Mark and Lauren for an interesting discussion, and to everyone who came along on the day. It was a very well attended and well received event, and we look forward to the next one!
For those who missed out or would like to relive the discussion, a recording of the forum is available on the OVIC Periscope channel.