CLOSE

Data Privacy and Protection – MENA

  • The right to privacy is gaining prominence with increasing data flows and the concomitant need for the protection of personal information.

  • Although the MENA region lacks a dedicated regional convention on data protection, Convention 108 of the Council of Europe is open for accession by non-European states and has been acceded to by two state in the region.

  • States should ensure that their domestic legislation sets out standards for the lawful processing of personal information and that they maintain this legislation in line with data protection developments.

  • Linked to data protection are the privacy-related concepts of the ‘right to be forgotten’, encryption and limits on government surveillance.

  • Notably, the disclosure of journalistic sources as a result of state surveillance has a negative impact on freedom of expression and journalistic freedom.

Introduction

The right to privacy and the concomitant requirement to protect personal information or data has garnered significant attention since the dawn of the information age.  While the internet and online information-sharing and data collection increase at an exponential rate, legislative developments have failed to keep pace and adequately protect personal information.  However, some states have begun to adopt data protection-related instruments and regulations in an attempt to protect the privacy rights of their citizens.

This module focuses on data protection in the MENA region and the related concepts of the ‘right to be forgotten’, encryption and surveillance.

The Right to Privacy

There is increasing recognition that the right to privacy plays a vital role in and of itself and in facilitating the right to freedom of expression.  For instance, protection of the right to privacy allows individuals to share views anonymously in circumstances where they may fear being censured for those views, it allows whistle-blowers to make protected disclosures, and it enables members of the media and activists to communicate securely beyond the reach of government surveillance.

The right to privacy is guaranteed in article 12 of the Universal Declaration of Human Rights (UDHR).  The right to privacy is also guaranteed in article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides:

(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

(2) Everyone has the right to the protection of the law against such interference or attacks.

The right to privacy is intrinsically linked to the right to private and family life where they can express themselves freely without interference from others, whether official authorities or individuals. This right is enshrined in international law in Article 12 of the Universal Declaration of Human Rights:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.

This is closely echoed in Art. 17(1) of the International Covenant on Civil and Political Rights:

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation.

Regional treaties have followed suit and the African Charter on Human and Peoples’ Rights frames the issue in the context of the inherent dignity of the human being:

Art. 5: Every individual shall have the right to the respect of the dignity inherent in a human being

Art. 6: Every individual shall have the right to liberty…

In a case in Algeria involving harassment of an individual, including slander, defamation and insult in person, in public and on YouTube, the aggrieved individual filed a lawsuit which resulted in a conviction of the defendant and compensation for the victim. The Court cited Art. 34 of the Algerian Constitution (Art. 39 of the 2020 Constitution) in which “the State guarantees the inviolability of the human entity” and considers any “breach of dignity”, and “infringements committed against rights and freedoms and violations of physical and moral integrity of a human being” punishable by law. The Court held that the defendant obtained private information and belongings of the aggrieved without her consent and posted them to public forums on the internet including on YouTube, which constituted harm to the victim’s honor and “a violation of her right to privacy live and to live in peace.” (1)

The issue of the right to privacy in general is quite well established in the decisions of many Courts in the Region, but the specific area of the right to privacy on the internet and the protection of data is relatively novel in several jurisdictions.

It is worth mentioning at the outset that, as was the case with the legitimacy of restrictions on the right to freedom of expression described in Module 3, restrictions on the right to privacy must also comply with the three-part test comprising, legality, legitimacy and proportionality.

These restrictions were severely tested throughout the Covid-19 pandemic during which a large number of applications and internet and mobile-tracing applications were deployed, as a result of which the right to privacy and data protection were largely overridden.(2) This has led to a severely weak framework for the protection of data privacy and data protection in the region, notwithstanding the fact that data privacy and data protection laws are relatively advanced and sophisticated in the protection they provide.(3)

As set out below, we consider specific aspects of the right to privacy and the impact that the internet has had on the enjoyment of this right.

