Sessions Summary

Tuesday, May 25th: Day 1 Introduction and Primer on Data Ecosystems & Regulatory Frameworks

Session 1: Mapping Data Ecosystems to Understand how Data is Collected, Used and Shared

Summary: The session was hosted by Teki Akuetteh Falconer (Africa Digital Rights Hub) and Arturo Carrillo (George Washington University), who spoke about the current state of the personal data protection ecosystems, both in the African and Latin America region.

Highlighting data protection in the African context, Teki Falconer pointed out that although legislation has advanced in this regard in recent years and several countries in Africa currently have data protection laws and other measures to protect privacy (most of them inspired by European legislation), there is still a lot of room to improve. Based on her experience as the first Executive Director of the Data Protection Commission of Ghana, she believes there is much to do in terms of awareness raising, regulatory compliance and consumer education. This is especially critical considering the rapid growth of Internet usage in the African region; especially social media platforms that collect data from their users as part of their business models. Although different civil society organizations are addressing these issues, greater coordination is needed between them at the local and regional level. View Teki’s full presentation here.

In the case of Latin America, Arturo Carrillo pointed out that although most of the countries in the region have personal data protection laws, most of them are incapable of addressing the range of acute challenges posed by new data collection practices enabled by new technologies. This is especially true, as many of the largest data collection and processing companies are not based in the countries, largely outside of national jurisdiction. Currently, several countries including Chile and Argentina are entering in processes to review their laws. Furthermore, Brazil has recently approved its law, as has Ecuador. This situation invites us to think about the possibility of having a common framework for the region that ismore comprehensive and effective. View Arturo’s full presentation here.

Main ideas: Although there has been progress in enacting legislation in both Africa and Latin America, compliance with these legislative frameworks is still weak. It is necessary to create greater awareness amongst local actors about the importance of data protection, not only within the private sector but also amongst government and policymakers. We must also take into account the legislative experiences of other regions, such as Europe, and think about issues like the implementation of the Right to be forgotten, the extension of ARCO rights, and more. There seems to be space to promote coordinated proposals at the regional level.

Thursday, May 27th: Day 3 Panels on Data Protection Advocacy & Enforcement Issues

Session 5: Responsive, Inclusive, & Creative Data Protection Advocacy: Building Diverse Privacy & Data Protection Constituencies

Summary: This panel session included Eliana Quiroz (Internet Bolivia), Lua Cruz (Idec), Diogo Moyses Rodrigues (Idec), Linda Bonyo (Lawyers Hub), and Alexandrine Pirlot de Corbion (Privacy International) and was moderated by Laura Schwartz-Henderson (Internews). The objective was to discuss how to respond to the political changes around the protection of personal data and create support networks for defense.

Eliana Quiroz mentioned that the main problem in Bolivia is the lack of capacity amongst local actors to participate in the processes of consultation and development of data protection regulations. This situation is common throughout countries in both Latin America and Africa, according to Lua Cruz and Linda Bonyo, respectively. In the case of Brazil, Lua pointed out that there has been a process of almost 10 years since the regulation of the protection of personal data began to be proposed. On the other hand, Linda mentioned that during the process of sending comments to the Personal Data Protection bill in Kenya, most of the participants were from the private sector and very few from civil society. Alexandrine Pirlot indicated that Privacy International has worked on these issues trying to produce reports and other documents that other organizations could use to build their cases in their own countries.

Both Eliana and Lua pointed out that different changes are coming at the political level in their countries, and they consider that it is key to involve more actors in order to carry out effective advocacy. This includes perhaps a broader range of actors; for example, Lua pointed to consumer protection organizations as allies on the issue of personal data protection in Brazil. Linda indicated that there should be a regional approach to the issue, in order to produce regulations applicable to all countries in Africa, as it exists in the European Union. Finally, Alexandrine mentioned that one way to arouse interest and invite other actors to join the cause is to identify how data protection relates to their different agendas.

Main ideas: One of the most important challenges seems to be attracting new actors from civil society to join forces in advocacy actions.

Resources:

https://privacyinternational.org/learning-resources/privacy-matter

https://boristhebabybot.org/

Session 6: Navigating the Challenges to Enforcement of Data Protection in Developing Economies

Summary: The panel session featured Rafael Zanatta (Data Privacy Brazil), Eduardo Bertoni (Inter American Institute of Human Rights), Drudeisha Madhub (Mauritius, Privacy Commissioner), and Kuda Hove (Privacy International) and was moderated by Teki Akuetteh Falconer (Africa Digital Rights Hub). The objective was to discuss how to enhance enforcement of data protection regulations in developing economies.

Drudeisha Madhub began her presentation by noting that from her role as the Commissioner in the Data Protection Authority in Mauritius, she was able to observe various factors that affected the capacity for action in the public sector. For example, the lack of resources, the lack of enforcement capacity, as well as political interference from larger or more powerful entities within the government. Eduardo Bertoni agreed that his experience had been similar when he served in the Data Protection Authority in Argentina, but thanks to different regulatory changes promoted by civil society, this body gained more independence. Kuda Hove said that there are multiple initiatives at the international level that seek to improve the ability of governments to comply with their data protection laws, especially against the big social media platforms. There was an exchange between the speakers on the ever-present conflict between security narratives and privacy and how this could be changed into opportunities for more effective advocacy.

