Privacy is a fundamental human right included in a range of international and regional human rights instruments. This right is often framed in general terms within the right to respect for private or family life, protection of the home and non-interference with correspondence. Privacy is not an absolute right and limitations can be introduced provided they meet certain criteria.
The right to privacy is recognised in a wide range of international human rights instruments including:
The UN Special Rapporteur on the right to privacy noted in 2018 that:
“none of the major human rights treaties expressly include protection of personal information as an aspect of the right to privacy. Nonetheless, it is increasingly argued that the principles of data protection are incorporated within the broader right to privacy in these treaties.”
Read more
The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights and exercising other rights and freedoms such as free speech or the right to assembly. Data is created whenever we use a computer, a smartphone or even everyday electronic devices with sensors capable of recording information.
In 2013 the UN General Assembly adopted a resolution on the right to privacy in the digital era where it stated that: “the rights held by people offline must also be protected online.” The UN Human Rights Council recognised in 2016 that the right to privacy can enable the enjoyment of other rights and the free development of an individual’s personality and identity and an individual’s ability to participate in political, economic, social and cultural life, and that violations or abuses of the right to privacy might affect the enjoyment of other human rights.
In 2019, the UN Human Rights Council and the General Assembly noted that “violations and abuses of the right to privacy in the digital age may affect all individuals, including with particular effects on women, as well as children and persons in vulnerable situations, or marginalized groups” and called on States “to further develop or maintain, in this regard, preventive measures and remedies for violations and abuses regarding the right to privacy in the digital age that may affect all individuals, including where there are particular effects for women, as well as children and persons in vulnerable situations or marginalized groups.”
In 2014 the UN Special Rapporteur on the right to privacy made reference to strong evidence of a growing reliance by Governments on the private sector to conduct and facilitate digital surveillance. Governments have used both formal legal mechanisms and covert methods to gain access to content as well as to metadata, as the 2013 Snowden leaks revealed.
“Business enterprises should respect human rights. This means, they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.”
“Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users. Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible…A central part of human rights due diligence as defined by the Guiding Principles is meaningful consultation with affected stakeholders. In the context of information and communications technology companies, this also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions”.
The UN Special Rapporteur on the right to privacy has expressed concerned not only with the collection of big data but also with firms having the ability to sell or trade it and to link it to other data to produce a complex and detailed picture of a person’s life. Companies that collect consumer’s personal information and resell or share that information with others, the so-called Data brokers, generally do it without consumers’ knowledge and with little or no transparency. Cases of corporations selling or sharing personal data for purposes such as advertising, credit scoring and insurance risk scoring have also been reported. The Cambridge Analytica scandal is the latest example of this.
At the same time, companies have also been negatively impacted by data breach on their websites. In 2024 alone there have been a number of significant data breaches amongst private companies. E.g. in May 2024, Dell emailed customers to inform that that their data may have been compromised after an attack on its customer portal. According to Dell, while no financial information was accessed, customers home addresses and order information may have been compromised. Data purportedly from the breach is being offered for sale on hacker forums, suggesting details of 49 million customers have been obtained.
Various measures have been taken at the international level in order to guarantee the right to privacy. In 1990 the UN published its Guidelines concerning computerised personal data files, which stated that information about persons should not be collected or processed in unfair or unlawful ways. The OECD adopted in 2013 an updated version of its Privacy Guidelines that apply to personal data. The EU General Data Protection Regulation, that took effect on May 25th, 2018, aims to protect EU citizen data through several measures at EU, national and organizational level. The legislation is the most comprehensive and progressive piece of data protection legislation in the world, and has also been copied in other juristicstions. The Council of Europe Convention No. 108 on data protection is a Convention for the protection of individuals regarding automatic processing of personal data. It is the only international legally binding instrument for the protection of personal data. The Convention plays a crucial role in promoting the right to privacy and the protection of personal data worldwide, as it is open to non-member states of the Council of Europe.
Globally, 107 States have legislation in place to secure the protection of data and privacy. Countries such as the United Kingdom, Australia and Canada have an Information Commissioner to ensure compliance with such legislation.
Various multi-stakeholder initiatives in this field are worth mentioning. The Global Network Initiative, bringing together comprises a group of companies, civil society organisations, investors and academics, has the objective to create a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector.
Adequate data is critical for measuring progress towards the SDGs, as well as progress on human rights. Data from business’ reporting can help fill the gaps in areas where SDG data is still lacking. Enhancing the use of information and communication technology under SDG target 17.8 can also support data gathering efforts considerably. However, data collection and the promotion of technology that could enable distribution and dissemination of personal data can have a significant impact on the right to privacy, as well as the flow of information across state boundaries and between various actors, thus posing great challenges in terms of regulation, misuse of personal information, privacy, discrimination and access to remedy.
