Second Dialogue on Data Collection
The second dialogue of the Road to Bern via Geneva initiative entitled ‘Protecting data against vulnerabilities: Questions of trust security and privacy of data’ was held online on 22 April 2020. The event was organised by the Permanent Mission of Switzerland to the UN in Geneva and the Geneva Internet Platform (GIP), and was co-hosted by the International Committee of the Red Cross (ICRC) and World Intellectual Property Organization (WIPO).
In his introductory remarks Amb. Jean-Pierre Reymond, Chargé de Mission, Head of Innovation Partnerships, Permanent Mission of Switzerland in Geneva, noted that the World Data Forum in Bern is a good opportunity to discuss the use of datasets and official statistics to decisively foster sustainable development goals (SDGs) implementation. The Road to Bern via Geneva dialogues aim to bring contributions of Geneva and the international community in Geneva to the Forum by identifying challenges and solutions regarding the entire data cycle through four dialogues on: data collection, data protection, data sharing, and data use.
On mapping possible contributions to the Data Forum, Amb. Reymond highlighted five key points:
Francis Gurry, Director General, World Intellectual Property Organization (WIPO) talked of the security, privacy, and property aspects of data governance. He noted that data is integral to economic production and distribution, as well as in the production and distribution of cultural works, and social and political communication. These trends are only being reinforced by regulatory measures being put into place to contain the Coronavirus: there is an increase in economic production and distribution in the virtual mode, increased reliance on cultural works, and most social and political discourse takes place virtually.
Without data security, we can have no trust in the digital economy and society. One of the prime policy challenges in the field of security and data is the entanglement of military intelligence and economic activities. Gurry defined privacy as Samuel Warren and Louis Brandeis did in The Right to Privacy - as the ‘the right to be left alone’. He further noted that since Warren and Brandeis, there has been a massive increase in opportunities to invade privacy and the technological means and business models that can invade privacy. On property, Gurry highlighted that existing legal frameworks protect trade secrets. However, this borders on the abuse of the relationship; and there are many economic and social relationships which depend on the trust in the protection of confidential data. An international initiative is needed to define the parameters and limits of this area. The question of property rights in relation to data - that is, who gets the value added from data - remains to be answered in the future.
Dennis Murathaty, Chief Security Officer, WIPO, presented data protection challenges that apply to the field of intellectual property. Using the example of the Patent Cooperation Treaty (PCT) filing process, Murathaty underscored organisations’ need to address data protection beyond just privacy concerns. Organisations must have the ability to (a) continuously assess data protection attributes relevant to their business, (b) implement corresponding measures in response to the rapidly changing cyber-threat environment, (c) maintain data protection throughout the data lifecycle.
Vincent Cassard, Deputy Head, Data Protection Office, International Committee of the Red Cross (ICRC) spoke about the implementation of personal data protection in the humanitarian context. The first big challenge for the ICRC is responsible data sharing, and the key question is anonymisation of the data. The second challenge is the use of biometric data, and the ICRC uses it in a limited manner based on risk analysis, in cases such as recovery of missing people, dead people, tracing of family members separated by conflicts, etc. The third challenge is cloud computing, the ICRC wants to avoid the loss of privileges and immunity of personal data that comes with cloud computing processes.
Christine Adam, Division Head, Office of the Legal Counsel, Office of Legal Affairs, International Organization for Migration, posed the question: are the existing data protection legislations and policies sufficient to address technological digital advances? One school of thought thinks we need new legislation for these technologies, but as more technologies emerge, this might bring forth the proliferation of technology-specific legislation and cause fragmentation of law. Additionally, the level of ethical considerations to be included in those regulations is unclear. The other school of thought says that the existing legislation already encompasses new advances. This broad approach generally works fine, Adam noted.
She also underlined cloud computing as a challenge, noting that there are two causes of concern: (a) the level of control over the data in the cloud, (b) the absence of transparency with regards to data processing by cloud computing service providers. Cloud computing service providers may process data in different countries, and this might cause data to lose its status of privileges and immunities. Data also may be intercepted while in transit. Additionally, states and law enforcement authorities might access the data of international organisations illegally. She noted that international organisations have the obligation to protect their beneficiaries as they are better versed in these issues. She concluded that data protection considerations must accompany new technologies.
Behind every piece of data the World Food Programme (WFP) collects is a person, Enrica Porcari, Chief Information Officer and Director of Technology UN World Food Programme stressed. She noted that a balance between efficiency (collecting, storing, sharing, using, type of data) and effectiveness (what type of data helps explain the context) in field operations must be struck. A balance between privacy and providing people with tools and opportunities to participate in social and economic inclusion is also necessary. Porcari highlighted that data can be a tool for inclusion; and noted that connectivity can be a tool for inclusion and self-assertiveness. Beneficiaries want to become active members of this discourse, not just individuals whose data is collected. However, in many contexts, Internet connectivity is enabled by a private company and users already give away a huge amount of data. The question arises how to strike a balance between the efficiency of interactions and the risks of platforms collecting our data.
