Principle 3: Consent
No Consent - No Collection
Since people own data about themselves (Principle 1), and people have privacy rights over certain private domains (Principle 2), it’s often very important to have consent from the data subject before collecting private data. If consent is not given, the collection of the data will often be ethically problematic.
What is Data Consent?
This probably seems self-evident to most people. For example, if Jones somehow gains access to Smith’s medical records without getting Smith’s approval beforehand, then Jones has clearly behaved wrongly.
So, consent seems to be a very important component, if the collection of personal data is going to be ethically legitimate. In other words, consent seems to be a necessary condition for the legitimate collection of personal data.
But notice that it is also often a sufficient condition. This means, that if Jones has collected Smith’s consent beforehand, then we do not need any additional information in order to know that it was ethically legitimate for Jones to gain access to Smith’s information.
In most cases, however, the consent would need to be genuine and informed consent. This means that, if Jones threatens Smith to give him the medical records, or if Smith believes that he is consenting to something else, then the consent doesn’t count.
Cases of uninformed consent are, unfortunately, common in the tech world. Too often, the data subject is asked to confirm that they have read a very long terms-and-conditions form. Surprises can be intentionally hidden in the form since it is very unlikely that the data subject will actually read the whole thing.
In other cases, information has been collected without any form of consent, for example when producers of smart TVs spy on customers through the TV’s camera. See for example this Article.
Explicit Consent and Implied Consent
When talking about consent, it is important to make the distinction between explicit and implied consent. Explicit consent means that Smith has explicitly given Jones permission to gain access to Smith’s medical record.
Contrast this with the following example of implicit consent: Smith has voluntarily uploaded his medical record online, for everyone to see, so Jones now has access to the record. Has Jones now behaved wrongly? It seems not. By voluntarily uploading the record online, Smith has implicitly consented to people gaining access to the medical record.
Seluxit and Consent
When Seluxit gains access to data about people, it is most often not personal data, in the sense that it is traceable to an identifiable individual. Most often, the data is about how a specific device is being used. Nonetheless, Seluxit makes sure that the data subject has given explicit consent before Seluxit collects any data. And, Selulix strongly encourages customers to comply with this principle. In general, we stand by this principle: No consent – no collection.
No consent – no collection.