Internet Governance and Privacy - MIND 7 Editorial
Internet Governance and Privacy - MIND 7 Editorial
by Prof. Dr. Wolfgang Kleinwächter, Editor
Was there privacy in ancient times and in the Middle Ages? Whole tribes lived under one roof, and in a village everybody knew everything about everybody. If you go to the ruins of the old Roman city of Pompeii, you will learn that even the restrooms were public spaces.
Today, privacy is seen as a fundamental individual human right, protected by Article 12 of the Universal Declaration of Human Rights which states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
However, since the beginning of the Internet Age, we have seen growing unlimited access to all kinds of small and big personal data by transnational private corporations and governmental security agencies. Individual privacy is eroded and undermined. Private correspondence is checked by authorized or non-authorized parties. As soon as you are connected to the Internet via a fixed or mobile end device – whether it is in your private home or in your hotel room, if you are walking in the street or riding in a car – somebody on the other end of the line will know where you are, what you are doing, and what your plans will be. It is not only the usual skeptics who argue that the 21st century will see the “end of privacy”. Are we moving backwards into something like the “digital Middle Ages”?
Inhaltsverzeichnis |
History of Privacy
The understanding of privacy as a legal right has its own history. It goes back to a case from the 17th century – known as the Semayne’s Case from 1604 – when a British lawyer, Sir Edward Coke, stated: “The house of every one is to him as his castle and fortress, as well for his defence against injury and violence as for his repose.” The Semayne’s Case acknowledged that the king did not have unbridled authority to intrude on his subjects‘ dwellings, but recognized that government agents were permitted to conduct searches and seizures under certain conditions when their purpose was lawful and a warrant had been obtained.
This has later been taken as a blueprint by James Madison when he introduced the 4th amendment to the US Constitution in 1789: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”. Later, in 1890, Samuel D. Warren and Louis D. Brandeis described privacy as the “right to be let alone”.
The word “privacy” comes from the Latin privatus which means “separated from the rest”. The whole idea of the Internet is that we are connected, not separated, and that everybody can communicate with everybody anytime, anywhere. In the new virtual global village, we are all under one roof. Can we remain alone in cyberspace? Do we want to remain alone? How can protection work in a borderless space so that we as individuals are safe against unreasonable searches and seizures? How we can use the freedom we have won in the virtual world without risking losing our privacy if we use the Internet? This is a big question and finding the right answer is not easy.
As we have seen in the last decade, technology always develops faster than our legal system. Code makers work at a higher speed than law makers. In the information age, it is the code that defines the space in which law makers now operate. This brings a lot of new flexibility to the system. On the other hand, social values, individual rights, and personal freedoms do not change overnight when new technologies are introduced. Our legal system has a high degree of stability which is needed in a democratic society. What we have learned in recent years is that a lot of new Internet based services and applications offer new opportunities but very often do not need new regulations. They can be managed and dealt with on the basis of our existing legal system, both nationally and internationally.
From a legal point of view, there is no difference between stealing money offline and stealing money online. Stealing money is a crime, and a crime is a crime is a crime, offline as well as online. Doing harm to other people remains illegal whether it is done in the real or in the virtual world.
Yes, there are new problems in borderless cyberspace. If providers and users of Internet based services operate under different jurisdictions, there is a pressure to “harmonize” national regulations or to decide which jurisdiction is relevant in a concrete controversial case. And yes, there are some new problems which have not yet been clearly defined in our traditional legal system, such as cloud computing or the linkage of objects to the Internet via interactive RFID chips. But neither cloud computing nor the Internet of Things leads to the disappearance of universal values or human rights. In this respect, it was very natural that the UN Human Rights Council stated in a resolution from June 2012 that “the same rights that people have offline must also be protected online”.
The UN Resolution on Privacy in the Digital Age
This is also relevant for the right to privacy, as it was reaffirmed in the UN Resolution on the right to privacy in the digital age, initiated by Brazil and Germany and adopted at the 68th UN General Assembly in December 2013. The resolution notes inter alia that “the rapid pace of technological development enables individuals all over the world to use new information and communication technologies and at the same time enhances the capacity of Governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights, in particular the right to privacy, as set out in article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights, and is therefore an issue of increasing concern”.
This brings us to the question of whether all technologies that are invented and are available should be used in an unlimited way. There is a real question whether we need ethical, moral, and legal barriers for the use of certain types of technology. A person who owns a gun is not totally free to use this gun for everything. She or he has to respect concrete laws and if she/he ignores them and uses the gun against human beings, she/he will be punished and jailed. In other words, we need restrictions on the use of communication technology which allows interference into our private homes, intrusion into our private communications, and surveillance of our day-to-day behavior by private or public parties, corporations, governments, or our unfriendly neighbors.
There can be reasons for a justified interference. But this has to be the exception and cannot be the rule. And it needs to go through a legal procedure where a neutral third party, based on evidence of a clear and present danger, checks the necessity and proportionality of such interference. In other words, there will be no one-size-fits-all solution. It has to be decided on a case by case basis, taking into account the specific circumstances.
