Maurer School of Law: Indiana University Maurer School of Law: Indiana University
Digital Repository @ Maurer Law Digital Repository @ Maurer Law
Articles by Maurer Faculty Faculty Scholarship
2013
Notice and Consent in a World of Big Data Notice and Consent in a World of Big Data
Fred H. Cate
Indiana University Maurer School of Law
, fcate@indiana.edu
Viktor Mayer-Schönberger
University of Oxford
Follow this and additional works at: https://www.repository.law.indiana.edu/facpub
Part of the Information Security Commons, and the Privacy Law Commons
Recommended Citation Recommended Citation
Cate, Fred H. and Mayer-Schönberger, Viktor, "Notice and Consent in a World of Big Data" (2013).
Articles
by Maurer Faculty
. 2662.
https://www.repository.law.indiana.edu/facpub/2662
This Article is brought to you for free and open access by
the Faculty Scholarship at Digital Repository @ Maurer
Law. It has been accepted for inclusion in Articles by
Maurer Faculty by an authorized administrator of Digital
Repository @ Maurer Law. For more information, please
contact rvaughan@indiana.edu.
Tomorrow’s privacy
Notice and consent in a world of Big Data
Fred H. Cate* and Viktor Mayer-Scho¨nberger**
Introduction
Just over four decades ago, the first information
privacy statutes were enacted. After intense discussions
in North America and Europe, at the end of the 1970s
a number of privacy principles emerged under the
concept of Fair Information Practices and later became
the foundation for the Organisation for Economic Co-
operation and Development (OECD) Guidelines on the
Protection of Privacy and Transborder Flows of Person-
al Data adopted in 1980. Those principles, which seek
to balance the ‘fundamental but competing values’ of
‘privacy and the free flow of information’, form the
basis of most privacy legislation around the world. At
their core, they require that the processing of personal
information be lawful, which in practice means that
either the processing is explicitly permissible under law
or the individual whose personal data is being pro-
cessed has—after being informed of the reason,
context, and purpose of the processing—given consent.
Intuitively, such an approach makes sense. It
empowers individuals so that they—rather than a
bureaucratic government agency—can exercise their
privacy rights as they see fit. Over the years, and espe-
cially in the context of the Internet, this system of
‘notice and consent,’ originally intended to be only one
of multiple ways through which the lawful processing
of personal data can take place, has become the domin-
ant mechanism.
Today, almost everywhere that individuals venture,
especially online, they are presented with long and
complex privacy notices routinely written by lawyers
for lawyers, and then requested to either ‘consent’ or
abandon the use of the desired service. That binary
choice is not what the privacy architects envisioned
four decades ago when they imagined empowered
individuals making informed decisions about the
processing of their personal data. In practice, it cer-
tainly is not the optimal mechanism to ensure that
either information privacy or the free flow of informa-
tion is being protected.
Equally challenging is the fact that in the age of ‘Big
Data’, much of the value of personal information is not
apparent at the time of collection, when notice and
consent are normally given. Because future uses would
require going back to individuals for their amended
consent, many future uses that have significant in-
dividual and societal benefits might be simply too
costly to undertake. Moreover, what used to be a rela-
tively simple relationship between individuals and the
* Editor; Distinguished Professor, C Ben Dutton Professor of Law, and
Director of the Center for Applied Cybersecurity Research and the Center
on Law, Ethics and Applied Research in Health Information, Indiana
University. E-mail: fred@fredhcate.org .
** Professor of Internet Governance and Regulation, Oxford Internet
Institute, University of Oxford.
International Data Privacy Law, 2013, Vol. 3, No. 2
TOMORROW’S PRIVACY
67
#
The Author 2013. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com
Abstract
† Nowadays individuals are often presented with
long and complex privacy notices routinely
written by lawyers for lawyers, and are then
requested to either ‘consent’ or abandon the use
of the desired service.
† The over-use of notice and consent presents in-
creasing challenges in an age of ‘Big Data’.
† These phenomena are receiving attention par-
ticularly in the context of the current review of
the OECD Privacy Guidelines.
† In 2012 Microsoft sponsored an initiative
designed to engage leading regulators, industry
executives, public interest advocates, and aca-
demic experts in frank discussions about the role
of individual control and notice and consent in
data protection today, and alternative models for
providing better protection for both information
privacy and valuable data flows in the emerging
world of Big Data and cloud computing.
