The Next Frontier of the Right to Privacy in the Digital Age
Image attribution: By Blue Diamond Gallery CC BY-SA 3.0.
In March 2017, when the UN Human Rights Council requested the High Commissioner for Human Rights to prepare a report on the right to privacy in the digital age, including the responsibility of business enterprises, Cambridge Analytica was an obscure company among others. A year later the data exploitation scandal erupted, leading to plenty of soul searching by politicians in US, UK, Europe and elsewhere, pledges of enhanced privacy protection by Facebook, and investigation by data protection authorities, such as the UK Information Commissioner.
Rising to the challenge, the report of the High Commissioner released in August 2018 provides a description of the universal human rights framework to address the responsibility of companies to respect the right to privacy in the digital age. It requires companies to adopt policies, procedures and remedies and conduct human rights impact assessments of their operation.
Notably, companies should comply with principles of data protection when they deal with personal data of individuals. These principles are not new: they are embedded in many legislation around the world (notably not just the European Union General Data Protection Regulation.)
No matter how many times CEOs say that “privacy is very important to us”, companies often need to be compelled to act. And governments have obligations to adopt legislation to protect individuals against exploitation of their data by public and private entities. As the UN High Commissioner puts it: “one cornerstone of a State privacy protection framework should be laws setting the standards for the processing of personal information by both States and private actors.”
Challenges to the right to privacy
The High Commissioner’s report lists the main challenges of respecting and protecting the right to privacy in the digital age. Just to name a few:
- mass surveillance, which is “not permissible under international human rights law, as an individualized necessity and proportionality analysis would not be possible in the context of such measures”;
- government hacking for surveillance purposes that “poses risks not only for the right to privacy but also for procedural fairness rights” and “contributes to security threats for millions of users”;
- intelligence sharing, that “poses the serious risk that a State may use this approach to circumvent domestic legal constraints by relying on others to obtain and then share information” and which states has so far failed to properly regulate;
- biometric technologies, and the accompanied creation “of mass databases of biometric data” which raises significant human rights concerns as “such data is particularly sensitive, as it is by definition inseparably linked to a particular person and that person’s life”;
- Profiling, ‘scoring’ and ‘ranking’ of individuals that can be used for “assessing eligibility for health care, other insurance coverage, financial services and beyond.” In particular “opaque data-based decisions in high- stakes cases, for example in sentencing procedures and recidivism assessments, may threaten due process. Attempts to identify individuals as potential security threats in the context of predictive policing raise concerns, given the issues surrounding transparency, overbreadth, accountability and the potential for discriminatory outcomes”.
To discuss in more depth some of these challenges, Privacy International, together with the International Network of Civil Liberties Organisations, organised a side event at the 39th session of the Human Rights Council. Among the speakers were our partners, the Asociación por los Derechos Civiles and the Centre for Internet and Society, who presented their research and analysis on biometrics and on artificial intelligence.
What happens next?
Governments have an opportunity now to respond to the analysis of the UN High Commissioner for human rights. In the coming weeks, the UN General Assembly is due to negotiate a new resolution on the right to privacy in the digital age. Brazil and Germany will spearhead the efforts with the support of states such as Austria, Liechtenstein, Mexico and Norway.
Like previously adopted resolutions, we expect that this year the General Assembly will reflect on the current challenges on the right to privacy in the digital age. And that it will adopt the recommendations contained in the UN High Commissioner report.
That is what is needed if the UN wishes to remain relevant in the fast pacing digital environment.