Roundtable #21 | International Data Privacy Law in the Age of COVID-19

Τhe views in these articles are those of the individual authors and not of the Columbia Undergraduate Law Review

Section 1: International Conventions on Privacy Rights in the COVID-19 Era

The role of international organizations in regulating and enforcing global conventions and agreements is both potent and tenuous. On the one hand, institutions such as the United Nations and the European Union are backed by the power of legal jurisdiction over all states that subscribe to their authority. On the other hand, because this authority stems from the states themselves, the institutional capacity to meaningfully intervene and adjudicate in state matters is, to a certain extent, perpetually unsettled. This constant tension between legal mandate and practical capacity defines many international organizations. One of the many sensitive issues these organizations and conventions must tackle is the question of limits to the right to privacy, which has become a flashpoint in recent years due to the COVID-19 pandemic given the unprecedented level of data sharing and public health monitoring that states have undertaken to address the public health crisis.

The tensions inherent in pandemic-era legal tumult beg the question: what is the actual, tangible role of international organizations in determining issues of rights and liberties at the state level? As data privacy became a frontier for the interpretation of privacy rights declarations amidst the emergency conditions of the pandemic, it has become increasingly relevant that many states have taken measures to preserve their sovereignty over their own affairs. In theory, international organizations exist to ensure that states adhere to expectations, such as upholding the right to privacy. In practice, however, states reserve the right to act as they see fit in times of crisis, so that they may do what they judge to be in the interests of their people. What is the depth of states’ obligations to international institutions in drawing the line between data privacy protection and national security?

The International Covenant on Civil and Political Rights (ICCPR), adopted by the United Nations General Assembly as part of the International Bill of Rights, declares that “private and family life of individuals, as well as their home and correspondence” are protected from “unlawful interference”. Signatory states are required to submit reports on privacy rights to the UN’s Human Rights Committee, upon ratification at the ICCPR and at the committee’s request, which traditionally comes every four years. However, not all states associated with the ICCPR are subject to this reporting mechanism— for example, China is a signatory to the agreement, but never ratified it, and is thus under no compulsion to submit self-critical reports.

Critically, the ICCPR contains a mechanism by which states can declare reservations to the definition of data privacy it contains. For example, the U.S. declared reservations that the statutes of the ICCPR cannot restrict First Amendment rights, and also made specifications that the right to privacy is not self-executing and must be actively incorporated and implemented— thus, despite the fact that the U.S. did ratify the ICCPR, it still can decide when, how, and if it wants to subject itself to the standards of the covenant. The nature of state-submitted reports, the signatory loophole, and the widespread reservations indicate that discretion essentially lies with the states themselves. The ICCPR clearly, then, does not have much teeth; its power is more symbolic than formal, as these multiple mechanisms ensure that states are in the driver’s seat when it comes to interpreting and enforcing the agreement.

The right to privacy is also enshrined by the European Convention on Human Rights (ECHR) and the American Convention on Human Rights (ACHR). The former was ratified by all members of the Council of Europe (a precursor to the European Union which includes all European entities besides Russia, Belarus, Kazakhstan, Kosovo, and the Vatican City, which carries no formal legal power but is an influential promotional body), and states that “everyone has the right to respect for his private and family life, his home and his correspondence”; it also specifies that public authority can interfere with privacy rights for the promotion of public safety or national economic well being, protection of health, and the protection of rights and freedoms of others, all of which could be invoked as government concerns during the COVID-19 pandemic. The document offers no framework for what happens to privacy in situations like these, but it does make clear that public health supersedes privacy rights. The ECHR is interpreted by the European Court of Human Rights; this, too, lacks enforcement mechanisms as the court does not comprehensively monitor state compliance, and thus states have simply ignored its adjudications in the past.

The American Convention on Human Rights, meanwhile, has been ratified by 25 of the 35 members of the Organization of American States (which includes most states in the Western Hemisphere), with the most notable absences being the U.S. and Canada. The ACHR states that “no one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence… everyone has the right to the protection of the law against such interference or attacks”. Again, the ACHR lacks enforcement power, and state compliance is very low– out of the roughly ninety cases brought before regulatory commissions from 2002 to 2005, states complied with adjudication only six times.

