6 March 2018
Ladies and Gentlemen:
It is an honour to present to the Human Rights Council my third Annual report. This report is intended to provide an overview of the way that the mandate has addressed key areas of focus over the first three years of its activities with much more detail being provided about different areas in the annexes provided.
The intersection of privacy with state security interests and surveillance in cyberspace, especially the ones manifested in the Snowden revelations since June 2013, led to the creation of the Special Rapporteur’s mandate in 2015. As the report will show, surveillance and privacy have received their fair share of my attention but the mandate has worked diligently and consistently on a much broader spectrum of privacy concerns over the past three years.
Especially insofar as surveillance and privacy is concerned, it is my strong view that, while international human rights law provides us with the basic set of universal, high-level principles and rights, certainly in the case of privacy, it does not currently offer the level of detail which is essential for us to operationalise the right in this fast-changing digital world. As a right which is not delineated by a universally accepted definition of privacy, its limits need to be defined by a detailed multi-tiered framework of interlocking laws which spell out our understanding of privacy in a particular sector of operation, whether this be health data or insurance data or social security data etc. This detailed multi-tiered framework would thus constitute the comprehensive legal framework for privacy which we are currently missing and which is essential for adequate protection of the right to privacy. One of these applied contexts, as we shall see, is that of domestic and extra territorial surveillance in cyberspace. I elaborate upon this later in my Statement.
In undertaking the mandate, I developed innovative means of fulfilling it. These include the creation of the annual International Intelligence Oversight Forum or IIOF up till now held in Romania and Belgium; the twice-yearly regional events on Privacy, Personality and Flows of Information to date held in New York, Tunisia and Hong Hong. I also created the Thematic Action Stream Task Forces on Big Data and Open Data, Health Data, Privacy and Personality, Security and Surveillance and the ‘Use of Personal Data by Corporations’, to provide a broader global approach to issues surrounding privacy.
These Streams are identifying contemporary obstacles to protecting the right to privacy, such as:
- technologically based incursions in the health sphere;
- smart devices as tools of evidence in the justice sphere;
- cyber-based violence, gender and other biases in algorithms in the social sphere; and
- biometric and other technological tools used in security and surveillance.
The preliminary Report on Big Data – Open Data contained in an annex to this report was presented to the General Assembly in October 2017. This identified key issues in the personal data industry such as secondary uses of data, profiling, artificial intelligence, machine learning, algorithmic bias and de-identification vulnerabilities. International consultation is currently underway on the Big Data and Open Data report which is expected to be finalised later in 2018.
Health privacy issues are being explored in the Task Force on Health Data and it will undertake a consultation on its directions in mid 2018, most likely in the US.
The Taskforce on “A better understanding of privacy” promotes privacy in the digital age. Regional consultations have occurred for Western countries in 2016, Middle Eastern and Northern African countries, and Asian in 2017, and one for Latin America is planned for May 2018. Sessions have been dedicated to gender perspectives on privacy.
Official country visits
Official country visits are an integral part of monitoring the right to privacy. I have conducted two official country visits - one to the United States of America (June 2017) and the other to France (November 2017). Preliminary reports have been issued and final reports will be presented to the Human Rights Council in March 2019 after follow-up exchanges with the Governments concerned.
Reporting on alleged violations, including challenges arising from new technologies
I have reported on alleged violations of the right to privacy.
Ladies and gentlemen, the situation around the world is mixed. In some places there have been extremely positive developments. For example, in August 2017, the Supreme Court of India handed down its decision in an important constitutional case known as the Puttaswamy judgement, ruling unanimously that privacy is a fundamental, unalienable and constitutionally protected right in India.
But elsewhere, the importance of promoting and protecting the right to privacy, and of effective remedies for breach of privacy consistent with international human rights obligations, appears contested. I refer by way of example, to the lack of remedies available for a woman who experienced a gross invasion of her privacy when her genitalia were photographed without permission by a healthcare worker on a personal phone for no professional purpose, during a gynaecological procedure. But there has been no action by the member State concerned despite Law Reform Commission reports for gaps in privacy remedies to be addressed.
