Public-private partnerships and the technologies they deploy are often very opaque, with states and companies withholding excessive information. But transparency is essential to enable scrutiny of the exercise of a state's powers, and is a precondition to any challenge of authority and assertion of rights.
Transparency is core to and a preliminary requirement of any exercise and protection of human rights. Without appropriate transparency, the exercise of a state’s powers cannot be subject to proper public scrutiny. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism has observed that “[t]he principle of transparency and integrity requires openness and communication about surveillance practices.” The Special Rapporteur also noted that “[o]pen debate and scrutiny is essential to understanding the advantages and limitations of surveillance techniques, so that the public may develop an understanding of the necessity and lawfulness of surveillance.”
PPPs, and the ongoing commercial relationship they set up, often suffer from a lack of transparency. Companies have commercial interests in preserving confidentiality in their proprietary systems and algorithms – and we have often seen states liberally use that justification to withhold as much information as possible about details of a surveillance or data analytics technology. But just like any public procurement process, PPPs require transparency at every step of their deployment – from public tender processes to policies around deployment of technologies, to the impact or results of deployments. This is essential for the public and civil society to grasp the extent of and the modalities of surveillance and government through data.
Safeguard 1 - Public information and documentation
All PPP documentation should be made publicly available – and where legitimate concerns around disclosure of sensitive information arise (such as state secrets or national security information), it should be made available on a confidential basis to relevant independent oversight bodies (with appropriate clearance/access rights) who can evaluate their adequacy and require changes if necessary (see for example in Argentina how the right of access to public information interacts with exceptions for reasons of national security - in Spanish only). Any redactions from these documents when made publicly available must be strictly justifiable, and reviewable by an independent oversight body if necessary or challenged. Public procurement contracts should be made public (this is already a requirement in many jurisdictions). Wider PPP documentation must provide meaningful information as to the substance of the partnership, to enable understanding of the impact on the public and citizens’ fundamental rights.
PPP documentation should typically include the following (depending on the nature of the technology and services provided, some assessments may or may not be required):
- Contracts, procurement information, Memorandums of Understanding (MoUs), and any other documents providing details of the partnership
- Data Sharing Agreements (‘DSA’) or Data Processing Agreements (‘DPA’)
- Human Rights Impact Assessments (‘HRIA’)
- Data Protection Impact Assessments (‘DPIA’) or Privacy Impact Assessments (‘PIA’)
- Algorithmic Impact Assessments (‘AIA’)
- Records of data processing
Authorities should keep an updated public record of surveillance technologies used or deployed within their jurisdiction. The record should contain details and purpose of the technologies, their coverage (geography, time), and identified risks to individuals’ rights and measures taken to mitigate those.
Very limited information publicly accessible – painstaking efforts from CSOs are required to obtain limited and restricted responses to requests for information
Example(s) of abuse
Palantir and the UK government: information about Palantir’s collaboration with UK government departments has been very limited. PI and other CSOs have repeatedly attempted to obtain further information but were given little additional and sometimes contradictory information.
Safeguard 2 - Waiver of confidentiality
Companies involved in PPPs should waive commercial confidentiality and make their technologies fully auditable by any third party, to enable understanding of (1) what data the company and its technology have access to, (2) how the technology analyses the data and draws conclusions (including disclosure of algorithm parameters), and (3) what role the technology performs in the public authority’s decision-making process. Such information should be available for public scrutiny prior to contracting. If details of the workings of a particular technology cannot be disclosed for specified and valid grounds of serious commercial harm to the company, an independent oversight body bound by duties of confidentiality should be granted full access to all details of the technology required to establish those details.
Commercial interests or intellectual property rights prevent disclosure of details of a technology or system
Example(s) of abuse
Amazon and the UK NHS: the contract obtained was largely redacted for reasons of Amazon’s commercial interest. After PI’s challenge, the UK’s data protection authority ordered partial disclosure.
Electronic voting in Paraguay: machines were made available for auditing, but neither the source code nor the hardware were open for auditing.
Safeguard 3 - Transparency over personal data processing
When personal data is envisaged to be processed as part of a PPP, any provisional or final documentation should include details of prospective and actual data processing activities, including at a minimum:
- Categories of data subjects (note the use of wide terms such as “members of the public” tends to demonstrate that authorities have not properly reflected on the impact of the processing)
- Types of personal data, with purposes of processing for each
- Sources of personal data (where the data will be obtained) and legal basis for obtaining from each of those sources
This information should be published in policies directed at populations whose data will be processed.
Lack of clarity about whether and what type of personal data is or will be processed
Example(s) of abuse
Palantir and the Cabinet Office for the Border Flow Tool: it took PI months and multiple Freedom of Information (‘FOI’) requests to understand what kind of personal data Palantir would be processing – the public contract only mentioned processing of data on “members of the public”.
Safeguard 4 - Transparency over company access to data
PPP contracts should give explicit details of the company’s access to data (whether for software maintenance, customer support, audit logs or emergency purposes), and provide for corresponding safeguards to ensure security and proper handling of the data. DPIAs should assess the risks of citizens’ data (especially if highly sensitive data) transferring to private hands and consider the suitability of associated access rights, security, retention and deletion measures.
Lack of clarity as to the type and level of access to data granted to the company
Example(s) of abuse
Palantir and the NHS: the contract contradicted the DPIA conducted with regards to Palantir’s access to data.
Safeguard 5 - Legal framework for access to information
Legislation guaranteeing suitable access to public interest information must exist or be passed. PPP documentation ought to be available for public consultation under such legislation. When a PPP is set up, a person or entity within the relevant public authority should be designated responsible for providing access to information about the deployment of a technology and related services, and their contact details should be available on any publicly accessible website notifying the deployment of the technology or within the public PPP documentation.
Public access to information about PPPs is often hindered by the lack of, or unsuitability of, a legal or procedural framework for access to information (e.g. FOIA legislation)
Example(s) of abuse
Huawei surveillance cameras in Valenciennes: PI’s numerous requests to the city of Valenciennes bounced around for months because no defined entity was designated as responsible to respond to our requests.