Tag Archives: privacy

Data Privacy in 2022: Taking stock and moving forward

At the beginning of 2022, we are looking back on a busy and tumultuous year in the data privacy landscape. A glance at the discussions that took place during the 2022 Privacy Day – as well as throughout 2021 – can offer helpful insights for libraries’ own work to champion and speak up for privacy in the coming year.

The global scene: persistent challenges, important wins

One of the focuses of Data Privacy Day conversation was, of course, taking stock of recent developments and looking ahead to upcoming and planned initiatives. The past months have been punctuated with high-profile initiatives, decisions and news around data privacy.

First of all, the Pegasus spyware revelations and the ensuing fallout continue to unveil the full extent of its impacts. Throughout 2021, several countries – including Canada, Australia, and most recently France – moved to protect their citizens’ data from Clearview AI, a facial recognition tech company which scraps images of people from across the web (and recently announced that they have collected 10 billion such images) to train its AI.

Meanwhile in Kenya, a recent decision of the High Court recently ruled that their Data Protection Act applies retrospectively, calling for a data protection impact assessment of a Digital ID system. The European Parliament pushed for a ban on digital ads targeted on the basis of such sensitive user characteristics as health or religion.

The new privacy law in China has been noted, inter alia, to have important extra-territorial implications, while in Australia, consultations for a review of the Privacy Act 1988 is underway.

All of these raise issues and questions that shape the shared digital environment in which all stakeholders – including libraries – operate.

Privacy: illustrating interdependencies between fundamental rights

Whether explicitly or in passing, we are also seeing an ongoing conversation about the ways data privacy – especially as understood within the framework of the fundamental right to privacy – interacts and relates to other key rights and policy priorities.

An obvious example comes, of course, from the healthcare sector – the discussions on how to strike the right balance between data privacy considerations and measures to curb or slow down the spread of the COVID-19 virus. The most interesting voices in such scenarios are those that advocate for ways to not see such crucial goals as a trade-off with privacy, but rather to find ways to safeguard and deliver on both (including by drawing on privacy-by-design and privacy-by-default principles).

We also see important recognition of the ways privacy enables other fundamental rights. The 2021 UNESCO Media & Information Literacy Curriculum for Educators & Learners, for example, outlines the many links between privacy and development at both personal and societal levels, as well as with access to information and freedom of expression.

These arguments and considerations are very well known to library and information professionals, who customarily regard privacy as part of intellectual freedom in their professional code of ethics. This has many implications for day-to-day library work and service delivery choices – but also, crucially, for their work as digital literacy and privacy educators.

Privacy literacy in 2022

The idea of privacy-related skills as part of media literacy also finds reflection at the policy level – for example, in the new UK DCMS Online Media Literacy Strategy, where it has a very prominent place.

For libraries as digital skills and media and information literacy educators (and intellectual freedom advocates), privacy upskilling initiatives continue to look like a natural part – or extension – of their work. To this end, it is always helpful for libraries to keep a hand on the pulse of what the privacy literacy landscape looks like today!

This is a complex landscape of however. For example:

Efforts to collect data and better understand the links and changes in motivation, knowledge and practice continue. For example, drawing on a 2020 survey among North American consumers, McKinsey concludes that most users have fairly low trust levels when it comes to how companies use their data. At the same time, while tools that help people control their personal data are more widely available, not everyone is equally quick to make use of them. Over 60% of respondents said they have cleared cookies and their browsing history, and more than 40% have disabled cookies altogether, or have deleted or edited a post they have made in the past. But other possible privacy measures – e.g. temporary email addresses, encrypted communication – were used by fewer respondents.

The 2020 Australian Community Attitudes to Privacy Survey, for example, concluded that “Australians have a very strong understanding of why they should protect their personal information (85% agree) but are less sure how they can do this (49% agree). Three in 5 (59%) care about data privacy, but don’t know what to do about it.” Here, 29% of survey respondents have read a privacy policy in full and 23% made a request for their personal information to be deleted – and more than half said that they have deleted an app or denied it access to information to safeguard their privacy.

Another interesting relationship here is that between digital skills levels and overall trust and confidence. For example, the UK strategy referenced earlier quoted that, while “73% of users described themselves as ‘very confident’ or ‘fairly confident’ managing their data online, 44% of respondents who described themselves as confident were unaware that data could be collected through smartphone apps, and 20% were unaware of the existence of cookies altogether”.

Different user group profiles and needs: of course, privacy literacy and knowledge is not equally accessible and familiar across different user groups and cohorts. The Australian Community Attitudes to Privacy Survey also showed that older users were significantly more likely to rate their knowledge or privacy and data protection rights as very good or excellent (e.g. 15% of those in the 65+ bracket, compared to 31% of users aged 18-24).

In the EU, a recent Eurobarometer survey included a question asking whether the respondents knew how their fundamental rights – such as to privacy and freedom of expression – should also be respected online. The responses also showed some variations across socio-demographic groups as well, including e.g. linked to formal education attainment and frequency of internet use.

The granularity of privacy attitudes and beliefs: at the same time, publications like the 2021 report about students’ attitudes and behaviours by the Future of Privacy Forum draw attention to the importance of better understanding the unique privacy needs and expectations of different user groups.

The report highlighted, for example, specific concerns the members of this user group may have around academic and professional prospects in relation to privacy, some available data on the types of information they consider as necessitating particular protection, the confidence they have in different data processors, and so on.

Libraries are helping

This data suggest that there is continued interest (and need) for more knowledge and information around online privacy among users. In the Eurobarometer survey mentioned earlier, a very strong majority – 76% of respondents – said they would find it useful or very useful to know more about their rights online.

