Last week, I took part in this side event at the Human Rights Council’s 37th ordinary session called, “Digital identity, smart cities, and other data intensive systems: the implications for the right to privacy”.
It was held at the Palais de Nations in Geneva, Switzerland, with attendees including representatives from a number of permanent missions to the United Nations, like Brazil, Germany, and Austria, which are all members of the Privacy in the Digital Age Core Group.
The event’s principal organizers were Privacy International and the Association for Progressive Communications (APC). Our group, Foundation for Media Alternatives, works regularly with both. We are, in fact, a member of APC, and we are also part of this so-called Privacy International Network.
The thrust of the forum was simple: a lot of government initiatives today involve policies and technologies that rely heavily on data. They include the development of smart cities, national ID systems, device/SIM card registration systems, and the use of big data analytics. Unfortunately, these advancements are marked by problems such as their lack of transparency and accountability mechanisms, adequate implementing policies, the availability of or access to remedies, and proper measures to inform the public as to how they actually work. These, in turn, give rise to secondary issues: (1) use of data to profile individuals, leading to discrimination (and even oppression, in some cases); (2) increase in the surveillance of individuals, including activists and journalists; and (3) exposure of certain populations to further risks after their identities are revealed. The event offered a venue for discussing these matters to the government representatives and civil society members in attendance.
Our panel was composed mainly of non-government organizations. With Deborah Brown of APC as moderator, my co-speakers were colleagues from the Digital Asia Hub (Malavika Jayaram), Privacy International (Francisco Vera), and Fundacíon Karisma (Juan Diego Castañeda). Rounding up our group was the UN Special Rapporteur on the Right to Privacy, Joseph Cannataci.
After some brief opening remarks from the Permanent Representatives of Germany and Brazil, Deborah turned the floor over to Malavika who discussed how biometric identity systems are currently being used here in Asia, and their implications on the right to privacy. Such systems are gradually being introduced across the region, presumably to provide various public services.
She was followed by Francisco whose task was to speak on the impact of smart cities on privacy and prevailing social inequalities. This recent fascination with so-called smart cities is supposedly driven by the desire of proponents to improve efficiency, sustainability, and security in both the public and private sectors.
Juan Diego, meanwhile, aired his organization’s concerns regarding the Colombian government’s plans to utilize big data for its own purposes. It was in 2016 that the government announced its efforts to design such a strategy. Last year, the draft of the strategy was published and disclosed to the public.
And then it was my turn to speak about our government’s plan to adopt a mandatory SIM card registration system. I was asked to elaborate on the impact of this proposal on the privacy rights of Filipinos, and then discuss any steps or solutions that I felt should be taken to address our concerns.
As the last speaker, the UN Special Rapporteur had the unenviable task of responding to the issues raised by all of us who preceded him. He was also asked to discuss his work briefly, and what steps he has taken, if any, to address the concerns that were brought up.
Afterwards, several questions were fielded by the audience. Quite a number revolved around one particular issue: how to keep using data intensive systems—given the benefits they offer—while making sure that they do not violate the people’s right to privacy.
In addressing the questions raised and as a part of my own talking points, I offered two suggestions that I think are relevant when dealing with data intensive systems:
The government should always provide a proper discussion forum. There has to be a time and place where all relevant issues about each system are taken up: Is it really necessary to address or solve the problems it is meant to solve? If it is, is it the best one available? If it has negative implications, what will be done in order to prevent or at least minimize such impact? These are questions that need to be answered before the system is adopted, and not after. Yes, the right to privacy is not absolute, but there is always that responsibility to make sure that whatever measure is being proposed, it should be the last resort and the least intrusive means possible.
If the decision is to adopt a data intensive system, make it compliant with international standards on data protection. A privacy by design approach should be adopted. We have all these data protection or data privacy principles that ought to be integrated by default into each data intensive system. For instance, collection should be transparent. The system should only collect those information necessary for its purposes. It should only be used for legitimate purposes. And then, of course, there is the responsibility of ensuring the security of all collected data.
As Filipinos, the consequences of not taking these suggestions seriously are grave and should not be hard to fathom. We have the 2016 COMELEC data breach to look back to. There, we had a data processing system that involved millions of personal data, with little to no safeguards in place. Many factors may have led to that incident, but not having the appropriate debates to tackle its vulnerabilities and potential threats was certainly one of them. Also, by now, that system’s failure to comply with our data privacy law is already a foregone conclusion. As part of the affected population, we owe it to ourselves to not let that happen again.
This article first appeared on GMA News Online on March 13, 2018 10:03 pm.