Is informed con­sent in the dig­i­tal age appropriate?

Prof. Dr Mar­cus Helfrich

In her Duet Inter­view with the well-respect­ed expert on data pro­tec­tion, Prof. Dr Hel­frich, Dr Cal­daro­la, author of Big Data and Law, con­sid­ers whether con­sent is a suit­able instru­ment for fre­quent use in dig­i­tal busi­ness models.

Prof. Dr Mar­cus Hel­frich: In my opin­ion, we should be tak­ing the con­cept of “informed con­sent” which forms the basis of pro­cess­ing of per­son­al data under Art. 6 para 1 lit. a GDPR (Gen­er­al Data Pro­tec­tion Reg­u­la­tion) more seri­ous­ly than has pre­vi­ous­ly been the case. Our demo­c­ra­t­ic and lib­er­al soci­ety is based on a very fun­da­men­tal under­stand­ing of a per­son being born free and able to iden­ti­fy him/herself as well as being capa­ble of lead­ing a life ground­ed in self-deter­mi­na­tion. Not only are our social and our polit­i­cal sys­tems based on this under­stand­ing, which philo­soph­i­cal­ly is formed by the ideas of enlight­en­ment, and, espe­cial­ly, by the influ­en­tial thoughts of Immanuel Kant, but, indeed, our very legal sys­tem reflects this under­stand­ing. For this rea­son, it is incum­bent upon us to take the notion of an informed con­sent very seri­ous­ly. The legal rela­tion­ships between indi­vid­u­als are based on trust and deci­sions which have been made by choice.

My favorite quote is:


“Sapere aude! Have the courage to use your mind with­out some­one else’s guidance.”

Immanuel Kant, 1784

Of course, I rec­og­nize that com­pet­i­tive mar­ket behav­iour, which is char­ac­ter­ized by rival com­pa­nies and the strug­gle to obtain cus­tomer or prod­uct sales, has made com­pa­nies sus­cep­ti­ble and will­ing to influ­ence the cus­tomers’ minds and deci­sions in as effec­tive a man­ner as pos­si­ble, includ­ing the use of psy­cho­log­i­cal arti­fices. But, in the end, the basic legal con­di­tion remains that a per­son­’s deci­sion must be based on it hav­ing been made inten­tion­al­ly and ratio­nal­ly. Such a deci­sion is only pos­si­ble if the indi­vid­ual is at least aware of all the rel­e­vant aspects that might be impor­tant. If we do not accept this pro­vi­so, we as a polit­i­cal soci­ety have to bid farewell to the con­cepts of free will and self-deter­mi­na­tion. The road to a non-demo­c­ra­t­ic autoc­ra­cy in the hands of the most influ­en­tial enter­pris­es or inter­est groups would then lie open.

As you might imag­ine, the ques­tion of how we deal with the con­cept of con­sent with­in a con­text of pro­tect­ing pri­va­cy leads direct­ly to the ques­tion of our under­stand­ing of democ­ra­cy, jus­tice and polit­i­cal participation.

In short, there is no alter­na­tive, in my opin­ion, to a con­cept of “informed con­sent”. First of all, it is the role and duty of a state to set up rules to pro­tect and enforce this notion. Sec­ond­ly, every­body has to make his or her own deci­sions regard­ing this impor­tant issue which trans­lates into exer­cis­ing our fun­da­men­tal right to self-deter­mi­na­tion. The con­cept of “informed con­sent” includes, there­fore, a need for con­scious action on the part of the cus­tomer. If he or she acts with­out hav­ing edu­cat­ed him­self or her­self on this mat­ter and has thus decid­ed with­out hav­ing giv­en any real thought to the issue, then we can­not speak of delib­er­ate con­sent in this sit­u­a­tion. But this might only describe a sin­gle instance and is not fun­da­men­tal­ly dif­fer­ent to the prin­ci­ple of informed con­sent. As Immanuel Kant stat­ed, we have to use our minds to act and live-in self-determination.

