Consent-to-port: A new mechanism to protect our data4 min read . Updated: 08 Sep 2020, 08:08 PM IST
A specific okay for third-party data transfers would let us judge usage proposals case by case
A good part of my public writing on privacy, in this column and elsewhere, has centred around my discomfort with our over-reliance on consent as the primary means to protect our personal privacy. As useful as consent might have been in the early days of data protection, I have argued, it no longer performs that function effectively. Instead, it is used today as a get-out-of-jail-free card by technology companies which design their privacy policies to be as wide as possible so that when you accept their terms, you would have agreed to language that gets them off the hook with pretty much everything they do with your data.
The reason for this is the data asymmetry that is inherent in our online interactions today. Large tech companies have such disproportionate access to and control over our personal data that they often know more about the implications of our decisions than we can ever know. As a result, our consent will always be based on an imperfect appreciation of everything they can do with it because we simply cannot comprehend the many ways in which our data might be used.
Take transfers, for instance. Data protection laws require collectors of data to clearly specify the individuals and entities with whom and which it will be shared. However, in most instances, the number of entities with which data will be shared is so large that it is inconvenient to list them in anything but the broadest terms. As a result, the data-sharing provisions in most privacy policies are worded broadly, listing the entities to which data could be transferred by referring to categories as vague as “advertisers", “vendors" and “researchers". When we consent to the terms of these privacy policies, we permit our data to be shared with any entity that falls within those broad descriptions and forsake the opportunity to decide on a more granular basis which specific advertiser or researcher should have access to our data. Instead, we effectively delegate the responsibility of deciding which entity is appropriate to the company that controls our data.
This is one of the primary reasons I believe that consent as currently used is inadequate. When obtained upfront, it is by definition collected without reference to a specific entity or purpose for which it is used. It is, therefore, unmoored from the actual transaction that it is supposed to sanction. How can consent provided in this manner be valid, given that the data principal had no idea of the actual transaction to which the consent was applied.
But, as much as I might wish for greater agency in data transfers, there are practical constraints in its way. To be effective, cross platform data transfers need a common portability infrastructure that can be used by the entire ecosystem, so that they can proceed in a fair and non-discriminatory manner which does not prioritize large established companies over start-ups. This calls for a level of standardization currently absent across most sectors, and also common technical infrastructure to enable sharing.
Last week, the Niti Aayog released a draft document for discussion on the Data Empowerment and Protection Architecture (DEPA), India’s technology infrastructure for secure data sharing that I have written about before. It described the unique technological and regulatory framework that India has created to facilitate the transfer of data between various financial institutions using digital consent. Most recently, this has translated into the establishment of the Open Credit Enablement Network (OCEN), a set of digital lending application program interfaces for borrowers and lenders. Once widely adopted, OCEN will offer unprecedented opportunities for financial technology companies and banks to offer products and services that would otherwise not have been possible.
DEPA provides a framework within which data principals can give just-in-time consent for requests to port their data. Since the consent is provided for a specific purpose and proximate to the point in time of a transfer, data principals can better appreciate the implications of providing their consent for the transfer of their data. To that extent, it offers a more effective alternative to the upfront consent mechanism that is currently our only option.
Once it becomes possible for data companies to collect the consent to port data just before its transfer, we will be able to unbundle consent into that which is required for signing up to a service and that which needs to be obtained in order to port the data to a third party. Since the latter would no longer need to be procured upfront, it will greatly simplify our privacy policies.
From a privacy perspective, this is the real benefit of the DEPA framework. While I still believe such a consent system is sub-optimal, by separating consent to port from sign-on consent, we can significantly improve our effective control over our personal data.
Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan