In the previous blog, part one, we dived into the ethics around marketing, and whether it is possible to use the existing tools for marketing in a way that respects and upholds the best interests of personal privacy and data protection.
In this blog, we are going to explore three topics:
- An example of a GDPR nightmare which we recently encountered at cheqd;
- Why consent is broken in the digital world; and
- How the latest proposed regulatory developments in privacy and data protection may improve the current state of play.
Entering the Lion’s Den
We recently attended an identity event that champions privacy, data protection and the autonomous control of digital identities. Following the conference we received the following email:
Now, ironically, for a conference revolving around privacy and controlling how your personal data is shared, all attendees had their personal information taken and sold without consent.
To attend the event, attendees had to accept blanket terms and conditions, and there was no explicit ‘opt-in’ for marketing purposes, which is required as a specific purpose under the GDPR. In other words, having your data processed for marketing purposes was a precondition of signing up, in direct violation of Article 7 GDPR.
And this is by no means a one-off…
Consent is broken
Individuals generally have to navigate through ‘clickwraps’ or ‘browsewraps’ to access a service. If they do not accept the terms and agree to legal jargon, then they often cannot use the service, or at least not quickly.
This makes it difficult to give meaningful consent.
Furthermore, the rules for when consent is needed are convoluted and easy to get wrong. The table below highlights what type of provision is needed for what purpose.
For people to enforce their own data protection rights and hold companies accountable, they need to understand the rules first. Similarly, for companies to respect and uphold better standards on data protection and privacy, they must be able to have confidence that they can carry out marketing without feeling like they are doing something unethical. The current state of digital marketing benefits neither the marketer nor the individual.
For data subjects to be truly empowered to have more control over their personal data, significant change needs to happen. We believe that greater control of data needs to be given to data subjects, since privacy, at its heart, is all about control. And this is what cheqd and new digital identity paradigms are currently seeking to achieve.
Improvement on the horizon
The European Commission has proposed an EU-wide digital identity framework, allowing businesses and citizens to take much greater control of their digital identity by being able to hold verified attributes and claims in a digital wallet.
The European Digital Identity Wallet is being designed to store and process Credentials to enable Europeans to access services using a digital identity, without oversharing personal data. This will give individuals much greater control over the data they share — almost empowering them as data controllers for their own data.
From the current information about these legislative changes, we believe that the new law will recommend the same technology as, or at least privacy-by-design technology compatible with, what cheqd natively supports, namely Self-Sovereign Identity (SSI). And we want to work closely with the EU and UK to make sure the technical stacks built on top of our Network are directly compliant and semantically interoperable.
A State of Limbo
It’s a strange time in the privacy and data protection world. The necessary change is on the horizon, with new technical innovations and proposed legislation; however, there is a lack of clarity about the specifics of the changes or when exactly they will come into force.
But we have confidence that things will improve.
All we can do right now is sit tight and make sensible suggestions, using open standards and frameworks to support what we believe to be a more privacy-preserving future.
It’s new ground, and it’s exciting. We’re all freestyling, in a regulatory limbo; hopefully to the tune of a more privacy-preserving and user-centric future.