Downloaded from https://academic.oup.com/idpl/article-abstract/3/2/67/709124
by Indiana University-Bloomington Law Library user
on 23 March 2018
processors or users of their personal data has often
become complicated as datasets are combined and data
processors and users change. That also makes it even
harder for individuals to fully grasp the complexity of
the situation they are asked to assess. Finally, Big Data
is not only big, but also collected and processed so
often as to make opportunities to consent an unaccept-
able burden for most individuals. (To take just one
example, the New York Times reported in 2012 that one
US company that few people have ever heard of
engages in more than 50 trillion transactions involving
recorded personal data every year.
1
)
Taken together, these realities challenge the domin-
ant current privacy mechanism of notice and consent.
They can leave individuals’ privacy badly exposed, as
individuals are forced to make overly complex deci-
sions based on limited information, while data proces-
sors can perhaps too easily point to the formality of
notice and consent and thereby abrogate much of their
responsibility. At the same time, current privacy
mechanisms can unduly interfere with the innovation
potential of data use. These challenges require a ration-
al reassessment of the privacy landscape, as well as an
evaluation of the optimal mix of mechanisms available
to protect information privacy in a world that is begin-
ning to realize the latent value of Big Data.
To help foster that reassessment, in 2012 Microsoft
sponsored an initiative designed to engage leading reg-
ulators, industry executives, public interest advocates,
and academic experts in frank discussions about the
role of individual control and notice and consent in
data protection today, and alternative models for pro-
viding better protection for both information privacy
and valuable data flows in the emerging world of Big
Data and cloud computing.
Between May and August of 2012, Microsoft hosted
a series of regional privacy dialogues in Washington,
DC, Brussels, Singapore, Sydney, and Sa
˜
o Paulo. These
dialogues involved a total of 78 participants drawn in
almost equal proportions from government, academia,
advocacy, and industry (including editors of this
journal and members of its editorial board). Each dis-
cussion was moderated by a privacy scholar from the
region: Professor Fred H. Cate in Washington, DC,
Professor Viktor Mayer-Scho
¨
nberger in Brussels, former
A ustralian Privacy Commissioner Malcolm Crompton in
Sydney and Singapore, and Professor Nelson Remolina
Angarita in Sa
˜
o Paulo . The discussions followed the
Chatham House Rule, under which participants were
welcome to use the information learned there, but
agreed not to disclose the source or name of the individ-
ual or institution involved.
Following the five regional events, in September
2012 Microsoft welcomed more than 70 privacy and
data protection experts from government, industr y,
non-profit organizations, and academia to a global
privacy summit in Redmond, Washington. Drawn from
19 countries on five continents, the participants came
together to consider the future of data sources and uses
and practical steps to enhance privacy protection.
Many had participated in the regional discussions, and
all received in advance of the summit a summary of
the key points from those discussions.
This article briefly summarizes the key points of dis-
cussion during the regional privacy dialogues and the
global privacy summit. It is based on a report that was
reviewed by the participants prior to being released, but
neither that report, nor this article, purport to reflect
any consensus of the participants or the views of any
individual participant or organization, including Micro-
soft. The complete report, including a list of all partici-
pants and their affiliations, is available online.
2
The regional privacy dialogues
Despite considerable variety in the five regional discus-
sions in Washington, DC, Brussels, Singapore, Sydney,
and Sa
˜
o Paulo, there was significant overlap concerning
key issues. There was a widely shared sense that notice
and consent either have, or are perceived as having,
become the dominant means of data protection. Even
in countries in which notice and consent are not the
primary data protection tools provided by law, they
have nevertheless assumed undue importance in policy
debates and popular discussions about data protection.
As a result, or perhaps as a cause, ensuring individual
control over personal data is widely perceived as the
goal of data protection and is often highlighted as such
by political leaders and commentators.
Further, there was broad general agreement that
privacy frameworks that rely heavily on individual
notice and consent are neither sustainable in the face of
dramatic increases in the volume and velocity of infor-
mation flows nor desirable because of the burden they
1 Natasha Singer, ‘You for Sale: Mapping, and Sharing, the Consumer
Genome’, N.Y. Times, 17 June 2012, at BU1, available at ,http://www.
nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-
consumer-database-marketing.html?pagewanted=all&_r=0. accessed 5
March 2013.
2 The report is available at , http://download.microsoft.com/download/9/
8/F/98FE20D2-FAE7-43C7-B569-C363F45C8B24/Microsoft%20Global%
20Privacy%20Summit%20Report.pdf. accessed 5 March 2013.
