W7y8w3

Protected informationThe Principles make clear that it is time to movebeyond the fallacy that information about communicationsdoes not pose as serious a threat toprivacy as the content of communications. Informationabout communications, also called metadata,subscriber information or non-content data, caninclude the location of your mobile phone, clickstreamdata, 5 search logs, or anonymous onlineactivity. Individually, these can be just as invasiveas reading your email or listening to your phonecalls. When combined and analysed en masse, thepicture painted by such data points can be far morerevealing than the content of the communicationsthey accompany. In spite of this reality, pre-internetage (in fact, postal service-based!) legal conceptionshave persisted in some legal systems, offeringless or, in some instances, no protection at all to informationthat is not classified as “content”. Whatis important is not the kind of data that is collected,but its effect on the privacy of the individual.As explained in the Legal Analysis and BackgroundMaterials which have been prepared for thePrinciples:The Principles use the term “protected information”to refer to information (including data) thatought to be fully and robustly protected, even ifthe information is not currently protected by law,is only partially protected by law, or is accordedlower levels of protection. The intention, however,is not to make a new category that itselfwill grow stale over time, but rather to ensurethat the focus is and remains the capability ofthe information, alone or when combined withother information, to reveal private facts about aperson or her correspondents. As such, the Principlesadopt a singular and all-encompassingdefinition that includes any information relatingto a person’s communications that is not readilyavailable to the general public.This concern has been addressed by the latestreport of the Office of the High Commissioner forHuman Rights (OHCHR), which made clear that:From the perspective of the right to privacy, thisdistinction between [content and metadata] isnot persuasive. The aggregation of informationcommonly referred to as “metadata” may givean insight into an individual’s behaviour, socialrelationships, private preferences and identitythat go beyond even that conveyed by accessingthe content of a private communication.5 en.wikipedia.org/wiki/ClickstreamGiven the revealing nature of metadata and contentalike, states should be restrained from uncheckedinterference with any protected information: fromrevealing a speaker’s identity if it is not public; fromwantonly vacuuming up the websites or social mediaone has visited; from stockpiling informationon all the people one has communicated with; andtracking the “when”, “from where”, and “for howlong” of all our digital activities. In the pre-internetage, the much more limited amount and kind of“metadata” available to law enforcement was treatedas less sensitive than content, but given currentcommunications surveillance capabilities, this canno longer be the case.Communication surveillanceMuch of the expansive state surveillance practicesconfirmed during the past year depend onconfusion over whether actual “surveillance” hasoccurred and thus whether human rights obligationseven apply. Some have suggested that ifinformation is merely collected and kept but notlooked at by humans, no privacy invasion has occurred.Others argue that computers analysingall communications in real time for key wordsand other selectors does not amount to “surveillance”for purposes of triggering legal privacyprotections. Still others seek to reduce privacyprotections to “harmful uses” of information. Suchlegal variations can mean the difference betweenreasonable and carefully targeted investigationsand a surveillance state built on the continuousmass surveillance of everyone.In the digital age, where the most sensitiveportions of our lives are constantly communicatedover digital networks, it has never been moreimportant to ensure the integrity of our communications.It means little whether the interferencetakes the form of real-time monitoring of internettransmission, hacking into individuals’ mobile devices,or mass harvesting of stored data from thirdparty providers. The mere recording of internettransactions – even if ultimately unviewed – canhave serious chilling effects on the use of our mostvital interactive medium. We have to ensure thatall acts of communications surveillance are withinthe scope of human rights protections and, hence,are “necessary and proportionate”.On this front, the OHCHR report made clearthat:[A]ny capture of communications data is potentiallyan interference with privacy and, further,that the collection and retention of communicationsdata amounts to an interference withprivacy whether or not those data are subsequentlyconsulted or used. Even the merepossibility of communications information beingcaptured creates an interference with privacy,with a potential chilling effect on rights, includingthose to free expression and association.To remedy this issue, the Principles define “communicationssurveillance” as encompassing themonitoring, interception, collection, analysis, use,preservation and retention of, interference with,or access to information that includes, reflects orarises from a person’s communications in the past,present or future.Scope of applicationThe Principles also address a long-standing problemarising from narrow interpretations adoptedby some states regarding the extraterritorial applicationof their human rights obligations. Somehave argued that the obligation to respect privacyand other human rights of individuals effectivelystops at their national borders. In a world of highlyintegrated digital networks, where individual interactionsand data routes defy any semblance ofterritorial correspondence, such distinctions aremeaningless. The Principles therefore apply tosurveillance conducted within a state or extraterritorially,and regardless of the purpose for thesurveillance – including enforcing law, protectingnational security, gathering intelligence, or anothergovernmental function.The OHCHR’s report explicitly underscores theprinciple of non-discrimination:Article 26 of the International Covenant on Civiland Political Rights provides that “all personsare equal before the law and are entitled withoutany discrimination to the equal protectionof the law” and, further, that “in this respect,the law shall prohibit any discrimination andguarantee to all persons equal and effectiveprotection against discrimination on any groundsuch as race, colour, sex, language, religion, politicalor other opinion, national or social origin,property, birth or other status.”In this regard, the OHCHR’s report stresses theimportance of “measures to ensure that any interferencewith the right to privacy complies withthe principles of legality, proportionality and necessityregardless of the nationality or location ofindividuals whose communications are under directsurveillance.”The 13 PrinciplesThe substantive Principles are firmly rooted inwell-established human rights law. Generally, anylimits on human rights should be necessary, proportionateand for a set of permissible purposes.These limits must be set out in law, and cannot bearbitrary.Under international human rights law, eachright is divided in two parts. The first paragraphsets out the core of the right, while the secondparagraph sets out the circumstances in whichthat right may be restricted or limited. This secondparagraph is usually called the “permissible limitations”test.Regarding the right to privacy, the UN SpecialRapporteur on Counter-Terrorism 6 and the UN SpecialRapporteur on Freedom of Expression 7 havestated that the “permissible limitations” test underArticle 19 of the International Covenant on Civil andPolitical Rights (ICCPR), among other articles, isequally applicable to Article 17 of the ICCPR, whichprohibits the arbitrary or unlawful interference withprivacy rights.The OHCHR report has neatly summarised theseobligations with respect to Article 17 of the ICCPR:To begin with, any limitation to privacy rightsreflected in article 17 must be provided for bylaw, and the law must be sufficiently accessible,clear and precise so that an individual may lookto the law and ascertain who is authorized toconduct data surveillance and under what circumstances.The limitation must be necessaryfor reaching a legitimate aim, as well as in proportionto the aim and the least intrusive optionavailable. Moreover, the limitation placed on theright (an interference with privacy, for example,for the purposes of protecting national securityor the right to life of others) must be shown tohave some chance of achieving that goal. Theonus is on the authorities seeking to limit theright to show that the limitation is connected toa legitimate aim. Furthermore, any limitation tothe right to privacy must not render the essenceof the right meaningless and must be consistentwith other human rights, including the prohibitionof discrimination. Where the limitation doesnot meet these criteria, the limitation would beunlawful and/or the interference with the rightto privacy would be arbitrary.6 UN Special Rapporteur on the Promotion and Protection of HumanRights and Fundamental Freedoms While Countering Terrorism, A/HRC/13/37.7 UN Special Rapporteur on the Promotion and Protection of theRight to Freedom of Opinion and Expression, A/HRC/23/40.12 / Global Information Society Watch Introduction / 13