On one side, NGOs and online activists have launched a campaign asking citizens to bombard their MEPs’ inboxes with nude photographs of themselves, in opposition to big corporations’ assault on personal data.
Opposing them are the most powerful web industries, whining for more “flexibility” when it comes to shuffling the private data of millions of Internet users.
And in the middle stand archivists and genealogists, waving their little flag out of fear that the “right to be forgotten” would endanger the collective memory.
Major changes are underway, as the reform would replace the European directive governing personal data, passed in 1995. The digital landscape has changed since then, particularly outdating a provision on the “unambiguous consent” of individuals when it comes to the collection of their data.
But what exactly does “unambiguous” mean? The G29 working group, composed of representatives of all the European bodies affiliated with France’s National Commission on Computing and Freedoms, worked on the issue in 2011 and came to the conclusion that this fuzzy word “is often badly interpreted or simply ignored” and invited virtually any fantasy a company can imagine. “Unambiguous consent”, it found, can consist of “a written signature, but also a verbal statement, or behaviour from which it may reasonably be concluded that consent is implicit”.
The G29 cites the example of a telephone service by which users call in for weather forecasts. If users know the principle behind how the service operates before picking up their phones, and they still wish to call in, it can be concluded that they have given their consent to the company’s collecting information on their location. This is the same logic used at Amazon, where suggestions are made to Internet shoppers to buy products that are similar to products they have already browsed on the website: as users see these suggestions pop up, it is assumed they do realise that their browsing history has been and is being recorded, and if they stay on Amazon.com, they can surely have no further objections. In other words, the “consent” of Internet users has gradually morphed into “absence of refusal”.
The complete overhaul of the directive is therefore designed to give citizens effective control over their data. First, in finally enshrining the principle of the “right to be forgotten” so frequently requested in recent years. Then, and in particular, by paving the way to rejoining the qualifier “explicit” with the term “consent”. It may be a little word, but it has a lot of enemies. Already envisaged and then removed in 1995, it has returned to the table as a means of characterising how a “concerned person accepts, by a declaration or an unambiguous positive act, that any personal data concerning him or her can be processed”.
In practice, it could be a matter of a small tooltip, which is already displayed in Firefox and Chrome when we visit a site that uses “geotags”, or metadata that locates our position. One can then choose to allow the site to collect this information for the current visit, or for all future visits, or never.
On YouTube, there could be a pop-up asking permission to dip into our navigation history before suggesting videos of cute kittens. Facebook might have to warn us that the mobile phone numbers that we provide to “strengthen the security of [our] accounts” may be sent on to the developers at Farmville. Advertising banners might even end up being held on “pause”, waiting for our approval to be targeted by age group, gender, city of residence and favorite brands of swimwear.
Horror! Such a flood of pop-ups would “inundate” and eventually confuse users, exclaim Facebook, Amazon, Microsoft, Google and eBay, who fear this “excessively formalising and rigid” system for gaining explicit consent would hamper their ability to “innovate” (can they not innovate with the consent of their customers?). The merry band has asked, with great insistence, that members excise the “explicit consent” from the text voted by the “Civil Liberties” Commission of the European Parliament on May 29, and incorporate into it many amendments sometimes copied word for word from proposals from the lobbies.
Pressure from the industry, which has been so intense that 18 American NGOs have formally requested that the United States stop meddling in European legislation, is, of course, motivated by money. “The Internet giants fear users having more control will cut down on the volumes of data they process”, says French advocacy group Quadrature du Net. And their arguments have been heard: judging the project too punitive on small and medium-sized businesses (and too fuzzy and too sensitive, moreover), MEPs are rejecting the text, pushing the continuation of the discussion back to 2014. In the meantime, the giants of the Web will have the time to collect a pretty little packet of personal data.
An unexpected obstacle
New regulations aimed at personal data protection could compromise research into family genealogies, warns Finnish daily Helsingin Sanomat. According to the paper, in practice:
this will require researchers to obtain the consent of the person on whom they are doing research to allow the use of their personal data. That means that genealogists will have to obtain the written consent of all the living persons whose name appears in the Civil Registry. That can involve thousands of people.
Thus, notes the Helsingin Sanomat, “in the future, research could be restricted to deceased ancestors.”