International Data Privacy Law, 2013, Vol. 3, No. 268
TOMORROW’S PRIVACY
Downloaded from https://academic.oup.com/idpl/article-abstract/3/2/67/709124
by Indiana University-Bloomington Law Library user
on 23 March 2018
place on individuals to understand the issues, make
choices, and then engage in oversight and enforcement.
In short, ensuring individual control over personal data
is not only an increasingly unattainable objective of
data protection, but in many settings it is an undesir-
able one as well.
The discussions also addressed the advent of Big
Data, the increasingly ubiquitous nature of data collec-
tion and use, and the technological developments that
expand our capacity to interconnect, analyse, identify,
and extract new and unanticipated value from even old
or seemingly worthless data as factors that require new
approaches to data protection. A key sentiment
expressed in all of the discussions is that those new
approaches must shift responsibility away from data
subjects towards data users, and towards a focus on ac-
countability for responsible data stewardship, rather
than mere compliance while ensuring that expectations
and protection of privacy is preserved.
As to additional mechanisms to ensure privacy, one
of the most widely discussed alternatives was focusing
more attention on the ‘use’ of personal information
rather than on its ‘collection’, given the increasingly
pervasive nature of data collection and surveillance, in-
expensive data storage and sharing, and the develop-
ment of valuable new uses for personal data. Many
participants were careful to note that focusing on the
use of personal data does not mean that there should
not be responsibilities or regulation relating to data
collection, nor should a focus on data collection in spe-
cific or sensitive circumstances be abandoned. Rather,
in most situations, a more practical, as well as sensitive,
balancing of valuable data flows and more effective
privacy protection is likely to be obtained by focusing
more attention on appropriate, accountable use.
Many of the dialogues devoted considerable time to
what constitutes a ‘use’ of personal data, what uses
should be permitted or prohibited (or should require
some greater form of authorization, for example, spe-
cific affirmative consent), and by what standards these
determinations should be made. As many participants
noted, the failure to build consensus around the stan-
dards that data protection laws should implement cur-
rently impedes effective regulation and efforts at
international harmonization.
There seemed broad agreement that uses should
include disclosure, but there was uncertainty about
whether uses should include analysis of data within an
institution if the data are not used to make a decision
or create new information. Similarly, there was nearly
universal agreement that the ‘harms’ or ‘impacts’ that
data protection laws should be designed to avoid must
not only include physical and financial injury but also
broader concepts consistent with protecting privacy as
a human right—such as reputational or social harm
and the chilling effect of surveillance, but there was
little consensus as to precisely which other impacts
should be included or how they might be determined.
At the same time, while recognizing privacy as a
human right and the need to more clearly define
impacts, there was recognition of the need to resolve
conflicts with other fundamental rights. For example,
privacy can be in conflict with the right to engage in
free speech or to live in a society free from the threat
of terrorism. The quest needs to be for more effective
and efficient protection of privacy, not a weakening of
the protections that existing frameworks are intended
to provide, even if they do not always do so successfully.
In addition to considering how the standards to
guide data protection should be determined, the parti-
cipants also devoted considerable energy to the ques-
tion of how those standards should be implemented as
a matter of both law and individual entity policy. There
was broad agreement that implementation should be
practical, flexible, and focused on data users ensuring
and demonstrating accountability for their responsible
use of personal data.
Despite the limits of notice and consent, many parti-
cipants noted that this mechanism might continue to
play a role in the future, even if in a modified form
from today. For example, notice may be a key tool for
transparency, although this may suggest that disclosure
to a regulator or a central, accessible repository might
be more efficient than individual notice. Similarly,
consent may be necessary for the use of certain types of
data or for certain uses of data. Some participants
expressed the hope that by reserving notice and
consent for more appropriate uses, individuals might
pay more attention when this mechanism is used. Rec-
ognizing that notice and consent will have continuing
value in certain settings also reflects an ‘evolutionary’
rather than ‘revolutionary’ approach to updating data
protection principles, which many of the participants
found desirable. As a result, while all of the dialogues
were clear that merely fine-tuning notice and consent
will not provide the sort of new approaches to data
protection widely thoug ht necessary, this does not
suggest that notice and consent should not be
improved however possible so that when used, they are
more effective.
One key element of responsible data stewardship
that emerged at all five events was the need for better
security to protect personal data against unintended
access, loss, alteration, or disclosure. Any new model
Fred H. Cate and Viktor Mayer-Scho
¨
nberger
.