To put it sim­ply, if no legal grounds can be found under Art. 6 para 1 lit. b to f, then con­sent remains the only legal option to pro­cess­ing per­son­al data. This hav­ing been said, we have to keep in mind that the rela­tion between the dif­fer­ent legal grounds for pro­cess­ing per­son­al data under arti­cle 6 is com­pli­cat­ed. On the one hand, all of these grounds might act as a legal foun­da­tion for pro­cess­ing. On the oth­er hand, you are not enti­tled to base your pro­cess­ing on the legal grounds list­ed in Art. 6 para 1 lit. b to f, if you asked for con­sent as per Art. 6 para 1 lit a, and the con­sent was refused by the per­son in ques­tion. Fur­ther­more, request­ing con­sent might be seen as not act­ing in good faith if the rel­e­vant pro­cess­ing is a legal require­ment (e.g. tax law) because not pro­cess­ing the data is sim­ply not an option.

A rec­om­men­da­tion to process data legal­ly which is sole­ly based on the con­sent of an indi­vid­ual is sim­ple and, in its sim­plic­i­ty, wrong.

A com­pa­ny has to con­sid­er care­ful­ly which legal ground for pro­cess­ing under arti­cle 6 is most suit­able. Only after that legal analy­sis has been com­plet­ed, is the com­pa­ny able to iden­ti­fy sit­u­a­tions where it is advis­able to ask for consent.

Today, our leg­is­la­tors in Europe are seri­ous­ly con­sid­er­ing under which cir­cum­stances com­pa­nies should be allowed to process per­son­al data only if explic­it con­sent has been giv­en. These sit­u­a­tions seem to be char­ac­ter­ized by a sig­nif­i­cant risk that indi­vid­u­als, such as cus­tomers, might be mis­led, insuf­fi­cient­ly informed, or be put in a sit­u­a­tion requir­ing a high­er amount of pro­tec­tion by the law. The use of cook­ies for mar­ket­ing pur­pos­es (tar­get­ed mar­ket­ing) or for pre­dic­tive ana­lyt­ics might be a good exam­ple of these types of scenarios.

I doubt that any sci­en­tif­i­cal­ly reli­able research has been done on the ques­tion of how often com­pa­nies resort to oth­er legal grounds instead of con­sent for legit­i­mate pro­cess­ing of per­son­al data. For this rea­son, I am not able to spec­u­late on why alter­na­tives to con­sent are not used to process data.

Yes, con­sent is pro­mo­tion­al. Exer­cis­ing your right to free will and self-deter­mi­na­tion requires effort. If self-deter­mi­na­tion is not being prac­ticed owing to one or two clicks, this would prove that our polit­i­cal devel­op­ment since the 18th cen­tu­ry has only pro­gressed in terms of technology.

In my expe­ri­ence, these types of behav­iour on the part of com­pa­nies very often occur owing to mis­in­for­ma­tion and a lack of knowl­edge of how data pro­cess­ing might be done law­ful­ly. The lim­i­ta­tion to a defined pur­pose is one of the fun­da­men­tal prin­ci­ples of data pro­tec­tion law. I doubt it is pos­si­ble to iden­ti­fy com­pa­nies delib­er­ate­ly mis­us­ing the intend­ed legal panacea as a gen­er­al problem.

Of course, there are com­pa­nies who wil­ful­ly go beyond what they are legal­ly allowed to do and gath­er addi­tion­al data. In such cas­es, the super­vi­so­ry author­i­ties are asked to inves­ti­gate these sit­u­a­tions and to react by apply­ing sig­nif­i­cant puni­tive fines. In con­crete terms, we have seen that, since 2018, there is a devel­op­ment towards sanc­tion­ing these crim­i­nal acts.

If a request for con­sent is made, after a com­pa­ny had analysed the neces­si­ty for con­sent based on the rules of Art. 6, then it is indeed a pru­dent choice to ensure the secure legal grounds of dig­i­tal business.

The prob­lem is that legal advi­sors them­selves must analyse these sit­u­a­tions in a nuanced fash­ion, and their con­clu­sions must be based on skilled busi­ness exper­tise. We real­ly need spe­cial­ists who are famil­iar not only with the legal require­ments of the dif­fer­ent leg­isla­tive acts gov­ern­ing pri­va­cy laws, they must also know how busi­ness process­es are defined and which busi­ness needs are based on the pro­cess­ing of per­son­al data. Ful­fill­ing all of these require­ments means that pri­va­cy law and prop­er legal advice con­cern­ing it have become chal­leng­ing activ­i­ties for consultants.

