The Ministry of Telecommunications and Information Society, coordinating the efforts of the current Ecuadorian government, is leading the creation of a Digital Transformation Policy that is aligned with the already published Digital Transformation Agenda of Ecuador. A few days ago, the working tables for its elaboration were closed and a latest draft version is available. The execution of this policy necessarily brings challenges for the protection of personal data. In this article, these challenges are addressed from two perspectives: the protection of personal data as (A) a cross-cutting issue in all of politics and as (B) a thematic vertical within it.
As a starting point, the Digital Transformation Policy (hereinafter, "the policy") is made up of a series of principles, an approach, pillars and axes aimed at meeting certain objectives. This clarification is highly relevant because the principles and the approach have a transversal role in the policy, and it is precisely to them that the first commentary in this article will be linked. For its part, regarding one of the pillars and axes of the policy, another series of comments will be addressed.
A. THE TRANSVERSALITY OF PERSONAL DATA PROTECTION
In relation to the transversality of data protection, it is necessary to emphasize its role as a principle and approach, in addition to a reductionism contained in one of the policy specific objectives.
Data protection as a principle
The digital transformation policy includes a series of principles, among which are: "the person as the center of digital transformation" and "security, protection and empowerment, a secure digital environment". In both cases, the protection of personal data is a necessary element.
With regard to the centrality of the individual (human centric), this is not possible without respect for their fundamental rights, among which is the protection of personal data that is expressly recognized in articles 66.19 and 92 of the Ecuadorian Constitution. In the specific context of the digital transformation, an express reference to the protection of personal data would have been desirable, perhaps together with closely linked rights that play a key role in these contexts, such as the right to privacy.
On the other hand, personal data protection is also a necessary prerequisite for a "safe digital environment". In this case, the reference to data protection is imperative because the pertinent part of the policy provides: “security, protection and empowerment, a secure digital environment. Everyone should have access to digital technologies, products and services that are secure and protect privacy [intimidad] by design.” Regarding this sentence, it should be noted:
- The expression "by design" needs its complement: "and by default".
- The expression "Privacy [intimidad] by design" is an issue that does not properly mesh with Ecuadorian legislation, which in the Personal Data Protection Law does not refer to "privacy by design" but to "data protection by design and by default”.
- The previous point is relevant because the Ecuadorian Constitutional Court expressly stated in its Decision No. 2064-14-EP/21, that "privacy (intimidad)" and "personal data protection" are not the same right, but are two independent rights, although closely related (n. 184). As a footnote, in the Ecuadorian legal system uses the expression "intimacy" and not exactly "privacy".
Data protection as an approach
In any case, these omissions described in the previous section (not referring expressly to data protection and referring only to privacy) do not exempt the obligation of the policy to guarantee the fundamental right to personal data protection, since it is understood that this is part of what the policy describes as its approach:
“The center of this policy is digital transformation, which is based on the generation of economic and social value, through the use of Information and Communication Technologies (ICT). To achieve this goal, it is necessary, first, to respect and comply with human rights”
Furthermore, personal data protection, as noted above, was expressly recognized in the Ecuadorian Constitution in articles 66.19 and 92, so even if the policy had failed to expressly refer to this approach, the obligation to respect and guarantee this fundamental right would persist. This is because in the Ecuadorian legal regime, due to several constitutional provisions, both the public power and the actions of private individuals have fundamental rights as the limit (negative obligation – “not to do”) and constrain (positive obligation – “to do”) for their actions.
Reductionism in the specific objectives
As a third point, one of the specific objectives of the policy is: "Strengthen the Ecuadorian cyberspace, trying to guarantee the security of citizens' personal information". This is doubly reductionist.
On the one hand, it reduces personal data protection to the mere protection of its security (personal data confidentiality, integrity, and availability). On the other hand, it limits this "security" to cyberspace, which is also not correct because data protection is not restricted to this environment and, most importantly, because digital transformation is not reduced to "cyberspace" but involves processes, people, and technology.
