The Right to Privacy
Module 1: General Overview of Trends in Digital Rights Globally and Expected Developments
In the last decade, there have been considerable developments relating to the exercise of the right to privacy online.
The last decade saw the coming into force of the General Data Protection Regulation (GDPR). This was a significant development as it exposed the increasing need to protect the right to privacy in the rapidly changing technological landscape. Human Rights Watch has noted that comprehensive data protection laws are vital for securing human rights. It further stated that the GDPR has developed new safeguards that are necessary for the advancement of human rights in a digital age. In particular, it protects people against gratuitous data collection. Since the GDPR came into effect, approximately 95 000 complaints have been filed and 59 000 breaches have been reported, with approximately 60 million euros worth of fines imposed.(1)
The California Consumer Privacy Act (CCPA) came into effect in January 2020, seeking to address how private companies are allowed to collect and use data of California residents. The CCPA allows residents of California to know:
- What personal information a data company has collected about them.
- What personal information third parties have obtained about them.
- The specific personal information a company has compiled about them.
- Specific inferences that have been made about them based on their personal information.(2)
The CCPA undoubtedly increases data privacy protections and sends a strong message that “[i]n a GDPR + CCPA world, negligence of data privacy protections will not be tolerated and will result in higher fines.”(3)
Beyond the GDPR and CCPA, other countries have started to enact data privacy laws which are aimed at protecting people’s data. The UN Conference on Trade and Development (UNCTAD) has found that of the 107 countries they reviewed (of which 66 were developing or transition economies):
- 57% of countries have data protection legislation.
- 10% of the states have draft legislation.
- 21% of countries have no legislation.
- 12% of countries have no data available.
UNCTAD further found that Africa ranks at the lower end of the spectrum, with ten of the reviewed countries having no legislation and five with draft legislation. The Democratic Republic of Congo was found to have no legislation for electronic transactions or cybercrime, and there was no data on consumer protection and privacy and data protection. Mozambique was found to have draft legislation for electronic transactions, no legislation regarding cybercrime and no data on consumer protection and privacy and data protection. Egypt has electronic transactions and cybercrime legislation and draft legislation for consumer protection, but no legislation relating to privacy and data protection. Kenya recently enacted the 2019 Data Protection Act, which provides for the regulation of the processing of personal data, the rights of data subjects and obligations on data controllers.
While many countries have data protection frameworks in place, there is a significant lack of implementation of these frameworks. A typical example would be South Africa. The Protection of Personal Information Act 4 of 2013 was signed into law in 2013, but the substantive provisions of the legislation are still not in force.(4)
Data Protection in Africa
Data Protection Africa (DPA) is an online tool that provides a full review of data protection laws in 32 African countries. The website allows lawyers, activists and individuals to navigate the data protection space and learn about:
- What constitutes personal information in a particular jurisdiction.
- How that information should be collected and processed.
- How that data can be transferred across borders.
- What breach notifications apply in a jurisdiction if data is leaked to an unauthorised third party.
- What steps can be taken to remedy such breaches, including the contact information of operational data protection authorities.
The GDPR and the CCPA have hopefully set the tone going forward and there is a high possibility that other states will follow suit. This is not necessarily because other states are eager to endorse the data protection status quo of the GDPR and the CCPA, but rather because cross-border transactions and multinational corporations that function across multiple jurisdictions require data protection regulations. It appears that African states are recognising the need to enact data protection laws in light of this trend.
Mass and targeted surveillance practices are on the rise, and there is a notable absence of international legal frameworks and strict safeguards in place. Surveillance is a genuine affront to the right to privacy.
The European Court of Human Rights is currently seized with the matter of 10 Human Rights Organisations v. United Kingdom in which human rights defenders are challenging several issues relating to the powers of the British government to engage in surveillance. In South Africa, the Amabhungane Centre for Investigative Journalism NPC and Another v Minister of Justice and Correctional Services and Others case is presently challenging issues in relation to the South African surveillance regime, which was found to be unlawful and invalid. The case came before South Africa’s Constitutional Court in February 2020 in order for the Court to determine whether to confirm the unconstitutionality of specific provisions of the Regulation of Interception of Communications and Provisions of Communication Related Information Act.
These two developments indicate that the issue of surveillance is one of which the international community is aware. This could mean that states may be obligated to put in place more robust legal frameworks and strict safeguards relating to surveillance in the future.
Further to this, the use of video surveillance and closed-circuit television (CCTV) is becoming a common surveillance occurrence across the world. Increased security threats have generated excessive responses by state and non-state actors who justify the widespread use of CCTV. This form of surveillance and monitoring is susceptible to an array of abuses. The American Civil Liberties Union identified the following:
- Institutional abuse.
- Abuse for personal gain.
- Discretionary targeting.
- Location monitoring.