Given the diversity of the privacy literacy landscape, the equitable and no-barrier learning opportunities that many libraries work to offer can make an important difference. In a video presented by Polish library experts at the 2021 Internet Governance Forum, participants of public library-based digital skill courses for seniors shared what they learned and took away from these workshops, with one of the attendees pointing out:

“An interesting thing that I did not know so far is that I can check what the internet ‘knows’ about me. And it turned out it knew too much!”

The innovative, interactive and flexible learning opportunities around data privacy which libraries offer highlight their unique strength in identifying and helping meet community needs. We look forward to seeing these efforts continue and grow, and celebrate the dedicated work of educators, activists and inquisitive users!

Libraries and Human Rights in 2021: Evolving circumstances, constant commitment

Every year, international Human Rights Day on 10 December commemorates the adoption of the Universal Declaration of Human Rights by the UN General Assembly in 1948. This year’s theme – Reducing inequalities, advancing human rights – is a strong call to action to deliver on equality and fundamental rights for all, particularly in times of crisis. As libraries uphold their commitment to promoting and championing human rights, this day offers an opportunity to reflect on progress made, continuing efforts, and new developments.

Libraries’ relationship with human rights is multidimensional – in no small part shaped by their overarching commitment to free and equitable access to information, as well as their everyday work relating to the rights to culture, science, civic participation, education, and free expression. On the other hand, libraries’ work itself can depend on an enabling environment around them which respects fundamental rights.

Meanwhile, the broader human rights landscape continues to evolve – with both new initiatives to defend fundamental rights, as well as events and developments that challenge these in new ways.

Consider some of the ongoing human rights discussions taking place today: the ways that online algorithmic content delivery and curation systems can impact the rights to privacy and to freedom of expression; the implications of mis- and dis-information (and some responses to it!) on freedom of opinion and expression; the effects of digitisation (and the growing involvement of private sector actors which often accompanies it) on the right to education, or the ways the COVID-19 pandemic impacted the cultural sector and people’s enjoyment of cultural rights (and digital cultural opportunities that try to offset some of these setbacks), and others.

These are just a few of the recent human rights developments that can have an impact on library work – on the roles that library services play in delivering on fundamental rights, on day-to-day library practices, on new services they develop, and so on.

As both library processes and the communities around them change and evolve, new human rights considerations, implications and good practices emerge.

What can this look like in practice? The members of the FAIFE Human Rights Working Group – Buhle Mbambo-Thata, Fiona Bradley and Margaret Brown-Sica – have highlighted several examples of emerging human rights considerations which impact libraries, drawing on examples from three regions – Sub-Saharan Africa, Australia in Asia-Oceania, and Canada and the USA in North America. While some emerging human rights issues are experienced across the regions, others are more specific to one or more countries:

  • Oceania and Australia, among other regions, are already experiencing the effects of climate change – more extreme weather, rising waters, and intense bushfires. Access to environmental information as defined under UDHR Article 19 and the Aarhus Convention are essential. Yet, libraries face many technical, legal, and cost barriers to provide information, particularly in local languages.
  • Australia has adopted legislation outlawing modern slavery in supply chain and business practices. This means that libraries, and all other organisations, must evaluate their suppliers’ compliance with ensuring that no books, materials, furniture or other items have been produced with forced labour. Some library vendors are required to report their own practices annually (see, for example, a RELX Modern Slavery Act Statement).
  • The Asia-Oceania region has also spearheaded numerous laws and initiatives that seek to address online harms and content. These impact the types of content libraries, including public libraries, may offer, and the steps they may need to take to prevent access to such content. Some recent developments in this area include the Christchurch Call, a series of commitments by government and tech companies to combat extremist online content, and a collaboration between Australia and Fiji on eSafety and reducing online harms. In the meantime, both the Australian Library and Information Association and public libraries in Australia support a range of activities around eSafety, particularly for children – from cybersafety checklists for libraries to Safer Internet Day campaigns, and other ways to promote responsible and safe use of the internet and ICT.
  • Access to information remains a crucial and fundamental human right – and such access is increasingly mediated by the internet. Libraries rely on digital tools more and more often to deliver services, particularly during the COVID-19 pandemic, when physical access has often been restricted. However, for political reasons, internet blackouts and shutdowns continue to occur, hindering access to library services – including recently in several countries in Sub-Saharan Africa and other regions.
  • There has been a positive development in the protection of personal information in South Africa through the implementation of the Protection of Personal Information (POPI) Act, which prohibits use of personal information without the consultation of the owner. This falls into a broader trend of new-generation data privacy laws that aim to deliver on the fundamental rights to privacy in the evolved digital environment, which libraries also operate in.
  • The United States has recently seen a resurgence in efforts to ban books, particularly in school libraries. The focus has been on materials that document and discuss the lives of people who are gay/queer/transgender or Black, Indigenous or persons of color. The American Library Association has issued a statement addressing this issue: “We are committed to defending the constitutional rights of all individuals, of all ages, to use the resources and services of libraries. We champion and defend the freedom to speak, the freedom to publish, and the freedom to read, as promised by the First Amendment of the Constitution of the United States.” 
  • Canada marked its first National Day of Truth and Reconciliation on September 30, 2021. The Canadian Federation of Library Associations (CFLA-FCAB) published a report which urges action by libraries to deliver on Indigenous Rights, and highlights the many measures that can help achieve this. These focus in particular on decolonising libraries and spaces (which includes, for example, ensuring that space planning and design are culturally appropriate, territorial acknowledgements, library programming created in collaboration with local Indigenous stakeholders, and more), and decolonising access and classification (i.e. addressing biases and integrating Indigenous epistemologies into knowledge organisation and information retrieval systems) as part of this movement.

