![Sample our Area Studies journals, sign in here to start your access, latest two full volumes FREE to you for 14 days]({"type":"image" , "src" : "/sda/5922/TOC-Subject-Sample-2021-Area-Studies.jpg"})
Abstract
While the European Union has recently become a champion of privacy rights and data protection, by enacting its General Data Protection Regulation (GDPR) in 2018, there is a growing body of research on the costs and benefits of digitalisation in the aid industry. On the ‘cost’ side, risks associated with privacy and protection of personal data are clear. The purpose of this paper is to explore how the EU and European aid organisations can protect the privacy rights of individuals residing outside the EU’s borders, by scrutinising those GDPR articles that may be relevant from the perspectives of aid-implementing actors working outside the EU and the European Economic Area (EEA). This analysis of the important EU documents describing its foreign and development policies shows that promoting digitalisation outside of the EU seems to be more important to the EU than data protection. Furthermore, while aid organisations registered in the EU/EEA are supposed to comply with GDPR, the regulation’s territorial scope is not clear enough and the EU is not able to protect the privacy rights of individuals residing in the Global South, nor is it necessarily interested in doing so.
Acknowledgements
I am grateful for the questions and advice I received on the first version of this manuscript from Dag Wiese Schartum (Department of Private Law at University of Oslo), Balazs Szent-Ivanyi (Aston Centre for Europe at Aston University, Birmingham) and Lothar Fritsch (Department of Informatics at University of Oslo), and also for the useful comments during the review and revision phase. Funding. The research was supported eby Tempus Public Foundation (Hungary) within the Hungarian National Eotvos Scholarship (MAEÖ-00071-002/2020) ex post.
Disclosure statement
No potential conflict of interest was reported by the author.
Notes
1 Most cyberattacks targeting an organisation begin with so-called phishing, the purpose of which is to steal online credentials (username, password) to access (personal) data.
2 Parker (2020) devoted further research to a major hacking attack into the IT systems of the UN in Europe by exploring how the UN got hacked in summer 2019 and how it handled this breach, and by raising questions about the UN’s responsibilities regarding data protection and its diplomatic privileges.
3 For example: information-communication technologies (ICT), the utilisation of the location/geographic data of devices (geographic information system [GIS] technologies), tracking behavioural patterns on social media and big data analyses.
4 The right to privacy is defined in Article 12 of the UN’s Universal Declaration on Human Rights (No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks) and also in Article 8(1) of European Convention on Human Rights (Everyone has the right to respect for his private and family life, his home and his correspondence).
5 Virilio, Politics of the Very Worst.
6 Data protection policies of international organizations (WTO, IMF, UNHCR, ILO, IMO, ICRC, etc) could also be cited, but their bibliographic data is omitted for reasons of space. For illustration see ICRC Citation2016 and ICRC Citation2019. The same applies to references to various ‘data protection’ handbooks issued by international NGOs.
7 The term ‘large scale’ is not defined in GDPR, but European Data Protection Board guidelines on the interpretation of the GDPR recommend a set of factors be considered when determining whether the processing is carried out on a large scale, such as the number of individuals concerned (either as a specific number or as a proportion of the relevant population); the volume of data and/or the range of different data items being processed; the duration, or permanence, of the data-processing activity; and the geographical/territorial extent of the processing activity (Article 29 WP 2017, 10).
8 Some key terms: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. ‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. ‘Data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (EU GDPR Citation2018, Article 4).
9 Competent data protection authorities of international organisations (organisations and their subordinate bodies governed by public international law) are listed on the EDPS website: https://edps.europa.eu/data-protection/notre-r%C3%B4le-en-tant-que-contr%C3%B4leur/international-organisations_en
10 Paragraph 64: ‘[i]t follows that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine’.
11 Paragraph 72: ‘EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice. Accordingly, a supervisory or judicial authority of a Member State remains competent to weigh up, in the light of national standards of protection of fundamental rights […] a data subject’s right to privacy and the protection of personal data concerning him or her, on the one hand, and the right to freedom of information, on the other, and, after weighing those rights against each other, to order, where appropriate, the operator of that search engine to carry out a de-referencing concerning all versions of that search engine’.
