In March 2015, the United Nations Human Rights Council created a new special procedure on the right to privacy, appointing its first Special Rapporteur on the topic, Professor Joseph Cannataci, in July 2015. Last week, the Special Rapporteur presented the Human Rights Council with his first report and engaged in an interactive dialogue with the Council. He also provided an outline of the main features of his report at a side event at the Council organised by Austria, Brazil, Germany, Liechtenstein, Mexico, Norway, Switzerland and the Geneva Academy of International Humanitarian Law and Human Rights with former US Ambassador to the Human Rights Council, Eileen Donahoe as the chair and myself, Carly Nyst and Faiza Patel as panellists (report forthcoming). As a first report, the Special Rapporteur acknowledges that it is still very much ‘preliminary’ (para. 3). At the same time, he provides a detailed outline of the themes he proposes to focus on during his mandate. In this blog, I reflect on the scope of the mandate, the choice of themes and suggest ways in which the Special Rapporteur might develop some of the themes during his mandate.
The Scope of the Mandate
- Privacy and Personality across cultures
- Corporate on-line business models and personal data use
- Security, surveillance, proportionality and cyberpeace
- Open data and Big Data analytics: the impact on privacy
- Genetics and privacy
- Privacy, dignity and reputation
- Biometrics and privacy
The number and range of themes identified is ambitious. However, in my view, the Special Rapporteur’s selection strikes a good balance between continuing to prioritise the risks to the right to privacy posed by security and surveillance and taking a wider view of the impact of big data and new technologies on human rights outside of the security context which has not received adequate attention to date.
Why is it important to continue to prioritise surveillance and security? In many ways, the Special Rapporteur’s report reiterates the concerns already raised in the two General Assembly resolutions (68/167 and 69/166), Human Rights Council resolution 28/16 and an Office of the High Commissioner for Human Rights (OHCHR) report. It could therefore be argued that it adds nothing new to the debate. However, this would miss the point. The protection of the right to privacy in the context of state surveillance, particularly extraterritorial and mass surveillance, needs to be kept squarely on the agenda of the Human Rights Council as not all states have implemented the Human Rights Council and General Assembly’s recommendations, including as set out in the General Assembly’s second resolution that they should:
(b) take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;
(c) review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law;
(d) establish or maintain existing independent, effective, adequately resourced and impartial judicial, administrative and/or parliamentary domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data;
(e) provide individuals whose right to privacy has been violated by unlawful or arbitrary surveillance with access to an effective remedy, consistent with international human rights obligations;
This special procedure provides a key vehicle to continue to monitor and respond to ongoing threats to privacy (and other rights) and address them at the international level. Indeed, many states confirmed the priority that should be given to this topic within the interactive dialogue.
Does the priority of state security and surveillance mean that the other issues identified for thematic study make the scope of the mandate too broad? While one might argue that the Special Rapporteur will have enough to do focusing on state security and surveillance, in my view, this would be too narrow a focus for a mandate that was born out of an assessment of a risk to privacy in the digital era. The Special Rapporteur underscores that the impact on privacy and rights potentially goes well beyond state security and surveillance. The Special Rapporteur highlights that personal data has ‘become a commodity’ and ‘is now one of the world’s largest industries’ including ‘in sectors traditionally considered to be sensitive such as that of medical and health data’. Indeed, the use of personal data ‘has increased to an extent where the private individual is neither conscious nor consenting to the sale or multiple re-sales of his or her data’ (para. 9). He further notes that:
‘it was only when recently risks to privacy threatened the income potential of the business model that some corporations took a stricter, more privacy-friendly approach’.
We do not yet know the views of states on this widened mandate since the report was only published the day before the Council session, meaning that a number of states were unable to comment on its content fully. However, this wider framing of the mandate is critical, particularly as we do not yet know the full implications of the collection, storage, amalgamation, sharing and re-purposing of content data and metadata by private companies. The Special Rapporteur will be able to contribute to a deeper understanding of these implications by collecting evidence on how the acquisition and use of this data affect the protection of rights, particularly economic and social rights such as the right to health and the right to housing, and by recommending frameworks and systems for transparency in relation to how this information is used. While he does not make specific mention of the UN Guiding Principles on Business and Human Rights (the Ruggie Principles), the issues raised in his report should invigorate efforts to implement the Principles within this sector, looking at how obligations such as due diligence, corporate governance structures and human rights impact assessments should be carried out in this area, as well as connecting to regulatory debates within the internet governance sectors of the Internet Governance Forum and the World Summit on Information Society.