As the examples above show, there is a wide range of emerging, changing and evolving human rights considerations and good practices that shape library practices today. Maintaining dialogue and sharing experiences within the global library field remains a valuable tool to find effective ways to deliver on human rights commitments – so, on this Human Rights Day, we encourage and welcome you to share your own thoughts and perspectives on emerging human rights trends!

What key human rights considerations are prominent in your own local, national or regional library fields? What new developments have shaped your views on library human rights commitments? What good practices can help navigate this changing landscape?

You can join the discussion by using hashtags #Libraries4HumanRights and #StandUp4HumanRights – and we look forward to continuing these important conversations both today and throughout the year!

GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: The oft-cited trend of an emerging new generation of privacy laws continues; with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, Stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This does also raise questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum verses “all or nothing” outcomes: taking a “we can have privacy or we can have this other thing” approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

 

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!

Data Privacy Day 2021: Standing by Key Library Values in Challenging Times

28 January marks the annual Data Privacy Day, dedicated to raising awareness and celebrating this crucial right in communities across the globe. The past year saw important shifts and developments in discourses around privacy – and now is a good time for libraries to reflect and consider next steps.

Where does privacy discourse stand at the beginning of 2021?

Data protection, privacy and security continue to be among the key elements of discussions around how we should govern and regulate the internet and other digital technologies. Over the past months, significant developments in this area include:

  • The growing new generation of privacy laws and regulations around the world. The way in which the personal data of more and more of the world’s population is collected, stored and used is now subject to new privacy regimes which attempt to respond to a digital world. A recent report by Internet & Jurisdiction and ELAC, for example, points out that in Latin America and the Caribbean alone, there are several states reforming or modernising their data protection legislation or discussing bills at present. 2020 saw a new privacy act in New Zealand and the entry into force of the Californian Consumer Privacy Act, and more legislative measures can be expected around the world.
  • Data privacy considerations of COVID responses. Of course, measures taken to try to slow the spread of the COVID-19 pandemic have also been at the heart of the discussion on data privacy.

Looking at this issue through a human rights lens, the UN Human Rights Council Special Rapporteur on the Right to Privacy recently examined two key privacy aspects of pandemic responses – data protection and surveillance. While the report clarifies that much more data is needed to assess the necessity and proportionality of various measures, it is nevertheless crucial to keep in mind the dangers of non-consensual methods and the danger of function creeps – including in technology-based responses.

  • Privacy and the ‘leap to digital’. And of course, there is the broader reality of a rapid ‘leap to digital’ that many countries experienced during the pandemic, with the urgency of moving online risking coming at the expense of a full exploration of the implications of the choices made. From organisations and businesses grappling with the data privacy implications of remote work, schools and others needing to bear in mind what leaving cameras on during lessons could reveal about pupils and teachers alike; and to social, leisure or study activities that people carry out online – all these raise important considerations.

Libraires, of course, have fully felt the impacts of these trends. Librarians, just like the communities they serve, have faced the trends set out above, in particular as regards the need to shift to working from home – with all the staff data privacy implications this entails. For those remaining open, some have been asked or required to collect, store and process health and/or visitor data.

Many have broadened their offering of digital materials for users to lend, which emphasises the importance of longstanding discussions about third party vendor privacy policies – for example around the data that publishers and others collect about how readers use materials.

Already in the first half of the year, patron privacy considerations were particularly pressing for school and academic libraries, with urgent questions around student data and remote learning.

Similarly, other efforts – from online storytimes to homework help – all come with crucial choices on how to protect patron privacy.

The global library field responds. When faced with these questions, the library field has seen a vast array of active and vigilant responses. Libraries have spoken out about the importance of patron privacy – from the Japanese Library Association’s Intellectual Freedom Committee to CILIP’s Policy Statement on COVID-19 that highlights, inter alia, the importance of upholding the right to privacy when implementing measures to curb the spread of the pandemic.

Members of the global and national library fields – e.g. in Italy, the US and Czechia – collected and disseminated useful information, including suggestions and ideas on how to navigate privacy considerations during the pandemic. They also shared practical guidance, key questions and good practices around the new patron privacy considerations.

Standing by key library values. It is encouraging to see that libraries continue to be strong privacy champions and advocates even in these times, finding more ways to support the privacy and digital wellbeing of their communities.

From Singapore to the Netherlands, we have seen traditional online safety and security skills support programmes migrate online – for example, as published tip-sheets or courses, or live webinars. New ideas are being explored – from awareness-raising virtual exhibits to the potential of a library VPN for patrons.

Ensuring library capacity and resources – a key priority. These responses demonstrate the evolving application of twin library priorities – safeguarding patron data in library processes, and helping build their communities’ awareness and skills to defend their own privacy, outside of library environments. However, as the past year showed,  the new circumstances – particularly the shift to digital – raise challenging new questions and demands.

News from Finland, for example, points out that many libraries need to address patron privacy in new ways – including questions which may require legal advice. Similarly, Public Libraries Victoria discusses libraries’ experiences with helping seniors navigate online services –  a crucial part of their offering; however, the shift to digital here can also put increased pressure on library staff in navigating complex privacy questions when offering hands-on support.

This highlights the importance of making sure that libraries have the capacity and resources to carry out these tasks. This includes, inter alia, IT resources – since cybersecurity and data privacy and fundamentally linked. As libraries face new and increasing tasks and duties – to meet the demand and expand digital offerings while maintaining data privacy and security – it is crucial that they have the resources to do so.

