RESOURCE HUB
DONATE
GET HELP

Data Privacy and Data Protection – South and South East Asia

  • The right to privacy is gaining prominence with increasing data flows and the concomitant need for the protection of personal information.

  • Although South and Southeast Asia lacks a dedicated regional convention on data protection, and there is no such convention for Asia overall, Convention 108 of the Council of Europe is open for accession by non-European states.

  • States should ensure that their domestic legislation sets out standards for the lawful processing of personal information and that they maintain this legislation in line with data protection developments.

  • Linked to data protection are the privacy-related concepts of the ‘right to be forgotten’, encryption and limits on government surveillance.

  • Notably, the disclosure of journalistic sources as a result of state surveillance has a negative impact on freedom of expression and journalistic freedom.

Introduction

The right to privacy and the concomitant requirement to protect personal information or data has garnered significant attention since the dawn of the information age.  While the internet and online information-sharing and data collection increase at an exponential rate, legislative developments have failed to keep pace and adequately protect personal information.  However, some states have begun to adopt data protection-related instruments and regulations in an attempt to protect the privacy rights of their citizens.

This module focuses on data protection in Asia and the related concepts of the ‘right to be forgotten’, encryption and surveillance.

The Right to Privacy

There is increasing recognition that the right to privacy plays a vital role in and of itself and in facilitating the right to freedom of expression.  For instance, protection of the right to privacy allows individuals to share views anonymously in circumstances where they may fear being censured for those views, it allows whistle-blowers to make protected disclosures, and it enables members of the media and activists to communicate securely beyond the reach of government surveillance.

The right to privacy is guaranteed in article 12 of the Universal Declaration of Human Rights (UDHR).  The right to privacy is also guaranteed in article 17 of the International Covenant on Civil and Political Rights (ICCPR), which provides:

1 No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2 Everyone has the right to the protection of the law against such interference or attacks.

In 2012, the Association of Southeast Asian Nations (ASEAN) member states issued a non-binding declaration reaffirming their commitment to respecting and promoting human rights. Article 21 of the ASEAN Human Rights Declaration closely mirrors the privacy protection in the UDHR, providing:

Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data, or to attacks upon that person’s honour and reputation. Every person has the right to the protection of the law against such interference or attacks.

Interestingly, in 2017, the Supreme Court of India declared that the right to privacy is protected as an intrinsic part of the right to life and personal liberty, and as part of the fundamental freedoms guaranteed by Part III of the Constitution of India.1 As such, although the Constitution of India does not expressly contain a right to privacy, the right can nevertheless be derived from other rights and freedoms that are constitutionally guaranteed.  

As with the right to freedom of expression, a restriction on the right to privacy must comply with the three-part test for such restrictions.  As noted by the Supreme Court of India in the 2017 judgment:

Right to privacy cannot be impinged without a just, fair and reasonable law. It has to fulfil the test of proportionality i.e. (i) existence of a law (ii) must serve a legitimate State aim and (iii) proportionate.2

As set out below, we consider specific aspects of the right to privacy and the impact that the internet has had on the enjoyment of this right.

Data Protection

Data protection laws are aimed at protecting and safeguarding the processing of personal information or personal data, which is defined in the EU’s General Data Protection regulation as “any information relating to an identified or identifiable natural person (‘data subject’)”.(3) An “identifiable natural person” is in turn defined as:

…one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data protection is one of the primary measures through which the right to privacy is given effect. In addition to giving effect to the right to privacy, data protection legislation also has a key role to play in facilitating trade amongst states, as many data protection laws, in particular those adopted within the European Union, restrict cross-border data transfers in circumstances where one state does not provide an adequate level of data protection.

In recent years, increasing attention to the issue of data protection has led to a number of Asian states enacting new privacy laws.(4) Since the onset of the COVID-19 pandemic, the greater reliance on digital technologies for remote working and contact tracing has raised novel challenges with respect to privacy and data protection, adding further momentum and urgency to the need to strengthen data protection laws.  Nonetheless, many states continue to protect individuals’ privacy only inadequately, especially from state surveillance activities.5

In relation to data protection, General Comment No. 16 on article 17 of the ICCPR (General Comment No. 16) provides as follows(6)

The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.  Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorised by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes.  Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.  If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.

