Produced by Internews. We know that these days everything is ‘datafied’: our shopping habits, our daily commutes, our relationships and interactions- companies and governments alike are collecting servers and servers of information about us- but why should we care about the policy and politics of data governance? What really is ‘data protection’? What is at stake? Who are the players? How can we ensure our data is respected and that the most egregious abuses of our data are protected against? And how do we make these issues, often highly technical and legal, compelling for the average citizen?
In this episode of Privacy is Global, Laura Vidal and Laura Schwartz-Henderson dive deep on the history of data protection policymaking and privacy advocacy priorities in countries around the world through conversations with experts and activists from Ghana, Nigeria, Bolivia, Brazil and Kenya. We discuss the importance of cultivating cultures of privacy not just to build the political will to pass comprehensive data protection legislation but also to ensure that these laws are adequately enforced.
Research and Interviews: Laura Schwartz-Henderson, Laura Vidal, Teki Akuetteh Falconer
Concept and script: Laura Vidal & Laura Schwartz-Henderson
Interviews: Gbenga Sesan, Eliana Quiroz, Bianca Kremer, Victor Kapiyo, Teki Akuetteh Falconer
Editing & Mixing: Laura Vidal & Ergi Shkëlzeni
Visual Design: Ura Design
Executive Producers for Privacy is Global: Laura Schwartz-Henderson and Laura Vidal
Sponsored by Internews and Heinrich-Böll-Stiftung Washington DC
[Intro]
Laura Henderson:
There are many stories about data that we know without knowing their stories about data. That’s part of the amazing work of the organizations participating in this podcast. They’re making us realize how much of what we already know, use, learn and share is related to our data.
Laura Vidal:
There are many examples of this, from simple daily life activities to the darkest moments of history. Have you ever thought of the Holocaust as a story, a horrific story about data? It is. It’s a story of punch cards and carefully made lists. Old School data collection.
Laura Henderson:
It was these registries of residents that enabled Nazis to carry out massacres with vicious effectiveness not only in Germany but also in the neighboring countries they occupied.
Laura Vidal:
Take the example of the Netherlands. The registry is made before and during the Nazi occupation enabled the process. Before the occupation 100,000 Jews lived in Holland. During the German occupation over 100,000 were deported, and only a little over 5000 survived. France went through the same process of data collection and deportation of its Jewish citizens. Today, the French state is still reluctant to collect ethnic data of both residents and citizens.
Laura Henderson:
When Germany thinks of data, the Holocaust loons, the Nazi’s rise to power in the 1930s led to domination over information technologies. This meant that the punch cards and the list that had been carefully taken door to door asking people for their nationalities, their native language, religion, and profession were counted by the early data processors made by IBM’s German subsidiary at the time.
Laura Vidal:
GDPR. The European General Data Protection Regulation, one of the best known and most referenced legislation in privacy around the world is a result of this history.
Laura Henderson:
Data collection and human rights abuses are not exclusive to Europe and its history. Of course, there is the history of colonial powers, collecting data and using that data to subject populations and countries around the world. In Rwanda, after the Belgian departure from the country, authorities decided to continue the colonial practice to include ethnic group identities on ID cards with rigid racial group identities. This facilitated the identification of victims during the Rwandan genocide, allowing for scaled and systematized killings in a horrifying way.
Laura Vidal:
More recently, the Rohingya in Myanmar and Bangladesh have been subjected to violence facilitated by registries and ID cards. In 2016, Muslim residents and citizens of the United States held their collective breath, when yet another initiative to open a registry of their communities was in the works. The initiative didn’t come to fruition but it came to show how data can make us vulnerable when power changes hands. This is something we’re seeing now as so many Afghans worry about their white database left behind by both the US Army and the Afghan government are now in the hands of the Taliban.
Laura Henderson:
In a time in which we create data by just being alive and just breathing there’s a lot that needs to be discussed about data protection, how the politics and policies around data play out in different parts of the world. How technology changes our perception of what is private, who are the actors abusing our data, and who is pushing to protect it.
Laura Vidal:
Welcome to Privacy is Global, brought to you by Internews and the [unintelligible: 03:46] foundation. We talk about privacy, data protection, advocacy, and legislation guided by civil society organizations around the world. I’m Laura, Laura Vidal.