Regina Scartazzini Ditsch, Legal Service Unit, Swiss Statistics Office, spoke about balancing between disclosing as much (detailed) information as possible and ensuring data protection - in particular statistical confidentiality - completely. Data aggregation is not a guarantee to ensure data protection, because as technology gets more elaborate, it can allow the identification of an individual by linking different datasets.
Balthasar Staehelin, Deputy Director-General, the International Committee of the Red Cross (ICRC) stated that many roads can lead to Bern; yet beyond the destination, travelling from Geneva is unique as Geneva offers its unique perspective. Many international organisations (IOs) face similar tech-related challenges regardless of their mandate and focus. They should all ensure that people are at the centre of any tech-related conversation. Maintaining trust of the people is crucial in the digital age for all institutions. Trust is the most precious commodity, and it is not easy to gain but it is easy to lose it, it comes by foot but can leave rapidly on horseback. The two fundamental components of trust are humanity and inclusiveness. These values, which are values the Geneva ecosystem was built upon, must be preserved as they are critical in the digital age.
Data responsibility and data protection are crucial for the resilience and legitimacy of humanitarian action. Data responsibility and data protection are about individuals’ dignity when processing their information, being accountable to populations, and enabling the agency of individuals. Staehlin noted that all stakeholders should translate data responsibility into concrete standards and best practices. Additionally, they should make sure that the use of new technologies do not further expose or cause harm to individuals, by deploying them after implementing data protection measures and impact assessment. The governments and the private sector have to play their respective role for the development of safeguards and ethical review processes to ensure technologies do not create additional vulnerabilities and harm. New models of partnerships are needed, allowing stakeholders who use new technologies to achieve sustainable development goals (SDGs) to do so with the highest security and privacy standards in place.
Paul-Olivier Dehaye, Director, PersonalData.IO spoke about the handling of data during the COVID-19 epidemic.The first round were medical responses, followed by social and then digital responses caused by the virus. Dehaye explained how smartphone Bluetooth contact tracing apps work, noting that the apps record close interactions that might have led to an infection. These records are saved as ‘tokens.’ The main question is who should get the value behind these 'tokens'; more specific questions include who should control these tokens, how will they get shared with other parties, how will they get processed, and what kind of computation is possible. Dehaye noted the tech giants require states to validate the use of apps, but states might not be the ones that have the most legitimacy to make this decision. He also noted that the questions of immunity passports and how they will be issued are crucial. He also stressed that data is only a reflection of reality and it is systematically imperfect, and that we should therefore be aware of uncertainties in data. He concluded by remarking that if states try to compete with digital platforms and try to go digital themselves, they will lose; unless they act in solidarity against platforms’ will being imposed on them.
Jean Yves Art, Senior Director, Strategic Partnerships, Microsoft, underlined that data sharing can help address societal issues and SDGs, but it must be shared in a safe and secure way. Speaking of technological developments, he noted that encryption works well to protect data, but encrypted data is hard to use and process. However, technical solutions have been developed to protect data while it is being processed in the cloud. Another approach is federated learning, which is to leave data on the devices and push the technology solutions to where the data is. Next, Art noted that many organisational measures that enable data protection while enabling its processing are in place. One of those is the hybrid cloud model, where data is kept on the premise and cloud computing is used for less sensitive applications. Another approach is the dedicated host approach, where certain servers in data centres are dedicated to a certain organisation which can then choose its own data policies. Speaking about legal measures, Art warned that if an IO goes into the cloud computing model, the data is no longer in the hands of the IO, but in the hands of the cloud service provider, therefore raising the questions of the immunities and privileges of the data. There are things that can be done to make sure that data keeps its privileges and immunities: IOs can specify that inviolability of the data extends to the digital environment wherever and by whomever the IO’s data is held; and this provision can be cemented by an agreement between the cloud service provider and the IO on the obligation of the service provider not to disclose the data to third parties unless the data owner IOinstructs it to do so. Another solution Art has put forward is bilateral agreements between Switzerland and other countries that host servers where IO data is stored.
Humans must be put back at the centre and any data protection solutions that are provided must be human and people-centric, stressed Sophie Kwasny, Head of the Data Protection Unit of the Council of Europe. Kwasny underlined that some of the core data principles that were drafted decades ago are still relevant, such as the definition of personal data in Convention 108, but also noted that the present and future digital environment must be taken into context. The right to data protection has changed, she noted, as we are already in the third generation of data protection, which was addressed in Convention 108+. Kwasny warned that biometric data is now classified as sensitive data, and pushing digital identities solutions based on biometric data in parts of the world that do not have data protection laws and authorities is a problem that awaits solution. Data flows need to be facilitated in a secure manner, ensuring that the level of protection afforded is the same. For this, more data protection laws based on common principles are needed. This is what Convention 108 was built for, and it can be used as a common basis that can be built upon as it has global reach and already gathers European, African, and Latin American countries and continues to expand.
