On the occasion of Data Protection Day 2021, this post explores what the future of data protection could look like. But let’s start with: what is data protection?
Data protection: we have all heard of it but it is not always clear what it means or why it matters.
Data protection is about making sure that your information is safe online. It is ensuring that you know who is seeing it and why, and that you keep control of it. As we are often forced to share more of our data online, some governments have protected that data through legislation. In 2020, we saw Brazil finally starting to apply its data protection law after years of work by civil society and academics.
And while the level of protection is growing globally, the gaps that remain are exposing us to abuse and misuse of our information. Here are just few examples of the unacceptable abuses of our privacy and data in 2020:
- Companies using phone location data to track and spy on Black Lives Matter protesters;
- Amazon abusing our shopping data to crush the competition — small businesses;
- The World Food Program collecting migrants’ biometric data, requiring refugees to hand it over to “buy” food in camps in Jordan;
- Easyjet exposing the data of 9 million customers in Europe in a massive data breach; and
- The São Paulo Metro operator in Brazil scanning crowds and turning commuters into guinea pigs for facial recognition technology, to test a new emotion and gender “detection” tool.
We don’t want abuses like these to be the norm, making the future of data protection a digital dystopia. Privacy is a cornerstone of human rights in the digital age. When we fail to protect data, it hurts everyone — including when our personal information is used to target disinformation campaigns that damage our democracies. Abuse of our data especially hurts those of us who are under-served, such as those living in poverty, people with disabilities, or migrants, or specifically targeted for discrimination and abuse, like people of color, people in religious minority groups, and members of the LGBT community, among others.
The bottom line: as long companies freely exploit our data for profit, and governments get access to the information in ways that do not comport with international human rights principles and standards, we must stand up and fight for our privacy and data protection rights.
But instead of reliving 2020 (no thanks!), we want to explore how data protection could evolve around the world in 2021. We have identified five key issues that will be making headlines this year. These are things we must keep an eye on to defend the right to privacy and protect our personal data.
1. Governments and companies will use immunity passports and tracing apps in their response to COVID-19
We said we weren’t going to talk about 2020. But sadly, we do have to talk about COVID-19. In response to the pandemic, many governments are using or proposing the use of exposure notification and contact tracing applications to track who may have been infected. During a global public health crisis, the question is not whether governments will use our health data to fight the pandemic but how it will be done.
Putting aside several hiccups in the planning and roll-out of digital tools for fighting COVID-19, governments must take action to protect our data, now and in the future. Despite the warnings of privacy advocates, some governments, like Bahrain, have turned COVID-19 technology into spying tools. In Hungary, the government passed emergency legislation to suspend the application of some data protection rights. More recently, Singapore made the shocking announcement that law enforcement would use data from the TraceTogether COVID-app used by 80 percent of the population.
Make no mistake: these are blatant privacy abuses. They disregard the recommendations of data protection regulators and privacy experts around the world. Early in 2020, Access Now developed guidance to help governments develop these tools with safeguards to protect people’s health data and strictly limit the sharing or reuse of information related COVID-19. One year later, we are disappointed to see what were fully predictable mistakes and abuses.
In 2021, we expect to see the debate heat up on the use of so-called immunity passports. As vaccines are distributed worldwide, governments are considering asking people to use a digital document to prove “immunity” to COVID-19. The concept of the immunity passport was originally to identify who had already been infected and would therefore have some measure of immunity. Now it has morphed into a digital receipt of a vaccination. In either case, schemes like this risk exposure of people’s private health data and discrimination. There is no definitive scientific evidence to show these passports will keep anyone any safer from infection. But we nevertheless anticipate discussion about how they might work. It includes exploring questions like how long such “passports” would be valid, what information should be included in it, and what standards should apply to their creation and use.
2. Countries will promote data sovereignty
Wondering what “data sovereignty” means? Don’t worry, we are too. Yet it’s set to become a data protection buzzword in 2021. In general, when policy-makers talk about technological sovereignty, it is often in response to the actions of US tech giants like Google or Facebook, whose decisions impact people all around the world and make some governments feel powerless. So data sovereignty could be a good idea then, right? Potentially, yes; when it comes to protecting privacy and data, ending the world’s dependence on Big Tech could be a positive development. It would also be good if the discussion on sovereignty resulted in shared efforts to build infrastructure and services that are decentralised, secure, and protect people’s rights by default.
But it is clear that it is not exactly what most governments have in mind. In fact, for many years, countries like China or Russia have been using the term “sovereignty” to counter the notion of an “internet governance” model that is global, open, and free. In keeping with their efforts to maintain close control of citizens’ data, the objective of these countries is not to protect people’s privacy but to solidify power and perpetrate human rights abuses.
Let’s take a look at countries in Europe or Latin America, for instance. The EU and Chile have been working to build “sovereign” or “national” data clouds. This could enable regional companies and public authorities to stop depending on Amazon Web Services or Microsoft Azure. However, the EU has announced that Palantir — a US company known for its dreadful human rights track record — would help build GAIA X, the EU Cloud project. That’s not necessarily a positive step.
