In a recent article published by the European Financial Review, Sabrina Rau explored some of the risks to individuals in the digital society and suggested how we can learn from the international human rights framework to implement effective safeguards: safeguards that enable us to benefit from scientific progress while mitigating risks to human rights through effective due diligence.
Data is not good or bad. Data can be the greatest asset and opportunity to learn and innovate but also dangerous if processed and used without human rights safeguards. It is the manner in which data is collected, processed and shared and the purpose for which this is done that determine its potential as an advantage or danger. Our lives are increasingly online and linked through smart devices and the internet of things (IoT).[i] From smart speakers to smart phones, from social media to cloud storage, our data is collected in various formats by a variety of data controllers that include states, businesses, NGOs and others. Our employers, banks, healthcare providers, social media platforms and others all collect data on us in an effort to “personalise” services and provide us with everyday “convenience.” Yet, at what price?
Data collection and processing can provide numerous benefits in our everyday lives and, on a larger scale, allow businesses to better understand their customers and states to better understand their citizens. The United Nations (UN) Sustainable Development Goals (SDGs), for example, use set indicators measured against a tremendous amount of data points to establish and better understand the progressive realisation of human rights.[ii] “Data is knowledge” is a common expression and one that holds true in today’s society, but is all gathering of data legitimate? Does data collection and processing pose a threat to our human rights? Can businesses do anything to reduce the risks of potential malpractice in the collection, processing and sharing of data?
Why we need to talk about human rights and not ethics
Human rights are important for understanding issues around data protection. The risk to privacy is often highlighted with new technologies and in relation to data breaches but the processing and sharing of data can have serious implications on a wide array of human rights well beyond privacy. Human rights are “rights inherent to all human beings, regardless of race, sex, nationality, ethnicity, language, religion, or any other status.”[iii] International Human Rights law lays out the obligations of governments to protect these rights and freedoms. Human Rights include the right to work, right to effective remedy, freedom of thought, freedom of assembly, right to education, right to benefit from scientific advancement and many more.[iv]
The Universal Declaration of Human Rights and other human rights conventions together form a basis of rights and freedoms every human being is entitled to. Knowing these freedoms and rights allows us to identify when a harm has occurred. Most importantly, human rights are universal, indivisible, interdependent and interrelated. While ethics are often spoken about in company values and in relation to data processing and AI, they are not necessarily universal and can be extremely subjective, making them difficult to comply with and assess industry wide. It is for this reason that it is more effective to speak about human rights rather than ethics when it comes to the opportunities and challenges of data processing.
In the context of data processing the right to privacy and freedom of expression are commonly spoken about through data breaches or content moderation such as in the case of Cambridge Analytica and InfoWars.[v] An infringement on the right to privacy typically does not stop at the interference with your personal data. If a data controller shares data with another entity who uses it for another purpose and aggregates it with data gathered somewhere else, the merging can result in harmful outcomes for the individual such as affecting the right to work, right to health and others. In this way data, and particularly big data and AI, can greatly affect the enjoyment of human rights.[vi]
Why GDPR is not enough
One interpretation of the General Data Protection Regulation (GDPR) is that it is a human rights instrument hindering and limiting businesses and other data controllers from their work. GDPR, however, does not prohibit data processing but merely limits the means through which data processing occurs. While GDPR contains elements that reflect a human rights based approach, in practice the focus on human rights can often be lost due to the competing objectives of GDPR. While data protection is one of the objectives of GDPR, which coincides well with human rights, the other objective of GDPR is the free movement of data, which more closely reflects commercial and global competition objectives.
On a positive note, GDPR contains human rights language, including recitals on the rights of data subjects. This includes the right to receive information, the right to access data about the data subject, the right to rectification, the right to erasure of any data held about the data subject, the right to data portability and the right to object.[vii] It also includes requirements of transparency, and assessments of necessity and proportionality, which are directly borrowed from human rights law. It may appear through these references that this is strong rights guidance; however, implementation is made complex by the competing objectives.
The underlying assumption throughout GDPR is that data is being collected. The rights of the data subject are all consistent with opt-out features, illustrating the clear assumption that data is being processed. This is unlike the consent requirement, which has a strict opt-in model.
Because of the commercial objectives of the free flow of data to remain competitive internationally, its implementation is a challenge in a number of ways. One way in which this is evident is through the ineffective use of consent online. Obtaining consent is easier for data controllers than it is to justify the other six legal grounds for processing data.[viii] The reason for this is that GDPR places an excessive burden on the individual to be their own data manager with little negotiating power against large data controllers and relatively little information on the complex data processing.
