Your NEW guide to surveillance human rights standards is here

A glimpse into what you can find in the new version of PI’s Guide to International Law and Surveillance. From surveillance of public spaces to spyware and encryption, it’s got everything!

The fourth edition of PI’s Guide to International Law and Surveillance provides the most hard-hitting past and recent results on international human rights law that reinforce the core human rights principles and standards on surveillance. We hope that it will continue helping researchers, activists, journalists, policymakers, and anyone else working on these issues.


The new edition includes, among others, entries on (extra)territorial jurisdiction in surveillance, surveillance of public spaces, facial recognition technologies, spyware, and encryption. It also features new sections dedicated to “safeguarding civic spaces”, “the role and responsibilities of companies in surveillance”, and “acquiring and selling surveillance equipment”.


Here is a selection of topics you can find in this version!

On jurisdiction and extra-territoriality

As with other human rights, states are bound to respect individuals’ right to privacy even when acting outside their frontiers. The UN human rights bodies have been warning of the risks that journalists and human rights defenders face and have condemned instances where they were targets of extraterritorial surveillance. For instance, the UN Human Rights Council emphasized:

the particular risks with regard to the safety of journalists in the digital age, including the particular vulnerability of journalists to becoming targets of unlawful or arbitrary surveillance and/or the interception of communications, hacking, including government-sponsored hacking, malware, spyware, forced data handover or denial of service attacks to force the shutdown of particular media websites or services, in violation of the rights to privacy and to freedom of expression,

2. Also condemns unequivocally the extraterritorial targeting of journalists and media workers, including […] surveillance, and urges States to cease and/or refrain from such attacks or measures;

UN Human Rights Council Resolution on the Safety of Journalists, UN Doc A/HRC/RES/51/9 (6 October 2022)

While such statements ascertained the extraterritorial application of the right to privacy, human rights jurisprudence clarified states’ obligations for such transboundary surveillance. In the 2023 Wieder and Guarnieri case, the European Court of Human Rights found the UK to exercise jurisdiction because the interception of communications was carried out purely from UK territory. Europe’s top human rights court underlined that the assessment is made from the perspective of where the interference takes place, and not where the individual whose communications data is interfered with is located. The Court explained that:

93. […] in the specific context of Article 8, it could not seriously be suggested that the search of a person’s home within a Contracting State would fall outside that State’s territorial jurisdiction if the person was abroad when the search took place. While some of the elements of a person’s private life (for example, physical integrity) may not readily be separated from his or her physical person, that is not necessarily the case for all such elements.

Wieder and Guarnieri v the United Kingdom, Apps Nos 64371/16 and 64407/16, Judgment, European Court of Human Rights (12 September 2023)

The European Court therefore confirmed that any programme of data interception (or other secret surveillance programme) that the intelligence agencies operate from their territory must be fully compliant with the human rights of those subjected to such an interference irrespective of where the victims are. For the first time, the Court explicitly stated that these human rights obligations stand even when the programme’s effects span across state borders – the fact that the subjects of such interference might be located outside the territory of the state in question is immaterial in that regard.

Surveillance of public spaces

While the trend of placing public spaces under mass surveillance is on the rise, human rights bodies have been repeatedly confirming that individuals do not surrender their right to privacy by exercising their rights in the public sphere. 

Among others, the UN Office of the High Commissioner for Human Rights confirmed that:

43. Systematic surveillance of people in the public space online and offline, in particular when combined with additional ways to analyse and connect the obtained information with other data sources, constitutes an interference with the right to privacy and can have highly detrimental effects on the enjoyment of other human rights.

Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, UN Doc A/HRC/51/17 (4 August 2022)


The UN Office of the High Commissioner for Human Rights also provided further guidance on how the long-standing principles governing human rights, and the permissibility of interferences, would apply in the context of new technologies. In particular, the Office confirmed that:

52. General monitoring of people in public spaces is almost invariably disproportionate. Surveillance measures in public spaces should be targeted and should address a concrete legitimate aim, such as averting a specific threat to public safety or security that is significant enough to outweigh their adverse human rights impacts. Such measures need to be limited, focused on specific locations and times, for instance, when evidence indicates that a crime is likely to occur or that threats to public safety and security may emerge. No less privacy-invasive alternative should be available. It is essential to impose strict limitations on the duration of storage of captured data and the associated purposes for which such data is to be used. Remote biometric surveillance systems, in particular, raise serious concerns with regard to their proportionality, given their highly intrusive nature and broad impact on large numbers of people.

Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, UN Doc A/HRC/51/17 (4 August 2022)

Yet states have a wide array of tools at their disposal for surveilling public spaces, from CCTV cameras to mobile phone monitoring and many others. Beyond clarifying the human rights principles applicable to surveillance of public spaces, international instruments have been providing further clarity on the international human rights standards applicable to specific types of technologies that have been increasingly employed, such as facial recognition technology and social media monitoring.

Social media monitoring

Social media have increasingly been relied upon as a forum for mobilising social action and coordinating protests. It is precisely this convening function that renders them susceptible to increased surveillance by governments. Social media can reveal identities and affiliations of organisers, as well as all information relating to the protest. In its General Comment the UN Human Rights Committee has highlighted that:

62. The mere fact that a particular assembly takes place in public does not mean that participants’ privacy cannot be violated. The right to privacy may be infringed, for example, by facial recognition and other technologies that can identify individual participants in a crowd. The same applies to the monitoring of social media to glean information about participation in peaceful assemblies. Independent and transparent scrutiny and oversight must be exercised over the decision to collect the personal information and data of those engaged in peaceful assemblies and over its sharing or retention, with a view to ensuring the compatibility of such actions with the Covenant.

