The future of consumer data protection in the E.U. Rethinking the “notice and consent” paradigm in the new era of predictive analytics / Mantelero, Alessandro. - In: COMPUTER LAW & SECURITY REPORT. - ISSN 0267-3649. - PRINT. - 30:6(2014), pp. 643-660. [10.1016/j.clsr.2014.09.004]

The future of consumer data protection in the E.U. Rethinking the “notice and consent” paradigm in the new era of predictive analytics

MANTELERO, ALESSANDRO
2014

Abstract

The new E.U. proposal for a general data protection regulation has been introduced to give an answer to the challenges of the evolving digital environment. In some cases, these expectations could be disappointed, since the proposal is still based on the traditional main pillars of the last generation of data protection laws. In the field of consumer data protection, these pillars are the purpose specification principle, the use limitation principle and the “notice and consent” model. Nevertheless, the complexity of data processing, the power of modern analytics and the “transformative” use of personal information drastically limit the awareness of consumers and their capability to evaluate the various consequences of their choices and to give free and informed consent. To respond to the above, it is necessary to clarify the rationale of the “notice and consent” paradigm, looking back to its origins and assessing its effectiveness in a world of predictive analytics. From this perspective, the paper considers the historical evolution of data protection and how the fundamental issues coming from the technological and socio-economic contexts have been addressed by regulations. On the basis of this analysis, the author suggests a revision of the “notice and consent” model focused on the opt-in and proposes the adoption of a different approach when, as in Big Data collection, the data subject cannot be totally aware of the tools of analysis and their potential output. For this reason, the author supports the provision of a subset of rules for Big Data analytics, which is based on a multiple impact assessment of data processing, on a deeper level of control by data protection authorities, and on the different opt-out model.
Files in this item:

File: Mantelero_BigData_A new paradigm_PREPRINT.pdf
Access: open access
Description: This is a pre-print version of the article appearing in “The Computer Law and Security Review”. This version is distributed for non-commercial purposes (http://www.elsevier.com/journals/computer-law-and-securityreview/0267-3649/guide-for-authors).
Type: 1. Preprint / submitted version [pre-review]
License: PUBLIC - All rights reserved
Size: 334.16 kB
Format: Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/2556555
Warning! The data displayed have not been validated by the university.