Data protection & privacy
Privacy is a fundamental human right included in a range of international and regional human rights instruments. This right is often framed in general terms within the right to respect for private or family life, protection of the home and non-interference with correspondence. Privacy is not an absolute right and limitations can be introduced provided they meet certain criteria.
The right to privacy is recognised in a wide range of international human rights instruments including:
- the Universal Declaration of Human Rights (1948),
- the International Covenant on Civil and Political Rights (1966),
- the Convention on the Rights of the Child (1989), and
- the International Convention on the Protection of All Migrant Workers and Members of their Families (1990).
The UN Special Rapporteur on the right to privacy noted in 2018 that:
“none of the major human rights treaties expressly include protection of personal information as an aspect of the right to privacy. Nonetheless, it is increasingly argued that the principles of data protection are incorporated within the broader right to privacy in these treaties.”
The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights and exercising other rights and freedoms such as free speech or the right to assembly. Data is created whenever we use a computer, a smartphone or even everyday electronic devices with sensors capable of recording information.
In 2013 the UN General Assembly adopted a resolution on the right to privacy in the digital era where it stated that: “the rights held by people offline must also be protected online.” The UN Human Rights Council recognised in 2016 that the right to privacy can enable the enjoyment of other rights and the free development of an individual’s personality and identity and an individual’s ability to participate in political, economic, social and cultural life, and that violations or abuses of the right to privacy might affect the enjoyment of other human rights.
In 2019, the UN Human Rights Council and the General Assembly noted that “violations and abuses of the right to privacy in the digital age may affect all individuals, including with particular effects on women, as well as children and persons in vulnerable situations, or marginalized groups” and called on States “to further develop or maintain, in this regard, preventive measures and remedies for violations and abuses regarding the right to privacy in the digital age that may affect all individuals, including where there are particular effects for women, as well as children and persons in vulnerable situations or marginalized groups.”
Uniquely among human rights instruments, the EU Charter of Fundamental Rights includes Article 8, the right to the protection of personal data. This provides a range of protections in the collection and processing of personal data.
In 2014 the UN Special Rapporteur on the right to privacy made reference to strong evidence of a growing reliance by Governments on the private sector to conduct and facilitate digital surveillance. Governments have used both formal legal mechanisms and covert methods to gain access to content as well as to metadata, as the 2013 Snowden leaks revealed.
As highlighted in the UN Guiding Principles on Business and Human Rights, Guiding Principle 11:
“Business enterprises should respect human rights. This means, they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.”
The UN Special Rapporteur on the right to privacy stated in its 2014 report that:
“Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users. Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible…A central part of human rights due diligence as defined by the Guiding Principles is meaningful consultation with affected stakeholders. In the context of information and communications technology companies, this also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions”.
The UN Special Rapporteur on the right to privacy has expressed concern not only with the collection of big data but also with firms having the ability to sell or trade it and to link it to other data to produce a complex and detailed picture of a person’s life. Companies that collect consumers’ personal information and resell or share that information with others, the so-called data brokers, generally do so without consumers’ knowledge and with little or no transparency. Cases of corporations selling or sharing personal data for purposes such as advertising, credit scoring and insurance risk scoring have also been reported. The Cambridge Analytica scandal is the latest example of this.
At the same time, companies have also been negatively impacted by data breaches on their websites. Yahoo, for instance, was subjected to the biggest data breach in history in 2013, in which personal information on more than 3 billion user accounts was obtained. Likewise, in 2016, hackers collected 20 years of data from six databases belonging to the network Adult Friend Finder.
Various measures have been taken at the international level in order to guarantee the right to privacy. In 1990 the UN published its Guidelines concerning computerised personal data files, which stated that information about persons should not be collected or processed in unfair or unlawful ways. More recently, in 2017, the UN Secretary General launched the initiative Global Pulse on Big Data. It functions as a network of innovative labs where research on Big Data for Development is designed and coordinated. The platform has developed a set of Privacy Principles intended to help ensure that individuals whose data is used are not adversely affected. In 2013 the OECD adopted an updated version of its Privacy Guidelines that apply to personal data. The EU General Data Protection Regulation, which takes effect on May 25th, 2018, has the purpose of protecting data collected on EU citizens. The legislation is reportedly the most comprehensive and progressive piece of data protection legislation in the world.