CCTV cameras are mostly unregulated and have a chilling effect on public life. The quality and sophistication of video surveillance is becoming more salient, but Privacy International warns that:
“Such developments in video technology will undoubtedly be applied in contexts that are beneficial. However, the egregious capabilities enabled by the improved technology must be of primary concern before rushing to implementation.”
The collection of biometric data and the use of facial recognition technologies
Biometric data collection entails the identification and authentication of a person based on unique biological characteristics. According to the 2020 Review of biometrics by Gemalto, biometric technologies are most frequently used for the following:
- Law enforcement and public security: identifying criminals, suspects and victims.
- Military: identifying enemies and allies.
- Border, travel, and migration control: identifying travellers, passengers, and nationality.
- Civil identification: identifying citizens, residents and voters.
- Healthcare and subsidies: identifying patients, beneficiaries, and healthcare professionals.
- Physical and logistical access: identifying owners, users, employees and contractors.
- Commercial applications: identifying consumers and customers.
The use of biometric technology is proliferating, and the use of encryption keys and passwords is declining. The pace at which biometrics are being implemented is a cause for concern. Ford predicts that states may not be equipped to deal with security and data storage challenges; alternatively, countries might be well equipped and are using biometrics for nefarious purposes. There are growing concerns that the frequent use of biometric technologies has become unduly intrusive, contributing to the burgeoning network of surveillance technologies. Liberty has noted that:
“Use of big data and new technologies is often viewed as a panacea for the challenges that modern-day law enforcement faces. Technologies such as mobile fingerprint scanners, facial recognition and mobile phone data extraction, used in conjunction with one another and police super-databases, risk changing the relationship between the individual and the state, creating a society in which anonymity is the exception, and pervasive surveillance is the norm.”
The perpetual catch-22 with the rise of technology is equally relevant in relation to biometrics. The 2020 Report by Gemalto on biometric voter registration reveals that value can be gained from biometric technology, particularly in ensuring the improvement of electoral processes. Daily Maverick suggests that biometrics can potentially:
- Improve voter registration and identification.
- Produce a credible electoral register.
- Reduce electoral fraud.
Biometrics and elections in Africa
The 2012 and 2016 elections in Ghana relied on biometric technologies. Some voters found the experience easy and time-efficient; some said it encouraged them to vote, while others were frightened by the experience and did not vote as a result.(5)
The use of biometrics for voting is on the rise in Africa. Privacy International reports that Niger is the latest of over 30 African countries to adopt biometric technologies during elections.
Despite the potential to facilitate well-functioning free and fair elections, there are concerns around the use of biometrics in developing or transitioning economies, including high costs, limited data literacy, and ineffective data protection regimes.
European Digital Rights (EDRi) explains that facial recognition technology is a type of biometric identification which “uses statistical analysis and algorithmic predictions to automatically measure and identify people’s faces to make an assessment or decision.” EDRi, however, notes that facial recognition technology is criticised for reflecting social biases resulting in the racial profiling of individuals and the creation of assumptions regarding sexual orientation and gender identity.
The 2020 Report by Gemalto on the top seven trends recorded:
- Facial recognition technologies are increasingly used to identify and verify a person using their facial features by capturing, analysing, and comparing patterns based on the person’s facial details.
- Facial recognition technologies are predominately used for security and law enforcement, health, and marketing and retail.
Forbes anticipates that facial recognition technology is here to stay, with expected industry growth from $3.2 billion (USD) in 2019 to $7 billion (USD) by 2024 in the United States.(6) Facial recognition will likely continue to be used for surveillance, with strong activism needed to ensure that appropriate safeguards are put in place.
Anonymity and encryption
In the 2015 Report of the UNSR on FreeEx, encryption and anonymity are meant to “provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks.” In the 2018 Follow-up Report, the UNSR stated that:
“the challenges users face have increased substantially, while States often see personal, digital security as antithetical to law enforcement, intelligence, and even goals of social or political control. As a result, competing trends and interests have led, on the one hand, to a surge in State restrictions on encryption and, on the other hand, increased attention to digital security by key sectors of the private Information and Communications Technology (“ICT”) sector.”
Forbes predicts that in 2020 “image security and privacy will percolate to become a top cybersecurity concern, driven by anonymity erosion.” Forbes quoted the CEO of 1Password, who predicts:
“In 2020, governments are going to take an even more active role in cybersecurity through encryption regulation. Governments have been clumsy in their attempts to legislate encryption because that technology has been light years ahead of those that are supposed to regulate it. Next year, they’ll be playing catch-up.”
Bloomberg published an article in February 2020 suggesting that India’s new rules on social media require large social media companies to reveal users’ identities if requested to do so by the Indian government. Bloomberg reports that the new rules could strip 400 million social media users of their anonymity.
As challenges to privacy rise, so will the need to secure anonymity and promote reliance on encryption technologies. These technologies will most likely continue to develop and become more sophisticated. As they do, the threat of increased state intrusions in the private lives of citizens may also rise.