Privacy and data protection

Updates

20 May 2017

The European Commission has fined Facebook €110 million for giving misleading or incorrect information during Commission’s 2014 vetting of its deal to acquire messaging service WhatsApp. It was found that, contrary to Facebook’s statement in the 2014 merger review process, the technical possibility for automatic users identities’ matching between their Facebook and WhatsApp accounts not only existed in 2014 but also Facebook staff was aware of this. In August 2016, WhatsApp published terms of service and privacy policy updates, which included the possibility of linking users’ phone numbers linked to WhatsApp with Facebook identities. Margrethe Vestager, EU Competition Commissioner, said that the EC decision is a clear message to companies to comply with European Union merger rules, which also includes the obligation to provide true and correct information. 

19 May 2017

The Commission Nationale de I’Informatique et des Libertés (CNIL), France’s data protection watchdog, has fined Facebook €150,000 for violating the country’s data protection rules. CNIL published a statement saying Facebook has failed in informing its users about how their personal data is tracked and shared with advertisers. A common statement by the Contact Group of the Data Protection Authorities of the Netherlands, France, Spain, Hamburg, and Belgium has also been issued along with the investigation results from three member countries: France, Belgium, and the Netherlands. At the same time, the Dutch Data Protection Authority (DPA) Autoriteit Persoonsgegevens's statement says that Facebook violates Dutch data protection law and does not provide sufficient information about the use of their personal data. DPA stated they did not fine Facebook, but if the violations continue ‘may decide to issue a sanction’. As a response, Facebook’s spokesperson said in an email statement to Reuters: ‘We take note of the CNIL’s decision with which we respectfully disagree’. 

4 May 2017

An ‘incredibly sophisticated’ phishing campaign using spoofed email addresses affected over a million users of Google’s Software as a Service (SoA) ‘Docs’ platform. By purporting to share a document for collaboration, the program requested access to the user’s email account. Google addressed the issue and released a statement and invited affected users to visit its security checkup page.

Pages

Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues the the global, as well as national levels.

 

Frameworks for safeguarding the right to privacy and data protection

The International Covenant on Civil and Political Rights (ICCPR) is the main global legal instrument for the protection of privacy. At a regional level, the main instruments on privacy and data protection in Europe is the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. Although it was adopted by a regional organisation (CoE), it is open for accession by non-European states. Since the Convention is technology neutral, it has withstood the test of time. The EU Data Protection Directive (Directive 95/46/EC) has also formed an important legislative framework for the processing of personal data in the EU and has had a vast impact on the development of national legislation not only in Europe but also globally. This regulation has also entered a reform process in order to cope with the new developments and to ensure an effective privacy protection in the current technological environment.

Another key international – non-binding – document on privacy and data protection is the OECD Guidelines on Protection of Privacy and Transborder Flows of Personal Data from 1980. These guidelines and the OECD’s subsequent work have inspired many international, regional, and national regulations on privacy and data protection. Today, virtually all OECD countries have enacted privacy laws and empowered authorities to enforce those laws.

While the principles of the OECD guidelines have been widely accepted, the main difference is in the way they are implemented, notably between the European and US approaches. In Europe there is comprehensive data protection legislation, while in the USA the privacy regulation is developed for each sector of the economy including financial privacy (the Graham-Leach-Bliley Act), children’s privacy (the Children’s Online Privacy Protection Act) and medical privacy (under the Health Insurance Portability and Accountability Act).

Another major difference is that, in Europe, privacy legislation is enforced by public authorities, while in the USA enforcement principally rests on the private sector and self-regulation. Businesses set privacy policies. It is up to companies and individuals to decide about privacy policies themselves. The main criticism of the US approach is that individuals are placed in a comparatively weak position as they are seldom aware of the importance of options offered by privacy policies and commonly agree to them without informing themselves.

These two approaches – US and EU – to privacy protection have generated conflict. The main problem stems from the use of personal data by business companies. How can the EU ensure that data about its citizens is protected according to the rules specified in its Directive on Data Protection? According to whose rules (the EU’s or the USA’s) is data transferred through a company’s network from the EU to the USA handled?