Globally, 107 States have legislation in place to secure the protection of data and privacy. Countries such as the United Kingdom, Australia and Canada have an Information Commissioner to ensure compliance with such legislation.
Various multi-stakeholder initiatives in this field are worth mentioning. The project MAPPING, financed by the European Union, is a platform that aims to contribute to the digital transition and to improve the innovation climate in the EU, concentrating efforts on privacy, property and internet governance. The Global Network Initiative, which comprises a group of companies, civil society organisations, investors and academics, has the objective of creating a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector.
The Electronic Frontier Foundation’s (EFF) 2017 Who has your Back survey evaluates the 26 major US technology companies on their policies related to transparency and privacy. EFF stated in 2017 that:
“The tech industry as a whole has moved towards providing its users with more transparency, but telecommunications companies, which serve as the pipeline for communications and Internet service for millions of Americans, are failing to publicly push back against government overreach”.
Through the initiative Reform Government Surveillance Coalition, companies in the ICT sector such as Google, Apple, Facebook, Dropbox, Twitter and LinkedIn have joined efforts to request that the laws and practices on government surveillance and access to information be reformed.
Adequate data is critical for measuring progress towards the SDGs, as well as progress on human rights. Data from business’ reporting can help fill the gaps in areas where SDG data is still lacking. Enhancing the use of information and communication technology under SDG target 17.8 can also support data gathering efforts considerably. However, data collection and the promotion of technology that could enable distribution and dissemination of personal data can have a significant impact on the right to privacy, as well as the flow of information across state boundaries and between various actors, thus posing great challenges in terms of regulation, misuse of personal information, privacy, discrimination and access to remedy.
DIHR has highlighted the importance of a human rights-based approach to data in the context of the 2030 Agenda. This approach provides guidance on its 6 key principles of privacy, accountability, transparency, self-identification, participation and disaggregation.
References
- Human Rights Council, Report of the UN Special Rapporteur on the right to privacy, A/HRC/37/62, 2018: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
- Facebook and Cambridge Analytica, What you need to know as Fallout Widens, 2018: https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html
- Electronic Frontier Foundation, Who has your back, 2017: https://www.eff.org/who-has-your-back-2017
- Office of the High Commissioner for Human Rights, Surveillance, big data and open data top UN expert’s privacy agenda, 2017: http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=22271
- UN Cape Town Global Action Plan for Sustainable Development Data, 2017: https://unstats.un.org/sdgs/hlg/Cape-Town-Global-Action-Plan/
- UN General Assembly, Report of the UN Special Rapporteur on the right to privacy, A/72/43103, 2017: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
- Human Rights Council, The Right to Privacy in the digital age, 2014: https://www.justsecurity.org/wp-content/uploads/2014/07/HRC-Right-to-Privacy-Report.pdf
- US Federal Trade Commission, Data Brokers, A call for Transparency and Accountability, 2014: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
- The Guardian, NSA files: decoded, What the revelations mean for you, 2013: https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
- OECD, Privacy Guidelines, 2013: http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
- Guidelines concerning computerised personal data files, 1990: http://www.refworld.org/pdfid/3ddcafaac.pdf
- United Nations Development Group, The Data Privacy, Ethics and Protection Guidance note on Big Data for Achievement of the 2030 Agenda: https://undg.org/wp-content/uploads/2017/11/UNDG_BigData_final_web.pdf
- Global Network Initiative: https://www.globalnetworkinitiative.org/
- UN Global Pulse, Privacy and Data Protection Principles: https://www.unglobalpulse.org/privacy-and-data-protection
- UNCTAD, Data Protection and Privacy Legislation Worldwide: http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
What National Action Plans say on Data protection & privacy
Belgium
Section 5
Belgian framework relative to business enterprises and to human rights (Page 12-13)
In order to better identify the principal rights and responsibilities that Belgium engages itself to protect and to respect, the basic analysis concentrates on seven domains considered of the highest priority:
- The right to life, liberty, and personal security;
- The right to equality and non-discrimination;
- The right of labourers;
- The right to a clean and healthy environment;
- The right to protection of privacy and the private life;
- The protection of the consumer;
- The fight against corruption.
Chile
The Chilean NAP does not make an explicit reference to Data Protection and Privacy.
