Our key achievements from 2024

It’s important to us at PI that we continue to create real change in the world. We want our work to matter, and we challenge ourselves continuously to verify that it does.

In 2024 we made substantial progress towards concrete systemic change. We challenged governments and corporations that exploit data and technology, pushed for new national and international policy standards, drove standard-setting action by courts and regulators. We educated and campaigned with others.

As a result, we produced significant impacts that directly affect people across the world. Here are some of our biggest achievements from last year.

Challenging governments and corporations

Stemming Big Tech’s buying spree
On 29 January 2024 Amazon terminated their plans to acquire iRobot. That decision came after the European Commission initiated a Phase II in-depth investigation and published its Statement of Objections pointing to potential harms of the merger onto competitors and consumers. PI was granted ‘third-person interest’ status by the European Commission for their review. We also contributed to through our regulatory submissions.

Higher international policy standards

Setting new standards of protections for elections
In June 2024, the Council of Europe committee overseeing its Data Protection Convention adopted guidelines on voter registration and authentication. Elections increasingly use technology and data, and we want these to be fair. The guidelines include positions that PI recommended to the Committee. These guidelines will serve as a reference point for the organisation and management of election processes in countries across the world.

Protecting our products’ security in the EU
On 12 March 2024, the European Parliament approved the Cyber Resilience Act, which defines cybersecurity requirements and standards for “products with digital elements”. We called for measures to ensure that people could count on their products being secure over time and that vulnerabilities were patched. The Regulation now obliges manufacturers to ensure "effective handling of vulnerabilities” for “no less than five years”; as well as to notify authorities about identified vulnerabilities and serious cybersecurity incidents.

Increasing transparency for security-aware consumer choices
On 20 February 2024, the European Council adopted the Directive on empowering consumers for the green transition. As a result of our advocacy the Directive reflects our demands, including that consumers will have information about the minimum period during which devices should receive security updates, accessible through a harmonised label.

Better national policies and regulations

Fighting for stronger protections in South Africa’s intelligence law
In a joint statement with other civil society, we urged the South African Parliament to reject the draft General Intelligence Laws Amendment Bill (GILAB). We also submitted our comments to the Parliament. On 26 March 2024, the National Assembly adopted the third version of GILAB incorporating some of our suggestions. A major win, aligned with our and national civil society’s requests, was the removal of the provision allowing security vetting of non-profit organisations, churches, and their personnel. Additionally, the Bill had improved the regulation of mass interception with stricter controls on data management and protections, recognising the safeguards under the Protection of Personal Information Act. Yet the the fight is not over, the Bill still has shortcomings that need to be addressed.

Progressing regulations on Nigeria’s Private Security Industry Bill
As a result of PI’s input to the Law Reform Committee for the Nigerian Security and Civil Defence Corps (NSCDC), the new draft of the Nigerian Private Security Industry Bill 2024 included new powers to regulate and oversee private surveillance. The current draft law includes private surveillance services as part of the services within the remit of NSCDC; requires that the companies using them need to have training, including on data protection; obliges companies to declare when they acquire and use surveillance equipment; and prohibits unlawful private surveillance.

Courts and regulators adopt decisions setting new standards

Clarifying legal protections against mass secret surveillance in Poland
Four years ago PI, together with Article 19 and EFF, intervened in the Pietrzak and others v Poland case to call out the Polish government’s unrestricted surveillance of communications data. On 28 May 2024, the European Court of Human Rights in its judgment found that Poland’s mass secret surveillance powers indeed violated the right to privacy under Article 8 of the European Convention on Human Rights. It condemned Poland’s operational control regime, retention and use of communications data, and secret surveillance regime under the Anti-Terrorism Act. The Court concluded, among other things, that the requirement on information and communications providers to retain users’ communications data for potential future access by the authorities interferes with the right to privacy. It also noted that the relevant national legislation was not sufficient to ensure proper protection of the right to privacy and thus was not “necessary in a democratic society”. This judgment articulates the need to reform Polish surveillance regulations. It also sets a precedent for other European countries operating in a similar fashion.

