The Office of the United Nations High Commissioner for Human Rights (OHCHR) released a significant report last week analyzing the meaning of the human right to privacy in relation to electronic surveillance.  Until recently, human rights-based analysis of electronic surveillance has been notably under-developed, and the report is a valuable contribution to a growing field.  The report, “The right to privacy in the digital age,” expresses strong conclusions about a number of the fiercely debated surveillance issues of the last year, yet has received minimal coverage or analysis.  In this post, we highlight a few of the issues which would be of particular interest to Just Security readers.  At the end, we also raise some of the issues left unresolved in the OHCHR report.

1. Background to the report and U.S. attempts to weaken resolution language. The report was prepared pursuant to UN General Assembly resolution 68/167, which requested OHCHR to report on the right to privacy in the context of surveillance, digital communications, and the collection of personal data.  Germany and Brazil introduced a first draft of that resolution in October 2013 following the Snowden revelations. The General Assembly passed a revised resolution in December 2013 without a vote, but only after the United States and some of its Five Eyes allies lobbied– with some success – to water down some of the resolution’s language, particularly with respect to the extraterritorial obligations of states to respect privacy rights and around the rights implications of mass surveillance.  As we explain below, U.S. attempts to weaken the resolution language did not carry through to the OHCHR report.

2. The interception or collection of metadata may interfere with the right to privacy.  The report explicitly rejects the claim that, unlike content data, the collection or interception of metadata does not interfere with the right to privacy. OHCHR concludes that metadata “may give an insight into an individual’s behavior, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication” (¶19).  This is not too surprising a conclusion: the European Union Court of Justice’s Grand Chamber and its Advocate General, the U.S. Privacy and Civil Liberties Oversight Board, and the European Court of Human Rights have all concluded similarly.  Nevertheless, the OHCHR statement is a strong and important one, particularly in light of some views expressed by other UN experts shortly after the Snowden revelations that metadata collection may be less of a concern than content collection.

3. The “possession” of data is sufficient for an interference; “accessing” the data is not necessary.  The report also rejects the claim that the right to privacy is only interfered with when a state accesses, consults, or uses the data that it collects.  The OHCHR concludes that the possession of the personal data in and of itself constitutes interference (¶20). That conclusion is in close keeping with the European Court of Human Rights case of Amann v. Switzerland.

4. Mass surveillance necessarily interferes with privacy.  In recognition of the potential chilling effects of state mass surveillance, the OHCHR states that even “the mere possibility” of communications being captured creates an interference with privacy (¶20).  The “very existence of a mass surveillance programme,” the report says, interferes with privacy rights, as well as with freedoms of expression and association. (For more on the chilling effect, see the section “some unresolved issues” below).

5. The human rights-compatibility of surveillance rests on states demonstrating its “legality,” “necessity,” and “proportionality.”  Once a determination is made that privacy is interfered with, states are then required to demonstrate that surveillance meets the tests of legality, necessity, and proportionality.  States may be able to, for example, justify surveillance on national security grounds, but they must demonstrate satisfaction of the three tests. (¶20-24).  OHCHR concludes that under these tests:

  • mandatory third party data retention appears to violate human rights law (¶26);
  • data-sharing between law enforcement and intelligence agencies may be unlawful because surveillance that “may be necessary and proportionate for one legitimate aim may not be so for the purposes of another” (¶27).

6. Secret law is not properly “law.”  OHCHR explains that surveillance must be conducted pursuant to “publicly accessible law” that is “sufficiently precise” to enable a person to act in accordance with known law (¶¶28-29).  Thus, “secret rules and secret interpretations – even secret judicial interpretations – of law” are not properly “law,” (¶29) and cannot serve as the basis for a surveillance program’s legality.

7. Human rights law governs extraterritorial surveillance. There has been considerable debate on this blog and elsewhere (see, e.g. exchanges between Ryan Goodman and John Bellinger, as well as between David Cole,Ken Roth, Jennifer Daskal, Benjamin Wittes, and Orin Kerr) over the existence or nature of a global right to privacy, entailing governments’ extraterritorial responsibilities to respect privacy.  Following settled human rights law, the OHCHR states that governments must respect the privacy rights of any person within the state’s “power or effective control,” wherever those persons are located (¶32).  That does not, however, resolve the question of, for example, whether a state violates privacy rights through mass surveillance it carries out in other countries (where the individuals whose data is collected are not clearly themselves under the power or effective control of the surveilling state).  Noting the principle that a state may not take actions outside its territory that would be prohibited within its territory, the OHCHR goes on to find that:

“[D]igital surveillance therefore may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a third party that physically controls the data, that State also would have obligations under the [ICCPR].”

OHCHR thus finds that states have extraterritorial obligations where they have a certain degree of power or control over the technical or physical means by which privacy rights are interfered with, whether or not the state has power or control over the individual rights-bearer as such.  Generally, the extraterritorial application of human rights law is explained in terms of the power or control of the state over the person whose rights are at stake, rather than of the means of respecting or violating those rights.  Many discussions of extraterritoriality take place around situations in which a right (e.g. not to be tortured) is inseparable from the rights-bearer’s physical body and where it would generally only be violated where the victim and the perpetrator were in close physical proximity to each other.  The OHCHR’s interpretation of the extraterritorial application of privacy rights seems to recognize that privacy is a right that is readily separated from the body, and that the scope of its protection should match the nature or means of its potential violation. (See this from Martin Scheinin for human rights case law supporting this claim).

8. The rights afforded citizens and non-citizens must be equal.  OHCHR is clear that international human rights law does not permit discrimination on the basis of nationality, and that, where citizens and non-citizens are in the state’s territory, or equally impacted by a state’s exercise of power or effective control, states owe them the same obligations.

9. States must ensure effective safeguards and oversight. The report devotes considerable space to explaining the safeguards that states must put in place to ensure surveillance does not fall foul of international human rights law. For example, the report says that states should have in place “use limitations” to ensure information gathered for a legitimate purpose is not passed along to another party that then uses it for a different purpose.  In addition, the report notes the importance of effective oversight, and, without specifically naming the United States, finds that judicial review in some countries has “amounted effectively to an exercise of rubber-stamping” (¶38).

10. Companies may be complicit in human rights abuses.  In an indication of the growing importance and understanding of the human rights obligations and implications of corporate activity, the OHCHR devotes an entire section of the report to the business-related human rights issues raised by surveillance.  Citing to the widely accepted Guiding Principles on Business and Human Rights, the report notes that companies must respect human rights through their “global operations regardless of where its users are located,” and notes that some of the reported business activities raise concerns that some companies risk complicity in human rights violations (¶43).   OHCHR offers some general guidance for companies, including that they should provide users “meaningful transparency about how their data are being gathered, stored, used and potentially shared” (¶46).

11. Some unresolved issues.  The report leaves a number of issues unaddressed, including:

  • What are the surveillance implications for other rights? OHCHR explicitly notes, briefly, that surveillance may implicate others rights (e.g. the right to life, to freedom of opinion, of peaceful assembly) (¶14). As an example, the report offers: “Other rights, such as the right to health, may also be affected by digital surveillance practices, for example where an individual refrains from seeking or communicating sensitive health-related information for fear that his or her anonymity may be compromised.”  However, the section is under-developed (as the report itself notes), and given the many impacts that surveillance can have on rights other than privacy, it would be worthwhile for future OHCHR reports to explain in greater detail the relevant law and state responsibilities.
  • Can a state receive surveillance data obtained unlawfully? OHCHR states that a state has the responsibility to ensure other states or entities are not violating the privacy rights of people in its jurisdiction. What the report does not spell out, however, is whether states must put in place safeguards to ensure that they do not receive from another state or entity personal data that was gathered outside the bounds of international human rights law. Given the amount of inter-state intelligence sharing taking place, this is an important issue.
  • Is privacy a customary international law right? OHCHR does not explicitly state whether the right to privacy is recognized under customary international law (i.e., binding on a state regardless of its ratification of the International Covenant on Civil and Political Rights).  The report might be read as coming close, in noting that privacy is protected under various international and regional treaties, and in national-level laws, and in concluding that “there is universal recognition” of its “fundamental importance.” (¶13).  However, the report does not address the question of contrary state practice.
  • How does surveillance chill rights?  The OHCHR report references the chilling impact of surveillance. In addition, it notes (¶1) that new communication technologies may promote rights directly, as well as facilitate the work of human rights defenders to document and improve respect for rights.  Particularly since the Snowden leaks, many human rights advocates have discussed and noted the chilling impacts of surveillance on their work, but these impacts of surveillance are largely anecdotal.  Valuable future OHCHR work could more systematically study the chilling impacts of state surveillance.
  • How do privacy rights operate during armed conflict? The report does not address privacy rights specifically in the context of armed conflict.  Given that at least some electronic surveillance operations are occurring in the context of armed conflicts (e.g., in Afghanistan) and in the context of what some states claim are armed conflicts (e.g. the U.S.’ controversially claimed transnational armed conflict with al Qaeda), this is a notable gap.