Data Protection in Humanitarian Action

[00:00:03] Margaux: Welcome to UVA Data Points. I’m your host, Margaux Jacks. In this episode, we explore data governance in the humanitarian sector. Our guests are Massimo Marelli, Head of the Data Protection Office at the International Committee of the Red Cross, and Ana Beduschi, a Professor of Law and Strategic Lead on the Fair and Inclusive Society at the Institute for Data Science and Artificial Intelligence (IDSAI) at the University of Exeter. The conversation is led by Aaron Martin Assistant Professor of Data Science here at UVA. Together, they share insights on how data regulation is shaping privacy and security for vulnerable communities and the role of international frameworks in addressing these challenges. [00:00:49] Aaron: I think it would be good for us to kick off to sort of discuss the origins of the book, the inspiration for bringing together the contributors and sort of what motivated the effort. Massimo, do you have any ideas about the origin stories of the book? [00:01:04] Massimo: Yes, of course. Thanks. Thanks, Aaron. I think the initial idea was really to take the opportunity of the 10 years, 10 years of data protection in humanitarian action in the sense of data protection regulatory frameworks, particularly those of the ICRC, the International Committee of the Red Cross and the UNHCR. The High Commissioner for Refugees, 10 years ago, adopted their first comprehensive regulatory framework on personal data protection 10 years ago. Also, the Global Privacy assembly, which is this really the assembly of all the data protection authorities and privacy commissioners in the world, passed an important resolution on privacy and international humanitarian action, bringing together a commitment from data protection authorities, having identified some criticalities in this space to accompany the humanitarian sector in this area. So really the idea was marking the 10 years, taking this moment to look back, look back at what data protection has brought as a framework of analysis, as a comprehensive framework of rights of individuals in terms of enabling the humanitarian sector to embrace responsible digital transformation. It's been 10 years of profound digital transformation and data protection really contributing to that. Maybe one other element that perhaps came up a little bit more, as we were already working on it, was the reflection around how much the humanitarian sector is changing right now. At the moment, we're a bit of a. At a crucial juncture of this sector with many things being questioned, with resets and budget cuts and accelerating even further digital transformation. While at the same time there's a sense of somehow the brakes and the safeguards being part of the cuts, or probably not the priority number one. So we thought it was really a good moment to look back at what those safeguards have enabled the humanitarian sector to do in embracing digital transformation more responsibly. [00:03:17] Aaron: Thank you, Massimo. Anna, would you like to add anything? [00:03:20] Ana: Yeah, I would like to say it is a very interesting area to be looking at. In my own research I had analyzed how different aspects of digital technologies intersect in the humanitarian space, how we have like this landscape that has been changing quite a lot and where digital technologies, including artificial intelligence, have become more and more used and some of these digital technologies became more and more embedded in humanitarian action. So for me that, that was a very, a very interesting topic to be working on own together with you and Massimo. [00:04:07] Aaron: I think I would also like to note, just for those who haven't looked closely at the book yet, is that it's actually quite important that the book is led by an interdisciplinary team of editors. Anna, you are a professor of law. Massimo of course leads the ICRC's data protection office. And I work in a data science school. And so there's a lot of talk about interdisciplinarity in sort of crossing sort of different sectors, academic and non-academic and doing research and so forth. But I think the book actually does a great job of bridging disciplines, bridging sectors. We've managed to accomplish something quite important in the volume itself. So, I want to flag that as well for those who perhaps haven't looked at our bios. So next question would be how would you describe the book? High level in a sentence or two for those who perhaps are flirting with the idea of downloading the open access online version, or even better, buying a copy from the Routledge webpage? Are there key takeaways or a sentence or two that you think would best describe what the book is about, what it accomplishes, why folks should read it? [00:05:25] Ana: That's an interesting question, Aaron. I think it's hard to say in one or two sentences, but maybe it could be seen as kind of a guide to understand how data protection actually can be used not just as a constraint, because in general people think that it's a constraint, but it can also be this kind of tool to enable humanitarian action in a principled way. And it's interesting to read about the challenges that certain actors have faced. So very, very candid kind of accounts of, of the challenges, but also how, how, how they can overcome those challenges and how they can lean on the protection laws to, to do that. So maybe that's from my perspective, but I, I, I'm conscious that I'm bringing it to the legal side. So I, I suppose you guys have a different idea. [00:06:29] Massimo: I do. [00:06:30] Aaron: In fact, for me, what's interesting about the book is that it captures reflections by humanitarian practitioners about the realities of trying to protect data as part of humanitarian action. But these are complemented by these analyses by key regulatory stakeholders, for example, from the Council of Europe or the European Data Protection Supervisor, as well as external observers, external critics in some cases, who are also interested in these issues. So that sort of gathering of voices and perspectives is quite unique, not something you find in a lot of academic publications. So it's a critical reflection on what's worked well and what could work better, I think, going forward in terms of protecting humanitarian data. Massimo, any insights on your side? [00:07:20] Massimo: Just to echo what you said, I think it's really this interdisciplinarity, this multitude of perspectives is very important because it also comes from a part of the experience of these 10 years where humanitarian practitioners facing very challenging questions and dilemmas in the use of technologies, realize that unlike, probably even more so than in the past, the challenges that are facing the humanitarian sector cannot be solved by humanitarians alone. And it's been an important part of this journey, these 10 years to really take start from that awareness and realize that in order to solve these challenges, we really need to bring together different stakeholders. We need to bring together humanitarian practitioners that really operate on the ground and see these challenges live and are really close to the reality and the challenges of applying data protection principles, but also delivering humanitarian programs in complex, volatile settings. We need to bring together data protection authorities that have the experience of also tackling some of these challenges from a regulatory perspective, perhaps in very different contexts, but still bringing useful experience about what it means to apply these principles concretely. We need to bring together technologists, whether from academia or from private sector companies, and leverage their understanding and true understanding of, of technology, understand what challenges might arise from deploying some technologies that might not necessarily be very mature for deployment in humanitarian settings, but also understand how to take the state of the art one step further? We need to bring together civil society organizations, big praise for the huge work that civil society organizations are doing day in and day out on the ground. Perhaps the first ones who can really pick and start to see some dynamics that might be leading to problems in the use of technologies by the humanitarian sector. Indeed, part of the trigger for the work in this space was the very important report by Privacy International in 2013, aiding surveillance, that was really starting to highlight some of these, these tensions and challenges. [00:09:54] Aaron: Something that also comes to mind. You know, we've worked quite closely on these issues together, of course, during the editing of the book and in our sort of previous research and practice. But could either of you perhaps speak to the importance of these issues for non humanitarians. So in other words, why should someone who isn't a humanitarian, or who perhaps doesn't consider themselves very interested in humanitarian affairs, humanitarian action, be concerned with developments around data and technology in the humanitarian sector? So I guess, in other words, what is it about the sector's experiences that might inform thinking, policymaking, intervention in other. [00:10:43] Ana: Spaces from a very critical perspective, often we see that some of these areas, like some of the context in which humanitarians deploy these digital tools, sometimes we see that as being used as a little bit of an experimentation for digital technologies or experiments. We can see that happening in this field as let's deploy some technologies in those contexts, see what happens, and then see whether it can be applied more generally to the rest of the populations. And often that can be problematic, it can be unethical, it can be very problematic, especially if you don't have the context of having, for example, data protection frameworks, legal frameworks that are strong in the countries or regions where these digital technologies are being deployed. So it's super important to have this approach of having principles of data protection that would apply in these areas that the humanitarian actors would take into consideration and actually that would enable them to deploy these tools not in a way that would be detrimental to the populations that they're serving, but something that would make sense and then could be replicated beyond the humanitarian sphere. So I think this change of mindset is something that I saw being discussed as well in terms of how humanitarian actors can take those operational challenges of the field and pressures to increase digitization, but also deploy new technologies in this field and how they can do that in, in a way that respect their mandates and, and also these general principles of humanitarian action and of data protection. So that's, that's quite interesting. [00:12:56] Aaron: That's great. Anna, Massimo, do you have any thoughts? [00:12:59] Massimo: Yeah, I reason why not, not humanitarians or people who are not working in this sector should engage and, or could find interesting in engaging. I think there are plenty and I part also we see it in our, in our engagement with academia. For example, we, whenever we