Home > Issues > Data protection and privacy

Data protection and privacy

Privacy is a fundamental human rights and the right to privacy is included in a range of international and regional human rights instruments. This right is often framed in general terms within the right to respect for private or family life, protection of the home and non-interference with correspondence. Privacy is not an absolute right and limitations can be introduced provided they meet certain criteria.

The right to privacy is recognised in a wide range of international human rights instruments including:

the Universal Declaration on Human Rights (1948),
the International Covenant on Civil and Political Rights (1966),
the Convention on the Rights of the Child (1989), and
the International Convention on the Protection of All Migrant Workers and Members of their Families (1990).

The UN Special Rapporteur on the right to privacy noted in 2018 that:

“none of the major human rights treaties expressly include protection of personal information as an aspect of the right to privacy. Nonetheless, it is increasingly argued that the principles of data protection are incorporated within the broader right to privacy in these treaties.”

+ Read more

The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights; and to exercise other rights and freedoms – such as free speech or the right to assembly. Data is created whenever we use a computer, a smartphone or even everyday electronic devices that include sensors capable of recording information.

The UN General Assembly in 2013 adopted a resolution on the right to privacy in the digital era where it stated that: “the rights held by people offline must also be protected online.” The UN Human Rights Council recognised in 2016 that the right to privacy can enable the enjoyment of other rights and the free development of an individual’s personality and identity and an individual’s ability to participate in political, economic, social and cultural life, and that violations or abuses of the right to privacy might affect the enjoyment of other human rights.

Uniquely in human rights instruments, the EU Charter of Fundamental Rights includes Article 8, the right to the protection of personal data. This provides a range of protections in the collection and processing of personal data.

The UN Special Rapporteur on the right to privacy made reference in 2014 to the strong evidence of a growing reliance by Governments on the private sector to conduct and facilitate digital surveillance. Governments have used both formal legal mechanisms and covert methods to gain access to content, as well as to metadata. As a matter of example, the 2013 Snowden documents are worth mentioning.

As highlighted in the UN Guiding Principle on Business and Human Rights, Guiding Principle 11:

“Business enterprises should respect human rights. This means, they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.”

The UN Special Rapporteur on the right to privacy stated on its 2014 report that:

“Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users. Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible…A central part of human rights due diligence as defined by the Guiding Principles is meaningful consultation with affected stakeholders. In the context of information and communications technology companies, this also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions”.

The UN Special Rapporteur on the right to privacy has expressed concerned not only with the collection of big data but also that firms have the ability to sell or trade it and to link it to other data to produce a complex and detailed picture of a person’s life. Companies that collect consumer’s personal information and resell or share that information with others, the so-called Data brokers, generally takes place without consumers knowledge, a lack of transparency, indefinite retention of data and the use of this data for eligibility determination or unlawful discriminatory purposes. Cases of corporations selling or sharing personal data for purposes such as advertising, credit scoring and insurance risk scoring has also been reported. The Cambridge Analytica scandal is the latest example of this.

At the same time, companies have also been negatively impacted by data breach on their websites. Yahoo, for instance, have been subjected to the biggest data breach in history in 2013, where personal information on more than 3 billion user accounts were obtained. Likewise, in 2016, hackers collected 20 years of data on six databases property of the network Adult Friend Finder.

Various measures have been taken at the international arena in order to guarantee the right to privacy. In 1990 the UN published its Guidelines concerning computerised personal data files, which stated that information about persons should not be collected or processed in unfair or unlawful way. More recently, the UN Secretary General launched the initiative Global Pulse on Big Data, in 2017. It functions as a network of innovative labs where research on Big Data for Development is conceived and coordinated. The platform has developed a set of Privacy Principles intended to help ensure that individuals whose data is used are not adversely affected by research. The OECD adopted in 2013 an updated version of its Privacy Guidelines that applies to personal data. The EU General Data Protection Regulation, that takes effect May 25^th, 2018, has the purpose of protecting data collected on EU citizens. The legislation is reportedly the most comprehensive and progressive piece of data protection legislation in the world.

