Migration and data protection

While data are important to understand migration, collecting, sharing and processing data pose risks associated with the right to privacy of data subjects if appropriate safeguards are not in place. Thus, it is important to use the best resources available that will enable informed migration policy while securing fundamental privacy rights and safety of data subjects.

The privacy and safety of a data subject are contingent on confidentiality of personal data. Confidentiality of personal data is especially important in sensitive contexts such as child migration, sex/human trafficking or migrant smuggling, where identification of a data subject can have life-threatening risks. Therefore, migration data controllers should ensure that applicable data protection and privacy laws are respected and proper safeguards are in place to prevent personal data reaching the wrong people.

Definition

The confidentiality of migration data and privacy of data subjects are ensured by laws and policies that are based on principles, regulations and standards in countries all around the world. Personal data should be processed in accordance with such data protection laws and policies to preserve the right to privacy of a data subject. Data protection is an evolving area of law that concerns the safeguarding of a person’s fundamental human rights in connection with the right to a private and family life as enshrined in the Universal Declaration of Human Rights. The right to data protection is also enshrined in the EU Charter of Fundamental Rights and the Treaty on the Functioning of the European Union, which give effect to individuals’ right to privacy by providing them with control over the way information about them is collected and used. 

Data protection is not only a fundamental human right but also one of the central issues for institutional ethics. Researchers, organisations and corporations are required to provide detailed information describing the treatment of data during their data analyses, collection, storing and distribution processes. At all stages during these processes, the used data must be protected, minimised, and destroyed in accordance with existing data protection principles (European Commission, 2018).

The following are definitions of data protection concepts according to IOM’s Data Protection Manual:

● Data protection - “the systematic application of a set of institutional, technical and physical safeguards that preserve the right to privacy with respect to the collection, storage, use and disclosure of personal data” (IOM, 2011). 

● Personal data - “any information relating to an identified or identifiable data subject that is recorded by electronic means or on paper” (IOM, 2011). 

● Data subjects - “individuals that can be directly or indirectly identified by the reference to a specific factor or factors. Such factors may include a name, an identification number, material circumstances and physical, mental, cultural, and economic or social characteristics” (IOM, 2011). 

● Consent – “oral declaration or written signature provided by data subjects, indicating a clear understanding and appreciation of the implication of an expressed agreement that allows for data collection and data processing. Consent occurs when data subjects agree to the collection of their personal data after having considered all the relevant facts associated with data collection and data processing” (IOM, 2011). Consent should be recorded, for example, in interviews, registration and application forms or electronic records.

Key Trends 

Legal sources 

The right to privacy is a human right. There are international, regional and national instruments that call for the respect and protection of the right to privacy. The following are existing legal instruments at the international and regional level:

International instruments

• Universal Declaration of Human Rights:  All of the data protection instruments at international, regional, national and local levels are based on the right to privacy, which is enshrined in the Article 12, Right to Privacy, of the Universal Declaration of Human Rights. 

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” 

Similar language can be found in other international legal instruments but specify the type of person to which the right to privacy is granted:

• International Covenant on Civil and Political Rights (Article 17))

• Convention on the Rights of the Child (Article 16)

• International Convention on the Protection of the Rights of All Migrant Workers and Members of their Families (Article 14) 

• Convention on the Rights of Persons with Disabilities (Article 22)

Regional instruments 

Europe 

● Article 8 of the European Convention on Human Rights (ECHR) establishes that “everyone has the right to respect for his private and family life, his home and his correspondence”.

● The Council of Europe’s Convention 108 ensures the protection of individuals with regard to automatic processes of personal data. The Council adopted this document as the first legally multilateral agreement on personal data protection in the world.

●  The European General Data Protection Regulation (GDPR) was approved on 15 April 2016 and entered into force on 25 May 2018, replacing Directive 95/46/EC, which serves as a guidance to harmonize the data protection laws among member states. The jurisdiction of GDPR is extended compared to the previous Directive as the rules apply to data controllers even outside the EU who process data of EU residents. It also reconsidered and redefined the consent policy and elaborated on the penalties in case of privacy breaches. Through its regulatory framework, Directive 95/46/EC aimed at ensuring data protection and enable the free flow of data from one member state to another. Since May 2018, the GDPR has been effective in all current 27 Member States of the European Union.

●  EU Charter of Fundamental Rights and the Treaty of Lisbon also specifically address the protection of personal data. The former has a binding legal effect on member states and the latter requires all EU institutions to protect the fundamental rights of individuals while processing their personal data.

