GDPR Misconception No. 3: Consent, Consent, Consent


In recent months we have given our consent to privacy statements, cookie policies, general terms and conditions, contract amendments and much more. I admit it: I too do not read all the privacy statements I agree to. Even if one knows how such declarations are drawn up and what they contain, they primarily mean annoyance for the person concerned (not to mention the economic damage caused by reading them alone). Because we all know it: we have practically no possibility of using services without confirming these declarations. Are we really in a position to assess the implications of the consents we give? This is not primarily a data protection issue.

But what is consent? When we as customers use an online service, the provider includes a privacy statement that we are required to accept as part of the contract. If we want to use the service, we usually have to make a binary decision: yes or no (to the basic contract and the privacy policy). The whole thing becomes difficult if the company is dominant in the market or if there are no alternative offers (the typical monopoly or oligopoly situation).

Consent under data protection law means that the data subject agrees with the processing methods as documented by the data controller. If this is not the case, the data subject should be able to exclude individual forms and methods of processing. To this end, the data controller must provide transparent information on how it works with the data and which processors (subcontractors) it engages. This procedure requires full knowledge of data management (cf. MC 4). In today’s systems, however, the level of networking is so high that this is wishful thinking. Even if I have individual opt-in switches, this does not mean that the processing really corresponds to my wishes. Refreshing, in their own way, are the ever new and absurd presentations of opt-in options on providers’ websites.

You are allowed to operate 50 virtual switches and thus decide on all possible forms of processing (see MC 9). That would mean that one would have to inquire exactly about the associated software components and also still understand what happens! Nobody can and will do this (see MC 4). Even the provider will not always know exactly what consequences switching a service on or off actually has. The bottom line is this: either I go along with the provider or I leave it! Fortunately, there are alternatives to the well-known data krakens in many areas. Nevertheless, convenience (and stinginess) pushes people again and again towards the services with the largest market share. These providers systematically use their market power. The current tendency to offer all software only as a cloud version further contributes to the fact that the individual user has practically no power (control = information governance) over his data. The only alternative is either to install and operate everything locally, or to look for local providers who are trustworthy and with whom one can negotiate a reasonable contract (don’t forget: all business is still local).

But even for the small provider things are now getting hairy. Usually there is a basic contract for a service offered by the provider (contractor) (“we offer CRM in the cloud”). The customer, here a company, orders this offer on the basis of the basic contract. At the same time, the provider asks the customer to sign a data processing agreement describing the contractor’s handling of personal data (because the purpose of a CRM may be, among other things, to collect personal data). Here the GDPR is once again playing into the hands of the big oligopolies. If you look at the whole thing from the point of view of a small software provider, you also see the absurdity that the right of consent creates. According to the GDPR, it is theoretically possible to withdraw consent to processing at any time. What does this mean in practice? A data subject (in the case described above, any employee of a customer, a potential customer, etc.) could therefore insist that his data be removed from an existing system and deleted. In fact, the practice is different. In 80% of all cases there are legal retention obligations which prevent the revocation (arising even from data protection law itself, see MC 8). It is completely absurd to demand that subcontractors may only be involved if everyone concerned agrees. Theoretically the customer would have to agree each time in advance

Article by Michael Erner (M100, in German): Die Wahrheit über Einverständniserklärungen
