Author: Deepika Srivastava, Bharati Vidyapeeth University, Pune

The centrality of personal data in the digital economy has increased concerns about individual control over information, privacy, and dignity. Consent and autonomy are central concepts within data protection frameworks. This paper discusses how autonomy is conceptualized under data protection law, how consent operationalizes autonomy, and how these concepts are reflected in legal regimes at the international and Indian levels. By exploring large‐scale data collection, profiling, algorithmic decision‐making, and behavioural targeting, the paper critically assesses the challenges to providing meaningful autonomy in practice. The study employs a doctrinal approach by reviewing statutory texts, comparative legal frameworks, and scholarly literature. It finds that although the law increasingly recognizes the concept of individual autonomy by means of rights and through consent requirements, there are gaps between formal legal protections and effective, meaningful control in practice. The article concludes by suggesting measures for strengthening autonomy through design, oversight, and structural governance.

Keywords: Consent, Autonomy, Data Protection, Privacy, GDPR, India, Digital Personal Data Protection Act

The digital era has brought a sea change in the way personal information is collected, processed, used, and monetised. Organisations across industries routinely harvest and process personal information to offer services, experiences, advertising, and to efficiently operate. While data-driven innovation holds immense promise, it also raises profound questions about privacy, individual control, and dignity. In response, data protection frameworks around the world identify the twin principles of consent and autonomy as central to protecting individuals in the digital sphere.

The concept of autonomy involves an individual's capability to make free, self-determining choices about his or her personal information. Consent refers to the means whereby the processing may be legitimised by the obtaining of the individual's decision or agreement. In conjunction, these twin concepts have the objective of ensuring that individuals are not passive subjects of data processing but active agents with meaningful control of their personal information.

In practice, however, this ideal is confronted by complex architectures of data flows, profiling, behavioural influences, and design features that reduce genuine choice. The question thus arises: to what extent do existing data protection frameworks succeed in protecting autonomy through consent, and what further measures are required? The paper addresses that question with a particular emphasis on the Indian legal framework alongside global benchmarks.

Data protection involves the protection of data and ensuring the restoration of crucial data in case the data becomes corrupted, compromised, or lost. The main aim of data protection is ensuring that crucial personal data is safe and guarded. This entails a series of techniques and tools that protect data against unauthorised access and data loss.

The data protection mechanism involves a wide range of data protection techniques, including data encryption and data access control systems, as well as data erasure and data management policies related to data availability and data access.

From an organisational point of view, it is imperative to carry out data privacy audits as an essential process in evaluating the treatment of personal information. Furthermore, the application of data lifecycle management best practices, covering data inventory and backup processes, is fundamental in upholding the integrity as well as the security of the data.

The main aims of this study are:

• To investigate the conceptual underpinnings of autonomy and consent within the data protection theory and law.

• The paper's central aim is to evaluate how legal frameworks operationalise consent and autonomy, with specific references to the European Union's General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP Act).

• To explore the challenges facing meaningful autonomy in data processing contexts, from information asymmetries and design manipulations to algorithmic profiling.

• To identify gaps in the existing frameworks regarding the realization of individual autonomy and put forward recommendations for ensuring effective control and agency within the data ecosystem.

This study embodies a qualitative doctrinal research methodology, mainly comprising:

Doctrinal legal analysis: Careful analysis of central legal documents, like the GDPR and the Indian DPDP Act, on how consent and autonomy are defined and regulated.

Comparative legal study: A cross-jurisdictional comparison of the framing of consent and autonomy within the EU and India allows an identification of key convergences and divergences.

Literature review: Systematic review of scholarship in law, human-computer interaction, ethics, and data policy to understand empirical challenges, normative critiques, and proposed reforms.

Critical assessment: Drawing together the lessons above to identify practical barriers to autonomy, and considering further structural and regulatory reforms

Given the scope, the study does not involve empirical fieldwork or data collection; rather, it relies on secondary sources and legal analysis to construct an argument.