 

Many key challenges and developments of 2020 continue to impact the work of libraries around the world. As they continue to face these, libraries maintain their support and ethical commitment to privacy – and we look forward to another year of active dialogue and exchange of good practices in support of data privacy!

The EU General Data Protection Regulation, Two Years On

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in the EU. This marked a fundamentally new approach to data protection, privacy, security and user rights. Naturally, libraries as controllers of user data – patron registration data, library website uses, and much more – saw new obligations, responsibilities and processes that they needed to implement. Two years on, where does GDPR stand, and how will it continue to impact the library field?

The implementation and enforcement of GDPR has given rise to a flurry of activity over the past two years. Access Now points out that more than 140000 complaints have been submitted between May 2018 and May 2019 alone. Those found guilty of breaching its provisions have been held to account, with 231 fines or other sanctions levied over the past two years.

Indeed, just a few days ago, the Irish Data Protection Commissions issued a draft decision regarding Twitter’s GDPR compliance, moving closer towards the completion of a major cross-border GDPR case. Earlier, national authorities have already administered fines to Facebook, Google and WhatsApp; and several countries across the world introduced data privacy legislation inspired by GDPR or the global conversation it had launched.

Nonetheless, despite these arguably positive stories of authorities acting to protect privacy,  the Access Now report also points out the challenges that GDPR implementation has faced – such as the resource constraints Data Protection Authorities may face or the challenges of cross-border cases. Similarly, in their Open Letter marking the second anniversary of GDPR, European Digital Rights calls for more action to address the GDPR enforcement gaps.

Keeping Up with Events

The timing is helpful. A formal review of GDPR is due for its second anniversary. In addition, the area of data regulation will likely see more significant activities in the coming months and years. Just a few months ago, the European Commission led by Ursula van der Leyen has unveiled an ambitions EU Data Strategy, which will aim to facilitate data flows throughout the EU and enable broader use of data in services and products.

As a result, in 2021, Europe can expect a proposal of an EU Data Act; which will of course be linked to GDPR when it comes to such questions as data sharing and user rights (e.g. portability).

Of course, the current pandemic has also raised questions pertaining to GDPR. The COVID crisis has, for example, prompted questions about the more extensive use of health data for research purposes, employee data, or tracing applications and geolocation – and how these relate to the privacy and security protections guaranteed by GDPR rules.

The European Data Protection Supervisor has reiterated that GDPR is designed to be a broad legislation, with rules and regulations which are applicable to crises situations such as this. Nonetheless, there will be a lot of value in an evaluation of the degree to which violations of the right to a private live have been justifiable, and whether tougher or clearer rules are necessary.

Libraries and GDPR, looking ahead

This points us to the question of what these developments can mean for libraries. With the demand for digital library offerings and services surging during COVID, it is particularly important to keep in mind the need to at all times ensure the privacy and security of user data that such activities generate.

GDPR highlights the importance of “privacy by design”, meaning that privacy and security measures are taken into consideration and embedded into the design of new data processing operations from the outset. Similarly, data controllers need to ensure the privacy and security of users’ data when making use of any new third-party platforms or services.

If you are introducing new digital services or processes to your library, it’s crucial to consider whether these might entail collecting any new personal data, or processing it differently. On what grounds would the new data be processed? Are third party suppliers also respecting privacy?

We are yet to see the long-term impact of the pandemic on library services – including the question of whether this large-scale shift to digital will be sustained. In the meantime, it is crucial for libraries to continue putting privacy and security first in any new services or offerings, and keep an eye on any possible future legislation in the field of data regulation!

Right to Information Recognised in New European Court Rulings

Image: Group of scholars studying books. Text: A Right to Information: Finding a Good Balance with the Right to Be ForgottenTwo much anticipated rulings have come from the Court of Justice of the European Union. Both are ‘preliminary rulings’, effectively requests to the Court to offer clarification on what EU law – in this case the ‘right to be forgotten’ doctrine created by the Court in 2014 and placed in legislation in the General Data Protection Regulation of 2016.

As a reminder, the right to be forgotten refers to the right of individuals to ask that particular stories not be included in search results for their name. The idea is to ensure that there is a way of avoiding that search engines automatically give prominence to information that is unduly invasive of privacy.

IFLA has released a statement on the subject, underlining that the right to remove search results risks undermining access to information for internet users. While the IFLA statement notes that in some situations, a right to be forgotten may make sense, it argues strongly that this should be the exception, not the norm, and stresses concern about the impacts of leaving this choice to private actors.

The two cases in question come from France, and its Conseil national de l’informatique et des libertés (CNIL) – the national digital data protection authority. In the first (C-507/17), the CNIL itself was in dispute with Google about whether, once there had been a decision to award the right to be forgotten, this should only be applied within Europe, or whether Google should be obliged to apply it on all versions of its search engine, around the world.

The second (C-136/17) asked whether the ban on ‘processing’ (doing things with) certain types of personal data, such as that about religious beliefs or politics, should also apply to search engines.

 

The Right to Information

In the first case, the Court decided that there was no obligation to remove relevant links from search engines around the world, rather than just in France or the EU (global delisting). This is an important decision, and one that IFLA itself supported, given our own statement on the subject.

Significantly, the Court explores the question of the costs of global delisting: ‘However, it states that numerous third States do not recognise the right to dereferencing or have a different approach to that right. The Court adds that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. In addition, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.’

This definitely a welcome point for libraries, and one that underpins the final decision of the European Court, given its explicit recognition of a right to information of internet users around the world.

In the second case, the Court does note that the bar on processing highly personal information applies also to search engines to the extent that they process it.

However, it also argues that the exceptions to this bar do too – in a case where including a link in search results is essential if a balance is to be found between the rights of individuals and of information seekers, then this can be OK.

Therefore, in cases where the subject of the information has a prominent role in public life, it may well be acceptable to maintain search results, in order to ‘protect[…] the freedom of information of internet users potentially interested in accessing that web page by means of such a search.

 

But No Resolution Yet

In both cases, the final decision rests with the French courts. The European Court has given guidance on how to take this, but leaves enough margin of appreciation the judges in Paris. As a result, in the case of global delisting, despite all of the arguments to suggest that this is a questionable move, the judgement still says that there’s nothing saying that this cannot still be requested.

Similarly, the judgement on highly personal data suggests that it is for the French judges to determine whether Google has taken sufficient care in working out whether it was necessary to include the relevant links in its search results. As a result, we will not know the final results for a while yet.

Clearly Google itself is a lightning rod. Its size and reputation make it a bogeyman for many. However, it is worth noting that the judgements apply not just to Google, but also to any other company or information service offering search functionality.

As seen in the Le Soir judgement in Belgium in 2016, the idea of the right to be forgotten can also be applied to a service offering search into digitised old newspapers.

Crucially, while Google may be in a position to apply the rules set out, it may be harder for others to do the same. For example, in the judgement on highly sensitive data, the Court argues that a search engine should be able to rearrange results about court judgements in order to ensure that the most recent information comes first.

If the rules around offering search services become more complicated, the risk is that it’s the smaller players who will fall foul of the rules, not Google, reducing the choice of information seeking tools available to users around the world.

 

Facial Recognition, Libraries, and Intellectual Freedom

FAIFE is marking the 20th anniversary of the IFLA Statement on Intellectual Freedom. As part of this, Jonathan Hernandez-Perez, a FAIFE member from the National Autonomous University of Mexico (UNAM) has shared the below blog on the subject of facial recognition technology, and what it means for libraries and their values. 

 

Facial recognition is one of the current obsessions of the tech industry, with regular high-profile product launches meaning that it is also high on the public agenda. It has developed rapidly over the last years, making it possible to undertake tasks that usually take hours in just the blink of an eye.

Yet as the number of public spaces that use this technology keeps rising, so too do the public’s concerns about privacy and surveillance, leading to many  more negative media headlines and an intense social media debate. This blog explores what facial recognition technology is, the questions it raises, and what this means for libraries.

 

What is Facial Recognition?

Facial recognition is a type of technology that allows the verification and identification of a person through analysis of his/her facial features. This technology has been with us since long before the coming of the internet.

With the intention of obtaining a definition of the “criminal face” during the 19th century, several facial patterns of ex-convicts and criminals were gathered. Fortunately, the idea that the measurements of someone’s head are associated with criminal tendencies has long been rejected.

However, some of the techniques involved have been enriched and improved, involving a greater number of actors and interests, leading to current technology that makes our daily lives more comfortable, from the basics of unlocking our cellphones or automatically “tag” a friend in a picture, to the more complicated issues, such as airport check-ins, tools to validate our identities at ATMs, or even means of gauging emotional responses. It turns our face, our emotions, and expressions into a bar code.

Furthermore, facial recognition has the potential to be combined with other technologies in order to combine and enhance the tracking that happens in the digital and physical sphere.

 

Enabling Surveillance, Hidden Bias

The convenience allowed for by facial recognition comes with a price, and in the digital era the cost is our privacy. This is because nowadays, our facial expressions – the very essence of human social and emotional interaction – have become an object of experimentation, propaganda, and database development. Arguably, we are only partially aware of the extent and consequences this technology could have in a very short time period, particularly because biometric technologies are still not widely understood.

A particular worry is the degree to which facial recognition technology enables mass surveillance. In 2013 the IFLA Trend Report stated that expanding data sets – for example of faces – held by governments and companies will support the advanced profiling of individuals, while sophisticated methods of monitoring and filtering communications data will make tracking those individuals cheaper and easier, warning that serious consequences for individual privacy and trust in the online world could be experienced. This now appears to be coming true.

In 2014, Insecam demonstrated the possibility of illicitly obtaining images from security and surveillance cameras that use weak passwords. This poses a particular threat to public privacy since they are placed in public spaces. Meanwhile, in 2016, a Russian photographer carried out an experiment to show how easy it was to identify strangers in the streets using only one picture to identify them. More recently, FaceApp, which takes your photo and gives an idea of how you’ll look decades from now, put back into focus the privacy vulnerabilities of mobile applications.

The consequences of the implementation of facial recognition technologies have come into the spotlight with the recent protests in Hong Kong, showing how our faces can become a weapon either for persecution or prosecution. Responding to public pressure, some cities have begun to ban the use of facial recognition software by state agencies; San Francisco, Somerville, and Oakland are the first cities in the United States with a regulatory law over this topic.

A further concern is around the risk of bias in facial recognition technologies. These systems are usually trained on a different number of faces from specific groups of people with similar facial characteristics (Mostly Caucasian) which could lead to the failure of people recognition in a more diverse environment, and in a legal way, this could lead possible mistaken identification entailing people to crimes they didn’t commit.

This matter involves race, gender identity, and sexual orientation issues which makes it more threatening and harmful, there are a number of examples of how this technology is developing an automated racism.

 

Impacts for Libraries

This year IFLA celebrates the 20th anniversary of the “IFLA Statement on Libraries and Intellectual Freedom”. It is as crucial as ever to underline one of its key principles:

Library users shall have the right to personal privacy and anonymity. Librarians and other library staff shall not disclose the identity of users or the materials they use to a third party.