UN Human Rights Committee, General Comment No 37 (2020) on the Right of Peaceful Assembly (Article 21), UN Doc CCPR/C/GC/37 (17 September 2020)

In its 2022 report, the UN Office of the High Commissioner for Human Rights called on states to:

57. […] (c) Adopt adequate legal frameworks that govern the collection, analysis and sharing of social media intelligence that clearly define permissible grounds, prerequisites, authorization procedures and adequate oversight mechanisms;

Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, UN Doc A/HRC/51/17 (4 August 2022)

Facial recognition technologies

The 2024 Olympic Games have been used by the hosting country as an excuse for putting forward automated surveillance technologies, including facial recognition technologies (FRT), in public spaces, in the name of national security. Similarly, there are increasing accounts of FRT being used against protesters.

One such case was that of Glukhin, whose identification, location and arrest, and subsequent conviction, were enabled by the use of facial recognition technology. In 2023, the European Court underlined the particularly intrusive nature of FRT and emphasised the importance of such technology being accompanied by adequate safeguards. In particular:

90. In the light of all the above considerations the Court concludes that the use of highly intrusive facial recognition technology in the context of the applicant exercising his Convention right to freedom of expression is incompatible with the ideals and values of a democratic society governed by the rule of law, which the Convention was designed to maintain and promote. The processing of the applicant’s personal data using facial recognition technology in the framework of administrative offence proceedings […] cannot be regarded as “necessary in a democratic society”.

Glukhin v Russia, App No 11519/20, Judgment, European Court of Human Rights (04 July 2023)

The European Court stated that the domestic law basis was overly broad, and that no procedural safeguards were provided. Further, given its particularly intrusive nature, the Court underlined that “the highest level of justification was required for the use of live facial recognition technology” – which was not met when a person had only been charged with a minor administrative offence, as in this case.

Spyware

While hacking technologies are usually employed under the pretext of preventing terrorism or combating serious crime, over and over again reports of UN bodies and experts (among others) have shown that they are rather directed at journalists, lawyers, political opponents, or ordinary citizens. Such use of surveillance technologies disrupts public participation and media freedom, and risks further erosion of democracy.

The use of Pegasus spyware by numerous states has revealed the potential of spyware to erode people’s privacy, repress protests and freedom of expression, and create a chilling effect for journalists and human rights defenders. This prompted the UN Office of the High Commissioner for Human Rights, among others, to warn against the use of spyware and to alert that such technology would most likely be unlawful. Namely, the 2022 report stated that:

19. Even if legitimate goals are being pursued, such as national security objectives or the protection of the rights of others, the assessment of the necessity and proportionality of the use of spyware severely limits the scenarios in which spyware would be permissible. […]

Report of the Office of the United Nations High Commissioner for Human Rights, The right to privacy in the digital age, UN Doc A/HRC/51/17 (4 August 2022)

Also, the UN General Assembly, among others, has called on states to

[…] refrain from employing unlawful or arbitrary surveillance techniques, which may include forms of hacking,

UN General Assembly Resolution on the Right to Privacy in the Digital Age, UN Doc A/RES/77/211 (15 December 2022)

Encryption and anonymity tools

Encryption and anonymity tools have been a long-standing example of a measure enabling everyone to communicate freely and exercise their freedom of assembly, as well as allowing journalists to carry out their work. 

While states continue to push for measures seeking to undermine encryption protections, human rights bodies have urged states not to impose barriers to the use of encryption tools or interfere with their functioning. The UN General Assembly also emphasized that

[…], in the digital age, technical solutions to secure and to protect the confidentiality of digital communications, including measures for encryption, pseudonymization and anonymity, are important to ensure the enjoyment of human rights, [Added further:]

12. […] that in the digital age, encryption and anonymity tools have become vital for many journalists and media workers to freely exercise their work and their enjoyment of human rights, in particular their rights to freedom of expression and to privacy, including to secure their communications and to protect the confidentiality of their sources, and calls upon States not to interfere with the use by journalists and media workers of such technologies and to ensure that any restrictions thereon comply with the obligations of States under international human rights law;

UN General Assembly Resolution on the Right to Privacy in the Digital Age, UN Doc A/RES/77/211 (15 December 2022)

In 2024, in a historic judgment, the European Court of Human Rights upheld the safeguards against indiscriminate surveillance and barred the possibility to decrypt communications. In the Podchasov case, the European Court was faced with a case where the relevant state authorities had requested the decryption of communications relating to six terrorist suspects.

The Court reiterated the inherent risks of arbitrary interference to the individuals’ right to privacy in cases of secret surveillance, where the capacity for the given individuals or the broader public to exercise oversight is diminished. It stressed that:

80. […] the requirement to decrypt encrypted communications, as applied to end-to-end encrypted communications, cannot be regarded as necessary in a democratic society. In so far as this legislation permits the public authorities to have access, on a generalised basis and without sufficient safeguards, to the content of electronic communications, it impairs the very essence of the right to respect for private life under Article 8 of the Convention. The respondent State has therefore overstepped any acceptable margin of appreciation in this regard.

Podchasov v Russia, App No 33696/19, Judgment, European Court of Human Rights (13 February 2024)

The Court further underlined that any interception of communications data (provided that legitimate aims are pursued) needs to be coupled with adequate safeguards. In this case, however, decrypting specific communications requires weakening the encryption of all communications. As the Court alerted:

77. […] Weakening encryption by creating backdoors would apparently make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications. Backdoors may also be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications.

Podchasov v Russia, App No 33696/19, Judgment, European Court of Human Rights (13 February 2024)

In essence, the Court underlined that the indiscriminate effects and inherent risks of weakening encryption render even targeted decryption disproportionate.