Unlike the deductive content approach adopted for the analysis of the conceptual model of consent, the inductive content approach is not structured and the coding is freely invented by the author. Hence, classification is affected by the author's biases. The coding for the issue of revocation was designed on the assumption that revocation controls may be symmetrical to the existing controls for giving consent. The first attempt to analyse the transcripts comprised four categories, by analogy with the four categories identified in the analysis of the consent concept. During this step, I tried to allocate excerpts of the text to the four categories. Where an excerpt did not seem to fit any of the categories, I created a new one, based on the information in the transcript. The second step was to process the data again, focusing on recognising and merging similar categories. For example, a category named revoking data was merged with the category deletion of data. I repeated the process several times until I had crystallised the differences between the various interpretations of the revocation concept. At the conclusion of the analysis eight categories remained, indicating that the apparent duality of consent and revocation does not always involve a symmetry; there exist scenarios in which consent for data to be collected or used has not been explicitly given, and yet an individual has the right to perform revocation.
Consider the case of SPAM or advertising e-mails sent to individuals' accounts without obtaining their initial consent. In such cases individuals may have a right to demand a halt; however, the mechanism for exercising that right may not be readily (if at all) available. Similarly, there are cases in which, once consent has been given, revocation may not be allowed. This is true, for instance, in the case of profiles submitted to national DNA databases in the UK (although for some, this will be conceived of as a form of forced consent or even consentless collection, as they will have no option but to comply).
The analysis of the data revealed that there are limited references to revocation controls and that these focused only on opt-out choices. Control over personal data held regarding an individual, from the individual's point of view, can be understood as the ability to revoke either the data or certain permissions to process and disseminate the data, or both. Consequently, revocation has many different flavours, with subtle differences depending on how the data and the associated consent must be altered. The principal result of the analysis is a novel taxonomy of revocation. Four fundamental types of revocation are identified (1-4 below), and another four types of revocation can be derived from the first ones (5-8 below).
1. No Revocation at all: personal data remains static, and once it has been disclosed, it is either physically impossible to revoke (how could someone ever revoke their reputation?) or prohibited for various reasons (e.g., law enforcement, data from the police DNA database).
in any way. Certain privacy rights are enshrined in national and European legislation; it is worth mentioning here how our model incorporates some of the stipulations of the EU Data Protection Directive 95/46/EC [2]. In article 12, for example, the directive mentions “the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data” [2]. Rectification is a variant of revocation in the sense that a data subject may request the deletion of incorrect data held about him or herself and have it replaced with other data.
3. Revocation of permissions to process data: data subjects withdraw consent that would enable an enterprise to process or analyse their personal data for a specified purpose. The EU Data Protection Directive mentions “blocking,” which corresponds exactly to revocation of permissions to process data in our model.
4. Revocation of permissions for third party dissemination: data subjects withdraw consent that would enable an enterprise to disclose information to a third party.
5. Cascading revocation is a variation on any of the above kinds of revocation, whereby the revocation is (recursively) passed on to any party to whom the data has been disclosed. Through this mechanism, data subjects are able to revoke data by only contacting the enterprise that they had disclosed their data to originally. It should be remarked that offering such a service is only practicable if data is only disclosed to organisations which themselves offer such a control.
6. Consentless revocation: personal data for whose storage and dissemination no consent has been explicitly given by the data subject, but which may need to be revoked. Again, any of the fundamental types of revocation may be invoked. This form of revocation is introduced to capture the privacy problems identified by Solove [236]. The need to revoke consentless data emerges mainly when a breach in privacy has occurred and the data subject experiences one of the acknowledged problems. For example, a picture of Jane drunk at a party was uploaded onto Facebook without her consent. As a consequence her reputation is ruined. She takes legal action in order to have the photograph removed from the site.
7. Delegated revocation: This is a kind of revocation which is exercised by a person other than the individual concerned, such as an inheritor or parent/guardian.
8. Revocation of identity (Anonymisation): data subjects may be happy for personal data to be held for certain purposes as long as it is not linkable back to them personally. Anonymisation may be regarded as a variant of revocation, in that data subjects request a change to data held so that it is no longer personally identifiable.
The last four revocation types are derivative, while the others are basic; for instance, revocation of permissions to process data may be delegated and consentless. Cascading revocation is an ideal that is difficult to implement in practice∗.
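To make the practicability condition on cascading revocation (type 5) concrete, the following is an added example, not part of the original text: a small Python model in which one request is passed down a disclosure chain. The party names, the disclosure graph and the rule that a party offering no control neither applies nor forwards the request are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: who disclosed the data subject's record to whom.
DISCLOSURES = {
    "retailer": ["analytics", "courier"],
    "analytics": ["ad_broker", "retailer"],  # cycle back to the origin
    "courier": ["subcontractor"],
}
# Constructed: parties that themselves offer a revocation control.
OFFERS_CONTROL = {"retailer", "analytics", "ad_broker", "subcontractor"}


def holders(origin, disclosures):
    """Every party the data has reached, whether or not it offers a control."""
    seen, stack = {origin}, [origin]
    while stack:
        for recipient in disclosures.get(stack.pop(), []):
            if recipient not in seen:
                seen.add(recipient)
                stack.append(recipient)
    return seen


def cascade_revoke(origin, kind, disclosures=DISCLOSURES, offers=OFFERS_CONTROL):
    """Pass one revocation request of type `kind` down the disclosure chain.

    Returns {party: outcome}, where outcome is "revoked: <kind>",
    "blocked" (reached, but offers no control, so it neither applies nor
    forwards the request) or "stranded" (holds the data, request never arrived).
    """
    outcome = {party: "stranded" for party in holders(origin, disclosures)}
    queue, notified = deque([origin]), {origin}
    while queue:
        party = queue.popleft()
        if party not in offers:  # assumption: the chain breaks at this party
            outcome[party] = "blocked"
            continue
        outcome[party] = f"revoked: {kind}"
        for recipient in disclosures.get(party, []):
            if recipient not in notified:  # guard against disclosure cycles
                notified.add(recipient)
                queue.append(recipient)
    return outcome


if __name__ == "__main__":
    result = cascade_revoke("retailer", "permissions to process data")
    for party, status in sorted(result.items()):
        print(f"{party:14} {status}")
```

In the sample graph a single party without the control (the courier) leaves the subcontractor holding data that the request never reaches, even though the subcontractor itself offers a control.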