Right to privacy at the UN in 2017 - Don’t let your left hand know what your right hand is doing

Human Rights Council

2017 begun with a progressive Human Rights Council resolution on the right to privacy in the digital age, noting that profiling of individuals may lead to discrimination. It ended with a Security Council resolution on counter-terrorism, calling for profiling of all air travellers and widespread collection and sharing of personal data, as well as introducing biometric technologies on a mass scale.

May this be another example of the tension between human rights laws and counter-terrorism policies?

In recent years, human rights bodies at the UN have increasingly refined their analysis and recommendations on the human rights implications of modern forms of communications surveillance. While the Security Council resolutions on counter-terrorism routinely demand states to “full respect with human rights and fundamental freedoms” when implementing measures to combat terrorism offences, this language seems tokenistic at best if it is not followed by clear guidance on the limits on interference with the right to privacy.

For example, the UN Security Council resolution 2396 (2017) on ‘threats to international peace and security caused by terrorist acts’ requires all UN member states to develop systems for processing and analysing Passenger Name Records (PNR).

Privacy experts have long noted how metadata, such as PNR data, when aggregated, is able to reach very precise conclusions about the private lives of individuals, including their everyday habits and activities, places of residence and daily movements, and their social relationships. Such data can be used to profile individuals. In 2017 the UN Human Rights Council begun to address the consequences of profiling. The resolution reflects on growing consensus that communications data (the ‘who, what, where’ of a message) “can reveal personal information that can be no less sensitive than the actual content of communications”. Noting how such data can be used to profile individuals, the Council expressed concerns that it “may lead to discrimination as well as negatively impact individual’s economic, social and cultural rights”.

So significant human rights analysis is needed before states start collecting and sharing PNR data. For example, in 2017 the Court of Justice of the European Union judged the EU/Canada agreement on the transfer and processing of PNR data as not compliant with the right to privacy and the right to data protection recognized in the EU Charter on Fundamental Human Rights. The judgment notes that while the interferences with privacy may be justified in the fight against terrorism offences, “several provisions of the agreement are not limited to what is strictly necessary and do not lay down clear and precise rules.” And the Court goes on to specify such shortcomings in significant detail.

Similarly, in relation to intelligence sharing, the UN Security Council resolution in various places encourages the sharing of intelligence across jurisdictions.

Clearly, intelligence sharing does not per se violate international human rights law. When done appropriately, sharing of intelligence can enhance human rights protections by helping authorities to identify and curtail threats to the security of its population. However, there is no doubt that international human rights law must apply to intelligence sharing that interferes with the right to privacy and other human rights. The Human Rights Committee has repeatedly stated that laws and polices regulating intelligence sharing must be in full conformity with obligations under the Covenant. The Committee noted in particular the need to adhere to Article 17, including the principles of legality, proportionality and necessity”, as well as the need to put in place“effective and independent oversight mechanisms over intelligence-sharing of personal data”.

For example, last year, the Human Rights Committee confirmed that intelligence sharing must be regulated by law in full conformity with human rights and, in reviewing Pakistan’s compliance with the Covenant, the Committee expressed concerns about the provision in the 2016 Prevention of Electronic Crimes Act, which allows “the sharing of information and cooperation with foreign governments without judicial authorization or oversight”.

Of particular concern, the resolution urges “that Member States consider, where appropriate, downgrading for official use intelligence threat and related travel data related to foreign terrorist fighters and individual terrorists, to appropriately provide such information domestically […], and to appropriately share such information with other concerned States and relevant international organizations in compliance with international and domestic national law and policy”.

How would such downgrading work in practice and how would the sharing comply with human rights standards, including the protection against unlawful sharing of personal data?

In implementing PNR collection, intelligence sharing and other measures that interfere with the right to privacy, governments cannot simply point at the text of the Security Council resolution. They need to demonstrate that such measures are indeed necessary and proportionate to achieve that goal of "preventing, detecting and investigating terrorist offenses " and allow national and international independent bodies, including courts, to assess their compliance with human rights.