Globally, 107 States have legislation in place to secure the protection of data and privacy. In addition to laws, countries such as the United Kingdom, Australia and Canada have set an Information Commissioner in order to implement relevant legislation.

Various multi-stakeholder initiatives also seek to address the recent developments in the issue. The project MAPPING, financed by the European Union, is a platform that aims to contribute to the digital transition and to improve the innovation climate in the EU concentrating efforts in privacy, property and internet governance. The Global Network Initiative, composed by a group of companies, civil society organisations, investors and academics, has the objective of creating a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector.

The Electronic Frontier Foundation’s (EFF) 2017 Who has your Back survey evaluates the 26 major technology companies in the US on their policies related to transparency and privacy. Companies such as Dropbox, Pinterest, Sonic and Wordpress have a policy in place that requires the government to obtain a warrant from a judge before the company discloses the content of users communication. Other companies such as Tumblr, Microsoft, Google, Yahoo and Snap Inc. tell users when the US government seeks their data in advance of turning over any data unless prohibited by law. This notification gives user a chance to defend themselves against overreaching government demands for their data. Finally, companies including Lyft, Airbnb, Adobe and Apple have already made public commitment to invoke the available statutory procedure to have a judge review indefinite National Security Letters gag order the company receives. EFF stated in 2017 that:

“The tech industry as a whole has moved towards providing its users with more transparency, but telecommunications companies, which serve as the pipeline for communications and Internet service for millions of Americans, are failing to publicly push back against government overreach”.

In addition to that, trough the initiative Reform Government Surveillance Coalition, companies in the ICT sector such as Google, Apple, Facebook, Dropbox, Twitter and Linkedin have united in order to request that practices and laws regulating government surveillance of individuals and access to information be reformed.

References

Human Rights Council, Report of the UN Special Rapporteur on the right to privacy, A/HRC/37/62, 2018: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
Facebook and Cambrigde Analytica, What you need to know as Fallout Widens, 2018:

https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html

Electronic Frontier Foundation, Who has your back, 2017: https://www.eff.org/who-has-your-back-2017
Office of the Human Rights Commissioner for Human Rights, Surveillance, big data and open data top UN expert’s privacy agenda, 2017: http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=22271
UN Cape Town Global Action Plan for Sustainable Development Data, 2017: https://unstats.un.org/sdgs/hlg/Cape-Town-Global-Action-Plan/
UN General Assembly, Report of the UN Special Rapporteur on the right to privacy, A/72/43103, 2017: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
Human Rights Council, The Right to Privacy in the digital area, 2014: https://www.justsecurity.org/wp-content/uploads/2014/07/HRC-Right-to-Privacy-Report.pdf
US Federal Trade Commission, Data Brokers, A call for Transparency and Accountability, 2014: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
The Guardian, NSA files: decoded, What the revelations mean for you, 2013: https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
OECD, Privacy Guidelines, 2013: http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
Guidelines concerning computerised personal data files, 1990: http://www.refworld.org/pdfid/3ddcafaac.pdf
United Nations Development Group, The Data Privacy, Ethics and Protection Guidance note on Big Data for Achievement of the 2030 Agenda: https://undg.org/wp-content/uploads/2017/11/UNDG_BigData_final_web.pdf
Global Network Initiative: https://www.globalnetworkinitiative.org/
UN Global Pulse, Privacy and Data Protection Principles: https://www.unglobalpulse.org/privacy-and-data-protection
UNCTAD, Data Protection and Privacy Legislation Worldwide: http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx

What National Action Plans say on Data protection and privacy

Belgium

Section 5

Belgian framework relative to business enterprises and to human rights (Page 12-13)

In order to better identify the principal rights and responsibilities that Belgium engages itself to protect and to respect, the basic analysis concentrates on seven domains considered of the highest priority:

The right to life, liberty, and personal security;
The right to equality and non-discrimination;
The right of labourers;
The right to a clean and healthy environment;
The right to protection of privacy and the private life;
The protection of the consumer;
The fight against corruption.