DIHR has highlighted the importance of a human rights-based approach to data in the context of the 2030 Agenda. This approach provides guidance on its 6 key principles of privacy, accountability, transparency, self-identification, participation and disaggregation.
What National Action Plans say on Data protection & privacy
Belgium (2017 - open)
Section 5
Belgian framework relative to business enterprises and to human rights (Page 12-13)
In order to better identify the principal rights and responsibilities that Belgium engages itself to protect and to respect, the basic analysis concentrates on seven domains considered of the highest priority:
The right to life, liberty, and personal security;
The right to equality and non-discrimination;
The right of labourers;
The right to a clean and healthy environment;
The right to protection of privacy and the private life;
Pillar II baselines: Human rights as a moral and ethical obligation
Scope and content of the obligation to respect human rights [page 30]
For businesses, there are three dimensions to respect for human rights:…
Do not contribute to violations of human rights: A business does not commit violations itself, but acts in a way that facilitates or smooths the way for violations. This may encompass:…
The disclosure of customers’ personal data to an undemocratic regime.
Finland is involved in international work in UN decision-making bodies related to communication technologies (such as WSIS and the World Summit on the Information Society) as well as in other central international organisations (such as the Internet Governance Forum, IGF). The objective of Finland is to reinforce the administrative system of an open and inclusive network so that freedom of speech is ensured in the development of the international information society.
2. The State and Companies
2.2 The State and the protection of privacy [page 23]
The protection of privacy that is particularly related to electronic communications has received plenty of attention in recent public discussion. The right to privacy, the protection of personal data and the protection of confidential messages are fundamental human rights. The extent of data collection related to electronic communications has led to public discussion. Privacy questions related to electronic communications are particularly important in Finland, where the ICT infrastructure enjoys a strong position. This strength has played a significant role in the fact that Finland has been able to attract international ICT investments.
As a follow-up measure, the working group proposes that:
a roundtable discussion be organised on how to ensure the protection of privacy in Finland with the authorities, ICT companies and the civil society. Principal responsible party: Ministry of Transport and Communications, autumn 2014.
II. Business’s Responsibility to Respect Human Rights
The International Framework
5. Employee Representatives [page 43]
… The act on job security [Act of 14 June 2013] has several additional provisions for improving the information given to employees and reinforcing social dialogue in businesses and groups. Works councils must now be consulted on companies’ strategic goals…To prepare this consultation, databases must be created for employee representatives to assemble all useful information that is regularly communicated to works councils. Information must be kept up-to-date and have a forward-looking focus based on data and trends for the next three years. Employee representatives given access to companies’ sensitive and strategic data must comply with strict confidentiality requirements …
III. Access to Remedy
Judicial Mechanisms
1.4. Proceedings
Collective actions [page 51]
… Given the different fields of application mentioned in the bill, collective actions will become a tool allowing plaintiffs to stop or remedy discrimination in the labour field and elsewhere including with respect to the provision of services, accommodation, transport, etc. Collective actions will also be possible in the environmental, health, and personal data protection fields.
Objective 25.12.1: Ensure knowledge of business sector concerning human rights protection mechanisms, including personal data protection and finest standards for strengthening women.
Objective indicator: Presentation of the communicative strategy.
Activity: Elaborating effective communication strategy concerning personal data protection, women strengthening and standards of human rights protection.
Section 2. Current legislative and regulatory framework
Data Protection [page 14]
The office of the data Protection Commissioner (DPC) is responsible for upholding the general principle that individuals should be in a position to control how data relating to them is used. The Commissioner is also responsible for enforcing obligations upon data controllers. Owing to the significant number of multinational tech companies based in Ireland, Ireland’s Data Protection Commissioner has responsibility for oversight of a large amount of data and has been involved in some high profile cases. The government is committed to supporting the data Commissioner in their role and, over recent years, has provided a fourfold increase in the funding for the work of the Commission.
IV. Italian ongoing activities and future commitments
Children’s and adolescents’ rights
“The Italian Government supports public and private sector initiatives to promote attention, inclusion and protection of children’s and adolescents’ rights in business practices with the aim of integrating them into all aspects of the value chain – from investment practices, supplier relations, marketing, end-product safety, data protection 41 and privacy protection, to the impact of business activities on communities, market and the environment” (p. 40)
ANNEX 1 – Accountability Grid and Assessment Tools for the Implementation of the NAP
“21. (…) The inclusion of children’s rights in business practices includes: the provision of “family friendly policies” designed to support workers in their role as parents/caregivers (smart working, paid parental leave, social protection and adequate wages for all); the introduction of measures to monitor the presence of minors in the workplace; the adoption of Child Safeguarding Policies/Codes of Conduct to foresee, report and take charge of potential risk situations for minors who come into contact with the company; the provision of security guarantees for digital environment (data protection, access to age-appropriate content, privacy protection).” (p. 64)
C. Human Rights Associated with the Development of New Technologies
(Existing framework/Measures taken )
As measures that have already been conducted, when consulted about the information on human rights violations, such as defamation and privacy infringement on the Internet, the Government has advised victims on the methods for requesting the disclosure of the sender’s information and the deletion of the information by providers. In case the victims find it difficult to recover from the damage caused by abusive content, efforts are made to remedy the damage by requesting providers to delete such abusive information. With respect to these initiatives, sufficient attention is paid to take into account gender equality perspectives as well as diversity and inclusiveness.
(Future measures planned)
(a) Address online defamation and privacy infringement, including hate speech
Continue efforts such as requesting providers to delete abusive information in case human rights violations, including defamation and privacy infringement on the Internet, are observed. [Ministry of Internal Affairs and Communications, Ministry of Justice]
(…)
(c) Promote discussion on the use of AI from the perspective of protection of privacy
Continue efforts to promote discussion regarding the use of AI and privacy protection at international conferences and other occasions. [Personal Information Protection Commission; Ministry of Economy, Trade and Industry]
Part II: Specific objectives of the National Action Plan 2020-2022
1. The state duty to protect human rights
(…)
1.15. Protection of human rights in business in the context of new information and communication technologies (ICT), including artificial intelligence (AI)
Context
One of the risk sectors recognised in the NAP2 is the new information and communication technologies, including artificial intelligence. This sector is developing very rapidly worldwide in the context of increasing digitalisation.
In his report to the UN General Assembly in 2018, Mr David Kaye, UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, analysed the topic of artificial intelligence (AI) in more detail. Within this framework, each State is obliged to uphold human rights, including the right to freedom of opinion, freedom of expression and access to information, the right to privacy, the obligation of non-discrimination and the right to an effective remedy.
In Europe, the General Data Protection Regulation (GDPR) has been the main legal instrument regulating the collection and use of data since its introduction in 2018. In Luxembourg, the supervisory authority is the Data Protection National Commission (CNPD) [Commission nationale pour la protection des données].
Objectively verifiable indicators
× GDPR
Verification sources
× European legislation and institutions
× CNPD [Commission nationale pour la protection des données] – UEL [Union des Entreprises Luxembourgeoises] / INDR [Institut National pour le Développement durat et la Responsabilité sociale des entreprises]
Expected results
× Regular consultations with the CNPD [Commission nationale pour la protection des données]
× Increased understanding and awareness of the link between human rights and ICT, including AI
Implementation timeline
Duration of NAP 2
Means of implementation
× CNPD [Commission nationale pour la protection des données]
× UEL [Union des Entreprises Luxembourgeoises] / INDR [Institut National pour le Développement durat et la Responsabilité sociale des entreprises]
× Civil Society, including ALNU [Association Luxembourgeoise Pour les Nations Unies]
The 2020-22 NAP states the second edition of the National Action Plan complements the first NAP. Additional information about the first NAP can be found here.
The Nigeria NAP provides a list of existing constitutional obligations, domestic legislation, internation obligations, and police and administrative steps. This breakdown only looks at the list of challenges and the implementation of the 3 pillars of the UNGPs.
The Nigerian NAP on Business and Human Rights does not address Data protection & privacy.
CHAPTER 1: National Action Plan on Business and Human Rights
1.5. COVID-19 and the NAP (page 11)
‘Additionally, the COVID-19 pandemic has had a major impact on the nature of business in terms of the increasing amount of corporate activity moving to the digital realm, and the rapidly increasing role of freelance work and the gig economy. In light of these rapid changes, it is imperative that human rights are given the same level of importance in the digital economy. It is crucial that the rights of workers in the digital economy are respected, and ethical guidelines concerning data protection and privacy are adhered to.’
“The WhistleB platform guarantees Whistleblowers the highest level of protection and anonymity. If the notifiers themselves do not provide their data – it is impossible to identify them. Moreover, it should be pointed out that personal data provided by Whistleblowers are not made available to external entities. The connection between the Office of Competition and Consumer Protection, the application and the Whistleblower is encrypted and password-protected. Metadata are automatically removed from the files attached. Therefore, the IP of the notifier’s computer cannot be determined. The provider of the above-mentioned tool does not have access to the content placed on the platform. Access to information is two-step, and only a designated group of persons employed in the Office of Competition and Consumer Protection have access passwords.”
Revision of 「Procurement Business Act」 and addition of an article promoting corporate social responsibility on January 2016.
* Article 3-2 (Encouraging Social Responsibility)
The administrator of the Public Procurement Service may reflect social and environmental values such as … consumer protection in the procurement process to encourage corporate social responsibility.
Internet freedom and privacy are among the great global issues of the future. It is fundamental for Sweden that the human rights that apply offline also apply online. Sweden has taken initiatives to strengthen the dialogue with business on internet freedom. As a result of a Swedish initiative, the OECD Guidelines for Multinational Enterprises now call on companies to support human rights on the internet. In addition, Sweden was part of the group of countries that tabled resolutions on internet freedom in the UN Human Rights Council in 2012 and 2014. These resolutions were adopted unanimously. The Stockholm Internet Forum organised by Sweden in 2012, 2013 and 2014 has focused entirely on issues of internet freedom.
Continue promoting international human rights dialogue and cooperation (page 9)
‘Taiwan will continue to carry out human rights consultations and dialogue with the European Union. In the area of digital human rights, as talks with the European Union regarding a GDPR adequacy decision for Taiwan move forward, we will move methodically toward the establishment of an agency tasked with responsibility for promoting the protection of personal information.
In the future, Taiwan will continue seeking to strengthen international human rights dialogue and cooperation with more countries.’
Examples of wide ranging legislation protecting human rights in the business context include… the Data Protection Act 1998 which applies to companies and ensures respect for the privacy of individuals.
Actions taken [page 9]
To give effect to the UN Guiding Principles, the Government has:
(ix) strengthened international rules relating to digital surveillance, including leading work in the Wassenaar Arrangement to adopt new controls on specific technologies of concern. Specifically new controls were agreed on:
equipment and software for creating and delivering “intrusion software” designed to be covertly installed on devices to extract data. “internet surveillance systems” which can monitor and analyse internet traffic and extract information about individuals and their communications.
3. Government expectations on business
Actions taken to support business implementation of the UNGPs [page 15]
To help businesses to fulfil their responsibility to respect human rights the
The expansion of ‘cyber space’ has brought huge economic and social benefits. However, it also poses risks and new opportunities for hackers, criminals and terrorists. To help mitigate these risks, companies have developed security products and services which defend networks from malicious activity. In many countries, such as the UK, these products are used legitimately, including by law enforcement authorities, in accordance with domestic and international law obligations. However, in some countries which do not adhere to their international human rights obligations, there is a risk that the same products are used in ways that could breach state’s legal obligations, e.g. to restrict freedom of expression or to contribute to internal repression.
Normally, exports that could cause harm, such as arms, are covered by the export-licensing regime. However, many cyber capabilities, products and services are not listed. This problem was recognized by the Cyber Growth Partnership a joint body representing industry, academia and government. The FCO worked with techUK, a technology trade association, and the Institute for Human Rights and Business to produce practical guidance for companies on managing human rights risks.
“Assessing Cyber Security Export Risks: Human Rights and National Security” was published in November 2014. It is the first guidance for this sector in the world, and sets out:
the different sorts of potential harm associated with particular cyber capabilities;
a process to help companies assess country specific risks and to evaluate business partners and re-sellers; and potential mitigation options for avoiding or reducing risks.
Belgium (2017 - open)
Chile (2017-2020)
Colombia (2020-2022)
Czechia (2017-2022)
Denmark (2014-open)
Finland (2014-2016)
France (2017-open)
Georgia (2018-2020)
Germany (2016-2020)
Ireland (2017-2020)
Italy (2021-2026)
Japan (2020-2025)
Kenya (2020-2025)
Lithuania (2015-open)
Luxembourg (2020-2022)
Mongolia (2023-2027)
Netherlands (2022-2026)
Nigeria (2024-2028)
Norway (2015-open)
Pakistan (2021-2026)
Peru (2021-2025)
Poland (2021-2024)
Slovenia (2018-open)
South Korea (2018-2022)
Spain (2017-2020)
Sweden (2017-open)
Switzerland (2020-2023)
Thailand (2019-2022)
Uganda (2021-2026)
United Kingdom (2016-open)
United States (2024 - open)