Most comprehensive data protection laws typically make provision for the following principles:(7)

  • Personal information must be processed fairly and lawfully, and must not be processed unless the stipulated conditions are met.

  • Personal information must be obtained for a specified purpose (or purposes) and must not be further processed in any manner incompatible with that purpose.

  • Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.

  • Personal information must be accurate and, where necessary, kept up to date.

  • Personal information must not be kept for longer than is necessary for the purpose of collection.

  • Personal information must be processed in accordance with the rights of data subjects provided for under the data protection law, including the right to access, review and where necessary correct the data.

  • Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

The Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’)(8) opened for signature on 28 January 1981 and was the first binding international instrument protecting against abuses stemming from the collection and processing of personal data. The purpose of Convention 108 is to “protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.(9) Convention 108 provides for the free flow of personal data between states parties to the Convention.

Convention 108 is open for accession by non-members of the Council of Europe. Although a number of non-European member states have acceded to it, no South or Southeast Asian states have yet done so.

In addition to giving effect to the right to privacy, data protection laws also typically facilitate a right of access to personal information.  In this regard, most data protection laws provide for data subjects to request, and be given access to, the information being held about them by a controller.  This mechanism can enable data subjects to ascertain whether their personal information is being processed in accordance with the applicable data protection laws, including whether the information held is correct, and whether their rights are indeed being upheld.

The Right to be Forgotten

The so-called ‘right to be forgotten’ — which is perhaps better described as ‘the right to erasure’ or ‘the right to be de-listed’ — entails a right to request commercial search engines, such as Google, to remove links to private information when asked.  The right to be forgotten progresses from the idea that the right to private life includes a right for past information about oneself, where there is no public interest in accessing, not to be profiled prominently on search results, even though the information will normally remain available on the websites where it is being held.

The leading case on this was decided in 2014, when the Court of Justice of the European Union (CJEU) handed down its ruling in the case of Google Spain v Gonzalez.(10) Mr Gonzalez, a Spanish national, lodged a complaint in 2010 with the Spanish information regulator.  The cause of Mr Gonzalez’s complaint was that, when an internet user entered his name into Google’s search engine, the user would obtain links to pages of a Spanish newspaper from 1998 referring to attachment proceedings against him for the recovery of certain debts.  Mr Gonzalez requested that the personal data relating to him be removed or concealed because the proceedings against him had been fully resolved and the reference to him was therefore now prejudicial.

The CJEU upheld the claim, relying on the EU data protection law in effect at the time.  The CJEU noted that the very display of personal information on a search results page constitutes processing of such information,11 and there was no reason why a search engine should not be subject to the obligations and guarantees laid out under the law.12 Further, it was noted that the processing of personal information carried out by a search engine could significantly affect the fundamental rights to privacy and to the protection of personal data when a search is carried out using a person’s name, as it enables any internet user to obtain a structured overview of information relating to that individual and establish a profile of the person.13 According to the CJEU, the effect of the interference “is heightened taking into account the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous.”14

The CJEU went on to hold that a data subject is permitted to request that information about him or her no longer be included in a list of search results where, having regard to all the circumstances, the information appears to be inadequate, irrelevant or no longer relevant, or excessive in relation to purposes of the processing carried out by the operator of the search engine, taking into account the public interest in accessing it.15 In such circumstances, the information should be delinked from search engine results.16

The right to be forgotten has also been recognised in domestic contexts.  For instance, Italy’s Supreme Court of Cassation has held that the public interest in an article diminished after two and a half years, and that sensitive private information should not be available to the public indefinitely.17 The case was brought before the European Court of Human Rights, which found the restriction on freedom of expression to be justifiable after declining to interfere with Italy’s Supreme Court of Cassation’s balancing of this right with the right to respect for one’s private life.18 The Belgian Court of Cassation has also recognised the right to be forgotten.19

There are, however, limits to the ambit of the right to be forgotten.  In 2017, the CJEU was seized with a request for a preliminary ruling in the case of Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni.20 Mr Manni, relying on the Gonzalez decision, sought an order requiring the Chamber of Commerce to erase, anonymise or block any data in the register of companies linking him to the liquidation of his company.  The CJEU declined to uphold Mr Manni’s request and held that in light of the range of possible legitimate uses of data in companies registers and the different limitation periods applicable to such records, it was impossible to identify a suitable maximum retention period.  Accordingly, the CJEU declined to find that there is a general right to be forgotten from public company registers.