A working solution was found in 2000 when the European Commission decided that EU regulations could be applied to US companies inside a legal ‘safe harbour’. US companies handling EU citizens’ data could voluntarily sign up to observe the EU’s privacy protection requirements. Having signed, companies were required to observe the formal enforcement mechanisms agreed upon between the EU and the USA.

The so-called Safe Harbor Agreement was received with a great hope as the legal tool that could solve similar problems with other countries. However, it was criticised by the European Parliament for not sufficiently protecting the privacy of EU citizens.

In a turning point for data transfers between the EU and the USA, in October 2015, the Court of the Justice of the European Union (CJEU) struck down this long-standing agreement and declared the Safe Harbour Agreement to be invalid. The Court found that the European Commission had failed to examine whether the USA afforded an adequate level of protection equivalent to that guaranteed in EU, but simply examined the safe harbor scheme. It found that in the US, the scheme is applicable only to undertakings that adhere to it, whereas public authorities are not subject to it, and national security, public interest and law enforcement requirements prevail over scheme. The US scheme therefore enables interference by public authorities, whereas no such limitations exist under EU law.The Court also found that the powers of national supervisory authorities could not be diminished other than by the Court.

Given the high importance of privacy and data protection in the relations between the USA and the EU after the Snowden revelations, it is likely to expect higher pressure to find a post-Safe Harbour Agreement solution.

Events

Actors

World Bank
(World Bank)

Access Now
(Access)

G20
(G20 )

US Congress
(US Congress)

Hivos
(Hivos)

Pew Research Center
(Pew Research)

Freedom House
(Freedom House)

G7
(G7)

Instruments

Conventions

Link to: Convention on Cybercrime (Budapest Convention)-482 (2001)

Judgements

Case of Barbulescu v Romania - European Court of Human Rights (2016)
Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González Case - Court of Justice of the European Union (2014)

Resolutions & Declarations

IPU Resolution: 'Democracy in the Digital Era and the Threat to Privacy and Individual Freedoms' (2015)
Universal Declaration of Human Rights (1948)

Standards

Request for Comments (RFC) dealing with Privacy and Data Protection (2015)

Recommendations

Other Instruments

Suplementary act on personal data protection within ECOWAS (2010)
Patriot Act (2001)

Resources

Articles

Apple vs FBI: A Socratic Dialogue on Privacy and Security (2016)
2016 Data Threat Report (2016)
Trends in Transition from Classical Censorship to Internet Censorship: Selected Country Overviews (2012)
Policy and Regulatory Issues in the Mobile Internet (2011)

Publications

Internet Governance Acronym Glossary (2015)
Securing Safe Spaces - Online Encryption, online anonymity, and human rights (2015)
An Introduction to Internet Governance (2014)

Papers

Expert and Non-Expert Attitudes towards (Secure) Instant Messaging (2016)
Personal Data Storage in Russia (2015)

Reports

Technology, Media and Telecommunications Predictions 2017 (2017)
Drones and Privacy by Design: Embedding Privacy Enhancing Technology in Unmanned Aircraft (2016)
Enabling Growth and Innovation in the Digital Economy (2016)
One Internet (2016)
Encryption: A Matter of Human Rights (2016)
A New Regulatory Framework for the Digital Ecosystem (2016)
The Impact of Digital Content: Opportunities and Risks of Creating and Sharing Information Online (2016)
NI Trend Watch 2016 (2015)
Freedom on the Net 2015 (2015)
OECD Digital Economy Outlook 2015 (2015)
Global Internet Report 2015 (2015)
Government Request Report (2015)
Taxation and the Digital Economy: A Survey of Theoretical Models (2015)

GIP event reports

Data Protection, Digital Trade and Development (2017)
Report for EBU Big Data Conference 2017 (2017)
ICANN58: GNSO Registration Directory Services (RDS) Policy Development Process Working Group Meeting (2017)
ICANN58: Public Forum 1 & 2 (2017)
Report for Symposium on The Future Networked Car (2017)
Report for ITU CWG-Internet - 4th Physical Open Consultation Meeting (2017)