Colombia
The Colombian NAP does not make an explicit reference to Data Protection and Privacy.
Czechia
Pillar II baselines: Human rights as a moral and ethical obligation
Scope and content of the obligation to respect human rights [page 30]
For businesses, there are three dimensions to respect for human rights:…
- Do not contribute to violations of human rights: A business does not commit violations itself, but acts in a way that facilitates or smooths the way for violations. This may encompass:…
The disclosure of customers’ personal data to an undemocratic regime.
Denmark
2. The State Duty to Protect Human Rights
2.3 Actions Taken
Protection of human rights in the business sphere in Danish legislation [page 12]
The Danish Data Protection Act helps to uphold the right to respect for private life.
Finland
1. The State Obligation to Protect Human Rights
1.3 Activities in the EU [page 14]
Finland is involved in international work in UN decision-making bodies related to communication technologies (such as WSIS and the World Summit on the Information Society) as well as in other central international organisations (such as the Internet Governance Forum, IGF). The objective of Finland is to reinforce the administrative system of an open and inclusive network so that freedom of speech is ensured in the development of the international information society.
2. The State and Companies
2.2 The State and the protection of privacy [page 23]
The protection of privacy that is particularly related to electronic communications has received plenty of attention in recent public discussion. The right to privacy, the protection of personal data and the protection of confidential messages are fundamental human rights. The extent of data collection related to electronic communications has led to public discussion. Privacy questions related to electronic communications are particularly important in Finland, where the ICT infrastructure enjoys a strong position. This strength has played a significant role in the fact that Finland has been able to attract international ICT investments.
As a follow-up measure, the working group proposes that:
- a roundtable discussion be organised on how to ensure the protection of privacy in Finland with the authorities, ICT companies and the civil society. Principal responsible party: Ministry of Transport and Communications, autumn 2014.
France
II. Business’s Responsibility to Respect Human Rights
The International Framework
5. Employee Representatives [page 43]
… The act on job security [Act of 14 June 2013] has several additional provisions for improving the information given to employees and reinforcing social dialogue in businesses and groups. Works councils must now be consulted on companies’ strategic goals…To prepare this consultation, databases must be created for employee representatives to assemble all useful information that is regularly communicated to works councils. Information must be kept up-to-date and have a forward-looking focus based on data and trends for the next three years. Employee representatives given access to companies’ sensitive and strategic data must comply with strict confidentiality requirements …
III. Access to Remedy
Judicial Mechanisms
1.4. Proceedings
Collective actions [page 51]
… Given the different fields of application mentioned in the bill, collective actions will become a tool allowing plaintiffs to stop or remedy discrimination in the labour field and elsewhere including with respect to the provision of services, accommodation, transport, etc. Collective actions will also be possible in the environmental, health, and personal data protection fields.
Georgia
Objective 25.12.1: Ensure knowledge of business sector concerning human rights protection mechanisms, including personal data protection and finest standards for strengthening women.
Objective indicator: Presentation of the communicative strategy.
Activity: Elaborating effective communication strategy concerning personal data protection, women strengthening and standards of human rights protection.
No responsible agency.
Partnership agency: Stratcom.
Germany
The German NAP does not make an explicit reference to Data Protection and Privacy.
Ireland
Section 2. Current legislative and regulatory framework
Data Protection [page 14]
The office of the Data Protection Commissioner (DPC) is responsible for upholding the general principle that individuals should be in a position to control how data relating to them is used. The Commissioner is also responsible for enforcing obligations upon data controllers. Owing to the significant number of multinational tech companies based in Ireland, Ireland’s Data Protection Commissioner has responsibility for oversight of a large amount of data and has been involved in some high profile cases. The government is committed to supporting the Data Commissioner in their role and, over recent years, has provided a fourfold increase in the funding for the work of the Commission.
Italy
The Italian NAP does not make an explicit reference to Data Protection and Privacy.
Lithuania
The Lithuanian NAP does not make an explicit reference to Data Protection and Privacy.
Luxembourg
Introduction (pg. 8)
The National Data Protection Commission is another chosen interlocutor in the implementation of the NAP because of aspects of its mission concerning the fundamental rights and freedoms of individuals and the respect for privacy.
