Privacy and data protection

Updates

In mid-January, a German regional court in Berlin ruled against Facebook’s default privacy settings and use of personal data. The court found that Facebook does not provide its users with enough information on the personal data it collects and uses for them to render meaningful consent. The court also ruled that Facebook’s real name policy is illegal and that its users must be allowed to sign up for the service under pseudonyms in order to comply with a decade-old privacy law. A couple of days after the ruling was made public, the Federation of German Consumer Organisations (VZBV), which filed the lawsuit against Facebook, published press information with a breakdown of the ruling. Litigation policy officer at the VZBV, Heiko Duenkel, stated: ‘Facebook hides default settings that are not privacy friendly in its privacy centre and does not provide sufficient information about it when users register. This does not meet the requirement for informed consent.’ Days after the Berlin court ruled against Facebook, according to the media, the social media network stated its intention to overhaul its privacy settings in order to prepare for the upcoming European General Data Protection Regulation (GDPR). Facebook’s chief operating officer, Sheryl Sandberg, announced the changes, saying they plan to: ‘put the core privacy settings for Facebook in one place and make it much easier for people to manage their data’. According to Reuters, Facebook’s spokesperson said it will appeal the ruling; however, it will make changes to comply with European Union privacy laws coming into effect in June 2018: ‘We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law’.

Major European telecoms companies are providing lower levels of digital rights, such as transparency and consumer protections, to countries in Africa than in European markets, according to Slate's comment on a new study, Droits Numeriques en Afrique Subsaharienne: Analyses des Pratiques D'Orange au Senegal et Safaricom au Kenya (in French), by Internet Sans Frontières (Internet Without Borders). Daniel Finnan of RFI notes that the research report assesses respect for freedom of expression and privacy, 'concluding that users in Europe are treated differently to those in sub-Saharan Africa'. Finnan includes an interview with Julie Owono, Executive Director of Internet Without Borders, which details specific information from the study about how Safaricom and Orange operate differently in Europe than they do in Africa. The interview covers points about terms of service, Internet shutdowns, and privacy considerations, among others.

Crime Russia reports that YouTube and Instagram are facing possible blocking as '14 photos from Instagram of Rybka and video published on YouTube entered the register of prohibited information based on the decision of the court and Roskomnadzor'. Hannah Levintova reports in Mother Jones that Russia is trying to bury the video. Levintova says that the video, published by Russian opposition activist Alexei Navalny, accuses Russian Deputy Prime Minister Sergey Prikhodko of facilitating the alleged link between the Kremlin, Oleg Deripaska, and the Trump campaign. A court injunction was issued, requiring takedown of six videos and 14 Instagram posts, finding that the posts violated Deripaska's right to privacy. According to the BBC, 'If neither Mr Navalny nor the US tech firms involved delete or otherwise block local access to the imagery by the end of the day, then Russia's ISPs will be required to take action themselves.' The BBC goes on to quote a spokeswoman for the Russian Association for Electronic Communications as saying 'It's impossible for internet providers to block certain pages on Instagram and YouTube.' This could result in blocking local access to the social networks.

Pages

Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues at the global, as well as national, levels.

 

Frameworks for safeguarding the right to privacy and data protection

The International Covenant on Civil and Political Rights (ICCPR) is the main global legal instrument for the protection of privacy. At a regional level, the main instrument on privacy and data protection in Europe is the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. Although it was adopted by a regional organisation (CoE), it is open for accession by non-European states. Since the Convention is technology neutral, it has withstood the test of time. The EU Data Protection Directive (Directive 95/46/EC) has also formed an important legislative framework for the processing of personal data in the EU and has had a vast impact on the development of national legislation not only in Europe but also globally. This regulation has also entered a reform process in order to cope with new developments and to ensure effective privacy protection in the current technological environment.

Another key international – non-binding – document on privacy and data protection is the OECD Guidelines on Protection of Privacy and Transborder Flows of Personal Data from 1980. These guidelines and the OECD’s subsequent work have inspired many international, regional, and national regulations on privacy and data protection. Today, virtually all OECD countries have enacted privacy laws and empowered authorities to enforce those laws.

While the principles of the OECD guidelines have been widely accepted, the main difference is in the way they are implemented, notably between the European and US approaches. In Europe there is comprehensive data protection legislation, while in the USA privacy regulation is developed for each sector of the economy, including financial privacy (the Gramm-Leach-Bliley Act), children’s privacy (the Children’s Online Privacy Protection Act) and medical privacy (under the Health Insurance Portability and Accountability Act).

