Joseph Cannataci recently submitted his first report as UN Special Rapporteur on the right to privacy – a brand new position, created in July 2015 in the wake of the German-Brazilian initiative for a UN resolution on privacy in the digital age. The report includes a description of Cannataci’s working methods, a general overview of privacy-relevant topics, and a ‘Ten point action plan’ – described as a to-do list for the post holder, rather than a mere wish list.
Across the internet community there were high expectations for the report. Some hoped it would focus on privacy in general, a stance exemplified by a joint letter by groups including Privacy International, EFF, and the ACLU. Others – for example Human Rights Watch – called for a more specific focus on privacy in the digital age. As Programme Lead on our Cyber Capacity Building programme, I was particularly interested in the SR’s take on cybersecurity.
Below are some quick reflections on the report: what was good, what could be improved, and what – as human rights defenders – we should be focusing on next.
Let’s start with cybersecurity. The report makes some promising noises on this issue; not least in its emphasis on ‘cyberpeace’ over ‘cyberwar’, an important rhetorical distinction which opens up space for a more holistic, human-centered framing of cybersecurity. This may prove helpful in contesting the ongoing trend of securitisation in international cybersecurity debates. Cannataci’s acknowledgment that current cybersecurity policy can lead to citizens “being monitored in the name of national security in a way which is unnecessary, disproportionate and excessive” (page 6), is a striking intervention which should be further elaborated.
The report also highlights the need for a robust international remedy mechanism (p4) for victims of privacy violation. In the present context, where the few existing routes to legal redress are inaccessibly expensive and complex, such a tool is desperately needed and should certainly be one of the topics that Cannataci should work on in more depth.
Human rights and technical communities will no doubt welcome the SR’s stated intention “to meet and listen to the concerns of many more stakeholders around the world” (p3), though details are unfortunately lacking. Will these meetings be open or invite-only? What weight and influence will they hold in the final reports? How far will the SR be held accountable to this commitment? Until these questions are answered, it is hard to judge its significance.
The less good
The report places a special emphasis on cultural difference with regard to the right to privacy, stipulating a “crying need” to achieve “a better understanding of what privacy is or should be across cultures” (p4, Para 7a). This risks downgrading the safeguards already enshrined in international human rights law, and opens the door to legal interpretations of acceptable restrictions; such as “morale” or “public wellbeing”.
But perhaps the key takeaway from the report is a lack of substantial progression from the ‘Ten point action plan’ first outlined in August – which is, indeed, reproduced in virtually identical form in the report’s conclusion (p18ff). The SR’s repeated allusions to the necessary “modesty” of the report given the short (6-month) timescale and funding constraints are discouraging, given the urgency of current debates around, for example, encryption and the Internet of Things (neither of which, incidentally, are covered in the report). In the introduction, the SR confirms that he has not yet even decided which issues to prioritise. Coupled with the present absence of a structured roadmap, and the SR’s self-imposed limitation to identifying already existing research problems, this is frankly concerning.
Some things which would improve the next report:
- A fuller elaboration of a user-centered perspective on cybersecurity, tackling issues such as data ownership in relation to both governments and private sector
- More robust and accountable commitment to including different stakeholders, from human rights groups to technical constituencies
- A more focused response to current issues (eg encryption), with reference to ongoing legislative processes and legal challenges (eg Apple vs FBI)
- A clear set of priorities instead of a mere list of privacy-relevant topics, and a focus on issues which are currently under-researched from a legal perspective
But in the current absence of a formal mechanism for direct input and feedback on the report, how can we – as civil society – raise these issues with the SR?
As other initiatives have shown, open letters and joint statements are one way to do this. Providing expertise on specific issues is another. By campaigning, raising awareness, writing articles and supporting direct advocacy, we can make sure these priorities stay on the agenda.