Data Protection

Data protection laws are aimed at protecting and safeguarding the processing of personal information or personal data, which is defined in the EU’s General Data Protection regulation as “any information relating to an identified or identifiable natural person (‘data subject’)”. (4) An “identifiable natural person” is in turn defined as:

…one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data protection is one of the primary measures through which the right to privacy is given effect. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws, in particular those adopted within the European Union, restrict cross-border data transfers in circumstances where one state does not provide an adequate level of data protection.

In recent years, increasing attention to the issue of data protection, spurred by both mass data leaks, a proliferation of national authorities using electronic ID databases and Covid-19 applications, has led to a number of states in the MENA region enacting new privacy and data protection laws, or amending older ones. laws. Since the onset of the COVID-19 pandemic, the greater reliance on digital technologies for remote working and contact tracing has raised novel challenges with respect to privacy and data protection, adding further momentum and urgency to the need to strengthen data protection laws.(5)  

In relation to data protection, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows:(6)

The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.  Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant.  In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes.  Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.  If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.

Most comprehensive data protection laws typically make provision for the following principles:(7)

  • Personal information must be processed fairly and lawfully, and must not be processed unless the stipulated conditions are met.

  • Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with that purpose.

  • Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.

  • Personal information must be accurate and, where necessary, kept up to date.

  • Personal information must not be kept for longer than is necessary for the purpose of collection.

  • Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law, including the right to access, review and where necessary correct the data.

  • Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

In 2019, the Israeli Coordination of Government Activities in the Territories (COGAT) (which is the Israeli military’s civil administration are in the Occupied Palestinian Territories) launched the ‘Al-Munasiq’ app to offer Palestinians from the occupied territories access to civil services including applications for stay and entry permits to Israel for work and other purposes. According to the terms of the use of the app, Palestinian users are required to consent to the collection and use of their data “for any purpose, including for security purposes”(8), including geolocation data, messages and files stored on the phone and access to the camera. The Israeli civil society rights organisation HaMoked applied to the High Court of Justice of Israel claiming that the app violated the users’ right to privacy and dignity under Israeli and international law. The Court dismissed the petition on the grounds that actual harm had not been proven.(9)

The Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’)(10) opened for signature on 28 January 1981 and was the first binding international instrument protecting against abuses stemming from the collection and processing of personal data. The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”. (11) Convention 108 provides for the free flow of personal data between states parties to the Convention.

Convention 108 is open for accession by non-members of the Council of Europe. Although a relatively small number of non-European member states have acceded to it, Morocco (2019) and Tunisia (2017) are the only two from the MENA region to have done so. (12)

In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to personal information.  In this regard, most data protection laws provide for data subjects to request, and be given access to, the information being held about them by a controller.  This mechanism can enable data subjects to ascertain whether their personal information is being processed in accordance with the applicable data protection laws, including whether the information held is correct, and whether their rights are indeed being upheld.

The Right to be Forgotten

The so-called ‘right to be forgotten’ — which is perhaps better described as ‘the right to erasure’ or ‘the right to be de-listed’ — entails a right to request commercial search engines, such as Google, to remove links to private information when asked.  The right to be forgotten progresses from the idea that the right to private life includes a right for past information about oneself, where there is no public interest in accessing, not to be profiled prominently on search results, even though the information will normally remain available on the websites where it is being held.

The leading case on this was decided in 2014, when the Court of Justice of the European Union (CJEU) handed down its ruling in the case of Google Spain v Gonzalez. (13) Mr Gonzalez, a Spanish national, lodged a complaint in 2010 with the Spanish information regulator.  The cause of Mr Gonzalez’s complaint was that, when an internet user entered his name into Google’s search engine, the user would obtain links to pages of a Spanish newspaper from 1998 referring to attachment proceedings against him for the recovery of certain debts.  Mr Gonzalez requested that the personal data relating to him be removed or concealed because the proceedings against him had been fully resolved and the reference to him was therefore now prejudicial.

