This meeting was the starting point for a project to be conducted by the Global Data Justice team, based at Tilburg University, NL and funded by the European AI Fund. The purpose of the project is to map, research and report on transitions by technology firms as a result of opportunities and markets created by the pandemic.

We convened a group of civil-society organisations and experts from European countries, as the starting point for a network based on shared interests which we hope to grow during 2021. Participating organisations included the Bureau for Investigative Journalism (UK), the Hermes Center (IT), EDRi (BE), Tactical Tech (DE), Algorithm Watch (DE), Bits of Freedom (NL), APTI (RO), Privacy International (UK), Data4Change (UK), and independent expert Tanya O’Carroll. This report outlines the discussion and starting points for both research and action which emerged from that meeting, but also serves as an invitation to other organisations and researchers to engage with and debate this process.

Sphere transitions and transgressions: the starting point for our discussion

A decade ago, technology firms were easily categorisable as such. They developed and applied technology around a defined set of concerns centering on data analytics, data management, communications and the internet. Today, this is no longer true. Over the last decade technology firms have used their infrastructures and capacity to expand into spheres such as transport, urban planning, international development, humanitarian aid, identification systems, news, politics and entertainment. Since 2020, the COVID-19 pandemic has brought a new impetus to this expansion across formerly well-defined borders. It has consolidated business models based on continual expansion and transition from sector to sector. The nature of technology firms is also changing: the most successful are now players on the economic scale of countries, operating fluidly across the spheres of logistics, analytics and digital infrastructures. Some are characterised by an overall security focus, others by a focus on content recommendation and provision, or on identification and financial systems. But there is no longer any predictability about where their infrastructural, logistic and analytic power will take them next.

This shift has implications for regulating and governing technology. For example, a surveillance and security firm which makes a strategic move into public health by processing and providing health information, distributing vaccines or optimising the flow of equipment and goods in the sector, does not automatically come under the same scrutiny as established healthcare companies. Similarly, a firm that moves from law enforcement into education may require a different kind of regulatory scrutiny. The pandemic has seen firms switching from a situation where they are constrained by national security frameworks to one where they have to comply with medical ethics, or from solely complying with data protection law to being responsible for the political representation of marginalised groups. Although their business model remains the same, their sphere of action and influence may expand radically.

Some of this is to be expected: innovation often involves transitions to new spheres of activity and influence, and successful firms will often seek to capture new markets. The pandemic, however, has challenged the ability of regulators and civil society to scrutinise these transitions appropriately. The conditions of unusually rapid repurposing of technology offers an important chance to evaluate what constitutes legitimate versus illegitimate use of corporate power on the national scale, and whether there are checks and balances in place to make sure innovation remains within the boundaries of the law and of the public interest.

The Global Data Justice Project invited a group of CSOs and experts to pool knowledge about how these ‘sphere transgressions’ (for more on this conceptualisation, see Sharon 2020) are manifesting across the EU, and how the pandemic is facilitating this new space for action and expansion on the part of technology firms.

Our central questions are:

  • When does a sector transition become a transgression? What are the determining characteristics that make it an object for research and advocacy?
  • Can the tools we have available in the EU to govern the application of technology in society address this type of expansion of corporate power?
  • If not, what new strategies are needed to scrutinise and control it?

How is sphere transition/transgression manifesting in the EU currently?

While the empirical research for the project is currently underway, by way of examples involving both large tech and small tech firms, we can begin to appreciate the scale and severity of sector transitions/transgressions.

The U.S. company Palantir, founded in the wake of the September 11, 2001 attacks, is known to provide data analytics solutions to the U.S. Department of Homeland Security and Immigrations and Customs Enforcement. In Europe, it provides solutions to the French security agency (GDIS), and Europol uses its Gotham software for its counter-terrorism efforts. In the context of the pandemic, where many believe big data is crucial to managing and containing the spread of the virus, Palantir has pivoted to offering its analytics solutions to the public health sector.

In the UK, following its courtship of the NHS starting in the summer of 2019, Palantir was contracted in March 2020 to provide its Foundry software to power the NHS’s COVID-19 data store. In December 2020 that contract was extended for two years. This partnership has been criticised for a lack of transparency and for the access it may give the company to UK patient data. In the Netherlands, as of February 2021, Palantir has provided its Foundry software to Fieldlab Zuid6, the Safety Information Exchange Program of the country’s six south safety regions.

