Consent as a Universal Principle in Global Data Protection
Remarks at the 7th European Data Protection Days
May 15, 2017
Address by Patricia Kosseim,
Senior General Counsel and Director-General, Legal Services, Policy, Research and Technology Analysis
(Check against delivery)
Introduction: Early History of Consent / Moral Transformer
To begin our whirlwind tour of Consent in just under 15 minutes, let’s go back to 400 BC with some ancient Greek philosophy.
Plato, who wrote about how societies should be structured in his seminal work Republic was not a proponent of consent, or a society based on market transactions and other consensual exchange. He supported a society where everyone is compelled to cultivate their unique capabilities – thought to be present at birth and unchangeable – with little room for individual choice or social relations based on individual consent. He held that the few wise in society are best suited to determine who is assigned what in life.
Soon after Plato’s death, Aristotle put forth a different conception of what society should look like: that it be comprised of repeated exchanges of goods and services among free and independent producers and consumers. Consent became the linchpin of the entire system. According to Aristotle, the bonds that hold political association together are forged through consensual social relations and consensual exchange.
And so it was that consent emerged as a mediator of social relations, functioning as a form of individual “empowerment.”
Over time, consent became the fundamental legal and ethical underpinning: a “moral transformer” that converts slavery into employment, battery into medical treatment, and, privacy violations into lawful uses of personal information.
Over time, however, we set limits on consent. For example, it is common in criminal law systems to invalidate someone’s consent to being severely harmed by another, for consent presupposes a social context that enables individual flourishing. When consent functions otherwise, it has, to quote Professor John Kleinig from City University of New York, “uprooted itself from that which sustains it,” and lost its moral magic.
We also place other limits on consent. For example, consent will not hold up when a person does not have the requisite capacity to make informed choices, such as in the case of children and legally incapable adults. Likewise, consent is invalid if the person is not sufficiently informed to truly understand the consequences of their decision. Finally, consent will not stand up if the individual providing it did so involuntarily or under coercion.
Consent and Medical Research / Research Ethics
For illustrative purposes, let us trace the evolution of consent in the context of medical research, from which we can draw certain parallels to global data protection in an age of Big Data.
Informed consent emerged as the “gold standard” in medical research, following the Nuremberg Trials that condemned the Nazi experiments of World War II. Informed consent engages respect for persons as persons (not human guinea pigs) and serves as an express manifestation of the individual right to autonomy, liberty and dignity. It has become engrained as a universal bioethics principle.
Like medical treatment, clinical research tends to involve some physical interference with the human body. Hence, from a legal perspective, consent also serves as a defense against the tort of battery.
However, unlike medical treatment, clinical research is not exclusively for the benefit of the patient. Rather, its purpose is to increase knowledge through experimentation in the hopes of benefitting future patients. The effectiveness and potential side effects of any treatment may not be fully known and it is those research participants who assume risk for the communal benefit of others. As such, the disclosure requirements for consent became even more stringent than for informed medical care, necessitating disclosure of all risks, no matter how minimal.
But the field of health research soon evolved from this original paradigm and the more exacting requirement for specific informed consent became unsustainable.
We moved from small-scale randomized clinical trials to large-scale population health research; from binary relationships between clinician-researcher and patient, to complex data analyses by global scientific teams far removed from any known individual; from traditional medical records, to millions – if not billions – of data points about all aspects of human and environmental life. Even the physical space in which research takes place has evolved from bench and bedside, to huge computer servers and whole genome sequencers. More and more, health research is data-driven.
With this fundamental shift comes a new reality:
First, the sheer volume and breadth of data collected for analyses has grown exponentially.
Second, given the complexity of research and the speed with which it is evolving, it has become impossible to explain to individuals at the time their personal data and bio-samples are collected, exactly how it may be used for future research.
Third, these data are here to stay. To think that these valuable data repositories will be destroyed after each project, only to be rebuilt again for the next project is folly, considering the huge investments made in building them.
And finally, unless there is a longitudinal component built into the research design or a survey component that requires periodically re-contacting individuals, there is no opportunity to communicate with participants at an individual level.
As a result, there has been a movement internationally away from a model of specific informed consent negotiated one-on-one between clinician and patient, to a concept of broad consent for use of data in future research studies. To compensate for this lack of specificity, there must be more stringent review by independent, third-party experts (such as research ethics boards), stronger safeguards, for example, de-identification, and a more robust governance framework in accordance with widely accepted ethics principles.
Consent in the Privacy Context
In the same way as medical research evolved from a researcher-subject relationship at an individual level, to one of large-scale population studies, so too have commercial relationships evolved. Collection, use and disclosure of data in the commercial context have moved from binary exchanges between buyer and seller, to complex ecosystems involving third party intermediaries who experiment in Big Data, in ways largely invisible to consumers.
