Report of the Office of the United Nations High Commissioner for Human Rights
In its resolution 68/167, the General Assembly requested the United Nations High Commissioner for Human Rights to submit a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale, to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States. The present report is submitted pursuant to that request. The Office of the High Commissioner will also submit the report to the General Assembly at its sixty-ninth session, pursuant to the request of the Assembly.
I. Introduction 1 – 6 3
II. Background and methodology 7 – 11 4
III. Issues relating to the right to privacy in the digital age 12 – 41 5
D. Procedural safeguards and effective oversight 37 – 38 12
E. Right to an effective remedy 39 – 41 13
IV. What role for business? 42 – 46 14
V. Conclusions and recommendations 47 – 51 15
1. Digital communications technologies, such as the Internet, mobile smartphones and WiFi-enabled devices, have become part of everyday life. By dramatically improving access to information and real-time communication, innovations in communications technology have boosted freedom of expression, facilitated global debate and fostered democratic participation. By amplifying the voices of human rights defenders and providing them with new tools to document and expose abuses, these powerful technologies offer the promise of improved enjoyment of human rights. As contemporary life is played out ever more online, the Internet has become both ubiquitous and increasingly intimate.
2. In the digital era, communications technologies also have enhanced the capacity of Governments, enterprises and individuals to conduct surveillance, interception and data collection. As noted by the Special Rapporteur on the right to freedom of expression and opinion, technological advancements mean that the State’s effectiveness in conducting surveillance is no longer limited by scale or duration. Declining costs of technology and data storage have eradicated financial or practical disincentives to conducting surveillance. The State now has a greater capability to conduct simultaneous, invasive, targeted and broad-scale surveillance than ever before.1In other words, the technological platforms upon which global political, economic and social life are increasingly reliant are not only vulnerable to mass surveillance, they may actually facilitate it.
3. Deep concerns have been expressed as policies and practices that exploit the vulnerability of digital communications technologies to electronic surveillance and interception in countries across the globe have been exposed. Examples of overt and covert digital surveillance in jurisdictions around the world have proliferated, with governmental mass surveillance emerging as a dangerous habit rather than an exceptional measure. Governments reportedly have threatened to ban the services of telecommunication and wireless equipment companies unless given direct access to communication traffic, tapped fibre-optic cables for surveillance purposes, and required companies systematically to disclose bulk information on customers and employees. Furthermore, some have reportedly made use of surveillance of telecommunications networks to target political opposition members and/or political dissidents. There are reports that authorities in some States routinely record all phone calls and retain them for analysis, while the monitoring by host Governments of communications at global events has been reported. Authorities in one State reportedly require all personal computers sold in the country to be equipped with filtering software that may have other surveillance capabilities. Even non-State groups are now reportedly developing sophisticated digital surveillance capabilities. Mass surveillance technologies are now entering the global market, raising the risk that digital surveillance will escape governmental controls.
4. Concerns have been amplified following revelations in 2013 and 2014 that suggested that, together, the National Security Agency in the United States of America and General Communications Headquarters in the United Kingdom of Great Britain and Northern Ireland have developed technologies allowing access to much global internet traffic, calling records in the United States, individuals’ electronic address books and huge volumes of other digital communications content. These technologies have reportedly been deployed through a transnational network comprising strategic intelligence relationships between Governments, regulatory control of private companies and commercial contracts.
5. Following on the concerns of Member States and other stakeholders at the negative impact of these surveillance practices on human rights, in December 2013 the General Assembly adopted resolution 68/167, without a vote, on the right to privacy in the digital age. In the resolution, which was co-sponsored by 57 Member States, the Assembly affirmed that the rights held by people offline must also be protected online, and called upon all States to respect and protect the right to privacy in digital communication. It further called upon all States to review their procedures, practices and legislation related to communications surveillance, interception and collection of personal data, emphasizing the need for States to ensure the full and effective implementation of their obligations under international human rights law.
6. Also in resolution 68/167, the General Assembly requested the United Nations High Commissioner for Human Rights to submit a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale, to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States. The present report is submitted pursuant to that request. As mandated by resolution 68/167, the Office of the High Commissioner (OHCHR) will also submit the report to the Assembly at its sixty-ninth session.