The CJEU upheld the claim, relying on the EU data protection law in effect at the time.  The CJEU noted that the very display of personal information on a search results page constitutes processing of such information (14) and there was no reason why a search engine should not be subject to the obligations and guarantees laid out under the law.(15) Further, it was noted that the processing of personal information carried out by a search engine could significantly affect the fundamental rights to privacy and to the protection of personal data when a search is carried out using a person’s name, as it enables any internet user to obtain a structured overview of information relating to that individual and establish a profile of the person.(16) According to the CJEU, the effect of the interference “is heightened taking into account the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous”.(17)

With regard to de-listing, the CJEU held that the removal of links from the list of results would also negatively impact the potentially legitimate interests of internet users to access that information, part of their right to freedom of expression.(18) This would require a fair balance to be struck between that interest and those of the data subject, taking into account the nature of the information, its sensitivity for the data subject’s private life, and the interest of the public in accessing the information, which would vary according to the role played by the data subject in public life.(19)

The CJEU went on to hold that a data subject is permitted to request that information about him or her no longer be included in a list of search results where, having regard to all the circumstances, the information appears to be inadequate, irrelevant or no longer relevant, or excessive in relation to purposes of the processing carried out by the operator of the search engine, taking into account the public interest in accessing it.(20) In such circumstances, the information should be delinked from search engine results.(21)

Following this case, in October 2014, Jordan signed a joint declaration establishing a partnership with the European Union and its member states, during which it participated in a policy debate on the right to be forgotten.(22) Almost a decade later, Jordan issued its first comprehensive law to regulate the collection and processing of personal data, the Personal Data Protection Law, No. 24 of 2023, which specifically provides for the right to erasure or redaction of personal and private data, which is a core element of the right to be forgotten.(23)

Tunisia has a similar provision in its laws but does not provide this as a right that can be activated by the person whose data is being held, and states instead that “personal data must be destroyed upon the expiration of the period set for its conservation, or if the purposes for which they have been collected has passed, or when they become unnecessary for the activity of the [data] controller.”(24)

Kuwait’s Law No. 20 of 2014 related to electronic processes contains a chapter entitled ‘Privacy and Data Protection’, Art. 36(a) of which provides for the right to erase and amend any personal data.(25)

Art. 5 of Qatar’s Personal Data Privacy Protection Act 2016 goes into much more detail and provides for: the withdrawal of consent for processing of personal data (notably after it had been given initially); to object to the processing of data if it is not necessary to achieve the purposes for which it was collected, or if processing is objectively excessive, discriminatory, unfair or there is a violation of the law; to request deletion or erasure of the data in the cases referred to above; and to request correction of the data held.(26)

The right to be forgotten has also been recognised in domestic contexts.  For instance, Italy’s Supreme Court of Cassation has held that the public interest in an article diminished after two and a half years, and that sensitive private information should not be available to the public indefinitely.(27) The case was brought before the European Court of Human Rights, which found the restriction on freedom of expression to be justifiable after declining to interfere with Italy’s Supreme Court of Cassation’s balancing of this right with the right to respect for one’s private life.(28) The Belgian Court of Cassation has also recognised the right to be forgotten.(29)

There are, however, limits to the ambit of the right to be forgotten.  In 2017, the CJEU was seized with a request for a preliminary ruling in the case of Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni.(30)  Mr Manni, relying on the Gonzalez decision, sought an order requiring the Chamber of Commerce to erase, anonymise or block any data in the register of companies linking him to the liquidation of his company.  The CJEU declined to uphold Mr Manni’s request and held that in light of the range of possible legitimate uses of data in companies registers and the different limitation periods applicable to such records, it was impossible to identify a suitable maximum retention period.  Accordingly, the CJEU declined to find that there is a general right to be forgotten from public company registers.

