Subject RE: Privacy Self-Management and the Consent Dilemma
From Andrew Cormack <Andrew.Cormack@xxxxxx>
Date Mon, 17 Jun 2013 07:03:47 +0000

Interesting paper, thanks. I wonder whether the cleanest approach would be to end up with four different classes of processing:
*) processing that's never allowed
*) processing that's allowed if the individual consents
*) processing that's allowed unless the individual objects
*) processing that's allowed because the benefits to society override any small risk to individuals

If those four categories were created by law then the job of regulators would be to provide guidance/rulings on which of the four any new form of processing falls into.

Unfortunately the debate over the new EU data protection law seems to be becoming increasingly polarised, rather than converging to any sort of consensus, so I fear the result is more likely to be determined by politics than reasoned argument :(


Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302

> -----Original Message-----
> From: trscavo@xxxxxxxxx [mailto:trscavo@xxxxxxxxx] On Behalf Of Tom Scavo
> Sent: 27 May 2013 13:51
> To: REFeds
> Subject: [refeds] Privacy Self-Management and the Consent Dilemma
>
> Thoughtful, scholarly piece by Daniel Solove, Law Professor at George
> Washington University:
>
> new-article-privacy-self-management-and-the-consent-dilemma
>
> Some nuggets from the article:
>
> "Privacy scholars must identify a conception of consent that both
> protects privacy and avoids paternalism."
>
> "The EU has a more paternalistic approach to data processing...EU
> privacy law has a self-management component, but it requires a much
> more stringent and explicit form of consent than U.S. privacy law. The
> difficulty with the EU approach is that data collection, use, and
> disclosure are rarely inherently good or bad."
>
> "For all its flaws, privacy self-management should not be
> abandoned...and paternalistic solutions are troubling."
>
> "Ironically, perhaps the greatest practical impact of privacy
> self-management is not in informing individuals and improving their
> privacy management, but in informing the companies that are collecting
> and using the data and in improving the companies' management of
> privacy."
>
> "what many people want when it comes to privacy is for their data to
> be collected, used, and disclosed in ways that benefit them or society
> without harming them individually."
>
> "People want some privacy self-management, just not too much. Privacy
> law needs to find a way to deliver partial privacy self-management."