A top U.N. office just released “The Right to Privacy in a Digital Age,” a scathing new report that emphasizes the problems inherent in mass surveillance, and the vital importance of protecting privacy in the digital world. It represents a historic and unambiguous rebuke of overreaching government surveillance programs by the world’s top human rights authority.
The report, issued by the United Nations Office of the High Commissioner for Human Rights (OHCHR), is the result of a UN General Assembly resolution from December 2013 addressing global concern about government surveillance activities around the world and their chilling impact on digital rights. This week’s report observes that many states lack adequate legal and procedural safeguards for human rights and ineffective oversight of surveillance programs, all of which which have “contributed to a lack of accountability for arbitrary or unlawful interference in the right to privacy.”
The OHCHR report repeatedly cites the International Principles on the Application of Human Rights to Government Surveillance for the proposition that surveillance laws must be available to the public, “sufficiently precise,” and “tailored to specific legitimate aims,” in addition to having “effective safeguards against abuse.” The Principles, which Access helped to draft and organize, have been endorsed by more than 400 civil society organizations around the world.
In her speech announcing the report, U.N. High Commissioner for Human Rights Navi Pillay explained that “the report makes it clear that in a large number of States, national legislation and oversight of digital surveillance programs are inadequate. This contributes to a lack of accountability for arbitrary or unlawful interference with the right to privacy.”
Pillay acknowledged that the Principles can serve as interpretive guidance of Article 17 of the International Covenant on Civil and Political Rights.
The report also echoes many strong position shared by Access, including:
(1) Mass surveillance inherently interferes with privacy and related rights, and is presumptively arbitrary and unlawful
(2) Government surveillance programs must respect the rights of citizens and non-citizens alike
(3) Data sharing regimes may contravene human rights law
(4) Data retention mandates are neither necessary nor proportionate
(5) The private sector has an affirmative responsibility to promote human rights in the context of communications information.
Mass surveillance is inherently invasive, and presumptively arbitrary and unlawful
The OHCHR report underscores that mass surveillance both threatens the right to privacy and also implicates a number of fundamental freedoms including the “rights to freedom of opinion and expression, and to seek, receive and impart information; to freedom of peaceful assembly and association; and to family life.” The Report states that because “[t]he very existence of a mass surveillance programme . . . creates an interference with privacy,” the onus is on governments to prove that these programs are “neither arbitrary nor unlawful.”
Moreover, the report found that mass or bulk surveillance programs are inherently arbitrary, even when they are lawfully implemented and serve a legitimate governmental purpose. The OHCHR says that it is not sufficient that surveillance measures “are targeted to find certain needles in a haystack.” Rather, such measures must be considered in light of the “impact of the measures on the haystack, relative to the harm threatened.” In other words, surveillance measures must be necessary, adequate, and proportionate.
With regard to the legality of surveillance, the report emphasizes that a program that is “legal” under domestic law is still unlawful if it contravenes international laws. Access has argued that several U.S. surveillance programs run afoul of obligations under international law, including in a report submitted to the OHCHR. Although ostensibly conducted under the authority of Executive Order 12333, Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act, U.S. mass surveillance programs are inconsistent with the rights enshrined in the International Covenant on Civil and Political Rights (ICCPR), and violate the right to privacy guaranteed under Article 17 of that treaty.
Government surveillance must respect the rights of citizens and non-citizens alike.
The report observes that while non-discrimination is an unambiguous tenet of international human rights law, enshrined in Article 27 of the ICCPR, legal systems around the world provide differing privacy protections for users based on citizenship and residency. The OHCHR asserts that, as it applies to privacy, Article 27 requires governments to ensure “that any interference with the right to privacy complies with the principles of legality, proportionality and necessity regardless of the nationality or location of individuals whose communications are under direct surveillance.”
Access has been a strong critic of discrimination in surveillance laws, and has submitted public comments to the independent U.S. Privacy and Civil Liberties Oversight Board (PCLOB) advocating for the fundamental freedoms of both U.S. and non-U.S. persons. Regrettably, PCLOB’s recent report declined to evaluate the impact of U.S. foreign intelligence surveillance programs on non-U.S. persons. This OHCHR Report is a strong signal to PCLOB and other oversight boards that it is inappropriate to disregard the impact government surveillance has on the rights of non-citizens.
Data sharing regimes may contravene human rights law
According to the OHCHR, the increased sharing of data between law enforcement and intelligence agencies heightens the risk that human rights law violations (specifically Article 17 privacy violations) will occur. This is because communications surveillance may be necessary and proportionate for one purpose, but not another. In the absence of sufficient safeguards, data-sharing regimes increase the risk that data collected for a legitimate purpose may be used for illegitimate or inappropriate purpose.
Due to the increased risk of privacy and human rights violations, Access recently urged the U.S. President to veto legislation that provides for increased information sharing without other privacy safeguards.
Mandatory third-party data retention is neither necessary nor proportionate.
The OHCHR report found that requiring private actors to retain data “just in case” the government needs them “appears neither necessary nor proportionate.” This report cites to a recent Court of Justice of the European Union’s (CJEU) finding that the E.U.’s Data Retention Directive was invalid under Charter of Fundamental Rights of the E.U. Both the CJEU ruling and the OHCHR report recognize that data retention mandates undermine the fundamental right to privacy, as well as related and dependent rights.
This finding by the OHCHR lends support to a position advanced by Access, in accordance with the Integrity of Communications and Systems Principle, that ex ante data retention or collection should never be mandated by law. Access has repeatedly fought the passage of data retention mandates, including campaigning against such a provision in Mexico.
Notably, the issuance of the report immediately preceded the U.K.’s adoption of the “Data Retention and Investigatory Powers Act,” or DRIP, a new data retention law, which Access has opposed. Commissioner Pillay called out the law, writing, “to me it’s difficult to see how the UK can now justify rushing through wide-reaching emergency legislation which may not fully address the concerns raised by the [CJEU], at time when there are proceedings ongoing by the U.K.’s own investigative powers tribunal on these very issues.”
The private sector is expected to honor human rights principles “to the greatest extent possible”
The report recognizes that private companies play an integral role in preventing abusive governmental surveillance practices, as governments rely on communications providers to both conduct and facilitate digital surveillance. Companies provide governments with access to physical communications infrastructure as well as digitally stored data. In light of this global trend toward “privatizing” surveillance, companies run the risk of being complicit in or otherwise furthering human rights abuses.
The OHCHR finds that private companies must “honour the principles of human rights to the greatest extent possible, and to be able to demonstrate their ongoing efforts to do so.” Among other recommendations, the report urges companies to interpret government surveillance requests “as narrowly as possible,” to seek clarification where the scope or legal basis for the request is uncertain, provide transparency reports to better inform users about government demands. Access supports and promotes both increased transparency reporting in the information and communications sector, as well as the practical implementation of business and human rights guidelines.
The OHCHR report signifies the growing understanding that government surveillance programs are incompatible with human rights law. It’s an unequivocal call for surveillance programs to conform to international human rights law. Access strongly supports the OHCHR’s findings and urges both governments and communications providers around the world to heed the OHCHR call to cease undermining fundamental freedoms.
The report will be presented by the High Commissioner to the Human Rights Council at its next session in September, and to the General Assembly at its 69th session in October.