Privacy in the Era of Surveillance
Good evening. We are beginning our discussion. The next 60 minutes, we will spend together discussing privacy in the era of total surveillance. My name is Vita Volodovska, I am the senior legal counsel at the Digital Security Lab.
This Ukrainian NGO works in two main directions: first of all, we support NGOs, journalists, and civil rights activists regarding issues of digital safety. The second important focus of our activities is creating a nurturing environment for development and protection of digital rights and freedoms in Ukraine. Today, we will discuss one of these digital rights: the right to privacy. Our discussion is being held within the Data Ctrl Centre project initiated by Goethe Institute Ukraine, which is aimed at promotion of media awareness and protection of personal data on the Internet. This project also features an online and offline exhibition, which is aimed to draw attention to the ways we share our personal data, and who uses them subsequently and in what ways. Right now I’m at the pavilion where the offline exhibition takes place.
Due to the latest quarantine restrictions, you can visit it on business days. It is located at the M17 Contemporary Art Center in Kyiv. You can also visit the online exhibition at any time. The project website features new exhibits every day, so please take a look. I would like to introduce my colleagues who will join this discussion and share interesting insights from their countries.
Galina Arapova is a media law expert, director and senior media lawyer at the Mass Media Defence Centre. This well-known Russian organization focuses on freedom of speech. Galina is also the head of the Public Commission on Media Complaints and the High Level Panel of Legal Experts on Media Freedom, which was founded in 2019. My Belarusian colleague, Alexey Kozliuk, is a civil rights activist, lawyer, and researcher from the Human Constanta team.
He is also the program director of the Mass Communications Foundation and author of educational materials and events in the sphere of information access and freedom on the Internet, privacy, and personal data protection. Alexey was also an intern at the ICNL (International Centre for Non-Commercial Law), working with limitations of access to content under various jurisdictions. Good evening, I’m delighted to see you all.
Let’s start our discussion without further ado, because these issues are really important. At present, privacy concerns are being ardently discussed not only in the expert circles, but also by the wider audience. People are interested in the ways their personal data end up in the hands of Internet corporations, how they use these data, and how it impacts our rights and everyday lives. Today, I would like to begin with the ways government collects our data, because the state was historically the main stakeholder of our data and the ways we communicate in society.
On the one hand, the state is bound by international human rights conventions that ensure each citizen can realize his or her rights and potential. On the other hand, the state also ensures public interests, protects national security and public safety. This year has also added health care to the list of our main concerns.
The question is, how to find the delicate balance? To what extent is the state entitled to our personal data in order not to cross the boundary, for instance, hinder the opposition or limit freedom of speech? On the one hand, global trends we witness nowadays, such as the EU General Data Protection Regulation, suggest that some states are ready to enhance our personal data protection, e.g. from the Internet corporations that use these data in their business models. On the other hand, we often hear voices in favor of limitations of the freedom of Internet as we know it, because Internet crimes, perpetrations against children etc. are on the rise. There are many initiatives that advocate weakening of encryption, introduction of backdoors that would allow intruding into communication and obtaining the data that are presently encrypted. Some of these contemporary trends may lead to better protection of personal data, while others might create serious threats. Moreover, one can say that the states inclining towards authoritarian rule actually collect personal data in order to strengthen their power, limit freedom of speech, weaken the voices of opposition, and protect their authoritarian regimes. In particular, this is realized through the extent of the Internet regulation.
Galina, I would like to hand this over to you, since Russia is one of the countries where Internet regulations and the amount of legislation setting rules both for the citizens and for the Internet platforms is quite massive. What initiatives exist nowadays in Russia, and what threats for personal data protection and freedom of speech do you see as a media expert? Galina, you are welcome.
Good evening, colleagues. Thank you for the invitation, Vita. I would like to start with my very first slide, please. Indeed, Russia has a large amount of legislation regulating both the private sphere and dissemination of data on the Internet. In recent years, Russia has passed a package of legislation that further limits dissemination of information online, with regard both to the content and the entities disseminating information.
The disseminators include not only citizens, but also platforms, messengers, social networks etc. Russian legislation introduced the notion of “organizers of dissemination of information”, which comprises any platforms that allow users to exchange messages online. The organizers of dissemination of information are also obliged to control users, collect information on their facts of communication, IP addresses, personal data etc. They also cooperate with security services, including the FSB.
The law on personal data has existed in Russia for quite a long time. It was passed in 2006, and it’s been actively applied. The controlling entity in this sphere is the media regulator.
In Russia, this role belongs to Roskomnadzor, which not only registers mass media, but also controls dissemination of information online and keeps registers of terrorist organizations, personal data breachers, fake information etc. At the time, the law on personal data seemed quite strict. Nowadays, we understand that it’s quite innocent compared to other regulations. Nevertheless, its main task was to ensure safety of personal data storage and processing. Presently, we see attempts to use this law against mass media and journalists. Journalists are charged with dissemination of personal data, or, instead of filing a lawsuit on defamation and disclosure of personal details, paying a lawyer, and fighting their opponent on equal terms, people turn to the media regulator and file a complaint on their confidential data breach.
Under these circumstances, mass media editors have to deal with the media regulator, which acts on behalf of the state. This is a widespread practice. Our organization often helps journalists in such cases. So far, it’s been quite successful, but we are deeply concerned with this practice. In many ways, the Law on Personal Data is similar to GDPR. Many provisions of the Russian law use the same approaches. Still, the devil is in the details. To me, these details are primarily in law enforcement practice.
We cannot rely on an independent court that would settle a dispute with regard to public interest, international standards, the practice of the European Court etc. The second law that should be mentioned is the Law on Information, Information Technologies, and Data Protection. We used to refer to this law with regard to access to information and transparency of data.
Nowadays, this law is mostly related to grounds for limitation and blockage of dissemination of data. This law mostly regulates the Internet. It contains an unpleasant demand about localization of storage of personal data of Russian citizens on the territory of Russian Federation. Correspondingly, this law also applies to large platforms, such as social networks.
All the personal data of Russian users of Facebook, Twitter, LinkedIn, Google etc. are required to be kept on the territory of Russian Federation. Large players of this business are not very eager to separate Russian users from all the others. Besides, there is an evident problem: what about users with double citizenship? How should Facebook determine that this user is a Russian citizen, and his or her data should be kept on servers within the Russian Federation? What about foreign citizens who use social networks on the territory of Russian Federation from a café with a Russian IP address? What about diplomats in Russia or foreigners working in Russian firms? Numerous questions arise with regard to the application of this law. Nevertheless, this law already has its victims. LinkedIn was blocked in Russia precisely because it had ignored the requirements of the Russian media regulator concerning the storage of personal data of Russian users on Russian territory.
This is why LinkedIn is only available in Russia via VPN or Tor. The third large block of legislation is the so-called “Yarovaya package”. It comprises 19 legislative amendments that are mostly motivated by struggle against terrorism. As we know, many countries limit their citizens’ rights and freedoms under pretext of anti-terror activities.
First of all, this influences the right to privacy and anonymity online. This was probably the right that was the most impacted by these anti-terror laws. The so-called “Yarovaya package” is one of the most reactionary laws of the recent years, imposing a new level of surveillance, which I will briefly comment on later. Finally, there are restrictions related to the pandemic, self-isolation regime, quarantine measures etc. Since March, when quarantine was introduced in different regions of Russia, we also witness efforts related to identification of citizens, attempts of controlling them and collecting their personal data by various government institutions that are supposed to control compliance with sanitary norms. This has already caused serious problems, especially in Moscow, which introduced a system of face recognition.
This is a new approach towards controlling citizens’ behavior, enhanced by the AI technologies. Again, this is motivated by taking care of citizens. Next slide, please.
Just a few words about the Law on Personal Data. In spite of the fact that the media regulator actively controls realization of this law and deals with complaints on its violations, there are two public registers available online. Both are the responsibility of Roskomnadzor. One of these registers contains operators of personal data – any organizations that collect data of people besides their employees. These include schools, medical institutions, various service organizations, and editorial boards of mass media, since they work with sources of information.
Russian media dislike this fact. This undoubtedly is an additional tool of control over journalists. Besides, there is the register of perpetrators of rights of personal data subjects. It comprises organizations that were fined or somehow punished for breaches of personal data. The next slide contains a bit of statistical information. Just look at the scale. Unfortunately, data for 2019 and 2020 have not been published yet. However, these are the Roskomnadzor data about violations of the law on personal data for 2018.
A huge number of protocols every year. Almost 4 million rubles in fines. Citizens mostly complain about organizations that bother them, for instance, by spreading inappropriate advertisements. Sometimes they complain about collector agencies or public utility operators, sometimes it’s about website owners. This is less relevant for mass media, but it is still a huge and ever-updating register of organizations that breached personal data, and mass media are also on the list.
I consider these activities on protecting and protocolling personal data breaches somewhat excessive, although I agree with European governments on the necessity to introduce new rules in order to protect Internet users from dissemination of their data. Of course, the Internet provides many opportunities for malicious usage of personal data, especially since the owners of various platforms have technical possibilities to analyze, generate, collect huge arrays of data of the Internet users and use them according to their ethical standards. This surely requires a legislative answer. However, we should consider that citizens’ right to privacy should neither be compromised by commercial users or the state, nor can it remain absolute. There should be a really delicate balance. I would also like to tell that… Next slide, please.
As I’ve said, LinkedIn was and still is blocked in Russia. However, the latest scandal in relation to the law on localization of personal data is the case with Telegram. I’m sure everyone heard that Russian government has been persecuting the Telegram messenger. The messenger was blocked in Russia, which led to blockage of thousands or even hundreds of thousands other sites, because the government was blocking sites by IP addresses in order to hunt Telegram down. Thousands of websites could have been using the same IPs. Everyone was impacted: banks, Burger King, or anyone who shared the IP address with Telegram.
Everyone was following the Roskomnadzor hunt for Telegram with popcorn. The funny thing is, two years later, the government announced that they would stop blocking Telegram and quietly retreated to its previous position. Of course, during this period, Telegram has become larger and stronger, gaining popularity not only in Russia, but also in other, even non-Russian-speaking countries. Interestingly, the lawyers representing Telegram have filed a complaint to the European Court, and it was recently communicated. In any case, we are waiting for the European Court verdict, and it will be interesting, because it’s a case of blocking a messenger due to its non-compliance with localization requirements. These violations were mostly related to refusal to provide the encryption keys for the messages.
I will elaborate on this on the next slide. I will also tell about our pain, the Yarovaya package with its amendments to 19 laws. Surely, this package is quite reactionary with regard to the right to privacy, anonymity online, confidentiality of phone conversations, messaging, and post deliveries, as well as rights to freedom of speech, religious freedom, and missionary activities. Quite a number of human rights were jeopardized by these amendments. The specific feature of Russian legislation is… Russia is not the only country introducing requirements for mobile, Internet providers, and other active players of the Internet market.
Russia was not the only country demanding from these entities to collect information about users, accumulate it in databases, and provide them to the state if necessary. Again, the devil is in the details. In other countries, these data can be provided with a court warrant, and it’s mostly about metadata on communication between persons A and B (for how long they spoke, at what time, how many times etc). But it’s not about the content of these conversations. Russia went further, demanding from mobile and Internet providers as operators of data dissemination to collect the entire content.
That is, they record phone conversations, text messages etc. Security service, which has access to these data, is also entitled to conduct investigation. This is an obvious object for criticism from the international community and Russian lawyers and human rights activists. Security services, including the FSB, can access these data without court decision.
The law on postal communication was also amended by Yarovaya package. According to these amendments, Russian federal post and private postal companies, including DHL, are obliged to check all the postal packages for forbidden items, such as weapons, drugs, or money. Evidently, this is a serious invasion into the privacy of citizens and their right to confidentiality of postal deliveries. Next slide, please. Our main concern with regard to Yarovaya package is that mobile providers have to keep the full content for 6 months. For instance, everything Vita wrote me about this event can potentially be preserved, and security services can access this information, assuming that Google won’t keep our messages confidential (I’m a Gmail user).
All text and audio messages, images, sounds, videos, and other electronic messages are preserved for 6 months. The metadata are kept for 3 years since the first communication fact. Of course, this is a matter of deep concern, as it seriously undermines the citizens’ right to privacy and violates human rights. Since law enforcement has access to this information, it is a serious threat for everyone, first and foremost for activists, opposition politicians, journalists, bloggers. Next slide, please. Lastly, I would like to say where we are headed next.
The system of face recognition, which has been actively introduced in Russia for several years now, reached its peak during the pandemic, when the government openly and quite self-assuredly started talking about the necessity of face recognition systems usage. They fine citizens, referring to face recognition systems that evidence their violation of the demand to stay at home during the pandemic. Moscow is the testing ground for the system. It is introduced via so-called Smart City System, which comprises about 170 information systems and resources.
In fact, the government has at its disposal a huge array of data collected through mobile providers. As soon as quarantine restrictions were introduced in Moscow and Nizhniy Novgorod, citizens had to install mobile applications. If a person was infected with coronavirus or had contacts with someone infected, he or she had to receive a special QR code via this app in order to go out to the street. In case a person failed to do this, there were problems.
This QR code and stations of mobile providers allowed tracking citizens’ movement. Thus, via these QR codes and mobile operators’ data, the government could obtain data about movement of Moscow citizens around the city. For now, this is only about Moscow dwellers, because visitors of the city are not users of this system. Their movement can be tracked via surveillance cameras instead of this coronavirus application. Besides, the government can also analyze data from the websites that citizens read via the city WiFi and compare them with data on rides involving shared bicycles, kick scooters, and cars.
It also actively monitors mobile numbers, taxi, and carsharing data. Thus, it’s a huge data pool, which is formed through private companies that are obliged to provide these data to the government. They have to do this for fear of losing their license.
Unfortunately, under these circumstances, they will rather provide these data than refuse for the sake of respect for their clients’ anonymity. These are my main points for now. I must say that the face recognition system is actively discussed by Russian lawyers and civil rights activists. They’ve already filed two complaints to the European Human Rights Court.
My colleagues oppose the usage of this face recognition system, referring to violations of the rights to privacy and private life (Article 8 of the European Convention). We will definitely observe this case, but I don’t think the government will give up on these measures and its intentions to track their citizens. For instance, they can use these technologies to recognize faces at protest actions or in the Moscow subway. The Moscow city council has announced that every car in the Moscow subway will have 8 additional surveillance cameras. Each of them will transfer data to a single center, which will recognize faces and track citizens’ routes. This will provide the government and law enforcement with more information on citizens’ private life.
In short, this is the picture of what we are dealing with now. I have to admit that the law on personal data, the localization law, and the “Yarovaya package” are all actively used to various extents. The face recognition system is a new trend, but we see that all of them are piece by piece reducing the citizens’ rights to privacy and anonymity. This is a serious concern. Russian civil rights activists raise this question at the Council of Europe and the European Court, but to no avail, at least for now.
To those who are interested, I suggest reading the European Court ruling on Roman Zakharov vs. Russian Federation. This was the ruling of the Grand Chamber of the European Court. This is a case on surveillance through collection of personal data via mobile and Internet providers. This interesting, fundamental case gives an opportunity to seriously consider the legal framework of the state interference into a person’s right to dissemination and access to information online. Thank you, this is all for now. If you have any questions, I will be happy to answer.
Thank you, Galina, for this elaborated and interesting presentation. Thank you for bringing up Roman Zakharov case, as we often refer to this precedent in Ukraine nowadays. In 2014, during the Revolution of Dignity in Ukraine, our parliament passed its own “Yarovaya package”. These norms mostly copied Russian legislation. For instance, the Security Service of Ukraine could also gain access to telecommunication systems without court warrant.
This access was supposed to be direct and automated. So, they had physical possibility to access data at any moment, regardless of the court warrant. These laws from 2014 were declared void.
However, from time to time we see new initiatives that try to bring back these possibilities to the Security Service of Ukraine, justifying it with national security, including military actions in the Eastern Ukraine and annexation of Crimea. Even though the Security Service should have a court warrant, it’s still automated access, which results in mutually exclusive points, because, as the European Court has ruled in Roman Zakharov’s case, it will be practically impossible to control the lawfulness of their actions. So this point is particularly relevant for us. Alexey, I would like to ask you about the current processes in Belarus.
They naturally urge the government to pay more attention to the citizens’ personal data and introduce surveillance technologies. Do you have these trends? How is this realized?
Good evening everyone. Thanks for inviting me to discuss such an interesting topic, which is super relevant now. Indeed, all the points concerning Russian Federation can apply to Belarus to some extent. As for trends and current situation, Belarusian government has had everything up and running for a while now.
Additional restrictions and trends are unlikely, because the mobile infrastructure is already overregulated. The amount of restrictions and intrusions into citizens’ privacy can only be surpassed by Chinese model. Same as Russia, we have the real-time investigating and tracking system, which enables security services and other law enforcement to connect to citizens’ communications and networks in real time. Concerning obligatory data storage, this is an economic issue rather than political or security-motivated.
Providers are not required to store the content of data. They keep metadata. Recalling the history of “Yarovaya package” in Russia, they also had significant economic issues. Many people, organizations, and companies have increased their capital due to working on this infrastructure.
Fortunately, Belarus has no money to install surveillance cameras with face recognition everywhere, store all the data from its telecommunication infrastructure, or create the “Great Belarusian Firewall” China-style, which would separate the country from the outside Internet. There was such an attempt from 9 to 11 of August. On 9 August, there were elections of the President of the Republic of Belarus. Then-acting President Aleksandr Lukashenko has obviously lost the election and resorted to mass falsifications, and then to suppression of protests that resulted from these falsifications.
In order to conceal information on the events in Belarus on the election day and the following days, a quite complex system of traffic filtration was used for the first time in Belarus. This system was supposed to limit the usage of messengers and encrypted connections by citizens. However, this did not work out. Instead, they’ve introduced a shutdown, purposefully disconnecting the country from the Internet.
It lasted until first victims on August 12. In fact, the entire country was under informational isolation, because no foreign Internet services were available.
The means of avoiding the traffic blockage were also limited significantly. Only some of them were available to very experienced users. People had to exchange this software almost hand-to-hand. I have a picture of a handwritten announcement on the front door: if you want to install Psiphon on your device, please visit apartment No… This sure was an interesting experience, especially since European countries have never experienced a general shutdown.
This was the first and hopefully the last experience for our region. There are many interesting cases. There are constant attempts to impose more restrictions. I would like to address Russian experience of special relations with corporations that oblige them to share required data with security services. Certainly, Belarus has similar processes as well.
However, if we compare the information markets in Russia and Belarus, neither of them has a sufficient scale that would make Facebook or Google violate their principles and start cooperating with our governments. However, attempts and restrictions are always taking place. With regard to this, I am more concerned with the processes on the level of the Eurasian Union, e.g. the Agreement on Data. On the one hand, it contained some progressive provisions, including the GDPR norms on citizens’ data protection from corporations. On the other hand, it created the possibility to negotiate on behalf of the entire Eurasian Union rather than separate countries.
Surely, the Eurasian Union has a greater market than all these separate countries. Consequently, we might face a situation where corporations would have to take these requirements into consideration. The members of the Eurasian Union may find common ground and the leverages on corporations.