Meanwhile, outside of international conventions, analysis by the UN Conference on Trade and Development indicates that 71 percent of countries have enshrined rights to privacy and data protection through legislation, with another 9 percent of countries currently with similar legislation in the draft stage. The analysis also notes that “in many contexts, the concept of privacy has been combined with data protection, which understands privacy in terms of management of personal information”. This is particularly relevant for questions and concerns with modern governance, as it demonstrates how deeply entangled privacy rights and data privacy have become. According to this same analysis, “the legal protection of privacy varies greatly around the world”, as different countries and organizations provide different levels of clarity and different mechanisms for enforcement regarding their enshrined definitions of privacy. In the European Union, for example, governments are widely understood as major industry actors in determining regulatory strategy, whereas the U.S. has undertaken a laissez-faire, corporate-style approach to data regulation. 

Overall, it seems that states and entities interpret privacy through the lens of their own prevailing interpretation of the government’s responsibilities. Of the major covenants and agreements on human rights, the ICCPR carries the most weight due to the influence of the UN, but, as stated above, it is undermined in multiple ways. Because many definitions of privacy have declared exceptions in cases of public health, the COVID-19 pandemic provided inarguable justification for interpretations of privacy to be adjusted or waived.

When considering the novel directions that governments have taken in redefining boundaries around data privacy amidst the urgent existential threat of the pandemic, it is important to understand the larger boundaries and umbrellas they are—or are not— operating under. Governments do not only have to adhere to the definitions of privacy they legislated and adjudicated upon themselves; they also, theoretically, must adhere to the guidelines of the international conventions they have placed themselves under. However, agreeing to adhere to these guidelines is not the same thing as actually adhering to them. The authority that international structures wield is a direct result of the consent of the concerned parties, and discretion at the state level is well-fortified and becomes particularly shored up when states experience times of crisis.

by Simon Panfilio

Section 2: Digital Contact Tracing and Applications of Privacy Law in Israel 

The United Nations and similar international institutions derive their legal power from their member states, who commit to adhering to institutional standards and regulations. However, this juridical power is contingent on the efficacy of the institution’s compliance mechanisms and the cooperation of state legislatures, severely constraining the authority of international humanitarian law. Particularly during times of crisis, states are empowered to make their own decisions independent of the United Nations in an effort to promote national security. This power became abundantly clear during the COVID-19 pandemic, as UN member states adopted strikingly different data privacy policies in response to their unique security needs. Israel offers a valuable lens through which to examine the efficacy of international human rights covenants, as its status as a democracy seems to imply adherence to UN privacy regulations. However, Israel’s invasive surveillance policies violate International Covenant on Civil and Political Rights (ICCPR) standards and reflect a vague definition of privacy that relies on outdated legislation.

On March 17, 2020, the Israeli government enacted the Emergency Regulations (Authorization of the General Security Service to Assist the National Effort to Reduce the Spread of the Novel Coronavirus), 5780-2020, a set of reforms that authorized the General Security Services (GSS) to digitally monitor Israeli citizens for the purposes of contact tracing. Under the auspices of the Prime Minister's Office, the GSS functions as Israel’s domestic secret service and typically acts to prevent terrorist attacks and violent threats to Israeli national security. While the GSS is primarily a security force, legal precedent gives the force expanded powers during times of emergency. For example, the COVID legislation primarily references Section 20 of the Public Health Ordinance, which authorizes the Minister of Health to categorize a contagious disease as a severe threat and enact broad legislation to curb its spread. This ordinance was originally instituted by the British Mandate in 1940 before the founding of the state of Israel, yet is still utilized by Israeli cabinets to pass emergency reforms. 

In addition to the Public Health Ordinance, the Emergency Reforms rely on Section 39 of Israel’s Basic Laws (Israel’s quasi-constitutional documents). During periods of national emergency, Section 39a empowers the government to enact legislation “for the defense of the State, public security and the maintenance of supplies and essential services.” This power extends to legislation that overrides existing statutes, which can be temporarily modified or suspended. Since Israel has technically been in a state of emergency since its independence, the government was able to immediately enact emergency regulations at the height of the pandemic even though their surveillance tactics infringed on the privacy of its citizens. Initial regulations, for example, granted the GSS direct access to cellular location data from providers’ databases to inform citizens in the event of a government-mandated quarantine. GSS committed to deleting all data after the crisis had passed, but this provision was never enforced: GSS Law does not require judicial oversight of the agency’s activities. Israel's ongoing state of emergency allowed the government to utilize the Basic Laws, which empower the government to violate existing legislation in the name of public safety. 

