Q&A: Considering human rights in data management and protection

17 Feb 2017

Dr John Lannon, lecturer at University of Limerick. Image: Alan Place

We picked the brain of Dr John Lannon – an ICT professional turned human rights researcher – to find out how data management can best consider citizens’ right to privacy.

Dr John Lannon has had an interesting career journey that brought him from IT and software to electronics engineering, followed by peace and development studies, and, now, researching information management in the non-profit sector.

Lannon ended his 15-year career in private business when he took the decision to devote more time and energy – and his acquired technical expertise – to human rights activism. Since then, he has worked on a number of information management and ICT projects in the areas of international development and human rights protection, including a feasibility study for a missing child alert system to tackle cross-border trafficking in South Asia.

Later, Lannon joined the Centre for Project Management at the University of Limerick, where his current teaching and research interests cover knowledge and information management, human rights and development practice, and the use of social media for social good.

Do you see a privacy disaster on the horizon as cloud storage becomes more common?

When it comes to cloud storage, data privacy is in the hands of a third-party service provider. In reality, these are no guarantee of security or of privacy, but cloud services that provide encryption or other security tools to keep data safe are generally preferred.

The encryption schemes vary. For example, some encryption processes take place locally before uploading to the cloud, so the storage provider should not know what is being stored with them. In other cases, there is a trade-off between security, speed and massive storage. And, very often, even with many of the big names in cloud storage, encryption is not an option.

It is important for cloud storage users to understand the storage service provider’s privacy policy. Some say they will only examine stored data if they have reason to believe it includes illegal or copyrighted material, or if law enforcement authorities request access. And, in most cases, they will insist on a court order before investigating or turning data over to the authorities.

In other cases, the storage provider may not be so quick to hand access to data to the authorities. In the United States, for example, at least nine police investigations were blocked by Apple’s privacy policy in 2013, prompting the authorities to consider a blanket ban on any device that cannot be accessed by the police, albeit after authorisation by a judge. This wasn’t the first time the US government tried to limit the use of powerful encrypting tools. But it is symptomatic of a worrying trend that undermines the privacy that individuals should be able to enjoy.

The use of any online or cloud-based service that stores records of a user’s actions has privacy implications. Criminals intent on gaining unauthorised access to data can do so regardless of where the data is stored. Businesses that offer a degree of personal privacy can still profit from every online interaction with their services (for example, using cookies and local shared objects or via location information collected by a mobile app). And the inclination of states to violate privacy in the name of security and law enforcement is now even greater than ever, as NSA whistleblower Edward Snowden demonstrated in his exposé of the extent of US government surveillance on its citizens.

Privacy is a fundamental human right that must always be protected. Companies that put their own interests first may wittingly or unwittingly undermine this right if permitted to do so. This was demonstrated by reaction to the EU’s recently proposed broadening of privacy protections in electronic communications, including tracking by advertisers, to promote a digital single market. The criticism by companies that feel they will suffer competitive disadvantage in comparison to other markets, and that the proposed measures will damage the potential of Europe’s data-driven economy, shows that many businesses are prepared to compromise on privacy, if allowed to do so, in order to achieve their business objectives.

What of Ireland’s curious position as the gatekeeper of data protection in Europe – are we equipped to handle this responsibility?

Ireland is now touted as the data capital of Europe, with data centres popping up all along the high-speed fibre running across Dublin from north to west. The climate, the tax rates, relatively easy access to the necessary real estate, and the clustering effect all make it an ideal location for all the big players such as Microsoft, Facebook and Google. On the other hand, they present challenges for the energy grid, while providing very little by way of employment or benefit to the local population.

In terms of data protection, there are implications for the data controllers who control the contents and use of personal data (and are typically clients of cloud-based technology providers) and for data processors – the ones responsible for managing, storing and processing personal data on behalf of the controller, ie the cloud service provider.

The Data Protection Acts place responsibility for data security on the data controller. But definitions of personal data and the rules for its collection and use vary between countries.

As a result, global businesses that act as data collectors have a variety of legal and enforcement frameworks they must comply with. In addition, the strength of the powers invested in the data protection authorities varies; for example, in their ability to conduct investigations, act on complaints and impose fines when they discover an organisation has broken the law. So too does their independence from government.

As the EU pushes towards advanced data protection reforms, aiming to streamline the legislation in individual countries, we are approaching the point where unified EU regulation will apply across all countries. Companies operating across the EU will only deal with one national Data Protection Agency, ie the one in the member state where they have their main business. This will have implications for Ireland. Companies storing or with data stored in Ireland who are answerable to the Irish Data Protection Agency will be subject to alignment with emerging EU data protection legislation.

Already, companies have to pay careful attention to the gap in privacy standards between the US and the EU and Ireland, with the latter giving far more attention to protecting its citizens’ personal data in legislation.

What would you like to see in place to protect users and their data?

Responsible companies will always protect their customers’ personal data, not only because it’s an important business asset, but because they have a moral as well as legal obligation to their customers to treat their data in a manner that respects their privacy. Nonetheless, data subjects are constantly frustrated by the extent to which their privacy is being eroded, even as the companies guilty of undermining their privacy seek to build trusted digital relationships with their customers.

In addition to new proposed rules on user consent for storing personal data that move away from implied consent towards more explicit forms of consent, there is a need for better education of consumers on how they can protect themselves, particularly online. More is needed to oblige data controllers to provide full and transparent information about what is being recorded and tracked, and to make it easier for consumers to avoid or opt out of such practices.

When personal data like shopping habits, medical history, credit records, social networks, location data and so on are collected and analysed, underlying patterns can provide information that businesses – and indeed, governments – use to profile individuals. This has the potential to gravely undermine individuals’ right to privacy. In particular, data and metadata from personal devices and from internet of things products and solutions can be used to derive personal information that can be used in unauthorised and extremely damaging ways.

The proposed EU General Data Protection Regulation is a worthwhile step towards strengthening citizens’ fundamental rights while facilitating business. Any organisations controlling data need to work towards ensuring compliance before its introduction in 2018.

But, for individuals, there are a number of areas that need careful attention. One is the far-reaching concept of ‘monitoring the behaviour’ of EU residents by tracking their digital activities. Another is the transfer of personal data to countries outside the EU/EEA that do not provide the same standard of data protection.

Without such precautions, the high standards of data protection established by the Data Protection Directive would quickly be undermined, given the ease with which data can be moved around in international networks.

Finally, a few words on surveillance.

Increasingly, surveillance is being used to spy on individuals, either by government, companies or other private individuals. A government’s collection of sensitive information, typically in the name of national security, presents major threats to individuals’ privacy, as well as to freedoms of expression and association.

The mass subjection of a population or group to indiscriminate monitoring is a violation of privacy. Once data gets into the government’s hands, it can be retained for years, and the extent to which it is accessed and used can be changed in secret without the public knowing. In particular, communications surveillance – the monitoring, interception, collection, preservation and retention of information – is now becoming more commonplace and more sophisticated, and capable of collecting even more data than ever before.

When a government wishes to conduct communications surveillance, it must only be done in accordance with clear and transparent law. However, in many countries, the laws governing surveillance and the processes around its conduct are unclear. Often the laws are vague and allow for broad interpretation. Courts can authorise surveillance in secret and individuals can be monitored without being notified that they were placed under surveillance.

In many cases, laws governing communications surveillance have become outdated in the face of powerful new technologies. Another problem is that legislators and the judiciary often do not understand communications technology and surveillance capabilities. These and other issues need to be addressed by governments around the world in order to protect the fundamental rights of their citizens.