Another major difference is that, in Europe, privacy legislation is enforced by public authorities, while in the USA enforcement principally rests on the private sector and self-regulation. Businesses set privacy policies. It is up to companies and individuals to decide about privacy policies themselves. The main criticism of the US approach is that individuals are placed in a comparatively weak position as they are seldom aware of the importance of options offered by privacy policies and commonly agree to them without informing themselves.

These two approaches – US and EU – to privacy protection have generated conflict. The main problem stems from the use of personal data by business companies. How can the EU ensure that data about its citizens is protected according to the rules specified in its Directive on Data Protection? According to whose rules (the EU’s or the USA’s) is data transferred through a company’s network from the EU to the USA handled?

A working solution was found in 2000 when the European Commission decided that EU regulations could be applied to US companies inside a legal ‘safe harbour’. US companies handling EU citizens’ data could voluntarily sign up to observe the EU’s privacy protection requirements. Having signed, companies were required to observe the formal enforcement mechanisms agreed upon between the EU and the USA.

The so-called Safe Harbor Agreement was received with great hope as the legal tool that could solve similar problems with other countries. However, it was criticised by the European Parliament for not sufficiently protecting the privacy of EU citizens.

In a turning point for data transfers between the EU and the USA, in October 2015, the Court of Justice of the European Union (CJEU) struck down this long-standing agreement and declared the Safe Harbour Agreement to be invalid. The Court found that the European Commission had failed to examine whether the USA afforded an adequate level of protection equivalent to that guaranteed in the EU, but simply examined the safe harbor scheme. It found that in the US, the scheme is applicable only to undertakings that adhere to it, whereas public authorities are not subject to it, and national security, public interest and law enforcement requirements prevail over the scheme. The US scheme therefore enables interference by public authorities, whereas no such limitations exist under EU law. The Court also found that the powers of national supervisory authorities could not be diminished other than by the Court.

Given the high importance of privacy and data protection in the relations between the USA and the EU after the Snowden revelations, higher pressure to find a post-Safe Harbour Agreement solution is to be expected.

Events

Actors

(ISO)

More and more standards and guidelines developed by ISO cover issues related to data and information security, and cybersecurity. One example is the 27000 family of standards, which cover aspects related to information security management systems and are used by organisations to keep information assets (e.g. financial data, intellectual property, employees’ information) secure. Standards 27031 and 27035, for example, are specifically designed to help organisations to effectively respond to, diffuse and recover from cyber-attacks. Cybersecurity is also tackled in the framework of standards on technologies such as the Internet of Things, smart community infrastructures, medical devices, localisation and tracking systems, and future networks.

(UN OHCHR)

Challenges to the right to privacy in the digital age (such as surveillance and interception) are among the issues covered by activities of the High Commissioner for Human Rights. At the request of the UN General Assembly, the Commissioner prepared a report on the right to privacy in the digital age, which was presented to the Assembly in December 2014. The office of the Commissioner also organises discussions and seminars on the promotion and protection of the right to privacy in the online space, and collaborates on such issues with the UN Special Rapporteur on the right to privacy.

(UNHRC)

Privacy and data protection online has been the subject of many UNHRC resolutions. General resolutions on the promotion and protection of human rights on the Internet have underlined the need for states to ensure a balance between cybersecurity measures and the protection of privacy online. The Council has also adopted specific resolutions on the right to privacy in the digital age, emphasising the fact that individuals should not be subjected to arbitrary or unlawful interference with their privacy, either online or offline. The UNHRC has also mandated the Special Rapporteur on the right to privacy to address the issue of online privacy in his reports.

(ECHR)

The European Court of Human Rights deals with privacy through the prism of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. It adjudicates on cases brought against Council of Europe member states accused of being in violation of one or more articles of the Convention. The ECHR takes a broad view of what it deems to be protected as ‘personal data’: any information related to a person (identified or identifiable), which falls under the ‘private life’ part of Article 8. Its most recent high-profile case on the issue found the Hungarian government in breach of Article 8, due to its broad surveillance law.

(CoE)

The Council of Europe has been actively involved in policy discussions on the issue of net neutrality. In 2010, the Committee of Ministers adopted a Declaration on network neutrality declaring its commitment to the principle of net neutrality. Later on, and in line with the Council’s Internet Governance Strategy, the Committee adopted a Recommendation on protecting and promoting the right to freedom of expression and the right to private life with regard to network neutrality, calling on member states to safeguard net neutrality in legal frameworks. Issues related to net neutrality and its connections with human rights are also tackled in events organised and studies conducted by the Council.

(PI)

Privacy International’s work is varied, in terms of both subject matter and actions. Their three main areas are ‘Building a Global Privacy Movement’, ‘Challenging Data Exploitation’ and ‘Contesting Surveillance’, while their actions include research (Privacy 101 explainers and broad-ranging reports) and legal action. A majority of its most recent work has skewed towards issues of surveillance around the world, with a specific focus on Kenya, which relies heavily on its Privacy International Network.

Hivos
(Hivos)

Freedom House
(Freedom House)

G20
(G20 )

World Bank
(World Bank)

Access Now
(Access)

G7
(G7)

US Congress
(US Congress)

Pew Research Center
(Pew Research)

Instruments

Conventions

Convention on Cybercrime (Budapest Convention) (2001)

Judgements

Case of Barbulescu v Romania - European Court of Human Rights (2016)
Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González Case - Court of Justice of the European Union (2014)

Resolutions & Declarations

IPU Resolution: 'Democracy in the Digital Era and the Threat to Privacy and Individual Freedoms' (2015)
Universal Declaration of Human Rights (1948)

Standards

Request for Comments (RFC) dealing with Privacy and Data Protection (2015)

Recommendations

Other Instruments

Supplementary act on personal data protection within ECOWAS (2010)
Patriot Act (2001)

Resources

Articles

Apple vs FBI: A Socratic Dialogue on Privacy and Security (2016)
2016 Data Threat Report (2016)
Trends in Transition from Classical Censorship to Internet Censorship: Selected Country Overviews (2012)
Policy and Regulatory Issues in the Mobile Internet (2011)

Publications

Internet Governance Acronym Glossary (2015)
Securing Safe Spaces - Online Encryption, online anonymity, and human rights (2015)
An Introduction to Internet Governance (2014)

Papers

Expert and Non-Expert Attitudes towards (Secure) Instant Messaging (2016)
Personal Data Storage in Russia (2015)

Reports

Technology, Media and Telecommunications Predictions 2017 (2017)
Drones and Privacy by Design: Embedding Privacy Enhancing Technology in Unmanned Aircraft (2016)
Enabling Growth and Innovation in the Digital Economy (2016)
One Internet (2016)
Encryption: A Matter of Human Rights (2016)
A New Regulatory Framework for the Digital Ecosystem (2016)
The Impact of Digital Content: Opportunities and Risks of Creating and Sharing Information Online (2016)
NI Trend Watch 2016 (2015)
Freedom on the Net 2015 (2015)
OECD Digital Economy Outlook 2015 (2015)
Global Internet Report 2015 (2015)
Government Request Report (2015)
Taxation and the Digital Economy: A Survey of Theoretical Models (2015)

GIP event reports

The Legal Framework for Countering Terrorist and Violent Extremist Content Online (2017)
Where and How to Protect Legal Interests in the Digital Era (2017)
Addressing Access to Remedy in the Digital Age: Corporate Misconduct in Sharing and Processing Personal Data (2017)
Big Data and Conflict Prevention: Balancing Opportunities with Challenges (2017)
Recent Cyber Incidents - Patterns, Vulnerabilities and Concerns (2017)
Artificial Intelligence, Justice and Human Rights (2017)
Realizing Rights Online: From Human Rights Discourses to Enforceable Stakeholder Responsibilities (2017)
Key-note Speeches on the Future of the Internet (2017)
Digital citizenship, Integration, and Participation (2017)
GAC Meeting with the ICANN Board (2017)
Cross-Community Discussion on Next-Generation gTLD Registration Directory Services (RDS) Policy Requirements (2017)
At-Large Advisory Committee (ALAC) and Regional Leaders Wrap Up – Part 2 (2017)
GDPR and Its Potential Impact: Looking for Practical Solutions (2017)
International Trade Agreements and Internet Governance (2017)
EuroDIG 2017 Welcoming Address (2017)
Domain Names Innovation and Competition (2017)
Data Protection, Digital Trade and Development (2017)
Report for EBU Big Data Conference 2017 (2017)
ICANN58: GNSO Registration Directory Services (RDS) Policy Development Process Working Group Meeting (2017)
ICANN58: Public Forum 1 & 2 (2017)
Report for Symposium on The Future Networked Car (2017)
Report for ITU CWG-Internet - 4th Physical Open Consultation Meeting (2017)

Other resources

Internet Legislation Atlas (2016)
Security and Privacy Handbook: 100 Best Practices in Big Data Security and Privacy (2016)
Security for All: An Open Letter to the Leaders of the World's Governments (2016)
The Twitter Rules (2016)
Privacy Level Agreement [v2]: A Compliance Tool for Providing Cloud Services in the European Union (2015)

Processes

Session reports

12th IGF 2017

WTO Public Forum 2017

WSIS Forum 2017

IGF 2016

WTO Public Forum 2016

WSIS Forum 2016

WSIS10HL

IGF 2015

 
