To consent and beyond: are No-Go Zones the next frontier? – Part 1
We’ve had a good run but it’s time to move on…
To find out more, see Part 2: To consent and beyond: are No-Go Zones the next frontier? here.
For those in the privacy space, consent has been a big buzz word lately. Consent is a key tenet of many privacy laws around the world, including Victoria’s Privacy and Data Protection Act 2014. It is considered an important mechanism that allows individuals to protect their privacy by exercising control over their personal information, including what personal information organisations can collect, how they can use it, when and to whom the information can be disclosed. Although there are other legal bases that permit organisations to do these things, consent is often relied upon as the default.
Increasingly – and perhaps inevitably – the conversation has shifted dramatically to one about the ongoing viability of consent in privacy regimes. Traditionally, consent has been based on a transactional model, where exchanges of information between individuals and organisations occurred at clearly defined moments, often for discrete or limited purposes, and were largely routine, binary and transparent. Individuals generally knew who was collecting their personal information, why, and when.
While still appropriate in certain instances, the limitations of consent in today’s digital environment are becoming more evident. New technologies, platforms and practices are posing unprecedented challenges to the consent model, and impacting individuals’ ability to provide meaningful consent – that is, consent that is voluntary, informed, specific, current and given by someone with capacity.
Human behaviour, practical constraints and cognitive biases also play a role in the effectiveness of the consent model. After all, who has the time to read the countless, often incomprehensible terms and conditions to which we all subscribe? How many of us consider ticking that pop-up box (supposedly an expression of our consent) an inconvenience (or, frankly, just plain annoying)?
Of course, laws can be amended and regulations introduced to address some of the challenges facing the consent model. For example, the European Union’s General Data Protection Regulation (GDPR) contains strengthened consent requirements, including the need for express consent, a requirement for clear and plain terms and conditions where consent is requested, and prohibits bundled consents. Similarly, the Australian Competition and Consumer Commission’s landmark Digital Platforms Inquiry Final Report recommended stronger consent requirements in the Commonwealth Privacy Act 1988.
Any reforms that enhance privacy protections for individuals are welcome, but given the enormity of the challenges that technologies, digital platforms and big data pose not only to the consent model, but the notion of information privacy more broadly, is it time to move our focus to limiting certain uses of our personal information, instead of asking for consent?
To find out more, see Part 2: To consent and beyond: are No-Go Zones the next frontier? here.
This blog post was written by Tricia Asibal, Senior Policy Officer, Office of the Victorian Information Commissioner. The views expressed in this post are the author’s own and do not necessarily reflect the views of OVIC.