Connected to this wider context is the question of consent as a potential reason for overriding concerns about privacy. Again, the Special Rapporteur does not address consent in his report, but it has been somewhat neglected to date and will be an important aspect to include in his work as he develops his mandate. The essential questions are these: when we provide data about ourselves online or simply use online services, do we consent to our data being used in future and unknown ways? If we do, does that mean we give away our privacy online and that companies have full discretion to do whatever they see fit with our data? If, on the other hand, we should not be understood to write a blank cheque for all future uses of our data, how can law and policy draw meaningful boundaries around the scope of what is consented to? It is critical to analyse the possibilities for developing models of consent that do not require the consumer to make a binary choice between accepting that, by accessing online or smart devices, they may have to ‘consent’ to unknown uses of data, and not using the services at all. However, even where wide ‘consent’ is apparently provided, it will also be important for the Special Rapporteur and other international bodies to assess models for regulating the amalgamation, use and re-purposing of content and metadata and reinjecting the right to privacy into these usages. In the absence of such an approach, it will be difficult to meet the General Assembly’s expectation that the right to privacy is guaranteed the same protection online as offline.
Safeguards, Oversight and Remedies
Related is the question of safeguards, oversight and remedies which again have been emphasised by the General Assembly, Human Rights Council and OHCHR. The Special Rapporteur brings a new and crucial dimension to this by recognising that safeguards to the right to privacy and other rights cannot only come in the form of legal and policy safeguards but also in the form of technologies themselves. He commits that a major feature of his work will be to:
‘engage with the technical community in an effort to promote the development of effective technical safeguards including encryption, overlay software and various other technical solutions where privacy-by-design is genuinely put into practice’ (para 46(e)).
The Special Rapporteur’s mandate will again provide a useful space for identifying best practice by states as well as engaging with them over failures to establish oversight mechanisms and remedies. His mandate will also provide a forum in which to address issues such as extraterritoriality and the appropriate form of remedies where a victim has not been identified. Connecting to the wider focus of the mandate beyond surveillance, greater attention needs to be paid to oversight and remedies against companies, given their central role in this area as the primary collectors, holders and users of content and metadata, as already discussed. Oversight and remedies may be different for companies, so specific application of these principles to companies is needed and fits with the wider current focus on the third – and least developed – pillar of the Ruggie Principles on the right to a remedy.
Definition of Privacy
One of the newer features of the debate is the Special Rapporteur’s observation that there is no explicit definition of privacy within the international human rights instruments that set out a right to privacy (or private life in the case of the European Convention on Human Rights). He argues that:
‘in some cases it may prove to be next to useless if we were to have 193 nations signed up to the principle of protecting privacy if we do not have a clear understanding of what we have agreed to protect’ (para 20)
and concludes that a refreshed look at privacy is needed that explains what privacy means ‘to different people in different places in different circumstances across the planet’ (para 23).
The exercise of assembling the elements of the right to privacy may also sharpen our focus on the fundamental and foundational importance of the right to privacy under international human rights law. In his report, the Special Rapporteur aptly characterises the right to privacy as an ‘enabling’ right which ‘enables the achievement of an over-arching fundamental right to the free, unhindered development of one’s personality’ (para 8) as well as self-determination and autonomy. He also points to the role of privacy in furthering other rights (para 8). This role is often referred to as a gatekeeper or entry point or, as Carly Nyst has previously noted, the ‘precondition’ and ‘guarantor’ of other fundamental rights. The point is that once privacy is interfered with, the potential arises that the information gained is used to violate a whole spectrum of rights. Indeed, two weeks ago the UN High Commissioner for Human Rights noted that:
‘It is neither fanciful nor an exaggeration to say that, without encryption tools, lives may be endangered. In the worst cases, a Government’s ability to break into its citizens’ phones may lead to the persecution of individuals who are simply exercising their fundamental human rights’.
When conceived as an enabler, gateway or guarantor, privacy plays a vehicular role. This is part of its identity and critical to our understanding of why the right to privacy matters. However, as John Reed reminded us last week on Just Security, we should not overlook the importance of privacy in and of itself regardless of its vehicular functions. Not everything we do in our private life furthers our personal development or guarantees another right but there are parts of our lives that should be private spaces unless we decide otherwise. We should thus view the right to privacy as an enabler and guarantor of other human rights as well as an end in and of itself.
The mandate is not only of key importance in keeping state security and surveillance on the agenda and widening the rights’ implications of big data and new technologies. It is also critical as a convenor of a large number of actors working on big data and new technologies within the UN as well as at the national, regional and international level in disparate and diffuse ways. As the Director of Human Rights in the Ministry of Foreign Affairs of Brazil noted at the Internet Governance Forum in Brazil in 2015, the complexity of internet governance needs to be brought to the Human Rights Council but human rights also need to be mainstreamed beyond the Council. The Special Rapporteur will be key to bringing stakeholders together and ensuring the mainstreaming of privacy within and outside of the Council.