Privacy from Cradle to Grave “What is the effective consent?”

From IIW

Cradle to Grave

Wednesday 5G

Convener: Akiko Orita

Notes-taker(s): Susan David Carevic

Tags for the session - technology discussed/ideas considered:

Consent, Agency Law, Notice, Transparency, Permission

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Can we ban the word “consent” - it's misleading and being abused – as a first step of the solution? An alternative might be “Notice” or “transparency”. Contract/Agreement: Responsibilities on both sides. Are you saying that Consent is vendor driven? The way it's used is being pushed by the provider.

Should we call it “rights negotiation”? In policy language it is permissions and obligations.

Notice/transparency and permission/obligation are two factors that were part of the “C” word.

Who is the owner: They who have the right to delete it? Owner is a legalistic concept. What about the stuff that can’t be deleted? Officials who have my data and can’t delete it – Do they own my data or do I and they have access rights to them? If you were the owner would you have the right to tell them to delete it?

Does owner have access/use? - Disagreement of that as a definition.

Agency Law:

  • Principal
  • Agent (Lawyer): surrogate becomes agent
  • Third parties: Gets license
  • Good Faith: quality of description of the icons
  • Notice: transparency

License: Permission/obligation

Who would be the owner of a deceased person’s data – for example on Facebook?

Still need to be able to give access/usage rights.

Who controls the data: vague – UMA splits control between authorization (Agent) server and resource server (Third party).

Consent: Granularity doesn’t exist: User driven by default agreement.

Gem from VRM Session: Icon: What vs. Why: Why don’t you label the icons with why you are asking for the what? – if there isn’t a reason why – no one will do it.

Owner can forcibly argue that he owns the data. Derived data: does the company who derived the data own the data, or since the derived data came from the person giving the data – does that person own it?

Businesses in UK to provide style advice: Customers give them information with their permission to use data to give them advice. They have built a “Secret” algorithm that is giving a customer value. Why should the algorithm be the customers'?

Counterexample: Mayo Clinic – gives IBM Watson 1 million health records: Watson turns data into secret algorithm, which provides a diagnosis. Before IBM Watson, the algorithm would have been tested, printed in a journal. Can this algorithm be made secret, just because it’s electronic now? -- doesn’t work for medicine, law or Wikipedia. … maybe it does work for medicine: New drug testing: patent for drug for 15-20 years.

Originating person: can I have a look at all of the data: why: understand cancer better. If we try to remove from consent all economic incentives, nothing is going to happen.

We need to get rid of identities in this: use metadata instead of identities.