Israel’s surveillance policies first encountered legislative difficulties in April 2020 when several non-governmental organizations (NGOs) filed a joint petition to the high court, claiming that GSS surveillance lacked transparency and violated the privacy rights of Israeli citizens. In Adv. Shahar Ben Meir v. Knesset, the high court determined that the GSS could not continue their program without specific legislation authorizing digital contact tracing. Judges cited Section 39c in their ruling, which stipulates that the Minister of Health can only enact emergency reforms independently during times when it is impossible to convene the cabinet. Furthermore, Section 39f constrains the power of emergency rulings by limiting their effect to a period of three months in the absence of supplementary legislation. Drawing on Israel’s Basic Laws, the court found that Israel was initially justified in its broad understanding of national security to include public health emergencies. However, once the threat is no longer immediate and the cabinet has had sufficient time to deliberate, explicit statutory authorization is required to allow electronic surveillance under the nondelegation doctrine. 

Political context was also an essential factor in the court’s ruling. When the emergency regulations were first passed, Israel was governed by a caretaker government. Although the Basic Laws provide for expanded government actions during national emergencies, caretaker governments have limited power compared to elected cabinets. The court took Israel’s political instability into account in Adv. Shahar Ben Meir v. the Knesset, ruling that the temporary government must draft official legislation if it wanted to continue its surveillance policies. The cabinet took the court’s advice, and the Foreign Affairs and Defense Committees approved an official extension of the GSS’s cyber tracking policies. 

At first glance, the court’s conclusion appears to constrain the power of the GSS to infringe on the privacy of Israeli citizens. However, in reality, the decision led to the enshrinement of COVID-19 surveillance policies in Israeli law, which policymakers fear will normalize extreme surveillance measures in the future. While GSS security measures previously relied on temporary emergency legislation, the court’s ruling influenced the government to pursue permanent legislation in favor of intrusive electronic surveillance. In her decision, Chief Justice Esther Hayut stated that stopping the spread of the coronavirus pandemic falls within the definition of national security, paving the way for the government to authorize future surveillance programs. Furthermore, the majority decision failed to establish clear legal obligations concerning contact tracing in the event of health emergencies. The broad latitude the court gave the Israeli government is in violation of Article 17 of the International Covenant on Civil and Political Rights (ICCPR), which grants citizens freedom from “arbitrary or unlawful interference with [their] privacy” and “protection of the law against such interference.” Under Article 17, government tracking programs are ipso facto unlawful until domestic legislation is passed to regulate surveillance. Since GSS actions are not formally reviewed by an external agency, there is a lack of legal protection against its surveillance and a complete absence of transparency and accountability for unwarranted infringement on citizens’ privacy. Even though Israel’s cabinet officially authorized the GSS surveillance program, Article 17 still criminalizes “arbitrary” interference. Specifically, legislation must prohibit generalized surveillance by specifically outlining the precise circumstances in which interference with personal privacy is permitted.

Given the broad powers of the GSS to track potential COVID-19 patients and the lack of accountability for the GSS’ actions, Israel’s surveillance program violates Article 17 of the ICCPR. Policymakers worry that Israel’s violation of international humanitarian law in the name of national security indicates its shifts towards a “surveillance democracy,”  under which the cabinet will continually approve invasive tracking programs in order to achieve its political goals. Now that Adv. Shahar Ben Meir v. The Knesset has officially legalized the GSS COVID-19 tracking program, the security arm is empowered to engage in surveillance whenever it identifies a credible security threat. Precedents set during the pandemic have shown that Israel can institute wide-sweeping surveillance measures with little legal resistance, leaving citizens afraid that this power will be used for less altruistic purposes than defense against contagious diseases. 

Specifically, critics of the GSS’s program have argued that their policies will have broad political implications during Israel’s frequent election cycles. In the past, Israel’s majority party Likud has been accused of installing video cameras in polling stations in order to deter minority populations from voting. In the wake of Israel’s COVID-19 measures, citizens fear that Likud’s surveillance tactics will encounter no legal challenges if they claim that their actions are in the name of national security. Israel’s broad definition of privacy in times of national emergencies allowed it to act aggressively to gather data on infected COVID-19 patients but simultaneously left its democratic future uncertain. While it is unclear whether Israel will continue to engage in surveillance under the guise of privacy threats, its legal decisions during the pandemic indicate that democratic status does not necessarily imply adherence to UN privacy regulations.

by Rachel Landesman

Section 3: US Surveillance During COVID-19

During the COVID-19 pandemic, public health organizations and technology companies implemented public health surveillance systems and various data collection methods to track and monitor the spread of COVID-19. According to the World Health Organization, public health surveillance is the “continuous systematic collection analysis and interpretation of health-related data” used as an early warning system for potential outbreaks or to monitor and track progress on a current spread. Though the country was amidst a public health crisis, the United States had to take into account individual privacy boundaries when conducting surveillance as a public health measure.