Laura Henderson:
And I’m also Laura, but Laura Schwartz Henderson. In our first episode, we discussed data protection in Brazil thanks to coding rights, and how facial recognition is facilitating oppression.
Teki Akuetteh:
You know, I’m just doing my job as I was programmed to do.
Laura Vidal:
And the last time we explored what issues regarding privacy and data protection were keeping our friends at paradigm initiative in Nigeria quite busy.
Bianca Kremer
When we’re talking about data protection, people might not take it as seriously. It’s like, okay, what’s that.
Laura Henderson:
What about today?
Laura Vidal:
Today we are going back to basics.
Laura Henderson:
So, as we said in our first episode, Privacy is Global wants to take its listeners on an exploration of data privacy and data protection around the world. And to do that we work in collaboration with many wonderful organizations to tell the stories of data politics in their countries and the strategies they are developing to protect data and push for more and better legislation.
Laura Vidal:
And we know how easy it is for this conversation to go well, everywhere. So we started the podcast in our first episode commenting on what privacy was to us, and why we think it is an ever-evolving concept that means so much to different people. A concept that has transformed over time and cultural contexts.
Laura Henderson:
Today, we want to dive into this complexity a little more, and to discuss briefly how these ideas, these perceptions, and the realities of data shape policy conversations. And also how legislation and regulation in this area could encourage people to be more aware and take more control over their data. This is way less technical than you may think. Many would be surprised. But beyond policy memos, legislative drafts, legal discussions, regulatory capacity, and technological complexity, our conversation has to do a lot with culture, political participation, and with how people can choose to have a real voice regarding how their information can be used by powerful actors, such as corporations and the state.
Laura Vidal:
GDPR has been a reference for many countries. But as you know now, it comes from a very particular history, and a particular way in which data is understood and privacy is embraced. This gets complicated as GDPR gets adapted to other regional contexts. And as we all come to understand data and privacy in ways that are locally and also globally.
Teki Akuetteh:
Model laws are good. But invariably, every country has its nuances. And we have to think about adopting these laws to meet those local nuances as well, which is very prevalent across Africa.
Laura Vidal:
This is Teki Akuetteh, the first Executive director of Ghana’s data protection commission. She has been significantly involved in the first few years of implementing Ghana’s Data Protection Act. One of the first in Africa.
Teki Akuetteh:
Every law has to have its context. Let me just give an example. Ghana adopted Data Protection Law because as a country, as with most African countries, we were positioning ourselves to look at the impact of ICT in accelerated development. One of the key things that you need to consider to create that enabling environment is to look at putting in place an enabling legal environment that can facilitate trust. Ghana’s law has one of the very peculiar provisions, which was particularly driven by the business process outsourcing ecosystem. Because at the time, the country had positioned itself to economically benefit from the business process outsourcing environment.
Laura Vidal:
And so one of the questions that had to be asked was, do we have in place enough laws to facilitate our engagement with other countries? Let’s take the example of call centers.
Laura Vidal:
Privacy and data have become such a topic of discussion globally. A topic that forces to see social and historical backgrounds that dominant groups have pushed to invisibility.
Bianca Kremer
It is important to mention that there has never been so much talk about privacy here. But not only about privacy, but data protection as well, which is the basic but also essential ingredient into building a culture of privacy in Brazilian society, which I think is the most important thing on this subject.
Laura Vidal:
This is Bianca Kremer from coding rights, telling us about Brazil, where there’s been legislation that passed after a very difficult debate. The legislation took a lot of inspiration from GDPR, the European piece of legislation. The use of data and the protection of freedoms in Brazil has a very complicated history connected to the history of Brazil’s inequalities. This was very much part of our first episode, by the way, where we talked about the social structures that ended up being the backbone supporting algorithms. This is as much about tech as it is about history. Here’s Bianca again.
Bianca Kremer
We are a nation with colonial heritage, and it is very important to point out that legal assets such as freedom, autonomy, and privacy have been historically constructed quite differently in our society, an amount of inequality of classes, and access to products and services of all kinds. And with the advent of emerging technologies, this scenario becomes even more evident. It is not wrong to say I believe that some of the main debates involving privacy data protection here involve the protection of fundamental rights and substantial equality.
