With the pandemic forcing governments to transition immigration and medical information to digital systems, and with employers and foreign nationals taking up remote work in growing numbers, there has been unprecedented growth in the digital footprint of travelers and employees in the last two years. Data privacy concerns and related laws have also increased in line with this movement, and part of a travelers’ assignment acceptance consideration may soon become whether the destination country adopts strict data privacy rules. This article discusses these and other important related topics and projections. For more information, access Fragomen’s Worldwide Immigration Trends Report 2023, coming in January 2023.
Unprecedented growth in digital risk introduced by the pandemic, combined with an uptick in immigration activity and increasingly sophisticated data privacy laws has made it imperative to find robust measures to protect the personal information of travelers and immigrants.
Since the start of the pandemic, governments have increasingly transitioned immigration and medical information to digital systems. This has led to unprecedented growth in the digital footprint of digital vaccination passports, contact tracing applications and digital health platforms. Travelers are now asked to share personal medical data online with governments, international organizations and even third-party private companies before travel.
In a March 2022 Fragomen survey, 82 out of 167 surveyed countries had a digital health platform for COVID-19 test results/vaccination status/other COVID-19-related information providing/tracking.
-Image from Norton Rose Fulbright publication, last accessed March 1, 2022
In addition, remote work has also grown at a swift rate in the last two years. Employees with sensitive client information are now connected to online networks outside traditional company servers, and working in the cloud more often.
With the increased online presence of sensitive personal information, security hacks and data breaches became more prevalent. At the start of the pandemic, the number of ransomware attacks in the world increased by 148 percent (McKinsey).
In 2018, the General Data Protection Regulation (GDPR) set the gold standard for data privacy regulation. The GDPR was enacted to provide a common framework for data protection. Among other important regulatory elements, it imposes fines against those who violate its privacy and security standards, with amounts reaching into the tens of millions of Euros for abuse or failure to protect of protected personal information.
Examples of other countries’ recently-implemented data privacy laws are Brazil’s Lei Geral de Proteçao de Dados, implemented in September 2020; Egypt’s data protection Law No. 151, endorsed by its President in 2020; Canada’s proposed Digital Charter Implementation Act, which is moving through the legislative process and China’s Personal Information Protection Law (PIPL), which entered into force as of November 2021.
The image below shows just how much data privacy legislation has grown across the globe.
- Image from UN Conference on Trade and Development website, last updated December 2021
What is blockchain and why is it relevant here?
Blockchain is a technology that operates on a shared, indelible ledger which facilitates the process of recording transactions and tracking assets. Every record created in the blockchain can be verified by the entire community authorized to use the platform, instead of a single centralized authority, and it allows those parties to share information without any intermediaries.
In the field of immigration and refugee management, the use of blockchain could revolutionize immigration and global mobility in that it has the potential to add efficiencies and reduce fraud.
For more on blockchain, access Fragomen’s podcast, the Immigration Conversation.
Conflicts with existing privacy laws
Notable conflicts do, however, arise between blockchain and existing data privacy laws:
- First, many existing privacy laws operate on a framework which involves the designation of a Controller or an entity that is responsible for determining the purpose and means of processing personal data. This could be problematic in a decentralized network, where anyone could theoretically participate, and the controllership role is less obvious.
- Second, is the question of whether encryption and hashing techniques used in blockchain networks are sufficient to meet the strict anonymity requirements of existing data privacy laws.
- Third, since data is indelible on a blockchain network, a data subject may not be able to successfully exercise their Right to be Forgotten (a requirement of GDPR and other data privacy laws).
Though there are ways to address these concerns, to date, regulatory authorities have largely refrained from providing guidance toward reconciling existing data privacy laws with emerging decentralized technologies like blockchain.
Richer economies will implement blockchain and other technology in immigration processes soon but the cost of implementation may sharpen the divide between richer and poorer economies.
An intricate facet of humanitarian migration is the loss of personal identity from documents becoming unavailable due to the circumstances of forced migration. Blockchain can be a tool for digital proof of identity to prove citizenship, health, birth and education, particularly important with the recent outflux of over 5 million Ukrainian refugees into Europe, and with other refugee crises in the future.
Conclusions for travelers and employers
With little choice but to use the systems governments require to gain entry into a country, employers of traveling workers and foreign nationals should do their research to ensure travelers are aware of potential security vulnerabilities associated with such systems.
Travelers and employers must rely on government agencies themselves (and the third parties they hire) to police their digital systems. Part of a travelers’ assignment acceptance consideration may soon become whether the destination country adopts strict data privacy rules/consequences for violations so as to protect their data and identity.
Until blockchain technology is more readily adopted by governments, confidential traveler information and other important data remains at risk in the digital space.