This is what worries me. As for the events and restrictions related to the pandemic, I think we will have an opportunity to discuss this today. So that’s it for now.
Thank you very much, Alexey. I think it’s about time we address the issue of pandemic. The Freedom on the Net Report by Freedom House, which was published several weeks ago, states that one of the threats this pandemic poses to personal data protection is the usage of surveillance technologies, including those that were considered “too much” until recently. Among these technologies are tracking of contacts, face recognition etc. Due to their large scale, these methods are quite invasive. Unfortunately, the pandemic has “untied hands” for usage of these technologies.
Therefore, sensitive personal data are being collected and used both by governments and private companies that share these data with the state or receive them from the state for research purposes etc. I remember that, in the beginning of April, more than 100 civil rights organizations from all over the world issued a joint statement, urging governments to respect human rights in their struggle against COVID-19 pandemic. For instance, they have formulated principles that have to be taken into account when introducing quarantine restrictions and technological measures. They’ve stated that any such measures should comply with the law and transparency principles, have reasonable proportions, be limited in time, and that protection and anonymity of collected data should be ensured.
Alexey, I know that your organization conducted research on the impact of struggle against the pandemic on freedoms in various countries. Your Pandemic Big Brother project even features an interactive map, which shows technical solutions employed by various states during the pandemic. Please elaborate on this project and the details of your research.
Indeed, when this story has just begun, we understood that the epidemic will be used by the enemies of freedom and privacy to justify the usage of new technologies for control over citizens’ behavior and intrusion into privacy.
Together with colleagues, we started to monitor this situation. On our website, there is an interactive map that summarizes different cases of restrictions of rights and freedoms related to the pandemic. These are mostly digital rights and freedoms, such as freedom of expression online, access to information, and privacy. We also monitor cases of surveillance and usage of various data collection methods. If you open this map, you’ll see that it is still mostly red. Some restrictions are still not lifted.
Our idea was that, as soon as these time-limited restrictions will be lifted, we will make the map green again. Unfortunately, we still have no reasons to suppose that the situation will get back to the pre-epidemic times. Moreover, many experts are concerned that these restrictions will never be lifted. Instead, they will become deeply rooted into our lives and used for other purposes. Unless we roll this situation back, we will have to live in this new reality. It can only be changed through significant public pressure and monitoring of the grounds for invasions of privacy.
As soon as these grounds become irrelevant, corresponding measures should be cancelled. We periodically publish digests on the situation in various countries. We’ve also conducted research on the region of Eastern Europe and Central Asia, in which we’ve analyzed the approaches of different countries to the epidemic challenges in the context of digital freedoms. This research is available on our website in Russian and English. Summarizing its results, we’ve divided these countries into several groups. Obviously, our region has different approaches towards restrictions.
Some countries, such as Georgia and Moldova, adhere to democratic principles in their quarantine restrictions. The second group uses certain methods of digital surveillance. It includes Ukraine, Armenia, and Azerbaijan.
The third group raises the most concerns, as it has introduced harsh methods of digital surveillance and restrictions of freedom of speech. It includes Russia, Kazakhstan, Uzbekistan, Tajikistan, and Kyrgyzstan. Finally, there is the most interesting group of COVID-dissidents. They officially keep silent on the measures they use. Since they deny influence of the epidemic on situation in their countries, they unwillingly introduce quarantine measures and digital surveillance. However, this does not prevent them from tracking the dissemination of information and manipulating the statistics.
These countries are Belarus and Turkmenistan. It is important to analyze these trends in order to be aware not only of the restrictions that contradict human rights, but also of adequate restrictions that can be justified in the struggle against the epidemic. I would like to talk about the EU approach to applications that track citizens' compliance with quarantine restrictions and self-isolation regime. Most of them are based on technologies introduced by Apple and Google.