Furthermore, other jurisdictions have refused to uphold a right to be forgotten vis-à-vis search engines.  In Brazil, for example, it was held that search engines cannot be compelled to remove search results relating to a specific term or expression;21 similarly, the Supreme Court of Japan declined to enforce the right to be forgotten against Google, finding that deletion “can be allowed only when the value of privacy protection significantly outweighs that of information disclosure”.22

In India, the law on the right to be forgotten remains unsettled. Certain judicial decisions have given effect to the right to be forgotten as a corollary of the right to privacy. For example, the Orissa High Court of the state of Odisha23 and the High Court of Kerala24 both found that survivors of sexual violence have a right to have certain online information removed (in the former case non-consensual images in the form of uploaded videos and photos and in the latter case identifying information in a judgment). In 2021, the High Court of Delhi issued an order to block search results for a judgment posted online relating a charge of which the petitioner had been acquitted.25 In contrast, in 2017, the High Court of Gujarat rejected a similar petition for the removal of a judgment.26 To date, India continues to lack a comprehensive legislative framework governing the right to be forgotten, although proposed legislation in the form of the Personal Data Protection Bill, first introduced in 2019, includes provisions codifying this right.27

According to Article 19’s Global Principles of Freedom of Expression and Privacy (Global Principles),28 the right — to the extent that it is recognised in a particular jurisdiction — should be limited to the “right of individuals to request search engines to delist inaccurate or out-of-date search results produced on the basis of a search for their name.”29 It states further that de-listing requests should be “subject to ultimate adjudication by a court or independent adjudicatory body with relevant expertise in freedom of expression and data protection law.”30

Encryption and Anonymity on the Internet

Encryption refers to an automated process of converting messages, information or data into a form unreadable by anyone except the intended recipient, and in doing so protecting the confidentiality and integrity of content against third party access or manipulation.31 With a “public key encryption” — the dominant form of end-to-end encryption for data in transit — the sender uses the recipient’s public key to encrypt the information, and the recipient uses her or his own private key to decrypt it.32It is also possible to encrypt data that is stored on one’s device, such as a laptop or smartphone.33

Anonymity can be defined either as acting or communicating without using or presenting one’s name or identity, or as acting or communicating in a way that makes it impossible to determine one’s name or identity, or using an invented or assumed name that is not associated with one’s legal or customary identity.34 Anonymity may be distinguished from pseudo‑anonymity: the former refers to taking no name at all, whilst the latter refers to taking an assumed name.35 Here again, it is common to reveal the identity to chosen users.

Encryption and anonymity are necessary tools for the full enjoyment of digital rights and enjoy protection by virtue of the critical role that they play in securing the rights to freedom of expression and privacy.  As described by the United Nations Special Rapporteur (UNSR) on freedom of expression:36

Encryption and anonymity, separately or together, create a zone of privacy to protect opinion and belief.  For instance, they enable private communications and can shield an opinion from outside scrutiny, particularly important in hostile political, social, religious and legal environments.  Where States impose unlawful censorship through filtering and other technologies, the use of encryption and anonymity may empower individuals to circumvent barriers and access information and ideas without the intrusion of authorities.  Journalists, researchers, lawyers and civil society rely on encryption and anonymity to shield themselves (and their sources, clients and partners) from surveillance and harassment.  The ability to search the web, develop ideas and communicate securely may be the only way in which many can explore basic aspects of identity, such as one’s gender, religion, ethnicity, national origin or sexuality.  Artists rely on encryption and anonymity to safeguard and protect their right to expression, especially in situations where it is not only the State creating limitations but also society that does not tolerate unconventional opinions or expression.

Encryption and anonymity are especially useful for the development and sharing of opinions online, particularly in circumstances where people may be concerned that their communications may be subject to interference or attack by state or non-state actors.  These are therefore specific technologies through which individuals may exercise their rights.  Accordingly, any restrictions on encryption and anonymity must meet the three-part test.

According to the UNSR on freedom of expression, while encryption and anonymity may frustrate law enforcement and counter-terrorism officials and complicate surveillance, state authorities have generally failed to provide appropriate public justifications to support restrictions on their use or to identify situations where such restrictions are necessary to achieve a legitimate goal.37 Outright prohibitions on the individual use of encryption technology disproportionately restrict the right to freedom of expression as they deprive all online users in a particular jurisdiction of the right to use these tools to carve out a space for opinion and expression, regardless of whether or not they are being used for unlawful ends.38 Likewise, state regulation of encryption may be tantamount to a ban, for example through requiring licences to use encryption, setting weak technical standards for encryption or controlling the import and export of encryption tools.39

The UNSR on freedom of expression has called on states to promote strong encryption and anonymity, and noted that decryption orders should only be permissible when they result from transparent and publicly-accessible laws applied solely on a targeted, case-by-case basis to individuals (not to a group of people), and subject to a judicial warrant and the protection of due process rights of individuals.40

Government-led Digital Surveillance

Communications surveillance encompasses the monitoring, intercepting, collecting, obtaining, analysing, using, preserving, retaining, interfering with, accessing or similar actions taken with regard to information that includes, reflects, arises from or is about a person’s communications in the past, present, or future.41 This relates to both the content of communications and metadata about them, such as their location and connection points.  In respect of the latter, it has been noted that the aggregation of metadata may give deep insight into an individual’s behaviour, social relationships, private preferences and identity.  Taken as a whole, it may allow very precise conclusions to be drawn concerning the private life of a person.

UN Human Rights Committee General Comment No. 16 provides: “Compliance with article 17 requires that the integrity and confidentiality of correspondence should be guaranteed de jure and de facto”.42 Surveillance — both bulk (or mass) collection of data43 or targeted collection of data — interferes directly with the privacy and security necessary for freedom of opinion and expression, and must be considered against the three-part test to assess its legitimacy.44 In the digital age, Internet and Communications Technologies (ICTs) have enhanced the capacity of governments, corporations and individuals to conduct surveillance, interception and data collection, such that the ability to conduct such surveillance is no longer limited by scale or duration.45

A resolution adopted by the UN General Assembly (UNGA) on the right to privacy in the digital age emphasised that unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, are highly intrusive acts, violate the right to privacy, can interfere with the right to freedom of expression and may contradict the tenets of a democratic society, especially when undertaken on a mass scale.46 It noted further that “surveillance of digital communications must be consistent with international human rights obligations and must be conducted on the basis of a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.”47

In order to meet the condition of legality, many states have taken steps to reform their surveillance laws to authorise surveillance activities.  According to the Necessary and Proportionate Principles (a series of principles on the application of human rights to surveillance elaborated by experts and privacy groups), communications surveillance should be regarded as a highly intrusive act, and in order to meet the threshold of proportionality, the state should be required at a minimum to establish the following before a competent judicial authority prior to conducting any surveillance:48

  • There is a high degree of probability that a serious crime or specific threat to a legitimate aim has been or will be carried out.

  • There is a high degree of probability that evidence relevant and material to such a serious crime or specific threat would be obtained by accessing the protected information sought.

  • Other less invasive techniques have been exhausted or would be futile, such that the technique used is the least invasive option.

  • Information accessed will be confined to that which is relevant and material to the serious crime or specific threat.

  • Any excess information collected will not be retained, but instead will be promptly destroyed or returned.

  • Information will be accessed only by the specified authority and used only for the purpose and duration for which authorisation was given.

  • The surveillance activities requested and techniques proposed do not undermine the essence of the right to privacy or other fundamental freedoms.

Surveillance constitutes an obvious interference with the right to privacy.  Further, it also constitutes an interference on the right to hold opinions without interference and the right to freedom of expression.  With particular reference to the right to hold opinions without interference, surveillance systems, both targeted and mass, may undermine the right to form an opinion, as the fear of unwilling disclosure of online activity, such as search and browsing, likely deters individuals from accessing the information needed to form opinions, particularly where such surveillance leads to repressive outcomes.49

The interference with the right to freedom of expression is particularly apparent in the context of journalists and members of the media who may be placed under surveillance as a result of their journalistic activities.  As noted by the Secretary-General of the UN, this can have a chilling effect on the enjoyment of media freedom and renders it more difficult to communicate with sources and share and develop ideas.50 The use of encryption and other similar tools have become essential to the work of journalists to ensure that they are able to conduct their work without interference.

The disclosure of journalistic sources through surveillance can have serious negative consequences for the right to freedom of expression due to confidential sources losing trust that journalists will be able to conceal their identities.51 This is the same for cases concerning the disclosure of anonymous user data. Once confidentiality is undermined, it cannot be restored. It is, therefore, of utmost importance that measures that undermine confidentiality are not undertaken arbitrarily.

Surveillance activities carried out against journalists risk fundamentally undermining the right of source protection to which journalists are otherwise entitled.52

The increased use of digital technologies and increasingly sophisticated surveillance tools have raised additional challenges for maintaining the anonymity of sources, including due to the risk of unintended source disclosure as a result of surveillance of communication devices.53 For example, certain journalist sources in the US have been identified through telephone and email records.54 (For more on the protection of journalist sources, please see Module 10 of this training course).

Conclusion

As more of the world moves online, data protection is becoming increasingly necessary. In South and Southeast Asia, some headway has been made with increasing numbers of states now having privacy laws in place.  However, with the rapid growth in data harvesting, legislators are some way behind in fully protecting and promoting privacy and personal data protection.  As we move forward, digital rights activists have a significant role to play in ensuring that states keep up-to-date with data protection developments and enact legislative frameworks which fully protect and promote people’s rights to privacy.

References

  1. Justice K.S. Puttaswamy and Another v Union of India and Others, Petition No. 494/2012, 24 August 2017 (accessible at: http://supremecourtofindia.nic.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf).
  2. Id. at para 232(vi).
  3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC at Article 4(1) (accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679).
  4. For an overview of regional trends, see Deloitte, ‘The Asia Pacific Privacy Guide 2020-2021: Stronger Together’(2020) (accessible: https://www2.deloitte.com/ph/en/pages/risk/articles/asia-pacific-privacy-guide.html) and Graham Greenleaf, ‘Advances in South Asian Data Privacy Laws: Sri Lanka, Pakistan and Nepal’, (2019) Privacy Laws & Business International Report, 22-25 (accessible at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3549055).
  5. Digital Reach, ‘Digital Rights in Southeast Asia 2021/2022’, (2022) (accessible at: https://digitalreach.asia/event/report-launch-digital-rights-in-southeast-asia-2021-2022/); Smitha Krishna Prasad & Sharngan Aravindakshan (2021) ‘Playing catch up – privacy regimes in South Asia’, The International Journal of Human Rights, 25:1, 79-116, p. 105 (accessible at: https://www.tandfonline.com/doi/full/10.1080/13642987.2020.1773442).
  6. General Comment No. 16 at para. 10.
  7. Information Commissioner’s Office, ‘Data protection principles’ (accessible at: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/).
  8. Accessible at https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1.
  9. Article 1 of Convention 108.
  10. Google Spain SL and Another v Agencia Española de Protección de Datos (AEPD) and Another, Case No. C-131/12, 13 May 2014 (accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131).
  11. Id at para 57.
  12. Id at para 58.
  13. Id at para 80.
  14. Id.
  15. Id. at para 94.
  16. Id. at para 94.
  17. Plaintiff X v PrimaDaNoi, Case No. 13161, 22 November 2015 (accessible at: https://globalfreedomofexpression.columbia.edu/cases/plaintiff-x-v-primadanoi/).
  18. Application no. 77419/16 (2022) at 69-70 (accessible at: https://hudoc.echr.coe.int/eng#{%22fulltext%22:[%22Biancardi%20v.%20Italy%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-213827%22).
  19. P.H. v O.G., Case No. 15/0052/F, 29 April 2016 (accessible at: https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/06/download_blob.pdf). For a discussion of the case, see Hunton & Williams, ‘Belgian Court of Cassation rules on right to be forgotten’, 1 June 2016 (accessible at: https://www.huntonprivacyblog.com/2016/06/01/belgian-court-of-cassation-rules-on-right-to-be-forgotten/). For more on the right to be forgotten, see NT1 & NT2 v Google LLC in the UK (2018) (accessible at: https://www.judiciary.uk/wp-content/uploads/2018/04/nt1-nt2-v-google-press-summary-180413.pdf).
  20. Case No. C-385-15, 9 March 2017 (accessible at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=188750&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=446798).
  21. Ministra Nancy Andrighi v Google Brasil Internet Ltd and Others, 2011/0307909-6, 26 June 2012 (accessible at: https://www.internetlab.org.br/wp-content/uploads/2017/02/STJ-REsp-1316921.pdf).
  22. The Japan Times, ‘Top court rejects ‘right to be forgotten’ demand’, 1 February 2017 (accessible at: https://www.japantimes.co.jp/news/2017/02/01/national/crime-legal/top-court-rejects-right-forgotten-demand/#.WqZQXehubIV).
  23. Subhranshu Rout v. State of Odisha, High Court of Orissa, BLAPL No.4592 of 2020 (2020), (accessible at: https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2021/01/Official-Judgment.pdf).
  24. The Case of the Rape Survivor’s Right to Be Forgotten, Kerala High Court in the Civil Writ Petition No. 9478 of 2016 (2017), as summarised by Columbia Freedom of Expression due to absence of availability of original decision (accessible at: https://globalfreedomofexpression.columbia.edu/cases/the-case-of-the-rape-survivors-right-to-be-forgotten-india/).
  25. Jorawar Singh Mundy v. Union of India and Others, (2021) W.P. (C) 3918/ 2020 (2021) (accessible at: https://www.livelaw.in/pdf_upload/16186364774292021-393948.pdf).
  26. Dharamraj Bhanushankar Dave v. State of Gujarat, Special Civil Application No. 1854 of 2015 (2017), (accessible at: https://indiankanoon.org/doc/156866860/).
