By Sam Pfeifle
Publications Director

There are few privacy principles more generally ingrained than the ideas of notice and choice for consumers. People should be told when their data is being collected and that data should be constrained to the use for which those consumers consented.

Everyone knows that.

However, said Viktor Mayer-Schönberger from the IAPP Data Protection Congress keynote stage here in Brussels, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.”

Rather than protect the consumer, notice-and-consent mechanisms have simply become methods whereby consumers can either accept, the co-author of Big Data and professor of Internet governance and regulation at the Oxford Internet Institute argued, “or remain outside modern society.”

“It is nothing more than another hoop we all go through,” he said, “when we want services online and offline.”

Once he came to this realization, he said, after years of studying data protection laws, “I started to doubt.” Perhaps the radical changes in storage capabilities, making it unnecessary to ever discard any data, combined with the much-improved capacity for collecting data, really did represent the death of privacy, once and for all.

Viktor Mayer-Schönberger (left) debates the merits of his keynote address with attendees of the IAPP Data Protection Congress.

Further, by keeping the ineffective notice-and-consent regime in place, he said, we’re also limiting that value of data and hampering the good that could be done with Big Data applications. Previously, “data’s value never was exhausted by using it for the primary purposes for which it was collected,” Mayer-Schönberger said. “It always had latent value far beyond primary use, but it was too expensive, so we rarely bothered. It made economic sense to throw it away.”

Now, because of plummeting costs, the economics have completely changed.

“Data can, and ought, to be reused,” he argued, “unless we desire the resource wastage that we currently work so hard against with recycling in the physical world.”

However, that’s often not possible because of constraints created by specifying purpose at the time of consent. And that data that might be most valuable for social good, in the fields of health and education, say, is nominally protected most closely “while failing to protect the privacy of the subjects in the first place.”

Yes, said Mayer-Schönberger, he almost gave up on privacy.

“We don’t need to give up on privacy,” though, he realized. “Rather, what we need is a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data.

“What would that mechanism be?” he asked rhetorically. “My colleague Fred Cate (C. Ben Dutton Professor of Law at Maurer School of Law, Indiana University) has devised an amazing plan. Rather than focusing on notice and choice, we should focus on the use of personal data. It makes intuitive sense.”

Mayer-Schönberger referred the audience to a new whitepaper released on the Oxford Internet Institute’s website, which he co-authored, titled “Data Protection Principles for the 21st Century: Revising the 1980 OECD Guidelines” and released just in time for the Data Protection Congress. 

“It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis. Protection for the consumer should not depend on the ability to comprehend what’s going on with her data and ability to take action.”

The idea is to hold users accountable, whether they have persuaded a consumer to provide consent by clicking a button or not. The burden would be shifted from the consumer to complain about misuse of data and shifted to the user of the data and regulatory bodies to monitor that use.

“That would require assessments of risks and harms,” he said, devising the safeguards and insuring that the safeguards are implemented. Further, data users should be legally liable for the risk assessment and the implementation of the safeguards.

Then, there would be enforcement by agencies provided with larger budgets and powers, “rather than hope the individuals would enforce their rights, which we know they rarely do.”

In return for that new regulatory burden, and cost, data users would be permitted to reuse for novel purposes without having to ask for re-consent every time. Rather than accountability being a tack-on of privacy thinking, “make it the core mechanism of protecting information privacy in the coming decades,” Mayer-Schönberger argued.

Is this practical? The paper’s authors think so. Certainly, they understand it’s a concept that might be initially foreign, especially to professionals who have worked in a world of notice and consent for many years.

“I confess that I initially was uneasy with these ideas,” he said. “I couldn’t permit myself to think beyond conventional mechanisms of notice and consent.

“But now I find it utterly appealing.”

Read More By Sam Pfeifle:
EU, U.S. Officials Indicate Potential Privacy Agreement at Data Protection Congress
Top Six Inadequacies Found During Privacy Audits
Big Data Jobs Board Sees Privacy Jobs Growing Fastest
EuroPriSe Seal To Change Hands January 1


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»