Commissioner White gave the following remarks at the Computers, Privacy, & Data Protection (CPDP) 2022 Conference on 23 May 2022 as moderator and provocateur for a panel titled, "The Future at the Intersection of Knowledge Creation, Research, and Individual Sovereignty". These remarks are not intended to represent the opinion of PrivCom or panelists. (Check against delivery.)
For just a moment, Let’s forget about the “future” in our session title – because right here, right now, in 2022, we live in a time of observational data. Much has been written about the surveillance economy and how organisations capitalise off of measuring the online and real-world behaviours of individuals. We – all of us – are being quantified to new extremes, with new potential for harm.
The use of observational insights is not a new phenomenon. The entire basis of the scientific method relies on observation and quantitative measurement – the measurement of reality itself, the physical world, and certainly individual persons. The satisfaction and comfort of our modern lives has depended on noticing that when someone ate one thing they were ill … and then another thing made them better, then seeing the trend, and taking advantage of the pattern.
Modern data protection laws give individuals a sovereignty or decision-making power regarding the various facts and statistics that are collected together that refer to them. This is also not an entirely unprecedented phenomenon, as researchers of human subjects are familiar with the review and approval process needed before they get an individual’s consent to participate.
But in giving individuals the protection of the state or a right of ownership over observations about themselves, are we in fact giving them a sovereignty over a slice of reality – the ability to control how others may perceive the world?
Data has been called the “new oil” or the “new electricity”, but the way we have historically treated observational data, for scientific research or knowledge creation, functions in our society more like analogies of shared spaces like common grazing land or international waters. Anyone could potentially access or use the resource, and no one can explicitly own it. And, The resource can be prone to abuse in ways that harm people, because no one has direct responsibility.
Looking out my window, I’m struck by views of the sea and I recall how maritime laws established how nations might control a slice of the common ocean. At one time, the distance that a cannonball could be fired from the coastline was considered sovereign territory, but that gradually expanded over time until we reached an agreement under the twentieth-century Law of the Sea.
We as a global society had to decide what was a common resource - and then what could legitimately be claimed by one party. In a similar way, the Outer Space Treaty established an agreement that one cannot claim ownership over celestial objects, and instead we should consider the use of these resources for all humankind.
We are fast approaching (if we have not already passed) the point where that conversation is needed in terms of data protection and observational technology, and we must decide how far the cannon shot of an individual’s claim can reach. Is it time for a Convention on the Law of the Seas for Data?
Even specific data are reusable resources – they are not consumed when used. Therefore, there is the potential that knowledge creation and research could continue to make use of personal information in a non-exclusive way that allows multiple parties, and even our communities as a whole, to benefit from the use.
But – that same personal data can also be reused infinitely for harm to individuals.
To achieve beneficial goals, we must have difficult conversations about topics such as the appropriate use of data in research, how we might consider algorithmic processing as potentially distinct and separate from the application of insights, and to what extent individual sovereignty around personal information is beneficial and should be preserved. In the context of modern privacy and data protection laws, this means discussing questions of necessity and the full range of fundamental rights in the digital age.
The GDPR (along with our own comprehensive privacy law in Bermuda) was created in 2016. As of CPDP 2022, we are almost as close to 2030 as we are to 2016, and we still have quite a bit to resolve when it comes to the rapid advance of technology and growth of observational data.
What do we agree on? How can we ensure that a potential use of personal information is trustworthy and fair – and how can we make sure that observational technology and knowledge creation serve all humankind?
Alexander McD White
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issue guidance and recommendations, liaise with other enforcement agencies, and advise on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."