 Autonomy

From a normative point of view, autonomy means that individuals can govern themselves, make decisions based on understanding, free from improper external influence, and retain control over matters essential to their lives. In the language of data protection, more often referred to as “informational self-determination”, one would say that it is the right of individuals to decide for themselves when, how, and to what extent their personal information is disclosed (Bordages, 1989; van Kolfschooten, 2024). Autonomy in data protection thus signifies that individuals are not objects of data but rather subjects with dignified decision-making powers.

 Consent

Consent is a mechanism in law that allows individuals to grant permission for the processing of their personal information and is thus an expression of autonomy. Any valid consent must meet the criteria of freely given, specific, informed, unambiguous, and revocable under GDPR Art. 4(11); Art. 7.

The requirement for "clear affirmative action" brings into strong relief that passive or coerced acceptance is inadequate to meet the autonomy standard. There is recognition in the literature that consent needs to be part of an overall rights and protections framework to facilitate autonomy (Manganello, 2020).

European Union: GDPR

Under GDPR, consent is defined in Article 4(11) as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she … signifies agreement to the processing of personal data relating to him or her"

Article 7 also lists requirements: consent needs to be distinguishable from other matters; withdrawal should be easy; and must not be conditional on service provision, under Article 7(4).

The GDPR consequently situates consent within a regime of rights- access, rectification, erasure, portability - and obligations - transparency, accountability - meant to protect autonomy.

General Data Protection  Regulation

General Data Protection Regulation (GDPR) is a European Law which is designed to protect the privacy and security of personal data. It includes all the rules on how to collect, process and store data. It also ensures how to ensure users rights. 

Key components of GDPR are; lawfulness, transparency, purpose limitation, storage limitation, data minimization, security, accountability and data accuracy. 

The Digital Personal Data Protection Act, 2023 received assent on 11 August 2023 in India.

It defines valid consent under Section 6 of the Act as "free, specific, informed, unconditional and unambiguous with a clear affirmative action", adding that the data principal has a right to withdraw consent at any time, which shall be as easy as giving it.

Additionally, the Act introduces the concept of a "Consent Manager"-essentially, a registered intermediary that will allow natural persons to provide, review, and withdraw consent to strengthen autonomy mechanisms.

The DPDP Act therefore reflects international best practices while also meeting unique Indian multilingual contextual needs, such as the requirement for notices in 22 official languages.

India took a major step in protecting digital data privacy. The Government of India has notified The Digital Personal Data Protection Rules 2025, fully operationalising the DPDP Act, 2023. India’s first dedicated law for digital privacy. It means that companies, Governmental departments and digital platforms now have clear rules on how they can collect, store and use personal data of individuals. This law gives important rights for digital users like, ability to give, withdraw, or review consent for data. Some take immediate effect like consent, grievance handling. While more complex obligations including audits and impact assessments for major platforms, will be implemented over months. Special safeguards are in place for children and people with disabilities and the rules also clarify how the data can move across borders. And also in case of any breach platforms must immediately inform both users and the Data Protection Board of India which will function as a fully Digital-First body.  

Shreya Singhal v. Union of India 2015: This is a landmark case which revolves around Section 66A of Information Technology Act, 2000, which states that any person provides any kind of information publicly through the use of internet which is offensive and causing annoyance, danger and obstruction or injury or insult in that case that person will be punished under that law. Shreya Singhal challenged this section by stating that it is violative of Fundamental Right of Speech and Expression under Article 19(1)(a). And the terms used under this law are very arbitrary in nature. 

The Supreme Court held that the whole law is not unconstitutional but used the Doctrine of Severability and held Section 66A of IT Act, 2000 unconstitutional and the words used under this Act are arbitrary and vague. 

The following recommendations come out of the need to bridge formal autonomy protections and genuine control:

1. Privacy-by-Design & Default

As in many areas of modern life, embedding privacy and autonomy in system architecture from the outset can reduce reliance on notice-and-consent alone. Default settings should favour minimal data collection and allow opt-in rather than opt-out models.

2. Simplified, Understandable Notices

Consent interfaces should use clear language, standardized icons, layered disclosures, and localized formats; this is especially important in multilingual contexts such as India. Assurance that the user is aware of what they consent to is essential for autonomy.

