Privacy body backs ‘explicit consent’ rules in data protection reforms

The Article 29 Working Party has released an opinion concerning the requirements for consent in the upcoming GDPR.

I’d agree that it’s important that there is no doubt as to the subject’s intent to consent – that is fundamental and arguably a good definition of what we try to encapsulate through the term “meaningful”. Their use of the word “explicit” seems problematic, to me, though. For a start it isn’t really clear what that means – to me explicit consent means an act that ONLY creates consent, with no other meaning or effect. That feels like overkill, and will constrain innovation around genuinely consentful interactions. My view is that we should be able to measure if an interaction really embodies consent, and it’s clear (to cite the common example of holding out your arm to give blood) that consent CAN be both intended, meaningful and implicit. That is to say, the act of holding out my arm intuitively gives consent to phlebotomy but also makes my arm physically available for the procedure.

Uploading a photograph by clicking “upload”, in the clear presence of an appropriate notice, is not necessarily explicit consent, but it does to me embody a signal of consent that is unambiguous and meaningful. The act of transmitting the photograph may not be an explicit consent signal, but it clearly does embody consent to the same extent that ticking a box would.

My own feeling is that we should really be talking in terms of whether or not consent signals are intended and unambiguous rather than whether they are “opt-in” and “explicit”.  Opt-in and explicitness clearly are ways to reduce ambiguity, but they just become box-ticking requirements for interaction designers that constrain us to a subset of meaningful consent interactions and which rule out some interactions that actually would fulfil our desires and which actually reinforce some of the extant problems with consent, like user-bother and consent fatigue.

Have a read of the Article 29 opinion, and maybe watch my recent WSI talk for more about my thoughts on taking a broader, more innovative approach to consent.

Source: Privacy body backs ‘explicit consent’ rules in data protection reforms

How EU data protection law could interfere with targeted ads

An interesting article in The Conversation by James Davenport at the University of Bath about some of the possible implications of the GDPR.  The extent to which cloud computing providers, such as Amazon Web Services, should be considered data processors is particularly interesting.  After all, these companies need to exercise some basic competence to ensure data security, but beyond that have no real say in what’s happening to data since they’re involved only at the “bit” level.

From a consent perspective, does an infrastructure provider matter, or is this a case where just regulating these companies as utility providers would be the best approach?

Source: How EU data protection law could interfere with targeted ads

The man who read all the small print on the internet

Very nice piece in The Guardian by someone who decided not to do anything before he’d read all the terms and conditions first. Did you know Sony is allowed to brick your (offline!) PlayStation if you were to translate the PS4 software?

The article makes a great case for increasing negotiating power of consumers. See

Microsoft announces new Skype ToS

Microsoft has announced that Skype will be governed by the new Microsoft Services Agreement and the Microsoft Privacy Statement from 1st August 2015.

This is part of an effort to standardise all services under a single Terms of Service document and Privacy Policy. Fewer terms of service to read should be good for consent, but Microsoft provides such a broad range of services that such a document might be too vague to really inform digital citizens about what, specifically, is happening to their data. Google took a lot of flak, including a fine from the French data protection body, when it tried a similar unification in 2012.

When Microsoft acquired Skype in 2011, we brought together our communication technologies to help you stay closer to friends, family and colleagues. And, if you’re like millions of other people who use a number of Microsoft’s services (for example, for email, Bing, Xbox, Office 365, etc.) we’re making life a little easier for everyone. How? Well, most of Microsoft’s consumer services are being brought together under a single Microsoft Services Agreement and a consolidated Microsoft Privacy Statement.

Full Email

Meanwhile, Apple assumes that bloggers consent to the terms of service for its forthcoming News service unless they opt out – apparently even if they’ve never heard of it!

A good week for Meaningful Consent? Leave your thoughts in the comments.