Chile

Colombia

Czech Republic

Pillar II baselines: Human rights as a moral and ethical obligation

Scope and content of the obligation to respect human rights [page 30]

For businesses, there are three dimensions to respect for human rights:…

Do not contribute to violations of human rights: A business does not commit violations itself, but acts in a way that facilitates or smooths the way for violations. This may encompass:…

The disclosure of customers’ personal data to an undemocratic regime.

Denmark

Finland

1. The State Obligation to Protect Human Rights

1.3 Activities in the EU [page 14]

Finland is involved in international work in UN decision-making bodies related to communication technologies (such as WSIS and the World Summit on the Information Society) as well as in other central international organisations (such as the Internet Governance Forum, IGF). The objective of Finland is to reinforce the administrative system of an open and inclusive network so that freedom of speech is ensured in the development of the international information society.

2. The State and Companies

2.2 The State and the protection of privacy [page 23]

The protection of privacy that is particularly related to electronic communications has received plenty of attention in recent public discussion. The right to privacy, the protection of personal data and the protection of confidential messages are fundamental human rights. The extent of data collection related to electronic communications has led to public discussion. Privacy questions related to electronic communications are particularly important in Finland, where the ICT infrastructure enjoys a strong position. This strength has played a significant role in the fact that Finland has been able to attract international ICT investments.

As a follow-up measure, the working group proposes that:

a roundtable discussion be organised on how to ensure the protection of privacy in Finland with the authorities, ICT companies and the civil society. Principal responsible party: Ministry of Transport and Communications, autumn 2014.

France

II. Business’s Responsibility to Respect Human Rights

The International Framework

5. Employee Representatives [page 43]

The act on job security [Act of 14 June 2013] has several additional provisions for improving the information given to employees and reinforcing social dialogue in businesses and groups. Works councils must now be consulted on companies’ strategic goals…To prepare this consultation, databases must be created for employee representatives to assemble all useful information that is regularly communicated to works councils. Information must be kept up-to-date and have a forward-looking focus based on data and trends for the next three years. Employee representatives given access to companies’ sensitive and strategic data must comply with strict confidentiality requirements.

III. Access to Remedy

Judicial Mechanisms

1.4. Proceedings

Collective actions [page 51]

Given the different fields of application mentioned in the bill, collective actions will become a tool allowing plaintiffs to stop or remedy discrimination in the labour field and elsewhere including with respect to the provision of services, accommodation, transport, etc. Collective actions will also be possible in the environmental, health, and personal data protection fields.

Georgia

Objective 25.12.1: Ensure knowledge of business sector concerning human rights protection mechanisms, including personal data protection and finest standards for strengthening women.

Objective indicator: Presentation of the communicative strategy.

Activity: Elaborating effective communication strategy concerning personal data protection, women strengthening and standards of human rights protection.

No responsible agency.

Partnership agency: Stratcom.

Germany

Ireland

Section 2. Current legislative and regulatory framework

Data Protection [page 14]

The office of the data Protection Commissioner (DPC) is responsible for upholding the general principle that individuals should be in a position to control how data relating to them is used. The Commissioner is also responsible for enforcing obligations upon data controllers. Owing to the significant number of multinational tech companies based in Ireland, Ireland’s Data Protection Commissioner has responsibility for oversight of a large amount of data and has been involved in some high profile cases. The government is committed to supporting the data Commissioner in their role and, over recent years, has provided a fourfold increase in the funding for the work of the Commission.