The problem of consent online
According to GDPR, consent should be “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[ix] While this may sound good, in practice this is difficult in a number of ways.
Informed consent requires the data subject to be given the information required to make an informed decision about what they are agreeing to and the associated risks. When it comes to an online context, however, the lack of foreseeability, specificity, clarity and accessibility make informed consent particularly challenging.[x]
“Freely given” consent speaks to the data subject’s control and choice. However, a person cannot meaningfully opt out of being part of the information society, nor do they have a negotiating position when it comes to the terms of the data collection. This is mainly due to the existing power imbalances between data controllers and data subjects and often the monopolies that certain businesses have over particular services and the networking effect.[xi] The “unambiguous indication” requirement of consent is also dependent on the context in which the data is collected and the nature of the information collected.[xii]
While it may appear that consent is completely ineffective in the online/digital context, it is worth questioning the role of consent in other parts of our society. When framing this in terms of human rights, one can consider questions of autonomy and self-determination. Respect for individual autonomy underpins international human rights law, given that the law focuses on respecting and fulfilling individual rights and freedoms. Considering the central role that consent plays in our society and the lack of meaningfulness online, we should think further about when consent is appropriate to use in a digital society.
In order to benefit from scientific progress and not stagger innovation, acquiring adequate safeguards for data processing is key. Rather than relying on ethical principles, which as noted earlier are too subjective and not measurable, the UN Guiding Principles on Business and Human Rights (UNGPs) offer a framework through which adequate safeguards can be put in place, mainly through effective due diligence processes.
How the UNGPs can be part of the solution
The UNGPs are the only official guidance the United Nations Human Rights Council has endorsed for States and Businesses. They do not create new human rights obligations but rather explain how existing human rights standards can be upheld. The three pillars of the UNGPs are:
- The State duty to protect human rights
- The corporate responsibility to respect human rights
- Access to remedy
States in the first instance have a duty to protect human rights from third party harm according to the UNGPs. This may include regulations and policies that require mandatory due diligence practices and monitoring, as some countries have already put in place. Furthermore, knowledge sharing and providing expertise to policy makers to understand how data processing works is key to promoting policies that are conscious of the risks of data processing practices.
When it comes to the responsibility of businesses and corporations the actions look a little different. Businesses are not responsible for protecting human rights but are required to “respect” them. This means that they should avoid infringing on the human rights of others and address adverse human rights impacts they are involved in throughout their value chain and their business relationships.[xiii]
According to the UNGPs, a business should have (1) a public policy commitment to human rights, (2) a human rights due diligence process and (3) a process to enable the remediation of any adverse human rights impacts they cause or contribute to.[xiv] Having these elements in place provides clear, measurable standards that due diligence processes go through. A due diligence process must “identify, prevent, mitigate and account for how they address their impacts on human rights.”[xv] Further detail and guidance exist on how these due diligence processes must be carried out, but important aspects of them are the range of activities that must be covered as part of the process and the nature and context of its operations that may have human rights impacts. Another important aspect is that a due diligence process should be ongoing “recognising that the human rights risks may change over time as the business enterprise operations and operating context evolve.”[xvi]
Drawing the connection between effective due diligence processes and data processing, it is important to better understand the complexity of data processing, and specifically data sharing, to understand the risks and human rights harms that may be suffered at different levels as a result.
Human Rights Safeguards are the way forward
The benefit of businesses committing to and applying the UNGPs within their business operations, including in their data processing, is that it creates more measurable reporting guidelines that make human rights compliance easier to understand and evokes a race to the top of good corporate human rights performance. Data processing should have effective impact assessments that assess the risk on an ongoing basis, in the same way as other supply chains. The first step is to understand the potential harms that can be caused by data processing beyond privacy. The second step should be the implementation of a human rights due diligence process that assesses risks at every part of the process, from data collection, to storage, analysis, processing and sharing, and that monitors and assesses these practices in an ongoing manner. Implementing these safeguards allows data to be an instrument for innovation while having the right safeguards in place to respect human rights.
[ii] SDG Indicators, found at https://unstats.un.org/sdgs/indicators/indicators-list/
[iv] Universal Declaration of Human Rights, found at www.ohchr.org/EN/UDHR/Documents/UDHR_Translations/eng.pdf
[vii] GDPR Articles 12-23
[ix] GDPR Article 4 (11)
[xi] HRBDT, Consent Background Paper
[xii] HRBDT, Consent Background Paper
[xiii] UNGP, Art. 13
[xiv] UNGP Art. 15 (a)
[xv] UNGP Art. 15 (b)
[xvi] UNGP Art. 17 (c)