This principle is relevant at the moment because today, privacy and mass surveillance are some of the most pervasive and threatening issues we face. Certainly, we risk seeing facial recognition turn from being a “fad” into a normal practice and would eventually be part of a new common sense and part of our mainstream culture. This would imply an important loss of privacy.

Libraries have always worked to keep up to speed with new technology and to make best use of the possibilities it offers. Therefore, facial recognition will also impact in their services.

Facilitating the registration, loan, and access to information resources could be a very attractive reason to implement this kind of technology in libraries. Companies are already selling biometric software for book loans and some libraries have been using these systems for a couple of years now.

In the near future, libraries may be able to offer material based on our facial expression, then, our face could become a personal card that does not belong to us, associated with all the data about books read, web pages consulted, and topics we are passionate about. If we are not aware of the extent of this information, it could become a big threat to our privacy.

As a result, the use of this technology in libraries is a matter that should be analyzed in the light of user freedoms and rights, and the potential damage it could do to privacy and intellectual freedom, values that libraries have defended for years.

Therefore, libraries must provide digital secure spaces where our movements are not tracked and develop privacy programs for librarians and their community. An interesting example is the Library Freedom Institute, which teaches librarians and patrons how to protect their privacy online and how to influence public policies on this matter.

 

Conclusion

Although we may share similarities with other people all over the world, every face has its own interesting and unique features. Thousands of databases are daily fed with biometric information and we are taking part into this dynamic through our daily digital behavior. But the problem shouldn´t be attached to the user. Knowing the value of our data or agreeing on the terms and conditions companies impose it’s not enough, neither is derision or banning some apps or software.

What is required is having strong legal frameworks and policies that protect individual rights for limiting such tracking. Libraries can both lead the way in their practice, and push for the right laws and regulations in their advocacy.

Intellectual Freedom in Japan

FAIFE is marking the 20th anniversary of the IFLA Statement on Intellectual Freedom. As part of this, we had a chat with Yasuyo Inoue, expert advisor to the FAIFE Committee and Professor of Library Science at Dokkyo University, to find out more about intellectual freedom in Japan from her personal perspective.

1) What do you and your colleagues understand by ‘intellectual freedom’ in Japan?

知的自由 means ‘Intellectual freedom’ in Japanese. It includes free expression, free access to information at libraries and free access to information at national/local government offices. It is linked to the same concepts as those discussed in IFLA FAIFE and is essential for libraries in Japan.

2) How important an issue is it for libraries, and for the general population, in Japan?

The Japan Library Association adopted in 1954 its own statement on intellectual freedom in libraries. The Association has furthermore noted the IFLA Statement on Intellectual Freedom at Libraries, given that this concept is a core value for Japanese libraries including public, school and academic libraries.

Generally speaking, people in Japan are often more interested in free expression rather than free access to information in libraries. In Japan people think that libraries are only a place for studying and are mainly for students. It is difficult for many to imagine that libraries – especially public libraries – are public spaces for communication and information flow.

3) What have been the biggest questions and controversies in recent years?

There have been several cases of intellectual freedom being threatened in Japan.

In 2005, the Supreme Court ruled that libraries have the right to decide which books or documents are to be selected and provided. This was related to the case of the Funabashi Library, where a librarian made available more than 100 books with rather right-wing content without following the appropriate method.

In 2013, the manga book titled “Barefoot Gen”, as well as elementary school libraries holding copies of this book were attacked by an extreme-right wing group. The group claimed that the book included excessive violent expression and were not suitable for small children. The group insisted that the book should be removed from the shelves of all school libraries! It later came out that the group wished the book banned, not due to the violence, but because of the main character disliked the Emperor of Japan because of the war and the atomic bombs. Even so, still more and more people are signing petitions to local governments to ban this manga book from the shelves at school libraries.

In January, the copyright law was changed because of the ratification of the Trans-Pacific Partnership (TPP), to which Japan is a signatory. The issues of digitisation, notably in order to preserve materials was addressed, with a decision to wait a further 20 years to start the process of digitisation. Though public libraries are an exception, private companies, NGOs and other organisations are facing many challenges. This is a huge issue, in particular for disabled people and to free access to information in general.

Furthermore, the Japanese government has planned to raise the sales tax rate to 10%. Publishers are demanding books and other media commodities should be excepted from this raise. To this the Government answered that if the publishers stop making “harmful books”, they may be ready to act. The publishers insist that this reaction is against free expression.

We have also recently seen several cases of library users’ private information being compromised.

Earlier this year, the police of Tomakomai city searched library users’ reading records without warrant. The library had agreed to show the documents, though the act by the police was illegal.

Also the company CCC has publicly admitted that they provide clients’ private information to authorities. This company manages several public libraries and provides its own card, for which clients can get points every time they buy something or use it as library card.

4) What do you think are the biggest challenges for intellectual freedom in the coming years?

I see the biggest challenges as big data and the protection of private information. This is a huge issue for libraries, and it is important that we get involved. Participating in Internet Governance Forum activities is a great way to do this.

I also see copyright issues and free access to information, especially related to AI as big challenge.

Furthermore, is the lack of full-time professional librarians who are trained in intellectual freedom in libraries an issue, as well as the increase in privatised public libraries.

5) What role do you see libraries playing in relation to intellectual freedom in 10 years’ time?

In Japan, future librarians will be more like social workers and educators who make services for the people facing difficulties to get access to the information they need. There will also be more services for reading-challenged people, seniors and foreigners/immigrants who cannot read Japanese.

 

A Right to Anonymity?

