The Right to Privacy
Module 1: General Overview of Trends in Digital Rights Globally and Expected Developments
In the last decade, there have been considerable developments relating to the exercise of the right to privacy online.
The last decade saw the coming into force of the General Data Protection Regulation (GDPR). The coming into force of the GDPR was a significant development as it exposed the increasing need to protect the right to privacy in the rapidly changing technological landscape. Human Rights Watch has noted that comprehensive data protection laws are vital for securing human rights. It further stated that the GDPR has developed new safeguards that are necessary for the advancement of human rights in a digital age. In particular, it protects people against gratuitous and excessive data collection. From the time it came into effect until 2019, approximately 95 000 complaints were filed, and 59 000 breaches were reported, with approximately 60 million euros worth of fines being imposed.(1)
Another flagship data protection law, the California Consumer Privacy Act (CCPA), also came into effect in January 2020, seeking to address how private companies are allowed to collect and use the data of California residents. The CCPA allows residents of California to know:
- What personal information a data company has collected about them.
- What personal information third parties have obtained about them.
- The specific personal information a company has compiled about them.
- Specific inferences that have been made about them based on their personal information.(2)
The CCPA undoubtedly increases data privacy protections and sends a strong message that “[i]n a GDPR + CCPA world, negligence of data privacy protections will not be tolerated and will result in higher fines.”(3)
The GDPR and CCPA set off a wave of other countries passing revised or new data privacy laws which are aimed at protecting people’s data in the modern age. The UN Conference on Trade and Development (UNCTAD) has found that of the 194 countries they reviewed:
- 71% of countries have data protection legislation.
- 9% of the states have draft legislation.
- 15% of countries have no legislation.
- 5% of countries have no data available.
Mapping the state of data protection in Africa
Data protection legislation is crucial to protecting the right to privacy in the digital age. The progression of legislation and regulation in this area has been rapid in Africa in recent years.
dataprotection.africa is an open, online resource that aims to provide a detailed analysis of the governance of data protection across the continent, mapping and analysing the legislation in place in all 55 member states of the African Union.
dataprotection.africa allows lawyers, activists, and individuals to navigate the data protection space and learn about:
- What constitutes personal information in a particular jurisdiction.
- How that information should be collected and processed.
- How that data can be transferred across borders.
- What breach notifications apply in a jurisdiction if data is leaked to an unauthorised third party.
- What steps can be taken to remedy such breaches, including the contact information of operational data protection authorities.
While many countries have data protection frameworks in place, there is a significant lack of implementation of these frameworks, with many countries failing to establish or appoint data protection authorities to enforce these laws.(4)
Cross-border transactions and multinational corporations that function across multiple jurisdictions require data protection regulations, demonstrating the importance of data protection to enabling trade. African states are increasingly recognising the need to enact data protection laws and the focus should now shift towards ensuring the content of these laws meaningfully enables fundamental rights as recognised in international human rights law and ensuring that laws and implemented and enforced.
Mass and targeted surveillance practices are on the rise, and there is a notable absence of international legal frameworks and strict safeguards in place. State-led surveillance is frequently implemented without underlying legal regulation and in a way that lacks transparency and accountability, initiatives which are a genuine affront to the right to privacy.
|United Kingdom||South Africa|
|The ECtHR has addressed the British government’s powers to engage in surveillance, holding that the country’s bulk surveillance programme was a violation of the right to privacy and the right to freedom of expression under the European Convention on Human Rights due to a lack of independent oversight, an overly broad application of surveillance, and a failure to sufficiently protect journalists’ confidential communication.(5)||In South Africa, the Constitutional Court in 2021 declared various provisions of the domestic surveillance law to be unconstitutional as a result of a complaint brought by an investigative journalist whose communications had been monitored by intelligence officials; the Court ordered a range of amendments to improve transparency, safeguards, and oversight mechanisms state surveillance operations.(6)|
These two developments indicate that the issue of surveillance is a continued concern for digital rights, especially in the context of increased global digital reliance and data flows – but also that effective litigation and advocacy can result in important protections and safeguards. States may be obligated to put in place more robust legal frameworks and strict safeguards relating to surveillance in the future to avoid such challenges.
