Fighting for strong data protection around the world: a year in review
Happy International Data Protection Day! To celebrate, we’re taking you on a data protection world tour. Buckle up — it’s a wild ride.
In 2019, data protection made headlines worldwide. With India debating its first ever data protection law, Tunisians’ data leveraged for manipulation in national elections, a one year check-up on the implementation of the European Union General Data Protection Regulation (GDPR), and much more, it was an incredibly busy year for those of us defending data privacy.
Looking back, one thing remains clear: the more that our data are routinely collected, retained, and exploited, either by the private or public sector, the more urgent it becomes to implement strong data protection laws and policies to keep us safe. Whether it is our insurance and health records, social media chats, online purchases, location information, or other data that can be harvested and used for manipulation and control, our information is increasingly at risk and governments and companies must act now to protect it. The most vulnerable among us — such as activists, journalists, human rights defenders, and members of oppressed or marginalized groups — are the most at risk.
Raising the bar on data protection worldwide: a timeline
Throughout 2019, we at Access Now worked around the globe to improve data protection standards. Last year, governments continued to develop and update data protection legal frameworks. Unfortunately, in many cases, they failed to comply with robust standards, such as those in the GDPR. Much of our advocacy in regions like Latin America and the United States entailed advising against poorly designed laws and policies, while pushing for standards that better align with human rights principles.
So what were we up to in 2019? Our story begins with the GDPR . . .
- 21st: The French Data Protection Authority fined Google 50 million euros for lack of transparency and valid consent surrounding the use of data for ads personalization. This was the first large fine imposed under the GDPR.
- 23rd: The European Union and Japan signed a joint adequacy decision that allows for the transfer of personal data between the two jurisdictions.
- 30-31st: We participated in the Computer, Privacy and Data Protection Conference in Brussels, where we contributed to discussions on the implementation of the GDPR, the development of data protection laws in Africa, and more.
- 25th: Together with 11 civil society organizations, we called on the Tunisian Data Protection Authority to take steps to ensure it remains independent.
- 17th: One year after the Cambridge Analytica scandal, there had still been no major regulatory action to address the egregious data protection violations.
- 20th: When Honduras held its first Internet Governance Forum, we issued a call to use the event as a platform to unpack the country’s problematic data protection bill, which contained carve-outs for the public sector to collect and process citizens’ data without appropriate safeguards.
- 27th: We convened the Data Privacy Summit, a full-day conference in Washington, D.C., to examine the data privacy debate, the underlying technologies, and the relationships between privacy and security, civil rights, and safety. The conference aimed to find common ground with the ultimate goal of implementing a comprehensive data protection framework in the United States.
- 3rd: In collaboration with InternetBolivia.org, we published a guide for data protection in Bolivia to inform the public debate (in Spanish). We hosted a series of workshops in Bolivia on the need for strong data protection and spoke with local news outlets to deepen the public debate.
- 25th: The GDPR turned one. To celebrate, we had cake, but more importantly, we published our first report on the law’s implementation, with recommendations to ensure that users will enjoy its full benefits.
- 11-14th: We held RightsCon in Tunis, where data protection was at the center of many sessions. This year, we hope to see you from June 9-12 at RightsCon Costa Rica to continue building the discussion on how to strengthen data protection rights worldwide.
- 24th: At the National Assembly of Ecuador, we presented at an event attended by lawmakers to highlight the importance of a human rights-respecting data protection law.
- 29th: We submitted comments to the U.S. National Institute of Standards and Technology on its Privacy Framework, arguing for a stronger manual that would better protect individuals’ data. The U.S. lacks binding federal rules, so the Framework serves as a primary resource for companies, state agencies, and institutions.
- 22-31st: We went on a data protection tour in Latin America to advance arguments for user-centric data protection measures.
- Argentina: We met with data protection authorities, advisors to the President, and members of the opposition party to advocate for rights-respecting changes in the current data protection bill. Local media outlets covered our activities, bringing the public into the discussion.
- Paraguay: Thanks to the efforts of the NGO TEDIC, we met with Paraguayan legislators to address areas where a proposed bill fell short. The legislation, while branded as a data protection law, focused mainly on regulating the financial sector. Legislators acknowledged this shortcoming and agreed to propose a new bill.
- 1st-9th: The data protection tour in Latin America continued.
- Bolivia: We participated in the 2019 Latin America and the Caribbean regional Internet Governance Forum in La Paz, where we urged stakeholders to prioritize the need for a Bolivian data protection law.
- 7th: We criticized the U.S. Federal Trade Commission’s tardy $5 billion Facebook fine. The FTC decision was part of a settlement for a series of privacy violations linked to the misuse of data through Cambridge Analytica. The lengthy delay and the insufficient remedy indicates that the FTC cannot meaningfully protect privacy in the United States.
- 2nd: We sent an open letter to Facebook, asking for more transparency in advertising and other sponsored content on their platform, specifically in regard to the 2019 Tunisian elections. Facebook provided an official response to our letter.
- 12th: We contributed to a consultation from the Australian Government on the final report of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. The report, published in July, made bold suggestions to legislators on how to advance an array of proposals for strengthening privacy and data protection. In our submission, we focused on content governance and data protection-privacy issues, given their particular relevance for the advancement of individuals’ rights.
- 18th: We called on the European Commission to strike down the E.U.-U.S. Privacy Shield since the arrangement fails to protect data and privacy rights.
- 20-23rd: We participated in the International Conference of Data Protection and Privacy Commissioners in Albania, where we contributed to discussions with regulators from around the world on the impact of the GDPR globally and the ongoing debates in Latin America regarding the advancement of new privacy and data protection laws.
- 8th: After many years of deliberation, Kenya passed comprehensive data protection legislation. Our grantee, KICTANet, was actively involved in this debate and will continue to monitor the law’s implementation.
- 22nd: We contributed to a study that revealed how Jordanian internet service providers violate customers’ privacy. In response to the report, the Jordanian government moved forward with the introduction of a data protection bill.
- 29th: We issued a petition to demand data privacy positions from U.S. presidential candidates. The petition has so far received resounding support, and will be delivered to the presidential campaigns.
- 3rd: We led a coalition letter to the U.S. Senate Commerce Committee that outlines why the proposed “Consumer Online Privacy Rights Act” is one of the strongest pieces of privacy legislation under consideration in the U.S., as it would protect civil rights with strong anti-discrimination provisions.
- 11th: After a long process, the Indian Government introduced the Personal Data Protection Bill 2019 in the Indian Parliament. The bill was referred to a Joint Parliamentary Committee, which will submit its comments and proposals in February. This bill is similar to the Srikrishna Committee proposal that we reviewed.
- 11th: We co-hosted a U.S. Capitol Hill briefing on data privacy. The briefing, titled “Controlled and conditioned: How data abuse hurts the most vulnerable and threatens human rights,” included participation from Congresswoman Jan Schakowsky who provided opening remarks and announced draft data privacy legislation was forthcoming from the House Committee on Energy and Commerce.
As we look ahead to 2020, we remain committed to the goal of ensuring uncompromising privacy and data protections for all citizens around the world. Privacy and data protection are a cornerstone for human rights in the digital era, and our laws and policies must be adequate to protect it.