In most data protection regimes world-wide, consent functions as a way for individuals to protect their privacy by exercising control over their personal information. But there are differences in how this concept has evolved.
Historically, in Europe privacy is deeply rooted in notions of dignity.
In mid-nineteenth century France, for example, jurisprudence began to develop around the sale or distribution of salacious images. French courts held that one’s privacy was not something that was captive to market forces. The sale of a salacious image by a person who had momentarily "forgotten his dignity" in having the photos taken and choosing to sell them could be voidable. A person should not be able to freely dispose of her dignity.
In other words, the European tradition has held that informed consent, though central, is insufficient to authorize a given use of personal information.
Moreover, consent is not the only source of authorization. The GDPR recognizes consent as an important lawful basis for processing of personal data, but it is only one among other legal grounds.
The “legitimate interest” basis is of particular note for us. Sometimes legitimate interests of the controller are compelling and beneficial to society-at-large. Other times, it can encompass a controller’s economic interest to better target its advertisements. While the concept of legitimate interests can be quite broad, it tends to be circumscribed at a second stage of analysis when weighed against the interests and fundamental rights of data subjects.
In comparison, the US conception of privacy has historically been grounded in values of liberty and freedom from state intrusion. From this perspective, specific informed consent should be both necessary and sufficient for privacy protection. As long as an individual agrees to a particular use of her data, his or her freedom is being respected.
The US third party doctrine essentially resembles a very broad application of implied consent, holding that a person has no legitimate expectation of privacy in information he or she voluntarily turns over to third parties, including banks, phone companies, or internet service providers. Even the Fourth Amendment – the protection against unreasonable search and seizure – does not preclude the government from accessing it without a warrant.
It could – and has – been argued that the third party doctrine was a minor enough mistake when it was created more than forty years ago, but now, technological developments have greatly exacerbated its adverse impacts.
On the whole, Canada’s privacy laws fall somewhere between those in Europe and those in the United States. Our bijurical legal system is based on both civil law and common law. Our approach to privacy includes both a civil law emphasis on fundamental rights, including the right to dignity and integrity, and a common law emphasis on protection from unreasonable search and seizure.
Yet, when it comes to consent, Canada has less flexibility than both Europe and the US. Unlike in the EU, which has multiple grounds for processing, consent in Canada is the sole ground. It is the gateway concept through which all collection, use and disclosure of personal information must pass, subject to limited exceptions.
And, unlike the US that can rely on the third party doctrine, we have a much stricter scope of implied consent.
While many privacy advocates have heralded the uniquely central role consent plays in Canadian privacy laws, it does admittedly raise practical challenges in an era of Big Data. These challenges are largely reminiscent of similar challenges faced by health researchers as research methodologies evolved in recent decades.
We at the Office of the Privacy Commissioner of Canada are currently working on a crucial undertaking to revisit consent in the privacy context, see how well it is working, how it can be improved and, where it cannot, propose a way forward.
A year ago, we published a discussion paper exploring the continuing viability of the consent model of privacy protection. We then issued an open call for submissions on this topic and received more than 50 written submissions from a broad range of stakeholders. This was followed by stakeholder meetings in five major cities and focus groups with individuals across the country.
We are in the process of drafting our policy position on consent, which we will publish in the fall.
What we heard won’t surprise you: the consent process, as we currently know it, involving reams and reams of legalese nobody reads or understands does not always accomplish its intended goal. This is not individual flourishing to say the least.
Consent is not always meeting the needs of individuals in their efforts to exercise control over their personal information, particularly when it is unduly stretched to accommodate the complexity of emerging technologies and business models. There is also a real risk of consent fatigue setting in overtime.
That doesn’t mean we should throw out consent as a foundational basis for privacy protection. It does mean we need to revisit how we apply consent and acknowledge that in some justifiable cases, consent may simply be impossible or impracticable. We recognize that certain data uses are sufficiently beneficial and compelling from a societal perspective to warrant finding other practical solutions. What should be our balancing test and our sina qua non conditions for determining whether consent should be removed as a requirement in certain limited circumstances?
We are currently examining alternatives to consent in these limited circumstances, and the types of governance models that can adequately oversee companies and protect consumers’ privacy with appropriate safeguards.
Where to from here?
It seems universally established that consent is critically important for global data protection, but there is no single conception of its role nor its place across geography and time.
By reducing the role consent plays in privacy protection, are we returning to a pre-consent, 400 BC society?
As we move forward, we are not suggesting that we abandon consent altogether in favour of a system in which immutable characteristics – determined by the few “wise” in society – decide for us what privacy protections are appropriate.
Rather, we wish to maintain the pivotal role of autonomy and hold a place for consent where it truly does function as an appropriate way of protecting privacy. But when consent has “uprooted itself from that which sustains it”, and lost its moral magic, it may well be time to consider alternatives and supplementary protections.
- Date modified: