DIRECT Learning Series: strategies for meaningful engagement in the context of implementation of Digital ID systems

This workshop took place on August 28th, 2024, in the context of the Data Rights and Enforcement through Community Trust (DIRECT) Learning Series, an ongoing thematic series of workshops with members of the DIRECT consortium, supported by Internews. 

The main goal of the series is to address topics related to the protection of personal data from three guiding axes: i) capacity-building for civil society organizations to address challenges related to the development of personal data protection legislations; ii) responsiveness and direction of civil society organizations in defending data protection rights in different legislative contexts; and iii) enhancement of the resilience and sustainability of civil society organizations through the strengthening of networks and resources led and provided by partner organizations.

This session was facilitated by Data Privacy Brasil, and conducted by Grace Mutung’u, a independent researcher based in Kenya, who is specialized in the discussions around Digital IDs. In this sense, the main focus of this workshop was to discuss advocacy strategies within the scope of implementation of Digital ID systems in Global South Countries. The workshop started with a brief introduction by Internews and Data Privacy Brasil, and it was followed by an in-depth presentation made by Grace. 

Since this is a sensitive topic in several Global South countries, the main goal of this first thematic workshop was to:

• Build capacity for civil society organizations in the topic of Digital IDs;
• Discuss advocacy strategies in the intersections of data protection and Digital IDs;
• And to promote a Global South safe space for debating this issue. 

Grace’s presentation focused on how to deal with purpose creep and corporate power in the context of Digital IDs. Therefore, she started from the very definition of what a Digital ID is and how it is applied in the identity lifecycle, and it can be related to accessing several public and private services and public policies. 

In terms of general context, it was mentioned that most of the data protection regulations were built upon the experience of the European Union (EU)  with the General Data Protection Regulation (GDPR), due to the Brussel’s Effect. The EU and the GDPR set the common grounds for the development of such legislations and established the need for a clear purpose for collecting and processing personal data.

However, what is happening in the context of Digital IDs is a purpose creep, in which data collected and processed for other purposes have been used to power Digital ID systems. There are a few reasons for that, which might lead to violation of rights, such as the transition between analogical to digital data, the historical state power, the close relationship between public and private sector, storage of personal data for indefinite period, the mandatory use of Digital IDs for accessing several services and public policies, and national security as an argument for non-supervised and illegitimate access to personal data. Considering this, human rights impact assessments should be conducted in every new initiative powered by personal data, to avoid human rights violations and to address the risks emerging from new technologies.

Strategies for tackling purpose creep in the context of Digital IDs

There is a range of strategies, commonly applied by civil society organizations (CSOs) in the course of their work, that can be used to deal with purpose creep and private power in the context of Digital IDs. 

The first one is related to the development of research as a tool for building empirical foundations and helping decision-makers in the process of implementing a given technology. Also, the research results can be mobilized in litigation activities against public and private actors, which is another strategy that can be adopted by CSOs. Another possibility is to make requests for information, using freedom of information requests to formalize the research findings for the public branch, in order to gather information on technologies that use personal data. Alongside that it is important to raise public’s awareness to the risks of Digital IDs, however, these strategies need to engage in dialogue and be adapted to their target audience to ensure greater reach. One last strategy is related to policy advocacy activities in which  CSOs engage directly with legislative processes that address issues of data protection and Digital IDs and monitor legislations.

Collective knowledge on how to improve engagement and advocacy strategies within the scope of the implementation of Digital ID systems

After Grace’s presentation, a short activity was conducted with the participants through a Padlet, in which they were asked about what are the possibilities they foresee for engaging with the discussions on Digital IDs in the Global South. 

In summary, the answers revolved around learning with the experiences of other civil society organizations that conducted research and advocacy initiatives on the topic, as well as creating spaces for collectively learning, sharing and discussing experiences related to the implementation process of Digital IDs.

Other suggestions that came up during the exercise considered the development of best practices for conducting legal analyses of ongoing Digital IDs implementation, and direct engagement with ongoing legislative discussions about the topic, in order to guarantee the protection of privacy and personal data. Last but not least, the participants highlighted the importance of engaging with international processes such as the UN’s Global Digital Compact, in order to establish data protection considerations at an international level, when it comes to the implementation of Digital ID systems. 

Open Mic

In a context in which there is no data protection legislation, but have Digital ID systems implemented – which is the case of Paraguay –, it was asked what could be the recommendations to address the protection of personal data in the context of Digital IDs, in ongoing draft bill proposals for data protection. 

As an answer it was commented that Nigeria conducted an in-depth study regarding what has been done in African Countries in terms of data protection. The result was a legislation that is more advanced than the GDPR in terms of protecting the rights of data subjects, especially because it includes the duty of care, which recognize that there is always a power asymmetry between the data subject whose data is collected, sometimes even without their knowledge and consent, and the organization holding that data. It was also mentioned that this duty should be even higher when it is the government collecting data.

Other historical recommendations from CSOs are related to accountability and oversight instruments in every legal or legislative document that deal with collection and processing of personal data. Also, if there is use of Artificial Intelligence in Digital ID systems it is recommended to have transparency and explainability instruments to safeguard citizens rights.

Conclusions

The workshop and participant’s contributions showed the complexity related to the implementation of Digital ID systems, and it was helpful to present a range of strategies that can be mobilized to ensure the protection of citizens in such a context. Although engaging and advocating in this topic is not an easy task, it is important to have a better understanding on how CSOs can act directly in the process of implementing Digital IDs in their countries.