U.N. targets tech companies with call for data protection and transparency

Many countries are choosing leaders that are distrustful of neighbors, closing themselves off, and increasing surveillance. In its own quiet way, the United Nations just sent a strong message to these and other governments worldwide: you should support companies rolling out encryption, allow them to open up about surveillance requests, and don’t require companies to hold onto user data purely to enable surveillance. Oh, and you’d better pass data protection legislation now.

Of course, it didn’t use those words exactly. But we know what they meant. It was another strong statement from the U.N. General Assembly on the right to privacy.

On Monday the U.N. General Assembly’s Third Committee, which addresses human rights, unanimously passed a resolution on “The right to privacy in the digital age.” This new resolution pushes the U.N. Human Rights Council — the world’s top human rights body — to continue on its path of giving our privacy the attention it deserves. Specifically, with more than 60 co-sponsors, the resolution calls for the Council to convene experts and contribute to an upcoming report on privacy by the U.N. High Commissioner for Human Rights.

You may remember that the U.N. General Assembly made similar resolutions on privacy in 2013 and 2014, largely focusing on government surveillance and mass data collection.

However, businesses, not just governments, impact our right to privacy, and the new resolution sets out expectations for companies to prevent harms and promote human rights. It explores territory not covered in the previous privacy resolutions: the responsibilities of “individuals, governments, business enterprises, and private organizations” to safeguard, minimize collection of, and disclose how they process and share user data.

How we got here: privacy after Snowden at the U.N.

After the Snowden revelations of mass surveillance in 2013, which showed that even the heads of world governments were being spied on, Brazil and Germany co-authored a resolution on “The right to privacy in the digital age,” which the U.N. General Assembly unanimously approved. It detailed the privacy violations that today’s technology enables, such as over-broad government surveillance, and highlighted the need for better legal protections. It also called upon the U.N. High Commissioner for Human Rights to issue a report on the subject, which she did. The subsequent 2014 resolution then called for the creation of a long-term U.N. office — or “special rapporteur” — on the right to privacy.

There was a break from passing resolutions in 2015, as Joseph Cannataci , the new Special Rapporteur on the right to privacy, developed his mandate. This year there is a welcome return to privacy and a broader focus.

What’s in the resolution: a call to protect data and minimize data collection

The U.N. is essentially calling for comprehensive data protection legislation in every country. The resolution tells governments to develop laws and remedies against “unlawful and arbitrary collection, processing, retention or use of personal data” by “individuals, governments, business enterprises, and private organizations,” including “addressing harm from the sale or multiple re-sales or other corporate sharing of personal data, without the individual’s free, explicit and informed consent.”

Some of the world’s largest countries, such as India and the United States, lack just this type of comprehensive legislation that protects sensitive data across the board.

Coded language on encryption?

The resolution also calls upon governments to “refrain from requiring business enterprises to take steps that interfere with the right to privacy.” We read this as a call for governments to refrain from seeking mandates to weaken encryption or put backdoors in our technology, a timely statement. The U.N. doesn’t let companies themselves off the hook either, encouraging them “to work towards enabling secure communication and the protection of individual users against arbitrary or unlawful interference of their privacy, including by developing technical solutions.” We know what this is code for: multi-factor authentication, end-to-end encrypted communications, open source platforms, and secure storage of data at rest, among other ways companies protect user data.

Unfortunately, the U.N. fell short in its praise of the groundbreaking report by David Kaye, Special Rapporteur on the right to freedom of opinion and expression, on encryption and anonymity. Rather than “welcoming” the report, the General Assembly simply “takes note of” his report as well as those by Special Rapporteur Cannataci.

Transparency for the win

The resolution could not be clearer: companies need wide latitude to disclose activity that impacts people’s human rights. It welcomes “measures taken by business enterprises, on a voluntary basis, to provide transparency to their users about their policies regarding requests by State authorities for access to user data and information.” Specifically, companies are called to “inform users about the collection, use, sharing, and retention of their data” that impact their rights. Companies do this through transparency reports, such as those listed on Access Now’s Transparency Reporting Index.

Reaching SDGs requires open connectivity

Also new to this year’s resolution is recognition of the Sustainable Development Goals (SDGs), also known as the Global Goals, passed in September 2015. The resolution “recognizes the global and open nature of the internet” and other technologies as critical for achieving economic growth and development. In short, they’re necessary to reach the SDGs.

What’s next? We hold government and businesses accountable to protect our rights

In December, the U.N. General Assembly will adopt this updated resolution promoting the right to privacy in the digital age, which emphasizes the responsibilities of private companies to protect user data. Then it’s up to the world’s governments, and businesses — with prodding from members of civil society like ourselves — to implement its recommendations. For our part, we’ll press the U.N, Human Rights Council to follow through with the expert workshop, and also contribute to the High Commissioner’s report, fighting for the rights of users at risk everywhere.