Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent
from the oh-wait,-that-takes-work dept
Once again, we find lawmakers who seemingly championed “strong privacy” rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data between those agencies in order to provide better services. But, here’s the problem: doing so without “consent” would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O’Donovan, decided to try to take the easy way out and say that the government should be able to “infer” consent, if someone made use of the government service in the past:
?That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.?
Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of “don’t do anything at all with my data,” often fail to realize how extreme that position is, and how it limits perfectly normal functions.
But, in this case, it comes across as just another example of where governments are saying, “do as I say, not as I do…”
Filed Under: consent, data privacy, data protection, eu, gdpr, ireland, patrick o'donovan, privacy
Comments on “Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent”
Disagree completely
I don’t think that it’s reasonable to assume that just because I use one government service, that they should be able to share that data with other services.
And I think that we do need to take an extreme position with privacy, since once your data is shared, it’s not possible to unshare it.
If they want to share data, they can ask permission explicitly. I see nothing wrong with that.
Re: Disagree completely
I disagree with the bit about “limiting perfectly normal functions” being accidental or bad. I know what’s considered “perfectly normal” these days; much of that is exactly what I want to prevent.
Re: Disagree completely
As an example, Canadian tax forms for years have had two checkboxes on the front page:
1) Are you a citizen?
2) If yes, can we register you to vote?
It’s a reasonable way to get people registered. All you have to do is check a box to consent; there’s no real burden here that would justify automatic or opt-out sharing.
What are the Irish examples? The linked web page is not loading.
Re: Re: Voter registration is bollocks
I don’t understand this even the slightest.
Here in Switzerland, when you’re a citizen above the age of 18, you’re a voter. Always. You don’t have to “register” or whatever nonsense. You’re already registered as citizen, why would you need to re-register to partake in your rights as citizen?
Re: Re: Re: Voter registration is bollocks
Quite simply, so your agency is not usurped by someone else claiming to be you at the ballot box. In other words, to prevent identity ‘theft’.
Re: Re: Re:2 Voter registration is bollocks
(Which, just to note, would be more legitimately referred to as “identity fraud”.)
And also so that you can choose which political party’s members-only elections (i.e., primaries) you are permitted to participate in.
Re: Re: Re: Voter registration is bollocks
In Canada, they’ll mail you a voter card to tell you where to vote, and it can be used as proof of address. Those who haven’t pre-registered can still vote, if they have other proof.
Contractual Basis?
Just for fun, let’s assume GDPR applies to them in full.
If a person’s request to a government agency necessarily requires processing, there is a basis for this in the GDPR already: to perform under a contract.
The government could probably use this basis for all processing that is actually necessary to fulfill the constituent’s request.
Legitimate interests might justify some analysis thereof. Sharing… I don’t know if legitimate interests justifies sharing information among agencies.
At any rate, even if you could just infer consent, you’d have a new problem: your basis for processing is now consent, which is very inconvenient. Consent under GDPR is always revocable and cannot be made contingent on providing the service, which means all the government agencies sharing information on the basis of consent would need to tag all such data with some identifier which allows them to find and delete it later if the constituent revokes!
Good thing they don’t subject themselves to the GDPR rules that they think are so great when applied to everyone else! ( ͡° ͜ʖ ͡°)
Consent is easy…
NO MEANS NO!
You can not infer consent, because consent can be withdrawn at any time and you have to honor that!
They want the right to ruin everyone else who told them the law was stupid & is trying to live up to a standard they decided they don’t have to, because they are special.
If the law does not apply to EVERYONE the law is broken.
Re: Re:
“Consent is easy… NO MEANS NO!”
But that data you are wearing is sooo provocative!
Some rules only work in the extreme.
Once a RED light meant stop. Period.
Now, due to political intervention a RED light means stop and the turn right on red.
Before one could walk across the street.
Now if one attempts to walk across the street the only safe time is when there are no cars present because there is always some nut case that will turn the corner at 40 MPH.
Privacy is the same way. It is all or nothing. If there are exceptions to the rule some one will exploit those exception to such an extent that there is none.
Re: Re:
Hey I’m not a nutcase… I’m qualifying.
Re: Re:
You are still supposed to stop before turning right on red. Too many people don’t, just as too many people turning left on an unprotected turn don’t yield to opposite traffic turning right.
Problem with privacy is there’s a lot of “supposed to”s that can’t be undone once the cat’s out of the bag.
Re: Re:
I see your point, but the examples are weak.
1) A red light still means stop.
2) Political intervention? Insufficient data. Traffic safety is sorta their job – no?
3) It was never safe to cross a street without due diligence.
These are not examples of government overreach.
Re: Re:
The red light still means stop. It used to also mean "don’t go", unconditionally; it’s only this part that’s changed. AFAIK, it’s illegal everywhere to turn right at a red light without first stopping. This could be better enforced; in many areas it’s illegal to run a yellow light when safe to stop, and I’ve never seen that enforced either.
Re: Intervention
Wait, are you saying that right on red is government overreach and we don’t need government interfering with our traffic rules?
Once they get that foot in the door, they won’t stop.
If they “infer” consent with this, then they’ll want to infer consent with the next thing, and the next, and the next…
Not sure what all the fuss is about. Hard to believe that a government agency can’t find legal justification for the processing in question under the recognized bases of “legal obligation”, “vital interests”, “public task”, or “legitimate interests.”
