Major UN Privacy Report Is a Strong Blow against US Surveillance Regimes

Yesterday, the UN High Commissioner for Human Rights—the world’s top human-rights official—released a highly anticipated report about “the right to privacy in the digital age.”  The UN General Assembly asked the High Commissioner, Navi Pillay, to research and write this report in the wake of the Snowden revelations, and her resulting document strikes a strong blow against the legal underpinnings of the US’ foreign and mass surveillance programs.  Overall, the report reaches bold legal findings that are clear, well-reasoned, and urgently needed, and it deserves to be widely read by international and US surveillance-law experts alike.

Calling mass surveillance a “dangerous habit,” the High Commissioner reaches a number of legal conclusions that have genuine implications for US secret surveillance practices.  (We are happy to observe that nearly all of these are consistent with the recommendations we submitted to her office in response to a consultation last year.)  Some of the most important conclusions include:

• “Mass” and “bulk” surveillance programs are illegal under international human-rights law.  Although there continues to be a lack of consensus among experts as to what exactly constitutes “mass” or “bulk” collection, the High Commissioner has pointed out that any collection of communications en masse and in a non-individualized way is inherently arbitrary and therefore violates the right to privacy.  (See Article 17 of the International Covenant on Civil and Political Rights, Article 8 of the European Convention on Human Rights, and Article 11 of the American Convention on Human Rights.)

• The US’ foreign surveillance regime may very well be unlawfully discriminatory.  Citing Section 702 of the FISA Amendments Act, the High Commissioner notes that countries such as the US are providing lesser legal protections to foreigners outside of their territory than to their own citizens and residents.  In this context, she emphasizes that international human-rights law does not permit countries to engage in discrimination (including on the basis of nationality) where privacy rights are concerned. 

• Courts that issue secret rulings about surveillance laws cannot adequately guarantee respect for privacy rights.  Whether one agrees or disagrees, this conclusion is extremely important in the US context, where most rulings of the Foreign Intelligence Surveillance Court are kept classified.

• The secret collection of metadata interferes with the right to privacy. The US government uses Section 215 of the USA PATRIOT Act as a legal basis for collecting basic information (known as “metadata”) about all Americans’ telephone communications.  Legally, the government has sought to draw a distinction between metadata (for example, the date and time of, or parties to, a phone call) and the content of a conversation.  The High Commissioner’s report states firmly that individuals have exactly the same privacy rights when it comes to both content and metadata.  This finding is consonant with the CJEU’s recent judgment in the Digital Rights Ireland case, in which the Court observed that metadata can reveal a great deal about an individual’s private life.

• It may be illegal for governments to force private companies to store customers’ metadata.  The High Commissioner writes that it is probably illegal under international human-rights law for governments to force telecommunications companies and Internet service providers to retain their customers’ metadata “just in case” it is needed for government purposes.  Strikingly, she also encourages companies to insist (as much as possible) that any government demands for data be fully compliant with national law and international human rights.  Furthermore, she suggests—correctly—that a company “risks being complicit or otherwise involved with human rights abuses” if it fails to ensure that a State’s request for user data or “mass surveillance technology” complies with human rights.  The fact that she has mentioned the possibility of corporate liability for complicity in human-rights violations is a remarkable indicator of the seriousness with which she views the violations themselves. The High Commissioner stopped short of recommending that governments allow companies to disclose information about the surveillance demands they receive, which CDT believes is a vital step.

• Legal assumptions that consumers understand how and with whom their data is shared probably do not reflect reality.  US Fourth Amendment jurisprudence tends to assume a general understanding among members of the public that Internet and telecommunications companies can see (and share) metadata related to telephone calls, e-mails, etc. The High Commissioner challenges this assumption, pointing out that consumers may not be “truly aware of what data they are sharing, how and with whom, and to what use they will be put.”

• International human-rights laws, including the right to privacy, are strictly binding upon the US in a very wide range of circumstances—even, in some cases, extraterritorially.  The US has signed and ratified the International Covenant on Civil and Political Rights, meaning that the Covenant is legally binding upon the US government even though Congress has not taken the necessary steps to make it enforceable in US courts.  The High Commissioner’s report confirms that in order to be lawful, any state’s surveillance program must comply not only with its own national laws, but also with international law, including (where applicable) the Covenant.  As a general matter, this is not controversial. However, the High Commissioner has gone a step further and affirmed that the US must comply with human rights law not only when its acts occur within territories that it controls, but also when its surveillance “involves [its] exercise of power or effective control in relation to digital communications infrastructure, wherever found,” or where “exercises regulatory jurisdiction over a third party that physically controls the data.”  These are truly groundbreaking statements and help to address a major point of disagreement within the US government about the scope of the US’ human-rights obligations.  They also have enormous potential implications for a state such as the US that is home to a large amount of Internet infrastructure as well as a large number of service providers.

Although the High Commissioner’s report does not address all of the issues that CDT raised in our comments during the consultation phase, we applaud the report for its breadth, frankness, and willingness to stand up—firmly and without apology—for individuals’ privacy rights against pervasive government surveillance.