Watching The Watchers: Accessing and Challenging Control Over Our Data
Privacy International is celebrating Data Privacy Week, where we’ll be talking about privacy and issues related to control, data protection, surveillance and identity. Join the conversation on Twitter using #dataprivacyweek.
Exercising the right to privacy extends to the ability of accessing and controlling our data and information, the way it is being handled, by whom, and for what purpose. This right is particularly important when it comes to control of how States perform these activities. In fact, the first data protection regulations in many countries were as a means to remake their democratic institutions after ruthless dictatorships.
Whilst data protection regulations across the world tend to have a similar set of core principles, governments and the public sector in general tend to benefit from blanket exemptions or very broad exceptions. Some of them are justifiable, based on the challenges related to the need to use citizens’ data to deliver certain public goods, but these needs are also commonly overstated, and lead to diverse number of abuses and human rights violations.
Such is the case of intelligence and surveillance organisms in every country, where in the name of national security, they engage in massive information gathering and processing, while enjoying excessive secrecy and lack of oversight and accountability. All of this underscores the need for meaningful control mechanisms.
There is an urgent need to create and enforce control mechanisms that are accessible, clear and inclusive to enable people to know how their data is being collected, processed and shared by public institutions, particularly within law enforcement and intelligence organisms, giving people effective redress mechanisms and the right to access, rectify, and even cancel or oppose their data when necessary.
In order to have a strong fundamental right to privacy, we need transparency on when and how institutions are using our personal information. This is also related to how we can protect and promote all of our fundamental rights, particularly those of freedom of expression, access to information, and freedom of assembly and association.
Our work and the research of our partners in Argentina, Chile, Colombia, Mexico, and South Africa, explore different dimensions of this issue, by researching about how this oversight works, the tools, methodologies and practices used by the surveillance apparatus, and how personal data is handle, by using transparency and access to information mechanisms to learn about and challenge these practices.
Argentina: The Change That Doesn’t Arrive
Our partners from the Asociación por los Derechos Civiles (ADC) in Argentina, conducted research on the Argentinian intelligence system, which is long overdue of reforms to improve both its work and its respect of fundamental rights. Eighteen months after the appointment of a new government in Argentina, the intelligence system’s agenda has been marked by reforms on the control of their wiretapping activities, a reform of the statute ruling their staff, and the designation of new authorities.
Nevertheless, these failed to bring the change necessary in terms of transparency, efficiency, integrating democratic processes within the system, but quite the opposite. Instead of a reliable system that counts with citizen’s trust, ADC’s report reveals that the reform process has actually been used to tighten governmental control over intelligence services.
Chile: Data Retention and Human Rights
One of our Chilean partners, Derechos Digitales, focused their research on data retention and mobile phone registration schemes across Latin America.
Data retention in general, and mobile subscriber data in particular, affect human rights such as the right to privacy and freedom of expression and opinion. Any implementation of data retention policies should at least comply with a series of pre-requisites that guarantee the full enjoyment of these human rights, starting by justifying whether these policies are necessary and proportional.
The study also performed a comparative data retention policy analysis considering Mexico, Brazil, Colombia, Peru, Argentina and Chile, evaluating them against international human rights standards in the inter-American context, setting parameters and experiences to assess similar initiatives in the Americas, such as a bill mandating the creation of a biometric database of mobile subscribers in Paraguay, which was eventually vetoed by the Paraguayan President.
Read report: “Retención de datos y registro de teléfonos móviles” (in Spanish)
Mexico: Unleashed Government Surveillance
Our partners in Mexico, Red en Defensa de los Derechos Digitales (R3D), has been researching on laws, regulations and practices related to state surveillance, to determine which agencies have such capabilities and which safeguards are being applied to their work.
R3D has been intensively using public information requests directed to government entities and the IFT (Federal Institute on Telecommunications) as means of collecting primary data for their research. They found that in more than 90% of the cases surveillance was used without previous judicial authorization, less than one percent of the investigations that used surveillance were resolved. Their findings were published in a report entitled “Estado de Vigilancia” (State of Surveillance), published in late 2016.
The research conducted by R3D was complemented with the emergence of evidence of the use of malware in a surveillance campaign against civil society activists, human rights defenders and other political and diplomatic actors. The story, (featured on the front page of the New York Times) had great impact. In addition, R3D will soon publish further research about the use of malware by the Government, showing how extended the proliferation of illegal use of surveillance in the country still is.
Read report: “El Estado de Vigilancia. Fuera de Control” (in Spanish)
South Africa: Challenging the Big Brother
Our partner, Right to Know Campaign (R2K) has been working to challenge state surveillance in South Africa on several fronts.
Their research has been focused, among other issues, on the RICA (Regulation of Interception of Communications and Provision of Communication-related Information) Act, through several briefs, analysis and discussion events held across the country.
Among RICA provisions (and in line with Derechos Digitales’ research), there is the mandate to create a SIM card registration database. A report commissioned by our partners and published in South African media starts by saying “Strictly enforced sim card registration can have devastating effects on the poor, our country’s economic growth, the safety of your private information, and last, but not least — your credit record”, reflecting the shortcoming of such systems.
These issues were raised by R2K and Privacy International in a joint submission to UN Universal Periodic Review Working Group and the process resulted in South Africa receiving two recommendations on its surveillance practices and calling for oversight of its intelligence agencies.
Read: “Missed Call: Rica registration ‘useless’ for crime prevention purposes”
Colombia: Privacy In A Transitional Context
With the signing of the Peace Agreement in 2016, Colombia is facing new challenges and questions. One of them is about what privacy means in a transitional context. And one of our partners in the country, DeJusticia, has been exploring these tough questions. A central issue that has emerged has been to see what will be done with the personal data registered in intelligence archives over the last four decades.
Given the Colombian reality, there is no one-size-fits-all solution, but the criteria will vary depending on many factors, such as who possess those files, whether the data is about victims or perpetrators of human rights violations, or if those files were already handed to the truth commission that was set.
In this context, some of the data protection principles (like Freedom and Transparency Principles) will apply just to the intelligence archives already in possession of the Truth Commission, but not to the active ones. Similarly, victims and perpetrators should not have the same level of control over their data, given that the human rights violations in which they were involved are part of the historical memory construction process, and therefore in some cases the publication supersedes their personal interests.
Strategic Dissemination For Transparency and Accountability
Since 2013, Privacy International has been engaging with its Network in human rights reporting mechanisms such as the Universal Periodic Reviewunder the ambit of the Human Rights Council as well as the Human Rights Committee, which oversees the implementation of the International Covenant on Civil and Political Rights (ICCPR). On the basis of research and policy analysis, we presented joint and individual submissions on the right to privacy in various countries.
Recently these have included submissions on India, South Africa, Brazil, Tunisia, Argentina, Morocco, Pakistan and the Philippines amongst others. In the case of the UPR, we were glad to see our concerns presented as recommendations to South Africa, Tunisia and India with all three requested to ensure that all communications surveillance requires a test of necessity and proportionality.
Similar recommendations were submitted to Paraguay and Lebanon in 2016. In addition, South Africa and India received a second recommendation asking them to take the necessary steps to ensure that all the operations of intelligence agencies are monitored by an independent oversight mechanism.
Pakistan received recommendations from the Human Rights Committee on issues PI and its partners had presented in their own respective submissions, including the need to ensure that surveillance activities comply with its obligations under the Covenant. The Committee also recommended that Pakistan adopt a comprehensive data protection law in line with international standards.