The ‘missing women’ in data protection reporting
Virtually everything we do these days is recorded digitally. Like this, share this, pay here — all these actions are stored as data, combined, analyzed and built into profiles whether we are aware of this or not. Some is data we supply, some is data collected about us, and some is data generated about us. In the midst of all this data, it can come as a surprise to learn there are gaps.
A case in point is data on women, or rather, the absence of data about women. Caroline Criado-Perez in “Invisible Women — Exposing Data Bias in a World Designed for Men” has pointed to huge gaps in our knowledge about half the world’s population — that is, women. Decisions about what gets measured, and the interpretation of results, have resulted in what Criado-Perez calls “the female-shaped ‘absent presence’ — the gender data gap.”
The absence of data about women’s lives has affected planning for transport and public housing and the design of urban spaces and transit environments, rendering these less suitable for women and significantly impacting their safety, mobility and employment. The absence of data on matters relevant to women is not restricted to “old” technologies, like public infrastructure services, but also extends to the development of wearables and even applications solely for women’s use.
Data is seen as a means to help solve many problems. Yet, when datasets reflect the environment in which they are produced and used, and when this environment under-reports and under-represents 50% of the population, the contribution of data is not as powerful or as helpful as it should be. Artificial intelligence algorithms trained on unrepresentative data can perpetuate biases and outdated stereotypes, particularly when the algorithms, while increasingly utilized, are neither transparent nor independently audited.
Women’s presence in datasets is one issue. Another is the protection of women’s personal information. Economic harm and severe physical and mental health effects can be consequences of privacy infringements of women’s personal information. Data breaches, unfortunately, are increasingly common occurrences.
The regulation of personal data was significantly reformed in the European Union in 2018, when the General Data Protection Regulation was introduced. It is binding on member states of the European Union and complaints lodged by citizens against violations of the GDPR are handled by the relevant data protection authority.
Since the GDPR came into force May 25, 2018, some 59,000 personal data breach notifications have been made to relevant data protection authorities. Countries such as Canada, Australia, the U.K. and the U.S. also have mandatory breach notification schemes.
Advocating to improve privacy and data regulation has been a function of the International Conference of Data Protection and Privacy Commissioners, which connects 122 privacy and data protection authorities. It promotes the improvement of personal data protection and privacy rights, the development of standards and cooperation among accredited members. Significant ICDPPC initiatives are formally decided by resolution by members.
Following the OECD’s observation in 2013 that the evidence base available for policymaking in privacy was uneven and that privacy enforcement authorities’ complaint data, breach statistics and other indicators could provide a potentially rich source of insight for policymakers, the ICDPPC committed to “closing the gaps in the available measures of data protection and privacy regulation.” It adopted a resolution to assist the development of internationally comparable metrics for data protection and privacy.
There is a significant body of research on women’s privacy experiences that points to these being different from those of men. In contrast, the experience of women in their interactions with data protection regulation is largely unreported.
To better understand what data and material are available on women’s interactions with DPAs, publicly available ICDPPC materials and the most recent annual reports of accredited members were reviewed, where available and able to be translated reliably.
We found that none of the ICDPPC’s Working Group Reports, resolutions, declarations and communiques, representation at international organizations, committee documents or miscellaneous are explicitly related to women and data protection functions. While the ICDPPC has adopted resolutions for specific population groups, such as the resolution on Children’s Online Privacy Protection Act (2008) and Human Rights Defenders at Risk (2016), no resolutions or other documents were located on women’s data protection interactions or needs. Resolutions such as Developing New Metrics of Data Protection Regulation (2016) and Big Data (2014) make no mention of metrics concerning women or gendered aspects of data.
Our review of the most recent annual reports of accredited members, where available and able to be reliably translated, looked for data on women’s interaction with DPAs and initiatives such as consultations, reports or submissions concerning women and/or gender.
Whereas some annual reports had a female/male breakdown of staff composition, similar de-aggregation of complaints data to report numbers of women seeking data protection assistance was not found, except for one DPA.
Annual reports did generally describe particular individual investigations or case matters involving women, and others reported addressing women’s or gender privacy issues through consultations and submissions. Data de-aggregated by sex was found in DPA community awareness surveys, but these are rarely undertaken on an annual basis or specifically of women who have sought DPA assistance.
DPAs gather considerable data, including trends over time in total numbers of complaints, data breach statistics, and use of various forms of enforcement and sanctions. While useful for general assessment, these could be much richer and more useful for policymakers and reformers if inclusive of sex and gender variables.
We acknowledge that data on women’s interaction with data regulators may be available and analyzed within DPAs, and there may be more DPAs that provide such data in their annual reports than we identified. Even so, available ICDPPC documentation and the published annual reports of DPAs do not suggest the participation of women as users of data protection services, despite their different privacy experiences, is recognized or reported.
Research has shown women experience privacy infringements differently to men, but we don’t know of the interaction of women with the data regulatory sphere. How many women complain to DPAs? For what reason? And with what success?
We don’t know if the matters women bring forward are more difficult to resolve or whether representations are more likely to be on behalf of others such as children and parents. We don’t know what services are used or preferred.
Data on questions such as, “What do women report to DPAs?”; “What do they seek help with?”; “How do they seek help?”; and “How well are their needs met by the legislation?” would serve as an evidence base for public policy development, legislative reform, resource allocation and service delivery.