Developing an online consent manifesto based on human rights.
Data processing is often legitimized without consent being informed, freely given, or specific. ‘Datafication’ of life means people are continuously generating data through their online and offline activities. Data is often collected with a secondary use in mind which is often unspecified or unknown. People may not be fully aware of the kind of data they generate, how that data is collected, retained, or processed and what the implications of such uses may be. These developments are at odds with the norms underpinning the central role assigned to individual consent for data gathering and use. This raises questions about the adequacy of existing legal mechanisms and safeguards.
Improving the consent model
Current research suggests that there is a considerable gap between the practice of informed consent and its intended goals. Suggestions for improvement and development of the consent model focus on reducing risks and encouraging participation of the individual data subject. How can people have ongoing knowledge, access, control and ownership of their personal data? How can the individual manage the increasing complexity of the information ecosystem? Do individuals need greater autonomy in this contractual relationship?
Informed consent and GDPR
Informed consent is one of six legal basis for data processing. Consent is defined in Article 4 (11) of the General Data Protection Regulation (GDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
This means that in order to obtain freely given consent, it must be given on a voluntary basis. It must be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed about his or her right to withdraw consent at any given time. The withdrawal must be as easy as giving consent. Where relevant, the data controller also must inform the individual about the use of the data for automated decision-making, the possible risks of data transfers and must ensure adequate safeguards are in place to respect human rights.
Consent in a human rights context
The requirement that consent must be given to use personal data is linked to the right to self-determination. The need to respect individual and group autonomy is located within the right to self-determination. Respect for individual autonomy underpins international human rights law, given the law’s focus on respecting and fulfilling individual rights and freedoms. This is demonstrated, for example, by the importance attributed to the rights to privacy and freedom of expression. In the context of data processing, an individual’s autonomy ‘should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image […] and also of the “zone of interaction” […] between himself and others. He is the presumed owner of these aspects of his own self’. [1.] To facilitate this autonomy, informational self-determination is a tool to allow the free development of an individual’s personality. This includes interaction with other members of society on a free basis and therefore enables free participation in society without fear of persecution.
We are looking into how these issues of consent online can be addressed and how we can influence policy to do so. Our aim is to bridge the gap between practice and intended goals of consent online by applying a human rights based approach. In this way we hope to make a practical difference to individuals and the protection of their human rights by any data controller.
It is important to see what practical difference is made to the features of valid consent by this linkage to such a central feature of human rights. To accomplish this HRBDT is working on a consent manifesto that establishes principles for consent online based on human rights. This will be complimented by a variety of academic papers that take a critical lens to the role that consent plays both online and offline and its significance.
[1.] Wood v. Commissioner of Police for the Metropolis  EWCA Civ 414, para. 21.
- The population of London will now be subject to biometric identity checks as they go about their day-to-day lives.… https://twitter.com/i/web/status/1220702379722657792
- Based on the test facial recognition deployments, there are significant concerns regarding the necessity of this ro… https://twitter.com/i/web/status/1220702378338459648
- Our report found a presumption of the part of officers to intervene with the public, even when an initial determina… https://twitter.com/i/web/status/1220702377101221891
- The effectiveness of this technology as a policing tool must also be questioned. Our report found an error rate of… https://twitter.com/i/web/status/1220702375905841152
- A key issue is the lack of safeguards and guidance on how the technology will be used and who it will target. For i… https://twitter.com/i/web/status/1220702374739808256
- In our opinion, the common law is overly vague and inadequate. It does not provide the protection against arbitrari… https://twitter.com/i/web/status/1220702373561147392