Italy

Lithuania

Netherlands

Norway

Poland

Pillar I: The State’s duty to respect human rights

5. Planned changes in national legislation:

Addition of general principles in administrative proceedings:

Rules governing the liability of Internet intermediaries for hate speech and violation of freedom of speech [page 26]

The Ministry of Digital Affairs plans to draft a regulation to counteract restrictions on the freedom of speech, on the one hand, and to block illegal content on the Internet, on the other. Legislative work is being carried out that clarifies the procedure for notice and takedown of the illegal content online, as well as strengthens legal safeguards for freedom of speech in the activities of electronic service providers. These efforts address i.a. issues related to hate speech or incitement to violence, as well as the use of unauthorised technical restrictions on freedom of speech in social media.

Pillar III: Access to Remedy

1. Current situation regarding access to legal remedies

Protection under civil law [page 38]

…By applying these civil-law instruments, those affected can seek judicial protection of their personal interests, as well as claims for damages (personal or property).

According to Article 23 of the Civil Code (CC), the personal interests of a human being, in particular their health, freedom, dignity, freedom of conscience, name or pseudonym, image, privacy of correspondence, inviolability of home, and scientific, artistic, inventive, or improvement achievements are protected by civil law, independent of protection under other regulations. Article 24 § 1 and 2 CC stipulates that any person whose personal interests are threatened by another person’s actions may demand that the actions be ceased unless they are not unlawful. In the case of violation, they may also demand that the person committing the violation perform the actions necessary to remove its effects, in particular that the person make a declaration of the appropriate form and substance. Under the terms of the Civil Code, one can also claim monetary recompense or payment of an appropriate amount of money for the social cause indicated (Article 448 CC). If damage has been caused due to a violation of personal interests, the injured party may demand a remedy in accordance with general principles (Article 415 et seq. CC). The prerequisites for protecting personal interests that must be met together are: the existence of a personal interest, the threat or violation of that interest, and the unlawfulness of the threat or the violation. The first two premises must be proven by the plaintiff seeking protection, while the defendant can defend themselves, demonstrating that they did not act unlawfully. The distribution of the burden of proof is therefore favorable to the plaintiff. The legislator introduced the presumption of unlawfulness of the violation of personal interests (Article 24 § 1 CC). However, claims cannot be made if the perpetrator demonstrates that the occurrence of one of the circumstances rules out the unlawfulness of the action, and they thus indicate the circumstances that justified the violation of a particular personal interest. The provisions of Articles 23 and 24 CC suggest that the protection of personal interests is comprehensive. Its exercise may take on a different character and be pursued through various measures, which may be both non-financial and financial in nature. Non-financial protection measures include: a) – claim for cessation; b) – claim for removal of the effects of a violation; c) – assertion lawsuit; Financial protection measures include: d) – claim for redressing non-financial damage; e) – claim for recompense for property damage; f) – claim for restitution of unjust enrichment; g) –claim for non-performance of an agreement; h) – claim for non-performance of an agreement (contractual liability).

Spain

Sweden

Annex: Measures taken

The state as actor [page 22]

Internet freedom and privacy are among the great global issues of the future. It is fundamental for Sweden that the human rights that apply offline also apply online. Sweden has taken initiatives to strengthen the dialogue with business on internet freedom. As a result of a Swedish initiative, the OECD Guidelines for Multinational Enterprises now call on companies to support human rights on the internet. In addition, Sweden was part of the group of countries that tabled resolutions on internet freedom in the UN Human Rights Council in 2012 and 2014. These resolutions were adopted unanimously. The Stockholm Internet Forum organised by Sweden in 2012, 2013 and 2014 has focused entirely on issues of internet freedom.

Switzerland

5. National Action Plan on Business and Human Rights

5.7 Pillar I: state duty to protect

5.7.2. Operation Principles: legislative and information policy measures

Guiding Principle 3 [pages 15-16]

PI4 Regulation of technologies for internet and mobile communication surveillance

Technologies for internet and mobile communication surveillance can be used for both civilian and military purposes, i.e. they are dual-use goods. They can be an element in state repression, for example, thereby exposing the business enterprises that manufacture or trade in them to an increased risk of becoming involved in human rights abuses. The export or brokerage of technologies for internet and mobile communication surveillance is governed by goods control legislation. On 13 May 2015, the Federal Council decided that a license to export or to broker such goods must be refused if there is reason to believe that the exported or brokered good will be used by the final recipient as a means of repression. The transfer of intellectual property, including expertise and the grant of rights, concerning technologies for internet and mobile communication surveillance was also made subject to license. The Federal Council regards the new legal foundation, and practice for granting export licenses, as appropriate to guarantee that human rights will be respected in connection with technologies for internet and mobile telecommunication surveillance. No further measures are planned.