12 There were 30 posts and articles under the topic/keyword ‘development and humanitarian sector’, and 44 related to the GDPR (as of 20 November 2019). See https://privacyinternational.org/search?keywords=
13 See (and browse by the theme ‘solutions and innovations’) http://www.thenewhumanitarian.org/solutions-and-innovations?page=4
14 For more about the Responsible Data community and The Engine Room, an advisory group working on data and technology, visit their website at https://www.theengineroom.org/projects/responsible-data/
15 The Brussels Privacy Hub conducts research on and publishes guidelines for organisations providing humanitarian assistance on how to protect personal data of affected individuals and of their own personnel. See https://brusselsprivacyhub.eu/projects/data%20protection.html
16 See the posts under the theme/label ‘new technologies’ and ‘technology in humanitarian action’ published at https://blogs.icrc.org/law-and-policy/
17 An unstructured interview with the former and current heads of the Palestine desk at Norwegian People’s Aid was conducted in Oslo, 30 August 2019. I also exchanged an email on the subject ‘data protection agreement’ with Redd Barna (the local, Norwegian office of Save the Children; 13 March 2019) and had a longer email correspondence combined with a Skype discussion on privacy rights in Palestine with a representative of 7-amleh, an Israeli-registered NGO protecting Palestinian digital rights (spring and autumn 2019).
18 As Recital 112 (of the Regulation) allows, actors (data controllers) are allowed to use legitimate bases other than consent in case of data transfer: ‘[a]ny transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject’ (EU GDPR Citation2018).
19 Having reviewed over 100 articles, Vashistha et al. (2018) identified five factors – culture, knowledge gaps, unintended technology use, context, and usability and cost considerations – that shape people’s perceptions on security and privacy. They should likely be taken into consideration by donor countries and aid organisations too.
20 See, for example, how the privacy notices of the following randomly selected but well-known NGOs define their data subjects (the websites/pages were accessed in November 2019): Oxfam (UK): supporters, volunteers, visitors, staff, participants at events, see https://www.oxfam.org.uk/privacy-and-security/full-privacy-policy; Save the Children (UK): supporters and visitors of website, individuals interacting via social media, individuals donating money via third parties, see https://www.savethechildren.org.uk/misc/privacy-cookie-policy; Médecins Sans Frontières International: givers, donators, website visitors, survey participants, see https://www.msf.org/privacy-policy (Switzerland); Welt Hunger Hilfe (Germany): Spender/innen, Kooperationspartner/innen, Interessenten und sonstige Besucher unseres Online angebots, see https://www.welthungerhilfe.de/datenschutz/ (in German only); Swedish Organization for Individual Relief (Sweden): IM registrerar personuppgifter i samband med att du skänker en gåva eller köper en vara; att du beställer ett inbetalningskort; att du kontaktar oss via e-post, post, telefon; att du anmäler dig som volontär; att du blir medlem; att du anmäler dig till ett evenemang; att du öppnar ett mail från oss eller klickar på en länk i ett mail från oss, see https://www.imsweden.org/om-im/integritetspolicy/ (in Swedish only); Baptista Szeretetszolgalat (Baptist Aid, Hungary): ‘termeszetes szemelyek’, see http://www.baptistasegely.hu/adat/tartalom/1342/fajlok/ii.-bsz-ejsz-adatvedelmi-es-adatkezelesi-szabalyzat.pdf (in Hungarian only); Norsk Folkehjelp (Norway): medlemmer, fastgivere, enkeltgivere; besøkende til hovedkontoret, Oslo, see https://www.folkehjelp.no/Personvernerklaering. The Norwegian Fundraising Assosication (Norges Innsamlingsråd) drafted a code of conduct on personal data protection (Bransjenorm Frivillige organisasjoner og behandling av personopplysninger) that can be used/followed by Norwegian voluntary organisations. It does not mention the beneficiaries of Norwegian aid organisations living in the Global South, their privacy rights, or ways of protecting their personal data either: http://www.innsamlingsradet.no/wp-content/uploads/2016/02/Bransjenorm-personopplysningsloven-pr-180305-midlertidig-versjon.pdf
21 On the developments see the Legislative Train Schedule at http://www.europarl.europa.eu/legislative-train/theme-new-boost-for-jobs-growth-and-investment/file-mff-2021-2027-mff
22 The Digital Europe programme has complementarities and synergies with a number of other proposed instruments in the post-2020 MFF, notably Horizon Europe, Connecting Europe Facility (CEF2), EU Values Fund, Creative Europe (including the Media programme), InvestEU Fund, COSME, European Regional Development Fund (ERDF) European Social Fund + (including Youth Employment Initiative and basicdigital skills), Erasmus +, European Globalisation Adjustment Fund (basic and advanced digital skills), Internal Border Management Fund, Environment and Climate Action (COM) Citation2018-434, 10, 32) – some of these areas and instruments are also relevant from the perspective of international development too.