3. Granular, Revocable Consent and Real Control Tools

 Data principals must possess genuine capability to withdraw or alter consent with ease. Such tools as dashboards, break-out of processing categories, consent logs, and audit trails enhance transparency and control. The Indian concept of a Consent Manager could operationalize such control. 

4. Addressing Behavioural and Design Influences Dark patterns and manipulative user

interface designs that undermine voluntariness of consent should be monitored and regulated by regulators. This shall include the bans on forced consent, bundling, and making consent a pre-condition for access when unrelated to service. 

5. Algorithmic Transparency and Purpose 

Limitation Autonomy is compromised when there are unforeseen or opaque uses of data. Governance frameworks should, therefore, require algorithmic impact assessments, transparency mechanisms, and limitations on end-uses to ensure that individuals understand and can contest processing. 

6. Robust Enforcement & Institutional Oversight

 Legal articulation should be supported by efficient enforcement. Bodies such as the Data Protection Board in India, and the national Data Protection Authorities in Europe, must have powers, resources, and independence to investigate and impose sanctions on misuse of the consent mechanisms. This is a phased rollout of the Indian DPDP regime and has underlined the requirement for timely and effective implementation.

7. Digital Literacy and Empowerment 

Meaningful choice is enhanced when individuals are empowered through education about data rights, consent implications, and digital autonomy. Literacy initiatives can reduce information asymmetries and strengthen autonomy in practice. 

The twin principles of consent and autonomy form the bedrock for modern data protection frameworks. It is autonomy that ensures dignity and self‐determination on the part of the individual when faced with pervasive data processing; consent then becomes a means to operationalize the same, providing an avenue through which an individual can authorise and control processing of their personal information. Legal regimes like the GDPR and India’s DPDP Act embed these values into a rights‐ and obligations‐based framework aimed at protecting autonomy. In practice, however, autonomy remains a mirage. Users experience information overload, power imbalances, design manipulations, algorithmic complexity, and weak enforcement. Consent in many digital contexts is becoming symbolic rather than substantive. 

To really safeguard autonomy, regulatory frameworks need to go beyond the formalism of consent and embed structural, technical, and institutional safeguards. Privacy-by-design, simpler notices, granular consent tools, regulation of dark patterns, algorithmic transparency, and robust enforcement all form part of the solution. In the Indian context, the DPDP Act is a promising step-evidenced by explicit consent criteria, multilingual notice requirements, and innovative Consent Manager mechanisms-yet subject to implementation timelines, resource constraints, and evolving processing practices. Ultimately, meaningful autonomy in a data-driven era requires human-centeredness at its core-data protection frameworks must recognize individual rights, but in function, make them real. If privacy is to remain not just a right on paper but a lived reality, the balance between data innovation and individual agency must be kept.

• DPO-India Blog. (2024, January xx). Consent Management under India’s DPDP Act: Best Practices for Organisations. DPO-India. https://www.dpo-india.com/Blogs/consent-management-india-dpdp-act/

• Krog, [Initials]. (2024, April xx). Understanding the deontic logic of GDPR consent & autonomy. LinkedIn. https://www.linkedin.com/pulse/understanding-deontic-logic-gdpr-consent-autonomous-legal-krog-96dhfManganello, G. (2020).

• Consent and the illusion of autonomy in EU data protection (Master’s Thesis). LIACS. https://theses.liacs.nl/pdf/2019-2020-ManganelloG.pdf

• Simple Analytics. (2022, December 12). GDPR 101: When is consent valid? https://www.simpleanalytics.com/blog/gdpr-101-when-is-consent-valid

• van Kolfschooten, H. B. (2024). A health-conformant reading of the GDPR’s right not to be (fully) informed. PMC (National Center for Biotechnology Information). https://www.ncbi.nlm.nih.gov/articles/PMC11347939/

• “Digital Personal Data Protection Act, 2023.” (2023). The Gazette of India. Retrieved from https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

• “General Data Protection Regulation.” (2016). EU Regulation 2016/679. Retrieved from https://gdpr-info.eu/art-4-gdpr/