3. Regulators will look jointly at data protection and competition to rein in Big Tech
It’s safe to assume that in 2021, behavioural advertising will remain a primary source of revenue and driver of online content, so we expect to see policy on data protection and competition/antitrust to overlap more. For those of you who’ve been following the debate on data policy for years, this is not a groundbreaking prediction. Competition authorities around the world have increasingly looked into how large companies’ data collection practices influence their power and potential to abuse their market position. During a landmark antitrust hearing held in the US in 2020, nearly every question members of Congress asked Google, Amazon, Facebook, and Apple was about their market power and data. How much data do you have? Do you use your web tracking capabilities to identify and crush the competition? Do you access and use the data of sellers on your platform to your advantage? And so on.
In the quest for a sustainable tech environment, we should see data protection and competition as two sides of the same coin. If lawmakers continue to let companies harvest our personal data with little restraint, it not only negatively impacts our rights but also reinforces these companies’ power. To avoid concentrating power and harming rights, competition authorities must work closely with data protection authorities and experts when evaluating mergers.
As Google is acquiring FitBit, it will also get a trove of health data, albeit with some conditions on its use. These conditions are not sufficient to protect people’s information. Facebook famously promised not to share WhatsApp data when it acquired it in 2014, but it broke this promise in 2016, and there are negative repercussions to this day. As companies abuse our personal data to consolidate power, lawmakers must develop solutions that put people back in control of their information and prevent this repeated pattern of harmful exploitation.
4. Governments will have to conduct surveillance reforms to ensure sustainable international data transfers
As companies operate globally, they rely on legal mechanisms to be able to move personal data while still protecting people’s rights. In 2020, the US lost its main mechanism that allowed companies to move data from the EU to the US. The EU’s highest Court struck down the so-called Privacy Shield for failing to provide adequate safeguards for the rights to privacy, data protection, and access to remedy (oh, and we told you so every year since 2016). Due to its departure from the EU, a.k.a. Brexit, the UK is about to lose its access to the EU single market and with it the possibility of moving data from the EU.
Both countries are now seeking new data transfers deals with the European Union in 2021. For this to happen, the US and the UK will need to undergo significant surveillance reforms to prevent EU data from being disproportionately accessed by US and UK authorities. Attempts at short-term fixes will merely land us back in the Court of Justice of the European Union with the same result. If these parties are tired of engaging in the Sisyphean task of negotiating (inadequate) data transfers protections, they will finally push for real legislative change.
South Korea will also seek to finalise its data transfer deal with the EU. Both regions came close to an agreement in 2019 but then, well, 2020 happened. A number of Latin American countries may also need to review their existing data transfer deals with the EU, including Argentina and Uruguay. Others such as Chile may start discussions.
As many countries fear the increased scrutiny of courts analysing the validity of these deals, we often hear calls from leaders in G20 or G7 meetings to make data flows a priority. This often translates into a push to have these discussions within the context of trade deals. This must be prevented. Protecting personal data is about protecting human rights. These issues cannot be discussed within trade agreements which only consider the economic value of data and forget the humans behind it. Countries should discuss data transfers measures within frameworks that are designed to protect people’s rights and are provided for under data protection laws.
5. Countries that lack strong data protection laws will take steps to fix that problem
To finish on a positive note, in 2021 we foresee that the following countries will take steps to adopt a comprehensive data protection law:
- The United States
- Tunisia
- More optimism. After joining the Convention 108 on data protection in 2017, we have been expecting Tunisia to advance a modern data protection law. There have been drafts and discussions and we now need to move these forward.
- Ecuador
- The country could be one of the first to adopt a modern data protection law in 2021. Work is underway as we speak and there is still room for improvements.
- India
- It has been a long time coming but India seems to be taking concrete steps toward the adoption of its first data protection law. Read more on why India needs this law here.
The list could go on to include Australia, Paraguay, Bolivia, Costa Rica, and more. Many of these countries have been debating data protection laws for several years now. We hope that 2021 will be the year lawmakers move these discussions forward as global convergence on data protection continues to increase. A key driver of this convergence is the Council of Europe Convention 108 and 108+. It is the only international treaty on data protection. It has been ratified by more than 50 countries around the world. The treaty is turning 40 years old this year and we celebrate its creation every year on January 28. We encourage governments to sign and ratify the Convention 108+ to help advance data protection rights around the world.
Oh, and for any lawmakers wondering where to start when drafting a data protection law: here is our guide.
What’s next?
These are only five of the issues we see trending for the future of data protection in 2021. But there are other issues with a data protection element that are shaping the digital future, from facial recognition to artificial intelligence, telecommunications surveillance, work-place surveillance, the encryption debate, and more. Throughout the year we will strive to keep you updated. Stay tuned!