7. Bearing in mind resolution 68/167, OHCHR participated in a number of events and gathered information from a broad range of sources. On 24 February 2014, the High Commissioner delivered a keynote presentation at an expert seminar on “The right to privacy in the digital age”, which was co-sponsored by Austria, Brazil, Germany, Liechtenstein, Mexico, Norway and Switzerland, and facilitated by the Geneva Academy on International Humanitarian Law and Human Rights.
8. From November 2013 to March 2014, OHCHR engaged the United Nations University in a research project on the application of international human rights law to national regimes overseeing governmental digital surveillance. OHCHR is grateful to the University, and acknowledges its major substantive contribution to the preparation of the present report through the research project.
9. As part of an open consultation, on 27 February 2014, OHCHR addressed a questionnaire to Member States through their Permanent Missions in Geneva and in New York; international and regional organizations; national human rights institutions; non-governmental organizations; and business entities. In its questionnaire, OHCHR invited inputs on the issues as addressed by the General Assembly in its resolution 68/167. A dedicated OHCHR webpage was created in order to make available the questionnaire and all contributions for public consultation, as well as to provide further opportunity for input. Contributions were received from 29 Member States from all regions, five international and/or regional organizations, three national human rights institutions, 16 non-governmental organizations and two private sector initiatives.2
10. Many of the contributions referred in detail to existing national legislative frameworks and to other measures taken to ensure respect for and protection of the right to privacy in the digital age, as well as to initiatives to establish and implement procedural safeguards and effective oversight. Some contributions referred to challenges encountered in the implementation of the right to privacy in the digital age, and provided suggestions for initiatives at the international level. They included encouragement to the Human Rights Committee to update its relevant general comments, in particular on article 17 of the International Covenant on Civil and Political Rights; the establishment by the Human Rights Council of a special procedures mandate on the right to privacy; and/or the engagement of existing relevant special procedures mandate holders in joint or individual initiatives to address issues related to the right to privacy in the context of digital surveillance and to provide good-practice guidance.
11. Pursuant to the request made in General Assembly resolution 68/167, the present report offers reflections and recommendations based on an assessment of information available at the time of drafting, drawing also on the wealth of material reflected in the diverse range of contributions received.
III. Issues relating to the right to privacy in the digital age
12. As recalled by the General Assembly in its resolution 68/167, international human rights law provides the universal framework against which any interference in individual privacy rights must be assessed. Article 12 of the Universal Declaration of Human Rights provides that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The International Covenant on Civil and Political Rights, to date ratified by 167 States, provides in article 17 that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation”. It further states that “everyone has the right to the protection of the law against such interference or attacks.”
13. Other international human rights instruments contain similar provisions. Laws at the regional and national levels also reflect the right of all people to respect for their private and family life, home and correspondence or the right to recognition and respect for their dignity, personal integrity or reputation. In other words, there is universal recognition of the fundamental importance, and enduring relevance, of the right to privacy and of the need to ensure that it is safeguarded, in law and in practice.
14. While the mandate for the present report focused on the right to privacy, it should be underscored that other rights also may be affected by mass surveillance, the interception of digital communications and the collection of personal data. These include the rights to freedom of opinion and expression, and to seek, receive and impart information; to freedom of peaceful assembly and association; and to family life – rights all linked closely with the right to privacy and, increasingly, exercised through digital media. Other rights, such as the right to health, may also be affected by digital surveillance practices, for example where an individual refrains from seeking or communicating sensitive health-related information for fear that his or her anonymity may be compromised. There are credible indications to suggest that digital technologies have been used to gather information that has then led to torture and other ill-treatment. Reports also indicate that metadata derived from electronic surveillance have been analysed to identify the location of targets for lethal drone strikes. Such strikes continue to raise grave concerns over compliance with international human rights law and humanitarian law, and accountability for any violations thereof. The linkages between mass surveillance and these other effects on human rights, while beyond the scope of the present report, merit further consideration.
