Selling your soul while negotiating the conditions: from notice and consent to data control by design

This article claims that the Notice and Consent (N&C) approach does not efficiently protect the privacy of personal data. On the contrary, N&C could be seen as a license to freely exploit the individual’s personal data. For this reason, legislators and regulators around the world have been advocating for different and more efficient safeguards, notably through the implementation of the Privacy by Design (PbD) concept, which is predicated on the assumption that privacy cannot be assured solely by compliance with regulatory frameworks. In this sense, PbD affirms that privacy should become a key concern for developers and organisations alike, thus permeating new products and services as well as the organisational modi operandi. In this paper, we aim to uncover evidence of the inefficiency of the N&C approach, as well as the possibility of further enhancing PbD, in order to provide the individual with increased control over her personal data. The paper aims to shift the focus of the discussion from “take it or leave it” contracts to concrete solutions aimed at empowering individuals. As such, we put forth the Data Control by Design (DCD) concept, which we see as an essential complement to the N&C and PbD approaches advocated by data-protection regulators. The technical mechanisms that would enable DCD are currently available (for example, the User Managed Access (UMA) v1.0.1 Core Protocol). We therefore argue that data protection frameworks should foster the adoption of DCD mechanisms in conjunction with PbD approaches, and that privacy protections should be designed in a way that allows every individual to utilise interoperable DCD tools to efficiently manage the privacy of her personal data. After having scrutinised the N&C, PbD and DCD approaches, we discuss the specificities of health and genetic data and the role of DCD in this context, stressing that the sensitivity of genetic and health data requires special scrutiny from regulators and developers alike.
In conclusion, we argue that concrete solutions allowing for DCD already exist and that policy makers should join forces with other stakeholders to foster the concrete adoption of the DCD approach.
