Data Privacy in the Post-Pandemic World – Trends and Projections in the Global Immigration Environment
Sonya B. Cole and Laura Weingort (Fragomen Knowledge Team), with Aaron Tilden (Fragomen Data Privacy Office)
Unprecedented growth in digital risk introduced by the pandemic, combined with an uptick in immigration activity and increasingly sophisticated data privacy laws has made it imperative to find ever more robust measures to protect the personal information of individuals seeking immigration benefits.
Since the start of the pandemic, governments have increasingly transitioned immigration and medical information verification processes to digital systems. This has led to unprecedented growth in the digital footprint of immigration-support systems, such as digital vaccination passports, contact tracing applications and digital health platforms. Travellers are now asked to share personal medical data online with governments, international organisations and even third-party private companies as a prerequisite to basic travel and mobility.
In a March 2022 Fragomen survey, 82 out of 167 surveyed countries had a digital health platform for COVID-19 test results/vaccination status/other COVID-19-related information providing/tracking.
In addition, remote work has also grown at a swift rate in the last two years. Employees with sensitive client information are now working in different parts of the world, connected to more online networks outside traditional company servers, and working in the cloud more often.
Governments have become more reliant on online platforms to monitor compliance with immigration requirements. Deadlines for missed renewal of documents are system-flagged and related notifications of fines or other violation consequences are increasingly sent out automatically.
With the increased online presence of sensitive personal information associated with different stakeholders increasing their collection, management and compliance tracking of traveller data and confidential records, security hacks and data breaches became more prevalent. In fact, in the beginning months of the pandemic, the number of ransomware attacks in the world as a whole increased by 148 percent and phishing attacks increased by 510 percent from January to February 2020 (McKinsey).
Prior to the start of the pandemic the General Data Protection Regulation (GDPR) was implemented in 2018, setting the gold standard for data privacy regulation. The GDPR was enacted to unify the laws of the European Union, providing a common framework for data protection. Among other important regulatory elements, it imposes fines against those who violate its privacy and security standards, with amounts reaching into the tens of millions of Euros for abuse or failure to protect of protected personal information.
Examples of other countries’ recently implemented data privacy laws are Brazil’s Lei Geral de Proteçao de Dados, implemented in September 2020; Egypt’s data protection Law No. 151, endorsed by its President in 2020; Canada’s proposed Digital Charter Implementation Act, which is moving through the legislative process and China’s Personal Information Protection Law (PIPL), which entered into force as of November 2021.
The image below shows just how much data privacy legislation has grown across the globe.
Image from UN Conference on Trade and Development website, last updated December 2021
What is blockchain and why is it relevant here?
Blockchain is a technology that operates on a shared, indelible ledger which facilitates the process of recording transactions and tracking assets. The underlying technology can be used for various applications, including the transfer and verification of digitised immigration related documents. As every record created in the blockchain is indelible, its authenticity can be verified by the entire community authorised to use the platform, instead of a single centralised authority. Blockchain technology thus establishes trust between independent parties and allows those parties to share trusted information without any intermediary institutions becoming involved, essentially providing a digital verification mechanism for people to prove their identity and share information and documents. In the field of immigration and refugee management, the use of blockchain could revolutionise immigration and global mobility in that it has the potential to (1) add efficiencies to the immigration process; and (2) reduce fraud in immigration applications and processes.
For more information on the blockchain discussion, access Fragomen’s podcast, the Immigration Conversation.
Conflicts with existing privacy laws
Notable conflicts do, however, arise between blockchain and existing data privacy laws. The following are three primary areas of concern:
- First, many existing privacy laws operate on a framework which involves the designation of a Controller or an entity that is responsible for determining the purpose and means of processing personal data. This could be problematic in a decentralised network, where anyone could theoretically participate, and the controllership role is less obvious.
- Second, is the question of whether encryption and hashing techniques used in blockchain networks are sufficient to meet the strict anonymity requirements of existing data privacy laws.
- Third, since data is indelible on a blockchain network, a data subject may not be able to successfully exercise their Right to be Forgotten (a requirement of GDPR and other data privacy laws).
There are of course potential mitigations that could be used to address these concerns. However, to date, regulatory authorities have largely refrained from providing guidance towards reconciling existing data privacy laws with emerging decentralised technologies like blockchain.
What’s next in blockchain?
The digital transformation of travel and immigration is happening rapidly, and blockchain is one part of it. But the evolution of blockchain in immigration will be gradual. Richer economies will implement these technological changes sooner and the cost of implementation may sharpen the divide between richer and poorer economies, benefitting the former and potentially hindering travel and global employment of citizens of the latter. On the other hand, though blockchain is arguably built on the premise of data protection and personal consent, policy makers and users must still build confidence in how personal data will be issued and shared and how the potential for abuse or errors will be mitigated.
Blockchain breakthroughs can also be expected in refugee and asylum law, particularly important with the recent outflux of over five million Ukrainian refugees into Europe, and with more refugee crises due to inevitable environmental disasters in the future. An intricate facet of humanitarian migration is the loss of personal identity that is frequently the result of institutions that have ceased to exist or documents that are unavailable because of the circumstances of forced migration. Blockchain can be a tool for digital proof of identity relevant to many types of personal data (citizenship, health, birth, education), expediting and validating identity and eligibility checks.
Conclusions for travellers and employers
Travellers and immigrants should be careful in the use of digital platforms by governments to collect their personal identification and medical information. These third-party systems are often susceptible to both fraud and hacking - and there have been numerous examples of misuse worldwide. However, with little choice but to use the systems governments require to gain entry into a country, employers of traveling workers and foreign nationals should do their research to ensure travelers are aware of potential security vulnerabilities associated with such systems. As instances of misuse are increasingly published online by governments, red flags associated with digital systems in certain countries or regions can be readily found.
Travellers and employers must rely on government agencies themselves (and the third parties they hire) to police their digital systems. It will be many more years before blockchain technology becomes a commonplace protection in immigration processes. Part of a travelers’ assignment acceptance consideration may soon become whether the destination country adopts strict data privacy rules/consequences for violations to protect their data and identity.
Until blockchain technology is more readily adopted by governments, confidential traveler information and other important data remains at risk in the digital space.