ABSTRACT
Consent in data protection law is highly contentious. Critics argue that enabling people to make their own decisions is not feasible, as people are generally poor decision-makers, a problem that is exacerbated by the great volume of privacy notices one needs to read to make good decisions. However, proponents insist on the value of consent as a tool of empowerment. For them, the goal is to bridge the gap between the ideal decision-maker and the average person. These opposing views have dominated the discussion on consent and the broader value of control and individual rights in data protection law. However, both views are missing the point.
This article challenges the foundational assumptions of this debate. First, it argues that consent is antithetical to data privacy rather than a tool to protect it. Second, it argues that the decision to share one’s data concerns others as much as the person sharing them, despite the prevalent assumption of most data privacy laws to the contrary. Third, it posits that even if we were to bridge the gap between the layperson and the individual decision-maker, we would achieve a sub-optimal level of data privacy protection.
Setting aside these false assumptions, this article aims to resituate the consent debate in a framework that rests on more solid theoretical ground. First, it connects the economic concept of data externalities with the philosophical idea of the harm principle. This highlights how unilaterally imposing burdens on others, without consideration of their interests, is morally unjustifiable, thereby depriving consent of its normative justification. Second, it examines privacy as a public good, demonstrating that even completely rational decision-makers are bound to freeride on each other’s data privacy and make everyone worse-off, thereby rendering consent undesirable. Hence, this article concludes that we should abolish consent, while retaining control through data privacy rights.
This article pursues two main objectives. On the one hand, it seeks to make a theoretical contribution that will dispel prevalent misconceptions about consent and which will properly resituate the debate about it. This shift in perspective changes the framework of the discussion and it explores the policy implications of a rich body of research in other disciplines that have previously been underexplored. On the other hand, this article advocates for a new data privacy framework that will provide people with control only when it is truly meaningful, while resolving many of the issues that come with the current consent-based regime. As the appreciation of data privacy law’s collective problems grows, the policy recommendations in this article aim to pave the way toward a more effective and equitable approach. These insights are relevant to most data privacy laws around the world, including the European Union’s GDPR and all existing state privacy laws in the United States.
Bougiakiotis, Emmanouil, The Case for Control Without Consent in Data Privacy Law (August 12, 2024).
Leave a Reply