The Challenge to Find the Right Balance
The big challenge here is to find the right balance. But one thing is also clear; this can´t be left to the “free market”, where the individual Internet user has no adequate negotiation capacity against big corporations or big governments. For a fair balance, we need the protection of the law. As Jean Baptiste Lacordaire, the French philosopher, stated nearly two hundred years ago: “Between the strong and the weak … it is freedom that oppresses and the law that liberates”.
The 2013 UN Resolution on Privacy in the Digital Age is moving in the right direction here. The resolution reaffirms “the human right to privacy, according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to the protection of the law against such interferences”. It recognizes that “the exercise of the right to privacy is important for the realization of the right to freedom of expression and to hold opinions without interference, and one of the foundations of a democratic society”, and it emphasizes that “unlawful or arbitrary surveillance and/or interception of communications, as well as unlawful or arbitrary collection of personal data, as highly intrusive acts, violate the rights to privacy and freedom of expression and may contradict the tenets of a democratic society”.
Furthermore, the resolution also notes that “while concerns about public security may justify the gathering and protection of certain sensitive information, States must ensure full compliance with their obligations under international human rights law”. And it expresses its deep concern about “the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights”. It concludes that “States must ensure that any measures taken to combat terrorism are in compliance with their obligations under international law, in particular international human rights, refugee and humanitarian law”.
This is clear and balanced language adopted by UN member states and supported by a wide range of non-governmental stakeholders, in particular from civil society. To find the right balance not only among governments and stakeholders but also between justified security concerns and individual privacy rights is not easy, but we have to face this challenge in the digital age. The right answer can be found only in a bottom-up, open and transparent multistakeholder policy development process.
In this respect, it is good that the resolution invites the governments of the UN member states “to review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection, with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law” and to “establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and the collection of personal data”. However, such a call should go beyond relevant activities by the governments of the UN member states and should also include the private sector, civil society, and the technical community.
Towards a Multistakeholder Model in the Development of Privacy Policies
A lot of personal data and surveillance capacity is now in the hands of the private sector. While private corporations are obliged to respect the legislation of the country in which they operate, they often try to escape national legislation by “jurisdiction shopping” – that is, to pick the country with the lowest standard of privacy laws as the place for starting business in borderless cyberspace. An inclusion of the private sector in a multistakeholder process to develop policies to respect individual privacy rights is as important as bringing civil society directly to the negotiation table. Networks like Privacy International, Human Rights Watch, Reporters without Borders, Article 19, Transparency International, Consumer International and others have to have a voice and a vote when it comes to global mechanisms which will enhance the protection of privacy in the digital age. And even more important is the inclusion of the technical community. This community has developed standards which enabled surveillance and enhanced control capacities. This community, as IETF or W3C, is now challenged to offer standards which will allow a higher protection of individual privacy. Privacy by design is a very concrete challenge for the Internet standard setting organizations, in particular when it comes to the next wave of services and applications relating to the Internet of Things.
Furthermore, it needs an enhanced understanding of the various elements of privacy protection and more specifications. When the Global Business Dialogue on eCommerce (GBDe) discussed privacy concerns in 1999, they differentiated between “sensitive” and “non-sensitive” data. For “sensitive” data (data related to health, finances, sexual orientation, religion, and political affiliation), they proposed that a corporation should ask the individual if the corporation wanted to use this data (opt in). For “non-sensitive data” (such as shopping behavior, travel, open chats, searches), they proposed that corporations could use the data as long as the individual did not express an explicit reservation (opt out). This approach was not further investigated or translated into concrete legislation. But it shows that a multistakeholder approach widens the perspective and can bring more and reasonable arguments to the negotiation table.
To take another example: the German constitution has included – since the 1980s – the right to informational self-determination which gives all rights regarding how to use personal data to the individual. In the 1990s, the right to access the secret files of the East German secret service (Stasi) was seen as a constitutional right. Can such an approach be globalized? Is it the right of an individual to know what information secret services around the world have collected about her or him? May I ask the NSA whether they have looked at my private communication and if yes, what do they have in their database?
Net Mundial
In this respect, the final document adopted at the recent Global Multistakeholder Meeting on the Future of Internet Governance (NetMundial) can be a good guideline on how to enhance the multistakeholder model when it comes to policy development and decision making with regard to privacy issues in the Internet Governance Ecosystem. Principle 1.3 of the NetMundial Declaration says very clearly: “The right to privacy must be protected. This includes not being subject to arbitrary or unlawful surveillance, collection, treatment and use of personal data.” And the roadmap section of the Sao Paulo Declaration states: “Mass and arbitrary surveillance undermines trust in the Internet and trust in the Internet governance ecosystem. Collection and processing of personal data by state and non-state actors should be conducted in accordance with international human rights law. More dialogue is needed on this topic at the international level using forums like the Human Rights Council and IGF aiming to develop a common understanding on all related aspects.”
This is a process and it will not be settled overnight. The next concrete step will be the report by the United Nations High Commissioner for Human Rights on “the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and the collection of personal data, including on a mass scale, to the Human Rights Council at its twenty-seventh session and to the General Assembly at its sixty-ninth session (2014), with views and recommendations, to be considered by Member States” as it was decided by the UN General Assembly in 2013.
There is still a long way to go. But the first steps have been taken. Do not expect big jumps. Let´s go forward by taking more small steps, but let´s move in the right direction.
|
MIND-Multistakeholder Internet Dialog |