A Right to Anonymity - ImageWith recent reforms in Austria set to remove the possibility to leave anonymous comments on the internet, the question of the right to anonymity is on the agenda.

The justification for the reforms in Austria is concern about the rise of ‘hate speech’, and the sense that anonymity can give people the possibility to spread discriminatory views without consequences. If there’s a risk of being identified and caught, the argument goes, people will moderate their speech.

Civil liberties groups have, however, opposed this, pointing out that it is often the usual victims of hate speech – marginalised groups, those in vulnerable positions – who have benefitted most from the opportunity to use the Internet without giving up their identities.

How does this affect libraries, both as concerns their values and their practice?

Anonymity is included as a concept in IFLA’s own Statement on Intellectual Freedom, which is celebrating its 20th Anniversary this year:

‘Library users shall have the right to personal privacy and anonymity. Librarians and other library staff shall not disclose the identity of users or the materials they use to a third party’.

Talking about privacy and anonymity is perhaps a little awkward. In effect, anonymity is rather one means – a particularly effective one – of ensuring privacy. If you are never identified in what you do, then there is no possibility of someone else learning about your preferences or activities.

For example, it is the difference between paying for your groceries with a credit or debit card, and paying with cash. Paying with a card leaves a trace which a shop or card provider can use to build a profile. Paying with cash leaves no trace. It is far easier to be anonymous in the latter case.

 

Of course, privacy can be achieved without anonymity. There are conditions under which personal data collection is acceptable – and even desirable.

Indeed, this is recognised in legislation such as the General Data Protection Regulation in Europe. This both looks to ensure that no more data is collected than necessary (data minimisation), and that what data is collected is done with consent, and then stored and used properly.

In short, privacy implies a mixture of anonymity in some cases, and careful and ethical collection and management of data in others.

The question then is of how to decide when we should opt for anonymity, and when not, acknowledging that the highest level of privacy comes from keeping people anonymous.

 

Anonymity vs Data Protection

There are some interesting examples in the wider world that offer some insights into this question. For example, it is seen as normal that we need to identify ourselves in order to buy and drive a car. Nonetheless, the list of who owns which car is not made public.

However, if we were asked for the same in order to ride a bicycle, this would seem shocking.

Why is this? The reason likely lies in the fact that it is far more likely that someone can do harm in a car than on a bicycle. In order to catch those who are driving too fast, or causing accidents, giving the police a means of identifying the owner of a car can be seen as justifiable (if not perfect).

A second example comes from contrasting medical records with information about how someone travels around within a country.

We generally accept that medical professionals should have access to records about allergies, conditions and past treatment in order to improve our care. We of course expect that these are properly looked after.

In contrast, in most parts of the world, we don’t expect to be tracked as we move around within the cities, regions or countries we live in. While, of course, our phones often do this for us, when we become aware of it, we often remember to update our settings to prevent this.

In short, while there may be some situations where being tracked is helpful (for example to find missing people or to make using online maps easier), many given the option will choose anonymity.

In this case, even though medical information is arguably far more personal than travel information, we accept this breach of anonymity because it brings real benefits.

What about libraries?

Many libraries do not require identification for someone to be able to enter a building and use resources on site (although policies do vary when it comes to using library computers). However, in order to borrow books, a library card is necessary, implying a loss of anonymity.

The justification is that lending only works when there are limits on what any individual can borrow, and that there is a time-limit on this. This is only possible with an account attached to a person.

The IFLA statement implicitly recognises this divergent approach, accepting that in addition to anonymity in some circumstances, libraries will also hold personal information which could (but shouldn’t, at least not without consent) be shared with third parties.

How does this choice apply when it comes to using – and expressing yourself – on the internet?

 

The Man Without an IP Address

Clearly the argument of the Austrian government is that the harm done by online hate speech is cause enough to oblige people to use their real names.

At first, this logic is attractive. Hate speech does indeed do harm to people who may already be vulnerable, and it is important to stop it when it risks leading to real harm.

However, it is not necessarily the case that identifying a person stops this from happening – in the end, it is taking down the content itself that resolves the issue. This can be done through notice and (transparent) moderation.

The subject of hate speech itself is also difficult. While there may be some black-and-white cases, there are many more nuanced ones where it is hard to draw a clear distinction. Just because something is rude or offensive for some, it does not necessarily make it hate-speech.

This recalls the situation with other reasons often given for restricting content, such as security (many governments claim that any criticism of their actions is a security threat) or morality (used in many situations to repress LBGTQI expression).

It is clear of course that perhaps some sources of hate speech will think twice if they need to share their identities. But this does not necessarily stop them holding such views, or carrying out acts motivated by them.

Furthermore, we also have to accept that removing the right to anonymity risks opening the doors to other moves away from anonymity as default, and so weakening a key protection for vulnerable individuals and groups.

People who have found a community and a voice online that has been denied to them in the physical world risk losing it when their names are shared. Through this, they can become the victims of attacks on their persons and property.

At a less extreme level, the feeling of being watched can have a chilling effect on online behaviour, restricting people’s ability to follow their interests and develop their personalities. In any case, for a democratic government to take such a step, even for the most honest of intentions, simply risks legitimatising those who will use restrictions on anonymity to crack down on diversity and dissent.

 

The implication of the General Data Protection Regulation, as well as of IFLA’s Statements on Intellectual Freedom and Privacy in the Library Environment is that the default in any situation should be the highest possible level of privacy – i.e. anonymity.

It follows that the collection of data should be the exception, not the rule, and in this case be justified, with cases such as that of Austria provide an opportunity to remind ourselves what’s at stake.

