How to Bridge the Gap? Corporate and Government Surveillance Examined at the UN
This piece was written by PI Legal Officer Tomaso Falchetta and originally appeared here.
On 21 November, the UN General Assembly Third Committee adopted the draft resolution on the right to privacy in the digital age. This came at the same time the UK passed a law (the Investigatory Powers Act) which codified what are arguably the most extreme surveillance powers in the history of any western democracy.
This is the third time the UN General Assembly has adopted a resolution on the topic, and as it did in 2014, the UN has called on all states to review their surveillance legislation, policies, and practices “with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law”.
This comes at a time in which governments around the world are adopting laws that give wider surveillance powers to state security agencies, beyond what is permitted under existing human rights law. Just to name a few, Privacy International had documented this trend in a range of countries, including in China, Colombia, France, Kenya, the Netherlands, Pakistan, Poland, Switzerland, and the United Kingdom.
So, which part of effective implementation of human rights law do governments need explained?
The past couple of years have seen a sharp increase in the scrutiny of surveillance laws and practices by human rights bodies, such as the UN Human Rights Committee. These bodies have developed analysis, raised concerns, and made concrete recommendations for reform. Governments no longer have the excuse that international human rights law does not provide a clear and universal framework for the promotion and protection of the right to privacy.
As the gap between States’ legal (and technological) capabilities and the applicable international human rights standards continues to grow, questions arise about companies and their increasing capabilities to generate, collect, process, and use personal data. In a very welcome development, the UN General Assembly draft resolution addresses the role of companies and the responsibilities of governments to regulate them, including by enacting effective data protection law.
The draft resolution urges companies to establish transparency policies. This step is fundamental: information on how companies collect, process, store, and share customer data, often remains unclear, opaque, or out-of-date. Users are not fully informed about what happens to their data, and often have no meaningful choice in controlling where their data is sent around the world, other than opting out of the digital platforms which are increasingly becoming the locus of economic and social life.
And companies, particularly telecommunication and internet service providers, often play a central role in facilitating surveillance, whether building and configuring telecommunications networks, selling surveillance technology, complying with requests for customer data, or monitoring social media. The resolution begins to address this, although the language adopted is still very cautious as not to upset the secrecy of state surveillance. So the General Assembly only goes as far as recommending states “to consider appropriate measures that would enable business enterprises to adopt adequate voluntary transparency measures with regard to requests by State authorities for access to private user data and information”.
Similarly, the draft resolution timidly approaches the issue of securing privacy of communications. While the final text adopted by the UN does not include specific reference to encryption and other privacy protection tools, it encourages companies to enable secure communication in their networks to protect against unlawful interception.
In summary, the draft resolution offers an important re-statement of the human rights framework that applies in assessing state surveillance measures, and it provides the building blocks to further develop a human rights analysis of the responsibilities of companies to respect the privacy of individuals. The General Assembly also suggests a concrete next step at the UN level, asking the Human Rights Council to convene an expert workshop with a view to contribute to a new report on the topic by the High Commissioner for Human Rights.
The draft resolution adopted by the Third Committee will be voted on by the plenary of the UN General Assembly in the next few weeks. Privacy International calls on all states to support this resolution.