Furthermore, other jurisdictions have refused to uphold a right to be forgotten vis-à-vis search engines.  In Brazil, for example, it was held that search engines cannot be compelled to remove search results relating to a specific term or expression;(31) similarly, the Supreme Court of Japan declined to enforce the right to be forgotten against Google, finding that deletion “can be allowed only when the value of privacy protection significantly outweighs that of information disclosure”.(32)

In contrast, a District Court in Israel ordered that Google must remove search results that are tantamount to defamation. In a complex case, a website published a news item after a lawyer was found guilty and convicted in relation to disciplinary proceedings against him by the Israeli Bar Association. The lawyer who represented the Bar Association against the defendant was successful, but was wrongfully identified in the article as the person convicted, and hence appeared in google search results as the convicted lawyer. Google’s algorithms mistakenly identified the successful lawyer as the convicted lawyer and auto-completed search results to reflect this. The case at the first instance did not find google liable for defamation for reproducing the incorrect information in search results, since the Court held that it was merely replicating information from another site. However, on appeal, the Tel Aviv District Court held that both the website and the search engine were liable for defamation.(33)

According to Article 19’s Global Principles of Freedom of Expression and Privacy (Global Principles),(34) the right — to the extent that it is recognised in a particular jurisdiction — should be limited to the “right of individuals to request search engines to delist inaccurate or out-of-date search results produced on the basis of a search for their name.”(35) It states further that de-listing requests should be “subject to ultimate adjudication by a court or independent adjudicatory body with relevant expertise in freedom of expression and data protection law.”(36)

One major challenge to the right to be forgotten is the situation where court case decisions that are indexed and available in online legal databases and search engines are required for the ability to find court decisions and to be fully informed about the “full scope of the law”. This was concluded by the Supreme Court of Israel in a decision in which it held that blocking access to court decisions would be a disproportionate obstacle to finding the relevant decisions and therefore to fully understanding the scope of the domestic law.(37)

Encryption and Anonymity on the Internet

Encryption refers to an automated process of converting messages, information or data into a form unreadable by anyone except the intended recipient, and in doing so protecting the confidentiality and integrity of content against third party access or manipulation.(38)  With a “public key encryption” — the dominant form of end-to-end encryption for data in transit — the sender uses the recipient’s public key to encrypt the information, and the recipient uses her or his own private key to decrypt it.(39)  It is also possible to encrypt data that is stored on one’s device, such as a laptop or smartphone.(40)

Anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, or as acting or communicating in a way that makes it impossible to determine one’s name or identity, or using an invented or assumed name that is not associated with one’s legal or customary identity.(41) Anonymity may be distinguished from pseudo‑anonymity: the former refers to taking no name at all, whilst the latter refers to taking an assumed name.(42) Here again, it is common to reveal the identity to chosen users.

Encryption and anonymity are necessary tools for the full enjoyment of digital rights and enjoy protection by virtue of the critical role that they play in securing the rights to freedom of expression and privacy.  As described by the United Nations Special Rapporteur (UNSR) on freedom of expression:(43)

Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief.  For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments.  Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities.  Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment.  The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.  Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.

Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where people may be concerned that their communications may be subject to interference or attack by state or non-state actors.  These are therefore specific technologies through which individuals may exercise their rights.  Accordingly, any restrictions on encryption and anonymity must meet the three-part test.

According to the UNSR on freedom of expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public justifications to support restrictions on their use or to identify situations where such restrictions are necessary to achieve a legitimate goal.(44)  Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression as they deprive all online users in a particular jurisdiction of the right to use these tools to carve out a space for opinion and expression, regardless of whether or not they are being used for unlawful ends.(45)  Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences to use encryption, setting weak technical standards for encryption or controlling the import and export of encryption tools.(46)

The UNSR on freedom of expression has called on states to promote strong encryption and anonymity, and noted that decryption orders should only be permissible when they result from transparent and publicly-accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a group of people), and subject to a judicial warrant and the protection of due process rights of individuals.(47)

Government-led Digital Surveillance

Communications surveillance encompasses the monitoring, intercepting, collecting, obtaining, analysing, using, preserving, retaining, interfering with, accessing or similar actions taken with regard to information that includes, reflects, arises from or is about a person’s communications in the past, present, or future.(48)  This relates to both the content of communications and metadata about them, such as their location and connection points.  In respect of the latter, it has been noted that the aggregation of metadata may give deep insight into an individual’s behaviour, social relationships, private preferences and identity.  Taken as a whole, it may allow very precise conclusions to be drawn concerning the private life of a person.

