The world’s highest and most diverse political body has finally reacted to this summer’s revelations of mass Government surveillance programs. Last week, a subcommittee of the UN General Assembly (GA) adopted a resolution on “The right to privacy in the digital age”, which contains a strongly worded condemnation of online surveillance. The resolution, which can no longer be amended, will pass the whole 193-member General Assembly later this month.

The adoption of the privacy resolution will be an important development for a number of reasons:

  • It is the first major UN statement on the right to privacy in 25 years;
  • For the first time, the GA establishes that human rights apply irrespective of the medium;
  • The resolution establishes for the first time that the right to privacy is essential to the exercise of the right to free expression, which is one of the foundations of a democratic society;
  • It further notes that arbitrary surveillance violates the rights to privacy and may therefore contradict the tenets of a democratic society;
  • It makes clear that countries have obligations to keep their surveillance programs in check; and finally,
  • It enjoys very broad support: The resolution was co-sponsored by a large and diverse group of countries and adopted by consensus.

The establishment of the principle that human rights apply online as they do in the offline world may seem trite but it is arguably the most important element of the resolution. While it is not the first time this link was made in a UN context it sets an important precedent, which will help put pressure on countries with a bad track record on Internet freedoms.

It is also good news for Internet companies which are frequent victims of arbitrary government filtering and blocking. In many parts of the world, there is a lack of understanding and widespread disregard of human rights in the online environment. For example, whereas most Governments are sensitive to the problems involved in dissolving physical gatherings – it creates media attention and can have international consequences – they are far less hesitant to block a chatroom or a Facebook page where dissidents criticize the government. The GA resolution makes it clear that from a human rights perspective they are the same: in both instances the Government is violating the freedom of assembly. This will strengthen the position of Internet companies doing business in those countries who resist arbitrary restrictions on speech asserted by the government, especially where the country is a party to the human rights framework that the resolution extensively references.

Of course, GA resolutions are soft law and do not have the same weight as, say, a Security Council resolution. However, to assume that this makes them insignificant fails to recognize the dynamics of international politics. Many of the global rules we take for granted today were first expressed as GA resolutions, the most famous example being theUniversal Declaration of Human Rights (UDHR), which proclaimed the “equal and inalienable rights of all members of the human family” at a time when colonization was still the modus operandi in many parts of the world. GA resolutions not only set precedents, they also create a body of references for future agreements and often act as a precursor for binding international law. In short, General Assembly resolutions, especially those with broad support, carry a lot of political weight because they are reflective of world opinion and define the expected behavior of States – especially when they are adopted by consensus, as this one will be.

The privacy resolution deservedly received a lot of praise. It is, after all, a good outcome for those wanting to protect online freedoms and a good starting point for more robust protections. Nevertheless, it falls short from being truly great because it lacks teeth in some key areas: the extraterritorial obligations of States and the legal status of surveillance. The intense lobbying of the ‘Five Eyes’ countries – United States, United Kingdom, Canada, Australia, New Zealand – resulted in a considerable softening of the resolution.

Extraterritorial obligations of States

The modern Internet is a global, interconnected medium that is fundamentally based on trust. If users are going to trust sensitive information to Internet services, many of which have more users abroad than they do in their “home” country, users need to trust that those services act as responsible stewards of that data. In this environment, recognizing that States have at least some privacy obligations towards foreigners is key if we want to protect the commercial and social value of the Internet. If governments operate on the presumption that only their own citizens deserve protection from unwarranted surveillance we could effectively all become digital foreigners, subject to limitless surveillance by all governments except our own.

The drafters of the resolution were aware of these issues, as confirmed in an internal strategy note by the US delegation. According to that note, the original version of the privacy resolution suggested “that states have international human rights obligations to respect the privacy of foreign nationals outside the U.S.”

Unfortunately, the 5-eyes countries successfully argued that under the International Covenant on Civil and Political Rights (ICCPR), they only have to respect the human rights of their own nationals. While this seems objectionable from a moral and a business perspective because it fails to provide any real protection against privacy violations in the Internet Age, is it reasonable from a legal point of view?

According to Article 2(1) of the ICCPR, “Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant.”  As we know, most victims of mass surveillance are not located in the territory of the surveilling state. The question, then, is whether surveilling a foreign national renders that person subject to the surveilling state’s jurisdiction. Most experts would find that hard to support because surveillance does not constitute “effective control” over that person, one of the key elements to establish whether a State has jurisdiction. This line of argument therefore seems to lend support to the interpretation by the 5-eyes countries of the ICCPR.

Others, however, consider this to be splitting hairs. The UN Special Rapporteur on the freedom of expression, Frank LaRue, argues that existing human rights obligations already compel States to protect the privacy of foreigners. “For decades there has been a solid understanding that privacy in postal services should be respected by all States. Therefore, there are no reasons for questioning existing guarantees to privacy in telephone or Internet communications,” he noted. Those who support Mr. LaRue’s point of view would also argue that the spirit of the original ICCPR was to establish a universal right to privacy – not one that applies solely in respect to the State in whose territory one happens to be in. In addition to that, they argue that by referencing to both the UDHR and the ICCPR, the GA resolution implicitly rejects the 5-eyes argument that privacy rights derive only from a specific treaty which they, in turn, insist lacks extraterritorial implications.

Legal games aside, I would argue that in light of today’s technological possibilities, it would be entirely reasonable to extend at least some of States’ privacy obligations to individuals outside their jurisdiction. Otherwise, the trust deficit resulting from limitless surveillance would almost certainly diminish the Internet’s future commercial and social value. Internet users would be fair game in what could become a global arms race of online surveillance. For Internet companies, it would be a hopeless situation. They would be caught between the legitimate privacy expectations of their international users and a legal regime which makes it impossible for them to provide effective protections.

Mass surveillance not a human rights violation per se

In addition to avoiding references to extraterritorial protections, the 5-eyes countries also succeeded in softening the language that defined the legal status of mass surveillance. Whereas in the original version, mass surveillance was qualified as a human rights violation in itself, the revised version only refers to the “negative impact” mass surveillance may have on the “enjoyment of human rights”. The five allies further managed to replace all references to “illegal surveillance” with “unlawful or arbitrary surveillance.” The objective of this modification being that it will shift the focus away from international human rights law to national law. According to this view, “unlawful surveillance” is what’s not permitted under the laws of the surveilling State. And, as the US and the UK Government would argue, PRISM and TEMPORA are entirely legal under their national laws.

While the 5-eyes countries were able to make some key changes to the resolutions, it is not clear whether it was worth the trouble. The US and its allies spent a lot of political capital in New York to modify certain elements of the resolution but that did not change its core message, which is that out-of-control surveillance programs are a serious concern for human rights. The final version of the resolution still contains stern warnings of the dangers of mass online surveillance. And in the context of this summer’s revelations, the underlying meaning of the resolution is easy to decipher, even if no specific countries or agencies are mentioned.

One of the outcomes of the resolutions is that the UN High Commissioner for Human Rights will be requested to submit a report on the right to privacy in the context of surveillance. The GA will then discuss the report at its next session in 2014. This follows a well-known diplomatic strategy of using a relatively unproblematic text as a starting point for launching a process which could develop its own momentum. In addition to that, the UN’s Human Rights Council will adopt  a work program on online surveillance in the coming weeks. CCIA is in regular contact with the Secretariat and will continue to monitor the Council’s initiatives with regards to human rights online.

Email this to someoneShare on FacebookTweet about this on TwitterShare on Google+Pin on PinterestShare on LinkedInShare on Reddit