2018 saw the General Data Protection Regulation introduced in May, but it also saw public bodies, security and law enforcement agencies awarding themselves ever increasing surveillance powers.
This statement was originally published on privacyinternational.org on 1 February 2019.
The Privacy International Network is celebrating Data Privacy Week, where we’ll be talking about how trends in surveillance and data exploitation are increasingly affecting our right to privacy. Join the conversation on Twitter using #dataprivacyweek.
Since 2014, the Privacy International Network has produced State of Privacy reports, a collaborative effort to record global privacy and related issues.
As we close Data Privacy Week this year, we’re pleased to share an update of the State of Privacy in 2018 presenting the most recent developments for 18 countries in Africa, Asia, Latin America, and the Middle East. Below we outline some key trends.
Data protection: here, there and everywhere
2018 was a very eventful year for data protection across the world, and not just because the new General Data Protection Regulation was adopted in Europe in May.
Various countries, including Kenya, Egypt, Pakistan and India, took initial steps to regulate the processing of personal data. Others, like Brazil, Lebanon and Uganda went even further and adopted bills which had been pending. A reformed law was approved in Tunisia, and similar processes were initiated in Argentina and Chile.
However, some countries are stagnating, as a draft data protection bill in Indonesia is still pending. And others, such as South Africa and the Philippines, are failing to act on the shortcomings in their own data protection frameworks.
Surveillance packaged in different shapes and sizes
Public bodies, security and law enforcement agencies are awarding themselves ever increasing surveillance powers through laws on cyber security and cyber crime, or laws regulating new areas such as social media, or with the adoption of ID systems.
The newly adopted Cybercrimes Law in Egypt provides authorities with further leeway to conduct comprehensive communications surveillance. Over 40 state and central government departments in India have deployed a social media monitoring tool called AASMA (Advanced Application for Social Media Analytics). It can collect and analyse “live data” on users from “multiple social networks” including Twitter, Facebook, YouTube, Flickr, and conduct sentiment analysis on this data.
In October 2018, the Philippine Statistics Authority finalised the implementing rules and regulations for a national ID. This means that soon enough this identity system with all its flaws and vulnerabilities will be rolled out nationwide and will become yet another surveillance tool available to the current administration.
Leaks (breaches) and leaks, but yet no one is turning off the tap!
Not a day goes by without news of a breach or leak of personal data, and yet governments and companies continue to create large data systems without prioritising security and privacy. In January 2018, news broke that access to the details such as names, addresses, and photos of 1.3 billion records on the UIDAI database in India were being sold for 500 rupees (USD 8).
In April it was reported that Lebanese embassies had exposed the personal data of Lebanese citizens abroad, leaving it easily accessible to third parties.
One month later, the online traffic fines website ViewFines reportedly had a breach of personal records of 943 000 South African drivers. And in June, financial services company Liberty disclosed that its email repository had been breached by a third party trying to demand a “ransom” in exchange for the data, exposing an unknown number of customers to risk.
And the examples never end….
But it’s not all gloom and doom
Despite ending 2018 with mixed feelings and some heightened areas of concern, we’re also pleased to see some positive developments which remind us that we must keep going.
Faced with growing opposition, a bill which proposed the implementation of a biometric identification system in Tunisia was withdrawn in January after concerns were raised about the lack of safeguards.
The Indian Supreme Court did rule that India’s biometric identity database – which has the biometric and personal details of over a billion people – was constitutional, but demanded alimitation on the use of Aadhaar by the private sector, and further stated that Aadhaar could not be made mandatory for SIM card registration and the opening of bank accounts.
Also in 2018, Article 19 of Chile’s Constitution, which protects the right to a private life, was reformed to add a specific right to the protection of personal data. And in November, the Mexican Supreme Court overturned a proposed law that aimed to expand the communications surveillance powers of the Center for Research and National Security, a national intelligence agency.
Every little bit helps. But it’s not enough for us yet so we won’t be going anywhere in 2019!