Surveillance and press freedom
In recent years, the use of sophisticated surveillance technology on mobile phones has gained increasing prominence amidst concerns about its extensive abuse to monitor political opponents and activists. In 2021, news broke that at least 180 journalists had been targeted for surveillance by the Pegasus spyware, a system that can be remotely installed on a smartphone enabling complete control over the device.(7) The prevalence and seeming unrestricted usage of such technologies is deeply concerning for the right to freedom of expression, particularly considering its usage in many contexts in which the safety of journalists continues to be seriously at risk.
The Supreme Court of India in 2021 ordered an independent inquiry into allegations that the government deployed the Pegasus spyware against various journalists, politicians and dissidents, and found that the free press’s democratic function was at stake, and that “such chilling effect on the freedom of speech is an assault on the vital public watchdog role of the press, which may undermine the ability of the press to provide accurate and reliable information.”(8)
The use of video surveillance and closed-circuit television (CCTV) is also a common surveillance occurrence across the world, including in combination with facial recognition technology (FRT). State and non-state actors frequently invoke security threats to justify the widespread use of video surveillance and FRT. This form of surveillance and monitoring is susceptible to an array of abuses.
The American Civil Liberties Union has identified the following:
- Institutional abuse.
- Abuse for personal gain.
- Discretionary targeting.
- Location monitoring.
Such surveillance is often unregulated or under-regulated and can have a chilling effect on public life, and risks being abused to monitor critics or activists, to target marginalised groups, and to collect excessive data, often without consent. The quality and sophistication of video surveillance are also becoming more salient, with concerns, for example, that data from video surveillance systems can be combined with other forms of private and public information to create incredibly detailed profiles of people. Conversely, while such surveillance systems are often invasive, the potential inaccuracy and fallibility of the technology is also a concern, with a growing body of evidence that FRT systematically misidentifies certain populations and is vulnerable to racial bias.
European Digital Rights (EDRi) explains that facial recognition technology is a type of biometric identification that “uses statistical analysis and algorithmic predictions to automatically measure and identify people’s faces to make an assessment or decision.” EDRi, however, notes that facial recognition technology is criticised for reflecting social biases resulting in the racial profiling of individuals and the creation of assumptions regarding sexual orientation and gender identity.
The 2020 Report by Gemalto on the top seven trends recorded:
- Facial recognition technologies are increasingly used to identify and verify a person using their facial features by capturing, analysing, and comparing patterns based on the person’s facial details.
- Facial recognition technologies are predominately used for security and law enforcement, health and marketing, and retail.
Forbes anticipates that facial recognition technology is here to stay, with expected industry growth of $7 billion (USD) in 2024 in the United States.(9) Facial recognition is increasingly being used for surveillance. Fortunately, a wave of activism has recently begun to raise awareness about the potential rights implications of these technologies, with some notable successes in both litigation and policy change.
Legal challenge to FRT
In August 2020, British civil liberties organisation Liberty brought a legal challenge against the use of facial recognition technology by police in South Wales. The Court of Appeal ruled that the use of facial recognition technology breaches privacy rights, data protection laws, and equality laws and that there were “fundamental deficiencies” in the legal framework governing its use.(10) In 2019, San Francisco became the first major city in the United States to ban government use of face surveillance technology, with various cities across the world following suit. On calling for such bans, activists frequently cite the discriminatory effects of such technology and its potential risks to privacy, freedom of expression, information security, and social justice.
The collection of biometric data
Biometric data collection entails the identification and authentication of a person based on unique biological characteristics. FRT is considered a form of biometric data that is specifically widely used for surveillance purposes. According to the 2020 Review of biometrics by Gemalto, biometric technologies are most frequently used for the following:
- Law enforcement and public security: identifying criminals, suspects and victims.
- Military: identifying enemies and allies.
- Border, travel, and migration control: identifying travellers, passengers, and nationality.
- Civil identification: identifying citizens, residents and voters.
- Healthcare and subsidies: identifying patients, beneficiaries, and healthcare professionals.
- Physical and logistical access: identifying owners, users, employees and contractors.
- Commercial applications: identifying consumers and customers.