Other resources

Internet Legislation Atlas (2016)
Security and Privacy Handbook: 100 Best Practices in Big Data Security and Privacy (2016)
Security for All: An Open Letter to the Leaders of the World's Governments (2016)
The Twitter Rules (2016)
Privacy Level Agreement [v2]: A Compliance Tool for Providing Cloud Services in the European Union (2015)

Processes

Sessions at IGF 2016

Sessions at WSIS Forum 2016

Sessions at IGF 2015

IGF 2016 Report

 

Continuing a trend to keep human rights at the forefront, a main session at the IGF 2016 was dedicated to the topic (Human Rights: Broadening the Conversation). This demonstrates that the IGF has matured to a point where human rights (Dynamic Coalition on Internet Rights and Principles) are now accepted as an underlying unifying force (Mapping Digital Rights in the Middle East and North Africa: A New Visual Tool for Comparative Analysis). 

The broader implications that the right to privacy (Surveillance and International Human Rights Law - WS267) and data protection (Is Personal Data ‘Mine’ or There to be ‘Mined’? - WS114) have for the Internet and society were discussed in the context of global balance, with overarching links to states’ governance models. These topics are being increasingly merged with issues of security (a right in itself), jurisdiction, and other complexities. The interconnections between privacy, on one side, and access and net neutrality issues, on the other side, were also discussed (Dynamic Coalition on Net Neutrality).

WSIS Forum 2016 Report

 

Privacy and data protection in the online space was discussed from various perspectives. Internet Governance, Security, Privacy and the Ethical Dimension of ICTs in 2030 (session 150) looked at issues related to online privacy in different contexts: the evolution of Internet of Things technologies, state surveillance programmes, and cybersecurity.

In session 169 on Internet Fragmentation one interesting scenario was exposed: one in which governments had one IP address fixed for each citizen, and used it as a passport. In this scenario, the individual would have to renew their passport every year. The government would know exactly which content they had accessed and could deny renewal.

IGF 2015 Report

 

At this year’s IGF, the discussion on privacy and data protection revisited a typical dilemma: How do we ensure both privacy and security or - at least - strike a right balance between two?

This ‘balancing question’ was echoed in many discussions. In the debate on encryption (WS 141 on Law Enforcement in a World of Pervasive Encryption, and WS 53 on The Politics of Encryption), human rights and security communities presented two different views. Human rights activists argued for pervasive encryption aimed at protecting privacy, while security officials believe that strong encryption hinders investigations and poses a problem to gathering data and preventing crime and terrorism.

In the debate between Privacy and Transparency (WS 124), it was argued that the treatment of personal data needs to be transparent, with transparency being also closely associated with accountability. Yet, a recently negotiated trade agreement, which will impact users’ privacy,was not negotiated in such a transparent way.

In discussing these dichotomies, a few new proposals and ideas emerged. For example, in Implementing Core Principles in the Digital Age (WS 114), the two UN Special Rapporteurs on freedom of expression and on privacy argued that both rights could be protected in an integrated way, where encryption and transparency of policy should play an important role. The link between privacy, freedom of expression, and anonymity was discussed in depth in Special Rapporteur David Kaye’s report on the promotion and protection of the right to freedom of opinion and expression (May 2015).

Another question was whether privacy should be protected on a national or international level. The prevailing view is that it needs to be afforded international protection. In the same workshop, Special Rapporteur Joseph Cannataci said that people needed ‘safeguards without borders’ and ‘remedies across borders’, neither of which he believe is possible at the moment. He also referred to the ‘further development of international law’ during the Open Forum on the Right to Privacy in the Digital Age, a view which was picked up by a Brazilian Foreign Ministry official: the right to privacy is already enshrined in international law through the International Covenant on Civil and Political Rights, which has been ratified by 168 countries. His comment: ‘And we might ask ourselves what about the remaining countries? Well, all remaining countries recognise the universal Human Rights, which also [include] the right to privacy. So we have the norm. We have a foundation. A basis to work on.’

 

The GIP Digital Watch observatory is provided by

in partnership with

and members of the GIP Steering Committee



 

GIP Digital Watch is operated by

Scroll to Top