approach, particularly on the technical side of things, computer science experts, cybersecurity engineers, the idea of engaging with humanitarian organizations is something they find very interesting and appealing because we provide extreme circumstances where really the concerns they have for security, for confidentiality, for data protection by design are critical because not getting it right can have extreme consequences. So people working in research in this area sometimes find difficulties even socializing their work because they are working on such extreme solutions and security features that you Might wonder why all this attention or all this care we provide use cases where clearly it matters and where clearly things going wrong can have very significant consequences. So we provide, in a way, good use cases for their work. Tech sector companies, I think it's really important for them to engage because while the vast majority of companies that are developing products develop them in context where there is high resilience and their target customer is a customer that lives in places with very high resilience, where they're coming from a strong regulatory framework that enables recourse to justice for individuals who are affected by wrong outcomes or social cohesion and ties that provide protection for people. The consequences might not be extremely severe for data mishandling. The same technology will end up being used also in places where these resilience mechanisms may not be the same. And it's very important for tech companies to be aware of that and also to include these concerns and this, this awareness in the design of their tool. I think more generally, anybody also who not necessarily working in the humanitarian sector, we'll see in the humanitarian sector very vividly how data protection really is an essential tool for the building of trust between people and entities that process their data. The reality of data protection as a tool for accountability of organizations that hold data is very important and I think it's that the humanitarian sector can provide very stark and important observations and lessons for everybody. [00:16:07] Aaron: That's great, Massimo, you didn't use the term, but I think another important concept is the notion of vulnerability. And I think it's actually quite instructive for non humanitarians and sort of folks sort of working outside the humanitarian sector to better understand the relationship between vulnerability and data and the protection of data. Not all data subjects are the same, of course, and I think the sector's learnings and experiences with, for example, consent as a, as a sort of legal basis for the collection of personal data. It's realization about the limitations of consent in certain contexts I think are quite important as well as the understanding of the human impacts of data breaches. Right. I think these are all quite instructive to folks who perhaps are not working in this sector per se, but of course care about the relationship between people and their data and want to protect it accordingly. You mentioned previously that the book was produced quite quickly. In fact, I think the turnaround was less than a year. Could you, Massimo, sort of explain to the reader the importance of the 10 year milestone and why we were quite keen to get the book out and in the world in 2025? [00:17:30] Massimo: Yeah, no, I Think I hinted to that a bit in the introduction. I mean, it's a very important moment 10 years into the data protection in humanitarian action work stream to take stock of where we are coming from, what we have learned, what has worked, what hasn't worked and what could work if we were trying harder. And I think it was also a good moment because it's a humanitarian sector that is very much calling into question or it's a moment when everything about the humanitarian sector has been called into question. Being able to crystallize what we have learned from what data protection has brought to the sector I think is very, very important right now. So this is really why it was so important to have it out so quickly. And now it's also a good place now to really acknowledge all the incredible work that has been done by so many people. It really wouldn't be possible to achieve the publication of a collection of this quality without a huge commitment from, I mean the managing editors. But there was also an advisory group of people who have been working with us and the humanitarian sector for a long time. Routledge, the publisher, has done an incredible work turning all this around and of course first and foremost the authors who all embraced the roller coaster ride and joined us in this very short and intense journey, which was really a collective journey. It really went beyond the. Here is my contribution to a. Let's think together about how all our contributions can fit together and give a coherent narrative about what we have seen in the last 10 years. The workshop that we held in Cambridge around March time was a very important moment to create that sense of community and bring together stakeholders that are otherwise engage in very different types of activities and professions in their day to day life. [00:19:52] Aaron: Just a quick follow up. And Anna, this of course is for you as well. Massimo mentioned, you know, this. This being a reflection on a decade of experience, lessons learned and in particular you mentioned sort of insights into what's not worked necessarily quite well for the sector in terms of the governance of data, the protection of data and so forth. Are there specific examples