With the digital transition that we are witnessing, businesses and human rights interrelate more and more. New technological solutions render massive amounts of information and services accessible at our fingertips and add unprecedented convenience to our lives. But they can also challenge individuals’ privacy, pose new threats to safety and security, and produce undesirable effects on vulnerable groups such as children, on democratic processes and on the overall wellbeing of societies. Being major actors that both foster and implement innovation, businesses have a major share in responsibility for the impact – of direct, immediate and global nature, - that modern technologies bring with them.
In line with the UN Guiding Principles on Business and Human Rights and the “Protect, Respect and Remedy” Framework, digital platforms should respect the human rights of their users and affected parties in all their actions. This open forum will discuss to what extent these principles are abided in relation to the use of digital technologies. While considering the interdependence of all human rights, the open forum will focus specifically on the rights to privacy and to data protection which are among those that are the most affected. It will examine the different ways in which they are impacted by the functioning of digital platforms, their business models and practices, and will look at the respective roles of businesses and state actors in the protection of these rights.
While on the internet the actual increase in privacy-related risks and infringements is unprecedented, it appears that substantive debate on the related roles and responsibilities of digital platforms which are at the epicentre of these developments, is somewhat missing. Discussions mostly arise with regard to specific incidents, such as the Cambridge Analytica scandal, and often focus only on a very narrow perspective such as the amount of fine issued by a regulator. Landmark international instruments, such as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) continue to be seen as having a bearing on legislators only. In the meantime, ‘free’ services offered in exchange for personal data have become a widespread practice and a basis for highly profitable business models. As a result, they are hardly ever subjected to a thorough critical assessment as to compatibility with international privacy and data protection standards.
The situation is further exacerbated by the fact that the concept and level of protection of those rights vary considerably from country to country, from region to region. In such circumstances, which standard is to be followed by online platforms? National? Regional? Sectorial? Global?
Furthermore, legislative solutions related to the protection of privacy and personal data range from strict regulation imposing extraterritorial jurisdiction, heavy fines on data controllers, or nationally controlled and forced data localisation regimes to free flow of data schemes with appropriate level of protection guaranteed. Left on their own to find solutions that comply with applicable legislation, satisfy their customers and maintain the profitability of their professional activities, what approach shall digital platforms take?
The open forum will aim to contribute to an inclusive dialogue between different stakeholders and representatives from various regions to take stock of the different expectations, concurring interests and diversity of views on what governments and other state actors should do and what digital platforms should do to guarantee the right to privacy and data protection. It will look at national and regional differences in the interpretation of the right to privacy and to the protection of personal data, and notably at the differences in the practical implementation of the underlying legislation. Taking stock of the international frameworks and practices that are already in place, the open forum will discuss how they can best serve the protection of internet users’ rights. It will also pay attention to the role of businesses in relation to accessions by states to existing international data protection frameworks and to the ways how businesses can adjust their policies to meet the privacy expectations of their customers.
Starting from the premise that the protection of privacy and personal data is fundamental to the enjoyment and exercise of most internationally recognised human rights and fundamental freedoms, the open forum will seek answers to the following questions:
- What are the responsibilities of business platforms vis-à-vis the right to privacy and data protection? What would be the level of privacy and data protection they should aim for on the internet? Which standard should be followed by internet intermediaries? National? Regional? Sectorial? Global?
- Are business models based on ‘free’ services offered in exchange for personal data compatible with international privacy and data protection standards?
- Which measures are to be taken by intermediaries to guarantee an appropriate level of protection and the overall effective exercise of data subject's rights?
- What should governments do to ensure that the expected level of protection is met by digital platforms? How can they ensure this outside of their borders?
- Are the measures that are taken by countries regional organisations so far addressing those issues adequately? Where are the gaps?
- Is a global treaty for privacy needed or does the convergence of privacy laws suffice?
- To what extent are national and regional differences to be considered when determining the level of protection? Is privacy really a universal human right or a privilege for some countries’ citizens?
- What are the measures businesses have already taken? What are good and bad practices?
Background paper
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108)
Council of Europe Committee of Ministers Recommendation (2018)2 on the roles and responsibilities of internet intermediaries