Informing Consent: Giving Control Back to the Data Subject from a Behavioral Economics Perspective

Author:Santiago Ramírez López
Pages:35-50
SUMMARY

The development of data privacy legislation in Europe and America has been highly influenced by the idea that individuals must maintain the autonomy to take decisions regarding the general purpose and uses of their personal data; an idea that has been generally instrumentalized with the mechanism of informed consent. Recently, both companies and researchers in the field have criticized this idea, ... (see full summary)

 
FREE EXCERPT
Informing Consent
2018
35
1
Informing Consent
Giving Control Back to the Data Subject from a Behavioral
Economics Perspective
by Santiago Ramírez López*
© 2018 Santiago Ramírez López
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Sa ntiago Ramírez López, Informing Consent : Giving Control Back to the Data S ubject from a
Behavioral Economics Persp ective, (2018) JIPITEC 35 para 1.
Keywords: Behavioral economics; Data Privacy; Data Protection; General Data Protection Regulation;
Informational self-determination; Informed consent
implications and the impossibilities derived from ob-
taining an informed consent from data subjects that
are generally unfamiliar with the topic. Based on the
analyses regarding the difficulties of obtaining an ef-
fective and informed consent, this contribution will
examine how some of the bias and impasses studied
through the discipline of behavioral economics may
help us to understand the current problems in re-
lation to the way in which consent is requested and
provided by the data subjects. This contribution con-
cludes by proposing alternatives that seek to over-
come these biases and impasses with an easier pro-
vision of information of the data processing and the
implementation of a data management and a value-
oriented model, which would benefit the data sub-
jects.
Abstract: The development of data privacy
legislation in Europe and America has been highly in-
fluenced by the idea that individuals must maintain
the autonomy to take decisions regarding the general
purpose and uses of their personal data; an idea that
has been generally instrumentalized with the mech-
anism of informed consent. Recently, both compa-
nies and researchers in the field have criticized this
idea, arguing that with the new advances and tech-
nological progress, consent has lost importance due
to the ubiquity of the data processing and the ab-
sence of real participation of the data subjects. This
article seeks to take into account both points of view,
by recognizing the importance of the autonomy of in-
dividuals to determine the destination of their per-
sonal data, but also by understanding the practical
A. Introduction
1
It is safe to say that the notion of controlling the
destination of one’s personal information has been
strongly involved in the development of the data
privacy/data protection discipline.1 The right to
* LLB (Del Rosario University - Colombia); LLM (University of
Hannover / University of Oslo). IT Law Associate Professor
(El Bosque University – Colombia).
1 Professor Lee A. Bygrave has a thoughtful denition of
the eld of data privacy law, and the meeting points and
dissimilarities between different terms that compose
the eld, such as “data protection”, “data privacy” and
“data security”. For conceptual purposes, this work will
informational self-determination, developed in
Germany during the 1980’s, entails a value that is
still applicable in recent history; that individuals
should be able to limit the information that can be
used from them.2 The American tradition has long
indistinctively use the terms “data protection” and “data
privacy” to address, in the words of professor Bygrave,
the regulation of “(…) all or most stages in the processing
of certain kinds of data” as well as “(…) the ways in which
the data is gathered, registered, stored, exploited and
disseminated”. See: Bygrave, L. A. (2014). Data Privacy Law:
An International Perspective. London: Oxford University Press,
pp. 1-5.
2 Schwartz, P. (1989). The Computer in German and American
Constitutional Law: Towards an American Right of
2018
Santiago Ramírez López
36
1
an interconnected world.9 Although this explanation
is convenient for businesses, it also disregards the
fact that society has become increasingly more
suspicious of how companies are using the data and
information provided by users.10
5 This article aims to demonstrate that, although the
legal concepts of privacy between the predominant
Western traditions contain discrepancies mainly in
their formation, they are not so different in their
outcome, as Western traditions embrace the concept
of control of the data subjects as a capital guideline
of data protection.
6 This paper will analyze the implications of the eld
of behavioral economics in the data privacy scenario.
