Privacy is a fundamental human rights and the right to privacy is included in a range of international and regional human rights instruments. This right is often framed in general terms within the right to respect for private or family life, protection of the home and non-interference with correspondence. Privacy is not an absolute right and limitations can be introduced provided they meet certain criteria.
The right to privacy is recognised in a wide range of international human rights instruments including:
- the Universal Declaration on Human Rights (1948),
- the International Covenant on Civil and Political Rights (1966),
- the Convention on the Rights of the Child (1989), and
- the International Convention on the Protection of All Migrant Workers and Members of their Families (1990).
The UN Special Rapporteur on the right to privacy noted in 2018 that:
“none of the major human rights treaties expressly include protection of personal information as an aspect of the right to privacy. Nonetheless, it is increasingly argued that the principles of data protection are incorporated within the broader right to privacy in these treaties.”+ Read more
The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights; and to exercise other rights and freedoms – such as free speech or the right to assembly. Data is created whenever we use a computer, a smartphone or even everyday electronic devices that include sensors capable of recording information.
The UN General Assembly in 2013 adopted a resolution on the right to privacy in the digital era where it stated that: “the rights held by people offline must also be protected online.” The UN Human Rights Council recognised in 2016 that the right to privacy can enable the enjoyment of other rights and the free development of an individual’s personality and identity and an individual’s ability to participate in political, economic, social and cultural life, and that violations or abuses of the right to privacy might affect the enjoyment of other human rights.
Uniquely in human rights instruments, the EU Charter of Fundamental Rights includes Article 8, the right to the protection of personal data. This provides a range of protections in the collection and processing of personal data.
The UN Special Rapporteur on the right to privacy made reference in 2014 to the strong evidence of a growing reliance by Governments on the private sector to conduct and facilitate digital surveillance. Governments have used both formal legal mechanisms and covert methods to gain access to content, as well as to metadata. As a matter of example, the 2013 Snowden documents are worth mentioning.
As highlighted in the UN Guiding Principle on Business and Human Rights, Guiding Principle 11:
“Business enterprises should respect human rights. This means, they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.”
“Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users. Where enterprises are faced with government demands for access to data that do not comply with international human rights standards, they are expected to seek to honour the principles of human rights to the greatest extent possible…A central part of human rights due diligence as defined by the Guiding Principles is meaningful consultation with affected stakeholders. In the context of information and communications technology companies, this also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions”.
The UN Special Rapporteur on the right to privacy has expressed concerned not only with the collection of big data but also that firms have the ability to sell or trade it and to link it to other data to produce a complex and detailed picture of a person’s life. Companies that collect consumer’s personal information and resell or share that information with others, the so-called Data brokers, generally takes place without consumers knowledge, a lack of transparency, indefinite retention of data and the use of this data for eligibility determination or unlawful discriminatory purposes. Cases of corporations selling or sharing personal data for purposes such as advertising, credit scoring and insurance risk scoring has also been reported. The Cambridge Analytica scandal is the latest example of this.
At the same time, companies have also been negatively impacted by data breach on their websites. Yahoo, for instance, have been subjected to the biggest data breach in history in 2013, where personal information on more than 3 billion user accounts were obtained. Likewise, in 2016, hackers collected 20 years of data on six databases property of the network Adult Friend Finder.
Various measures have been taken at the international arena in order to guarantee the right to privacy. In 1990 the UN published its Guidelines concerning computerised personal data files, which stated that information about persons should not be collected or processed in unfair or unlawful way. More recently, the UN Secretary General launched the initiative Global Pulse on Big Data, in 2017. It functions as a network of innovative labs where research on Big Data for Development is conceived and coordinated. The platform has developed a set of Privacy Principles intended to help ensure that individuals whose data is used are not adversely affected by research. The OECD adopted in 2013 an updated version of its Privacy Guidelines that applies to personal data. The EU General Data Protection Regulation, that takes effect May 25th, 2018, has the purpose of protecting data collected on EU citizens. The legislation is reportedly the most comprehensive and progressive piece of data protection legislation in the world.
Globally, 107 States have legislation in place to secure the protection of data and privacy. In addition to laws, countries such as the United Kingdom, Australia and Canada have set an Information Commissioner in order to implement relevant legislation.
Various multi-stakeholder initiatives also seek to address the recent developments in the issue. The project MAPPING, financed by the European Union, is a platform that aims to contribute to the digital transition and to improve the innovation climate in the EU concentrating efforts in privacy, property and internet governance. The Global Network Initiative, composed by a group of companies, civil society organisations, investors and academics, has the objective of creating a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector.
The Electronic Frontier Foundation’s (EFF) 2017 Who has your Back survey evaluates the 26 major technology companies in the US on their policies related to transparency and privacy. Companies such as Dropbox, Pinterest, Sonic and Wordpress have a policy in place that requires the government to obtain a warrant from a judge before the company discloses the content of users communication. Other companies such as Tumblr, Microsoft, Google, Yahoo and Snap Inc. tell users when the US government seeks their data in advance of turning over any data unless prohibited by law. This notification gives user a chance to defend themselves against overreaching government demands for their data. Finally, companies including Lyft, Airbnb, Adobe and Apple have already made public commitment to invoke the available statutory procedure to have a judge review indefinite National Security Letters gag order the company receives. EFF stated in 2017 that:
“The tech industry as a whole has moved towards providing its users with more transparency, but telecommunications companies, which serve as the pipeline for communications and Internet service for millions of Americans, are failing to publicly push back against government overreach”.
In addition to that, trough the initiative Reform Government Surveillance Coalition, companies in the ICT sector such as Google, Apple, Facebook, Dropbox, Twitter and Linkedin have united in order to request that practices and laws regulating government surveillance of individuals and access to information be reformed.
- Human Rights Council, Report of the UN Special Rapporteur on the right to privacy, A/HRC/37/62, 2018: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
- Facebook and Cambrigde Analytica, What you need to know as Fallout Widens, 2018:
- Electronic Frontier Foundation, Who has your back, 2017: https://www.eff.org/who-has-your-back-2017
- Office of the Human Rights Commissioner for Human Rights, Surveillance, big data and open data top UN expert’s privacy agenda, 2017: http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=22271
- UN Cape Town Global Action Plan for Sustainable Development Data, 2017: https://unstats.un.org/sdgs/hlg/Cape-Town-Global-Action-Plan/
- UN General Assembly, Report of the UN Special Rapporteur on the right to privacy, A/72/43103, 2017: http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/AnnualReports.aspx
- Human Rights Council, The Right to Privacy in the digital area, 2014: https://www.justsecurity.org/wp-content/uploads/2014/07/HRC-Right-to-Privacy-Report.pdf
- US Federal Trade Commission, Data Brokers, A call for Transparency and Accountability, 2014: https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
- The Guardian, NSA files: decoded, What the revelations mean for you, 2013: https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
- OECD, Privacy Guidelines, 2013: http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
- Guidelines concerning computerised personal data files, 1990: http://www.refworld.org/pdfid/3ddcafaac.pdf
- United Nations Development Group, The Data Privacy, Ethics and Protection Guidance note on Big Data for Achievement of the 2030 Agenda: https://undg.org/wp-content/uploads/2017/11/UNDG_BigData_final_web.pdf
- Global Network Initiative: https://www.globalnetworkinitiative.org/
- UN Global Pulse, Privacy and Data Protection Principles: https://www.unglobalpulse.org/privacy-and-data-protection
- UNCTAD, Data Protection and Privacy Legislation Worldwide: http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx