Privacy & Data Protection
In the digital age, data plays an important role in our everyday life. It is present in a lot of obvious ways. But data collection can also be less visible. For example, data brokers. These businesses concentrate on creating comprehensive profiles of people for advertisers. A single profile might draw up to fifteen hundred data points. This can include a person’s gender, browsing history details, political interest and even health records. One U.S. based data broker; Acxiom claims to possess files on 10% of the world’s population. In 2013, Edward Snowden uncovered a vast regime of mass government surveillance programs opening a global conversation which is still unfolding today. Article 12 of the Universal Declaration of Human Rights treats privacy as a definite right. It says that “No one shall be subjected to arbitrary interference together with his privacy, family, home or correspondence. Everyone has the right to the protection of the law against such interference or attacks.“
Agreeing with what is privacy, has proved harder. Depending on the context we can see, it is the right to freedom of thought in conscience, the right to be left alone, the right to control one’s own body, the right to protect one’s reputation, the right to family life and the right to sexuality. There are other ambiguities. In legal terms, privacy isn’t an absolute right. This means privacy can be restricted for certain reasons for example to protect national security, public safety or if it is in conflict with other rights like the right to free expression. Another example could be of a public figure invoking privacy in disclosing his financial records. But data protection is not the same as privacy. Privacy is a broad concept referring to a condition which enables a basic foundation of human dignity and autonomy. Data protection is more specific. It is concerned with the ways the third party handles the information they hold about us, how it is collected, shared, stored, processed and used. In other words, privacy is the big picture and data protection is one part of it. Like privacy, data protection is also subject to limitations. For example, when a warrant is obtained allowing the officers to access the firm records of a suspect. Whereas, data protection is more firmly defined than privacy how it can be applied legally, and it can vary depending on the country you belong to.
The digital age has created new ways to collect, access, analyze and use data, often across multiple borders and jurisdiction and surprisingly this process challenges human rights. A notable challenge relates to the way companies use our data. The internet business model depends on people sharing their data in exchange for access to content services and social media platforms. By clicking agree to the terms of service users technically consent to this model. But in reality no one reads them. This creates a problem as no one knows what they are agreeing upon which creates opportunities for misuse.
Another challenge which is being faced relates to the gathering of private data by governments. Technology developers now enable the government to monitor our conversations, transactions and locations we visit. In some countries including Russia, Australia, Brazil and South Korea companies are legally required to store this data digitally for a long period making it easier for the government to get information about their citizens. These measures are often introduced within the name of fighting cyber-crime and terrorism. But without adequate protection this data can easily be abused to target citizens and activists, undermining freedom of expression and the right to association and assembly. These are the technologies we have now.
Emerging technologies like internet wearables and artificial intelligence are likely to pose new challenges to human rights. As human right defenders, we should be prepared for these. Accordingly, many bodies and forums are established for related discussions. National and Regional courts have a crucial role to play here. The European Court of Human Rights has imposed limits to stop and search practice by the police and the amount of time data can be legally retained. At the national level, it’s common to seek out a selected public body liable for privacy and data protection. This can be an independent post or an ombudsman. But it tends to find that privacy varies widely between different jurisdictions. For example, there’s no clear right to privacy in African Charter on Human and People’s Rights. However, there is a mechanism at the international level.
Following a U.N. Resolution on the right to privacy in the digital period the Human Rights Council has established a new special rapporteur for privacy and various internet policy forums like the Internet Governance Forum (IGF), the Council of Europe, the Organization for Economic Cooperation and Development (OECD) and conferences like HOPE, CYFY also contribute in shaping the scope of privacy in the digital age. And lastly, we have companies. The decisions of the companies can also have an impact on data protection and privacy rights. For example, by building end to end encryption into the software as WhatsApp did in early 2016.
Case Studies
Apple v. FBI
After the 2016 terrorist attack in the U.S. city of San Bernardino, the FBI asked Apple for the data stored on the iPhone of one of the suspects. However, Apple’s OS is encrypted and only accessible through a pin code. The FBI asked Apple to switch the system to allow them in. Apple refused, opening a lively debate on right to privacy versus security needs. The case was almost taken to the court but in the end, the FBI found vulnerability to crack the phone. In privacy terms, this was a legal setback. If the case had gone to court it could have led to popularizing the risks of weakening encryption for society and establishing what constitutes a legitimate limitation on privacy by the state.
Surveillance in Kenya
In Kenya, a mixture of invasive surveillance measures and a scarcity of adequate data protection facilitated a crackdown on civil society in 2013 which was documented by Peace Brigades International. Many human rights defenders had their offices raided, computers hacked and phones tapped by the government. One of the ways human rights defenders had been fighting back is by pushing for the ratification of Kenya’s first data protection law. If implemented properly this could limit the worst excesses of state surveillance. Kenya is by no means the only country to bring in the surveillance legislation justified by security concerns. But this example is a good demonstration of how seemingly abstract restriction on online privacy can have physical consequences in the offline world.
Hence the human right defenders must take up measures to strengthen and protect privacy and data protection. An easy first step is by taking security measures by ourselves. This can be as simple as using encryption and anonymity tools. Human rights defenders can also advocate for alternative digital business models which are based on the extraction and sale of data. Economic pressure on existing models is already growing. For example, over the last few years, the number of users using ad block software globally have exploded. This is pushing companies to less invasive advertising practices. Engagement in debates at the national and regional levels is crucial. Where privacy protections are weak, human rights defenders got to actively advocate for stronger ones and even where they’re stronger, we should form legislation in keeping up with new technologies like the internet developments. Automatically if we want things to change human rights defenders need to make these issues accessible and relatable and by being more creative the way we talk about them. When people see how data protection and privacy effects on a day to day basis, they may be more inclined to engage with these concepts.