Ever experienced getting a phone call from a stranger trying to sell you something? What if you decided to apply for a frequent flyer program of one airline and one month later you receive a phone call from a credit card company that this airline has made a deal with? The salesperson at the end of the line asks you whether you have a plan to travel in the next few months with this airline you recently became a member of, because there is a special promotion for the credit card he is offering. We know that it is not hard to guess where the credit card company got your contact information from (and perhaps your other personal information too). Do you think that this is right?
The answer lies within one word. It’s called “consent.”
If you remember that you gave permission for the airline to share your information with its partner or affiliated companies, that’s fine. But the ugly truth is that our data is often collected, used, and shared without our consent. The privacy policy or terms of use of companies in general can be so super-lengthy that no-one actually reads it, and you cannot say “No” to it either, despite the length, because that would stop you proceeding to the services or products that you want. As a result, you end up clicking “Accept” without paying attention to the content. Sound familiar?
In reality, you had no choice. A study in 2012 found that it would take 76 work days for an average Internet user to read all the privacy policies that she or he encounters in a year. It’s simply impractical to read them all because of their length, and those companies usually do not bother to highlight or shorten them to be more user-friendly. When the privacy policies or the terms of use are too long, users can give away their data without realizing what the companies will do with it. This is a real problem in the digital era.
We should be given a free choice as users, and consent has to be affirmative. Lengthy terms of use and privacy policies lead to what is called “forced consent.” Even though the wording is there, it’s so long that we’re given no choice but to “accept” — otherwise we cannot use the service and products. We should realize that this practice does not amount to consent.
Forced Consent ≠ Consent
Here are some examples of “informed consent.” When we browse a website, we find a pop-up box about the use of cookies that appears on the bottom of the site. If we are able to choose how we would like the cookies to work while we are browsing the site with a clear explanation for each type of cookie — what it is and what it does — that is called “informed consent.” This is because we give permission for the internet cookies to take note of our online behavior on the site. Another example is when you are asked whether you give permission to a person or a company to use your photo to promote an event or other content. If you are uncomfortable with having your photo visible to the public and they respect your decision, that is also informed consent.
Sometimes, however, things are more complicated. Recently, Thai authorities ordered all people living in the three southernmost provinces and four districts in a nearby province to register their SIM cards with a facial recognition application. As the area is known for an ongoing insurgency, the authorities said that the registration is for public safety and national security proposes. Those who fail to register will not be able to use their phone numbers. This also applies to those from outside the area who pass through. Since phones are so essential in everyday life, people have chosen to obey the order. It is not known how secure the database is, where the personal information is stored, who can have access to it and for what purpose the information is allowed to be accessed or processed. Even though people provide the information themselves, this should not be considered as consent — since consent should be given freely without any pressure.
Another example is the case of Facebook on personal data and privacy of users. Many of us use Facebook these days as a primary channel for us to connect with people. As Facebook’s revenue depends so much on advertisements, our personal data is harvested heavily on the site before being monetized for ads. Facebook Messenger is also a messaging platform where information is heavily harvested. Facebook offers a Term of Service to their users. However, this Term of Service regarding how the data is collected and used by the company is not usually read by people, and the link to it is also not easily found on the site. In this case, Facebook can do more in terms of gaining data consent by simplifying their Term of Service and makes it easier to be found and read by users.
We need to understand that data is a personal asset. No one should be able to take it away from us without our consent. What if someone just came up to you and took away your nice new shoes, your cute little puppy or the bag of apples you just bought from a store without even asking? In the analog world, that would be considered as a wrongful action and most would consider it illegal. In the digital world, however, channels that take our personal data are more complicated. It is not a physical thing, so it does not feel like an immediate loss to us. However, that does not mean it is not important.
According to the General Data Protection Regulations (GDPR), consent has to be freely given, specific, informed, and unambiguous. In order to qualify as free consent, it must be given voluntarily. It should not be forced or extracted under any inappropriate pressure or influence that can affect the outcome of that choice.
Sometimes we can protect ourselves, but that is often beyond our reach because comprehensive data protection requires cooperation between different stakeholders. A country that respects human rights should enable a mechanism of data protection in which personal data is automatically protected. The issue of personal data protection has gained more attention in many Southeast Asian countries since the European Union adopted its General Data Protection Regulation (GDPR). None of the existing laws in Southeast Asia, however, offer equivalent protection. This is because state actors are usually exempt from respecting personal data privacy when they claim that public safety and national security are at stake. The regulation on data protection should apply to all sectors that deal with personal information and privacy regardless of who should be held responsible. We need a GDPR-equivalent regulation on personal data protection that applies to all countries in Southeast Asia and clearly defines what constitutes “personal data.” People have a right to privacy in both the private and public sectors. Given the political situation in countries throughout the region, however, it looks like we still have a long way to go.
This article is published under Creative Commons license CC-BY-NC-ND 4.0.