Several states in the MENA region have legislated prohibiting the use of encryption without the permission of the security authorities. In this context Art. 64 of Egypt’s Telecommunications Law (Law No. 10 of 2003) criminalised the use of encryption, with penalties of imprisonment and a fine. The same law permits access by security authorities to the records of telecommunications providers. In addition to this, the Counterterrorism Law (Law No. 94 of 2005) permits prosecutors to surveil and record telecommunications and online communications without the need for a warrant or permit. Together this makes for an extremely precarious environment that threatens the right to online privacy.

There have been several reports that have suspected that the Jordanian Government, or institutions affiliated to the government, have been involved in the use of ‘Pegasus’ spyware, made by the Israeli NSO Group, against journalists, members of civil society, human rights defenders, lawyers and rights activists.(49)

AccessNow identified at least 16 journalists and independent media organisations in Jordan that were either attacked with surveillance spyware or whose devices were hacked with Pegasus spyware between 2019-2023.(50)  Several reports suggest that journalists and media professionals were specifically targeted based on their previous work and coverage of politically sensitive incidents in Jordan or issues related to denouncing the Israeli occupation, or Jordan’s normalisation deal with Israel. The use of such spyware is a flagrant infringement of the right to privacy, the right to freedom of expression and the right to freedom of the press and media. Whether performed by the state or state institutions, there is a very delicate balance to be struck between the obligation to strengthen and safeguard national security and the right of the public to be informed through the work of the press and journalists. In such cases, Courts are relied upon to provide the balancing between these conflict rights and obligations. Judicial decisions are required to take into account considerations of of necessity, proportionality and the minimum level of intervention that is necessary to ensure national security, while safeguarding the enjoyment of the core essence of the fundamental rights whose violation is challenged.

Although several organisations claim to have forensic evidence of the Jordanian government’s or Jordanian state institutions’ involvement in the use of the spyware against journalists in Jordan, no case seems to have been registered to date in domestic courts in Jordan. Regarding the same spyware, in October 2024, the High Court of the United Kingdom permitted a UK-based Saudi Human Rights defender to bring a case in the UK courts against the government of Saudi Arabia for using spyware against him, and may have implications for cases against use of the spyware in Jordan.(51) UN Human Rights Committee General Comment No. 16 provides: “Compliance with article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto”.(52)  Surveillance — both bulk (or mass) collection of data(53) or targeted collection of data — interferes directly with the privacy and security necessary for freedom of opinion and expression, and must be considered against the three-part test to assess its legitimacy.(54) In the digital age, Internet and Communications Technologies (ICTs) have enhanced the capacity of governments, corporations and individuals to conduct surveillance, interception and data collection, such that the ability to conduct such surveillance is no longer limited by scale or duration.

A resolution adopted by the UN General Assembly (UNGA) on the right to privacy in the digital age emphasised that unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, are highly intrusive acts, violate the right to privacy, can interfere with the right to freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.(55)  It noted further that “surveillance of digital communications must be consistent with international human rights obligations and must be conducted on the basis of a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.”(56)

In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to authorise surveillance activities.  According to the Necessary and Proportionate Principles (a series of principles on the application of human rights to surveillance elaborated by experts and privacy groups), communications surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following before a competent judicial authority prior to conducting any surveillance:(57)

  • There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.

  • There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat would be obtained by accessing the protected information sought.

  • Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.

  • Information accessed will be confined to that which is relevant and material to the serious crime or specific threat.

  • Any excess information collected will not be retained, but instead will be promptly destroyed or returned.

  • Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.

  • The surveillance activities requested and techniques proposed do not undermine the essence of the right to privacy or other fundamental freedoms.

