Addressing access to remedy in the digital age: Corporate misconduct in sharing and processing personal data

Event report

The moderator, Prof. Sheldon Leader, Director of the Essex Business and Human Rights Project and member of the Human Rights Centre at the University of Essex, introduced the panellists and stated that the session would discuss the transfer of data between businesses and government agencies, and the implications that has on human rights.

Leader said that despite business-to-business transactions, the state is at centre as the regulator. In light of this, Leader stressed the need to ensure access to remedy in the context of data-sharing in response to requests by public authorities, justified on grounds of national security or law enforcement interests.

Prof. Changrok Soh, Director of the Human Rights Centre at Korea University, and Member of the Advisory Committee to the Human Rights Council, commented that technology is vital to modern humanity, but that it poses a threat when personal data is misused. Soh said that safeguarding privacy can help to hide data from hacking. He said that technology and the industrial revolution have expanded human rights concerns because of the changes in the way humans interact, and this has had an impact on the power structure of society.

Soh argued that state agencies need to agree on which data can be shared with them to avoid human rights violations. He pointed out that there is some relief in encrypted data since the use of encryption encourages opinions and self-expression. New forms of human rights abuses in the digital age could be avoided if platforms are created where companies, governments, and civil society work together towards this goal.

Soh also mentioned that another solution could rest in international guidance on data regulation, and that there is a need to define new ways of protection when it comes to government overtures on privacy.

Dr. Krisztina Huszti-Orban, Senior Researcher, working with the Human rights, big data and technology Project, Human Rights Centre, University of Essex, noted that there are difficulties in regulating data usage in the technology era. Huszti-Orban pointed on the need to establish a relationship between privacy and data rights, and the ability to regulate the transfer of data. For example, the General Data Protection Regulation (GDPR) is able to regulate data that can be shared, but are policies adequate to protect data in the current age of technology? Regulation demands that individuals are responsible and assume control and autonomy, but it is difficult for individuals to track data. She stated that harm to individuals comes after the aggregation of pieces of data over a long period of time, which is difficult to control because it cannot be tracked to single source.

Huszti-Orban explained that the situation is complex because the regulatory instruments available cannot fully control all sources of data. There is a need to have domestic policies that are in tandem with international law. The basic principle of the UN is to respect human rights. This can be enforced if states have the legislation to enforce this. Data has cross border effects and as such is regulated by bilateral arrangements between states, but this can only be effective if there are both domestic and international laws to regulate data violations.

Huszti–Orban stated that informal data sharing between businesses poses a threat to human rights. Such arrangements can be helpful in quickening processes but there can also be harmful effects.

Different types of data are given different levels of protection, but there is a need to manage all data with sensitivity, and this poses a challenge. It is important to know that there are always human rights violations if data is not protected.

Companies can do a lot to protect data, for example, to challenge a government’s request if it sees that there are violations. However, rubber-stamping of data requests by judges is a problem, and there is a need to find other means to protect human rights. Companies normally do not have full information on international human rights law on how best they can handle issues of human rights when faced with issues of national security.

Sharing data with governments on human rights defenders, the opposition and critics can have serious human rights abuse implications. Huszti-Orban pointed out that companies have no excuse not to protect data, because sometimes data shared can lead to crimes against humanity by governments. 

Mr Bernard Shen, Assistant General Counsel, Microsoft, highlighted that Microsoft is always eager to share information on data management. Shen stated that their core responsibility is on maintaining trust in data usage. Control demands that meaningful information on privacy policies is provided to end users to allow them to give meaningful consent, but reasonable expectations from users must be taken into consideration in protecting privacy. Customers must also be provided with channels to provide feedback. Microsoft handles complaints by referring them to the complaints desk, where they are managed according to the laws of the country they come from.  

According to Shen, there is no direct access to Microsoft data, and any government access is by request. Requests from governments come with a secrecy order to not to inform customer that they are accessing data, and in 2016, Microsoft filed a lawsuit with the US District Court challenging the US government’s use of indefinite and overly broad secrecy orders, saying they should only be used on state security issues and that customer must be informed. Government cross-border requests also need to be clarified by the courts. Data is also protected by encrypting.

Governments and stakeholders need to work together on the necessary legislation on how best data can be protected.

Ms Nighat Dad, Founder and Executive Director at Digital Rights Foundation, commented that there is a lack of safeguards and remedy in developing countries. For example, in Pakistan, there is no data protection law and the culture of data protection is missing. Technology companies tend to respect the culture of data protection when in developed countries, but not when in developing countries. Governments also lack knowledge on the data mining capacities of the companies and hence lack regulation. Companies in the global south have a free hand in managing data. Big tech companies need to establish similar practices as they do in the global north.

In many instances where confidentiality is required, national security agents have become strong, demanding any data in the name of national security and the fight against terrorism. States cite many laws and companies fear repression. National security does not mean violating peoples’ rights. Moreover, companies can and should be held accountable when it comes to their sharing of data with governments.