The fall of 2015 was marked by two key developments in the debate about laws on communications surveillance and the right to privacy. First, on October 6, the EU Court of Justice declared that the Safe Harbor Privacy Principles, which have facilitated the transfer of personal data from the European Union to the United States since 2000, were invalid. According to the Court, US laws that grant public authorities “access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Second, terrorist attacks in Ankara, Beirut, Paris, San Bernardino, and elsewhere reenergized calls among some government officials on both sides of the Atlantic for more sweeping surveillance powers and for the weakening of encryption tools.
These events underscore the balance that government authorities must strike as they seek to protect the fundamental right to privacy on the one hand and respond to legitimate national security and law enforcement obligations on the other. As lawmakers aim to conclude a new Safe Harbor regime by the end of January, and as communications surveillance bills are debated around the globe, there are several principles that we hope will inform deliberations.
For the multi-stakeholder Global Network Initiative, the international human rights standards on which our Principles are grounded should serve as the basis for laws that protect privacy and other human rights while pursuing law enforcement objectives. International law clearly establishes that interferences with the right to privacy must conform to the principles of legality, necessity, and proportionality, and effective remedies must be available for the alleged violation of this right. Moreover, as the European Court highlighted in its Schrems decision, the mobility of an individual’s data — which may be processed, transported, or stored outside of her own country or in the cloud — does not dilute the protections that it merits as part of her fundamental right to privacy.
In addition to these principles, laws governing communications surveillance should meet several other standards. First, government surveillance programs should be targeted and based on individual suspicion (recent judgments of the European Court of Human Rights speak to this point, for example, here and here). Bulk collection of communications data — both content and metadata — threatens privacy and freedom of expression rights and undermines trust in the security of electronic communications services provided by companies. This includes bulk collection by governments and mandates to companies or other third parties to store data that they would otherwise not retain.
Second, communications surveillance laws should not distinguish nationals from foreigners with regard to the privacy protections that they offer. When governments exercise “virtual control” over the digital communications of foreigners, such control entails an obligation to respect their privacy rights under the International Covenant on Civil and Political Rights. GNI has urged the United States to recognize the right to privacy of non-US persons and to strengthen reforms to effectively protect this right, and we are encouraged by progress in this regard. We urge other governments to do the same.
Third, communications surveillance should take place in accordance with independent judicial oversight that is adequately informed. This point is the subject of debate at the international level, and in several countries, officials from other government agencies fulfill this role. Nevertheless, international human rights law recognizes that an authority with sufficient independence from the executive should oversee communications surveillance programs (see here and here), and the judiciary is generally best equipped for this function. The GNI also recognizes that it is good practice to require a court to approve interferences with the right to privacy, such as the interception of communications content, before they take place. Moreover, governments should make publicly available the laws and legal interpretations authorizing electronic surveillance to enable oversight of government actions and inform public debate.
Fourth, similar standards should govern the interception of communications and the collection and use of the most sensitive types of metadata. Given the precise conclusions that can be drawn about an individual’s private life based on metadata, distinctions in the treatment of the two types of communications data are increasingly difficult to justify.
Fifth, governments should commit to more specific areas of transparency, which are a necessary first step in examining whether domestic laws adequately protect rights to privacy and freedom of expression. Specifically, governments should disclose information about the intelligence agencies and bodies that are legally permitted to conduct surveillance and the scope of their surveillance authorities, the oversight mechanisms that apply to these authorities, and aggregated information about the surveillance demands they make on companies. Governments should permit companies to disclose aggregated information on number of surveillance demands that they receive and how they respond to them on at least an annual basis. Companies should also be permitted to disclose technical requirements for surveillance that they are legally bound to install, implement, and comply with, such as requirements to design lawful intercept capabilities into communications technology or to decrypt encrypted communications.
Finally, companies and individuals should have the opportunity to present legal challenges to surveillance programs and to obtain effective remedies. States should make best efforts to notify subjects of surveillance that it has taken place as soon as practical, considering the needs of the specific pending investigation. Companies should be permitted to challenge orders that appear overbroad, and nondisclosure orders should not be issued unless government authorities make a factual showing to a court that harm would result from disclosure.
As governments worldwide debate new laws and policies that implicate the rights to privacy and freedom of expression, the GNI urges them to do so transparently and in consultation with a wide range of stakeholders.