Speech by the Parliamentary Ombudsman during the conference ‘Protecting human rights in the digital age and in social media’

Published September 26, 2024

Protecting human rights in the digital age

Art 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and Limitations on the Use of Artificial Intelligence (AI)

INTRODUCTION

As a matter of principle, developments in AI should not be allowed to proceed unhindered without due regard to the fundamental rights of the person.

While AI offers significant potential benefits, it also raises ethical and other concerns: job displacement, privacy and bias. Responsible development and deployment of AI are essential to harness its potential for the betterment of society.

Digital technologies create challenges as far as human rights and fundamental freedoms are concerned, as they can be used for wrong (or at least dubious) purposes, like the creation and spread of fake information.

However, they can also be positively instrumental for capacity building, to empower people with the skills and knowledge that are required to protect and safeguard what is good in society, including the protection of human rights.

This presentation is an attempt to give reasonable answers by dealing with issues relating primarily, but not only, to the application of Art 8 of the ECHR within the context of AI.

THE LAW

Art 8

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

This provision, like others in the Convention, which Malta has ratified, is part of the laws of Malta (Chapter 319).

We find provisions of similar content and quality in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which state:

Art 7

Everyone has the right to respect for his or her private and family life, home and communications.

Art 8

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

These, like other provisions of the Charter, are part of Maltese law by virtue of the Lisbon Treaty.

CASE-LAW

I shall limit myself to aspects of the interpretation given to the notion of private life by the Strasbourg Court within the framework of Art 8(1) of the Convention.

The essential object of Art 8 is to protect the person against arbitrary action by public authorities. There may also be positive obligations inherent in ensuring effective “respect” for private or family life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves. A fair balance has to be struck between the competing interests of the individual and of the community as a whole.

The case-law of the Strasbourg Court can be divided into five categories:

* Freedom from interference with physical integrity.
* Freedom from unwanted access to and collection of information.
* Freedom from serious environmental pollution.
* The right to be free to develop one's identity.
* The right to live one's life in the manner of one's choosing.

With regard to AI, one should pay particular attention to the second category.

As declared by the ECtHR, Art 8 includes protection of the right to personal identity and to personal development.

The right to personal identity is closely linked to the right to the protection of personal data. In case of data processing, the right touches upon the right to equal treatment, and the right to protection against discrimination, stereotyping and stigmatisation.

The right to protection of personal data is not enshrined as an independent right in the ECHR. However ECtHR judgements consider that in general the right to protection of personal data falls within the framework of Art 8.

In order to meet the requirements of accessibility and foreseeability, national law must provide adequate protection against arbitrary behaviour, and define in sufficiently clear terms the discretion (or margin of appreciation) granted to the competent authorities and the manner in which such discretion should be used.

The Strasbourg Court has said that interference by the State must always be dictated by what is necessary in a democratic society. Therefore safeguards must be clearly defined, suitable to prevent abuse, and proportionate to achieve the intended objective.

Any State claiming a pioneering role in the development of new technologies has special responsibility for striking the right balance.

JUDGEMENT

THE HAGUE DISTRICT COURT 05/02/2020

REF. C/09/550982/HA ZA 18/388

FACTS

A Risk Indication System (SyRI) was devised by the Dutch Government as a statutory instrument to prevent and combat fraud in the field of social security and income-related schemes, tax and social security contributions and labour laws.

SyRI involved technical infrastructure and procedures that allow data to be linked and analysed anonymously in a secure environment so that risk reports can be generated.

It was said that the social security system is only sustainable if citizens in the Netherlands who are not entitled to benefits do not get any of them. Fraud undermines the principle of solidarity of the social security system that is financed with public money.  Therefore the fight against fraud is crucial.  That was the objective of the SyRI legislation.

The State argued that new technologies, including digital interventions linking files and data analysis using algorithms could offer more possibilities to the public authorities to exchange data to combat fraud.

SyRI carries out different processing operations on personal data, gathers large-scale data and generates a risk notification about people likely to commit fraud, which is called a “risk report”.

