Moving beyond consent in data privacy law. An effective privacy management system for Internet services
This thesis looks for a way to overcome the failure of consent as a means of addressing privacy problems associated with online services. It argues that consent to collection and use of personal data is an imperfect mechanism for individual authorisation because data privacy in relation to online services is a dynamic, continuous process. If people are to have autonomous choice in respect of their privacy processes, then they need to be able to manage these processes themselves. After careful examination of online services which pinpoints both the privacy problems caused by online service providers and the particular features of the online environment, the thesis devises a set of measures to enable individuals to manage these processes. The tool for achieving this is a Privacy Management Model (PMM) which consists of three interlocking functions: controlling (which consent may be a part of), organising, and planning. The thesis then proposes a way of implementing these functions in the context of online services. This requires a mix of regulatory tools: a particular business model in which individuals are supported by third parties (Personal Information Administrators), a set of technical/architectural tools to manage data within the ICT systems of the online service providers, and laws capable of supporting all these elements. The proposed legal measures aim to overcome the shortcomings of procedural principles by implementing a comprehensive model in which a substantive legal principle underpins a bundle of statutory-level laws which enable privacy management functions. These measures are explained against the background of the General Data Protection Regulation. All of this is designed to change the way decision-makers think about Internet privacy and to form the theoretical backbone of the next generation of privacy laws.