Readers will recall that in its resolution on the right to privacy in the digital age the UN General Assembly had requested the Office of the High Commissioner for Human Rights to prepare a report for the next GA session on the various issues raised by mass electronic surveillance and the human right to privacy (see here for our previous coverage). An advance edited version of that report (A/HRC/27/37) is now available here. The report is rich, thoughtful and very much pro-privacy in the surveillance context, albeit not in a blind, fundamentalist way. It reaffirms that the right to privacy, as set out in Article 17 ICCPR or Article 8 ECHR, provides a framework within which the legality of surveillance measures needs to be assessed. While it acknowledges the legitimate governmental interests that surveillance may serve, it finds the existing institutional and legal arrangements in many states wanting and in need of further study and reform. Here are some of the highlights:
– It is important to consider linkages with other possible human rights violations, e.g. the collection of intelligence through surveillance that is later used for an unlawful targeted killing (para. 14).
– Interferences with the privacy of electronic communication cannot be justified by reference to some supposedly voluntary surrender of privacy on the Internet by individual users (para. 18).
– Collection of communications metadata can be just as bad in terms of privacy interference as the collection of the content of the communication (para. 19).
– Because of the chilling effect of surveillance: ‘The very existence of a mass surveillance programme thus creates an interference with privacy.’ (para. 20).
– Interferences with privacy can only be justified if they are not arbitrary and unlawful; the report adopts the general analytical framework of legality, necessity, and proportionality, and approvingly cites (in fn 14) the principles on surveillance and human rights adopted by a number of important NGOs (paras. 21-23).
– National security is a legitimate interest for justifying interferences with privacy, but ‘The degree of interference must, however, be assessed against the necessity of the measure to achieve that aim and the actual benefit it yields towards such a purpose.’ (para. 24).
– Mass surveillance programs are especially problematic on proportionality grounds (para. 25):
Where there is a legitimate aim and appropriate safeguards are in place, a State might be allowed to engage in quite intrusive surveillance; however, the onus is on the Government to demonstrate that interference is both necessary and proportionate to the specific risk being addressed. Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.
– Ditto re mandatory third-party data retention policies (para. 26).
– Intelligence and data-sharing arrangements may violate the right to privacy without appropriate safeguards (para. 27).
– In terms of the accessibility of the domestic legal framework: ‘secret rules and secret interpretations – even secret judicial interpretations – of law do not have the necessary qualities of “law”. Neither do laws or rules that give the executive authorities, such as security and intelligence services, excessive discretion; the scope and manner of exercise of authoritative discretion granted must be indicated (in the law itself, or in binding, published guidelines) with reasonable clarity.’ (para. 29).
– The right to privacy applies to extraterritorial surveillance. Note just how expansive the report’s approach is, and in my view quite rightly so (para. 34):
It follows that digital surveillance therefore may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a third party that physically controls the data, that State also would have obligations under the Covenant. If a country seeks to assert jurisdiction over the data of private companies as a result of the incorporation of those companies in that country, then human rights protections must be extended to those whose privacy is being interfered with, whether in the country of incorporation or beyond. This holds whether or not such an exercise of jurisdiction is lawful in the first place, or in fact violates another State’s sovereignty.
– Distinctions made in domestic law between the privacy rights of the state’s own nationals and foreigners are particularly suspect (paras. 35-36).
– Procedural safeguards and effective oversight are crucial. Judicial involvement is important but not a panacea (para. 38).
– In terms of remedies, the report does NOT clearly endorse an ex post facto notification requirement (para. 40).
– The involvement of private actors (e.g. telecommunications companies) in governmental surveillance measures is especially important. In particular (para. 45):
Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible, and to be able to demonstrate their ongoing efforts to do so. This can mean interpreting government demands as narrowly as possible, seeking clarification from a Government with regard to the scope and legal foundation for the demand, requiring a court order before meeting government requests for data, and communicating transparently with users about risks and compliance with government demands. There are positive examples of industry action in this regard, both by individual enterprises and through multi-stakeholder initiatives.
– The report’s conclusions are as follows:
47. International human rights law provides a clear and universal framework for the promotion and protection of the right to privacy, including in the context of domestic and extraterritorial surveillance, the interception of digital communications and the collection of personal data. Practices in many States have, however, revealed a lack of adequate national legislation and/or enforcement, weak procedural safeguards, and ineffective oversight, all of which have contributed to a lack of accountability for arbitrary or unlawful interference in the right to privacy.
48. In addressing the significant gaps in implementation of the right to privacy, two observations are warranted. The first is that information relating to domestic and extraterritorial surveillance policies and practices continues to emerge. Inquiries are ongoing with a view to gather information on electronic surveillance and the collection and storage of personal data, as well as to assess its impact on human rights. Courts at the national and regional levels are engaged in examining the legality of electronic surveillance policies and measures. Any assessment of surveillance policies and practices against international human rights law must necessarily be tempered against the evolving nature of the issue. A second and related observation concerns the disturbing lack of governmental transparency associated with surveillance policies, laws and practices, which hinders any effort to assess their coherence with international human rights law and to ensure accountability.
49. Effectively addressing the challenges related to the right to privacy in the context of modern communications technology will require an ongoing, concerted multi-stakeholder engagement. This process should include a dialogue involving all interested stakeholders, including Member States, civil society, scientific and technical communities, the business sector, academics and human rights experts. As communication technologies continue to evolve, leadership will be critical to ensuring that these technologies are used to deliver on their potential towards the improved enjoyment of the human rights enshrined in the international legal framework.
50. Bearing the above observations in mind, there is a clear and pressing need for vigilance in ensuring the compliance of any surveillance policy or practice with international human rights law, including the right to privacy, through the development of effective safeguards against abuses. As an immediate measure, States should review their own national laws, policies and practices to ensure full conformity with international human rights law. Where there are shortcomings, States should take steps to address them, including through the adoption of a clear, precise, accessible, comprehensive and non-discriminatory legislative framework. Steps should be taken to ensure that effective and independent oversight regimes and practices are in place, with attention to the right of victims to an effective remedy.
51. There are a number of important practical challenges to the promotion and protection of the right to privacy in the digital age. Building upon the initial exploration of some of these issues in the present report, there is a need for further discussion and in-depth study of issues relating to the effective protection of the law, procedural safeguards, effective oversight, and remedies. An in-depth analysis of these issues would help to provide further practical guidance, grounded in international human rights law, on the principles of necessity, proportionality and legitimacy in relation to surveillance practices; on measures for effective, independent and impartial oversight; and on remedial measures. Further analysis also would assist business entities in meeting their responsibility to respect human rights, including due diligence and risk management safeguards, as well as on their role in providing effective remedies.