Nonetheless, decisions about when it is acceptable to derogate from anonymity also appear in the work of libraries. It is important to be conscious of these, in order to take the best decisions for users.

Why Privacy Matters, For Everyone: Chose Privacy Week 2019

Choose Privacy Week was initiated by the American Library Association to draw attention to the importance of privacy, and what people can do about it. It is a great opportunity to learn about the important role librarians play in achieving this.

This year’s theme of Choose Privacy Week is “Inclusive Privacy: Closing the Gap”, and raises awareness of the privacy inequities imposed on vulnerable and historically underrepresented groups. It highlights how libraries can close the privacy gap for those who need it most.

Why Privacy Matters

Privacy is of course a right. As set out in Article 12 of the Universal Declaration of Human Rights, people should be able to live free of arbitrary interventions in their private life.

There is a good reason for this. The possibility to have a private life is central to much of what makes us human. In particular, it gives us the freedom to think, speak and access information freely.

IFLA’s submission to the UN Special Rapporteur on Privacy stresses this point, underlining that without privacy, there can be a powerful chilling effect on creativity and innovation.

Privacy has traditionally been seen as a means of protecting the individual against efforts by states to import control. However, increasingly, it is privacy in the face of companies that is coming to the fore.

Data collection has never been easier, and the companies whose services we use are increasingly able to draw conclusions about us on the basis of what they see. Indeed, many of these conclusions may reveal traits and preferences of which we are not necessarily conscious ourselves.

Clearly advertising has done this for years, but the possibility to do so in such a targeted, individual manner is new.

If this was only about advertising, it would not necessarily be so important, although clearly still has a certain ‘creepiness’ factor. However, more is at stake. It can also shape the content we see on line – which stories, posts or search-results are promoted.

Ironically, perhaps, the effort to personalise services comes at the cost of individuality and privacy, as a coded version of your personality is constructed, held on a server somewhere, and then used.

This is not just an issue on social media, but also in the research space. With efforts to move from institutional to personal log-ins to academic articles, the possibility for publishers and platforms to monitor use, and make their own efforts to tailor results and experience also arise.

This is a problem, because it means that we cannot assume that the person next to us is seeing the same thing as we would. Moreover, given that the algorithmic version of your personality can only work on the basis of past data, it does not allow for you to change in the future, potentially locking you into a particular set of preferences and interests.

 

Privacy Can’t Be A Luxury

Yet privacy – and the need for privacy – may not be equally distributed or equally shared.

A first challenge is for people who belong to a vulnerable or marginalised group. In many cases, they may feel the need to hide what it is that makes them unique, given political, cultural or social pressures in the society around them.

The internet has been a major source of support for many in this position, given the possibility to connect to those in a similar situation elsewhere, without having to use what may be a hostile public space.

To have these characteristics and interest coded and used to shape advertising and online experience (and potentially even inform governments) takes these gains away.

There may also be challenges for people on lower incomes, who may, for example, be more reliant on smart phones to access the internet (which pose a number of privacy concerns).

They can also be obliged to share more personal information anyway online in order to apply for government services or other programmes. A 2017 study on privacy, poverty and big data by Data & Society reveals some key trends.

Add to this stories of internet subscribers being asked to pay more for a privacy-friendly connection, or the fact that more expensive phone brands are using privacy as a selling point, and the potential connection between income and the right to a private life becomes clear.

Finally, there is often not a connection between the risks faced, and the ability to do something about it.

Recent privacy legislation, such as the General Data Protection Regulation in the European Union, gives important new rights to individuals. The success of this depends on people being sufficiently skilled and motivate to choose privacy.

Yet is seems clear that even where there is awareness, there may not be the skills – or even the attitude – necessary to act on it. As the Data & Society study shows, while there is demand, people with less money, less time, and less education may feel helpless in the face of companies and government agencies.

This is just as true in the case of right to be forgotten cases. While there is certainly a place for such rules in protecting people against unfair, irrelevant or incorrect information about them being found through search results, the risk is that it becomes a tool for those in positions of power to ‘edit’ the historical record.

 

How Libraries Can Help

A year ago IFLA and the FAIFE Committee used the momentum of the Chose Privacy Week to bring awareness to how personal data ownership affect libraries and library users and offered practical steps that individuals can take to keep their private lives private in regards to the General Data Protection Regulation.

A year after, there is still a need to work to ensure that everyone really is aware of, skilled and motivated to use their choice of privacy.

Libraries have an expertise in information management, and a responsibility to help others develop their own information literacy skills. With more and more library resources found online, libraries can not only offer a means of accessing information and expressing yourself in as private a way as possible, but can encourage privacy-friendly behaviours in their users’ own lives.

In short, the library is not only a trusted source of information but also a community support and can “close the privacy gap” for its users by providing a safe space, training and resources to help them take control of their private lives and data.

Here are a few steps that you can take to ensure the users privacy:

  • Make use of the privacy guidelines for libraries. In 2016, IFLA published the IFLA Statement on Privacy in the Library Environment. The Statement is intended to give guidance to libraries and information services in an environment that includes mass surveillance by governments and routine user data collection by commercial interests that provide content or services through the Internet.
  • Reduce data traces online. Greater care in choosing privacy settings, and simply better data hygiene can all help. And there are great tools such as the Data Detox Kit already available.
  • Apply tools to protect user privacy. ALA has created a list of resources on relevant tools, you can find the list here, while Scottish PEN has a Libraries for Privacy Toolkit.
  • Watch presentations and webinars on the subject. You can learn a lot by watching webinars such as the IFLA webinar on the GDPR, or the ALA video on raising privacy awareness in your library.
  • Help raise awareness throughout Chose Privacy Week!