Privacy and data protection
In the digital age, data plays a huge role in our everyday lives.
It's present in lots of obvious ways. When we are shopping online for example and
have to type in our name and address.
But data collection can also be less visible.
Take data brokers, for example. You've probably never heard of them, but these businesses specialise in
creating in-depth profiles of individuals for advertisers.
A single profile may draw on up to 1,500 data points.
This can include a person's sexuality, browsing history, political affiliation, and even medical records.
One US-based data broker, Acxiom, claims to have files on 10% of the world's population.
It's not just businesses of course. In
2013, Edward Snowden uncovered a vast regime of
mass government surveillance programmes, opening a global conversation which is still unfolding today.
In this video, we'll take a closer look at this debate, focusing on the related but distinct concepts of privacy and data protection.
By the end you should have a clear idea of:
how these issues differ and overlap;
how both are affected by the digital age; and
how you can engage with companies and governments to protect and strengthen these rights.
So what are we talking about when we say
privacy and data protection?
Let's take privacy first.
Article 12 of the Universal Declaration
of Human Rights treats privacy as a
distinct human right. It says that:
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence...
Everyone has the right to the protection
of the law against such interference or attacks"
This is simple enough. Agreeing on what
privacy actually means here has proved harder.
Depending on the context, it can mean the right to freedom of thought and conscience,
the right to be left alone,
the right to control one's own body,
the right to protect your reputation,
the right to a family life,
or the right to a sexuality of your own definition.
There are other ambiguities. In legal
terms, privacy isn't an absolute right.
This means it can be restricted for
certain reasons - for example, to protect
national security or public safety.
Or if it conflicts with other rights,
like the right to free expression.
An example could be a public figure invoking privacy to avoid disclosing their financial records.
And what about data protection?
Contrary to popular belief, it is not the same thing as privacy.
Privacy is a broad concept, referring to
the conditions which enable a basic
foundation of human dignity and autonomy.
Data protection is more specific.
It's concerned with the ways third parties
handle the information they hold about us - how it is collected, processed, shared, stored, and used.
In other words, privacy is the big picture - and data protection is one corner of it.
Like privacy, data protection is also
subject to limits - for example, when a
warrant is obtained allowing law enforcement to access the phone records of a suspect.
And while data protection is in some
ways more clearly defined than privacy,
how it is applied legally can still vary greatly depending on which country you're in.
The digital age has created new ways to
collect, access, analyse and use data,
often across multiple borders and jurisdictions.
Unsurprisingly, this poses challenges for human rights.
One challenge relates to the
way companies use our data.
The internet's business model depends on
people sharing their personal data in
exchange for access to content, services
and social media platforms.
While you might not pay anything upfront to go on Facebook,
they still make money from you by
selling your personal information to advertisers.
By clicking "agree" to terms of service, users technically consent to this model.
But in practice, virtually no
one actually reads them.
This is a problem because no one knows
what they're really signing up to,
which creates opportunities for misuse.
Another challenge relates to the
collection of personal data by governments.
Technological developments now enable
governments to monitor our conversations,
transactions, and the locations we visit.
In some countries - including Russia, Brazil, Australia and South Korea - companies are legally required to
store this data locally for long periods of
time, making it easier for governments to
get information on their citizens.
These measures are often introduced in
the name of fighting cybercrime and terrorism.
But without adequate protections, this
data can easily be abused to target
dissidents and activists - undermining freedom of expression and the rights to association and assembly.
And these are just the technologies we have now.
Emerging technologies - like the Internet of Things, wearables, and artificial intelligence - are likely to
pose new challenges to human rights.
As human rights defenders we need to be prepared for these.
There are many bodies and forums where privacy and data protection issues are discussed and defined:
National and regional courts have a crucial role here.
The European Court of Human Rights, for
example, has imposed limits on 'stop and search'
practices by the police, and on the amount of time data can be legally retained.
At the national level, it's common to find a specific public body responsible for privacy and data protection.
This can be a specialist post or an ombudsman.
But the extent to which privacy is defined and protected varies greatly between different jurisdictions.
For example, there is no clear right to privacy
in the African Charter on Human and Peoples' Rights (ACHPR).
However, there are mechanisms at the
Following a UN resolution on the right to
privacy in the digital age,
the Human Rights Council has established
a new Special Rapporteur for Privacy.
And various internet policy forums, like the
Internet Governance Forum (IGF),
the Council of Europe, the Organisation for Economic
Cooperation and Development, and
conferences, like HOPE and CyFy, also contribute to shaping the scope of privacy in the digital age.
And finally, we have companies.
The decisions of companies can also have a huge impact on data protection and privacy rights.
For example, by building end-to-end encryption into their software, as WhatsApp did in early 2016.
Let's look at two examples of privacy
and data protection in the real world.
First, let's look at the Apple vs. FBI case.
After the 2016 terrorist attacks in the US city of San Bernardino, the FBI asked Apple for the information
stored on the iPhone of one of the suspects.
However, Apple's operating system is
encrypted and only accessible through a PIN code.
The FBI asked Apple to modify the system
to let them in.
Apple refused - opening a lively debate on the right to privacy versus security needs.
The case was almost taken to court - but in the end the FBI found a vulnerability to crack the phone.
In privacy terms, this was a legal setback.
If the case had gone to court, it could
have helped popularise the risks of
weakening encryption for society, and
establish what constitutes a legitimate limitation on privacy by the state.
Next, let's look at surveillance in Kenya.
In Kenya, a combination of invasive
surveillance measures and a lack of
adequate data protection facilitated a
crackdown on civil society in 2013,
which was documented by Peace Brigades International.
Many human rights defenders had their offices raided,
computers hacked and phones tapped by the government.
One of the ways human rights defenders
have been fighting back is by pushing
for the ratification of Kenya's first data protection law, long-stalled in Parliament.
If implemented properly, this could limit
the worst excesses of state surveillance.
Kenya is by no means the only country to bring in surveillance legislation justified by security concerns.
But this example is a good demonstration of how
seemingly abstract restrictions on online privacy can have physical consequences in the offline world.
So what can human rights defenders do to
protect and strengthen privacy and data protection?
An easy first step is taking digital
security measures yourself.
This can be as simple as using encryption and anonymity tools,
and encouraging your friends to do the same.
Human rights defenders can also advocate
for alternative digital business models, which aren't based on the extraction and sale of data.
Economic pressure on the
existing model is already growing.
For example, over the last few years, the number of users using adblock software globally has exploded.
There is evidence that this is already pushing companies to less invasive advertising practices.
Engagement in debates at the national
and regional level is, of course, crucial.
Where privacy protections are weak, human rights defenders need to actively advocate for stronger ones.
And even where they are stronger,
we need to make sure legislation is
keeping up with new technological developments
- like the Internet of Things.
Ultimately, if we want things to change,
human rights defenders need to make
these issues accessible and relatable by being more creative about the way we talk about them.
When people see how data protection and
privacy affect them on a day-to-day basis,
they may be more inclined to engage with
In the next video we'll be taking a closer look at freedom of expression, association and peaceful assembly.