that the listener might be interested in learning about of things that perhaps just didn't work out as planned or things that didn't meet the bar in terms of data protection? [00:20:28] Ana: Yeah, I think throughout the book we find especially the chapters by people working in the humanitarian sector. So the book being a mix of different authors from different backgrounds. I particularly find it super interesting the ones that, that are the chapters by authors from the humanitarian side. So. So humanitarian actors themselves because they would tell us the challenges that they. That that they face and things like building a, a platform, a system, a digital system, that. Then how do we square that with being in the field and having to comply with a number of data protection rules and principles? And how do you translate that into practice? That's quite relevant because we have this tendency, I don't know, I'm speaking for myself as an academic and as a lawyer, to think in terms of law as something that of course, everybody will understand and comply. Right. But the reality of the application of that law and compliance can be quite different. And also in places where the legal frameworks are not extremely well developed to fall back into these sets of principles that data protection has. So I, I find it quite, quite fascinating to see that play in action, and I find it quite interesting. But I also wanted to add one aspect which is that of course this is like looking back and trying to reflect on this decade of engagement in this field, but it's also thinking ahead, thinking of what are the emerging technologies, the new and emerging technologies that are becoming more and more prevalent in this field. Thinking about artificial intelligence, but also with AI thinking about emotion recognition thinking, thinking about other aspects of, in particular artificial intelligence, that, that will become more and more important in this field. So how can that be a little bit also included in this reflection about how data protection is essential in this field? That was also something that I found fascinating indeed. [00:23:08] Aaron: And I think it's important to note we had contributions, as you mentioned, from some important regulatory stakeholders. I've mentioned already that the European Data Protection Supervisor provided both a forward but also a kind of reflective piece that is essentially the book's conclusion. And that piece, of course, is among other things, about the data protection implications of artificial intelligence for the humanitarian sector and, and the organizations that, that work within it. And I, I don't know if it was intentional. I, I imagine it was that we, of course, had that sort of reflection on AI be the, the sort of final piece in the book. I was very struck by the final sentence in that chapter which says, AI does not happen to us. Choices made by people determine its future. And I thought that was actually incredibly powerful in terms of the message to the reader, and also a sort of call to arms for the sector. And I do reckon that the next 10 years of humanitarian data protection will involve a lot of soul searching around AI, its appropriateness, humanitarian action and intervention, but also what can be done from a protection standpoint to ensure the data is not misused or abused by the organizations that are building these tools and deploying them. In different contexts. What problems do you hope this book will help solve? I know that's a loaded question, but I imagine we didn't write this book simply for its academic value. There is meant to be practical value in the the book and its its key takeaways. Massimo, are there particular areas that you think this book will lend itself to in terms of practice and and practical solutions? [00:25:09] Massimo: I think there's many. At different levels. Data protection is often seen as a legalistic, theoretical, compliance related exercise. And I think that is a problem. That is a problem because it misses the point of what data protection is about and what it can do for the humanitarian sector. Data protection is really about ensuring the respect of the dignity of individuals, the respect of the rights when their data is handled by organizations, which is at the core of what humanitarianizations should be doing and are doing and exist for in the first place. There is perhaps sometimes a little bit too much awareness of the how much the humanitarian sector has gone through over the many years of work towards respecting people and their data to realize that the digital paradigm is changing things radically. And maybe the tools that we have had in the past to apply principles like do no harm maybe not sufficient anymore. And data protection comes as an immense asset for the humanitarian sector to adapt and tackle this objective, which is really to respect people and to protect them when also using new technologies. So perhaps the first problem that it can solve is to give some concrete examples and cases and clear visibility about what doing this in practice involves and brings. There are chapters, for example, on highlighting how people affected by humanitarian emergencies in some cases are actually starting to use data protection framing and tools to pursue accountability and to question data processing by humanitarian organizations. And this is a valuable thing for humanitarian organizations themselves that are trying to solicit that accountability and use it. I think it can also help solve problems around framing. So as I mentioned, we really work at different levels because we're