Yes, I strong­ly believe in the capac­i­ty of peo­ple to under­stand what is impor­tant to them. This includes the fact that one can ask if some­thing is dubi­ous or not trust­wor­thy. In the end, one has to decide for one­self if one is will­ing to take the risk of being sub­ject to one’s per­son­al data being processed, if the grounds for such pro­cess­ing have not been explained prop­er­ly. This free­dom to take risks is also part of the idea of hav­ing the right of self-deter­mi­na­tion and act­ing upon it. As a lib­er­al soci­ety we have to accept such a deci­sion as well.

Dig­i­tal busi­ness mod­els are very intri­cate, and the pro­cess­ing of data is hard­ly com­pre­hen­si­ble for most con­sumers. Com­plex­i­ty can usu­al­ly only be reduced through trust. Is it, there­fore, not the respon­si­bil­i­ty of spe­cial­ists, such as data pro­tec­tion author­i­ties, data pro­tec­tion offi­cers, infor­ma­tion secu­ri­ty offi­cers, data pro­tec­tion leg­is­la­tors and oth­ers, who under­stand the com­plex­i­ty in its entire­ty due to their insights and pro­fes­sion, to act as a guar­an­tor for legit­i­mate, bal­anced, hon­est and fair data processing?

Yes, I agree com­plete­ly with that sen­ti­ment. Exper­tise is not only a pro­fes­sion­al qual­i­fi­ca­tion. It cor­re­sponds with an under­stand­ing of accept­ing the duties and respon­si­bil­i­ties which come with being an expert in that spe­cif­ic domain. There­fore, the expert in ques­tion should play an active role with­in the process of devel­op­ing trans­paren­cy and trust, espe­cial­ly if dig­i­tal tech­nol­o­gy is con­cerned and per­son­al data is being processed. In my opin­ion, there is a need to explain not only how data pro­cess­ing func­tions, but also to show which pos­i­tive effects might be asso­ci­at­ed with the use of data pro­cess­ing. A gen­er­al and broad­er social con­sent should become a pre­req­ui­site of the broad­er use of infor­ma­tion tech­nol­o­gy and data pro­cess­ing with­in a demo­c­ra­t­ic soci­ety. Data pro­cess­ing not only has pos­i­tive effects on the econ­o­my. It has an impor­tant impact on soci­ety and affects our under­stand­ing of polit­i­cal par­tic­i­pa­tion, deci­sion-mak­ing process­es and, in the end, how we view indi­vid­ual free­dom and human rights. Experts play an impor­tant role in how we ratio­nal­ly acquire knowl­edge con­cern­ing infor­ma­tion tech­nol­o­gy and data pro­cess­ing. Prop­er infor­ma­tion with­in a ratio­nal frame­work is the key to avoid­ing “alter­na­tive facts” and to cre­at­ing trust in legit­i­mate processes.

It is hard to spec­u­late about future legal devel­op­ments. But I do not think that the con­cept of con­sent will dis­ap­pear. As I explained ear­li­er, express­ing your con­sent is to be seen as one of the most impor­tant capa­bil­i­ties and rights of a self-deter­min­ing indi­vid­ual. Per­haps the con­cept of con­sent will reflect future tech­no­log­i­cal devel­op­ments. The core idea of con­sent, name­ly that an indi­vid­ual has to make a deci­sion while gath­er­ing all the nec­es­sary infor­ma­tion and eval­u­at­ing them using a val­ue- based approach to reach a ratio­nal con­clu­sion, will not change.

Giv­en that the draft is still under dis­cus­sion, it is impos­si­ble to spec­u­late or to dis­cuss aspects which could improve or cor­rect the pro­cess­ing of per­son­al data under e‑privacy at this time. The GDPR defines the basis for legit­i­mate pro­cess­ing of per­son­al data. Per­haps the upcom­ing e‑privacy reg­u­la­tion might improve the require­ments for law­ful pro­cess­ing. If the require­ments are not expand­ed upon or improved in some way, then we must revert back to the base­line found in the GDPR.

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with rec­og­nized experts, delv­ing even deep­er into this fas­ci­nat­ing topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Prof. Dr Marcus Helfrich

After having completed his studies in Law, Political Science and Economics at the University of Munich, Professor Helfrich specialized in data protection law and media law, as well as the EU legal system. He is currently an attorney-at-law and Professor for Business Law at the FOM University of Applied Science. Among his many publications, Professor Helfrich has written guides to privacy law as well as privacy and data Protection and is thus a well-respected expert on data protection.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.