Published on LinkedIn, 15 March 2019.
*** This is part of the GDPR ethics series; A broad mission statement may be found in its opening text. ***
As seen in the analysis of Article 6 of the GDPR, consent is an important, and by far the preferable, legal mechanism for the lawful processing of personal data. Its importance is further exemplified by the fact that a whole article of the GDPR, Article 7, gives us the conditions under which alone consent is lawfully provided. Article 7 admittedly reads more like a contractual clause and less than a legal provision. The GDPR frequently does that, taking some time off from its grand objective to regulate any and all personal data processing in human life in order to address down to earth, humble requests for more practical guidance.
So, consent needs to be, among others, demonstrable, distinguishable, and withdrawable. It is this last part that attracted my attention while thinking about the ethical aspects of Article 7 of the GDPR.
Of course I understand that consent needs to be withdrawable.
Is there, however, an ethical obligation for one not to withdraw it?
I suppose then that what is under discussion here is commitment. Commitment to a promise that we made. Because consent is, in fact, a promise: One promises from now on to let another process his or her personal data.
Promises are basic components of human life. I would imagine that one of the first uses of human language was to make a promise – if not the basic reason why humans developed language at all. At any event things progressed a lot since that time. Today promises are found everywhere around us, in religion (oath), family (marriage), business (contracts) and even software (in JavaScript). From a philosophical perspective I would recommend anybody interested in the subject to start with David Owens’ work (complete with an analysis on the possibility of consent).
If one however views all this progress from a distance, he or she will immediately observe that what changed was only the level of sophistication. In essence humans moved from a (hypothetical) original crude and catch-all “promises should be kept” doctrine to today’s complex construction dictating which promises are or should be more binding than others and under what circumstances they can be broken.
In essence, today while all promises are equal, some are more equal than others.
Notwithstanding its binding effect, a promise is a promise. Even the least binding one will cause a justified and expected why if one breaks it. In real life a simple because is not an acceptable answer. A broken promise without any explanation whatsoever is a social anomaly.
So, how are all these connected with GDPR’s freely withdrawable consent?
The GDPR wants the promise underlying consent fully retractable. No questions are asked to the promisor, no explanation is needed. From a legal point of view this is a clever trick to excuse lawyers, and DPAs, from moralising: The motivation for a withdrawal of consent is not assessable for legal purposes. In other words, it is what it is. From a legal perspective this is a closed loop and an efficient system: If consent is withdrawn then the controller may continue to process data if another legal basis is or becomes applicable. So, from a legal point of view, no harm done.
This however leaves GDPR’s ethical approach at a less enviable position. GDPR’s consent in the above system develops the lowest possible binding level of a promise. Even children would find it difficult to play if promises were that easy to break. In the adults’ world this would be, and is, simply inconceivable.
The GDPR therefore appears to be undermining commitment and indulging whims. In its effort to strengthen the position of individuals (that are always perceived as the weaker parts in the relationship) it seems to allow them to behave irresponsibly.
However, is a free ride on breaking promises an ethical lesson to individuals that the GDPR wishes to make?
I think not. I believe that individuals should have good or even some reasons to withdraw their consent. A mere “I am concerned about my rights” would do – anything is better than nothing. This is not only the ethical thing to do, but it is also compatible to the data protection purposes: Individuals will demonstrate alertness and a continued interest and involvement in protection of their fundamental rights.
Similarly, I believe that judges and DPAs (as last resorts in case of conflict) should be able to ask why. Why have you withdrawn your consent? Why are you breaking your promise? Again, this is not only the ethical thing to do, but it may also be assessable while deciding on the controller’s continued right to keep processing the data.
I have left the point of view of the promisee last, because it is the easiest to think about in this case. A promise that by virtue of all of humanity’s known culture and history is to be kept allows the promisee to act upon it. If I promise an organisation that it can process my data the organisation will buy computers, hire a DPO, conduct costly compliance exercises etc. If I suddenly withdraw my promise for no apparent reason the damage is plain for all to see. In usual contracts termination for no reason carries a number of protective provisions for the party affected, for example a few months’ notice. Or, it also triggers some detrimental effect for the party terminating the relationship (deletion of all files and immediate cease of using the service). The GDPR has chosen to stay away from this civil law system, although it has emerged after centuries of experience and hard practice. However, on the topic of GDPR exceptionalism we will have to come back in the future.