trying to have a complete overview of what data protection has done for the sector. It also helps to shed some light on some legal tensions that exist from the point of view of international organizations, which are an important actor operating in humanitarian emergencies and operate in the international legal sphere, but they're also operating in context where domestic legislation prevails. And so we hope that the contributions that exist in the book, some of the chapters that really look at interactions between the United nations and the European Union, specifically with regard to the GDPR or on Convention 108, or the role of data protection authorities, that can bring some light to that maybe one last problem or question that the book can help with is also to highlight how much data protection authorities can be involved and can support the humanitarian setting. Ultimately, the objective of data protection authorities and humanitarians is very similar. It's there to uphold dignity of individuals in the same manner. As I highlighted earlier, we found that the engagement to data protection authorities is very important, and they're also very interested in this engagement. Ultimately, data protection authorities have jurisdiction over their own country and to enforce their own laws. But there is a sense that there are many parts of the world where either data protection laws are not in place yet or they're not enforced because of the humanitarian emergencies that are taking place. And an engagement of the data protection authority community with the humanitarian sector gives them the possibility to reach further and to bring the benefits the data protection has. Also in those places where vulnerabilities are high and resilience mechanisms, including data protection frameworks, is low. [00:29:34] Aaron: That's very interesting, Massimo, and I'm glad you brought the conversation back to the role, both the current role and sort of potential future role of data protection authorities in governing data practices in the sector, working together to address common challenges across countries and jurisdictions and so forth. I am particularly struck by the emergence of of the regional networks of data protection authorities that will come together to kind of share notes and experiences to learn from one another about what works well and what doesn't work well in terms of supervision of data protection in different parts of the world. There are, for example, important networks in places like Africa and Latin America and Asia and of course in Europe. I would love to hear both of your thoughts on the possibility for increased engagement at the network level among data protection authorities in the area of humanitarian action. We of course are aware of the global privacy assembly’s activities in this space, and that is an international organization, an international conference that does a lot in terms of raising awareness of these issues. But do you see potential for increased engagement at the regional level and if so, what do you think it would take to get this issue on the agenda? Because of course there are lots of competing priorities. There's a lot happening in the world of data protection and privacy enforcement across, for example digital economy, AI, cross border data flows, etc. Are there things that we can do as experts to sort of raise awareness among DPAs and the representatives of the importance of these issues and the need to sort of discuss them at that regional level? [00:31:33] Ana: That an interesting question, Aaron. I bet Massimo will have more to say about it from the more like diplomacy level. But one thing that I wanted to Flag in relation to this point that you made about these regional networks and going more like, towards this regional aspect is that we should be thinking more in terms of context and the difference in the practices in different regions of the world. So avoiding having a Western centric or European centric GDPR type of so general data protection regulation, which is an EU European Union regulation centered kind of focus. And there are a number of different and very relevant and interesting practices and regulatory frameworks emerging in different areas of the world. For example, Latin America, which is where I'm originally from, it is an area that people are engaging with within the humanitarian context, but. But more broadly as well. So speaking for like a more broad context is quite. There is a lot happening and so we shouldn't forget that this is happening, and that global majority countries and regions are quite able to, to be at the forefront of those discussions and not just following them. So that was just one, one small point about that. But I think it's great to have dialogue in this field and ideally putting the humanitarian action context into that because many of these regions have, for example, questions relating to migration and how they process, for example, migration or migration within Latin America. Use that example. Again, there is a lot of mobility in that context of people and digital technologies can be used to help support the work of organizations in the field. Now that doesn't exist in a vacuum and it should not exist without or outside of the regulatory frameworks that are in place. So it would be important to, to have those perspectives being quite there. Right, quite informing the discourse. And we have some of these approaches in the book and some in the blog post series that is accompanying the book. Massimo might have more insights on that question. [00:34:24] Massimo: No, I absolutely