  27. Ipleaders, Rachit Garg, ‘Personal Data Protection Bill, 2019 and the right to be forgotten’ (2022), (accessible at: https://blog.ipleaders.in/personal-data-protection-bill-2019-and-the-right-to-be-forgotten/#:~:text=The%20right%20to%20be%20forgotten%2C%20is%20the%20right%20of%20the,it%20is%20no%20longer%20needed ).
  28. The Global Principles (accessible at: https://www.article19.org/data/files/medialibrary/38657/Expression-and-Privacy-Principles-1.pdf) were developed by civil society, led by ARTICLE19, in cooperation with high-level experts from around the world.
  29. Principle 18(1) of the Global Principles.
  30. Id at principle 18(2).
  31. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32, 22 May 2015 (UNSR Report on Anonymity and Encryption) at para 7 (accessible at: http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). For further discussion and resources, see UCI Law International Justice Clinic, ‘Selected references: Unofficial companion report to Report of the Special Rapporteur (A/HRC/29/32) on encryption, anonymity and freedom of expression’ (accessible at: http://www.ohchr.org/Documents/Issues/Opinion/Communications/States/Selected_References_SR_Report.pdf).
  32. Id.
  33. Id.
  34. Electronic Frontier Foundation, Anonymity and encryption, 10 February 2015 at p 3 (accessible at: https://www.ohchr.org/Documents/Issues/Opinion/Communications/EFF.pdf).
  35. Id.
  36. UNSR Report on Anonymity and Encryption above n 33 at para 12.
  37. Id. at para 36.
  38. Id. at para 40.
  39. Id. at para 41.
  40. Id. at paras 59-60.
  41. Necessary and proportionate: International principles on the application of human rights to communications surveillance, 2014 (Necessary and Proportionate Principles) at p 4 (accessible at: https://necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf).
  42. General Comment No. 16 at para 8.
  43. Revelations by whistle-blowers, such as Edward Snowden, have revealed that the National Security Agency in the USA and the General Communications Headquarters in the United Kingdom had developed technologies allowing access to much global internet traffic, including records in the United States, individuals’ electronic address books and huge volumes of other digital communications’ metadata. These technologies are deployed through a transnational network comprising strategic intelligence relationships between governments and other role-players. This is referred to as bulk or mass surveillance. For more on the privacy concerns raised by the Snowden revelations, see Report of the Special Rapporteur on the right to privacy, UN Doc. A/HRC/34/60 (2017) (accessible at: https://documents-dds-ny.un.org/doc/UNDOC/GEN/G17/260/54/PDF/G1726054.pdf?OpenElement).
  44. 2016 Report of the UNSR on Freedom of Expression on Contemporary challenges to freedom of expression, UN Doc. A/71/373 at para 20 (accessible at: https://undocs.org/Home/Mobile?FinalSymbol=A%2F71%2F373&Language=E&DeviceType=Desktop&LangRequested=False).
  45. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, A/HRC/23/40 (2013) (accessible at: https://www.ohchr.org/sites/default/files/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf).
  46. UNGA, ‘Resolution on the right to privacy in the digital age’, A/C.3/71/L.39/Rev.1, 16 November 2016 (2016 UN Resolution on Privacy) (accessible at: https://daccess-ods.un.org/tmp/3401807.84463882.html).
  47. Id.
  48. Necessary and proportionate: International principles on the application of human rights to communications surveillance, 2014 (Necessary and Proportionate Principles) at p 8 (accessible at: https://necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf).
  49. Report of the UNSR on Freedom of Expression, ‘Report on anonymity, encryption and the human rights framework’, A/HRC/29/32, 22 May 2015 (UNSR Report on Anonymity and Encryption) at para 7 (accessible at: http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx). For further discussion and resources, see UCI Law International Justice Clinic, ‘Selected references: Unofficial companion report to Report of the Special Rapporteur (A/HRC/29/32) on encryption, anonymity and freedom of expression’ at para 21 (accessible at: http://www.ohchr.org/Documents/Issues/Opinion/Communications/States/Selected_References_SR_Report.pdf).
  50. Report of the Secretary-General on the UN to the UNGA, ‘Report on the safety of journalists and the issue of impunity’, A/70/290, 6 August 2015 (2015 Report of the UN Secretary-General) at paras 14-16 (accessible at: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/247/06/PDF/N1524706.pdf?OpenElement).
  51. For more, see Big Brother Watch v United Kingdom in the ECtHR (2018) (accessible at: https://globalfreedomofexpression.columbia.edu/cases/big-brother-watch-v-united-kingdom/).
  52. According to principle 9 of the Global Principles, states should provide for the protection of the confidentiality of sources in their legislation and ensure that: (1) Any restriction on the right to protection of sources complies with the three-part test under international human rights law. (2) The confidentiality of sources should only be lifted in exceptional circumstances and only by a court order, which complies with the requirements of a legitimate aim, necessity, and proportionality. The same protections should apply to access to journalistic material. (3) The right not to disclose the identity of sources and the protection of journalistic material requires that the privacy and security of the communications of anyone engaged in journalistic activity, including access to their communications data and metadata, must be protected. Circumventions, such as secret surveillance or analysis of communications data not authorised by judicial authorities according to clear and narrow legal rules, must not be used to undermine source confidentiality. (4) Any court order must only be granted after a fair hearing where sufficient notice has been given to the journalist in question, except in genuine emergencies.
  53. Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/70/361 (2015), para. 23 (accessible at: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/273/11/PDF/N1527311.pdf?OpenElement).
  54. See, for example, United States of America v. Sterling, 724 F.3d 482 (2013).

Table of Contents

Related Resources

MENA

ماژول‌های آموزشی درباره‌ی دادخواهی مربوط به آزادی بیان و حقوق دیجیتال

واحد آموزشی ۱: اصول اساسی حقوق بین‌الملل و آزادی بیان واحد آموزشی ۲: مقدمه‌ای بر حقوق دیجیتال واحد آموزشی ۳: دسترسی به اینترنت واحد آموزشی ۴: حریم خصوصی داده‌ها و حفاظت از داده‌ها واحد آموزشی ۵: افترا واحد آموزشی ۶:

Read more

MENA

وحدات تعليمية حول التقاضي بشأن حرية التعبير والحقوق الرقمية

الوحدة التعليمية 1: المبادئ األساسية للقانون الدولي وحرية التعبير الوحدة التعليمية 2: مقدمة في الحقوق الرقمية الوحدة التعليمية 3: الوصول إلى اإلنترنت الوحدة التعليمية 4: خصوصية البيانات وحماية البيانات الوحدة التعليمية 5: التشهير الوحدة التعليمية 6: خطاب الكراهية الوحدة التعليمية

Read more

Latin America

Privacidad y Protección de datos y vigilancia – Latinoamérica

Privacidad y Protección de datos y vigilancia Introducción El derecho a la privacidad y el requisito concomitante de proteger la información personal ha atraído una atención significativa en la era de la información. Si bien en Internet el intercambio de

Read more
Resource Hub
Donate