Regulatory & Policy Considerations The following section examines the regulatory and policy environment for the implementation of a CDR project for humanitarian purposes. The regulatory environment impacts a CDR program in two ways: 1) the degree to which it facilitates access to CDR data by a humanitarian agency or another third-party organization (it is important to note that preventing access may at times be appropriate and necessary to protect displaced populations); and 2) the degree to which it provides protection for displaced people and other affected persons. Three main categories of policy influence both access to and protection of CDR data: international governing frameworks; national privacy and data protection laws; and rules granting emergency powers to the national government. This section examines these policies as well as the different models of data sharing agreements between stakeholders that are impacted by these policies. Relevant Policies
There is no explicit international legal framework governing the use of CDR, though relevant guidelines and regulations can help inform proper use. In 2010, IOM became one of the first international organizations (IOs) to produce a mandatory data protection policy, the IOM Data Protection Principles, which were further elaborated into the Data Protection Manual. IOM’s Data Protection Manual guides the organization’s use of personal data based on “relevant international standards, in particular the core data protection principles as recognized by many States, and through research on policies and procedures in other organizations”.27 Other humanitarian organizations such as ICRC and OCHA also produce guidelines for data protection and the ethical use of humanitarian data.28 The “Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data” of 1981 (updated 2018) is a Council of Europe treaty that sets international standards for automatic processing of personal information, though none of the case study countries in this report are party.29 In terms of regional agreements, the 2016
General Data Protection Regulation of the European Union (GDPR) is considered to be the most comprehensive set of regulations for data protection.30 With respect to data sharing to humanitarian actors and stakeholders, “reasons of public interest,” as discussed in Article 49 of the GDPR (which provides guidance on data transfer), may serve as the legal basis for the transfer of CDR data.31 National data protection laws (including data protection policies) generally provide low data protection, could facilitate CDR access, and vary among the case studies. Domestic privacy policies determine data sharing and protection possibilities and constraints, affecting potential CDR use. In most case study countries, citizens have a legally enshrined right to privacy. However, it is unclear how broad privacy rights apply to data, particularly CDR data, in countries where data protection is not explicitly codified. This is further complicated by the various types of data sharing agreements and which specific actors would be permitted to access CDR data. For example, the Bahamas’ Data Protection Act (2003) outlines European Union (EU)-level privacy regulations.32 Under this law, telecommunications companies are not allowed to share even aggregate data without a court order from the Attorney General; IOM or another humanitarian organization could likely secure CDR data through this legal process if it has the support of the government and if this action is in line with IOM’s privileges and immunities. Conversely, some countries lack any data protection laws, policies, or relevant regulatory bodies. Of the ten case study countries, only two, the Bahamas and the Philippines have national data privacy laws.33 In Micronesia, interview respondents suggested that even the concept of data protection is fairly nascent, and regulation has yet to emerge.34 Most other case study countries fall between these examples and have limited data protections in place. For example, Honduras has a draft data protection law in the legislature and an Ombudsman system which has dealt with complaints on an ad hoc basis.35 In some cases, civil society is increasingly pressuring the government Regulatory and Policy Considerations
21