Laura Henderson:
So this is about precessions, mentalities. That’s why it’s so important that people, in general, can grasp the importance of privacy in a moment in which globally so much information about us is being extracted and put to use or potential use. It seems that people’s awareness about privacy and their attitudes about privacy is key, especially if we want legislation to work. Here’s Victor Kapiyo, from KICTANet in Kenya.
Victor Kapiyo:
The mindsets are very important, and changing the attitudes towards privacy amongst members of the public, regulators, and government that I think over and above all, you can have strong laws. But when people have poor attitudes towards respecting privacy, then we’re not going to be making progress. In Swahili, the word for privacy is [unintelligible: 11:15], which means secret. And the challenge usually is that people ask you if you don’t have a secret, then why do you have to hide? So dealing with changing that mindset of the public to accept that it is okay to have privacy, and it is normal, as opposed to giving away all the information and people requesting for information without any regulation.
Laura Vidal:
Kenya also has a data protection law passed in 2019. And facing many challenges in practice. A data Commissioner was appointed almost a year after the law was enacted. The issues the Commissioner needs to confront are important. There are issues of implementation of institution independence, we’ll get back to that. However, one of the most important challenges comes as Victor explained with the public conception of privacy. And Kenya is not alone in this. Nigeria also faces complicated conversations regarding privacy.
Laura Henderson:
Nigeria has a data protection regulation, but activists have been pushing to pass a comprehensive data protection law, while also working with the private sector, government, and citizens to promote a better understanding of what data protection means and why it is important.
Gbenga Sesan:
One challenge in itself is the dominant perception of privacy as a Western idea, which it is not. And I think that is something that civil society and other stakeholders must walk on.
Laura Henderson:
That was Gbenga Sesan from paradigm initiative from Nigeria, a country where enforcing data protection and regulatory oversight is extremely complicated. As it’s often the government, that’s the perpetrator of data leaks and collects a huge amount of data on its citizens for a variety of purposes.
Gbenga Sesan:
In Nigeria, there are at least 6 government agencies, almost identical [unintelligible: 13:11] biometric data of citizens for various things, from voting to bank operations, to driver’s licenses, to international passports. And so you have all of this data. And also don’t forget, Nigeria is about 200 million people. And there’s this massive data collection going on about 50 million so far have been registered on what is called the National Identity number, which is run by the National Identity [inaudible: 13:37]. So all of this is happening at the same time, while Nigeria does not have a data privacy or protection law.
Laura Vidal:
Let’s jump the Atlantic and go to Bolivia, where organizations like Internet Bolivia worked through 2019 to create draft data protection legislation and mobilize policymakers only to see privacy issues become much less of a priority, both in terms of legislation and in the public conversation. Bolivia’s political and social landscape has been quite polarized and complicated. From days of civil protests that followed the disputed 2019 Bolivian general election to the complicated resignation of President Evo Morales that came after. Bolivia had on top of it all the covid 19 pandemic. Eliana Quiroz from internet Bolivia explains how this context can be even more challenging given the lack of awareness around privacy among Bolivians.
Eliana Quiroz:
Neither the government nor the civil society or the companies know much about it or not much about it with that [unintelligible: 14:57]. Because when talking with officials and authorities and civil society and also the companies. They have concerns, but they don’t label these concerns as privacy issues. For example, when talking with people or authorities, they tell us about some cases that they receive daily. Online harassment, for example, or threads or access to private information without consent. And they understand there’s a problem there, but they don’t see it as a privacy issue.
Laura Henderson:
Let’s add yet another complication, security. A lot of governments talk about data privacy as something that could limit what they can do in terms of security, and the tradeoffs between safety and security and personal privacy and civil liberties, which ends up being a pretty difficult conversation and a tricky negotiation between governments and civil society. Here’s Gbenga again explaining how we need to.
Gbenga Sesan:
Break this dichotomy between security and privacy. As you may know, in Nigeria, of course, a few other African countries we’ve had [unintelligible: 16:02] security challenges, either with terrorism or with increased crime and things like that. And so the security agencies always talk about the fact that it’s security first. And if you’ve mentioned privacy, the question is, what do you have to hide? If you have nothing to hide? Why are you talking about privacy? But interesting enough security and privacy work hand in hand.
Laura Vidal:
And here’s Bianca Kremer from Coding rights, once again, highlighting how this false dichotomy is playing out in Brazil.