Supporting the position of other authors,11 it will be
argued that some of the bias and impasses studied
in the eld of behavioral economics may help to
explain the issues and problems of consent as a way
to provide control to the data subject based on a
conscientious decision-making scenario.
7
The objective of this analysis is to restore the
position of the concept of informed consent as the
primary means of control for the data subject, while
recognizing that to achieve such informed consent,
the data subjects must be provided with more
suitable conditions that allow them to overcome
the biases and impasses.
8
As a conclusion, this contribution will analyze a
proposal for the creation of such a suitable scenario,
by implementing alternative ways to provide and
manage information and by giving a tangible
value to the data from the user’s perspective. This
proposal is composed of the following components:
(i) alternative and user-friendly ways of providing
the information required by Article 13 of the GDPR,
resorting to existing models, such as Creative
Commons; (ii) a data management system that
contains unied information of the personal data
circulating online of the data subject; and (iii) a
model based on the value of the data in benet of the
9 In 2010 with the rapid increase in the use of social media,
Mark Zuckerberg, founder of Facebook, stated that privacy
was no longer a “social norm”, as social media sharing
reected a change in attitude. See: Johnson, B. (2010, 1
11). Privacy no Longer a Social Norm, says Facebook Founder.
Retrieved 7 1, 2016, from <https://www.theguardian.com/
technology/2010/jan/11/facebook-privacy>.
10 Several polls have shown the rejection of the public in
relation to surveillance and data gathering. These polls will
be discussed in Section B.II. See: Jourová, V. (2015). Data
Protection Eurobarometer-Factsheet. European Commission.
See also Madden, M., & Rainie, L. (2015, 5 20). Americans’
Attitudes About Privacy, Security and Surveillance. Retrieved 7
2, 2016, from <http://www.pewinternet.org/2015/05/20/
americans-attitudes-about-privacy-security-and-
surveillance/>.
11 See footnotes 54 to 56.
recognized equivalent values, identifying the right
“to be let alone” as a way to promote a non-intrusive
information gathering against the media and the
emerging technologies,3 and as a right grounded
in the control of the individual to determine what
information can be openly communicated.4
2
On paper, the European legislation has included
several provisions which seem to provide data
subjects more control over their information.
Indeed, the former Data Protection Directive5 (from
now on the “DPD”) and the recently adopted General
Data Protection Regulation6 (from now on the
“GDPR”), contain the basis to prevent practices that
may constitute an illegitimate processing of data,
and dedicate several provisions to the possibility of
control of the data subject grounded on informed
consent. Nevertheless, the reality of the online
scenario has shown the inability of this model to
provide control and to protect the data subject’s
right to privacy.
3
Among experts, there is a debate if whether
providing more control to the data subject can
be a solution applicable in the real world for the
protection of the right to privacy. The critics of a
control-oriented approach base their arguments on
the practical, conceptual, and moral difculties of
the model,7 but mainly on the fact that the consent,
as the main mechanism of control of the data subject,
has so far proved to be impractical and inefcient.8
4
A concise reason for the failure of a consent-
oriented model is still subject to debate. Some,
especially in the private sector, believe that modern
society is currently suffering a transition, where
the traditional concept of privacy, or privacy as a
“social norm,” is being dismissed with the excuse of
Informational Self-Determination. The American Journal of
Comparative Law, 37, pp. 678-689.
3 Warren, S., & Brandeis, L. (1890, December 15). The Right to
Privacy. The Harvard Law Review, IV(5).
4 Ibid.
5 The European Parliament and the Council of
the European Union. Directive 95/46/EC of the
European Parliament and the Council of 24 October
1995 on the protection of individuals with regard
to the processing of personal data and on the free
movement of such data.
6 The European Parliament and the Council of the European
Union. Regulation (EU) 2016/679 on the protection of
natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation).
7 Allen, A. L. (2000). Privacy-as-Data Control: Conceptual,
Practical, and Moral Limits of the Paradigm. Connecticut Law
Review, 32, 861-875.
8 Koops, B.-J. (2014). The Trouble with European Data
Protection Law. Tilburg Law School Legal Studies Research
Paper Series, 4, p. 3.

To continue reading

REQUEST YOUR TRIAL