In the last decade, there have been considerable developments relating to the exercise of the right to privacy online.

Data Privacy

The last decade saw the coming into force of the General Data Protection Regulation (GDPR). The coming into force of the GDPR was a significant development as it exposed the increasing need to protect the right to privacy in the rapidly changing technological landscape. Human Rights Watch has noted that comprehensive data protection laws are vital for securing human rights. It further stated that the GDPR has developed new safeguards that are necessary for the advancement of human rights in a digital age. In particular, it protects people against gratuitous and excessive data collection. From the time it came into effect until 2019, approximately 95 000 complaints were filed, and 59 000 breaches were reported, with approximately 60 million euros worth of fines being imposed.(1)

Another flagship data protection law, the California Consumer Privacy Act (CCPA), also came into effect in January 2020, seeking to address how private companies are allowed to collect and use the data of California residents. The CCPA allows residents of California to know:

• What personal information a data company has collected about them.
• What personal information third parties have obtained about them.
• The specific personal information a company has compiled about them.
• Specific inferences that have been made about them based on their personal information.(2)

The CCPA undoubtedly increases data privacy protections and sends a strong message that “[i]n a GDPR + CCPA world, negligence of data privacy protections will not be tolerated and will result in higher fines.”(3)

The GDPR and CCPA set off a wave of other countries passing revised or new data privacy laws which are aimed at protecting people’s data in the modern age. The UN Conference on Trade and Development (UNCTAD) has found that of the 194 countries they reviewed:

• 71% of countries have data protection legislation.
• 9% of the states have draft legislation.
• 15% of countries have no legislation.
• 5% of countries have no data available.

While many countries have data protection frameworks in place, there is a significant lack of implementation of these frameworks, with many countries failing to establish or appoint data protection authorities to enforce these laws.(4)

Cross-border transactions and multinational corporations that function across multiple jurisdictions require data protection regulations, demonstrating the importance of data protection to enabling trade. African states are increasingly recognising the need to enact data protection laws and the focus should now shift towards ensuring the content of these laws meaningfully enables fundamental rights as recognised in international human rights law and ensuring that laws and implemented and enforced.

More Resources on Data Protection

Surveillance

Mass and targeted surveillance practices are on the rise, and there is a notable absence of international legal frameworks and strict safeguards in place. State-led surveillance is frequently implemented without underlying legal regulation and in a way that lacks transparency and accountability, initiatives which are a genuine affront to the right to privacy.

United Kingdom	South Africa
The ECtHR has addressed the British government’s powers to engage in surveillance, holding that the country’s bulk surveillance programme was a violation of the right to privacy and the right to freedom of expression under the European Convention on Human Rights due to a lack of independent oversight, an overly broad application of surveillance, and a failure to sufficiently protect journalists’ confidential communication.(5)	In South Africa, the Constitutional Court in 2021 declared various provisions of the domestic surveillance law to be unconstitutional as a result of a complaint brought by an investigative journalist whose communications had been monitored by intelligence officials; the Court ordered a range of amendments to improve transparency, safeguards, and oversight mechanisms state surveillance operations.(6)

These two developments indicate that the issue of surveillance is a continued concern for digital rights, especially in the context of increased global digital reliance and data flows – but also that effective litigation and advocacy can result in important protections and safeguards. States may be obligated to put in place more robust legal frameworks and strict safeguards relating to surveillance in the future to avoid such challenges.

The use of video surveillance and closed-circuit television (CCTV) is also a common surveillance occurrence across the world, including in combination with facial recognition technology (FRT). State and non-state actors frequently invoke security threats to justify the widespread use of video surveillance and FRT. This form of surveillance and monitoring is susceptible to an array of abuses.

The American Civil Liberties Union has identified the following:

• Institutional abuse.
• Abuse for personal gain.
• Discretionary targeting.
• Voyeurism.
• Location monitoring.

Such surveillance is often unregulated or under-regulated and can have a chilling effect on public life, and risks being abused to monitor critics or activists, to target marginalised groups, and to collect excessive data, often without consent. The quality and sophistication of video surveillance are also becoming more salient, with concerns, for example, that data from video surveillance systems can be combined with other forms of private and public information to create incredibly detailed profiles of people. Conversely, while such surveillance systems are often invasive, the potential inaccuracy and fallibility of the technology is also a concern, with a growing body of evidence that FRT systematically misidentifies certain populations and is vulnerable to racial bias.

European Digital Rights (EDRi) explains that facial recognition technology is a type of biometric identification that “uses statistical analysis and algorithmic predictions to automatically measure and identify people’s faces to make an assessment or decision.” EDRi, however, notes that facial recognition technology is criticised for reflecting social biases resulting in the racial profiling of individuals and the creation of assumptions regarding sexual orientation and gender identity.