Part III – NAP
3. Government’s Response (p.28)
A preliminary diagnosis allows for the identification of the potential risk of negative impacts on human rights that activities in the private sector may have … – including in the information and communication technologies – including the field of artificial intelligence – data protection …
3.1. A dialogue with non-governmental actors (pg. 29)
Corporate Social Responsibility (CSR), to which a number of Luxembourg companies have already subscribed, as well as risk management and data protection are important entry points for initiating a dialogue with the private sector.
3.2. A joint work program (pg.31)
A structured dialogue to be organized by the Interministerial Committee between all the actors involved allows:
…
- To note the level of existing corporate commitment, particularly through efforts in areas of … data protection
Netherlands
The Dutch NAP does not make an explicit reference to Data Protection and Privacy.
Norway
The Norwegian NAP makes no explicit reference to Data Protection and Privacy.
Poland
Pillar I: The State’s duty to respect human rights
5. Planned changes in national legislation:
Addition of general principles in administrative proceedings:
Rules governing the liability of Internet intermediaries for hate speech and violation of freedom of speech [page 26]
The Ministry of Digital Affairs plans to draft a regulation to counteract restrictions on the freedom of speech, on the one hand, and to block illegal content on the Internet, on the other. Legislative work is being carried out that clarifies the procedure for notice and takedown of the illegal content online, as well as strengthens legal safeguards for freedom of speech in the activities of electronic service providers. These efforts address i.a. issues related to hate speech or incitement to violence, as well as the use of unauthorised technical restrictions on freedom of speech in social media.
Pillar III: Access to Remedy
1. Current situation regarding access to legal remedies
Protection under civil law [page 38]
…By applying these civil-law instruments, those affected can seek judicial protection of their personal interests, as well as claims for damages (personal or property).
According to Article 23 of the Civil Code (CC), the personal interests of a human being, in particular their health, freedom, dignity, freedom of conscience, name or pseudonym, image, privacy of correspondence, inviolability of home, and scientific, artistic, inventive, or improvement achievements are protected by civil law, independent of protection under other regulations. Article 24 § 1 and 2 CC stipulates that any person whose personal interests are threatened by another person’s actions may demand that the actions be ceased unless they are not unlawful. In the case of violation, they may also demand that the person committing the violation perform the actions necessary to remove its effects, in particular that the person make a declaration of the appropriate form and substance. Under the terms of the Civil Code, one can also claim monetary recompense or payment of an appropriate amount of money for the social cause indicated (Article 448 CC). If damage has been caused due to a violation of personal interests, the injured party may demand a remedy in accordance with general principles (Article 415 et seq. CC). The prerequisites for protecting personal interests that must be met together are: the existence of a personal interest, the threat or violation of that interest, and the unlawfulness of the threat or the violation. The first two premises must be proven by the plaintiff seeking protection, while the defendant can defend themselves, demonstrating that they did not act unlawfully. The distribution of the burden of proof is therefore favorable to the plaintiff. The legislator introduced the presumption of unlawfulness of the violation of personal interests (Article 24 § 1 CC). However, claims cannot be made if the perpetrator demonstrates that the occurrence of one of the circumstances rules out the unlawfulness of the action, and they thus indicate the circumstances that justified the violation of a particular personal interest. 
The provisions of Articles 23 and 24 CC suggest that the protection of personal interests is comprehensive. Its exercise may take on a different character and be pursued through various measures, which may be both non-financial and financial in nature. Non-financial protection measures include: a) – claim for cessation; b) – claim for removal of the effects of a violation; c) – assertion lawsuit; Financial protection measures include: d) – claim for redressing non-financial damage; e) – claim for recompense for property damage; f) – claim for restitution of unjust enrichment; g) –claim for non-performance of an agreement; h) – claim for non-performance of an agreement (contractual liability).
Slovenia
Principle 2 – States sets expectation for respecting human rights
Respect for human rights in the business sector is also required by the laws governing…privacy protection. (pg.10)
South Korea
C. Current Status
1. Domestic Status [page 3]
- Revision of 「Procurement Business Act」 and addition of an article promoting corporate social responsibility on January 2016.
* Article 3-2 (Encouraging Social Responsibility)
The administrator of the Public Procurement Service may reflect social and environmental values such as … consumer protection in the procurement process to encourage corporate social responsibility.
…
Spain
The Spanish NAP does not make an explicit reference to Data Protection and Privacy.
