The UIA at the United Nations

by Jutta F. Bertram-Nothnagel

The United Nations General Assembly and the Right to Privacy in the Digital Age

On 18 December 2013, during its sixty-eighth session, the United Nations General Assembly adopted by consensus for the first time a resolution on “The right to privacy in the digital age” (UN Doc. A/RES/68/167). In the wake of Edward Snowden’s revelations, the original draft for the resolution (UN Doc. A/C.3/68/L.45) had been jointly introduced in the General Assembly’s Third Committee by Brazil and Germany, also on behalf of 10 additional co-sponsoring States. (The Third Committee is responsible for social, humanitarian and human rights issues.) Co-sponsorship for the revised version (UN Doc. A/C.3/68/L.45/Rev.1) approved by the Third Committee had grown to 56 States before the resolution moved to the plenary (Report of the Third Committee, UN Doc. A/68/456/Add.2, Section K.)

On 25 November 2014, during the General Assembly’s sixty-ninth session, the Third Committee approved for the second time a draft resolution on “The right to privacy in the digital age”. (See also United Nations, Meeting Coverage and Press Releases, GA/SHC/4126, p. 2, 8-9, http://www.un.org/press/en/2014/gashc4126.doc.htm)

Adoption of the resolution by the plenary of the General Assembly is expected in the course of December 2014.

The 2014 draft resolution had been introduced by 27 co-sponsoring States (UN Doc. A/C.3/69/L.26 of 31 October 2014), a revised version by 39 co-sponsoring States (UN Doc. A/C.3/69/L.26/Rev.1 of 19 November 2014), including by Brazil and Germany, the original main sponsors. Shortly before approval by the Third Committee, co-sponsorship had grown to 66 States (Journal of the United Nations No.2014/228 of 27 November 2014).

Both the 2013 and 2014 resolutions reaffirm in their first operative paragraph “the right to privacy, according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to the protection of the law against such interference, as set out in article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights”. The third operative paragraph affirms “that the same rights that people have offline must also be protected online, including the right to privacy”. In the 2014 as in the 2013 resolution, States are called upon to “take measures to put an end to violations of those rights and to create conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law”. States are also called upon to review their procedures, practices and legislation “with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law”. Thus, it would not be sufficient that interferences with the right to privacy, or interferences with any other affected human right, are just backed by any kind of formal legislative act. The law required for and permitting such interference must itself be in accordance with international human rights law. (Law does not authorize slavery, apartheid or tyranny without loosing its authority and name.)

Yet recognition and understanding about international human rights law,  – what exactly is required to respect, protect and ensure human rights in the digital age  –, has not kept up with the speed of technological development and the formidable degree of intrusion and large-scale assault on human dignity that such development enables. Moreover, greater recognition and understanding are made difficult by lack of transparency about the tools, measures and objectives for digital surveillance. The all too convenient claim that one has nothing to worry about if one has nothing to hide, is either naïve or obfuscating or outright sinister. It puts up blinders against the dangers to human dignity, freedom and life and the presumptuousness and ruthlessness of intruders who misunderstand, manipulate, exploit, suppress or kill those intruded upon. The risks to human rights defenders are particularly serious, as also underlined in the 2014 resolution. On a more basic and maybe most fundamental level, interferences with the privacy of human beings are interferences with their spontaneity, their intimacy and their soul. This is particularly true for mass surveillance, including for the bulk collection of information whose content may or may not be studied. The specter of the Orwellian State looms large.

To advance understanding, the 2013 resolution requested the United Nations High Commissioner for Human Rights to “submit a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale, to the Human Right Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States”. The High Commissioner based the report (UN Doc. A/HRC/27/37, UN Doc. A/69/276) on a broad range of sources, including by inviting United Nations Member States, international and regional organizations, national human rights institutions, non-governmental organizations and business entities to respond to a questionnaire on the issues as brought up in the resolution. The contributions received are available at:
http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx   

The High Commissioner’s report informed the 2014 considerations in the Third Committee, as did the report by the Human Rights Council’s Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (UN Doc. A/69/397). The latter report focuses in its section III on the use of mass digital surveillance for counter-terrorism and on the implications of bulk access technology for the rights to privacy. An earlier report by the Human Rights Council’s Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression (UN Doc. A/HRC/23/40 and Corr.1) had already contributed to the discussion in 2013 and did so again in 2014.

The High Commissioner’s report covers a wide array of topics, ranging from the meaning of the human right to privacy to the attributes of law required to protect the right, from limitations on intrusions to safeguards and oversight, and from remedies to corporate responsibility. As might be expected, not all States shared the observations and conclusions of the High Commissioner.

A number of the differences between the various 2013 and 2014 original and revised versions of the resolutions indicate the main points of debate.  Only a few of these points can be highlighted here.