Re: Re:
That’s how the NHS in the UK is managing to keep functioning and not grind to a halt. Consent goes a long way, but within reason – it’s not consent for the health service to do anything it wants, only what is appropriate and proportional.
If the law doesn’t include such inferred consent then it’s illegal and if they run with this “infer” thing it’s just another selectively enforced piece of crap. *grabs popcorn* Anybody want some?
Open the floodgates
When someone starts to infer the right to share data, they will then infer with whom they can share that data with. The chain of inferences then becomes unmanageable and the data will then become universally known. There needs to be some limits to any suggestion of inference, the problem then becomes how to control those. Look at how our browsing habits and third party knowledge has become ‘we own all your data’. This isn’t right.
Re: Open the floodgates
The horses have already left the barn
As soon as you grant inferred consent, the government will make sure that all it’s various branches have that consent. That is hardly the purpose of privacy to give everyone and their brother access to data by using one service.
In the US of course if they followed this, then the NSA and everyone else has access automatically with government approval and no public oversight at all. Kinda sounds like what we have now.
A lot of people complain about this, but it makes some sense. I used to get food stamps, when my income warranted it. At the same time, I used to get Medi-Cal (Californian Medicaid) under the Obamacare expansion.
Despite Medi-Cal normally going through the same agency as Food Stamps…it doesn’t in the case of the Obamacare expansion (or did not back when I was getting it in 2014).
I was trying desperately to determine how to apply to Obamacare Medi-Cal, when I got a letter telling me I qualified based on info from my food stamps. And while that mess is due to mismanagement, the ability to disseminate my information to other agencies to determine my qualifications for other services, and speed up intake to my other services is excellent.
That said, they need to do what everyone should be doing, explaining to me the savings in my time and effort if we allow different agencies to access my info, allow me to opt-in to sharing my data on a per agency basis, and provide easy opt out tools, at least an easy phone number to manage my data prefrences.
Inferred consent in this case, is ridiculous no matter how you look at it.
All your data is belong to us
Opt out of sharing?
I’m pretty much with Mike here – under most circumstances “inferred” consent seems reasonable.
But obviously many disagree.
For me, whether sharing is OK depends on the data. Lots of things I’m fine with being shared, as I consider them more-or-less public info.
Other things, not.
It should be up to me – and each citizen – which data falls in which category.
So – how about a checkbox?:
[x] OK to share this data for (some reasonably limited set of related purposes)
[ ] Not OK to share this data for any other purpose
Re: Opt out of sharing?
Do you think that your credit rating has anything at all to do with your capability to properly and safely operate a motor vehicle?
Do you think that paying utility bills late means that you will should be forced into paying more for a loan?
Do you think your genetic makeup is a basis for determining how much you should pay for health insurance?
Stay tuned for answers to these questions and more.
… I do not think the situation is as cut ‘n dried as you imply.
Re: Re: Opt out of sharing?
(a) A little bit, but not much. (People who are irresponsible with credit are probably more likely to be irresponsible with driving too. But I don’t expect a very strong correlation.)
(b) Yes, of course. (Tho I object to the word “forced”. Nobody is “forced” to take a loan. But surely payment history goes to the riskiness of the loan, and I do expect lenders to take that into account in their offers.)
(c) Yes, obviously. This directly predicts expected medical expenses.
Re: Opt out of sharing?
As I read it the problem isn’t that it can make sense, but that the standards they are using aren’t consistent.
Could Facebook ‘infer’ consent or are they required to get a clear and unambiguous granting of permission?
Is Google allowed to ‘infer’ that someone who’s used their service for one thing has consented to that information being used for another thing, or are they likewise required to get explicit permission for any given use?
If they want to say that it’s fine for the government to ‘infer’ consent, then unless they are willing to grant that same ability to companies and individuals running impacted platforms they’re being hypocritical in using two sets of interpretations of the law, one for them, and one for everyone else.
It’s kind of like in ‘merka where “cruel and unusual” is meaningless because even torture is “usual” now.
Notice how Mansick doesn't distinguish between gov't and corps?
I don’t think that he can.
Gov’t will do with your data pretty much whatever wants, de facto. — Oh, part of it may be intended to clog up the system and deny benefits, but that’s often what gov’t wishes.
Re: What was the name of your failed band?
Different if done on a computer?
Years ago, I was doing some db work for a state public housing department in Australia. This involved identifying housing that required maintenance or refurbishing (anything from new kitchen to painting walls) and assigning that work to an approved contractor.
One problem I remember was that the department rental agent would not let us go into certain houses. The reason was that they knew those were used by drug dealers and they were scared to go in there.
Being a naive IT guy and not well versed in the public sector, I suggested telling the police. Oh no, I was told, we have strict privacy guidelines so we cannot do that.
The privacy concerns were so onerous that I could not even obtain the tenants’ names so that my we could send a personalised letter telling them that we were to do maintenance on the property. And that was sharing information within the same govt department.
Now I don’t know what the situation is in Ireland, but certainly in Australia govt departments have privacy guidelines that preclude sharing information.
However, I would not be surprised if things are different for information gathered on the internet, because it’s on a computer.