Making sense of privacy notices: lessons from financial services for an ‘assisted’ consent

DCU Law and Tech regularly publishes blog posts on law and technology topics, written by a variety of authors.

Andrés Chomczyk Penedo
Vrije Universiteit Brussel (Belgium)

1. Deciding about data in a complex reality

A privacy notice can be a dense document, and its average length has increased steadily in the last few years. Because of this, notices are often left unread or misunderstood. However, they give an accurate picture of how our data is used. As we enter an age of complexity, we can only expect them to keep growing. If data controllers are publishing ever longer privacy notices, shouldn’t they also help data subjects make sense of them?

This question has become extremely relevant as data subjects’ informed consent is expected to play a fundamental role in enabling the EU data economy. Without meaningful and sensible information, people cannot make appropriate (and legally binding) decisions. Since data subjects are already fatigued from an overload of choices regarding their data, more difficult notices can prove a real challenge for making transparency effective in its purpose. While the GDPR mandates concise information in easy-to-read language, perhaps the complexity of our daily lives simply cannot be broken down.

If the complexity of these new activities cannot be simplified, how can data controllers obtain a proper informed consent? To answer this question, we can find inspiration in other areas with similar problems. Examples of complex legal documents include the prospectus of a publicly traded company or the credit information sheet provided when applying for a loan. As such, the financial services industry might have an answer for us.

2. Looking for inspiration elsewhere: the duty of assistance in financial services regulation

If we look at how information is provided in this industry, we find practices similar to those in data protection and, consequently, similar problems, as shown by research on digital financial services. To address this, certain regulations have provided an alternative path. The financial services industry has developed a duty of assistance to help clients make adequate choices in certain scenarios where complex documents, such as prospectuses or credit sheets, are involved.

This duty of assistance is not uniform across such a diverse and wide industry. In this respect, rules such as MiFID II, the Crowdfunding Regulation, the Consumer Credit Directive, and the Mortgage Credit Directive have each put forward their own version of it. Nevertheless, they share a common objective: helping a protected party make a decision based on information that is hard for a layperson to understand.

The harms and risks involved may be either ignored or misunderstood because of the difficulty posed by these disclosure documents. For example, a customer might be exposed to overindebtedness from a loan or invest in securities that have a higher chance of default than originally expected. As such, the entity that is putting the customer in front of that risk should help them assess the options on the table before making a decision.

In practice, this duty is meant to bridge the broadness and generality of these complex documents and adjust the information to the client in an adequate manner according to their profile. To do so, each instrument relies on different criteria to classify the client, from their knowledge and experience in the field to their financial situation or economic objectives, and even their risk profile or environmental and social responsibility preferences, to name a few. The whole purpose is to provide fit-for-purpose assistance so that sensible choices can be made for that person, or at least for the category to which that person belongs. This can be done on an automated basis, as provided for by each specific piece of regulation. If we draw a comparison with the data economy, this would mean that data controllers should be able to guide data subjects in the choices imposed by this economic model: with whom, what, and how data should be shared.

3. Is there room in GDPR for a duty of assistance?

The duty of assistance in the banking sector has an interesting end objective embedded in it: fostering prudential lending and the avoidance of overindebtedness by clients. A similar thing can be said about this duty in capital markets with regard to risk exposure. This duty acknowledges that banks or investment firms play a fundamental role in managing both micro and macro risk levels: securing consumer protection and protecting the financial system as a whole. With particularities varying from one legal system to another, both of these objectives are constitutionally protected.

If we look at the GDPR, we can see that controllers, and to a lesser extent processors, have a duty to process personal data in compliance with it, but also with due respect for fundamental rights. In this sense, a duty of assistance for data subjects could also protect the right to data protection itself as well as other fundamental rights that could be compromised by poorly informed choices. This is particularly relevant as some of the risks involved are more ‘invisible’ than a financial risk, such as not being able to pay back a loan or losing invested personal savings.

In this respect, it is possible to argue that current practices can be seen as compliant with the GDPR, but not with the underlying constitutional principles that the GDPR is called to safeguard. The whole purpose of the GDPR is to guide processing activities in a manner that minimizes or prevents harm to fundamental rights. As such, ‘throwing’ a privacy notice at data subjects cannot be considered a measure effective enough for this purpose, as demonstrated by research from scholars and decisions from supervisory authorities.

While Articles 13 and 14 of the GDPR indicate what information must be provided, they do not indicate how such information should be given. While the status quo has for quite some time been the privacy notice, this doesn’t preclude the possibility of giving more personalized and specific information to the data subject. On the contrary, current practices on data protection transparency constitute a de minimis approach to transparency in general.

In this sense, Article 12 should be used as guidance to provide grounding for this duty of assistance. If a privacy notice provides the information indicated in Articles 13 or 14, as appropriate, but fails to meet the criteria in Article 12 (a concise, transparent, intelligible, and easily accessible form, using clear and plain language), then an appropriate measure to remedy such deficiencies could be introducing a duty of assistance to help data subjects.

4. A solution too good to be true?

This approach isn’t free of potential shortcomings. As data controllers engage in a more ‘influential’ manner with data subjects by helping them make decisions, this raises the question of whether such consent, while properly informed, is truly free. This is related to the issue of nudging and whether a ‘nudged’ consent is a valid consent, as the same rationale can be applied to the proposed ‘assisted’ consent. Transparency, again, might prove to be the key distinguishing element between the two, as data subjects are made aware of the assistance provided.

If such a duty can be grounded in the GDPR as proposed, it is possible to address one of the most criticized topics in data protection: the notice and consent model based on the idea of decisions taken by a reasonable and sensible individual. By doing so, the relationship between data subjects and data controllers could change dramatically towards a more engaged interaction between the two, accommodating more data-intensive activities. In this respect, it is possible to envisage a more democratic and participatory model for governing personal data.