Surveillance constitutes an obvious interference with the right to privacy.  Further, it also constitutes an interference on the right to hold opinions without interference and the right to freedom of expression.  With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, likely deters individuals from accessing the information needed to form opinions, particularly where such surveillance leads to repressive outcomes.(58)

The interference with the right to freedom of expression is particularly apparent in the context of journalists and members of the media who may be placed under surveillance as a result of their journalistic activities.  As noted by the Secretary-General of the UN, this can have a chilling effect on the enjoyment of media freedom and renders it more difficult to communicate with sources and share and develop ideas.(59) The use of encryption and other similar tools have become essential to the work of journalists to ensure that they are able to conduct their work without interference.

The disclosure of journalistic sources through surveillance can have serious negative consequences for the right to freedom of expression due to confidential sources losing trust that journalists will be able to conceal  their identities.(60)  This is the same for cases concerning the disclosure of anonymous user data.  Once confidentiality is undermined, it cannot be restored.  It is, therefore, of utmost importance that measures that undermine confidentiality are not undertaken arbitrarily. Surveillance activities carried out against journalists risk fundamentally undermining the right of source protection to which journalists are otherwise entitled.(61) The increased use of digital technologies and increasingly sophisticated surveillance tools have raised additional challenges for maintaining the anonymity of sources, including due to the risk of unintended source disclosure as a result of surveillance of communication devices. For example, certain journalist sources in the US have been identified through telephone and email records.

Conclusion

As more of the world moves online, data protection is becoming increasingly necessary. In the MENA region, more and more states are legislating for stronger privacy and data protection laws.  However, with the rapid growth in data harvesting, legislators are some way behind in fully protecting and promoting privacy and personal data protection.  As we move forward, digital rights activists have a significant role to play in ensuring that states keep up-to-date with data protection developments and enact legislative frameworks which fully protect and promote people’s rights to privacy. Furthermore, Courts in the region have been slow in recognising these rights to their full extent and there is a lack of sophisticated and coherent jurisprudence on these rights.

