Must consumers passively accept privacy policies/terms that permit businesses to share and use their personal information? Is all that patients can do just tolerate their medical and social welfare information being used for research by third parties without individual consent; besides withdrawing after the fact, is there no better way to ensure the right of consent?
The International Digital Human Rights Conference RightsCon was held in Taiwan this year and TAHR was selected to organize a roundtable discussion. Together with digital human rights citizen groups and experts from around the world, we collectively identify patterns of behavior that qualify as “bypassing the right to consent” in the areas of health, telecommunications, and the internet. We had a series of discussions on how we can regain our data autonomy. Additionally, we have been invited to collaborate and participate in various sessions on different topics, covering communications surveillance, digital identity, and the control of content online.
Taking back control over our health and digital communications information
In a roundtable discussion, we shared TAHR’s 10-year long lawsuit against the National Health Insurance Database’s constitution and its legislative amendment dynamics, as well as last year political parties used telecommunications information to analyze crowds at rallies and marches, after we collected evidence showing that telecommunications information used by the digital advertising industry could be linked with personal data from other sources, with the personal information meeting preparation office, we exchanged official documents with the Personal Information Protection Commission's Preparatory Office and the Communications Commission.
Participants from the Philippines shared that as of 2023 the government requires SIM card holders to register their real names in order to fight against SMS fraud. In both public or private sectors, cases of forced consent occur, or other reasons are used to bypass consent, excessively infringing on the right to consent. The terms “agree to all” or “allow all” for personal information tracking are widely used in various services, but consumers/users are not necessarily aware that they have the right to refuse.
Besides this round table discussion, in other sessions related to health data, Belgium participants emphasized the importance of “Consent by Design,” who recommended that the right of the data subjects to consent should be consider in research designs, an ongoing interactive relationship should be established to keep data subjects informed of research progress and propose suggestions and feedback on data use.
Data brokers and digital identity: Democratic society’s hidden worries
In various seminars before RightsCon, we shared the changes to the law made last year to enforce the preservation of network traffic records (browsing domains, apps, and other metadata), the Ministry of Justice has stated that the retention period is “at least one year.” We referred to past rulings in Europe, and raised concerns about indiscriminate retention and prolonged retention periods. The German citizen group GFF shared that after the ruling, Germany adopted mandatory retention for specific cases, rather than indiscriminately preserving all past online activities. Recently GFF has been concerned with the issues of data mining and analysis companies selling data to the police for predictive policing. Now it is known that Palantir provides the German police force with automated data analysis services, but the relevant law, personal information collected by companies, and the methods of automatically creating individual profiles are not transparent.
Protecting personal data is the basic foundation of technological solutions. Technological solutions that do not have this basic right written into their systems will lead to even more problems. This time they had the opportunity to participate in the ambivalent discussion of digital identity litigation. The participants each expressed that their country’s digital identity system was consistently making a comeback, but the system’s progress was still very restricted, as each lawsuit could only bring about a small amount of change. Kenya has experienced more than one lawsuit against the country’s digital identity policies. The country finally amended the personal data laws; however, the next digital identity policy did not undergo the personal data protection impact assessment required by the law. Kenya and France jointly filed a lawsuit against the digital identity and biometrics giant IDEMIA, only causing the company to add another form to its due diligence investigation. As courts block one problematic policy after another, advocating for digital identity policies to take human rights protections seriously requires citizen groups and experts around the world to join forces.
Translated by: Emma, Intern
Mandarin version :https://www.tahr.org.tw/news/3712
