U-M celebrated Privacy Day for the fifth year through a month’s worth of programming co-convened by ITS Information Assurance and the School of Information. At U-M’s 2022 Privacy Day keynote presentation, Dr. Gabriela Zanfir-Fortuna, vice President for Global Privacy at the Future of Privacy Forum, walked her audience through the key concepts of privacy and data protection and provided real-life examples of how policies and legislation can protect personal information. A self-proclaimed “data protection geek,” Zanfir-Fortuna drew on her international experience and expertise to paint a compelling picture of the importance of data protection.
Some of her key points on the history of data protection include:
- Data protection law does not equal privacy. Data protection legislation does not forbid data collection; its purpose is to establish “rules of the road” for how we use personal data in a way that respects the fundamental rights of individuals. Privacy, on the other hand, can be thought of as a shield that protects the personal sphere of an individual with the goal of not allowing access to details of one’s family life, for example.
- Fair Information Practice Principles (FIPPs) were conceived in the 1960s and 1970s primarily in the United States and Western Europe and started to make their way into reports and laws (see the 1973 Report on the Records, Computers, and the Rights of Citizens). These principles were hugely influential in the development of data protection legislation and can be found in modern data protection laws around the world.
- The right to personal data protection is now a constitutional right in many countries, such as the European Union (since 2000), Mexico (since 2009), and Brazil (since 2021).
- There are 55 countries around the world that have signed Convention 108, the only international treaty for the protection of individuals with regard to automatic processing of personal data. The United States is not one of them.
Across Europe in particular, data protection laws are being leveraged to account for technology challenges posed by facial recognition, machine learning, and artificial intelligence.
- As part of the pandemic response in Bulgaria, schools wanted to use facial recognition with temperature measurement. The Bulgarian Data Protection Authority (DPA) deemed it unlawful, due to a power imbalance that favored schools over students, which rendered student consent invalid.
- In Germany, the DPA did not allow a job application assessment tool to select candidates for interviews because there was no meaningful human intervention in the selection.
- In Portugal, cases on student proctoring software found that the lack of clear human assessment criteria led to rubber stamping the algorithmic suggestions. This was deemed unlawful by the Portuguese DPA.
To learn more, particularly about how and why the U.S. lags behind Europe in data protection legislation, watch the recording of Zanfir-Fortuna’s keynote: Beyond Privacy: Fairness in How Personal Data is Used in Our New Digital World.
To see how ITS Information Assurance celebrated Data Privacy Day in January 2022, check out the recordings of different virtual events that featured students, educators, and professionals working in the field of data privacy: Privacy@Michigan Data Privacy Day 2022.