During the pandemic, the Centers for Disease Control and Prevention (CDC)—a federal agency under the Department of Health and Human Services—implemented national case surveillance, which collected data on cases of a specific disease or of individuals infected with a certain condition that may pose a threat to public health. Such data included information like demographics, hospitalizations, symptoms, and testing results. Case surveillance generally started at the local and state level, working with healthcare providers, labs, and public health departments to collect data. The gathered information provided insight into trends and epidemiology, and was ultimately used to monitor, control, and prevent these diseases. The CDC also implemented contact tracing, which identified and notified people exposed to COVID-19, especially if they had come in close contact with an infected person. The infected person’s information, however, remained confidential. The ultimate goal of contact tracing was to provide those at risk of COVID-19 with guidance on monitoring potential symptoms and self-quarantining. Generally, public health surveillance aimed to monitor COVID-19 by examining the trends in demographics, exposures, and outcomes to help the nation better control the disease spread. 

Technology was also heavily used to collect phone location data and other smartphone-created data to notify those exposed to COVID-19. Specifically, location data was used to identify and analyze movement patterns and areas with a potential virus spread. Technology companies heavily used data for digital contact tracing. For example, Apple and Google collaborated together to create an app for smartphones that used local Bluetooth connections to trace people’s locations and meetups. Individuals who tested positive for COVID-19 would input it on the app. The app would then notify the smartphones of people in that vicinity at that time to take appropriate measures. However, digital contact tracing was contingent on mass app adoption and reliance on Bluetooth technology. It was largely a failure in the US due to a lack of development and coordination by the federal government, distrust in tech companies and the government over personal data, and questions over consumer privacy, trust, and legal rights. 

Though collected data was generally anonymized to protect individual privacy, the implementation of public health surveillance instigated a debate over Fourth Amendment rights and the right to privacy. According to the United States Constitution, the Fourth Amendment states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things.” While the right to privacy is not explicitly expressed in the Constitution, certain constitutional amendments establish certain aspects of privacy. For example, the Fourth Amendment grants a right against unreasonable searches and seizures of one’s home, possessions, and personal information. The Fifth Amendment provides a right to privacy regarding personal information. The First Amendment provides a right to privacy through freedom of thought and decision-making without unconstitutional interference. These deliberations prompted certain privacy considerations related to public health and data collection efforts, especially by the government. 

When invoking the Fourth Amendment, citizens are protected against unreasonable searches and seizures by the government without a warrant or probable cause. However, public health surveillance raises questions about the Fourth Amendment, when it comes to protecting civil rights. The Fourth Amendment third-party doctrine initially established that there is no expectation of privacy in voluntarily-disclosed information to third parties, like phone records, since it was provided on one’s own accord. Thus, the government is able to access information held by third parties, like phone location records or emails, without a warrant. However, the Supreme Court limited this doctrine in the 2018 Carpenter v. United States case when it ruled that accessing cell phone location data without a warrant violated the Fourth Amendment as people have a reasonable expectation of privacy in their physical movements. Therefore, law enforcement must obtain a warrant to access sensitive digital information. This expanded privacy protections, especially with digital information voluntarily shared with third parties. 

However, privacy concerns are also fueled by historical precedent, especially since location data is picked up indiscriminately. In the wake of 9/11, Congress enacted the PATRIOT Act that increased mass surveillance, allowing wiretapping and increasing accessibility for law enforcement to acquire a search warrant in any place a terrorism-related activity happened. Additionally, Section 702 of the Foreign Intelligence Surveillance Act allows the government to conduct surveillance of people outside the U.S. by collecting foreign intelligence information, or information related to the activities and intentions of foreign governments needed for the U.S. to protect its national security interests. Given the interconnectedness of American citizens and those abroad, however, one in every two people whose information was picked up by the National Security Agency was an American citizen or in the U.S., even if it was collected inadvertently.