United Kingdom

The UK 2013 NAP

2. The State Duty to Protect Human Rights

The existing UK legal and policy framework

The Data Protection Act 1998, which applies to companies and ensures respect for the privacy of individuals.

New actions planned

The Government will do the following to reinforce its implementation of its commitments under Pillar 1 of the UNGPs:

(v) In line with the UK Cyber Exports Strategy, develop guidance to address the risks posed by exports of information and communications technology that are not subject to export control but which might have impacts on human rights including freedom of expression on line.

The UK 2016 Updated NAP

2. The State Duty to Protect Human Rights

The existing UK legal and policy framework

Examples of wide ranging legislation protecting human rights in the business context include… the Data Protection Act 1998 which applies to companies and ensures respect for the privacy of individuals.

Actions taken [page 9]

To give effect to the UN Guiding Principles, the Government has:

(ix) strengthened international rules relating to digital surveillance, including leading work in the Wassenaar Arrangement to adopt new controls on specific technologies of concern. Specifically new controls were agreed on:

equipment and software for creating and delivering “intrusion software” designed to be covertly installed on devices to extract data. “internet surveillance systems” which can monitor and analyse internet traffic and extract information about individuals and their communications.

3. Government expectations on business

Actions taken to support business implementation of the UNGPs [page 15]

To help businesses to fulfil their responsibility to respect human rights the

Government has:

(iii) partnered with the Cyber Growth Partnership industry guidance on assessing human rights risks relating to cyber security exports, with techUK and input from civil society. https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Ex port_Risks_website_FINAL_3.pdf

Government commitments

Box – Cyber Export Guidance [page 17]

The expansion of ‘cyber space’ has brought huge economic and social benefits. However, it also poses risks and new opportunities for hackers, criminals and terrorists. To help mitigate these risks, companies have developed security products and services which defend networks from malicious activity. In many countries, such as the UK, these products are used legitimately, including by law enforcement authorities, in accordance with domestic and international law obligations. However, in some countries which do not adhere to their international human rights obligations, there is a risk that the same products are used in ways that could breach state’s legal obligations, e.g. to restrict freedom of expression or to contribute to internal repression.

Normally, exports that could cause harm, such as arms, are covered by the export-licensing regime. However, many cyber capabilities, products and services are not listed. This problem was recognized by the Cyber Growth Partnership a joint body representing industry, academia and government. The FCO worked with techUK, a technology trade association, and the Institute for Human Rights and Business to produce practical guidance for companies on managing human rights risks.

“Assessing Cyber Security Export Risks: Human Rights and National Security” was published in November 2014. It is the first guidance for this sector in the world, and sets out:

the different sorts of potential harm associated with particular cyber capabilities;
a process to help companies assess country specific risks and to evaluate business partners and re-sellers; and potential mitigation options for avoiding or reducing risks.

United States

The National Action Plan

Recognising positive performance

Outcome 4.1: Recognize RBC Best Practices

Promoting Human Rights in the ICT Sector [page 22]: The impact and importance of business conduct in the ICT sector has grown as social, commercial, educational, and recreational interactions increasingly take place online. State, working with other agencies and stakeholders, will develop a regular mechanism to identify, document, and publicise lessons learned and best practices related to corporate actions that promote and protect human rights online. State will also foster continued engagement among relevant stakeholders to support ongoing dialogue and collaboration on respecting human rights within the ICT sector. Implementing department or agency: State