We blogged earlier about the “data call” initiated by the U.N. High Commissioner on Human Rights in response to paragraph 5 of General Assembly Resolution 68/167 on the right to privacy in the digital age. Contributions received to date by governmental and non-governmental stakeholders have now been posted on the High Commissioner’s website. I leave to others to analyze the more technical aspects of some of the contributions, but here are some overarching observations of relevance to the conversation we’ve been having and posts we’ve featured on the right to privacy:
1. Although these rights are framed in the various multilateral treaties as rights to privacy, assembly/association, free expression, conscience, and the sanctity of communications and of the home, many states (e.g., Guatemala, Germany, Hungary) conceptualize the bucket of rights implicated by mass and targeted surveillance more broadly as rights to dignity, autonomy, self-determination, and/or personality. The Council of Europe and other submissions noted that the treaty formulations of rights to privacy and correlative rights make no online/offline distinction.
2. Many European states noted that the fundamental right to privacy has constitutional expression but is also a part of their domestic legal framework by virtue of their membership in the European Convention on Human Rights (Article 8 (right to respect for private and family life)) or the Charter of Fundamental Rights of the European Union (Articles 7 (Respect for Private and Family Life) and 8 (Protection of Personal Data)). Data integrity in particular is subject to the Data Protection and other directives of the European Union, Parliament and Council, although the issue remains under review in Europe. The 1981 Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) is open to accession to non-European States; it currently has 46 parties (more background here).
3. States cited to applicable criminal law provisions penalizing invasions of the privacy of correspondence, unlawful or abusive interception of data, or unlawful access to computer systems.
4. Not surprisingly, most states indicated that there were national security/law enforcement exceptions to rights to privacy allowing for the surveillance, interception, and/or collection of personal data. That said, security and law enforcement forces are subject to the proportionality principle mandating that the least restrictive means be employed to achieve a legal aim. Moreover, any infringement must be necessary to achieve an important aim (e.g., to avert a concrete danger) and may not be “arbitrary.” The German submission noted that under German law,
there is no such thing as irrelevant data since the technical possibilities of linking data allow conclusions to be drawn, based on any information (including data that, in and of themselves, have no importance), concerning the data subject, his or her path in life and personality.
5. Some states provide the same restrictions on private entities as on public entities in terms of informational privacy and integrity. The Council of Europe noted that European states are obliged not only to
refrain from interfering with individual rights, but are also under a positive obligation to provide an effective system of protection from interference by third parties.
6. Most states have an independent oversight mechanism—such as an ombudsman, board or (especially in Europe) a Data Protection Agency—to provide protections against interferences and entertain complaints of alleged violations. Germany mandates that persons subject to surveillance of their telecommunications are generally to be notified thereafter. Some states allow for restitution, including for non-material personality rights violations (e.g., Hungary).
7. A joint submission by Austria, Liechtenstein, Slovenia and Switzerland directly addressed the issue of extraterritoriality and noted that the right to privacy in the digital era is
under greater threat from abroad than from within a State. This is inter alia due to the fact that States typically apply more stringent restrictions to domestic surveillance, interception and data collection, and that States generally simply collect more data abroad, especially in a national security context.
Rather than the state’s control of territory or even the person, the joint submission argues that what matters is the ability of the state to exercise effective control over “the protected value associated with that person.” Thus, the rules governing the extraterritorial application of human rights obligations apply where states exercise “partial control, i.e. control over certain aspects of a person’s human rights.” The joint submission also calls upon the Human Rights Committee to focus specifically on this issue by updating its General Comments no. 16 and 31 in order to translate the concepts and principles of effective control in the physical world into a standard of virtual control over the right to privacy and related rights in the digital world. (This call was echoed in the Center for Democracy & Technology (CDT) submission). The text also calls upon the relevant special procedure mandate holders to jointly develop guidelines and best practices for ensuring the promotion and protection of the right to privacy in the digital age and particularly in the context of surveillance, interception, and the collection of personal data, including on a mass scale.
8. Amnesty International also focused its submission on the issue of extraterritoriality and the ICCPR. Amnesty argued that when the conduct complained of by the state actually occurs within the confines of the state, even if the person affected happens to be outside the state, there is no need to consider the extraterritorial application of the ICCPR stricto sensu or even to parse Article 2(1). Thus, in the context of privacy rights in the digital era, the actual surveillance (and thus breach) in many instances happens within the territorial state, even if the effects or impact on the individual are extraterritorial. By this approach, the “extraterritorial” application of the ICCPR refers only to those interferences that both (a) occur outside of the state’s territory and (b) affect the enjoyment of rights outside of the territory. Like the Austrian joint submission, Amnesty argues that what matters is the state’s effective control over the enjoyment of the right in question. With respect to surveillance and privacy rights, the relevant state obligations are triggered when the state exercises effective control over the individual communication that is subject to surveillance or interference. Control over the individual becomes relevant only once liberty and physical integrity rights are implicated.
9. Many submissions made a point of raising concerns about mass or bulk collection of communications data. The CDT text states bluntly that:
Bulk collection of communications data is contrary to Article 17 of the ICCPR.
Article 17 reads:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.
CDT noted three trends driving the paradigm shift away from particularized or targeted monitoring in favor of systemic or bulk collection:
- The storage revolution and big data analytic capabilities;
- Globalized internet-based service providers whose networks are based in or traverse the United States in a way that grants a particular competitive advantage to the US government in terms of bulk collection;
- The sky-rocketing power of national security authorities in the face of terrorism fears.
The submissions so far offer an incredibly useful cache of data for folks interested in comparative work in this space.