This week the United States Congress voted to strip away one of the country’s few safeguards of the right to privacy by repealing rules which would have limited internet service provider’s ability to use or share customers’ data without customers’ approval.
Meanwhile, last week, 6,500 kilometers away in Geneva, the United Nations Human Rights Council called on states to strengthen customers’ control over their data and develop legislation to address harm from the sale or corporate sharing of personal data without the individual’s free, explicit, and informed consent. All 47 members of the Human Rights Council, including the US, agreed on the resolution, which was adopted by consensus.
So, was this a case of the left hand not knowing what the right hand is doing? Probably not. The US delegation at the UN explained that “in many commercial contexts, meaningful consent could be drawn from the behaviour of consumers”. This “meaningful” consent falls far short of the standard of free, explicit, and informed consent that is so central to modern data protection standards. In fact, in the US there is currently no data protection regime, meaning that companies are virtually free to use, retain, sell, analyse, and profit from customer data. Often times customer data is used to create detailed customer profiles, which can lead to services being unduly restricted or costs increasing. In contrast, data protection standards in Europe and elsewhere require that individuals give explicit consent to their data being used, and that the consent is free and informed, meaning that it is not sufficient to assume consent by interpreting the behavior of the consumer who is using a service.
In its resolution, the UN Human Rights Council seeks to address the consequences of data mining and profiling. The resolution notes that metadata (the ‘who, what, where’ of a message*) “can reveal personal information that can be no less sensitive than the actual content of communications”, including giving an insight into an individual’s behaviour, social relationships, private preferences, and identity.
The Council joins the conclusion of many privacy experts and courts, including the Court of Justice of the European Union which last December confirmed that metadata, when aggregated, is able to reach very precise conclusions about the private lives of individuals, including their everyday habits and activities, places of residence and daily movements, and their social relationships.
Privacy experts have long noted how metadata can be used to profile individuals, and the Council’s resolution singles out profiling to be of particular concern. It further seeks to address the increasing capacity of companies and governments to mine data, to find links between patterns of behaviour, and to predict behaviour. Specifically, it says that automated processing of personal data “may lead to discrimination as well as negatively impact individual’s economic, social and cultural rights”. The use of profiling is being used in a variety of contexts, from basic consumer profiling, to predictive policing, and social profiling. Such profiling can negatively affect access to credit, to heath, to work, and more including restricting basic fundamental rights such as liberty, freedom of expression, and peaceful assembly.
The resolution also encourages companies to use encryption and calls upon states not to interfere with the use of encryption, which is central to protecting confidentiality of digital communications. And the debate over encryption is once again heating up in the United Kingdom. Barley three days after the resolution’s adoption, the UK’s Home Secretary called on companies to collaborate with the government by giving intelligence services and police backdoor access to encrypted messages on Whatsapp.
What these examples show is how the UN remains a key voice in the right to privacy debate, and it will continue to be so. Last week the Council called for an expert workshop and a new study by the High Commissioner on the Human Rights to clarify principles, standards and best practices against which to assess states’ (and companies’) compliance with the right to privacy.
While this resolution alone will not change the practices of states (or of companies), it reminds us what is at stake: threats to privacy and security increase when hard-fought and meaningful privacy protections are irresponsibly stripped away. The UN plays a global role in advocating for the respect of the right to privacy. At a time when human rights are being squeezed between ballooning state surveillance powers and companies’ increasing appetite for customer data, such a role is much needed.