By means of the risk report, a legal or natural person is considered to be worth investigating in relation to possible fraud, unlawful use and non-compliance with legislation. With the deployment of SyRI, files at the disposal of government agencies are linked in a structured manner in order to be able to identify related abuses in specific areas.

In the case in point, a number of addresses in a particular district in a municipality were investigated by the intervention team for benefit fraud or tax fraud. The aim of the project was to contribute to the improvement of the living climate in that district. For this reason, the projects also explicitly had to focus on providing care and support to people who show that they care.

The legitimacy of the legislation sustaining SyRI was contested.

THE JUDGEMENT

The Court ruled that SyRI violated Art 8 of the ECHR.

The Court considered the lawfulness of the interference within the context of the right to privacy, and found that the SyRI legislation did not satisfy the condition of “necessary in a democratic society”. The risk reports have significant consequences on persons' lives in the sense that they indicate that a specific person is worthy of investigation related to fraud.

The case focused not just on data processing operations in the deployment of SyRI and its technical safeguards, but also on other significant issues, including: the mutual exchange of personal data by administrative bodies, the provision of personal data to the Minister, and profiling.

The Court considered that the provisions of the Convention have to be interpreted in the light of the general principles of the Charter and the GDPR, as these in some respects give further protection.

Regarding the concrete assessment of interference in the light of the EU data protection principles, the Court considered that the risk model, the indicators and the data that were actually processed were neither public nor known to those involved, and had a significant effect on the private life of the person to whom the report was referring.

In the course of the proceedings, the Court availed itself, as amicus curiae, of the services of Professor Philip Alston, United Nations Special Rapporteur, who submitted a brief dated 26 September 2019. He was requested to advise whether the emphasis on poor and marginalized groups in Dutch society was justified. Professor Alston concluded that:

The SyRI system, as well as the use of other digital technologies in the Netherlands and many other countries that are transforming welfare states into ‘digital welfare states’ pose significant potential threats to human rights, in particular for the poorest in society.  These systems should be scrutinized accordingly, not just by the courts, but by governments, legislators and the whole of society.

The data made subject to processing in SyRI were:

* data with which work performed by a person can be determined.
* data showing that an administrative fine was imposed on a natural or legal person, or that another administrative measure had been taken.
* information enabling the identification of tax obligations of the person concerned.
* information intended to identify the ownership and use of movable and immovable property.
* information concerning grounds for exclusion from assistance or benefits.
* data making it possible to determine the (actual) place of residence or place of business of a natural or legal person.
* identification data: in the case of a natural person: name, address, postal address, date of birth, sex and administrative characteristics; in the case of a legal person: name, address, postal address, legal form, location and administrative characteristics.
* integration data: data which make it possible to determine whether a person is subject to integration obligations.
* compliance data: data that make it possible to record the compliance history of a natural or legal person with regard to legislation and regulations.
* education data: data with which the financial support for the funding of education can be determined.
* pension data: data with which pension entitlements can be determined.
* reintegration data: data with which it can be determined whether reintegration obligations have been imposed on a person and whether these obligations are complied with.
* indebtedness data: data making it possible to determine the debts, if any, of a natural or legal person.
* benefits, allowances and grants data: data making it possible to establish the financial support of a natural or legal person.
* permits and exemptions: data making it possible to identify the activities for which a natural or legal person has requested or obtained consent.
* health insurance data: only the data with which it can be determined whether a person is insured under the Health Insurance Act.

THE ROLE OF THE MINISTER

The Minister can determine whether a request for deployment of SyRI satisfies the conditions at law.  

Before the start of the SyRI project, a so-called kick-off meeting takes place.

If a natural person or legal entity with an increased risk is not the subject of a risk report, his or her data will be destroyed within four weeks of completion of the analysis.

The Minister will destroy any remaining data not later than two years after the start of the SyRI project. The destruction will be recorded in an official report. The destruction order does not extend to the data in the risk notifications register. A retention period of two years after the registration of the risk report applies.

