Consent

Developing an online consent manifesto based on human rights.

Data processing is often legitimized without consent being informed, freely given, or specific. ‘Datafication’ of life means people are continuously generating data through their online and offline activities. Data is often collected with a secondary use in mind which is often unspecified or unknown. People may not be fully aware of the kind of data they generate, how that data is collected, retained, or processed and what the implications of such uses may be. These developments are at odds with the norms underpinning the central role assigned to individual consent for data gathering and use. This raises questions about the adequacy of existing legal mechanisms and safeguards.

Improving the consent model

Current research suggests that there is a considerable gap between the practice of informed consent and its intended goals. Suggestions for improvement and development of the consent model focus on reducing risks and encouraging participation of the individual data subject. How can people have ongoing knowledge, access, control and ownership of their personal data? How can  the individual manage the increasing complexity of the information ecosystem?  Do individuals need greater autonomy in this contractual relationship?

Informed consent and GDPR

Informed consent is one of six legal basis for data processing. Consent is defined in Article 4 (11) of the General Data Protection Regulation (GDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This means that in order to obtain freely given consent, it must be given on a voluntary basis. It must be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed about his or her right to withdraw consent at any given time. The withdrawal must be as easy as giving consent. Where relevant, the data controller also must inform the individual about the use of the data for automated decision-making, the possible risks of data transfers and must ensure adequate safeguards are in place to respect human rights.

Consent in a human rights context

The requirement that consent must be given to use personal data  is linked to the right to self-determination. The need to respect individual and group autonomy is located within the right to self-determination. Respect for individual autonomy underpins international human rights law, given the law’s focus on respecting and fulfilling individual rights and freedoms. This is demonstrated, for example, by the importance attributed to the rights to privacy and freedom of expression. In the context of data processing, an individual’s autonomy ‘should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image […] and also of the “zone of interaction” […] between himself and others. He is the presumed owner of these aspects of his own self’. [1.] To facilitate this autonomy, informational self-determination is a tool to allow the free development of an individual’s personality. This includes interaction with other members of society on a free basis and therefore enables free participation in society without fear of persecution.

Our research

We are looking into how these issues of consent online can be addressed and how we can influence policy to do so. Our aim is to bridge the gap between practice and intended goals of consent online by applying a human rights based approach. In this way we hope to make a practical difference to individuals and the protection of their human rights by any data controller.

It is important to see what practical difference is made to the features of valid consent by this linkage to such a central feature of human rights. To accomplish this HRBDT is working on a consent manifesto that establishes principles for consent online based on human rights. This will be complimented by a variety of academic papers that take a critical lens to the role that consent plays both online and offline and its significance.

 

[1.] Wood v. Commissioner of Police for the Metropolis [2009] EWCA Civ 414, para. 21.

Latest Posts

  • Nov072019

    Upcoming Event – Your Data: Why Should You Care?

     3 December 2019 6.00 – 7.30 pm FirstSite, Colchester Admission is free and all are welcome to attend. Refreshments will…

    Read more
    HRBDT
  • Dec172018

    Those pop-up ‘I agree’ boxes aren’t just annoying – they’re potentially dangerous

    Have you noticed the increasing number of pop-ups asking you to consent or “agree” when you visit a website? Do…

    Read more
    HRBDT
  • Oct162018

    Free, Informed and Unambiguous Consent in the Digital Age: Fiction or Possibility?

    On 10 July, the Human Rights, Big Data, and Technology Project (HRBDT) co-hosted an event in London with the Law…

    Read more
    HRBDT

Publications

Publications

    Our Partners

    Queen Mary University of London
    University of Cambridge
    Eye Witness Media
    Universal Rights Group
    World Health Organisation
    Geneva Academy