RESOLUTION PC 211

FORUM: POLITICAL COMMITTEE

QUESTION OF: Measures to better regulate the use of personal data and artificial intelligence

SUBMITTED BY: Australia

CO-SUBMITTERS:Czech Republic, Denmark, Eritrea, Bolivia, DR Congo, Spain, Republic of Korea, Iceland, Palestinian Authority, Latvia, United States of America.

STATUSPassed

Political Committee,

Keeping in mind that Article 17 of the International Convention on Civil and Political Rights, a legally binding resolution, which states that “no one shall be subjected to arbitrary or unlawful interference with his privacy” and that “everyone has the right to the protection of law against such […] attacks”,

Emphasizing nations’ obligation to respect and abide by international human rights legislation, 

Guided by the fast-paced nature of technological advancements, including those in artificial intelligence, and consequently further recognizing the need for regular discussion and analysis of issues regarding privacy with regards to personal data as development occurs,

Fully aware of the extent to which involvement of artificial intelligence occurs in the daily lives of all, as well as the increasing dependency on technology and the consequent increasing risks for violations of human rights, specifically the right to privacy,

Noting also the continuous and perpetual nature of the creation of personal data, and the variety of ways, ranging from voluntary to unconsented, in which personal data can be collected,

Reaffirming the benefits which artificial intelligence can bring such as predictive abilities, increased productivity and efficiency, analysis capacities, avoiding human error among many others,

Bearing in mind that the development of artificial intelligence involves the need for personal data yet further recognizing the extent to which collection of personal data can be misused and involve subsequent breaches of privacy, 

Taking into account the frequent case that the user is often misinformed and lacks context when providing consent regarding the collection, processing, use of personal data,

  1. Recommends the formation of an AD HOC Committee under the mandate of the International Telecommunication Union and in accordance with Article 12 of the UN Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights in order to:
    1. determine a universally accepted level of personal data of consumers shared, through means such as:
      1. determining the types of personal data to be shared, such as a home address, bank address, as well as data related to digital footprints, such as IP addresses, and cookies, etc
      2. forums accessible to citizens of the international community to put forth their concerns on the daily use of social media sites, in order to implement this into the creation of consensual standards of data accessibility
    2. increase transparency between global users and organizations upon the usage of personal data through:
      1. holding online events, seminars, and dialogue between data specialists and citizens of nations to keep them informed of the use of personal data and prediction based AI in providing services through a three-pronged approach of ensuring understanding of the functioning of prediction based AI, the use of personal data in creating models, and the need of accurate models
      2. holding negotiations with representatives of nations as well as representatives of leading social media conglomerates to abide by Data Protection Regulations and International Data Flows, created by the United Nations Conference on Trade and Development, as well as to limit the extent to which personal data can be used through compliance with stricter national and international jurisdiction
      3. urging social media conglomerates to create more accessible means of informing users of the extent to which their shared personal data will be used through interactive means such as videos, photographs, etc on the sites itself, not limited to the agreement of Terms and Conditions;
  2. Encourages the creation of a Task Force of experts from various nations such as Italy, the United States of America, Australia, and New Zealand, along with other Member States willing to participate, under the mandate of the ITU with the role of carrying out investigations into the role of ‘social media news’ and mobilization through the use of prediction AI to target particular groups in the case of the Italian referendum of 2017, the recent attack on the American Capitol, 2016 American Elections;
  3. Recognizes the need for the creation of an ad hoc committee under the mandate of UNESCO, collaborating with members of grassroots NGOs in rural areas of developing countries with an internet penetration of 50% or over in order to:
    1. spread awareness about the politicization of news, and spread of fake news on social media through means such as but not limited to: 
      1. COVID-compliant door to door interaction
      2. COVID-compliant gatherings in local educational institutions 
      3. TV broadcasts 
      4. informational surveys and fliers
    2. improve digital literacy in the population through the same means, addressing topics such as, but not limited to: 
      1. confirmation bias
      2. echo chambers;
  4. Further recognizes the need for the creation of a subsidiary body under the Office of the United Nations High Commissioner for Human Rights (OHCHR) to further the framework created under the 2018 report for the Right To Privacy, specifically in the context of the sale of data such as but not limited to biometric information, in order to:
    1. survey digital markets buying such data in order to:
      1. understand the use of such data
      2. evaluate the legalities of the International Data Privacy Laws (IDPL)
    2. create a legal framework in correspondence with IDPL to:
      1. create more comprehensive regulation on limiting the access to personal data of users of internet services
      2. establish the legal limits of the sale of personal data and data harvesting,
      3. make stricter the imposition upon companies to restrict sale and violation of the privacy of users
    3. encourage member nations of the UN to conduct seminars for ministers and policymakers with regard to the personal data market and the ways in which it is collected from users as well as the repercussions of this practice;
  5. Requests the establishment of “Personal Data Protection Protocol” (PDPP) for the member states which lack data protection policies and are not in the European Union noting that the current General Data Protection Policy Regulation (GDPR) is in effect only for the European Union countries and, therefore, the aforementioned Protocol will function as the common set of laws which the member states needed and will stress that:
    1. any processing data must be lawful and fair and it must be transparent to the individuals that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data is or will be processed regarding the policy of data minimization
    2. the types of data of the natural person that will be protected by the frame of the Protocol such as but not limited to:
      1. biometric data
      2. political opinions
      3. health and genetic information
      4. racial and ethnic data
      5. sexual orientation
    3. the application of “pseudonymization” or “anonymization” to personal data which aims to reduce the risks to the data subjects, while also helping controllers and processors to meet their data-protection obligations
    4. such incentives will be created to apply pseudonymization when processing personal data while allowing general analysis as the collection of data is legal when:
      1. the controller processing the personal data will be obliged to indicate the authorized people within the same controller in order to clearly state third parties to whom the personal data will be available to
      2. the controller has taken necessary technical and organizational measures to ensure that additional information for attributing the personal data to a specific data subject is kept separately
    5. the notion of genetic data being defined as private data relating to the inherited or acquired genetic characteristics of a natural person which is provided through the analysis of a biological sample from the natural person and will not be enabled for controllers use for analysis purposes
    6. the processing of personal data should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected;
  6. Further requests the Member States to pay special attention to the security of healthcare-related data such as medical history since it is not perishable and hence presents a long-term risk and work towards means to protect and combat the problems created by the market for stolen healthcare data by means such as but not limited to: 
    1. educating developers and the firm’s employees in order to help them understand the problem as many large firms that should safeguard this data are relatively unaware about the means to improve the protections around this data by means such as but not limited to:
      1. seminars 
      2. panels with technology experts 
      3. awareness campaigns on various forms of media within the state
    2. creating new guidelines for data security on medical devices and/or databases, specific guidelines that recommend changes regarding stricter security of personal data before the app/device comes onto the market so as to prevent the risk of user data 
    3. improving communication between consumers, developers, and the regulatory boards of respective nations to ensure that vulnerabilities can be identified and fixed once the device is on the market;
  7. Encourages for the formation of an organization under the UN, which will be named the Commission of Artificial Intelligence privacy and Security (CAIPS), it will carry a group of experienced and specialised lawyers from all over the world in order to prevent any bias, these lawyers shall: pass resolutions aiming to alter the legislation of the terms and conditions of all websites with traces of AI, such as Google maps, in order to make them more user friendly by ways such as but no limited to:
    1. changing the word count to ensure that there is a limited number of words,
    2. altering the words of the terms and conditions to ensure that simple vocabulary is being used,
    3. making sure that only crucial information is being addressed without all the complicated legislation, the CAIPS will conduct thorough examinations of these terms so that they can guarantee the above requirements are met,
    4. establish an act in the case of an emergency, where personal data can be divulged to relevant authorities;
  8. Endorses the addition of “Introduction to Artificial Intelligence and Personal Data” to secondary level´s school program as a mandatory subject in all Member States, in order to start informing and teaching the future generation all the opportunities and also risks that AI has in relation with individuals´data, including education about:
    1. data protection in order to prevent suffering actions such as:
      1. scams,
      2. extortions,
      3. uploading data into compromised networks,
    2. citizens rights, to be aware of when entities are mismanaging their data, including but not limited:
      1. the sell of data to unauthorized entities,
      2. the use of unnecessary valuable information;
  9. Suggests the creation of yearly expertise seminars conducted by the United Nations High Commissioner for Human Rights (UNHCR) in coordination with the Association for Advancement of Artificial Intelligence (AAAI) to educate possible deployers of AI upon:
    1. The dangers and risks, both socially and legally, of artificial intelligence when developed and deployed without safety measures;
    2. Possible safety measures which can provide corporations the ability to continue using data while respecting privacy legislation such as but not limited to:
      1. Encryption practices, and needed perpetual modernization of such practices
      2. Data anonymization measures
      3. Data pseudonymization measures
    3. The limitations of the precautionary measures outlined above;
  10. Encourages the creation, monitored by the ‘AI for Good’ platform and funded by participating states, of international inclusive education,
    programs in higher education focusing on mastering responsible use of AI and personal data,
    societal campaigns focusing on:

    1. raising awareness on its potential for good in multiple aspects of their communities, if strategically and responsibly implemented
      interventions into businesses and companies exposing the incorporation of AI into corporate strategy and implementing personal data and AI as business tools,
  11. Requests for the integration of technology classes to national education systems in second level education institutions in conjunction with member nations, UNESCO and UNAIPDI and where this is not possible, Massive Open Online Courses (MOOC’s), such as Khan Academy and InZone to be used to outline measures including but not limited to:
    1. the global development of AI in general outlining the harmful and dangerous impacts on the safety of our personal data but also the extremely beneficial impacts of AI,
    2. potential career options in the area of AI so it can lead to a positive contribution to the development of AI and further lead to beneficial global development,
    3. how personal data has been previously used without consent and how to understand what terms and conditions you are signing up to in relation to the usage of your personal data when registering for a website or app;
  12. Supports the establishment of an UN-based cybersecurity agency that will especially work on personal data security called United Nations Protection of Personal Data Agency (UNPPDA) that will function to:
    1. establish UNPPDA bases in every possible country to provide a safer and easier connection between each unit and databases,
    2. protect each and every functioning AI company in the region from cyber attacks towards their personal data sources and databases to further avoid any personal data from falling in bad hands by creating separate UNPPDA teams from software professionals to be placed in every base,
    3. increase the safety of personal data transactions between databases and companies by creating teams that control and monitor those transactions through satellites and cables to prevent any cyber attacks on data transaction connections when they are at their most unsafe and unprotected phases;
  13. Encourages private or public banks to adopt or formulate:
    1. a proactive security incident notification software as well as a certified and
      updated encryption systems in order to avoid any possible act of cybercrime,
    2. a security system by:
      1. securing and backing up the customer’s data
      2. prohibiting employees from downloading and installing unauthorized
        software
      3. setting appropriate approval protocols under bank policies so that in this
        way any transaction that involves a wire transfer will involve two
        approvers
    3. training program for their employees upon matters such as but not limited to:
      1. prohibiting to share confidential information about the institution
      2. verifying the details of a vendor or a customer who has requested any
        changes to be made to the billing account
      3. making every employee aware of the threats of opening or downloading
        email attachments from unknown sources to avoid malicious programs to
        steal confidential information
    4. Monthly Hardware Quality Examination Test (MHQET) which will check
      whether:

      1. every workstation and Internet-enabled device used in the company has a
        firewall that is enabled
      2. the operating system on all PC’s receives security updates on a regular
        basis
      3. all PC’s are be installed with anti-virus software to detect any malware or
        malicious programs in the network
      4. all wireless networks are be secured and their passwords are
        well-protected;