Bianca Kremer
We are led to believe that there is no harm in giving up privacy in favor of, I suppose, collective security, or something like that, and of having nothing to hide. And this goes against the construction of the culture of privacy itself. And I was wondering, we need to define data protection here in Brazil, especially, is a fundamental right. And I think it’s not clear yet for the population. It is important for human dignity. And this is why I believe that when we understand the importance of data protection in these terms we’ll be less concerned about the legislation and tax itself, but the construction of collective importance of the protection of this field of human interactions.
Laura Henderson:
So we need a culture shift to get people to care and pass legislation. Is passing privacy legislation the end goal we’re all working for? For every country in the world to pass human rights-respecting data protection legislation. Well, yes, that would be great. But that’s not it. Once legislation is passed, there is so much more that needs to be considered when it comes to how regulations are administered and enforced.
Laura Vidal:
So what does it mean to have regulatory capacity?
Laura Henderson:
Think about it. These laws are complicated. And what is possible from a technological perspective is always changing. As we innovate and data processing capacities increase, meaning that you need a strong and nimble regulatory ecosystem capable of implementing and interpreting complex data protection legislation and ensuring powerful actors comply with the law.
Laura Vidal:
Gbenga spoke about it. He’s focusing on Nigeria, but that’s something that can be applied to many other regional contexts. What happens with regulatory bodies is very political, which means political circumstances and crises are also important and complicated aspects of regulation in practice. Here’s Gbenga.
Gbenga Sesan:
So there’s a politics of geopolitical zones in Nigeria. A lot of federal appointments have to be balanced based on 6 geopolitical zones. And so when you want to have a new agency those zones [unintelligible: 18:58] represented, so produces the commissioner, who produces the deputy commissioner and things like that. And I worry that could lead to a balkanization of the institution itself. And of course, there is a competing government interest, different government agencies who have interest between the justice ministry, communications ministry on all that. But I hope that we can manage those interests. Stakeholders are also called for an independent institution, a Data Protection Authority that is independent. Because many of the violations, as I said earlier, have been perpetrated by government institutions. And I’ll give one practical example of where a government institution was supposed to be corrected by another government institution. So the Immigration Service released the information of someone who applied for a passport on Twitter before that citizen was even handed the passport including sensitive information including the biometric page of that passport. And then the [unintelligible: 20:00] agency said that they will take care of the case. But unfortunately, that didn’t make any progress. So what you have is a violation of privacy rights by the government, by private sector institutions, and by other institutions. And because there is no data privacy and protection law no one gets punished. And that leads, of course, to a state of data abuse impunity.
Laura Henderson:
And this is something that Victor is seeing in Kenya as well.
Victor Kapiyo:
I think the first major challenge that is there is for the data commissioner’s office to assert its independence. Currently, they don’t have a big budget enough to roll out all its functions. They still have a very skeleton staff. And given the magnitude of responsibility, they will not be able to conduct their functions appropriately. They also don’t have an office, they are just being housed by the ICT regulator, the communications authority. So the task they have is rolling out the complaint management and enforcement compliance mechanism to tackle the rather carelessness and recklessness in how data is being handled across different sectors because that is the task they have.
Laura Vidal:
And Bia in Brazil.
Bianca Kremer
One of our biggest challenges is the autonomy of this authority because it is linked to the presidency of the Republic and we are living in a political moment of great polarization and conservatism.
Laura Henderson:
Polarization. That’s an important aspect of this discussion. We have social challenges, but also political ones. And polarized politics can distract from real debates and hijacked efforts to build and enforce legislation. To build a holistic legal and regulatory regime civil society needs to negotiate with government entities. And these bodies are also the ones who collect and use a great deal of citizen data and are often guilty of abusing and failing to protect this data.
Eliana Quiroz:
I guess the polarization in Bolivia is also a challenge because we are trying to push multi-stakeholder debate and even the government itself is polarized. So they don’t legitimize all the stakeholders to invite them to the discussion. And as the multi-stakeholders don’t have enough information, they don’t push the right to participate in the debate.
Gbenga Sesan:
But say that we citizens and the civic sector, and I’m biased here.
Laura Vidal:
We’re now listening to Gbenga.
