The Human Rights Council Has Another Chance To Take A Strong Stance To Protect The Right To Privacy. Will It Take It?

News & Analysis
Covers of Privacy International work

Over the next two weeks, the 25th session of the Universal Period Review Working Group will take place in Geneva. The Universal Period Review is a key mechanism of the UN Human Rights Council to remind UN Member States of their responsibility to respect and implement all human rights and fundamental freedoms.

Amongst others, Hungary, the United Republic of Tanzania, Thailand, and Ireland will be reviewed. Privacy International, in collaboration with national civil society organisations in each of these four countries, has submitted joint stakeholder reports presenting our concerns about the protection and promotion of the right to privacy and related issues, as well as recommendations.

 

Thailand

Thailand currently does not have a specific law on interceptions of communications, and such operations are currently regulated in a fragmented manner under various laws. A new privacy and surveillance bill was presented in late 2014 in an attempt to address this dysfunction. However, the Bill is highly problematic as it allowed for mass surveillance of online activities by permitting the extensive and unregulated surveillance powers under the Martial Law Order No. 29 to become law.  Concerns around the Bill are heightened with mounting evidence of the Thai Government’s expansion of surveillance capabilities and increased monitoring of human rights defenders, journalists, and activists on social media. Having presented these issues and others in detail in their joint submission, the Thai Netizen Network and Privacy International conclude that if Thailand’s current government is committed to ensuring a return to democracy for Thailand and its people, it must ensure its compliance with international human rights law and standards, particularly for the protection of the right to privacy.

 

United Republic of Tanzania

The joint stakeholder report submitted by Tanzania Human Rights Defenders Coalition (THRDC), the Collaboration on International ICT Policy in East and Southern Africa, (CIPESA) and Privacy International focused on presenting how the current legal regime which regulates communication surveillance in Tanzania fails to comply with international law and standards. There is no requirement for judicial authorisation nor any independent oversight mechanism of communication surveillance under the various acts which regulate communication interception. The recently adopted Cybercrimes Act of 2015 is currently being challenged by THRDC, who filed a Constitutional Petition in National Court. The 2015 Act’s vague provisions leave room to broad interpretation, it does not provide for judicial authorisation, and it expands the powers of the police, allowing them to resort to intrusive methods such as permitting keystroke monitoring in real time. This is heightened with the lack of transparency around the Government’s existing capacity to conduct surveillance. Further, there is evidence the Government was in contact with an Italian company, Hacking Team, to purchase intrusive surveillance software.

 

Hungary

The Hungarian Civil Liberties Union (HCLU) and PI have raised concerns with the communications surveillance conducted by four intelligence agencies set-up by law for the purposes of national security. These agencies are not required to obtain judicial authorisation, and their operations are not subject to any effective oversight. In May 2014, following the judgement of Hungarian Constitutional Court that ruled in a case brought by two Hungarian citizens that the current legal framework was not contrary to the Constitution the case was taken to the European Court of Human Rights. The applicants argued that the law subjects them “to unjustified and disproportionately intrusive measures….in particular for want of judicial control.”  On 12 January 2016, the Court judged that the legislation on secret anti-terrorist surveillance introduced in 2011 did not have sufficient safeguards to prevent abuse and the scope of measures could permit mass surveillance, and unanimously ruled that there had been a violation of Article 8 of the Convention.

Other areas of concern include the obligations put on communication providers to enable interception and the continuing mandatory data retention policy contrary to the April 2014 decision of the Court of the Justice of the European Union. The decision invalided the EU Directive on Data Retention. While the surveillance infrastructure of the Government remains unknown, there has been evidence produced that shows the Government sought and purchased malware in order to conduct Computer Network Exploitation (also known as hacking). In light of this evidence, there have been further calls for transparency of the capabilities of the Hungarian Government and its security and intelligence apparatus.

Finally, the current legal framework fails to provide the necessary level of protection of whistle-blowers. Under current law, whistle-blowers may still face prosecution for disclosing information which exposes wrongdoings of public or private bodies.

 

Ireland

The current legal regime regulating surveillance in Ireland fails to include a general requirement for prior judicial authorisation. While the inclusion of judicial authorisation in Section 1 of the Criminal Justice (Surveillance Act) 2009 was a welcomed development, such authorisation can be bypassed in Section 7 in case of urgency. User notification is not included in law, and the Postal Packets and Telecommunications Messages (Regulation) Act 1993 actually prohibits user notification under a secrecy provision. This renders access to complaint mechanisms and redress challenging. Furthermore, Irish law does not provide for any oversight of state surveillance by Parliament or any other independent statutory body.

In terms of its surveillance capabilities, it remains unclear whether the Irish state can or does require direct access to telecommunication provider networks. There is evidence that it has been attempting to purchase surveillance malware. In their submissionDigital Rights Ireland, and Privacy International called for further scrutiny of the Ireland’s state surveillance policies and practices.

There has been a strong momentum in the last few years across human rights mechanisms of the UN, including with the creation of the UN Special Rapporteur on privacy, as well as relevant and timely recommendations from the Human Rights Committee. Whilst key recommendations on the right to privacy have been emerging, they have not beenmainstreamed within the UPR mechanism, and we ask the Committee to use this opportunity to push for such fundamental rights to be upheld.

Follow the 25th session of the Universal Period Review on Twitter and with #UPR25 hashtag.