Where the UN rapporteur on the right to privacy can have the most impact

Two years after the first revelations of Edward Snowden, the UN Human Rights Council has decided to appoint a special rapporteur on the right to privacy, with a particular focus on issues arising in the digital age. The key issues and human rights standards regarding surveillance of digital communications have been the subject of numerous reports, resolutions and cases in recent times (some of which I explored in an earlier post), possibly creating the impression that there is little new ground for the rapporteur to cover when preparing reports and conducting other monitoring activities.

There are a number of timely and emerging issues that the new special rapporteur might address, but the circumstances that gave rise to the mandate’s creation continue to be those that merit exploration the most. The resolution recognizes “the need to further discuss and analyse . . . procedural safeguards, effective domestic oversight and remedies, . . . as well as the need to examine the principles of non-arbitrariness and lawfulness, and the relevance of necessity and proportionality assessments in relation to surveillance practices” and mentions the enhanced “capacity of governments, companies and individuals to undertake surveillance, interception and data collection.” International standards on these points seem to be clear – the European Court of Human Rights, the UN High Commissioner and others have developed guidelines for drafting clear, precise, and accessible laws governing the interception of communications – yet states continue to introduce laws that would expand rather than limit the circumstances under which surveillance can take place. Consequently, reinforcing these standards and highlighting specific examples of good policy practice would not be a redundant task.

The special rapporteur on the right to privacy could similarly elucidate standards on effective oversight of surveillance programs. The UN High Commissioner and special rapporteurs Scheinin and La Rue have indicated that effective oversight should involve the judiciary, the legislature, and independent civilian agencies. In cases involving Germany and the United Kingdom, the European Court has held that while review by an independent judiciary is ideal, oversight by the legislature and independent commissions can be consistent with Article 8 of the European Convention. But over the past two years, questions have been raised about the independence and effectiveness of entities that develop close ties with intelligence agencies on the basis of classified information, receive evidence and input from only one side of the investigation, and may not have a clear mandate to consider the impact of surveillance programs on the privacy rights of persons beyond the state’s borders.   Along the same lines, whether and how individuals might be notified that their communications were intercepted after surveillance has ceased in order to facilitate access to remedy – a principle that the European Court has recommended but not required and that UN rapporteur La Rue embraced – also merits further exploration.

Standards governing the collection and retention of metadata and the extraterritorial application of the right to privacy have also featured prominently in the debate about the right to privacy in the digital age and continue to be salient issues. The UN High Commissioner, the European Court of Human Rights, and the Inter-American Court of Human Rights have all established that the collection of metadata constitutes an interference with the right to privacy, regardless of whether the data is subsequently searched. The Court of Justice of the European Union declared the EU Data Retention Directive invalid in light of its broad provisions requiring the retention of a range of communications metadata without sufficient limitations on the authorities’ access to or use of that data. The UN High Commissioner went a step further, indicating that the mandatory retention of metadata “appears neither necessary nor proportionate.” Nevertheless, states continue to propose and pass mandatory data retention laws, and the European Commission does not appear likely to propose new legislation in the immediate future. With regard to questions of extraterritoriality, while the issue received intense focus prior to the drafting of the UN High Commissioner’s report, it has receded from prominence in recent months. This is likely due to the report’s embrace of the power or effective control test where the right to privacy is concerned (and perhaps also to modest changes by the U.S. government to its policies surrounding the collection of communications data of non-U.S. persons).

In addition to these issues at the core of the right to privacy in the digital age, the new UN rapporteur may choose to explore the use of specific technologies and methods of data collection, such as the increasing use of drones by public and private actors, the building of large biometrics databases, and the loosely-regulated sale of surveillance technologies to repressive regimes. The mandate might also look to shed further light on how private sector practices affect the right to privacy. Private sector cooperation with and sales to governments, as well as company collection and use of personal data, have been subject to increasing scrutiny, and the fact that international standards are less established in this regard may motivate a new special rapporteur to begin with this topic.

While the novelty of new technologies and the responsibility of the private sector may be appealing topics for the new rapporteur to probe in initial reports, there is value in adding substance to the core principles of legality, necessity, proportionality, and effective oversight. It is an opportune moment to make recommendations in this vein: the U.S. Congress is debating legislation in advance of the expiration of the USA PATRIOT Act’s provision allowing for the bulk collection of telephony metadata (although a decision is likely to come before the rapporteur begins). The United Kingdom’s temporary data retention law will expire at the end of 2016, and the European Union may decide to move forward on a new data retention regime. In the name of countering terrorism, states are regularly proposing laws that would expand surveillance capacities. For now, providing meaningful guidance on laws and policies governing state communications surveillance may be the most effective way for a new rapporteur to advance the right to privacy in the digital age.