Holds that the government’s new Unified Data Bank violates data protection rules.
Since 2012, Chilean security forces have been trying to transfer all security-related information on citizens into a single database, including identity information, criminal records, past or present judicial proceedings, previous convictions, and investigations of any kind.
Thankfully, this month Supreme Court judge Sergio Muñoz Gajardo rejected a petition by the Ministry of Domestic Affairs to transfer data from judiciary databases – such as the status of current and past judicial proceedings and convictions – to the new Unified Data Bank. The judge also held that the current implementation of the Unified Data Bank violates data protection rules, in particular under law 19.628.
Access applauds Judge Muñoz Gajardo’s decision. We believe that any government database should comply with data protection norms and should protect fundamental rights. Chile is not the only country implementing this kind of policy, and as governments around the world dream of centralized information banks, Judge Muñoz Gajardo’s decision should serve as a warning to any authority that seeks to violate fundamental rights.
Ruling sets a bold precedent for data protection
When the Chilean government introduced the national Unified Data Bank in 2012, it was responding to a call by then-president Sebastian Piñera for a tool to fight crime that included all information available about a suspect, including national ID numbers (RUN), criminal histories, judicial proceedings, and criminal records.
Judge Muñoz’s decision on January 21 clearly explained the reasons for denying the transfer of data to the database. Despite having signed an agreement to participate in the creation of this database back in 2012, the judge argued that the current implementation of the database is incompatible with Chilean data protection law 19.628 because it allows the government to use every citizen’s national ID number – which is considered to be sensitive personal information – as a data point.
Integrated databases are dangerous and ripe for abuse by authorities and criminals
Integrated databases containing sensitive information about citizens are dangerous for several reasons. Data protection principles demand that such databases should gather as little information as possible and be narrowly targeted. These databases have the potential to become enormous sources of personal data and metadata, and officials rarely take the time to eliminate information no longer needed for the purpose for which it was collected. Such databases may be used by an undetermined number of government agents. In Chile’s case, it is unclear who has access and what control measures are in place to avoid misuse.
Governments should guarantee the security and confidentiality of the information contained in any database. In this regard, the judiciary must have oversight over the implementation and usage of systems to access citizens’ personal data. This is clearly stated in the International Principles on the Application of Human Rights to Communications Surveillance, which Access supports.
No technical security measure is infallible. Concentrating large sets of personal and sensitive information into one single database increases the negative consequences of risks like malicious attacks, unscrupulous government access, and technical failures.
Lessons from Argentina and France
Unified citizen databases are not new to this space. In 2011, the government of Argentina proudly announced its plan for a massive digital database encompassing the data of all of its citizens. The Federal System of Biometric Identification for Security or “SIBIOS” is still being implemented and aims to gather biometric information — like images, DNA, and fingerprints of all citizens — and integrate it into the national identification system, which will be available to several security forces in Argentina. So far, there’s very little transparency about the system’s implementation, resources, controls, or security measures.
In 2012 the French Constitutional Court struck down the provisions of a law allowing courts and police to develop a centralized national ID database, citing the need to protect the right to privacy and the presumption of innocence. In particular, they addressed the disproportionality between such invasive means and the objectives of the law and also expressed concerns about security and confidentiality in the development and management of the database.
We need more control over our data
Access firmly believes in the possibility of a balanced, legal approach to using user data for public security purposes. Governments must explain how they link databases and must provide strong judicial controls for the sharing and accessing of personal information. All custodians of personal and sensitive data have an obligation to provide guarantees for security and confidentiality, and to allow any citizen to access and update personal information.
In our view, the Unified Data Bank in Chile and the SIBIOS system in Argentina fail these tests, but are still being implemented nonetheless. Spread the word to demand governments commit to effective data protection now.