Project Consent & PIMS

In our networked world the disclosure of personal information has long been a part of everyday life. People can't benefit from the digital services available without consenting to the use of personal details. However, the associated data protection policies are usually long and often remain unread because of their legal jargon, technical complexity and lack of time. As a result the content of such„ data protection terms and conditions “is more or less agreed to blindly. More and more requests for data protection consent also cause data owners to be overwhelmed by the need to make decisions, deadening them into a state of 'rational ignorance' and finally to a devaluation of the significance of providing consent. In real life the ideal data protection situation of 'informed consent' is a rarity.

Given the rising incidence of non-informed consent, uncertainty is growing on the part of consumers about how their personal data is actually handled. The situation also leads to asymmetries between what users know about themselves and what the data-processing services know. The trust that is placed in the industry using the data diminishes to the same extent. In view of the uncertainty on the part of consumers and the extended requirements of the EU's General Data Protection Regulation, companies at the same time have an increased need to gain more legal certainty and increase customer confidence by clearly documented and informed declarations of consent. Informed consent remains an absolutely crucial tool for information autonomy and ultimately a prerequisite for the exercise of the fundamental right to self-determination in terms of individual data.

How can the requirements of this development be satisfied? What role is played by the technology which is applied? To what extent can those who are affected be given back sovereignty over their data by the use of 'smart technology', and how can an improved possibility for providing consent be created? To what extent will it be possible – by means of technical consent supports and consent platforms to strengthen and ensure rights to information, automation of the approval process - to ensure the clarity and intelligibility of the consent as well as the transparency of data processing purposes?

It would be a great opportunity if in future the frequent inflationary and in part legally unsafe declarations of consent could be rendered manageable by means of a user-friendly technical solution. The principle of "Data protection through technology" (Art. 25 of the General Data Protection Regulation – DSGVO) accordingly also stipulates technical solutions in order to ensure transparency and with regard to consent. There is a great deal in favour of solving several current problems in the field of data protection by so-called "Personal Information Management Services" (PIMS) or 'Privacy Enhancing Technology' (PET).

The idea behind such approaches is that it should be possible for users to decide when, to whom, for what purposes, to what extent and for how long they transmit their data, and track the use of this data and, if necessary, withdraw their consent to its use. This would not only meet the requirements for 'informed consent' but also open up the way to so-called 'empowered consent'. So users could be put in a position to determine their own data protection preference settings. For business, especially for small and medium-sized companies, legal certainty would be created and costs for the necessary implementation of data protection regulations would simultaneously be reduced. The controlled disclosure of personal information, coupled with the ability to update the data dynamically, would also increase the quality of the data (smart data).

Depending on what aspect or focal points the individual projects are concentrated on, the use of automated consent processes could also implement many requirements of the General Data Protection Regulation - for example informed consent (Art. 4 para. 11), the use of data for specific purposes, data minimisation (Art. 5 para. 1), the right to data portability in machine-readable format (Art. 20 para. 1) and the security of data processing.