The technology they have jointly developed allows, on the one hand, tracking the spreading of the epidemic, and on the other hand, avoiding intrusion into our privacy as much as possible. Getting back to your first question – the principles on which the struggle against COVID should be based. I will mention them again, because many experts share these principles. They include deliberation, justification, adequacy, legitimacy, transparency, purposefulness, time limits, information safety, non-discrimination, and public participation. All together, these principles will sufficiently ensure that the epidemic won’t be used to limit our privacy forever.
Thank you, Alexey. During your presentation, we’ve received an interesting question from our viewer. Does Article 15 of the Human Rights Convention justify the use of face recognition systems? Is the epidemic a pretext to breach the provisions of the European Convention and use face recognition systems? Is this a question to both of us? If you want, I can start answering. You and Galina may add something. As Alexey has said, and as we always say as civil rights activists, we do not reject the issues of national security, healthcare, and public safety. We are not saying that all of this has to be sacrificed for the sake of privacy or freedom of expression. The problem is how to enact the principles and find the balance that will protect public interest without crossing the red line.
If we cross it, we may say that the interests of national security will also be violated. Human rights and freedoms are also elements of constitutional order and national security. At the end of his presentation, Alexey mentioned the principles these technologies have to comply with. Usage of face recognition systems per se is not entirely forbidden.
However, their implementation has to be justified. This essentially means that the state has to prove there’s no other way to achieve its goals, which makes it use this invasive technology. There was one more question. I wanted to address it to Galina. I will read it out loud, and you may address it in your speech.
Is citizens’ permission required to make them part of this system? Is this system of personal data processing based on their permission or legislation alone? Who’s next, Galina or Alexey? I will briefly answer the question about Article 15 of the European Convention. You probably know that at least nine countries from the Council of Europe have informed the Secretary General of the Council of Europe about their breach of part of their international obligations due to pandemic restrictions. At least these 9 countries have stated that they do not intend to comply with some of their international obligations and violate part of human rights, restricting them more than they were supposed to as the Convention members. However, many other countries do this without informing the Council. I am sure that the number of restrictions imposed by Russia has reached the point of non-compliance.
Nevertheless, Russia did not inform the Council that it resorts to Article 15. Neither did Ukraine. Besides, it is supposed to be used in case of war or state of emergency. None of the regions of Russia declared the state of emergency due to the pandemic. De jure there are no grounds for resorting to Article 15. De facto we see quite strict restrictions.
Answering your question about citizens’ consent, the government introduces restrictions that are aimed at protection of health and sanitary conditions by passing relevant bills, without additional consent from the citizens. Not only processing of personal data, but also introduction of new technologies that, I’m convinced, will stay with us after the pandemic, occur without citizens’ consent. Unfortunately, they are being actively introduced even without the pandemic as a pretext.
They become “a cherry on the pie”. For instance, voice recognition technologies and face recognition technologies are used by the banks. They offer it as a convenient way of interaction between the client and the bank, when, instead of your ID, you are identified with your face and voice. Many people think this is a cool and convenient technology.
But we understand that these data end up in the hands of organizations that collect them, and users have no influence on subsequent usage of these data. Of course, this is a matter of our deep concern. I will add to Galina’s words.
Even if the requirements of Article 15 are fulfilled, we should be aware that face recognition systems are quite expensive technologies. Of course, no-one will introduce them temporarily, just for several months or years of the pandemic. They will look for new applications and usages of these systems. From the practical point of view, experts warn that rolling back all these technological solutions that intrude into our privacy would be difficult. It will be hard to get back to the pre-pandemic situation with human rights protection, in spite of all the efforts on personal data protection, GDPR, and other legislation that are also being introduced in Ukraine. Do you have a comment, Alexey? Yes, Galina has elaborated on the European context of human rights protection.
I would like to add something about GDPR in order to understand the larger context, which is different for the Council of Europe and beyond it. Speaking about the Council of Europe, we are still waiting for practical precedents, and we won’t learn about them soon. So far, we can only guess whether we have the third component of the test, that is, proportion of restrictions, and their necessity in democratic society. This is a matter for discussion, but I agree with my colleagues that such an invasive technology as face recognition is not proportionate. Moreover, it will be used after the pandemic, which is a separate problem. In the EU, GDPR elaborates on the collection and processing of personal data, including the mechanism for personal data collection for healthcare purposes.