Sweden
Annex: Measures taken
The state as actor [page 22]
Internet freedom and privacy are among the great global issues of the future. It is fundamental for Sweden that the human rights that apply offline also apply online. Sweden has taken initiatives to strengthen the dialogue with business on internet freedom. As a result of a Swedish initiative, the OECD Guidelines for Multinational Enterprises now call on companies to support human rights on the internet. In addition, Sweden was part of the group of countries that tabled resolutions on internet freedom in the UN Human Rights Council in 2012 and 2014. These resolutions were adopted unanimously. The Stockholm Internet Forum organised by Sweden in 2012, 2013 and 2014 has focused entirely on issues of internet freedom.
Switzerland
The Swiss NAP does not make an explicit reference to Data Protection and Privacy.
Thailand
The Thai NAP does not make an explicit reference to Data Protection and Privacy.
United Kingdom
The UK 2013 NAP
2. The State Duty to Protect Human Rights
The existing UK legal and policy framework
The Data Protection Act 1998, which applies to companies and ensures respect for the privacy of individuals.
New actions planned
The Government will do the following to reinforce its implementation of its commitments under Pillar 1 of the UNGPs:
(v) In line with the UK Cyber Exports Strategy, develop guidance to address the risks posed by exports of information and communications technology that are not subject to export control but which might have impacts on human rights including freedom of expression on line.
The UK 2016 Updated NAP
2. The State Duty to Protect Human Rights
The existing UK legal and policy framework
- Examples of wide ranging legislation protecting human rights in the business context include… the Data Protection Act 1998 which applies to companies and ensures respect for the privacy of individuals.
Actions taken [page 9]
- To give effect to the UN Guiding Principles, the Government has:
(ix) strengthened international rules relating to digital surveillance, including leading work in the Wassenaar Arrangement to adopt new controls on specific technologies of concern. Specifically new controls were agreed on:
- equipment and software for creating and delivering “intrusion software” designed to be covertly installed on devices to extract data.
- “internet surveillance systems” which can monitor and analyse internet traffic and extract information about individuals and their communications.
3. Government expectations on business
Actions taken to support business implementation of the UNGPs [page 15]
- To help businesses to fulfil their responsibility to respect human rights the Government has:
(iii) partnered with the Cyber Growth Partnership industry guidance on assessing human rights risks relating to cyber security exports, with techUK and input from civil society. https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Export_Risks_website_FINAL_3.pdf
Government commitments
Box – Cyber Export Guidance [page 17]
The expansion of ‘cyber space’ has brought huge economic and social benefits. However, it also poses risks and new opportunities for hackers, criminals and terrorists. To help mitigate these risks, companies have developed security products and services which defend networks from malicious activity. In many countries, such as the UK, these products are used legitimately, including by law enforcement authorities, in accordance with domestic and international law obligations. However, in some countries which do not adhere to their international human rights obligations, there is a risk that the same products are used in ways that could breach state’s legal obligations, e.g. to restrict freedom of expression or to contribute to internal repression.
Normally, exports that could cause harm, such as arms, are covered by the export-licensing regime. However, many cyber capabilities, products and services are not listed. This problem was recognized by the Cyber Growth Partnership a joint body representing industry, academia and government. The FCO worked with techUK, a technology trade association, and the Institute for Human Rights and Business to produce practical guidance for companies on managing human rights risks.
“Assessing Cyber Security Export Risks: Human Rights and National Security” was published in November 2014. It is the first guidance for this sector in the world, and sets out:
- the different sorts of potential harm associated with particular cyber capabilities;
- a process to help companies assess country specific risks and to evaluate business partners and re-sellers; and
- potential mitigation options for avoiding or reducing risks.
United States
The National Action Plan
Recognising positive performance
Outcome 4.1: Recognize RBC Best Practices
Promoting Human Rights in the ICT Sector [page 22]: The impact and importance of business conduct in the ICT sector has grown as social, commercial, educational, and recreational interactions increasingly take place online. State, working with other agencies and stakeholders, will develop a regular mechanism to identify, document, and publicise lessons learned and best practices related to corporate actions that promote and protect human rights online. State will also foster continued engagement among relevant stakeholders to support ongoing dialogue and collaboration on respecting human rights within the ICT sector. Implementing department or agency: State