Privacy is a fundamental human rights included in a range of international and regional human rights instruments. This right is often framed in general terms within the right to respect for private or family life, protection of the home and non-interference with correspondence. Privacy is not an absolute right and limitations can be introduced provided they meet certain criteria.
The right to privacy is recognised in a wide range of international human rights instruments including:
- the Universal Declaration on Human Rights (1948),
- the International Covenant on Civil and Political Rights (1966),
- the Convention on the Rights of the Child (1989), and
- the International Convention on the Protection of All Migrant Workers and Members of their Families (1990).
The UN Special Rapporteur on the right to privacy noted in 2018 that:
“none of the major human rights treaties expressly include protection of personal information as an aspect of the right to privacy. Nonetheless, it is increasingly argued that the principles of data protection are incorporated within the broader right to privacy in these treaties.”+ Read more
The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights and exercising other rights and freedoms such as free speech or the right to assembly. Data is created whenever we use a computer, a smartphone or even everyday electronic devices with sensors capable of recording information.
In 2013 the UN General Assembly adopted a resolution on the right to privacy in the digital era where it stated that: “the rights held by people offline must also be protected online.” The UN Human Rights Council recognised in 2016 that the right to privacy can enable the enjoyment of other rights and the free development of an individual’s personality and identity and an individual’s ability to participate in political, economic, social and cultural life, and that violations or abuses of the right to privacy might affect the enjoyment of other human rights.
In 2019, the UN Human Rights Council and the General Assembly noted that “violations and abuses of the right to privacy in the digital age may affect all individuals, including with particular effects on women, as well as children and persons in vulnerable situations, or marginalized groups” and called on States “to further develop or maintain, in this regard, preventive measures and remedies for violations and abuses regarding the right to privacy in the digital age that may affect all individuals, including where there are particular effects for women, as well as children and persons in vulnerable situations or marginalized groups.”
Uniquely among human rights instruments, the EU Charter of Fundamental Rights includes Article 8, the right to the protection of personal data. This provides a range of protections in the collection and processing of personal data.
In 2014 the UN Special Rapporteur on the right to privacy made reference to strong evidence of a growing reliance by Governments on the private sector to conduct and facilitate digital surveillance. Governments have used both formal legal mechanisms and covert methods to gain access to content as well as to metadata, as the 2013 Snowden leaks revealed.
As highlighted in the UN Guiding Principle on Business and Human Rights, Guiding Principle 11:
“Business enterprises should respect human rights. This means, they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.”
“Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users. Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible…A central part of human rights due diligence as defined by the Guiding Principles is meaningful consultation with affected stakeholders. In the context of information and communications technology companies, this also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions”.
The UN Special Rapporteur on the right to privacy has expressed concerned not only with the collection of big data but also with firms having the ability to sell or trade it and to link it to other data to produce a complex and detailed picture of a person’s life. Companies that collect consumer’s personal information and resell or share that information with others, the so-called Data brokers, generally do it without consumers’ knowledge and with little or no transparency. Cases of corporations selling or sharing personal data for purposes such as advertising, credit scoring and insurance risk scoring have also been reported. The Cambridge Analytica scandal is the latest example of this.
At the same time, companies have also been negatively impacted by data breach on their websites. Yahoo, for instance, have been subjected to the biggest data breach in history in 2013, where personal information on more than 3 billion user accounts were obtained. Likewise, in 2016, hackers collected 20 years of data on six databases property of the network Adult Friend Finder.
Various measures have been taken at the international level in order to guarantee the right to privacy. In 1990 the UN published its Guidelines concerning computerised personal data files, which stated that information about persons should not be collected or processed in unfair or unlawful ways. More recently in 2017, the UN Secretary General launched the initiative Global Pulse on Big Data. It functions as a network of innovative labs where research on Big Data for Development is designed and coordinated. The platform has developed a set of Privacy Principles intended to help ensure that individuals whose data is used are not adversely affected. The OECD adopted in 2013 an updated version of its Privacy Guidelines that apply to personal data. The EU General Data Protection Regulation, that takes effect on May 25th, 2018, has the purpose of protecting data collected on EU citizens. The legislation is reportedly the most comprehensive and progressive piece of data protection legislation in the world.
Globally, 107 States have legislation in place to secure the protection of data and privacy. Countries such as the United Kingdom, Australia and Canada have an Information Commissioner to ensure compliance with such legislation.
Various multi-stakeholder initiatives in this field are worth mentioning. The project MAPPING, financed by the European Union, is a platform that aims to contribute to the digital transition and to improve the innovation climate in the EU concentrating efforts in privacy, property and internet governance. The Global Network Initiative, bringing together comprises a group of companies, civil society organisations, investors and academics, has the objective to create a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector.
The Electronic Frontier Foundation’s (EFF) 2017 Who has your Back survey evaluates the 26 major US technology companies on their policies related to transparency and privacy. EFF stated in 2017 that:
“The tech industry as a whole has moved towards providing its users with more transparency, but telecommunications companies, which serve as the pipeline for communications and Internet service for millions of Americans, are failing to publicly push back against government overreach”.
Trough the initiative Reform Government Surveillance Coalition, companies in the ICT sector such as Google, Apple, Facebook, Dropbox, Twitter and Linkedin have joined efforts to request that the laws and practices on government surveillance and access to information be reformed.
Adequate data is critical for measuring progress towards the SDGs, as well as progress on human rights. Data from business’ reporting can help fill the gaps in areas where SDG data is still lacking. Enhancing the use of information and communication technology under SDG target 17.8 can also support data gathering efforts considerably. However, data collection and the promotion of technology that could enable distribution and dissemination of personal data can have a significant impact on the right to privacy, as well as the flow of information across state boundaries and between various actors, thus posing great challenges in terms of regulation, misuse of personal information, privacy, discrimination and access to remedy.
DIHR has highlighted the importance of a human rights-based approach to data in the context of the 2030 Agenda. This approach provides guidance on its 6 key principles of privacy, accountability, transparency, self-identification, participation and disaggregation.