23 The External Investment Plan (adopted in 2016), the main source of financing of which is the European Development Fund, would have deserved a place as digitalisation is one of its priority investment areas, but has been left out of the analysis for reasons of space.
24 For example, during the Humanitarian Networks and Partnerships Week (HNPW) (Geneva, February 2019), the European Commission’s Civil Protection and Humanitarian Aid Operations department (ECHO) hosted a panel discussion (Do No Digital Harm: Toward Data Responsibility in Humanitarian Action) on data responsibility in humanitarian action, jointly with the United Nations Office for the Coordination of Humanitarian Affairs (OCHA). The participants acknowledged that ‘humanitarian organisations collect and share more data than ever before. How the humanitarian community handles this data revolution to inform decisions and improve lives will be a key determinant of its future effectiveness. In order to “do no harm”, humanitarians must be able to navigate the technical and ethical issues involved with working with data about crisis-affected people. Data responsibility involves understanding the risks and harm that can come from collecting and processing data about affected people and making informed decisions about storing and using such data’. More about this can be found at https://ec.europa.eu/echo/content/do-no-digital-harm-toward-data-responsibility-humanitarian-action_en
25 By various means, such as adopting the EU Human Rights Guidelines on Freedom of Expression Online and Offline (Council of the European Union – Foreign Affairs Council, 9647/14; 12 May 2014) and the Council Conclusions on the Action Plan on Human Rights and Democracy 2015–2019 (Council of the European Union – Foreign Affairs Council 10897/15; 20 July 2015).
26 EU contracting partners (organisations) are expected sign a funding agreement, annex II of which specifies the General conditions applicable to European Union-financed grant contracts for external actions. Article 1(5) of version ‘august 2018, e3h2_gencond_en.doc’ (p4) says that ‘[g]rant beneficiaries and contractors must ensure that there is no detection of subcontractors, natural persons, including participants to workshops and/or trainings and recipients of financial support to third parties, in the lists of EU restrictive measures’. Available at https://www.archipelago-eutf.eu/fileadmin/user_upload/Calls/796-APL-1-2019/Info/EN/Annex_II_gencond_en.pdf or https://ec.europa.eu/trustfundforafrica/sites/euetfa/files/annex_g_-_annex_ii_-_general_conditions_0.pdf (accessed 16 May 2020).
Additional information
Funding
Notes on contributors
Beata Paragi
Beata Paragi is an Associate Professor at the Corvinus University of Budapest. She was a Visiting Researcher at the Hebrew University of Jerusalem and an EU Marie Curie research Fellow at the Fafo Research Foundation, Oslo. Her publications include papers published in Current Anthropology, Journal of Intervention and Statebuilding and Alternatives, and a recent monograph, Foreign Aid in the Middle East: In Search of Peace and Democracy (2019, I. B. Tauris – Bloomsbury).