Though the U.S. ratified the International Covenant on Civil and Political Rights (ICCPR), the country must actively incorporate and implement the right to privacy. However, the interpretation and enforcement of the ICCPR are mostly in the control of the states, where data privacy laws vary from state to state. Only five states—California, Colorado, Connecticut, Utah, and Virginia—have comprehensive consumer data privacy laws, with provisions to access and remove personal data, among other measures. For example, the California Consumer Privacy Act (CCPA) gives consumers the right to know what personal information a business is collecting and how it is being used and shared, the right to delete stored personal information, and the right to opt out of sharing that information. Even then, CCPA does not apply to nonprofit organizations or governmental agencies. Additionally, with no federal data protection regulation, one state law’s protection does not necessarily provide privacy for all citizens across the nation, leading to inconsistent data protection. 

Specifically in Congress, certain senators expressed concerns over the degree to which individual information would be used for public health purposes and introduced bills that increased protection over data gathering. For example, the COVID-19 Consumer Data Protection Act of 2020, introduced by Senator Roger Wicker (R-Mississippi), would “prohibit covered entities from collecting, processing, or transferring an individual’s personally identifiable information for the purpose of contact tracing with respect to COVID-19 without first obtaining the individual’s affirmative consent to use such information.” Similarly, the Public Health Emergency Privacy Act introduced by Senator Richard Blumenthal (D-Connecticut) would increase requirements on the privacy and confidentiality of COVID-19 health data, including opt-in consent and minimizing collected data. Yet, these bills presented their own flaws and did not move past their introduction stage in the Senate, though they gesture at a federal attempt in enhancing privacy protections at the national level during the pandemic. 

Governmental public health surveillance, though, did fall under the Fourth Amendment’s Special Needs Doctrine, an exception to the Fourth Amendment in which the government wasn’t required to have a warrant or probable cause to conduct surveillance under two specific circumstances. First, it had to show that there was a “special need” beyond standard law practices in which the search or seizure is necessary. Second, it had to show that obtaining a warrant or showing probable cause would serve as a hindrance to the state’s interest. In regards to public health, the Supreme Court has ruled under Ferguson v. City of Charleston in 2001 that public health generally falls under the Special Needs Doctrine because the government has a legitimate and compelling interest in serving the public’s welfare and achieving public health goals rather than fulfill traditional law enforcement objectives. In the context of the COVID-19 pandemic, the public health goals of governmental epidemiological surveillance programs were high in stake: stopping the virus’s spread, monitoring outbreaks, and preventing hundreds of thousands of deaths. These searches and surveillance would have to be “narrowly tailored, likely to succeed, strike a reasonable balance between privacy interests and public policy goals, and limit the discretion of government agents conducting searches.” Narrowly tailored surveillance looked like gathering only the minimum amount of information needed, avoiding collecting excessive or unnecessary personal information, limiting the time duration on data storage and access to gathered data, and overall limiting individual privacy intrusion. 

Overall, the concerns and challenges that arose around data privacy during the COVID-19 pandemic in the United States demonstrated the shortcomings of a lack of comprehensive data protection privacy laws. The lack of consistent state laws across the country or federal regulation caused citizens to be unfamiliar with and concerned about how their data would be stored and protected when collected by government agencies, healthcare providers, and technology companies. While certain laws were introduced in Congress during the pandemic, these implications perhaps show the need for clear and comprehensive legislation to balance both public health needs while maintaining privacy rights.

by Karen Zhang

Section 4: How COVID-19 Reveals the Weaknesses of Data Privacy Law

Data privacy law is devoted to reconciling a fundamental trade-off between collecting accurate individual data that can be used by governments, the public, and corporations and alternatively having such data collection come at the expense of individual privacy. The balancing act between these two factors–and which to give preference to if necessary–proves to be a brutal challenge for both lawmakers and technology companies during a crisis such as the COVID-19 pandemic. In the world’s return to post-pandemic normalcy, the immediate concerns of COVID-19 are gradually fading from public view. However, the impact of the pandemic on privacy law internationally will have ramifications that will reverberate beyond the end of the COVID-19 pandemic.