My report sets out the mandate’s achievements including joint communications issued with other mandate holders on situations in Honduras, Mexico, Spain, Haiti and Egypt.
As a ‘young’ mandate, it’s been important to increase awareness of the right to privacy and I have participated extensively in privacy events, delivering over 100 addresses worldwide since August 2015 engaging with multiple stakeholders around the world including individuals, civil society organisations; standard setting bodies, various governments, Permanent Missions to the United Nations in Geneva; other Special Procedures mandate holders; officials of the Office of the High Commissioner for Human Rights; researchers; academics and professional bodies.
I have also used the means normally availed of by other Special Rapporteurs in promoting and protecting privacy, including Letters of Allegation to States, and to follow up individual complaints.
Recently, I have provided formal feedback to various Member States for example,
- the Government of the United Kingdom on the Investigatory Powers Act 2016 and its Proposed Response to the ruling of the Court of Justice of the European Union;
- to the Indian Government on its White Paper on Data Protection legislation;
- to Parliaments for example, two inquiries of the Australian Parliament
- In late 2017, I submitted an Amicus Curiae brief to the United States Supreme Court on the Microsoft case.
Future activities and opportunities
Subject to decisions concerning the mandate, I will report on alleged violations of the right to privacy, to seek remedies consistent with international obligations for complainants raising alleged violations of privacy, work with Member States and non-governmental organisations to identify and to give a voice to complainants who do not have access to domestic remedies.
Further annual reports will outline emerging issues and the work of the Thematic Taskforces. I will undertake official visits to the United Kingdom in June, and Germany in the autumn of 2018.
I turn now to:
Acknowledging the seriousness of surveillance as a threat to the enjoyment of the right to privacy, I have co-led international efforts in developing a comprehensive international legal framework to regulate surveillance in cyberspace, thus also advancing prospects for cyberpeace.
A legal instrument, complementary to other pieces of existing cyberlaw such as the Convention on Cybercrime of the Council of Europe, could provide concrete safeguards to privacy on the Internet, while resolving long-standing problems like jurisdiction in cyberspace and enable the international community to guide and assess the use of such technology and practices.
Together with the European Union-supported MAPPING project, I have explored options for such a draft legal instrument on surveillance and privacy.
Work to date has been very successful and encouraging, but the support behind the actual form and content of the Legal Instrument is not yet sufficiently uniform to make a recommendation that the document as it stands should be immediately considered by the Human Rights Council.
With continued effort and time, this is achievable and a viable option to place before the Human Rights Council in the relatively near future, i.e. possibly even by 2021.
It is my strong view that an instrument of some form is necessary, whether as soft law in the form of a recommendation or possibly more appropriately, as an international multilateral treaty. The latter solution would go some way towards creating a clear and comprehensive legal framework on privacy and surveillance in cyberspace which would operationalise the respect of the right to privacy, domestically and across borders.
Despite the growing support and the pressing need for such a legal instrument, realistic timing needs to be accommodated especially given the current international mood regarding surveillance in Cyberspace. Although it does not seem possible or realistic to do so, some Member states have to date insisted on excluding privacy as a priority consideration when discussing cybersecurity. Moreover, a number of powerful states appear to be allergic to anything which in any way could constrain their ability to carry out surveillance in cyberspace free from what would otherwise be termed to be adequate levels of proportionality, necessity, oversight and accountability. Member States with an interest in this legal instrument are therefore invited to contact me directly.
Recommendations to the Human Rights Council
I ask the Human Rights Council to note the achievements across the mandate and future proposed activities.
I particularly request the Human Rights Council to note the progress towards international standards on government-led surveillance; the successful creation of the International Intelligence Oversight Forum, and the intention to contribute to the development of an instrument in the medium term, for consideration by the United Nations.
And, lastly, that the Human Rights Council recommend to the General Assembly that fresh vigour be applied to all UN efforts to enhance the intersection of privacy with security and state behaviour in cyberspace, with the mandate of the UN Special Rapporteur on Privacy.