Subject Re: Privacy Self-Management and the Consent Dilemma
From Jaime Pérez Crespo <jaime.perez@xxxxxxxxxx>
Date Mon, 17 Jun 2013 10:34:42 +0200

On Jun 17, 2013, at 09:03 AM, Andrew Cormack <Andrew.Cormack@xxxxxx> wrote:
Interesting paper, thanks.

Indeed. Thanks Tom!

I wonder whether the cleanest approach would be to end up with four different classes of processing:
*) processing that's never allowed
*) processing that's allowed if the individual consents
*) processing that's allowed unless the individual objects
*) processing that's allowed because the benefits to society override any small risk to individuals

That'd be a very nice way to categorize the different uses of data and alleviate the load on the citizens a bit. But the problem, as I see it, is first of all how to apply the categories (is there a way to describe them so precisely that there's no room for personal interpretation?) and, more importantly, how to deal with changes, like data aggregation. The paper states that one of the main problems of basing everything on consent is that people are unable to foresee the consequences of the release of different pieces of data at different points in time, to different processors. And I agree and go even further, as I think it's almost impossible to handle, not only by people.

If those four categories were created by law then the job of regulators would be to provide guidance/rulings on which of the four any new form of processing falls into.

Unfortunately the debate over the new EU data protection law seems to be becoming increasingly polarised, rather than converging to any sort of consensus, so I fear the result is more likely to be determined by politics than reasoned argument :(

Is there anything in the EU that does not end up being like that? :-)

