This report is divided into two parts: an executive summary of activities undertaken during 2017-18 is the first, introductory part of the report. The second and main part is the final report on the work of the Big Data Open Data Taskforce established by the Special Rapporteur on the right to privacy.

The Special Rapporteur presented his interim report on Big Data – Open Data to the General Assembly in October 2017. The report reviewed the challenges to the human right to privacy from a defining feature of the digital era, that is, Big Data – Open Data. Since then, the introduction of the GDPR and the Facebook-Cambridge Analytica revelations have occurred.

Consultation with Government officials, civil society organizations, companies and individuals on the interim report occurred in Australia on 26 and 27 July 2018. It was preceded by a call for submissions on the interim report which concluded on 28 April 2018 and summarised for the consultation. Further input came from meetings with civil society organisations organised by the Australian Privacy Foundation and from submissions received after the consultation. 

Summary

The original recommendations made in 2017 (A/72/540) have been expanded based on the consultation, as follows:

a) Governments’ internal sharing of personal data be distinguished in legislation, policies and practices from releasing data to the public as Open Data.

b) Unless and until, it is possible to unambiguously determine if there is personal information within aggregated data, or that disaggregated data cannot be re-aggregated, then Open Data should not contain unit level records.

c) Work to create international standards for privacy preserving data sharing, and international standardisation activities must continue without delay, and be supported by Member States.

d) Research into Differential Privacy is necessary. It should be used for aggregate statistics and complex data types, and other privacy-preserving technologies such as homomorphic encryption and secure multiparty computation.

e) As an interim minimum response to agreeing to detailed privacy rules harmonised at the global level, Member States be encouraged to ratify data protection Convention 108+ using CETS223 and implement the principles contained there through domestic law without undue delay, paying particular attention to immediately implementing those provisions requiring safeguards for personal data collected for surveillance and other national security purposes.

f) As a matter of alignment of best practices, when reviewing and updating their domestic law as part of the transposition of Convention 108+, Member States outside the EU be encouraged to, if at all possible also incorporate safeguards and remedies found in the GDPR but not mandatory under Convention 108+.

g) Governments and corporations recognise the sovereignty of indigenous peoples over data that are about them or collected from them, and which pertain to indigenous peoples, knowledge systems, customs or territories, by always including formalised indigenous developed principles, a focus on indigenous leadership and mechanisms of accountability.

h) Member States review the adequacy of all legal and policy frameworks on AI for the protection of freedom of expression and the right to privacy; to foster strong multidisciplinary collaboration between statisticians, lawyers, social scientists, computer scientists, mathematicians and subject area experts, and to devise strategies to prevent or address any negative impact on the enjoyment of human rights emerging from the use of algorithms, automated processing, machine learning and AI.