THE PRIMARY CONSIDERATION

The District Court accepted the principle that new technologies can be used to prevent and combat fraud. There was also acceptance in principle that SyRI legislation is in the interest of economic welfare and therefore serves a legitimate purpose. However, the development of new technologies also means that the right to the protection of personal data becomes increasingly important. The existence of adequate legal protection of privacy in the exchange of personal data by (public) bodies contributes to public confidence in government, as does preventing and combating fraud.

Under Article 8 of the Convention, in the application of new technologies, the State has a particular responsibility to strike the right balance between, on the one hand, the benefits associated with the use of  technologies to prevent and combat fraud and, on the other hand, the interference that this may cause in the exercise of the right to respect for private life.

The legislation must provide a sufficiently effective framework for the protection of the right to privacy, which includes the right to the protection of personal data, to enable all interests at stake to be considered in a transparent and verifiable manner. The legislation should also allow any person to have a reasonable expectation that his or her private life will be sufficiently respected in the deployment of SyRI.

The Court found that the SyRI legislation did not meet that requirement.

OTHER FINDINGS

Transparency requires that information should be accessible and comprehensible.

The State did not provide objectively verifiable information to enable the Court to consider the view of the State on SyRI.

SyRI legislation did not cater for an information obligation on data subjects whose data were processed in order that those persons could reasonably be expected to know that their data was the object of processing.

Nor did the legislation in question provide for an obligation to inform data subjects individually, where appropriate, of the fact that a risk notification has been made.

The risk model and the risk indicators were ‘secret’, including the data used in a concrete SyRI project. Nothing is public or known by the persons concerned.

There is an objective difficulty for a person to defend himself or herself against a risk report that concerns him or her.

Likewise, it is difficult to see how a data subject whose data have been processed in SyRI, but did not result in a risk report, can be aware that his or her data have been processed on correct grounds.

The fact that data did not lead to a risk notification does not detract from the required transparency with regard to that processing. The right to respect for private life also implies that a data subject must be given a reasonable opportunity to follow his or her data.

The District Court found that the SyRI legislation does not provide sufficient safeguards to protect the right to respect for private life in relation to the risk indicators and the risk model that can be used in a concrete SyRI project. Without an understanding of the risk indicators and the risk model, or at least without further legal safeguards to compensate for this lack of understanding, SyRI legislation does not provide sufficient guidance for the conclusion that the use of SyRI always makes interference in private life proportionate and therefore necessary in the light of the abuse and fraud that is intended to be combated, as required by Article 8(2) of the ECHR.

The judgement is res judicata.

THE PATH AHEAD

Although the existence of intelligence services with powers of secret surveillance is tolerated under the Convention, the practice of such services must prove necessary to safeguard democratic institutions. Any interference must be proportionate to the aims pursued, and supported by relevant and sufficient reasons. Indiscriminate collection of information by State officials about persons without their consent does interfere with their private life.

Because AI refers to the simulation of human intelligence processes by machines, especially computer systems, it is essential to approach the development and deployment of AI technologies with a human rights perspective. Reaching a reasonable balance requires collaboration between governments, technology developers, civil society organizations, and other stakeholders. We all have to strive strongly in favour of a human rights compliant and respectful AI that supports human development. There is nothing inherently wrong with the tech world owning technology, but there is something inherently worrying when developments negatively impact on the lives of people.

What solutions can we suggest so that the technology is in the service of human well-being?

1. the invocation of the language of ethics

and

2. the language of human rights

Ethics is an inherently subjective issue. But using ethics to tame technology could be a way forward.

Human rights must be put at the centre, not to displace ethics but to promote further protection. To better protect human rights standards in practice, we require good law, both as far as principles are concerned and in the way that law is written, in order to avoid loopholes. The input of technical and legal experts is crucial to obtain a fair definition. Civil society as well has a vital role to play in identifying the negative consequences of AI on human rights.

The need for innovation is good provided no compromises are accepted to the detriment of human rights. A strongly human rights compliant and respectful AI that is ultimately targeted at human thriving is going to be the most trustworthy AI. If AI earns trust, AI will ultimately win out.

Thank you.