Session
With the digital transition that we are witnessing, businesses and human rights interrelate more and more. New technological solutions render massive amounts of information and services accessible at our fingertips and add unprecedented convenience to our lives. But they can also challenge individuals’ privacy, pose new threats to safety and security, and produce undesirable effects on vulnerable groups such as children, on democratic processes and on the overall wellbeing of societies. As major actors that both foster and implement innovation, businesses bear a major share of responsibility for the impact – of a direct, immediate and global nature – that modern technologies bring with them.
In line with the UN Guiding Principles on Business and Human Rights and the “Protect, Respect and Remedy” Framework, digital platforms should respect the human rights of their users and affected parties in all their actions. This open forum will discuss to what extent these principles are abided by in relation to the use of digital technologies. While considering the interdependence of all human rights, the open forum will focus specifically on the rights to privacy and to data protection, which are among those most affected. It will examine the different ways in which they are impacted by the functioning of digital platforms, their business models and practices, and will look at the respective roles of businesses and state actors in the protection of these rights.
While on the internet the actual increase in privacy-related risks and infringements is unprecedented, it appears that substantive debate on the related roles and responsibilities of digital platforms, which are at the epicentre of these developments, is somewhat missing. Discussions mostly arise with regard to specific incidents, such as the Cambridge Analytica scandal, and often focus only on a very narrow perspective such as the amount of the fine issued by a regulator. Landmark international instruments, such as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), continue to be seen as having a bearing on legislators only. In the meantime, ‘free’ services offered in exchange for personal data have become a widespread practice and a basis for highly profitable business models. As a result, they are hardly ever subjected to a thorough critical assessment as to compatibility with international privacy and data protection standards.
The situation is further exacerbated by the fact that the concept and level of protection of those rights vary considerably from country to country, from region to region. In such circumstances, which standard is to be followed by online platforms? National? Regional? Sectorial? Global?
Furthermore, legislative solutions related to the protection of privacy and personal data range from strict regulation imposing extraterritorial jurisdiction, heavy fines on data controllers, or nationally controlled and forced data localisation regimes to free flow of data schemes with an appropriate level of protection guaranteed. Left on their own to find solutions that comply with applicable legislation, satisfy their customers and maintain the profitability of their professional activities, what approach shall digital platforms take?
The open forum will aim to contribute to an inclusive dialogue between different stakeholders and representatives from various regions to take stock of the different expectations, concurring interests and diversity of views on what governments and other state actors should do and what digital platforms should do to guarantee the right to privacy and data protection. It will look at national and regional differences in the interpretation of the right to privacy and to the protection of personal data, and notably at the differences in the practical implementation of the underlying legislation. Taking stock of the international frameworks and practices that are already in place, the open forum will discuss how they can best serve the protection of internet users’ rights. It will also pay attention to the role of businesses in relation to accessions by states to existing international data protection frameworks and to the ways in which businesses can adjust their policies to meet the privacy expectations of their customers.
Starting from the premise that the protection of privacy and personal data is fundamental to the enjoyment and exercise of most internationally recognised human rights and fundamental freedoms, the open forum will seek answers to the following questions:
- What are the responsibilities of business platforms vis-à-vis the right to privacy and data protection? What would be the level of privacy and data protection they should aim for on the internet? Which standard should be followed by internet intermediaries? National? Regional? Sectorial? Global?
- Are business models based on ‘free’ services offered in exchange for personal data compatible with international privacy and data protection standards?
- Which measures are to be taken by intermediaries to guarantee an appropriate level of protection and the overall effective exercise of data subjects' rights?
- What should governments do to ensure that the expected level of protection is met by digital platforms? How can they ensure this outside of their borders?
- Are the measures that are taken by countries and regional organisations so far addressing those issues adequately? Where are the gaps?
- Is a global treaty for privacy needed or does the convergence of privacy laws suffice?
- To what extent are national and regional differences to be considered when determining the level of protection? Is privacy really a universal human right or a privilege for some countries’ citizens?
- What are the measures businesses have already taken? What are good and bad practices?
Background paper
Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108)
Council of Europe Committee of Ministers Recommendation (2018)2 on the roles and responsibilities of internet intermediaries
Council of Europe
Moderator:
Joe McNamee, independent expert, member of the former Council of Europe Committee of experts on internet intermediaries
Speakers:
Jan Kleijssen, Director, Information Society – Action against Crime, Council of Europe
Alexandria Walden, Global Human Rights & Free Expression Policy Counsel, Google (TBC)
Fanny Hidvégi, Europe Policy Manager, Access Now
Rami Efrati, Senior Cyber Fellow, Tel-Aviv University and former Head of the civilian division, Israel National Cyber bureau, prime minister’s office
Florence Raynal, Deputy Director, Head of Department of European and International Affairs, CNIL
Peter Kimpian, Council of Europe
GOAL 5: Gender Equality
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 16: Peace, Justice and Strong Institutions
Report
This open forum will focus specifically on the rights to privacy and data protection – as impacted by the functioning of digital platforms, their business models and practices, and the respective roles of businesses and state actors in the protection of these rights. It will aim to clarify the commonly acceptable level of protection of these rights, and the necessary steps to be taken by businesses and state actors to meet this level. It will address the following questions:
- What would be the appropriate level for privacy and data protection on the internet?
- What are the responsibilities of digital platforms vis-à-vis the right to privacy and data protection?
- What should states do to ensure that the expected level of protection is met by digital platforms?
The panelists agreed that the level of privacy and data protection is very uneven across the globe. There was also wide consensus among the panelists that self-regulation by private actors is not enough to solve data and privacy protection issues on the internet. While international legal instruments, such as the Council of Europe Convention 108, and also the EU GDPR, regulate the field, closer cooperation between governments and private actors was deemed necessary to ensure meticulous implementation. Some panelists felt that there was a need for more regulation too, e.g., for completing the GDPR reform.
Several lines of action were mentioned by the panellists:
- a systematic reform addressing micro-targeting;
- completing the GDPR reform;
- careful regulatory framing for facial recognition and other AI-based technologies;
- closer attention to safety and security of vulnerable groups (in particular children and women) in the online environment.
The Council of Europe has recently finalised the modernisation of its Convention 108, which now offers reinforced protection for individuals, in coherence with other relevant frameworks, such as the GDPR.
CNIL informed the participants about the ongoing work on a "one stop shop" system of work for DPAs which is also meant for improving cooperation with other stakeholders.
The panel agreed that enforcement of existing legal frameworks was crucial for advancing the protection of human rights in the digital environment, in particular the rights to privacy and data protection. Meticulous abidance by the law and its enforcement are equally needed from both government and private actors.
Onsite participants - approximately 200, gender balance - roughly 50/50 (%)
Online participants - unknown. No questions from online participants.
The session, among other things, discussed how to address violence against women on the internet, which is currently largely left unpunished. A representative from Google informed the audience about the tools that the company employs to address the issue.