Data and Control: Protecting Rights, Protecting People

Long Read
Data protection

To celebrate International Data Privacy Day (28 January), PI and its International Network have shared a full week of stories and research, exploring how countries are addressing data governance in light of innovations in technology and policy, and implications for the security and privacy of individuals.

At the core of data protection debates, there is a power play between empowering individuals to control their data and empowering those who use (or want to) use their data.

By regulating data processing it provides avenues for individuals to exercise their rights if there is any unlawful interference in this power play.

If there is no regulation, or if it is weak, inefficient or abused, personal data turns into yet another mechanism for those in power to exert and retain control of our data, and ultimately many aspects of our lives.

In the face of powerful actors, including the state, the private sector and other entities, people might feel powerless and feel a degree of resignation about how their data might be used and indeed misused. As individuals, we are being increasingly embedded, by design — not by choice — into ever-more data-intensive systems, be it the obligations to be enrolled in a mass biometric identification system to access welfare services, through to facing increased scrutiny of your identity to access from financial services.

But data protection, if well-regulated and enforced, can give us power and protection. A few days ago, as we celebrated Data Privacy Day 2018, we welcomed the fact that there are now 126 countries worldwide which have comprehensive data protection laws.

Unfortunately, the reality of the current legal and regulatory frameworks, as explored by the Privacy International Network, tells a different story. There are still many countries across the world that have yet to adopt comprehensive data protection frameworks and of the 126 that have one, many experience challenges with upholding and enforcing the highest data protection standards and need to be reformed. The majority of countries that are yet to adopt or improve their data protection frameworks are having to do so in a context of weak democratic institutions and limited rule of law, and yet they are the biggest consumers, adopters and testers of innovations in technology and policy.

Governments and private companies alike tend to frame regulation of their data intensive activities as impediments and burdens to their businesses and their profits. Any meaningful restriction to those activities tend to be portrayed as an unnecessary obstacle to achieving economic development, stability and order, or even national security. Protecting our rights over our data has yet to make it to the top of their priorities. Maybe some day.

Countries such as Argentina, India and Pakistan manage some of the largest biometric databases in the world. Others like Paraguay and Chile are implementing biometric border management systems, and Lebanon is starting to implement a smart city programme. These are only some of the many examples we have been documenting.

Yet, only half of these countries have comprehensive data protection frameworks. The other half need to urgently reform their legislation, as they fail to comply with basic data protection and privacy standards.

As outlined in various research produced by the Privacy International Network and showcased this week, there is a need to initiate legislative processes to adopt comprehensive data protection frameworks, and to reform those that already exist.

Laying Down The Foundation For Reform

Research conducted by TEDIC into nine public databases revealed that public servants in Paraguay have a poor understanding about the processing of their personal data and the measures they should be taking to protect that data. Such findings call into question the effectiveness of Paraguay’s legislation on data protection and support the need for reform to address its many loopholes.

Similarly, there is a need for reform in Chile and Argentina, both countries that have data protection laws. Research by Derechos Digitales and the Asociación por los Derechos Civiles illustrates how each respective legal framework is outdated and ill-equipped to face current and emerging data protection and privacy issues, such as the use of biometric technology and drones. This means that they are failing to provide the necessary protections to guarantee and secure individuals’ power to control their data. On the contrary, the half-hearted effort actually puts people at risk, as they are encouraged to trust in a flawed system to protect them.


Preparing For A Legislative Process

In research produced by SMEX about the current legal and policy landscape on data protection in Lebanon, they reveal that the personal data of Lebanon citizens is vulnerable to being unlawfully accessed and leaked due to the absence of a comprehensive data protection law, which would impose obligations on data processors and controllers. Currently there is little or no recourse for the victims of those data breaches and leaks.

The Centre for Internet and Society (CIS) has been at the forefront of the data protection debate in India, working for almost a decade to inform policy-makers of the need for such a law in India. With its population of 1 billion people, the Indian government has created the largest biometric database — Aadhaar — in the world. In addition to exploring issues around Aadhaar, CIS has been re-thinking, questioning and exploring internationally recognised data protection principles to understand their potential and limitations for the Indian context.

Similarly, in Pakistan, where discussions for a data protection law have been long running, Bytes for All (B4A) has been exploring the main privacy and data protection issues such as biometrics, particularly in relation to the National Database & Registration Authority (NADRA). Similar to the situation in India, civil society organisations in Pakistan have been considering what the best regulatory mechanisms would be.

Escalating Our Work To New Spaces

Over the course of our work with our international network on data-intensive systems, Privacy International also engaged with stakeholders, nationally and internationally, around the question of data protection across the world. We raised awareness about the need for the above subjects to be addressed as human rights issues by attempting to integrate them within the UN human rights monitoring mechanisms such as the Universal Periodic Review under the ambit of the Human Rights Council as well as the Human Rights Committee which oversees the implementation of the International Covenant on Civil and Political Rights. In 2017 we welcomed the recommendations made by the Human Rights Committee that Pakistan should adopt a comprehensive data protection law in line with international standards.

We also engaged with the national data protection authorities on reform of the law in Argentina and mechanisms for effective enforcement in The Philippines. In countries like Brazil, Uganda and Indonesia we have been engaging with CSOs to advocate for the adoption of data protection laws that are currently absent. Recognising the role of international entities and regulators, we have also monitored and where possible engaged with the work of the Council of Europe, the Association of Francophone Data Protection Authorities as well as the 39th International Conference of Data Protection and Privacy Commissioners.

The diverse work carried out by PI and our international network of partners highlight a wide range of urgent reforms that are needed in existing regulatory and legal frameworks on data protection, and indeed highlight the need for protections to be introduced where there are currently none — all to ensure that the individual can retain control of their data.

For further information on the State of Privacy across the world, we invite you to refer to the collaborative research project produced by the Privacy International Network.