But it is not just large firms like Palantir that are actively pursuing new opportunities and markets in the context of the pandemic. Guardtime—a self-described ‘scaleup’—is a blockchain firm founded in Estonia, which has pivoted from enterprise applications for audit, compliance and cybersecurity to embark on a project to develop digital vaccination certificate for widespread use. In October 2020, the WHO and Estonian government launched a pilot scheme for digitally verifiable international vaccination certificates to support the country’s vaccination program. Guardtime is the technical leader of the project, which it is marketing as VaccineGuard.

Input from CSOs and experts

The February meeting with CSOs and experts was an opportunity to add to our mapping of sector transgressions across the EU, so as to better understand and conceptualise the phenomenon. Participants brought up examples of transgressions from their jurisdictions, and discussed what these might have in common. For example, they highlighted how across the EU facial recognition and thermal imaging firms are repurposing their hardware and software to provide various solutions to the public sector: body temperature detection in public spaces, as well as mask and social distancing detection. Others observed an ongoing ‘brand lift’ by companies involved in cybersecurity and lawful interception, most of which are not household names, which are now expanding their services during the pandemic to include health data analytics. The project was also encouraged to monitor Google’s recent acquisition of Fitbit and what this might mean for the former’s further extension into the health domain during and after the pandemic. Examples of consultancy firms that typically did not work on public health matters but were now working in health data analytics were also mentioned. Another area of interest was in EdTech where participants noted how tech companies are not only investing in this space but also providing their platforms to create digital classrooms.

Finally, participants stepped into the shoes of regulators, legislators and civil society, to identify the tools and approaches these could take to address the issues brought up by sphere transgressions. Those imagining regulatory responses considered the relative advantages and disadvantages of engaging national authorities and those at the EU and international level (namely EDPS and the Global Privacy Assembly). Those playing the role of legislators discussed the role of public procurement, competition and data protection rules at the EU level, and those asked to think as CSOs discussed the usefulness of freedom of information requests, of considering companies’ activities in light of their mission statements, and of mapping out companies’ lobbying activities.

What turns a transition into a transgression?

In thinking about the factors and characteristics that make something a transgression and not a transition, we seek to identify certain threshold points. These are points that raise questions about the nature of control, power, dominance and accountability that arise when technology firms enter new domains, and as a result of their infrastructural capacities crowd out previous expertise and ethical considerations, which in many regards are performed by state, and state supported institutions.

The act of a transgression is not a one-off event, but is an ongoing process that occurs from when firms first enter into a new sphere of interest, and then establish their power in that field. Keeping this in mind, we are interested in mapping the process of the transgressions across a period of time. We wish to identify how at different moments, certain moves and strategies are made by corporations to cement their positions. This can be at the time when they ‘volunteer’ or are ‘invited’ to repurpose their data infrastructures to serve a particular end or when they use their infrastructural dominance to be able to establish market dominant positions over particular kinds of services. By mapping the journey that these firms take, we would also like to examine how there are different factors that influence the normalisation of the transgression over a period of time.

Through this project, we seek to examine how to develop layers of scrutiny (to form a kind of checklist) that can be applied to technology firms such that innovation is not just presumed to be advantageous but is interrogated and evaluated for when it can become exploitative. This would involve examining not just the legitimacy of the move into a domain but also the legitimacy to continue to remain and influence a new domain.

Next steps

We invite the organisations who were part of this initial discussion to think further with us about how these transitions and transgressions are manifesting in their own national domains or fields of interest. We would also like to issue an open invitation to other interested organisations - particularly, but not limited to, civil society organisations - to join this network of common interests and to contribute both examples and ideas for how to deal with this issue. We are especially interested in how this differs across national contexts, since some of what constitutes a transgression is determined by contextual norms and historical factors. We (the Global Data Justice team) will be organising workshops and discussions around this topic during 2021, and we welcome collaborators and opportunities to network with those already working on related issues.

If you would like to help us document different examples of sphere transgressions, please send us a short description in around 200-300 words with details of, and any available links to, the case. (NB your explanation does not have to be in English!) We will be happy to include your input in our evolving resource, and share the final resource with you. Please write to us at info [at] globaldatajustice.org to submit an entry, or just to connect about the project. We look forward to hearing from you.