Regulator and Courts condemning UK’s GPS tagging of migrants
In 2024, following our interventions and complaints, the UK Government’s policy of tagging migrants with GPS ankle bracelets was dealt serious blows:

• On 1 March 2024, the UK privacy regulator, the ICO, issued its decision on our complaint against the UK Home Office’s GPS tagging of migrants. The regulator found that the Home Office’s pilot of GPS electronic monitoring of migrants breached UK data protection law. The ICO also issued an enforcement notice and a warning to the Home Office for failing to sufficiently assess the privacy risks.
• On 12 March 2024, the High Court of England and Wales handed down the first court judgment on the GPS tagging of migrants, in which PI filed witness evidence.
  The court found that the Home Office had been unlawfully tracking the Claimant with a GPS ankle tag for over a year. The device was even broken for a period though the Home Office did not inform him of that, and having to wear a broken device was found to be a disproportionate interference with his right to private and family life.
• On 15 May 2024, a London Administrative Court handed down its judgment in a case brought by four people without British citizenship who had GPS tagging conditions imposed on them upon release from immigration detention at various points in 2022. The court found that GPS tagging of migrants was unlawful in several respects and breached their right to private life.

Precedent-setting on encryption and Russia
On 13 February 2024, the European Court of Human Rights issued its judgment in the case of Podchasov v. Russia. The Court ruled that “legislation providing for the retention of all Internet communications of all users, the security services’ direct access to the data stored without adequate safeguards against abuse and the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society”. PI intervened in the case by providing a technical and legal analysis of encryption and its key role in the protection of human rights. The Court’s reasoning relies on and cites PI’s submissions. (Listen to our podcast about this fascinating case.)

Ruling holds Colombia accountable for violating the right to defend human rights
In March 2024, the Inter-American Court of Human Rights issued a historic judgment declaring the Republic of Colombia responsible for human rights violations against several members of the Colectivo de Abogados y Abogadas José Alvear Restrepo (CAJAR) and their relatives. This decision marks the first acknowledgment within the inter-American context of a state’s international responsibility for violating the right of people to defend human rights. This violation, according to the Court, was committed through secretive and unlawful intelligence activities, among other methods. The Court reflected in its judgment the positions presented in our intervention, alongside other organisations, represented by the International Human Rights Law Clinic at the University of California, Berkeley, in the case.

Education and Campaigning

PI’s educational materials are helpful to other civil society organisations, data protection authorities, and academics
Over the last year, a number of other civil society organisations, academics and data protection authorities expressed interest or directly used our materials for educational or communications purposes. Among the used materials were: our research on non-fitted devices for immigration cases, generative AI and surveillance capitalism, a tech explainer on election technologies in Kenya, Digital Health explainer, our Long Read on Vertical tech integrations, our Report on the West African Police Information System, the use of protest surveillance into court, and studying under Surveillance: the securitisation of learning.

More scrutiny for big food delivery platforms
Together with 11 other organisations, we launched the Time to deliver answers campaign, calling on food delivery platforms (Just Eat Takeaway, Uber and Deliveroo) to respect their workforce, and improve the transparency and explainability around the algorithms they use. Although we have just started, one of the companies has already replied to us.

Challenging Facial Recognition in the UK
To help draw attention to the lack of adequate safeguards when police use facial recognition technology, our The End of Privacy in Public campaign asking people to write to their elected representatives about the use of FRT in their neighbourhoods. Hundreds of people wrote to their MPs in the UK parliament, prompting them not respond and engage in conversations about FRT.

Demanding Serco to review its business model
Together with organisations working in the migration sector, we deployed a campaign against Serco, calling out Serco’s role in GPS tagging of migrants for the UK Government. Our public action at Serco’s AGM and social media action resulted in public attention to the company’s business model and support of our demands.

Please consider supporting us as we continue our work to protect privacy and human rights around the world.