The use of biometric technology is proliferating at a rapid rate, causing significant concern with regard to human rights. States are often ill-equipped to deal with the security and data storage challenges that come with collecting and storing such sensitive personal information, and examples of biometrics being used either for nefarious purposes or to the exclusion of already-marginalised populations abound. There are also growing concerns that the frequent use of biometric technologies has become unduly intrusive, contributing to the bourgeoning network of surveillance technologies. Liberty has noted that:
“Use of big data and new technologies is often viewed as a panacea for the challenges that modern-day law enforcement faces. Technologies such as mobile fingerprint scanners, facial recognition and mobile phone data extraction, used in conjunction with one another and police super-databases, risk changing the relationship between the individual and the state, creating a society in which anonymity is the exception, and pervasive surveillance is the norm.”
As with most technologies, the positive potential is significant, but the potential for rights violations is often ignored or underestimated. The 2020 Report by Gemalto on biometric voter registration argues that value can be gained from biometric technology, particularly in ensuring the improvement of electoral processes, with some advocates arguing that biometrics can potentially:
- Improve voter registration and identification;
- Produce a credible electoral register; and
- Reduce electoral fraud.
Biometrics and elections in Africa
The 2012 and 2016 elections in Ghana relied on biometric technologies. Some voters found the experience easy and time-efficient; some said it encouraged them to vote, while others were frightened by the experience and did not vote as a result.(11)
The use of biometrics for voting is on the rise in Africa, particularly in elections contexts. Examples include Niger, Kenya, and Ghana, amongst others. A long list of other African countries has reportedly either implemented or is considering implementing biometric systems for elections. The Collaboration for International ICT Policy for East and Southern Africa (CIPESA) has documented the deployment of other national biometric technology-based programmes in 16 African countries in recent years.
Despite the potential to facilitate well-functioning free and fair elections, there are concerns around the use of biometrics in developing or transitioning economies, including high costs, limited data literacy, and ineffective data protection regimes, causing serious risks to privacy. There have also been examples of high levels of exclusion of certain populations and abuse by governments embracing the trend of rising digital authoritarianism.
Anonymity and encryption
The 2015 Report of the UNSR on FreeEx highlights that encryption and anonymity are meant to “provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks.” In the 2018 Follow-up Report, the UNSR stated:
“the challenges users face have increased substantially, while States often see personal, digital security as antithetical to law enforcement, intelligence, and even goals of social or political control. As a result, competing trends and interests have led, on the one hand, to a surge in State restrictions on encryption and, on the other hand, increased attention to digital security by key sectors of the private Information and Communications Technology (“ICT”) sector.”
As society’s reliance on digital technologies has increased, users have become increasingly aware of the value of encryption as a tool to protect private communications in the digital era. This is particularly true for users such as journalists, activists, and lawyers, for whom the protection of communications is not merely a personal but also a professional imperative. In parallel with the rise in digital surveillance and cybercrimes discussed above, encryption has become a protective tool for the average internet user rather than something specialised, technical, and out of reach, as it was a few years ago. The United Nations Special Rapporteur on Freedom of Expression has highlighted that “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.”(12)
Simultaneously, the rise of social media as a powerful platform for communication has enabled greater anonymity. States, particularly law enforcement agencies, have begun to push back against this growing use of encryption and anonymity, ostensibly in the interest of safety and security.
The pros and cons of anonymity
While threats to encryption are frequently seen to be mere fronts to authoritarian attempts to control the flow of information and disproportionate efforts to crack down on crime, online anonymity has also drawn contested debates about the need to ensure accountability for online harms while protecting freedom of expression in digital spaces. For example, social media users in LGBTQIA+ communities have cited the importance of online anonymity to facilitating safe discussions about sexuality in environments where such discussions might put them at risk.
Rules on social media passed in India in 2020 reportedly require large social media companies to reveal users’ identities if requested to do so by the Indian government, potentially stripping 400 million social media users of anonymity. CIPESA has reported that state agencies in several African countries can request for decryption of data held by service providers, potentially undermining the very essence of encryption services.
As challenges to privacy rise, so will the need to secure anonymity and promote reliance on encryption technologies. These technologies will continue to develop and become more sophisticated, but as they do, the threat of increased state intrusions in the private lives of citizens and attempts to weaponise and abuse such technologies are also likely to increase.
Recent case law from the ECtHR on anonymity
In 2021, the ECtHR ruled in the case of Standard Verlagsgesellschaft mbH v Austria (no. 3) that the Supreme Court of Austria’s ruling requiring that a media company disclose the identities of registered users that had made comments on its site was a violation of its freedom of expression, because it had failed to take into account the political nature of the comments and to run a test balancing the competing interests.(13)