Data-Intensive Systems Are Upon Us

April 19, 2018

Jam Jacob is Policy and Legal Advisor to the Foundation for Media Alternatives (FMA), a Philippines-based NGO and member of the Privacy International Network.
A lot of government initiatives today involve policies and technologies that rely heavily on data. They include the development of smart cities, national ID systems, device/SIM card registration systems, and the use of big data analytics. Unfortunately, these advancements are marked by problems such as their lack of transparency and accountability mechanisms, adequate implementing policies, the availability of or access to remedies, and proper measures to inform the public as to how they actually work. These, in turn, give rise to secondary issues: (1) use of data to profile individuals, leading to discrimination (and even oppression, in some cases); (2) increase in the surveillance of individuals, including activists and journalists; and (3) exposure of certain populations to further risks after their identities are revealed.
In the Philippines, the government has announced plans to adopt a mandatory SIM card registration system. This poses a number of problems, which FMA outlined in our latest briefing paper. There also remains the larger issue of how data-intensive systems can be developed and implemented in a way that does not violate the right to privacy.
There are two suggestions that I think are relevant to this debate:
The government should always provide a proper discussion forum. There has to be a time and place where all relevant issues about each system are taken up: Is it really necessary to address or solve the problems it is meant to solve? If it is, is it the best one available? If it has negative implications, what will be done in order to prevent or at least minimise such impact? These are questions that need to be answered before the system is adopted, and not after. Yes, the right to privacy is not absolute, but there is always that responsibility to make sure that whatever measure is being proposed, it should be the last resort and the least intrusive means possible.
If the decision is to adopt a data intensive system, make it compliant with international standards on data protection. A privacy by design approach should be adopted. We have all these data protection or data privacy principles that ought to be integrated by default into each data intensive system. For instance, collection should be transparent. The system should only collect the information necessary for its purposes. It should only be used for legitimate purposes. And then, of course, there is the responsibility of ensuring the security of all collected data.
As Filipinos, the consequences of not taking these suggestions seriously are grave and should not be hard to fathom. We have the 2016 COMELEC data breach to look back to. There, we had a data processing system that involved millions of personal data, with little to no safeguards in place. Many factors may have led to that incident, but not having the appropriate debates to tackle its vulnerabilities and potential threats was certainly one of them. Also, by now, that system’s failure to comply with our data privacy law is already a foregone conclusion. As part of the affected population, we owe it to ourselves to not let that happen again.
Learn more about the risks and history of data-intensive systems, and discover how to challenge and question these initiatives with Privacy International’s newest free course!