3.4 Data protection in the world
TABLE OF CONTENTS
- 3.4.1 Ever more legislation, not always protective
- 3.4.2 The non-protective legislative framework in the United States
- 3.4.3 The UN system
Keep in mind
It is difficult to navigate the multiple, more or less protective, frameworks on the management of personal data that may apply to your operational fields: to help you, there are tools that walk you through the existence of legislation and the levels of protection around the world.
The GDPR is the most protective framework for people’s rights, and there is other, equivalent legislation.
When laws or practices are questionable regarding personal data, as is the case in the United States or in many autocratic countries, increased attention is needed to assess risks, minimise data collection and contractually secure any sharing.
The protection of personal data in Europe is governed by the GDPR. Around the world, there are other standards on personal data, which are multiplying and taking different forms, thus complicating NGO compliance. This section presents the general context of data protection around the world and the tools that are available to learn about the country or countries of intervention of humanitarian actors, as well as the specific cases of the United States and the UN system.
3.4.1 Ever more legislation, not always protective
Around the world, an increasing number of countries are adopting laws to provide a framework as to how data is processed, as you can see in the capsule below.
This creates the impression that data protection is increasingly strong in the world, whereas some countries are putting laws in place that do not protect people’s rights. At this stage, the GDPR is the most advanced legislation on the topic and has implemented a system of adequacy to compare the levels of protection found in laws around the world (CNIL).
This map provides a measure of the degree of data protection in the world, based on its “adequacy” with European legislation (the GDPR). When a country’s laws are not considered “adequate”, organisations can inform themselves and, if necessary, position themselves strategically: for instance, if a country’s laws require organisations to transfer data on affected populations to the authorities for no legitimate reason, or for a dubious one, the organisation may decide to suspend its activities because it considers the risk too high compared to the benefits of the assistance it provides.
In countries of intervention where data protection is not as strong as that of the GDPR, sharing data is therefore risky, and specific tools allow for greater protection. These tools are discussed in subsection 3.5 on data sharing and transfer.
3.4.2 The non-protective legislative framework in the United States
In the United States, a law called the “Cloud Act” was passed in March 2018 allowing the US government (including intelligence agencies) to access data held by multinational firms regardless of where in the world the servers are located: this covers American organisations, but also foreign organisations that process data with American organisations. It may also concern data likely to “threaten public order”, and it allows the US government to conclude bilateral agreements with non-democratic States in this respect.
The EU considers personal data transfers to the United States to be illegal (the CJEU invalidated so-called “privacy shield” agreements between the EU and the United States in 2020 and you can check this FAQ on the decision). This means that data transfers to the United States do not comply with certain basic data protection principles.
Consequently, before any data can be transferred, whatever the responsibilities of an organisation with regard to the data (processor or controller), it is imperative (according to the French CNIL):
- to assess the conditions governing the transfers
- to implement appropriate measures to ensure that this data is subject to “equivalent” protection
You can also refer to these transfer impact assessment templates for the United States.
3.4.3 The UN system
The United Nations has its own legal framework for the processing of personal data: The Principles on Personal Data Protection and Privacy. It applies to all personal data that the United Nations processes or uses and to all UN agencies and bodies.
These principles follow the same general rules as those of the GDPR and were adopted in 2018:
- Fair and legitimate processing: personal data are processed within the mandate of the UN body in question; the legal bases are: consent; the “best interests” of the data subject, consistent with the mandates of the United Nations System Organization concerned; the mandates and governing instruments of the United Nations System Organization concerned; or any other legal basis specifically identified by the United Nations System Organization concerned.
- Purpose specification: personal data should be processed for specific purposes, which must be established and clear
- Proportionality and necessity: the processing of personal data should be relevant, limited and adequate to what is necessary in relation to the specified purposes
- Retention: a retention period must be established; personal data should only be retained for the time that is necessary for the specified purposes.
- Accuracy: personal data should be accurate and up to date
- Confidentiality: personal data should be processed with due regard to confidentiality
- Security: appropriate organizational, administrative, physical and technical safeguards and procedures should be implemented to protect the security of personal data
- Transparency: processing of personal data should be carried out with transparency to the data subjects, as appropriate and whenever possible.
United Nations System Organizations should have adequate policies and mechanisms in place to adhere to these Principles, and the majority of them do. United Nations System Organizations may transfer personal data to a third party; the recipient partner is, however, expected to uphold these Principles.
In practice, there are cases – more or less isolated depending on the United Nations agencies/bodies – where it is clear that some have not respected these Principles. A few of these problematic situations have even been publicly documented (often concerning an unauthorized data transfer to undemocratic States). Beyond that, some of them continue to propose clauses or annexes in data processor contracts that allow them – if signed as they are by NGOs – to recover all the personal data collected in the context of the projects, or even to ask for them independently of the clauses (such as the list of affected populations, the CRM database, etc.). This practice is quite questionable from a legal standpoint, not to mention the ethical one. Some elements can of course be shared on a case-by-case basis, such as in audits, as long as there is an appropriate legal basis, but this must be given serious consideration: can the data be anonymized, for instance, or can a precise sampling be defined? Indeed, sharing personal data engages the responsibility of NGOs towards the affected populations whose data they hold.
Best practices in case of non-compliance with the protection of personal data by a UN agency, such as an unjustified request to an NGO for the provision of data:
- Refer the agency to its own data protection policy or general principles, valid for all UN entities, or contact their DPO
- To the maximum extent possible, offer to share aggregated or anonymized data, or based on limited sampling
- Seek clarification on the use of the required data
Nevertheless, nothing compares with protecting yourself contractually upstream by checking the clauses that you agree to sign. Keep in mind that your priority above all is to “do no harm” to the affected populations whose data you hold.
Examples of policies/guidance that can be referred to in the case of a contradictory injunction:
Key points on the UN System’s data protection principles:
The United Nations has its own legal framework (which nonetheless comes close to that of the GDPR), which means that filing a complaint, should it ever prove necessary, will always be more complicated.
Keep in mind that UN entities have legal constraints, political pressures and interests to follow that may, in some contexts, run counter to some of the principles of humanitarian action. Forewarned is forearmed: it is better to contractually frame your planned data sharing and remind them of their own responsible data management policies where appropriate.