This roundtable has shown that countries like Israel and the U.S. have taken a reactive approach to data privacy protections, leaving individuals’ data vulnerable and only lightly protected by ad hoc laws.  This contrasts with the approach taken by the E.U., whose General Data Protection Regulation (GDPR) offers a viable privacy framework. Reproductive rights, the protection of undocumented immigrants, and surveillance using phone tracking are all matters of individual data privacy that have been called into question as a result of the actions taken internationally during the pandemic. While urgent change is needed on the international scale, it must take a malleable form that can account for rapid developments in technology. For example, Italy’s data protection agency has relied on a temporary ban on ChatGPT to regulate it, as legislation on artificial intelligence remains underdeveloped. Though the issue of faulty data privacy legislation persists internationally, it is equally apparent in the U.S.

Specifically in the U.S., the lack of comprehensive federal data privacy law has enabled tech companies to lobby against individual state laws on data privacy. For example, Amazon, Apple, Google, Microsoft, and Facebook collectively registered 23 lobbyists during Utah legislative sessions in 2021 and 2022, propelling the passing of the Consumer Privacy Act through the Utah State legislature: the act is considered more lenient than privacy protections in other states such as California and Virginia. While the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) have enabled slightly stricter consumer protections, these only apply to each respective state’s residents. These existing state laws in the U.S. place responsibility on consumers to opt out of the collection and use of sensitive personal information. Amendments made to the CCPA that went into effect in January 2023, for example, established a consumer’s right to “direct businesses to only use [one’s] sensitive personal information…for limited purposes, such as providing [one] with the services [one] requested.” Current state laws rely on users to opt out of data collection services, which is more advantageous to businesses compared to the opt-in system utilized in the GDPR, which outlines consent as one legal basis businesses may use for data processing. By requiring businesses to attain consent through this opt-in system, the GDPR allows for more control in the hands of consumers, as they must decide which businesses are entitled to their information. In the opt-out system utilized in the U.S., however, only the most careful of consumers deliberately decide how their data will be used by corporations.

The uncertainty caused by the lack of comprehensive data protection laws in the U.S. should be cause for concern. Indeed, the COVID-19 pandemic showed that this lack of protections enabled loose standards for data collection. On the international level, China’s privacy laws serve as a reminder of the consequences when federal laws are inadequate in guaranteeing a person’s right to privacy. Adopted in 2021, China’s Personal Information Protection Law (PIPL) regulates the collection of personal data on an extraterritorial level as the GDPR and CCPA do. Also similar to the GDPR and CCPA, the PIPL loosely defines the concepts of sensitive personal information and data anonymization. Anonymization, for example, “refers to the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered.” This definition of anonymization relies on the assumption that it is possible for personal data to be completely anonymized in the first place. 

However, research shows that it is impossible to truly anonymize data, especially with the sheer scale of data that would be available through a population as large as China’s. Researchers at Imperial College London and Belgium’s Université Catholique de Louvain, for example, found that 99.98 percent of Americans could be re-identified using just 15 demographic attributes even after a dataset had undergone anonymization processes. It is also impossible to truly anonymize spatiotemporal data, which includes the smartphone tracking data used during the pandemic to create surveillance reports, COVID-19 exposure alerts, and the collection of metadata. Researchers at MIT and Université Catholique de Louvain found, for example, that four spatiotemporal points are enough to identify 95 percent of individuals in a dataset. The PIPL, then, presents unattainable standards for anonymization, meaning that it cannot be truly enforceable. Rather, it illustrates the ways in which broad invasions of citizens’ privacy can be obfuscated behind vague, weak legislation.

While the realities of privacy legislation may inspire pessimism, we can use the status quo as an opportunity to remember the limitations of legislation. Across completely different systems country-to-country, and under international bodies such as the UN, legislators have shown major discrepancies in understanding technological privacy mechanisms, meaning that data privacy rights rely on loose, unstandardized legislation. If privacy is an inherent human right, then legislation must not attempt to chase the latest developments in technology, such as artificial intelligence. Legislation cannot move quickly enough to beat technological developments to the punch; expecting it to do so further risks treating policy and technology as oppositional forces. Rather, legislation must prioritize definitions of privacy that are informed by technology experts, truly prioritize individuals rather than corporations, and understand how context may shift the privacy mechanisms necessary for a successful balance of privacy and accuracy. In doing so, nations and international institutions can demonstrate their capability to act as guardians of citizens’ privacy rights, rather than invaders.

by Faiza Chowdhury

This Roundtable was edited by Artem Ilyanok, Samantha Velasquez and Will Foster.