Drudeisha offered that it is necessary to forge alliances between civil society organizations and officials in charge of data protection, so that both join forces when demanding compliance to governments. Rafael Zanatta pointed out that it is also important to create narratives that allow for the creation of stronger support networks. For example, in Brazil the citizen movement is very diverse and although there are many populations affected by the lack of protection of their data (LGTBIQ communities, Afro-descendants, etc.), they do not participate in advocacy efforts in these topics. Finally, Kuda suggested a regional approach to regulate data protection could be more effective in the long-term.

Main ideas: Perhaps the most important challenge is to advocate for independent Data Protection Authorities. There are several strategies that can be used, from participation in legislative reform processes and strategic litigation. Civil society organizations should, when possible, think of commissioners as potential allies.

Resources:

http://35.227.175.13/memoria/2019-a-saga-da-autoridade/

https://dataprotection.govmu.org/Pages/Home%20-%20Pages/Data-Protection-Training-Toolkit.aspx

Friday, May 28th: Day 4, Digital ID, Milestone tracker & Group projects

Session 7: Digital ID systems and data protection

Summary: The panel session featured Grace Mutung’u (Kenya ICT Action Network), Dorothy Mukasa (Unwanted Witness Uganda), Carlos Guerrero (Independent) and Thea Anderson (Omidyar Network) and was moderated by Teki Akuetteh Falconer (Africa Digital Rights Hub). The objective was to discuss the current deployment of Digital ID schemes and the role of data protection in mitigating risks around privacy, cybersecurity, freedom of expression and equity in these schemes.

Carlos Guerrero began his presentation by outlining research he had conducted on the development of Digital Identity in Peru and highlighted that the use of technologies such as biometrics have been implemented without public discussion and are based on overly vague laws. Grace Mutung’u pointed out that while the existence of Digital ID schemes by governments has become a problem due to their potential vulnerabilities, data protection laws represent an opportunity to prevent misuse. Dorothy Mukasa agreed with Grace and pointed out that in Uganda, her organization is working together with different public entities to ensure that the collection of data from citizens is carried out in compliance with the Data Protection Act of this country. In her turn, Thea Anderson pointed out that her organization has supported different initiatives, especially in Africa in order to identify those Digital ID developments that may represent a danger to privacy and other human rights.

Carlos also mentioned that the level of independence of the Data Protection Authorities must be improved and that public entities must be required to comply with data protection laws, especially those that perform mass collection, such as civil registry entities. Grace considers that there should be a greater inclusion of actors who can control that Digital Identity schemes are not used for the surveillance and persecution of human rights defenders. Dorothy and Thea agree that the current trend is that Digital Identity is increasingly present on governments’ agendas and that civil society organizations must work together to prevent its use from negatively impacting access to opportunities, health and other public services.

Main ideas: The main challenges seem to be the unstoppable advance of Digital Identity schemes and non-compliance with data protection regulations (when they exist). One window of opportunity seems to be joining forces with the local data protection ecosystem, to identify risks and demand that all the entities within government respect these regulations.

Resources:

https://hiperderecho.org//srv/htdocs/wp-content/uploads/2020/11/guerrero_identidad_digital.pdf

https://www.unwantedwitness.org/ugandas-national-id-system-an-access-hindrance-to-the-social-assistance-grants-for-empowerment-sage/

https://cis-india.org/internet-governance/blog/governing-id-a-framework-for-evaluation-of-digital-identity

Trends

• Increase in the use of personal data by public entities.
• Some of the uses of data by government bodies are unsafe and favor mass surveillance. Current data protection laws are inadequate because they contain broad national security exemptions.
• Processes of creation or modification of data protection laws are currently happening at the national level in Africa and Latin America.
• There is limited participation of civil society organizations in the debates on data protection regulation.
• There is a lack of capacity and interest to exercise advocacy actions on data protection.
• Advocates lack of diverse, multisectoral narratives to create awareness on data protection in different audiences.
• Data Protection Authorities struggle to establish independence from government.
• There is room to attract more local allies to the discussion on data protection.
• Support networks between organizations under construction are still weak at the local and national level.

Main challenges

• There is a need to improve transparency in public sector entities that collect personal data.
• It is necessary to propose data protection laws (or modify existing ones) so that they can cover current needs, such as avoiding mass surveillance, security breaches, etc.
• Capacity building is needed in civil society organizations to be able to participate effectively in legislative reform processes.
• Awareness needs to be raised about the importance of data protection in local actors.
• Advocacy efforts are needed to achieve greater political and financial independence from Data Protection Authorities.
• New allies must be attracted from both civil society, the private sector and even the government.
• Support networks need to be created and strengthened in order to make a significant impact on the national and regional data protection ecosystem.

Opportunities

• Several of the organizations already have contact with government officials and maintain a good collaborative relationship on different issues related to technology. Projects can consider the good or bad relationship with public sector entities to plan the strategy of their projects.
• In several countries, data protection laws are still being drafted or there is room to discuss modifications. This means that there are windows of opportunity to impact these processes.
• Several of the organizations are leaders in the field of human rights and technology in their countries and have gained recognition for their work. Ideally, they should use this position to reach out to other actors and involve them in their advocacy efforts.
• A little developed strategy that seems to respond well to current data protection challenges is to strengthen regional coordination spaces, in order to share experiences, good practices and funding opportunities.
• There are already several research papers, reports and other documents that can guide the activities planned by the organizations.