Consent

Developing an online consent manifesto based on human rights.

Data processing is often legitimized without consent being informed, freely given, or specific. ‘Datafication’ of life means people are continuously generating data through their online and offline activities. Data is often collected with a secondary use in mind which is often unspecified or unknown. People may not be fully aware of the kind of data they generate, how that data is collected, retained, or processed and what the implications of such uses may be. These developments are at odds with the norms underpinning the central role assigned to individual consent for data gathering and use. This raises questions about the adequacy of existing legal mechanisms and safeguards.

Improving the consent model

Current research suggests that there is a considerable gap between the practice of informed consent and its intended goals. Suggestions for improvement and development of the consent model focus on reducing risks and encouraging participation of the individual data subject. How can people have ongoing knowledge, access, control and ownership of their personal data? How can  the individual manage the increasing complexity of the information ecosystem?  Do individuals need greater autonomy in this contractual relationship?

Informed consent and GDPR

Informed consent is one of six legal basis for data processing. Consent is defined in Article 4 (11) of the General Data Protection Regulation (GDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This means that in order to obtain freely given consent, it must be given on a voluntary basis. It must be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed about his or her right to withdraw consent at any given time. The withdrawal must be as easy as giving consent. Where relevant, the data controller also must inform the individual about the use of the data for automated decision-making, the possible risks of data transfers and must ensure adequate safeguards are in place to respect human rights.

Consent in a human rights context

The requirement that consent must be given to use personal data  is linked to the right to self-determination. The need to respect individual and group autonomy is located within the right to self-determination. Respect for individual autonomy underpins international human rights law, given the law’s focus on respecting and fulfilling individual rights and freedoms. This is demonstrated, for example, by the importance attributed to the rights to privacy and freedom of expression. In the context of data processing, an individual’s autonomy ‘should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image […] and also of the “zone of interaction” […] between himself and others. He is the presumed owner of these aspects of his own self’. [1.] To facilitate this autonomy, informational self-determination is a tool to allow the free development of an individual’s personality. This includes interaction with other members of society on a free basis and therefore enables free participation in society without fear of persecution.

Our research

We are looking into how these issues of consent online can be addressed and how we can influence policy to do so. Our aim is to bridge the gap between practice and intended goals of consent online by applying a human rights based approach. In this way we hope to make a practical difference to individuals and the protection of their human rights by any data controller.

It is important to see what practical difference is made to the features of valid consent by this linkage to such a central feature of human rights. To accomplish this HRBDT is working on a consent manifesto that establishes principles for consent online based on human rights. This will be complimented by a variety of academic papers that take a critical lens to the role that consent plays both online and offline and its significance.

 

[1.] Wood v. Commissioner of Police for the Metropolis [2009] EWCA Civ 414, para. 21.

Latest Posts

  • Nov302017

    HRBDT at the 2017 UN Business and Human Rights Forum

    On 27 November 2017, the Human Rights, Big Data and Technology Project, together with the Permanent Mission of the Federal Republic…

    Read more
    HRBDT
  • Sep042017

    HRBDT at the 2017 MyData Conference

    On 30 August 2017, Krisztina Huszti-Orban presented on ‘The Role of Consent in the Collection, Retention, Processing and Sharing of…

    Read more
    HRBDT
  • Jan302017

    HRBDT at the 2017 Computers, Data Protection and Privacy Conference

    On 26 January 2017, Pete Fussey spoke on a panel on ‘AI, Ethics and Privacy’, organised by the 4TU.Centre for…

    Read more
    HRBDT
  • Nov162016

    Human Rights in the Digital Age: The Perils of Big Data and Technology (Part II)

    Editor’s note: This post forms part of a larger series addressing key issues related to human rights, technology and big data.  Last…

    Read more
    HRBDT

Researchers

Publications

Publications

    Our Partners

    Queen Mary University of London
    University of Cambridge
    Eye Witness Media
    Universal Rights Group
    World Health Organisation
    Geneva Academy