The Very Necessary Shift From Consent to Contract for Personal Data Exchange on The Internet

..... enabled by IEEE7012

I was in Brussels last week presenting, courtesy of OECD and MyData; just writing up this post to summarise the thesis and discussion. This logic has been bubbling up for a long time now; but its seems now that the time is right.

My start point thesis, shared by many, is that the current dominant model through which personal data flows on The Internet is very broken. Superficially that means that when we are presented with check boxes to say we have read and agree to terms and conditions, and privacy policies, we tick them. Even though we know fine well that we have not read them; and that if we did we would not understand them - because they are designed that way. Having read many, and written a few, I would suggest that their defining characteristic is that they are written from the perspective of the organisation, and their objectives. Their content is typically:

• Some pretty generic boiler plate, compliance related text

• Some service/ sector specific text including pricing, warranties etc

• Some bits about liability, and things that the customer would probably not be keen on should they actually read and understand the content (e.g. around third party tracking and onward data sharing)

The regulatory response to the above, as typified by The GDPR, has been to dial up the requirements on organisations. GDPR mandated that all personal data processing must have a directly associated legal basis. That in itself was a great innovation, but when in deployment mode regulators established ‘legal basis = Consent’ as the high bar to be used for the most troublesome data exchange scenarios such as advertising and marketing. That’s what is behind all of those cookie pop-ups, and a significant part of those ‘I agree’ check boxes. The actual terms and conditions of a product/ service (pricing, warranty etc) are part of this, and now personal data exchange and use has also been conflated behind that check box. A real mess….

One of the other 6 legitimate bases for data processing is Contract, the others and their logic are listed here. Contract has always been a good base; people understand what they are and how they work - two parties agree to something, write it up and each sign a copy that binds them to the terms of the contract. That is to say, they understand and agree to do something that both parties acknowledge. The problem with it to date is that the regulatory assumption is that contracts around data sharing would be written by organisations and their legal teams and that individuals have no means to understand, negotiate and sign. That leads to the consent/ check box add-on.

My looking forward thesis, backed by many years working on the IEEE7012 draft standard, is that there is now a way to break through on the above. Imagine the following scenario:

• Contracts could be written from the perspective of individuals; not from that of the organisation

• Those contracts could be standardised, and reduced to a digestable number of variations with clearly understood differences (e.g. sharing data to hire a car is different to sharing data to buy health insurance)

• The wording and terminology within the agreements are precisely defined and designed to be easy to engage with from the legal perspective (by pointing to the wonderful Data Privacy Vocabulary resource).

• The contracts are ‘machine readable’, that is to say software agents can understand their logic and act on them based on rules (set by either party to the agreement)

That’s what is now proposed; the technical design of the agreements being defined in IEEE7012, and their implementation being led by Customer Commons (in a similar way to how Creative Commons changed copyright on The Internet). Imagine the scenario below.

Clearly that is very disruptive to the current model; but then again the current model is very broken.

So that’s my suggestion. We should move beyond the current Consent based model for personal data sharing, and towards one based on a series of standard, balanced contracts written from the perspective of the individual to govern the data exchange aspect of any digital relationship between individuals and the organisations they engage with. I would contend that would work perfectly well for the vast majority of organisations worldwide; those that are not doing anything particularly controversial around personal data. It’s more disruptive for those organisations and sectors who would rather their data activities were less transparent.

Lot’s more to do and then say on this; all questions and comments welcome.

Comments

[NickT]

Excellently article, I shall follow up your references. A machine, or more importantly a wallet readable contract based consent mechanism would certainly address the imbalance of power between the organisation and the individual that you highlight in the article. It would also go a long way towards enabling the individual to take back control of their digital destiny. Bring on the Digital Republic! https://x.com/jamiesusskind