  • 1. B.L. vs. T.M., Decision No. 10874/11, the Court of Constantine, Algeria
  • 2. Data Protection and Privacy Laws in MENA: A Case Study of Covid-19 Contact Tracing Apps (2021). https://smex.org/wp-content/uploads/2021/02/210210_JoeyShea_Report_Covid-19ContactTracingApps_EN_Draft5.pdf
  • 3. ‘Exposed and Exploited: Data Protection in the Middle East and North Africa.’ https://www.accessnow.org/wp-content/uploads/2021/01/Access-Now-MENA-data-protection-report.pdf
  • 4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC at Article 4(1) (accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679).
  • 5. Data Protection and Privacy Laws in MENA: A Case Study of Covid-19 Contact Tracing Apps (2021). https://smex.org/wp-content/uploads/2021/02/210210_JoeyShea_Report_Covid-19ContactTracingApps_EN_Draft5.pdf
  • 6. General Comment No. 16 at para. 10.
  • 7. Information Commissioner’s Office, ‘Data protection principles’ (accessible at: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/).
  • 8. ‘Israel tells court would stop forcing Palestinian laborers to give access to phone data’. Haaretz. May 15, 2020. https://www.haaretz.com/middle-east-news/palestinians/.premium-over-50-000-palestinians-forced-to-give-phone-data-to -israel-1.8844580
  • 9. Decision of the Israeli High Court, 17 May 2020 – not available publicly. https://hamoked.org/document.php?dID=Updates2175
  • 10. Accessible at https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1.
  • 11. Article 1 of Convention 108.
  • 12. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108). https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=108
  • 13. Google Spain SL and Another v Agencia Española de Protección de Datos (AEPD) and Another, Case No. C-131/12, 13 May 2014 (accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131).
  • 14. Id at para 57.
  • 15. Id at para 58.
  • 16. Id at para 80.
  • 17. Id.
  • 18. Id at para 81.
  • 19. Id.
  • 20. Id. at para 94.
  • 21. Id. at para 94.
  • 22. Council of the European Union. (2014). Press Release: 3336th Council meeting, Justice and Home Affairs. Retrieved from: https://www.iem.gov.lv/sites/iem/files/press-release-3336th-council-meeting-justice-and-home-affairs-luxembourg-9-and-10-october-2014-provisional-version-home-affairs-issues1.pdf
  • 23. Art. 4B(5), Personal Data Protection Law (Law No. 24 of 2023). https://www.modee.gov.jo/ebv4.0/root_storage/en/eb_list_page/pdpl.pdf
  • 24. Art. 45, Organic law No. 2004-63 (27 July 2004). https://ictpolicyafrica.org/en/document/1bmfv348zkf
  • 25. Law No. 20 of 2014 Concerning Electronic Transactions. https://cyrilla.org/en/entity/doplobfh504wtlwnilhht1emi?page=1
  • 26. https://bit.ly/419W0Si
  • 27. Plaintiff X v PrimaDaNoi, Case No. 13161, 22 November 2015 (accessible at: https://globalfreedomofexpression.columbia.edu/cases/plaintiff-x-v-primadanoi/).
  • 28. Application no. 77419/16 (2022) at 69-70 (accessible at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22Biancardi%20v.%20Italy%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-213827%22]}
  • 29. P.H. v O.G., Case No. 15/0052/F, 29 April 2016 (accessible at: https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/06/download_blob.pdf). For a discussion of the case, see Hunton & Williams, ‘Belgian Court of Cassation rules on right to be forgotten’, 1 June 2016 (accessible at: https://www.huntonprivacyblog.com/2016/06/01/belgian-court-of-cassation-rules-on-right-to-be-forgotten/). For more on the right to be forgotten, see NT1 & NT2 v Google LLC in the UK (2018) (accessible at: https://www.judiciary.uk/wp-content/uploads/2018/04/nt1-nt2-v-google-press-summary-180413.pdf).
  • 30. Case No. C-385-15, 9 March 2017 (accessible at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=188750&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=446798).
  • 31. Ministra Nancy Andrighi v Google Brasil Internet Ltd and Others, 2011/0307909-6, 26 June 2012 (accessible at: https://www.internetlab.org.br/wp-content/uploads/2017/02/STJ-REsp-1316921.pdf).
  • 32. The Japan Times, ‘Top court rejects ‘right to be forgotten’ demand’, 1 February 2017 (accessible at: https://www.japantimes.co.jp/news/2017/02/01/national/crime-legal/top-court-rejects-right-forgotten-demand/#.WqZQXehubIV).
  • 33. Ami Savir v. Google, Case No. TA 49918-05-12 (5 July 2015). https://globalfreedomofexpression.columbia.edu/cases/ami-savir-v-google-israel/
  • 34. The Global Principles (accessible at: https://www.article19.org/data/files/medialibrary/38657/Expression-and-Privacy-Principles-1.pdf) were developed by civil society, led by ARTICLE19, in cooperation with high-level experts from around the world.
  • 35. Principle 18(1) of the Global Principles
  • 36. Id at principle 18(2).