Jonas Belina, Diplomatic Officer, Humanitarian Policy, Human Security Division, Swiss Federal Department of Foreign Affairs briefly presented the Humanitarian Data and Trust Initiative for the protection and responsible use of humanitarian data. The aim of the initiative is to connect technological expertise with policy research to drive and catalyse collective action of humanitarian organisations, states, and academia. Specific aims of the initiative are: (a) accelerating the responsible deployment of technology, so that data technology can be adopted; (b) minimising risks of vulnerable people stemming from potential misuse of technology in the humanitarian sector, and access to humanitarian data by third parties who abuse it; (c) developing principles and building consensus among participating states and humanitarian organisations about processing of data that is collected.
Jovan Kurbalija, Founding Director of DiploFoundation and Head of the Geneva Internet Platform (GIP), opened the third session of the second Road to Bern dialogue by briefly presenting a comparative survey of 32 data protection and privacy policies undertaken by the GIP team. Out of 32 documents mapped, 14 are from Geneva-based organisations and 17 are data privacy and protection specific. Data protection principles that show up in these documents are: purpose (of collecting, sharing, using data), security, fairness, lawfulness, confidentiality, proportionality, transparency, and privacy.
Kurbalija pointed out that most participants have indicated their support for fostering the development of principles of data governance by bringing in the Geneva-angle and sharing data policies of international organisations (IOs).
Alica Daly, Senior Policy Officer on Artificial Intelligence and Data, World Intellectual Property Organization (WIPO), noted that the Convention 108 is a good place to start in terms of what the Geneva ecosystem can bring into principles for data protection and overall data governance. She also noted that balancing data access and data protection, as well as balancing data collection and data protection could also be brought into the principles.
Yannick Heiniger, Partnerships Manager, International Committee of the Red Cross (ICRC) noted that data protection should not be reduced to only legal or technical measures. Alongside organisational measures, they are part of the same data protection framework. Technology is a tool, not the end of the societal conversation. There are existing legal frameworks that we need to reinforce, such as the Council of Europe’s (CoE) Convention 108. Building on the reflections of Staehlin, Heininger warned that while there is a space of collaboration between IOs; new models of engagement, accountability, and a new framework for funding are needed.
Distilling for Bern:
The second dialogue built on the five sets of questions initiated during the first Road to Bern...via Geneva dialogue: (a) the principles of data governance, (b) the creation of a sandbox for data collection, (c) the adjustment of existing data policies, (d) the need for the creation of a ‘UN Data one-stop shop’, (e) the focus on capacity development. In addition to these issues, the Second Dialogue highlighted the four following points:
- The need to specifically confirm data protection immunity on data used and held by IOs.
- The importance of leveraging Geneva’s multi-stakeholder dynamics to ensure inclusive data protection discussions.
- The importance of using existing legal and policy instruments to address arising concerns regarding data protection (e.g. the importance of adopting instruments such as CoE’s Convention 108)?
- The need for a holistic and balanced approach in addressing various aspects of data governance: namely avoiding data protection regulation only for a specific aspect, such as trade rules, cybersecurity or human rights.
In response to the points above, the participants have put forth a set of recommendations focusing on Geneva’s specific role in ensuring data protection and possible contributions to the upcoming UN World Data Forum (October 2020 in Bern). The following elements were mentioned:
- Data protection should not be regarded as a mere technical or legal issue: it relates to human dignity and enjoyment of human rights.
- Data protection is context specific: non-emergency and emergency situations (e.g. humanitarian and outbreak situations) need to be addressed differently. Different contexts require different needs, therefore entail different data protection principles.
- Geneva can bring its multistakeholder approach and dynamics to Bern: the private sector and civil society need to play a role in adopting data protection rules and developing a common understanding of what data protection is.
- The private sector and civil society need to be included in existing UN open data groups to tighten digital co-operation and co-ordination across different sectors. Moreover, vulnerable communities’ voices and representation is essential to build trust when devising policies, norms, and standards.
- Once a shared understanding of data protection is established, the specific responsibility of each actor needs to be determined.
- Incentives for the private sector need to be created and promoted to ensure increased interoperability and harmonisation among technical sectors; an example could be publishing and sharing standard machine-readable data and codes.
- The Geneva environment and the Permanent Missions in Geneva in particular can play a crucial role in amplifying the focus on legal frameworks and immunity principles of data as well as strengthening technical work on datasets.
- The discussion at the UN World Data Forum in Bern should include civil society and the private sector, not only the statistical community.
- Current legal frameworks are very relevant for privacy, human rights, and data protection: there is no need to ‘reinvent the wheel’, the aim is to ensure different actors use the same regulations on data protection (e.g. the importance of adopting instruments such as CoE’s Convention 108).