Gbenga Sesan:
We need to pay a lot more attention to defining what will happen, especially what happened with 2020 being the year where a lot more data was collected, there was a lot more argument for data collection by governments and things like that. There were so many compromises in terms of data management, and data governance. We need to define what the new normal will be. The new normal cannot be the flagrant abuse of data privacy. The new normal and not be “the supervision of allegedly independent institutions” by supervising ministries. We have to make sure that the new normal is where data privacy is respected, especially with more data being collected by various stakeholders, including the government, the private sector, and others. And we are the ones that can define this new normal in various countries that we live in.
Laura Vidal:
Of course, none of these can happen without participation with all of those actors mentioned by Gbenga. Policymakers, regulators, companies, lawyers, and activists, but also citizens. We have to move from a regime of normalized data abuse to normalize data protection and engagement to prevent data abuse.
Laura Henderson:
And here’s why legislation and the ways it is designed to be implemented is also important. And also why we need to think differently about the approaches we take in our advocacy and the groups of people we work with to build consensus around this new normal. We’ve discussed how activists are pushing for national legislation but there is one case in particular that illustrates a very interesting way of making this happen. And it is working with policymakers and stakeholders at the municipal level. In Bolivia during the recent political crisis when national legislative efforts were stymied, Internet Bolivia went local. We’re talking about governance coming from the bottom up as well as from the top. Eliana explained a little bit further.
Eliana Quiroz:
We think that the best way to go is to mix two strategies, a bottom-up strategy, from the National Assembly, to the people, to the other stakeholders. But also a top-down strategy from the municipalities talking with the people who are living these issues daily. So, we are trying to push this complimentary strategy so we could have a strong public debate. Because we also think that if we had a bill, we have a law approved it will be very difficult to implement it. So, our base is to have a broad public discussion. So, we are working now trying to develop this [unintelligible: 25:35] the stakeholders. We are working as a foundation in some rural municipalities. And also in the city of La Paz. La Paz is the city where the government is based in Bolivia. And in every workshop that we are given and in every meeting, we are trying to develop some informed discussion. So in this way, we will have some legitimacy to propose a draft to the Legislative Assembly. And of course, we are working now with [unintelligible: 26:08] with some rural municipalities. And also the authorities there and we have new authorities since one month ago in Bolivia. And they are clearer than the national ones. Because they are receiving every day some concerns from the people. Everybody is new in the authorities. Now in Bolivia, we have national as well as local authorities brand new, like one month or four months ago. So I guess now the public discussion will shape a common wheel.
Laura Vidal:
But what is the common wheel? What is that culture of rights-respecting privacy? Do people care about their online privacy? And if they don’t, how do we get them to care?
Teki Akuetteh:
Getting them to care is simple. We care about things that we know and we understand.
Laura Vidal:
This is Teki.
Teki Akuetteh:
One of the key things that you need to do is demystify the subject because it can be very technical. And you can be demystified at various levels. You can demystify for the media, you have to demystify for the citizens, you have to demystify for the industry. Now, looking at the nature of the laws that we have, which are usually generic and have to be applied to different contexts. What it then means is that you need to isolate the different contexts and then communicate what privacy then means within those contexts. And that is extremely important because you suddenly move from people not seeing privacy and data protection as an abstract subject to them getting to a point where they now recognize privacy and data protection as an inherent part of them.
Laura Vidal:
And above all, collaboration.
Teki Akuetteh:
Collaboration is very important. One of the best things that I think that civil society can bring to the table is expertise. We are missing a lot of expertise on the data protection table. From the start, we need to be fully equipped capacity wise to collaborate and support the requisite government agencies in passing the right laws.
Laura Vidal:
And that is the end of our episode. Thank you so much for listening to Privacy is Global. You can follow us on social media at internewsadapt on Twitter, and internews_adapt on Instagram. There we keep you posted about our episodes and also about the organizations in charge of them. Many thanks to the experts that participated in this episode. Teki Akuetteh, Bianca Kremer, Victor Kapiyo, Gbenga Sesan and Eliana Quiroz. Laura Schwartz Henderson and I Laura Vidal are the Executive Producers and today’s hosts. The podcast is mixed by [unintelligible: 29:32], and some of the music was made by [unintelligible: 29:34]. We used it here under a Creative Commons license. Privacy is Global is part of the adapt project and is made in collaboration with Internews, and the [unintelligible: 29:46] foundation.