On-Line Surveillance in the case-law of the UN Human Rights Committee
Published: July 13th, 2017
The Human Rights Committee is the principal UN treaty body entrusted with monitoring the implementation of civil and political rights, including the right to privacy. In its capacity as custodian of the ICCPR – the International Covenant for Civil and Political Rights – it reviews State reports and individual communications (complaints) relating to excessive use of governmental powers, which potentially include the use of such powers in the field of on-line surveillance.
So far, the Committee has not received any individual communication alleging violation of the Covenant by reason of misuse of surveillance powers by national security authorities. This is not very surprising since the secretive nature of on-line surveillance is often such that renders it difficult for individuals to establish that they were placed under surveillance and thus qualify as ‘victims’ entitles to submit a communication to the Committee. Still, the Committee does have a mechanism for review of legislation in abstracto without establishing its specific application to any particular individual: the process of review of periodic states reports on the implementation of the Covenant. This is a process which encourages stakeholders, including national and international NGOs, to raise concerns both in relation to the actual and potential application of governmental power in the field of on-line surveillance. Indeed, review of the recent practice of the Committee in the field suggests a sharp rise in the handling of questions relating to the application of on-line surveillance powers. Whereas questions relating to such issues were raised with respect to two states between 2007-2014, since 2014 they have been addressed with respect to 15 different states (representing more than 25% of the states reviewed by the Committee during this period). This sharp rise is suggestive both of the growing resort to on-line surveillance powers by governments due to advances in available technology, and of growing awareness to their human rights implications by the Committee.
The legal framework under which the Committee discusses questions relating to the legality and propriety of surveillance measures is article 17 of the ICCPR, which provides that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence...” The key term in this formulation is arbitrary – a term which provides a normative benchmark to assess relevant on-line surveillance activity. The term ‘arbitrariness’ has been recently redefined by the Committee in its general comment 35(2014) (albeit in a different context, with relation to “arbitrary detention“), in the following manner:
The notion of “arbitrariness” is not to be equated with “against the law”, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality.
Applying this legal standard when reviewing the ‘arbitrariness’ of on-line surveillance, would appear to invite an evaluation of the predictability of the application of surveillance powers, the fairness of the procedure governing their application, the potential for excessive use of such powers and the availability of safeguards against abuse. Indeed, the 17 periodic reviews in which questions relating to on-line surveillance were considered, have raised concerns, broadly corresponding to the following evaluative criteria:
- Lack of Predictability - No legal basis for the application of surveillance power,[1] or lack of specificity and transparency of the governing legal framework;[2]
- Procedural fairness – The inconsistent application of privacy standards;[3]
- Excessive Use – Laws affording sweeping data or metadata collection powers,[4] and indications of de-facto abuse of surveillance powers;[5]
- Lack of adequate safeguards – Shortcomings in the existing institutional and normative right protecting mechanisms.[6]
It should be noted that the Committee does not only identify problems (referred to in its jargon as ‘concerns’); it also recommends changes in existing laws and policies. Sometime such recommendations are very general. For example, it made the following recommendation for South Africa in 2016:
The State party should take all measures necessary to ensure that its surveillance activities conform to its obligations under the Covenant, including article 17, and that any interference with the right to privacy complies with the principles of legality, necessity and proportionality
However, some of the Committee’s recommendations are more specific, aimed at ensuring the equal application of protections to national and foreigners,[7] enhancing the specificity and transparency of surveillance laws,[8] narrowing surveillance powers, so as to ensure close tailoring of powers to needs,[9] and the development of effective safeguards, which include, when appropriate, judicial involvement, remedies for individuals subject to unlawful surveillance operations, and independent monitoring over the application of all on-line surveillance powers.[10] One specific element that had been raised in the context of the some review processes had been the need to limit mandatory retention by third parties.[11]
The upshot of this survey is that the HRC is currently in the process of establishing specific legal standards that would enable review of the arbitrariness of on-line surveillance. Much emphasis has been put in its work, so far, on evaluative criteria, such as the level of precision of legal definitions of on-surveillance powers, breadth of triggers for the application of such powers, institutional safeguards, including the need for judicial authorization and individual remedies, data retention periods and equal protection of all individuals who were subject to on-line surveillance. Future developments may include the emergence of a duty for ex post facto notification of persons who were under surveillance, closer attention by the Committee to specific safeguards in the authorization procedures, regulation of technology development and transfers, and intelligence sharing.[12]
The author is a member of the UN Human Rights Committee, but the views expressed here do not necessarily represent the views of the Committee. No emphases were used in the original texts cited below.