This reductionism may have a transversal impact on the practical execution of the policy in general, so it is important that the final text is corrected. In any case, even if this reductionism is maintained, every public entity is still obliged to protect personal data, going beyond its security and the mere environment of cyberspace.
In summary, personal data protection must be guaranteed at all times and must be consider when specific actions are proposed to implement what is stated in the pillars and axes of the policy. Likewise, all projects and activities that are generated within the different public entities based on this policy must consider personal data protection, both by virtue of a constitutional obligation and by virtue of having an adequate approach that is aligned with the aforementioned policy.
Digital transformation cannot be human-centric or provide a secure environment without protecting personal data, and this protection always encompasses more than just the security of personal data in cyberspace.
B. DATA PROTECTION AS A “VERTICAL”
Data analytics in the infrastructure axis
Notwithstanding the transversal role described above, it is necessary to highlight the role played by personal data protection within one of the axes of the policy: Infrastructure. The aforementioned axis contains various guidelines, among which are two that specifically correspond to “Interoperability and data processing”.
"3. Process data from the National System of Public Records or from any other source, to perform data analysis processes, in order to provide services to the public sector, the private sector and people in general, as well as generate products, reports, or studies, among others.
4. Implement a new technological architecture that leverages the interaction of state entities, optimizing the processing, analysis and exchange of information and services, oriented to public and private entities and the citizen, as the basis of digital transformation in Ecuador.”
A first point to note is that the policy, in this matter, is not exactly oriented to data protection per se, but rather to a (legitimate) use of certain data (some of them personal) that appear in public records.
However, the fact that the center of this axis is not expressly oriented to data protection but to the use of these, does not exempt them from the obligation to protect the existing personal data, since this protection is a requirement of the Constitution, the Personal Data Protection Law and of the policy itself (in its approach, principles, and specific objectives, as already noted). Special emphasis should be placed on the express reference to "data analytics" as this tells us about a processing activity that undoubtedly falls within the assumption established in article 42 of the Data Protection Law: the obligation to carry out, prior to the start processing, a personal data processing impact assessment.
Other projects with an impact on personal data protection
In addition to what is described in the previous section, there are other projects that must be considered with respect to their personal data protection implications. Two of these projects are: the single medical record (historia clínica única) and the program "Infancia con Futuro" (Childhood with future). In both there is a large-scale sensitive data processing, for which is imperative to carry out an impact assessment.
Regarding the unique clinical history, it should also be added that the use of Blockchain technology has even been expressly referred to, which adds even more complexity to the treatment. On the other hand, regarding "Infancia con Futuro", the scope of this program, as described in the launch of the Digital Transformation Agenda, is extremely extensive, since it wishes as part of its program to collect data from the gestation and throughout the development of the individual after his birth, centralizing this information in a single database.
Both cases merit extensive examination. In any case, it is necessary to highlight the important role of personal data protection in the work that the government and the public sector have been doing. Although the Ecuadorian government has made efforts to comply with personal data protection, there is still a lot of work to be done in all the areas that the policy presents.
The new digital transformation policy that Ecuador will publish must address personal data protection both transversally and “vertically”. Regarding the former, there are several adjustments that must be made in relation to the express reference to personal data protection and the adequacy of concepts to properly cover the personal data protection fundamental right. The latter in order not to reduce it to the personal data security (or to cyberspace) or confuse it with the right to privacy. Regarding the protection of data as "vertical", there is a clear indication that the entities headed by the National Directorate of Public Registries must carry out a processing impact assessment for the case of data analytics. This project is a complex matter, and it must analyze the scope of the objectives that the government sets with it. Along with the above, there are projects that require attention to data protection, even with data processing impact assessments: the single medical record and the database that is to be generated within the “Infancia con Futuro” program.
Article provided by INPLP member: Pablo Arteaga (Dentons Paz Horowitz, Ecuador)
Dr. Tobias Höllwarth (Managing Director INPLP)