Poland’s commissioners for human rights and data protection, as well as a number of experts, have warned against the government’s plans to create a new “mega database”, which they say could violate the law and citizens’ rights.
They say that, by compiling information on things like earnings, health status, religion and education, it has similarities to China’s large-scale collection of data and could be use for political engineering in a manner similar to strategies employed by Cambridge Analytica.
However, the government argues that the platform would not be a database in itself but rather a system that would allow pseudonymised one-off compilations of data to support decision-making.
— Dziennik Gazeta Prawna (@DGPrawna) April 4, 2022
The Integrated Analytics Platform (ZPA) would combine data from almost all available public registries, including the Social Insurance Institution (ZUS) and National Health Fund (NFZ), according to the draft regulation.
“Thanks to the artificial intelligence algorithms used to analyse the data provided to the platform, it will be possible to generate useful information regarding citizens for public authorities in any configuration depending on the current needs of the authorities,” wrote the office of Poland’s human rights commissioner, Marcin Wiącek.
This raises serious doubts regarding its compliance with both the Polish constitution and international and European legal standards, continued the statement. “The processing of huge data sets by state organs may be associated with the system of social control that is now the domain of the People’s Republic of China,” it added.
The plan has also been criticised by Panoptykon, an NGO dealing with the protection of privacy rights. It has raised concern that the public will not have any control over what the data will be used for, as the regulation does not provide for public disclosure of which entities will use the data or for what purpose.
In a statement, Panoptykon warned that ZPA would give the government a “Polish Cambridge Analytica” that it could use to gather, analyse and exploit huge amounts of data about voters to its own advantage.
It also outlined potential scenarios in which the justice ministry could, for example, gather health data on pregnancies in order to help enforce the government’s tough anti-abortion position.
Poland's health ministry has proposed a decree which states a pregnancy must be registered in the Medical Information System, sparking outrage.
The opposition argues this would put pregnant women under surveillance by the government.https://t.co/4Fgl2pnWbW
— POLITICOEurope (@POLITICOEurope) November 25, 2021
The government has pushed back against such criticism, with the prime minister’s office saying that the analytics platform is not a database and will not collect data by itself, adding that a separate analytics environment will be created for the purpose of performing each analysis.
“This approach makes it impossible to use data that were not planned for a particular study,” it said in a statement. “Even more so, it will not be possible to combine data that come from different studies. The prepared pseudonymisation mechanism does not allow such actions.”
The aim of the project is “to increase the effectiveness of administration in selected areas of social and economic problems by supporting decision-making processes”.
Co za tydzień. W środę razem z @DGPrawna alarmowaliśmy o problemach z #ZPA i już tego samego dnia otrzymaliśmy odpowiedź @CyfryzacjaKPRM i zaproszenie na spotkanie. Do sprawy w kolejnych dniach dołączył się także @BiuroRPO. https://t.co/s2hxBz8Pjl https://t.co/AxhSfeylgU
— Fundacja Panoptykon (@panoptykon) April 12, 2022
But experts note the pseudonymisation mechanism can be reversed, and argue that data should be fully anonymised. Panoptykon says that arguing over whether to call the platform a database is a “technicality”. Whatever the case, it will give government departments access to large quantities of data.
Jan Nowak, Poland’s data protection commissioner, has also warned that the draft legislation in its current form does not guarantee the protection of personal data and compliance with rules for its processing under the provisions of the EU’s data protection regulation (GDPR), reports legal analysis website Prawo.pl.
The data protection commissioner’s office and the prime minister’s chancellery had not replied to requests for comment from Notes from Poland at the time of publication.
Alicja Ptak is senior editor at Notes from Poland and a multimedia journalist. She previously worked for Reuters.