Notice and consent in a world of Big Data
TOMORROW’S PRIVACY
69
Downloaded from https://academic.oup.com/idpl/article-abstract/3/2/67/709124
by Indiana University-Bloomington Law Library user
on 23 March 2018
of data protection must ensure a high degree of
confidence that personal data will be appropriately
protected. While standards for data security are increas-
ingly being implemented around the globe, there was
discussion about the need to ensure that security stan-
dards remain flexible, given the constantly evolving
nature of security challenges, and that they be more
substantive than focused on providing notice to people
whose data may have been compromised. Again, a key
goal of many participants is to shift the responsibility
for data protection away from the data subject towards
the data user.
A number of discussions touched on the enforce-
ment of data protection laws and policies. Participants
agreed that enforcement is a critical element of
data protection, but some placed special emphasis on
enforcement as a way to transform ‘self-regulation’
into ‘co-regulation’, by giving the force of law to insti-
tutional or sectoral privacy undertakings that meet
minimum requirements. There was also discussion of
the extent to which relying on multinational enforce-
ment mechanisms (such as designated lead enforce-
ment agencies, an international enforcement body, or
binding arbitration) might help build cross-border
accountability and trust while reducing the costs of
enforcement and avoiding duplicative enforcement.
Discussions at all five events addressed the need for
greater harmonization and interoperability in data
protection across national borders in a way that does
not lead to a ‘race-to-the-bottom, lowest-common-
denominator’ result. Harmonization and interoperabil-
ity have assumed even greater importance with the
growth of cloud computing and e-commerce, which
often involve instant flows of data across geographic
boundaries. One advantage of developing new
approaches to data protection based on widely shared
twenty-first-century standards of appropriate data stew-
ardshipisthatitmightwellleadtomoreconsistent
privacy protection across borders and greater harmon-
ization of privacy practices and obligations. Moreover,
greater harmonization and interoperability are potential-
ly effective tools for maximizing the scarce resources
available for data protection and enforcement, and for
ensuring that individuals enjoy commensurate levels
of privacy protection—and that their rights can be
vindicated affordably and easily—no matter where they
travel, browse, or shop, or where their data are stored.
It is always risky to try to summarize rich and varied
discussions among talented privacy professionals, but
two themes seemed to dominate most of the discussions
at all five locations: that society should, to the greatest
extent possible, shift responsibility for protecting privacy
from the individual data subject to the data user, and
that the tools used to do so should be as flexible,
efficient, practical, interoperable, and sensitive to
competing values and realities as possible to achieve
responsible data stewardship.
The global privacy summit
The global privacy summit began w ith presentations on
innovative new uses of personal data by Craig Mundie,
chief research and strategy officer at Microsoft; Leroy
Hood, president of the Institute for Systems Biology;
Kush Parikh, senior vice president of business develop-
ment at Inrix; and Kenn Cukier, data editor at the
Economist, but the bulk of the summit was spent in
interactive discussions reflecting on the themes identi-
fied in the regional workshops and considering how
best to address them in practice.
The participants were able to respond to speakers,
pose questions, and interact with one another not only
face to face, but also using an interactive tool that
allowed participation by everyone and permitted every
idea to be captured (anonymously and with consent).
To facilitate maximum engagement, discussions took
place as a single large group as well as in seven smaller
groups, in all cases with professional facilitators and
rapporteurs. Every effort was made to ensure not only
that all voices were heard and all interjections included,
but also that the discussion progressed toward a prac-
tical and useful outcome.
After the summit, participants had another two
weeks to review the presentations and documents
online and add additional comments to the record. In
addition, participants had the opportunity to review
and comment on the draft report on which this article
is based. The remainder of this article seeks to capture
the major themes that emerged during the summit.
Given the breadth and depth of the discussions, this
article is necessarily selective, and while it is based on
the discussions in Redmond, it does not purport to
reflect a consensus view of the participants.
Significant challenges
Participants identified a number of privacy challenges
in the near future, but five broad themes emerged:
† There was considerable concern about the need for
greater public awareness of privacy issues, increased
transparency about the uses of personal data, and
more effective education about privacy and the valu-
able uses of personal data. There was broad agree-
ment that even if data protection systems come to
International Data Privacy Law, 2013, Vol. 3, No. 270
TOMORROW’S PRIVACY
Downloaded from https://academic.oup.com/idpl/article-abstract/3/2/67/709124
by Indiana University-Bloomington Law Library user
on 23 March 2018