agree. I was going to say the same with regard to the importance of contextualizing some of the principles and requirements that often get translated literally and they're all driven by the same objectives we mentioned earlier, the respect of the individual, which tend to have a universal aspiration and yet when they're translated in different parts of the world, they take different meaning or there are different ways of safeguarding and protecting these objectives. And I think chapter by Professor Miyashita that focuses on Asia is very interesting in the perspective. Also the blog, as you mentioned, that looks at the Latin America perspective is also very interesting how to engage with the regional network. I think one of the stakeholders that has been sponsoring and supporting this initiative, the Global Privacy assembly and the Working Group aid, is really a key to that. It's true it has a global constituency, but it's composed of the same members that then gather and shape regional fora as well. We have had plenty of interactions also, for example, with the French Speaking association of Data Protection Authorities, the Ibero American Network of Data Protection Authorities that are very, very active and part of these communities. So the working group AID that is one of the sponsors of this initiative can be an incredible bridge for the different regional networks as well. [00:36:08] Aaron: Final question before we wrap up. Are there any sort of key takeaways from the book, things that you would like to leave the audience with in terms of both the book and its importance to to contemporary discussions around data protection, but more broadly the importance of these issues to the global community? I think for me, one of the most important issues facing society is the increased number of conflicts and crises that are emerging around the world. We sometimes, especially in the United States, lose sight of everything that's happening globally. But there are incredibly important developments happening outside the United States and in some cases inside that implicate both privacy and data protection in important ways. And I do hope that this book offers a modicum of guidance and advice to people involved in resolving those conflicts and thinking through the appropriate role that technology will play in governing them. And I hope in 10 years time we have a lot to show for the the lessons learned from, from this volume and the the discussion that it's brought about. [00:37:30] Ana: Thank you, Aaron. That's a good point. And building on that, indeed, we shouldn't lose focus and understand that there are a number of conflicts and situations of crisis around the world that are important to take into consideration and that we will have more and more of a demand for digitization and using digital technologies and tools to support the action of those that are going to be engaged in providing relief or aid in this field. And so doing that in a way that is principled, in a way that is respecting the human dignity of the communities that are affected already, that are already affected and already in a vulnerable situation. So you don't want to have another layer of problems and harm happening to them because these actors are using digital technologies. So I think it's important and this is this type of reflection we see throughout the book in different contexts, in different type of scenarios and analysis of different regions as well. And I think that's the key takeaways that we need to think about how to make sure that these populations will not be having another layer of harm in the uses of digital technologies and using data protection as a tool to enable this action, not just as a legal constraint or a legal compliance type of mechanism. [00:39:22] Massimo: Yeah, no, I fully agree. And maybe just again to build on this and to start from where, to finish with where we started. One of the key messages for me really is that data protection is an incredible lens of analysis, a tool, a way of looking at our dilemmas and problems to navigate complex questions. Ultimately there to ensure the respect of the dignity individuals their rights and to ensure accountability of the humanitarian sector and the application of the principle of do no harm. Now, not to be repetitive, I would also like to take it maybe from the other side as an encouragement for all the people who are working in this sector and trying to apply and to bring data protection to humanitarian programming, but perhaps even further than in humanitarian programming, to not forget this as and when they're applying data protection frameworks, it is reassuring to rely on principles and rules. But let's not forget what those rules are there. They're not there for the sake of the rules. They're there for the respect of the individuals. And I think it's important to keep it in mind also at a time when these rules are currently being revised in some parts of the world. And sometimes the questions come Wonderful. [00:40:43] Aaron: Thank you both so much for this engaging discussion. I look forward to reading more about the book and the conversations that it provokes online and in the various meetings that I'm sure will take place over the coming months about these issues at different levels. [00:41:02] Margaux: Thanks for listening to this episode of Data Points. More information can be found at datascience.virginia.edu. if you're enjoying UVA Data Points, be sure to give us a rating and review wherever you listen to podcasts. And we'll be back soon with another conversation about the world of data science.