  • 37. Hashavim H.P.S. Business Data v. Directorate of Courts. Case No. HCJ 5870/14, Supreme Court of Israel, 12 November 2015. https://globalfreedomofexpression.columbia.edu/cases/hashavim-h-p-s-business-data-v-directorate-courts/
  • 38. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32, 22 May 2015 (UNSR Report on Anonymity and Encryption) at para 7 (accessible at: http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). For further discussion and resources, see UCI Law International Justice Clinic, ‘Selected references: Unofficial companion report to Report of the Special Rapporteur (A/HRC/29/32) on encryption, anonymity and freedom of expression’ (accessible at: https://bit.ly/4bcdhia).
  • 39. Id
  • 40. Id
  • 41. Electronic Frontier Foundation, Anonymity and encryption, 10 February 2015 at p 3 (accessible at: https://www.ohchr.org/Documents/Issues/Opinion/Communications/EFF.pdf).
  • 42. Id
  • 43. UNSR Report on Anonymity and Encryption above n 33 at para 12.
  • 44. Id. at para 36.
  • 45. Id. at para 40.
  • 46. Id. at para 41.
  • 47. Id. at paras 59-60.
  • 48. Necessary and proportionate: International principles on the application of human rights to communications surveillance, 2014 (Necessary and Proportionate Principles) at p 4 (accessible at: https://necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf).
  • 49. ‘Peace Through Pegasus: Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware’, 5 April 2022, https://www.frontlinedefenders.org/sites/default/files/jordanpegasusreport.pdf; ‘Between a hack and a hard place: how Pegasus spyware crushes civic space in Jordan’, 1 February 2024. https://www.accessnow.org/publication/between-a-hack-and-a-hard-place-how-pegasus-spyware-crushes-civic-space-in-jordan/ and https://www.accessnow.org/wp-content/uploads/2024/01/Public-Pegasus-infections-in-Jordan-in-2022-and-2023-a-technical-brief.pdf; ‘Scoop: Israeli cyber firm NSO negotiates with Jordanian intelligence’, 21 April 2021, https://www.axios.com/2021/04/21/israeli-cyber-firm-nso-negotiates-with-jordan
  • 50. ‘Between a hack and a hard place: how Pegasus spyware crushes civic space in Jordan’, 1 February 2024, https://www.accessnow.org/publication/between-a-hack-and-a-hard-place-how-pegasus-spyware-crushes-civic-space-in-jordan/
  • 51. ‘High Court grants permission to Yahya Assiri to bring a spyware based legal claim against the Kingdom of Saudi Arabia over Pegasus and Quadream cyberattacks’, 21 October 2024, https://www.bindmans.com/news-insights/news/high-court-grants-permission-to-yahya-assiri-to-bring-a-spyware-based-legal-claim-against-the-kingdom-of-saudi-arabia-over-pegasus-and-quadream-cyberattacks/
  • 52. General Comment No. 16 at para 8.
  • 53. Revelations by whistle-blowers, such as Edward Snowden, have revealed that the National Security Agency in the USA and the General Communications Headquarters in the United Kingdom had developed technologies allowing access to much global internet traffic, including records in the United States, individuals’ electronic address books and huge volumes of other digital communications’ metadata. These technologies are deployed through a transnational network comprising strategic intelligence relationships between governments and other role-players. This is referred to as bulk or mass surveillance. For more on the privacy concerns raised by the Snowden revelations, see Report of the Special Rapporteur on the right to privacy, UN Doc. A/HRC/34/60 (2017) (accessible at: https://documents-dds-ny.un.org/doc/UNDOC/GEN/G17/260/54/PDF/G1726054.pdf?OpenElement).
  • 54. 2016 Report of the UNSR on Freedom of Expression on Contemporary challenges to freedom of expression, UN Doc. A/71/373 at para 20 (accessible at: https://undocs.org/Home/Mobile?FinalSymbol=A%2F71%2F373&Language=E&DeviceType=Desktop&LangRequested=False).
  • 55. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, A/HRC/23/40 (2013) (accessible at: https://bit.ly/4bb5SQ4).
  • 56. UNGA, ‘Resolution on the right to privacy in the digital age’, A/C.3/71/L.39/Rev.1, 16 November 2016 (2016 UN Resolution on Privacy) (accessible at: https://daccess-ods.un.org/tmp/3401807.84463882.html).
  • 57. Id.
  • 58. Above at n 43, p. 8.
  • 59. UNSR Report on Anonymity and Encryption, above n 33 at para 21.
  • 60. Report of the Secretary-General on the UN to the UNGA, ‘Report on the safety of journalists and the issue of impunity’, A/70/290, 6 August 2015 (2015 Report of the UN Secretary-General) at paras 14-16 (accessible at: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/247/06/PDF/N1524706.pdf?OpenElement).
  • 61. For more, see Big Brother Watch v United Kingdom in the ECtHR (2018) (accessible at: https://globalfreedomofexpression.columbia.edu/cases/big-brother-watch-v-united-kingdom/).