A. The right to protection against arbitrary or unlawful interference with privacy, family, home or correspondence
15. Several contributions highlighted that, when conducted in compliance with the law, including international human rights law, surveillance of electronic communications data can be a necessary and effective measure for legitimate law enforcement or intelligence purposes. Revelations about digital mass surveillance have, however, raised questions around the extent to which such measures are consistent with international legal standards and whether stronger surveillance safeguards are needed to protect against violations of human rights. Specifically, surveillance measures must not arbitrarily or unlawfully interfere with an individual’s privacy, family, home or correspondence; Governments must take specific measures to ensure protection of the law against such interference.
16. A review of the various contributions received revealed that addressing these questions requires an assessment of what constitutes interference with privacy in the context of digital communications; of the meaning of “arbitrary and unlawful”; and of whose rights are protected under international human rights law, and where. The sections below address issues that were highlighted in various contributions.
1. Interference with privacy
17. International and regional human rights treaty bodies, courts, commissions and independent experts have all provided relevant guidance with regard to the scope and content of the right to privacy, including the meaning of “interference” with an individual’s privacy. In its general comment No. 16, the Human Rights Committee underlined that compliance with article 17 of the International Covenant on Civil and Political Rights required that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto. “Correspondence should be delivered to the addressee without interception and without being opened or otherwise read”.3
18. It has been suggested by some that the conveyance and exchange of personal information via electronic means is part of a conscious compromise through which individuals voluntarily surrender information about themselves and their relationships in return for digital access to goods, services and information. Serious questions arise, however, about the extent to which consumers are truly aware of what data they are sharing, how and with whom, and to what use they will be put. According to one report, “a reality of big data is that once data is collected, it can be very difficult to keep anonymous. While there are promising research efforts underway to obscure personally identifiable information within large data sets, far more advanced efforts are presently in use to re-identify seemingly ‘anonymous’ data. Collective investment in the capability to fuse data is many times greater than investment in technologies that will enhance privacy.” Furthermore, the authors of the report noted that “focusing on controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy”, in part because “big data enables new, non-obvious, unexpectedly powerful uses of data”.4
19. In a similar vein, it has been suggested that the interception or collection of data abouta communication, as opposed to the content of the communication, does not on its own constitute an interference with privacy. From the perspective of the right to privacy, this distinction is not persuasive. The aggregation of information commonly referred to as “metadata” may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication. As the European Union Court of Justice recently observed, communications metadata “taken as a whole may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.”5 Recognition of this evolution has prompted initiatives to reform existing policies and practices to ensure stronger protection of privacy.
20. It follows that any capture of communications data is potentially an interference with privacy and, further, that the collection and retention of communications data amounts to an interference with privacy whether or not those data are subsequently consulted or used.Even the mere possibility of communications information being captured creates an interference with privacy,6 with a potential chilling effect on rights, including those to free expression and association. The very existence of a mass surveillance programme thus creates an interference with privacy. The onus would be on the State to demonstrate that such interference is neither arbitrary nor unlawful.
2. What is “arbitrary” or “unlawful”?
21. Interference with an individual’s right to privacy is only permissible under international human rights law if it is neither arbitrary nor unlawful. In its general comment No. 16, the Human Rights Committee explained that the term “unlawful” implied that no interference could take place “except in cases envisaged by the law. Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant”.7 In other words, interference that is permissible under national law may nonetheless be “unlawful” if that national law is in conflict with the provisions of the International Covenant on Civil and Political Rights. The expression “arbitrary interference” can also extend to interference provided for under the law. The introduction of this concept, the Committee explained, “is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances”.8 The Committee interpreted the concept of reasonableness to indicate that “any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case”.9
22. Unlike certain other provisions of the Covenant, article 17 does not include an explicit limitations clause. Guidance on the meaning of the qualifying words “arbitrary or unlawful” nonetheless can be drawn from the Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights;10 the practice of the Human Rights Committee as reflected in its general comments, including Nos. 16, 27, 29, 34, and 31, findings on individual communications11 and concluding observations;12 regional and national case law;13 and the views of independent experts.14 In its general comment No. 31 on the nature of the general legal obligation on States parties to the Covenant, for example, the Human Rights Committee provides that States parties must refrain from violation of the rights recognized by the Covenant, and that “any restrictions on any of [those] rights must be permissible under the relevant provisions of the Covenant. Where such restrictions are made, States must demonstrate their necessity and only take such measures as are proportionate to the pursuance of legitimate aims in order to ensure continuous and effective protection of Covenant rights.”15 The Committee further underscored that “in no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right.”
