We are used now to the fact that we cannot gain access to social media or search engines without agreeing to the harvesting and use of our personal data. When we first sign up or visit the site, we are offered a choice, but if we say no to everything, then the service in question is closed to us. And so most people say yes. Is this real consent, freely given consent in the sense that the GDPR demands? That, I suggest below, depends on the price of saying no. What would it mean to live without those services? If it is more than we can reasonably ask of a person growing up, and living, in a modern society, then it follows from this that they really have no choice but to agree. But in that case, their consent is not freely given, and the processing of their data in all these cases is against the law.
Free consent and the GDPR
The general data protection regulation places consent at the heart of its philosophy. A person or computer is generally only entitled to gather and use my data if I have freely given consent for this.
Consent here serves two functions. One is that of legal certainty. How is a company to know what data it is entitled to gather, and how it may use it? The answer is made legally clear if it is reduced to the question ‘what has the data subject consented to?’ A consent model is a highly workable basis for contracting and business.
However, the GDPR aims for more than practicality. Consent is also what legitimates the data processing. It is my data, and the reason why you can use it is because I say so. Consent provides the moral foundations for acceptable data processing.
This is why consent is not just treated as a formal matter, a pure question of which boxes have been ticked or the small print in the terms and conditions. Rather, consent must be substantively genuine, or, as the GDPR puts it, it must be freely given. Whatever they have agreed to on paper, or on the screen, the state of mind, and the circumstances of the data subject may still be relevant to the legality of the data processing.
This raises the tricky question of what ‘freely given’ actually means. It is certainly a term of normal language, using everyday words, but it is also a clear reference to contractual thinking, suggesting that to some extent it may be a term of legal art.
Obviously, consent is not free, or real, when it is obtained under duress, or by threats. A contract signed at gunpoint will be void. But does it matter whether it is the contracting partner, or a third party, pointing the gun? Does it matter whether it was a person posing a threat at all, or mere circumstances – the descending avalanche, the storm sinking the ship, the unbearable hunger – forcing you to agree terms with your rescuer? Those differences could be relevant in some circumstances, but within the GDPR the question is not whether the data processor is behaving badly, but merely whether the data subject was free. The GDPR asks a subjective question, to which the origin of the unfreedom is irrelevant, if that unfreedom exists.
Still, a way has to be found to determine when this is the case. What are the distinguishing circumstances of freely given consent? The question can be translated to a more transparent one without changing its meaning: does the data subject really have a choice? Could they say no?
The question is not formal, in the sense of asking if they are capable of ticking a different box. That would be a question about capacity or intention. Rather, if it is substantive consent that is in issue then it is also substantive freedom that must be assessed. That, as a matter of logic, can only be determined with a but-for test: what would happen if the person did not consent? Would the consequences be within the range that the law considers bearable, acceptable, reasonable? That is what freedom in this context must mean.
A life apart
A social media company might say ‘if you don’t like our terms, don’t use our service’. Is not using mainstream social media services an acceptable option? There are, perhaps, a few privacy-friendly networks and communications services out there, but the network effect means that being in the same group as everyone else is precisely the point. As long as all the big groups collect and use personal data, the real options for an individual are (i) click ‘accept’ or (ii) stay outside the social media world. Whether (i) represents free and real consent depends on the burden, the harm, the acceptability of option (ii).
How bad is it? Is exiling a person from WhatsApp, Facebook, Instagram, and Snapchat as bad or worse than, say, punching them in the face or kicking them in the stomach? If so, the answer to our question is simple, for it would hardly be controversial that if a person clicked ‘accept’ under the threat of such physical violence, wherever that threat came from, they would not be genuinely consenting. Since it is the subjective nature of the freedom that the GDPR puts central, it is the subjective suffering resulting from ‘do not accept’ that must be measured. If most people would choose to be hit, even nastily, rather than face social media exile, then it seems to follow that they find the latter worse. If the threat of being hit makes consent not free it follows that so does the threat of social media exclusion.
Certainly, for some, this might be exaggerated. Individuals exist who do not use social media at all, and for whom online exile is an inconvenience at worst. But they are probably the exceptions. For many adults, WhatsApp is not just the basis of communications around school and sport, but also even work, where the WhatsApp group is how news and information are quickly shared and appointments are made. To not be a part of that is to accept exclusion from a large part of the work and social environment. It can perhaps be compared with a ban from entering city centres. For many young people, the issue is more emotional and personal. A denial of access to Snapchat and Instagram is a rule that they may not participate in the social life of their class, community, or generation. It is equivalent to putting them in isolation. To call is psychological violence against a teenager or twenty-something is not an exaggeration. And for many an elderly or immobile person, Facebook is their window onto the social world, the way that they can continue and build relationships after physical circumstances make that harder. Taking it away is like telling an active older person ‘from now on, you are stuck at home’. If that was the threat – ‘sign the contract or never go out again’ – the contract would be void.
Perhaps this is why Recital 43 of the GDPR says that
Consent is presumed not to be freely given … if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
It is a recognition of the importance of many online services. If they can only be accessed by giving (formal) consent to data processing, then that (formal) consent is not freely given.
How much energy must we have?
The situation around search engines, or even websites, is more nuanced. Here, there are some alternatives. There are privacy-friendly search engines that can be used, and it is possible for every website to go through the cookie options and say no, and limit data processing to the functionally necessary. Data processing is, in principle, a choice.
At least it is for the ruthlessly disciplined and never-tired person. We have all been driven crazy by the endless popups on every webpage asking us for consent to cookies. I wonder, how many people are there who never just give in and click on the first button in order to get to the screen that they need to read? What magnificent level of fight would be required to never weaken, never waver for a moment, and calmly go through checking boxes and making choices for every page we read? Given that using the internet is not a real choice, but something almost all of us are condemned to, it could even be argued that there is only free consent to data processing by websites if a consistent refusal of that consent is within the range of discipline and strength that a reasonable person can muster. I am inclined to think it is not.
Bringing back choice
At least for social media it seems most likely that consent to data processing is, in most cases, not freely given, and their processing is therefore contrary to the GDPR. To make it real consent, people would need to have an alternative, another option.
On the other hand, however persuasive this argument, the fact remains that without data processing there would be no social media, for that is how they make their money. We pay with our data for their considerable services.
To make data processing lawful without destroying the very business in issue, one solution would be to require social media companies to offer a paid alternative. Each consumer could choose how to pay for the services – with data, or with money. That would arguably represent more of a choice, so that whichever path was taken could be said to be more free.
There are still problems with this. One is that it might fall foul of blackmail laws: individuals would be told, in substance ‘we will collect personal data about you and pass it on to third parties (our ‘partners’) unless you pay us’. There could be some legal wrangles there.
The greater problem is that it would create inequality. The global middle class might choose to pay a small fee to preserve their privacy. Those less wealthy would choose to pay with their information. This is not just a question of unfairness, but of fundamental rights. If supplying personal data, including sensitive data, is an alternative to monetary payment, then that data is essentially being paid for. The intimate sphere is being bought. That can be compared – although it is also importantly different – to payment for use of a person’s body.
Social media companies then take on the role of the customer who offers money for sex. Most societies recognize that such offers are often, if perhaps not always, accepted only by those in situations of great need or vulnerability. They are not fair contracts between equals. They are a richer party taking advantage of the vulnerability of another. Most societies ban or regulate such contracts because they know that they will tend to be unfair or unconscionable. Most people only sell intimacy out of desperation.
Thus the payment option might help legitimate data processing where it is banal data that is at stake. But online lives also contain more personal and intimate data, and to allow that to be used as payments for transactions, in any context, is undesirable. On this, there should simply be a per se ban. Some people might genuinely want Facebook to know about the most private things they do online. They are probably a minority. When most click ‘accept’ to data-harvesting ‘privacy’ terms they do so because they see no other choice. That is not free consent.
Professor of European Law, Vrije Universiteit Amsterdam