The Office of the United Nations High Commissioner for Human Rights (OHCHR) conducted a consultation on the right to privacy in the digital age, convening an expert workshop in Geneva from 19-20 February 2018 and invited relevant stakeholders to submit contributions for a report on the right to privacy in the digital age. The Human Rights, Big Data and Technology Project participated in the expert workshop and submitted inputs to OHCHR. The report has now been published. This post will highlight the key elements of the expert workshop, outline HRBDT’s contributions, and summarise OHCHR’s outcome report.
Background of the consultation
In Human Rights Council Resolution 34/7 on the right to privacy in the digital age, the High Commissioner was requested to “organise an expert workshop with the purpose of identifying and clarifying principles, standards and best practices regarding the promotion and protection of the right to privacy in the digital age, including the responsibility of business enterprises in this regard, and to prepare a report thereon”. This follows from the first report by the High Commissioner in 2014, which examined “the protection and promotion on the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale”.
Key elements of the expert workshop
The expert workshop opened with a keynote by Peggy Hicks, the Director for Thematic Engagement, Special Procedures and Right to Development at OHCHR. Peggy Hicks emphasised that privacy protection lies at the intersection of human rights and digital technology, a core and pressing issue that remains a priority for OHCHR. She posed the following questions to participants as a springboard for the substantive sessions to follow:
- How can governments be supported to tackle the difficult challenges of dealing with complex issues in this context effectively?
- What global principles should govern the protection of privacy of personal data, and how much can we rely on consent in a data-driven world?
- What safeguards can we build in to protect the rights of individuals through laws, regulations and institutions?
- When violations have occurred, what redress will victims have?
The workshop consisted of the following sessions:
- Setting the scene: role of the right to privacy within the human rights framework and for civic space protection
- Surveillance and communications interception
- Securing and protecting online confidentiality
- Processing of personal data by individuals, governments, business enterprises and private organisations
- New and emerging issues
- Safeguards, oversight and remedies
The workshop covered the applicable legal framework, referring to Article 17 of the International Covenant on Civil and Political Rights and other guidelines including the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (also known as Convention 108), and the tests for legality, necessity, proportionality and standards including transparency. The adequacy of the existing applicable legal framework and challenges for effective implementation was extensively discussed throughout the workshop. Other issues discussed included extraterritoriality, encryption and State circumvention, the risks and opportunities of data, consent, anonymity, discrimination, and particular issues relating to the rights of the child. There was general agreement on the urgency of these issues and the importance of public discussion and awareness.
Co-director of the HRBDT Project Lorna McGregor reflected in her remarks at the workshop that it is timely to reflect on how the issues identified in the OHCHR 2014 report on the right to privacy in the digital age have evolved, and what is needed to effectively apply the international human rights framework to the many challenges posed by the digital age.
She pointed out that the standard practice is to interpret and apply the existing framework to this current context. However, there are implementation challenges at the national level and by corporations. This is due to a lack of regulation in certain areas, for example intelligence-sharing between States, and a lack of transparency and notification regarding potential rights violations.
Speaking in the final session on safeguards, oversight and remedies, she emphasised the importance of the right to remedy as a means for challenging practices and understanding compatibility with international human rights law. It is critical for individuals and groups to be able to bring arguable claims for violations and to receive substantive and effective remedy, but remedies continue to be poorly discussed and are not squarely in the discussion about rights implications in the digital age.
HRBDT contributions to the OHCHR report on the right to privacy in the digital age
Members of the HRBDT Project submitted contributions to the OHCHR report on the right to privacy in the digital age. The submission focused on the seriousness of violation of the right to privacy, and on challenges in the implementation of obligations to establish procedural safeguards, effective oversight and remedies for State and businesses’ practices in the digital age.
The submission highlighted that the risks to privacy are often minimised by certain narratives, and the seriousness and full implications of unlawful or arbitrary interference with the right to privacy underplayed. Interferences with privacy can also impact on the exercise and enjoyment of all other rights. The permanence of digital data means that breaches of the right to privacy can also have ongoing risks to rights into the future. OHCHR’s forthcoming report can play a central role in reframing understandings of the nature of harm posed by interferences with the right to privacy.
National frameworks currently do not exist or fail to adequately reflect the requirements of international human rights law on safeguards, oversight and remedies in the digital age. Existing frameworks either do not fully cover the scope of business and State activities in this context, or do not comprehensively cover the different interactions and sharing of information between businesses and States or are limited to focusing on isolated phases of the data process. Detailed articulation by OHCHR in this forthcoming report of international human rights law standards and application of procedural safeguards and effective oversight of States and businesses in all contexts can strengthen national implementation efforts.
We reiterated the criteria necessary for State surveillance activities to be compatible and compliant with international human rights law, and key elements for authorisation and oversight. At the same time, the centrality of businesses in the collection, fusion, retention and sharing of data and the profiling of individuals has serious implications for the effective exercise and enjoyment of human rights and necessitates procedural safeguards and effective oversight, drawn from the UN Guiding Principles on Business and Human Rights (.pdf).
Finally, we emphasised that it is critical for remedies to feature centrally in policies and practice in the digital age, and on the agenda of States and business enterprises. The right to an effective remedy applies irrespective of borders and encompasses prevention, redress, and deterrence.
OHCHR report on the right to privacy in the digital age
OHCHR’s most recent report on the right to privacy in the digital age starts by contextualising it against developments and use of data-driven digital technologies, and international and regional responses to the ensuing challenges. The report is intended to provide guidance on how to address some of these pressing challenges, as identified later in the report.
Understanding of the right to privacy in the digital age is re-articulated in the report. Information privacy is highlighted as of particular importance, but the protection of the right to privacy is broad. The sphere of protection is not limited to private, secluded spaces, and extends to public spaces and publicly available information. The report notes that the right to privacy may be implicated by the analysis and aggregation of both substantive information and metadata but may be impacted even by the generation and collection of data relating to a person’s identity, family or life. The report also notes the centrality of the right to privacy to the enjoyment and exercise of human rights online and offline, and its importance for a democratic society and the realisation of a range of other rights.
Equal protection of the right to privacy for everyone is emphasised in the report. The international human rights standards and norms regarding protection of the right to privacy, and the narrow limitations surrounding legitimate interferences of the right are re-articulated. A brief treatment of extraterritorial obligations for protection of the right is also included.
The report identifies several key trends and concerns in relation to interferences with the right to privacy. First, there is increased reliance on personal data by Governments and business enterprises. Growing digital footprints, data sharing and fusion practices between business enterprises and States, the collection of biometric data, and growing analytical power are discussed in this respect. Second, State surveillance and communications interception is another trend. Mass surveillance, State access to the user data of business enterprises, hacking, attempts at weakening encryption and anonymity, intelligence-sharing, and cross-border access to data held by business enterprises are highlighted as concerns in this regard.
The responsibilities of States are elaborated, as the report details what the State responsibility to respect and duty to protect the right to privacy in the digital age entails, and the requirements for adequate safeguards and effective oversight. Here, the report elaborates on overarching frameworks protecting against undue interferences, procedural safeguards and oversight for surveillance and communications interception including independent authorisation and oversight, and transparency. The responsibilities of business enterprises are also set out in the report, with reference to policy commitments, human rights due diligence, and remediation requirements.
Finally, the report fleshed out how the right of access to an effective remedy applies in the context of privacy violations. Judicial and non-judicial mechanisms are mentioned. The report recognised that challenges may impede access to remedial avenues but emphasised the importance of notifying individuals whose rights have been affected. The report concluded by noting the significant and far-reaching effects of privacy infringements, with reference to new and ongoing risks to rights into the future.