EU Privacy Rules Should Examine Intent, Not Require Consent

By Vasant Dhar, Professor and Head, Information Systems Group, Daniel P. Paduano Faculty Fellow & Director, Center for Digital Economy Research and Arun Sundararajan, Associate Professor of Information, Operations and Management Sciences, NEC Faculty Fellow & Doctoral Coordinator, IOMS-Information Systems

On Wednesday, January 25, in new regulation that unifies privacy standards across the EU, the European Commission will require that companies secure explicit consent from consumers to use their personal information.

We disagree with this recommendation because it will be onerous for businesses, will be challenging for regulators to enforce, and will fundamentally limit some of the inherent benefits of online experiences for users.

The question of who ‘owns’ the digital data that were part of a transaction is practically unsolvable, and any answer must be based on the context in which the data were exchanged. Therefore, we propose an intent-based approach as a pragmatic middle-ground solution to better protect consumers without stifling innovation. Here's why:

--The transaction costs associated with explicit consent are huge. People don't realize just how much data are being exchanged when one transacts or communicates online, much of which is necessary to offer users a seamless experience. Requiring explicit consent for every piece of user information is unrealistic. Further, this standard may favor entrenched businesses like Google and Facebook, whose scale and sheer user volume will make blanket consent more likely, but will discourage innovation by new entrants and smaller Internet players.

--An intent-based approach offers a good compromise between “explicit consent” (the consumer grants permission) and “implicit consent” (the firm assumes permission). Firms should think carefully about what “rights” consumers are implicitly granting when they share their data and use this consumer intention as the basis for how to act on the data.

--The intent-based approach protects consumers by giving them a “reasonable intent” to fall back on without creating the unnecessary transaction costs for companies associated with explicit consent. The offline world provides useful guidelines in this regard that can be used in the online world.

--We support the EU guidelines for reporting data breaches in a timely way, which align firm and consumer interests and will encourage firms to develop crisis management strategies in advance.

Dhar and Sundararajan are both researchers who explore how information technology transforms markets and corporate strategy, with expertise in privacy, social media, business intelligence and digital business models.