Developing an online consent manifesto based on human rights.
Data processing is often legitimized without consent being informed, freely given, or specific. ‘Datafication’ of life means people are continuously generating data through their online and offline activities. Data is often collected with a secondary use in mind which is often unspecified or unknown. People may not be fully aware of the kind of data they generate, how that data is collected, retained, or processed and what the implications of such uses may be. These developments are at odds with the norms underpinning the central role assigned to individual consent for data gathering and use. This raises questions about the adequacy of existing legal mechanisms and safeguards.
Improving the consent model
Current research suggests that there is a considerable gap between the practice of informed consent and its intended goals. Suggestions for improvement and development of the consent model focus on reducing risks and encouraging participation of the individual data subject. How can people have ongoing knowledge, access, control and ownership of their personal data? How can the individual manage the increasing complexity of the information ecosystem? Do individuals need greater autonomy in this contractual relationship?
Informed consent and GDPR
Informed consent is one of six legal basis for data processing. Consent is defined in Article 4 (11) of the General Data Protection Regulation (GDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
This means that in order to obtain freely given consent, it must be given on a voluntary basis. It must be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed about his or her right to withdraw consent at any given time. The withdrawal must be as easy as giving consent. Where relevant, the data controller also must inform the individual about the use of the data for automated decision-making, the possible risks of data transfers and must ensure adequate safeguards are in place to respect human rights.
Consent in a human rights context
The requirement that consent must be given to use personal data is linked to the right to self-determination. The need to respect individual and group autonomy is located within the right to self-determination. Respect for individual autonomy underpins international human rights law, given the law’s focus on respecting and fulfilling individual rights and freedoms. This is demonstrated, for example, by the importance attributed to the rights to privacy and freedom of expression. In the context of data processing, an individual’s autonomy ‘should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image […] and also of the “zone of interaction” […] between himself and others. He is the presumed owner of these aspects of his own self’. [1.] To facilitate this autonomy, informational self-determination is a tool to allow the free development of an individual’s personality. This includes interaction with other members of society on a free basis and therefore enables free participation in society without fear of persecution.
We are looking into how these issues of consent online can be addressed and how we can influence policy to do so. Our aim is to bridge the gap between practice and intended goals of consent online by applying a human rights based approach. In this way we hope to make a practical difference to individuals and the protection of their human rights by any data controller.
It is important to see what practical difference is made to the features of valid consent by this linkage to such a central feature of human rights. To accomplish this HRBDT is working on a consent manifesto that establishes principles for consent online based on human rights. This will be complimented by a variety of academic papers that take a critical lens to the role that consent plays both online and offline and its significance.
[1.] Wood v. Commissioner of Police for the Metropolis  EWCA Civ 414, para. 21.
- HRBDT is delighted to co-organise with @UN_GP_RtoP a three-day Round Table with social media and tech companies on… https://twitter.com/i/web/status/1268130084621291521
- HRBDT Director Prof Lorna McGregor is looking forward to speaking at this critical seminar today organised by… https://twitter.com/i/web/status/1265585380012830720
- In their latest blog @ahmedshaheed and Prof Lorna McGregor set out 5 urgent principles for responding to harm cause… https://twitter.com/i/web/status/1263813112043618305
- Here's the @HRBDTNews weekly roundup of #HumanRights #TechNews including #ContactTracingApp #digitalinclusion a… https://twitter.com/i/web/status/1263039647636230144
- How can we ensure that the rights of #refugees are protected during this pandemic? Awareness of the existing laws i… https://twitter.com/i/web/status/1262699194873241600
- Here's the @HRBDTNews roundup of the weeks #Humanrights #tech news stories including #ContactTracingApp… https://twitter.com/i/web/status/1259869449177509888