This can be done without a person’s consent. However, in this case, other principles of personal data collection have to be taken into account, such as minimization of data and limitation of purpose. These principles suggest that data should only be collected in the amounts that are required to achieve specific goals, and they can only be stored for the period of time necessary for these purposes. Article 9 of the GDPR leads us to the conclusion that usage of face recognition technologies will be considered illicit on the level of the European Union. Usage of these technologies in the EU will be forbidden.
So these are different practices and approaches. With regard to human rights, face recognition technologies still have too many vulnerabilities that prevent them from being used, at least for now. Thank you. Unfortunately, we are short of time. But the viewers of this discussion would like to see a light at the end of this tunnel, so that we don’t leave them on this pessimistic note. Can you give some guidelines for action or provide positive examples that might help us win back our privacy and personal data protection? What can every one of us do today to protect his or her personal data? Galina? This is a difficult task.
Saying something positive, seeing the light at the end of the tunnel… I will agree with Alexey. If our governments adhered to human rights protection, the very idea of face recognition should have been forbidden. However, in parallel to the discussions of human rights protection in the context of new technologies, there are also discussions on the efficiency of the struggle against the pandemic in such countries as South Korea, which actively used this technology. Due to the use of contact tracking and other technologies, this state was able to stop coronavirus infection from spreading within its borders. This is used as an argument in favor of these quick and efficient measures. What we have to discuss in this case is which country will have these data and how it will use them after the reason for collecting these data no longer exists.
As Alexey has said, there should be necessary amounts of data, time limitations etc. While this is still discussed on the international level, while the pandemic is not over, and many states are following the developments in face recognition technologies, introducing them into commercial and non-commercial spheres, there is only one thing we as citizens can do to protect ourselves. In any cases of communication, we should not allow our data to be passed to third parties, [inaudible] including commercial companies such as banks. We should try and protect our information by all means available. If necessary, we can file our complaints in court.
Awareness is also crucial. It is important to educate citizens, explaining to them the risks related to introduction of these technologies. Thank you. Alexey? Well, I’m an optimistic person, and some things do make me happy. The first one is that we are having this discussion now, even though such discussions were unimaginable 5 years ago, because one could only learn about digital rights at international conferences in the English language. Nowadays, we have more possibilities to discuss this.
We know more about technologies. We know more about international standards, and this is very good. Unfortunately, we are lagging behind, but I hope we can still catch up. This is related to awareness. More and more people learn about their digital rights and are ready to defend them. Of course, this is a positive development.
Finally, the positions of companies and corporations on this surveillance capitalism, which has become a standard in e-commerce, bring us more and more allies among IT companies that are ready to introduce new technologies, helping us protect our privacy. These companies see their competitive advantage in this sphere and are ready to make privacy their motto and help us fight not only the government, but also other corporations. In general, I hope we will gain more and more allies. We will remember 2020 as an interesting point in the development of humankind, where we could have taken a wrong turn, but we still went in the right direction. For now, this is my personal optimism.
Nevertheless, as I’ve said before, there are trends that give reasons for this optimism. Thank you very much for this optimistic approach. Thanks to our speakers for their interesting insights and presentations. I would like to invite our viewers to the online exhibition at the DataCTRLCentre.com. It features many interesting exhibits.
The exhibition is curated by the popular science media Kunsht. It also features exhibits from the Berlin organization Tactical Tech. It is related to what Galina said about the need to understand what our personal data are and how they are being used.
We should raise our awareness in the fields of media law and digital rights. If we know what to demand, it will be easier to voice our demands both to governments and private companies that collect our personal data. There will be more discussions within this project. Please follow the announcements on the website. There will be many interesting discussions on video surveillance and collection of personal data. Thank you for your attention and have a good evening.