The 2020 Report by Gemalto on the top seven trends recorded:

• Facial recognition technologies are increasingly used to identify and verify a person using their facial features by capturing, analysing, and comparing patterns based on the person’s facial details.
• Facial recognition technologies are predominately used for security and law enforcement, health and marketing, and retail.

Forbes anticipates that facial recognition technology is here to stay, with expected industry growth of $7 billion (USD) in 2024 in the United States.(9) Facial recognition is increasingly being used for surveillance. Fortunately, a wave of activism has recently begun to raise awareness about the potential rights implications of these technologies, with some notable successes in both litigation and policy change.

The collection of biometric data

Biometric data collection entails the identification and authentication of a person based on unique biological characteristics. FRT is considered a form of biometric data that is specifically widely used for surveillance purposes. According to the 2020 Review of biometrics by Gemalto, biometric technologies are most frequently used for the following:

• Law enforcement and public security: identifying criminals, suspects and victims.
• Military: identifying enemies and allies.
• Border, travel, and migration control: identifying travellers, passengers, and nationality.
• Civil identification: identifying citizens, residents and voters.
• Healthcare and subsidies: identifying patients, beneficiaries, and healthcare professionals.
• Physical and logistical access: identifying owners, users, employees and contractors.
• Commercial applications: identifying consumers and customers.

The use of biometric technology is proliferating at a rapid rate, causing significant concern with regard to human rights. States are often ill-equipped to deal with the security and data storage challenges that come with collecting and storing such sensitive personal information, and examples of biometrics being used either for nefarious purposes or to the exclusion of already-marginalised populations abound. There are also growing concerns that the frequent use of biometric technologies has become unduly intrusive, contributing to the bourgeoning network of surveillance technologies. Liberty has noted that:

“Use of big data and new technologies is often viewed as a panacea for the challenges that modern-day law enforcement faces. Technologies such as mobile fingerprint scanners, facial recognition and mobile phone data extraction, used in conjunction with one another and police super-databases, risk changing the relationship between the individual and the state, creating a society in which anonymity is the exception, and pervasive surveillance is the norm.”

As with most technologies, the positive potential is significant, but the potential for rights violations is often ignored or underestimated. The 2020 Report by Gemalto on biometric voter registration argues that value can be gained from biometric technology, particularly in ensuring the improvement of electoral processes, with some advocates arguing that biometrics can potentially:

• Improve voter registration and identification;
• Produce a credible electoral register; and
• Reduce electoral fraud.

Anonymity and encryption

The 2015 Report of the UNSR on FreeEx highlights that encryption and anonymity are meant to “provide individuals and groups with a zone of privacy online to hold opinions and exercise freedom of expression without arbitrary and unlawful interference or attacks.” In the 2018 Follow-up Report, the UNSR stated:

“the challenges users face have increased substantially, while States often see personal, digital security as antithetical to law enforcement, intelligence, and even goals of social or political control. As a result, competing trends and interests have led, on the one hand, to a surge in State restrictions on encryption and, on the other hand, increased attention to digital security by key sectors of the private Information and Communications Technology (“ICT”) sector.”

As society’s reliance on digital technologies has increased, users have become increasingly aware of the value of encryption as a tool to protect private communications in the digital era. This is particularly true for users such as journalists, activists, and lawyers, for whom the protection of communications is not merely a personal but also a professional imperative. In parallel with the rise in digital surveillance and cybercrimes discussed above, encryption has become a protective tool for the average internet user rather than something specialised, technical, and out of reach, as it was a few years ago. The United Nations Special Rapporteur on Freedom of Expression has highlighted that “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection.”(12)

Simultaneously, the rise of social media as a powerful platform for communication has enabled greater anonymity. States, particularly law enforcement agencies, have begun to push back against this growing use of encryption and anonymity, ostensibly in the interest of safety and security.

Rules on social media passed in India in 2020 reportedly require large social media companies to reveal users’ identities if requested to do so by the Indian government, potentially stripping 400 million social media users of anonymity. CIPESA has reported that state agencies in several African countries can request for decryption of data held by service providers, potentially undermining the very essence of encryption services.

As challenges to privacy rise, so will the need to secure anonymity and promote reliance on encryption technologies. These technologies will continue to develop and become more sophisticated, but as they do, the threat of increased state intrusions in the private lives of citizens and attempts to weaponise and abuse such technologies are also likely to increase.

More Resources on Surveillance & Encryption