Developing an online consent manifesto based on human rights.

Data processing is often legitimized without consent being informed, freely given, or specific. ‘Datafication’ of life means people are continuously generating data through their online and offline activities. Data is often collected with a secondary use in mind which is often unspecified or unknown. People may not be fully aware of the kind of data they generate, how that data is collected, retained, or processed and what the implications of such uses may be. These developments are at odds with the norms underpinning the central role assigned to individual consent for data gathering and use. This raises questions about the adequacy of existing legal mechanisms and safeguards.

Improving the consent model

Current research suggests that there is a considerable gap between the practice of informed consent and its intended goals. Suggestions for improvement and development of the consent model focus on reducing risks and encouraging participation of the individual data subject. How can people have ongoing knowledge, access, control and ownership of their personal data? How can  the individual manage the increasing complexity of the information ecosystem?  Do individuals need greater autonomy in this contractual relationship?

Informed consent and GDPR

Informed consent is one of six legal basis for data processing. Consent is defined in Article 4 (11) of the General Data Protection Regulation (GDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This means that in order to obtain freely given consent, it must be given on a voluntary basis. It must be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations. The data subject must also be informed about his or her right to withdraw consent at any given time. The withdrawal must be as easy as giving consent. Where relevant, the data controller also must inform the individual about the use of the data for automated decision-making, the possible risks of data transfers and must ensure adequate safeguards are in place to respect human rights.

Consent in a human rights context

The requirement that consent must be given to use personal data  is linked to the right to self-determination. The need to respect individual and group autonomy is located within the right to self-determination. Respect for individual autonomy underpins international human rights law, given the law’s focus on respecting and fulfilling individual rights and freedoms. This is demonstrated, for example, by the importance attributed to the rights to privacy and freedom of expression. In the context of data processing, an individual’s autonomy ‘should make him – master of all those facts about his own identity, such as his name, health, sexuality, ethnicity, his own image […] and also of the “zone of interaction” […] between himself and others. He is the presumed owner of these aspects of his own self’. [1.] To facilitate this autonomy, informational self-determination is a tool to allow the free development of an individual’s personality. This includes interaction with other members of society on a free basis and therefore enables free participation in society without fear of persecution.

Our research

We are looking into how these issues of consent online can be addressed and how we can influence policy to do so. Our aim is to bridge the gap between practice and intended goals of consent online by applying a human rights based approach. In this way we hope to make a practical difference to individuals and the protection of their human rights by any data controller.

It is important to see what practical difference is made to the features of valid consent by this linkage to such a central feature of human rights. To accomplish this HRBDT is working on a consent manifesto that establishes principles for consent online based on human rights. This will be complimented by a variety of academic papers that take a critical lens to the role that consent plays both online and offline and its significance.


[1.] Wood v. Commissioner of Police for the Metropolis [2009] EWCA Civ 414, para. 21.

Latest Posts

  • Dec012017

    UN Forum on Business and Human Rights 2017 – Addressing Access to Remedy in the Digital Age: Corporate Misconduct in Sharing and Processing Personal Data

    2017 United Nations Forum on Business and Human Rights  Addressing Access To Remedy In The Digital Age: Corporate Misconduct In…

    Read more
  • Nov302017

    HRBDT at the 2017 UN Business and Human Rights Forum

    On 27 November 2017, the Human Rights, Big Data and Technology Project, together with the Permanent Mission of the Federal Republic…

    Read more
  • Sep042017

    HRBDT at the 2017 MyData Conference

    On 30 August 2017, Krisztina Huszti-Orban presented on ‘The Role of Consent in the Collection, Retention, Processing and Sharing of…

    Read more


Our Partners

Queen Mary University of London
University of Cambridge
Eye Witness Media
Universal Rights Group
World Health Organisation
Geneva Academy