● The European Parliament and the Council also established Regulation (EC) No 45/2001 that ensures the protection of individuals’ right to privacy while processing of personal data by the institutions and bodies of the European Union. This regulation established the European Data Protection Supervisor, an impartial supervisory authority, which enforces and reinforces EU data protection and privacy standards.

Other regional legal instruments

●  Americas - American Convention on Human Rights (Article 11) 

●  Asia – The Association of Southeast Asian Nations (ASEAN) Human Rights Declaration (paragraph 21) 

●  The ASEAN Framework on Personal Data Protection (2016) is important for Asian countries and is a multilateral data protection and privacy framework in the region developed to accommodate different data protection and privacy regulations. 

●  The Asia Pacific Economic Cooperation (APEC) Privacy Framework was approved in 2004 and the second iteration of the framework was published in 2015. It is a set of principles and guidelines that establish effective privacy protections to avoid any obstacles to the flow of information, and to ensure continued trade and economic growth in the APEC region of 27 countries. The APEC Privacy Framework was the basis for the APEC Cross-Border Privacy Rules system (CBPR). The CBPR seeks to ensure the continued free flow of personal data across borders, while establishing a voluntary accountability mechanism to guarantee protection and security of personal data. Six countries currently participate in CBPR: Canada, Japan, Republic of Korea, Mexico, Singapore and the United States.

●  Africa - African Charter on the Rights and Welfare of the Child (Article 10)

●  The African Union Convention on Cyber Security and Personal Data Protection was adopted by the member states of the African Union in 2014 to guarantee that member States respect the basic freedoms and rights of individuals when processing personal data. The Convention sets out obligations relating to conditions governing personal data processing and establishes basic principles. 

●  The Personal Data Protection Guidelines for Africa was published in 2018 as a joint initiative of the Internet Society and the Commission of the African Union. It was developed to facilitate the implementation of the Convention in the African Union Specialized Technical Committee on Communication and ICT Ministerial Declaration (AU/CCICT-2). The guidelines set out 18 recommendations that are meant to be a blueprint for evolving process of developing policy, operational guidance and best practice, as data protection is a broad and ever-changing domain.

Data protection frameworks in some international and multilateral organizations working on migration

United Nations

● United Nations system organizations adopted specific guidance on protection of personal data in 2018: the UN Principles on Personal Data Protection and Privacy of 2018.

● UN General Assembly (UNGA) Guidelines for the Regulation of Computerized Personal Data Files, as adopted by Resolution A/Res/45/95 of 14 December 1990.

● In July 2015, the Human Rights Council appointed the first-ever Special Rapporteur on the right to privacy. The Special Rapporteur is mandated by Human Rights Council Resolution 28/16 amongst other things to report on alleged violations of the right to privacy and submit an annual report to the Human Rights Council.

● In October 2018, the Special Rapporteur for the promotion and protection of the right to freedom of opinion and expression released a report on the implications of artificial intelligence (AI) technologies for human rights, which found that especially vulnerable groups are the most likely to be disadvantaged by artificial intelligence content moderation systems. 

● In January 2019, UNGA adopts the right to privacy in the digital age, noting that especially children and women are more vulnerable to have their privacy violated. 

● The  General  Conference  of  the  United  Nations  Educational,  Scientific  and  Cultural  Organization  (UNESCO) produced a  first  draft  text of the recommendation on the ethics of artificial intelligence in 2020

●  In 2020, UNICEF released its Policy on Personal Data Protection which establishes a framework for the processing of personal data throughout UNICEF's offices globally and ensure that individuals' privacy rights are honored and their data appropriately protected.

International Organization for Migration (IOM)

● IOM’s Migration Data Governance Policy governs the organization’s use of migration data and information. This Policy outlines the standards that ensure that IOM is principled in having a migration data governance framework for continued accountability, transparency and efficiency regarding migration data use and sharing (IOM, 2017).

● IOM processes beneficiaries’ personal data in accordance with IOM’s Data Protection Manual, which elaborates on the practical implementation of the IOM Data Protection Principles. These documents, along with other complementary materials, guide IOM staff in processing personal data of migrants. The main objective of these documents is to protect the beneficiaries’ right to privacy  while processing personal data.

United Nations High Commissioner for Refugees (UNHCR)

• The Policy on the Protection of Personal Data of Persons of Concern to UNHCR sets out the principles and rules relating to how UNHCR processes the personal data of refugees, asylum-seekers and other persons of concern. Its purpose is to ensure that UNHCR’s processing of personal data is consistent with the 1990 United Nations General Assembly’s Guidelines for the Regulation of Computerized Personal Data and other relevant   international instruments. 

World Food Programme (WFP)

• The WFP Guide to Personal Data Protection and Privacy was published in 2016 and relays basic principles and operational standards for the protection of beneficiaries’ personal data in WFP’s programming. The guide recognizes that protecting personal data is a fundamental part of WFP’s duty of care to beneficiaries and prospective beneficiaries. It was developed for all WFP personnel involved in the processing of data. 

International Committee of the Red Cross (ICRC)

• The ICRC Rules on Personal Data Protection were adopted in 2015. The Rules seek to safeguard individual’s personal data, especially in armed conflicts and humanitarian emergencies, and recognizes it is an essential part of protecting people’s lives, dignity and physical and mental well-being. The Rules apply to all ICRC activities and operations, for beneficiaries, staff, donors and partners. The document went through a revision in 2019 due to regulatory, social and technological developments in the field of data protection.

Organization for Economic Cooperation and Development (OECD)

• OECD’s guidelines govern the protection of privacy and transborder flows of personal data, including that of migrant data. Adopted in 1980, the guidelines recognize that the extensive and innovative uses of personal data can bring greater economic and social benefits, but also increase privacy risks, which warrants general guidance concerning the collection and management of personal information.

OECD revised its guidelines in 2013 based on its Data Protection Principles for the 21^st Century which acknowledge potential pitfalls in the big data and information privacy protection paradigm. In particular, it questions once effective “notice and consent” requirements. It also recognizes that the scope of notice and consent is very narrow and thus, data controllers have more room to maneuver, which might potentially lead to misuse of information.

World Bank Group

• The World Bank Group’s Personal Data Privacy Policy set forth seven principles consistent with international data protection standards and governs the processing of personal data by its 5 institutions.

 International initiatives on data protection

● The UN launched the Global Pulse initiative in 2009 to scrutinize how data in conjunction with the real-time analytics technology can provide a better understanding of, for example, vulnerabilities and inequalities associated with human mobility. As is already an acknowledged fact, privacy protection is a challenging and yet important condition in sensitizing data. Thus, Global Pulse created a set of privacy principles that data controllers should follow. It also established a Data Privacy Advisory Group as a forum to discuss critical issues related to privacy, information security and data protection issues. 

● The Data Protection in Humanitarian Action project, run by the Brussels Privacy Hub and the International Committee of the Red Cross (ICRC), explores the relationship between data protection law and humanitarian action. The project also identifies concerns related to privacy and security of data subjects and proposes solutions in the form of guidance or policies. The project’s latest output is the Handbook on Data Protection in Humanitarian Action. 

● The Vrije Universiteit Brussel and the Université de Namur and Tilburg University established Computers, Privacy and Data Protection (CPDP) non-profit platform in 2004. This annual conference brings together academics, lawyers, policy-makers, practitioners, national and international civil servants from around the world to exchange ideas and discuss the latest emerging issues related to privacy and data protection. 

● International Data Privacy Law (IDPL) is a peer-reviewed journal that publishes scholarly articles on various cross-cutting themes related to data protection and privacy. The journal is global in scope.

Strengths & limits of the data 

There is a growing international interest in data protection. As new technologies are being developed and used, collection and processing of data becomes easier and faster, which in turn also raises questions in relation to privacy rights and protection of personal data. 

In recent years, more than 100 data protection laws have been adopted at national and regional level. The majority of countries, including some EU member states, have fragmented data protection legislation at the national level (Clarke, 2011; Rudgard, 2011). International and intergovernmental organizations have also sought to implement data protection frameworks, which are becoming increasingly harmonized. 

Data collection is important to identify migration patterns and trends and provide humanitarian assistance to those in need. Nonetheless, the need to protect and safeguard the privacy rights of migrants cannot be overlooked in the process. Data protection safeguards and tools should be in place to protect the privacy rights of individuals

The growing importance of innovative migration data, combined with efforts to boost the quality and frequency of data to achieve the migration-pertinent Sustainable Development Goal (SDG) targets, has made data protection a top priority. Migration data has the potential to provide real-time data on topical issues to improve high-level decision making and enable more appropriate responses.

International organizations and states involved in collection and processing of migration data have to establish effective and appropriate safeguarding tools to ensure the privacy and security of data subjects in digital space. IOM has developed its own internal data protection policy to processes the personal data of millions of beneficiaries in order to fulfill its mandate  (IOM Data Protection Manual, 2010).

However, protection of personal data is not applied uniformly around the world.. Thus, it gives rise to divergences in application. Inconsistent implementation of personal data protection legal instruments may aid perpetrators and jeopardize the privacy of a data subject. Moreover, the evidence base on the protection of personal data in the digital space should be built up in order to efficiently implement personal data protection legal instruments.