Article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights make it clear that unlawful or arbitrary interferences with privacy are impermissible. Law must protect against arbitrariness. Law cannot heal arbitrariness and must not cover it up.  Examining the meaning of “arbitrary” or “unlawful”, primarily by evaluating authoritative sources such as the General Comments and Concluding Observations of the Human Rights Committee (the treaty body of the International Covenant on Civil and Political Rights) and international and regional jurisprudence, the High Commissioner’s report concludes in particular that permissible interferences with the right to privacy must be necessary for and proportionate to a legitimate aim. The essence of the right must not be impaired. The original version for the 2014 resolution shared this assessment, stating so succinctly. But while many States concurred, not all did. Differences of opinion on the requirements of necessity and proportionality were even apparent among the “Five Eyes” (Australia, Canada, New Zealand, United Kingdom and United States). As a result, the revised version became decidedly weaker. It now merely repeats that any interference must not be arbitrary or unlawful,  “bearing in mind what is reasonable to the pursuance of legitimate aims” and recalls, in a rather convoluted and treaty-based fashion, that “States that are parties to the International Covenant on Civil and Political Rights must undertake the necessary steps to adopt laws or other measures as may be necessary to give effect to the rights recognized in the Covenant”.  Whereas the original 2014 version envisions “further practical guidance, grounded in international human rights law, on the principles of necessity, proportionality and legitimacy”, the revised version speaks of “the need to examine the principles of non-arbitrariness and lawfulness, and the relevance of necessity and proportionality assessments in relation to surveillance practices”. Deliberations about the criteria of necessity and proportionality are likely to remain intense, as they will with regard to the essence of the right. The mere reasonableness of an intrusion, even when sanctioned by law, can hardly suffice to justify a limitation of fundamental and inherent rights, no matter how legitimate the objective.  At the same time, proportionality alone may be too easy a threshold as well, especially when the legitimate objective of privacy intrusions concerns protection against such serious and massive threats to life as terrorism can pose in the digital age. Necessity, on the other hand, if advanced solely as an abstract and absolutist requirement, may have appeared to some States as too difficult to establish, even post-facto and even, or especially, when the threat has not materialized. Here the international community will do well by developing better common understandings and common guidelines about the procedural and substantive specifics for the concept of necessity,  – in particular about one concrete condition, the need to first examine and implement human-rights-based alternatives for the pursuit of legitimate aims, i.e. before an intrusion into privacy could be justified under the necessity requirement. Importantly in this context, the revised 2014 version notes not only that “the prevention and suppression of terrorism is a public interest of great importance”, it reaffirms at the same time that “States must ensure that any measures taken to combat terrorism are in compliance with their obligations under international law, in particular international human rights, refugee and humanitarian law”.

While both the 2013 and 2014 resolution express deep concern “at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights”, both also fail to state more clearly the responsibility of States in their extraterritorial reach. Whereas the original 2014 version notes at least that “a State’s exercise of power or effective control over communications infrastructure, regardless of its location, may engage its human rights obligations relating to the right to privacy” and emphasizes that human rights obligations apply to regulatory jurisdiction “over private parties that physically control data, regardless of their location”, the revised version neglects to highlight the irrelevance of location and relevance of effective control. Yet a State arguing that its intrusive extraterritorial reach is unfettered by the right to digital privacy (or for that matter, a State arguing for such unfettered reach with regard to foreigners) does not only disregard that human rights are inherent to everyone everywhere, such a State diminishes rather than enhances its own status. As much as responsible and principled authority may be esteemed, dark and unbound power is feared and despised. Disconcerting too, the arguments of a State in support of unfettered extraterritoriality endanger the rights of its own citizens and its own State order: Not only do citizens communicate worldwide and digital communications and data spin around the globe, the door is opened to other States to argue and act likewise,  – including States that may not be allies.

One of the preambular paragraphs in the 2013 resolution emphasized that “unlawful or arbitrary surveillance and/or interception of communication, as well as unlawful or arbitrary collection of personal data, as highly intrusive acts, violate the rights to privacy and to freedom of expression and may contradict the tenets of a democratic society.” The original version for 2014 added detail to the list of highly intrusive acts towards personal data by expressly including “data about communications, known as metadata” and elaborated that the surveillance, interception and collection of data may contradict the tenets of a democratic society “especially when undertaken on a mass scale”.  Yet the corresponding paragraph in the revised final 2014 Third Committee version softened the expanded wording to “including when undertaken on a mass scale”.  The reference to metadata was deleted. Instead a new preambular paragraph offered a less categorical but also more telling assessment by “[n]oting that while metadata can provide benefits, certain types of metadata, when aggregated, can reveal personal information and can give an insight into an individual’s behaviour, social relationships, private preferences and identity.”

As did the 2013 resolution, the 2014 resolution calls upon States to establish oversight mechanisms, with the latter resolution being more specific and expansive. Tellingly, here too a reference to metadata in the original 2014 version no longer appears in the revised version.

Similar deletions are apparent elsewhere. References to mass surveillance, metadata and non-discrimination in a new 2014 paragraph on access to effective remedy disappeared from the revision. Nevertheless, the explicit call for access to effective remedy represents strong progress over the 2013 resolution. Such remedy would at the least entail apology and an end to the intrusion. Overstretched reasoning, callous belittling of the violation or the tantrum of a child caught with its hands in a cookie jar would not do.

The 2014 resolution recognizes that “the exercise of the right to privacy is important for the realization of the right to freedom of expression and to hold opinions without interference and the right to freedom of peaceful assembly and association, and is one of the foundations of a democratic society.”  Vice versa, violations of the right to privacy typically entail violations of other human rights. Strangely, the link to the right to life expressed in the original 2014 version is missing in the revision. Yet as much as digital technology both enhances and endangers freedom, it both enhances and endangers life. Specifically, it can protect health and well-being and it can facilitate ‘disappearances’ and killings.

In light of the differences of opinion and the continuing shortcomings in clarity, it is particularly valuable that insight about the right to privacy in the digital age will be driven further forward: The 2014 resolution encourages “the Human Rights Council to remain actively seized of the debate, with the purpose of identifying and clarifying principles, standards and best practices regarding the promotion and protection of the right to privacy, and to consider the possibility of establishing a special procedure to that end.”

The General Assembly will remain seized of the matter.

So will the world.

Evading all digital technology, declining its promise outright is neither a realistic nor a moral option anymore. How then to differentiate between the gift and the Trojan horse? For starters, it helps to listen to Cassandra.

Jutta F. Bertram-Nothnagel, UIA Director of the Relations with Intergovernmental Organizations
13 December 2014