The Right to Privacy in the Digital Age: Where Do Things Stand?
The UN Human Rights Council has convened for its 28th regular session, and its agenda includes revisiting Snowden-sparked debates about the right to privacy in international law. In explaining his actions, Snowden appealed to the Universal Declaration of Human Rights and human rights treaties. He wanted to expose the peril he believes pervasive government surveillance poses to the right to privacy, and his leaks catalyzed many privacy-related controversies.
For example, Snowden’s revelations about U.S. and British signals intelligence programs launched efforts in the UN and the European Union (EU) concerning the International Covenant on Civil and Political Rights (ICCPR), EU privacy law, and the European Convention on Human Rights (ECHR). The UN General Assembly adopted a resolution on the right to privacy in the digital age, and the High Commissioner for Human Rights and Special Rapporteur for the Promotion and Protection of Human Rights while Countering Terrorism issued reports. The EU made demands on the United States in the context of data-sharing relations. Privacy advocates challenged UK surveillance activities under the ECHR before a British tribunal and the European Court of Human Rights.
But, after much deliberation, debate, and diplomacy, where do things stand? Have the key Snowden villains—the United States and United Kingdom—altered their approaches to their international legal obligations? Has the UN succeeded in illuminating how international law handles privacy challenges posed by digital technologies? Have countries spared by Snowden’s disclosures, including authoritarian states notorious for not respecting privacy, embraced UN interpretations of the right to privacy and improved compliance with international law?
Looking across the post-Snowden landscape suggests that little has changed despite all the activity. UN human rights bodies have done what they often do—highlight painful gaps between what the UN claims international law requires and what governments do. In many countries where privacy has long been an empty right, it has been business as usual, or worse. The British government believes it has effectively defended its position in domestic litigation and wants stronger surveillance powers from Parliament. Changes in U.S. signals intelligence have occurred, some of which are unprecedented, but they owe more to factors other than international law.
In the United Nations
UN activities have followed a familiar pattern. The General Assembly’s resolution was contentiously negotiated, was claimed as vindication by countries that did not agree about what the resolution meant, and, tellingly, was adopted without a vote. UN officials asserted that existing international law provided compelling answers to all privacy-related questions raised by member states—an assessment, critics observed, that lacked analysis of state practice on complex issues, such as extraterritorial jurisdiction, what "arbitrary and unlawful" interference with privacy means, balancing secrecy and transparency in surveillance programs, and the extent of discretion governments have in confronting security threats. And, as often occurs and is happening again this month, a UN human rights perspective disconnected from the way states behave comes before the Human Rights Council, the membership of which typically includes a rogue’s gallery of states renown for their lack of interest in human rights, including privacy.
In Authoritarian Countries
Authoritarian governments do not appear to have had any "come to Snowden moments." Human Rights Watch condemned a proposed new Chinese counter-terrorism law because it would establish "a total digital surveillance architecture subject to no legal or legislative control" inconsistent "with international law and the protection of human rights." Just as Snowden began his temporary asylum in Moscow in the fall 2013, researchers described Russian surveillance capabilities as "an Orwellian network that jeopardizes privacy and the ability to use telecommunications to oppose the government." In 2014, Human Rights Watch asserted that Russia "took a leap backwards demonstrating little respect for its human rights obligations."
In the United Kingdom
A British tribunal rendered decisions in December 2014 and February 2015, which held that, after the British government provided transparency on safeguards it had in place, it was in compliance with the ECHR concerning receipt of surveillance information from the NSA. Given the storm Snowden stirred up about the UK’s signals intelligence activities, the change required for the tribunal to consider the government in full ECHR compliance was strikingly limited. Although they claimed victory, privacy advocates were upset the tribunal did not strike down the U.S.-UK information-sharing arrangement on substantive grounds. Whether the European Court of Human Rights reaches a different conclusion remains to be seen. To complement its recent wins in the courts, the British government has expressed interest in new legislation that would expand its surveillance powers.
In EU-U.S. Data-Sharing Relations
The EU used the Snowden-generated controversies to make demands on the United States in negotiating data-sharing arrangements, namely the Safe Harbor and "Umbrella" agreements. This scenario replays difficulties the EU and the United States have long had on privacy.The EU has not re-interpreted EU privacy law because of Snowden’s actions, but it has exploited the disclosures to strengthen its negotiating position with the United States. For its part, the United States has not altered its stance on its ICCPR obligations because it negotiates privacy deals with the EU.
In the United States
A February 2015 progress report from the Director of National Intelligence (DNI) highlights changes implemented since President Obama announced reforms in Presidential Policy Directive-28 (PPD-28) in January 2014. Some changes address concerns about the privacy of U.S. persons that are anchored in U.S. law not international law. Other changes relate to EU negotiating demands, such as the commitment to pursue legislation to permit nationals of designated countries to seek redress in U.S. courts for inappropriate handling of personal data.
Some reforms relate to debates about international law, particularly whether U.S. treaty obligations on privacy apply outside U.S. territory. Under PPD-28, the U.S. intelligence community now treats information collected on foreign nationals outside the United States under rules equivalent to those on the treatment of information on U.S. persons. David Medine, Chairman of the Privacy and Civil Liberties Oversight Board, argued that this decision is unprecedented because “no country on the planet [...] has gone this far to improve the treatment of non-citizens in government surveillance.”
But the Obama administration has not expressly grounded this move in international law. PPD-28 and the DNI’s progress report do not link this change to international law. Nor does the decision seem inspired by the UN’s, ECHR’s, or EU’s respective approaches to privacy in international law.
Rather, this shift might reflect a claim of American exceptionalism—the United States is undertaking something exceptional with privacy in the digital age that only America would dare to attempt, even after events as damaging as Snowden’s leaks. And, like all claims of American exceptionalism, it is highly provocative but, nevertheless, consequential for reasons well beyond international law.