23. These authoritative sources point to the overarching principles of legality, necessity and proportionality, the importance of which also was highlighted in many of the contributions received. To begin with, any limitation to privacy rights reflected in article 17 must be provided for by law, and the law must be sufficiently accessible, clear and precise so that an individual may look to the law and ascertain who is authorized to conduct data surveillance and under what circumstances. The limitation must be necessary for reaching a legitimate aim, as well as in proportion to the aim and the least intrusive option available.16 Moreover, the limitation placed on the right (an interference with privacy, for example, for the purposes of protecting national security or the right to life of others) must be shown to have some chance of achieving that goal. The onus is on the authorities seeking to limit the right to show that the limitation is connected to a legitimate aim. Furthermore, any limitation to the right to privacy must not render the essence of the right meaningless and must be consistent with other human rights, including the prohibition of discrimination. Where the limitation does not meet these criteria, the limitation would be unlawful and/or the interference with the right to privacy would be arbitrary.
24. Governments frequently justify digital communications surveillance programmes on the grounds of national security, including the risks posed by terrorism. Several contributions suggested that since digital communications technologies can be, and have been, used by individuals for criminal objectives (including recruitment for and the financing and commission of terrorist acts), the lawful, targeted surveillance of digital communication may constitute a necessary and effective measure for intelligence and/or law enforcement entities when conducted in compliance with international and domestic law. Surveillance on the grounds of national security or for the prevention of terrorism or other crime may be a “legitimate aim” for purposes of an assessment from the viewpoint of article 17 of the Covenant. The degree of interference must, however, be assessed against the necessity of the measure to achieve that aim and the actual benefit it yields towards such a purpose.
25. In assessing the necessity of a measure, the Human Rights Committee, in its general comment No. 27, on article 12 of the International Covenant on Civil and Political Rights, stressed that that “the restrictions must not impair the essence of the right […]; the relation between right and restriction, between norm and exception, must not be reversed.”17 The Committee further explained that “it is not sufficient that the restrictions serve the permissible purposes; they must also be necessary to protect them.” Moreover, such measures must be proportionate: “the least intrusive instrument amongst those which might achieve the desired result”.18 Where there is a legitimate aim and appropriate safeguards are in place, a State might be allowed to engage in quite intrusive surveillance; however, the onus is on the Government to demonstrate that interference is both necessary and proportionate to the specific risk being addressed. Mass or “bulk” surveillance programmes may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate.
26. Concerns about whether access to and use of data are tailored to specific legitimate aims also raise questions about the increasing reliance of Governments on private sector actors to retain data “just in case” it is needed for government purposes. Mandatory third-party data retention – a recurring feature of surveillance regimes in many States, where Governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access – appears neither necessary nor proportionate.19
27. One factor that must be considered in determining proportionality is what is done with bulk data and who may have access to them once collected. Many national frameworks lack “use limitations”, instead allowing the collection of data for one legitimate aim, but subsequent use for others. The absence of effective use limitations has been exacerbated since 11 September 2001, with the line between criminal justice and protection of national security blurring significantly. The resulting sharing of data between law enforcement agencies, intelligence bodies and other State organs risks violating article 17 of the Covenant, because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another. A review of national practice in government access to third-party data found “when combined with the greater ease with which national security and law enforcement gain access to private-sector data in the first place, the expanding freedom to share that information among agencies and use it for purposes beyond those for which it was collected represents a substantial weakening of traditional data protections.”20 In several States, data-sharing regimes have been struck down by judicial review on such a basis. Others have suggested that such use limitations are a good practice to ensure the effective discharge of a State’s obligations under article 17 of the Covenant,21 with meaningful sanctions for their violation.