The Right to Data Protection as a Fundamental Right – Estonian perspective
Prof. Dr. Ülle Madise, Chancellor of Justice of Estonia
Ladies and gentlemen,
To give the Estonian perspective on the right to data protection as a fundamental right, I would start from the year 1997. Twenty years ago, five years after adopting a new constitution and re-establishing the rule of law. Data protection, privacy, secrecy of communication and all the other fundamental rights.
I had started working at the Ministry of Justice. In the public law department. One of my first serious fights there was in the field of data protection and privacy as a fundamental right.
The issue was the Estonian Population Register.
More specifically: should registration of the actual home address be mandatory?
But: there was also rather strong public resistance to it, because we had just got rid of the Soviet inscription system called propiska. Propiska was a kind of residency permit and a tool to limit migration inside the country. You had to have it. It was the law. As it went – and still goes – in totalitarian regimes: you had to abide by every law, however stupid or repressive, if you did not want to get punished. So the Soviet army could more easily hunt down young men avoiding compulsory military service or clean-up work at the Chernobyl nuclear power plant.
We had got rid of the Soviet Union but its shadows still haunted us. As a result, Estonia decided for a hybrid if not ineffectual solution: reporting your actual home address is compulsory, but there is no punishment for reporting a wrong address.
Trust me, there are thousands of people in Estonia with several addresses, one official – the wrong one – and the other actual. There are several reasons from . Sometimes it creates problems, but usually not.
The other question was: if the registration is mandatory, should the data in the Population Register be available to the public? Could the government sell personal data, incl. home addresses?
I represented the constitutional point of view and tried to explain and defend privacy as a fundamental right.
My older colleague from the Ministry of Interior told me: "Dear child, please remember: If you have nothing to hide, you have nothing to fear".
I am quite sure you would not hear that kind of argument any more.
The next big fight was almost ten years later. Our Data Protection law again. "Why do you think that the photos of small kids dancing at a kindergarten party should not be open on the web? Parents' consent or protection with password – why such restrictive requirements? Are you silly?" – Today nobody asks why. Rather – how?
Awareness of privacy concerns in online world has certainly risen.
Still, users trust websites and social networking sites way too much. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale. We have all heard about microtargeting, right? It means that smart guys sitting at their offices in California have long ago created algorithms for sending the so-called preferred content to our smartphones and tablets. Moreover, they sell our preferences not only to supermarkets or car vendors but also to political campaigns.
And here’s where the reality about privacy checks in. I have read about a story where a father got a phone call from a teen pregnancy advisory group offering time for a meeting. Something had gone wrong with microtargeting or phone numbers. The girl, daughter of that father, had found out that she’s pregnant and had “googled” for information. And definitely her father was not the first person she wanted to consult about such a delicate matter. What could be more private?
Clearly, we should use the data to create better services, conduct scientific research, and discover terrorist and other criminal networks.
But there should remain a clear line between public and private interests. A right to remain private, to have private thoughts and, yes, secrets; the teenager's right to get information about her health and pregnancy: privacy is the cornerstone of being a human being. That right must be observed and protected, no matter what.
Ladies and gentlemen,
Did you know that by the year 2020 we are going to have 57 times more data than there are grains of sand in the world? Not all the grains contain personal data, but …
I know it sounds controversial but unfortunately we must accept the fact that data, incl. personal data, are collected and we are almost helpless to control it. Especially in the private sphere. It might be clever to concentrate the energy on how to avoid and discover misuse of personal data.
People are ready to accept contract conditions allowing the collection and processing of their personal data. It has been studied whether people read the conditions before ticking the box. No, they do not.
Some people argue, of course I hope they are completely wrong, that the private sector and/or undemocratic governments collect and store everything, including private messages. If this statement is true, personal data becomes a tool for blackmailing, disrupting friendships and families, and the general trust.
If the data are in the cloud or on the internet, where are they exactly? Under which jurisdiction?
And the point I am going to make is – as long as the digital gap exists we must maintain old-fashioned services for those who do not have any internet access or do not trust the internet.
Even further: maybe we should not rely entirely on the internet, e-services, e-databases?
Try to imagine, for example, a smart building with computer-driven ventilation, heating and lifts, automatic locks and key-cards etc. What happens when the system is compromised or hacked, the lifts do not work, the doors do not open, and the ventilation is closed off? As we know, in really so-called smart buildings you can't open the windows.
The question is: when does the system become too smart to be dangerous? But here, I guess, we are only a short step apart from artificial intelligence and singularity and this is already a whole different topic for another very important conference.
So let me return to data protection and privacy rights.
The central questions are:
How to regulate gathering of personal data and how to urge people – the owners of the data – to consider whether or not to tick the box and give away personal data?
How to store personal data safely?
How to prevent misuse (internal and external control mechanisms)?
How to educate people about their rights, incl. the fact they own their data and have the right to check the use of their data, ask and get answers from every data processor, be it public or private?
I would like to use health services as an example. In Estonia we have a nationwide system that integrates data from different healthcare providers to create a common medical record for each patient. The system also compiles data for national statistics, so the relevant ministry can measure health trends and track epidemics.
What a system! Let us imagine something happens with you. You can get help faster and in critical moments time could be the only thing that really counts. Your personal health record includes data from your blood type to used medicines and allergies.
But should we be afraid that our diagnoses might leak to private banks or insurance companies and influence the interest rate of my bank loan? Privacy, hacking, government snooping – these are all frightening aspects for patients, for everyone.
I have witnessed attempts from insurance companies to get access to the e-health data. That's the real gold mine for them, isn't it?
Two years ago together with our national Data Protection Agency we managed to stop a plan of private insurance companies to get access to personal health data. It is not difficult to imagine what would have happened if the parliament had not agreed with us.
E-services offer excellent opportunities for bringing transparency. Every step can be traceable, be it e-health or national population registry.
The benefits of eHealth will be achieved only through information sharing. Data sharing would ensure faster and better diagnosis, treatment and monitoring. Sharing, however, requires rigorous procedures to be followed because the data is considered highly sensitive medical and therefore also private information.
Estonia has fully implemented digital prescriptions and over 90% of patients were fully satisfied with the new system. Digital prescription is an example of how IT makes it possible to optimize processes, to save resources and to be customer-oriented. Another good example of eHealth services is the electronic medical record.
Just a week ago, an international research team reported that the chip that is used in our identity card has a significant vulnerability. The same type of chip is also used in the ID-cards and banking cards in several other countries. Yes, I am talking about the same cards that allow access to the e-Health or e-Prescription system. It is sad that during the last two days some of our politicians and opinion leaders have used the situation and tried to persuade us that it was time to switch back to paper.
Just the opposite: we must find and fix the bugs and problems and learn to live in the changed world.
The cyber environment is changing all the time.
While offering digital services the state must constantly seek a balance and assess the risks. The same applies to users.
In the cyber world it is impossible to guarantee complete security. And security depends very much on user awareness.
I am going to conclude by underlining some essential truths we have to bear in mind while developing our new digital society and future services:
First, no society can forget its past. No country is ready to throw away its achievements. Let us not underestimate this while talking about common EU data regulation.
Second, Estonia has successfully managed two things at the same time: protecting privacy and developing new and effective e-services. It means – this is possible.
Third, do not be afraid of limits. We could do better and continue improving our science, education, health care and economy with the help of new digital services and shared information.
Finally, fourth: in digital matters the reasonable position lies somewhere between paranoia and stupid rashness.