[1] HRC Concluding Observations: Namibia (2016)(“The Committee notes with concern that interception centres seem operational despite the fact that their legal basis, part 6 of the Communications Act (Act No. 8 of 2009), is not yet in force”); HRC Concluding Observations: Republic of Korea (2015)(“It is also concerned about the use and insufficient regulation in practice of base station investigations of mobile telephone signals picked up near the site of demonstrations in order to identify participants, and about the extensive use and insufficient regulation in practice of wiretapping, in particular by the National Intelligence Service”); HRC Concluding Observations: Italy (2017)(“The Committee is concerned about reports that intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse”); HRC Concluding Observations: Turkmenistan (2017)(“The Committee is concerned about the lack of a clear legal framework regulating surveillance activities, including by the intelligence services”).
[2] HRC Concluding Observations: USA (2014)(“The Committee is concerned that, until recently, judicial interpretations of FISA and rulings of the Foreign Intelligence Surveillance Court (FISC) had largely been kept secret, thus not allowing affected persons to know the law with sufficient precision”); HRC Concluding Observations: France (2015)(“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: Namibia (2016)(“While noting the indication by the delegation that all interceptions must be authorized by a magistrate, and that no private information is kept, the Committee is concerned about the lack of clarity regarding the reach of legal interception possibilities, as well as about the safeguards to ensure respect of the right to privacy in line with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“The Committee is also concerned about the absence of a clear definition of the terms “national security” and “private communication” in the Telecommunications (Interception Capability and Security) Act 2013”); HRC Concluding Observations: Sweden (2016)(“While acknowledging the number of safeguards in place to prevent abuse in the application of the Signals Intelligence Act (2008:717), the Committee remains concerned about the limited degree of transparency with regard to the scope of such surveillance powers and the safeguards on their application”); HRC Concluding Observations: Morocco (2016)(“The Committee is also concerned by the lack of clarity with regard to the legal provisions which authorize and govern surveillance activities”).
[3] HRC Concluding Observations: UK (2015)(“The Committee is concerned: (a) that the Regulation of Investigatory Powers Act 2000 (RIPA), that makes a distinction between “internal” and “external” communications, provides for untargeted warrants for the interception of external private communication and communication data which are sent or received outside the United Kingdom without affording the same safeguards as in the case of interception of internal communications”); HRC Concluding Observations: New Zealand (2016)(“The Committee is further concerned about the limited judicial authorization process for the interception of communications of New Zealanders and the total absence of such authorization for the interception of communications of non-New Zealanders”).
[4] HRC Concluding Observations: Sweden (2009)(“While understanding that security requirements may be aimed at preventing violence and terrorism, the Committee takes note that the Law on Signals Intelligence in Defence Operations (2008:717), will apparently provide the executive with wide powers of surveillance in respect of electronic communications”); HRC Concluding Observations: USA (2014)(The Committee is concerned about the surveillance of communications in the interest of protecting national security, conducted by the National Security Agency (NSA) both within and outside the United States, through the bulk phone metadata surveillance programme (Section 215 of the USA PATRIOT Act) and, in particular, surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendment Act, conducted through PRISM (collection of communications content from United States-based Internet companies) and UPSTREAM (collection of communications metadata and content by tapping fiber-optic cables carrying Internet traffic) and the adverse impact on individuals’ right to privacy”); HRC Concluding Observations: UK (2015)(“The Committee is concerned that the State party’s current legal regime governing the interception of communications and communication data allows for mass interception of communications… The Committee is further concerned that the 2014 Data Retention Investigatory Powers Act provides for wide powers of retention of communication data and access to such data does not appear to be limited to the most serious crimes”); HRC Concluding Observations: Canada (2015)(“ However, the Committee is concerned about information according to which (a) Bill C-51’s amendments to the Canadian Security Intelligence Act confer a broad mandate and powers on the Canadian Security Intelligence Service to act domestically and abroad, thus potentially resulting in mass surveillance and targeting activities that are protected under the Covenant without sufficient and clear legal safeguards; (b) Bill C-51 creates, under the Security of Canada Information Sharing Act, an increased sharing of information among federal government agencies on the basis of a very broad definition of activities that undermine the security of Canada, which does not fully prevent that inaccurate or irrelevant information is shared”); HRC Concluding Observations: France (2015) (“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: South Africa (2016) (“The Committee is concerned about the relatively low threshold for conducting surveillance in the State party and the relatively weak safeguards, oversight and remedies against unlawful interference with the right to privacy contained in the 2002 Regulation of Interception of Communications and Provision of Communication-Related Information Act. It is also concerned about the wide scope of the data retention regime under the Act”); HRC Concluding Observations: Denmark (2016) (“In particular, the Committee is concerned about: […] (b) section 780 of the Administration of Justice Act, which allows interception of communication by the police domestically and which may result in mass surveillance, despite the legal guarantees provided in sections 781 and 783 of the same Act”); HRC Concluding Observations: Colombia (2016) (“It is also concerned by the fact that the new Police Code that is to enter into force in 2017 defines the concept of “public areas” in a very broad sense that includes the electromagnetic spectrum, and by the fact that all the information and data gathered in public areas are considered to be in the public domain and to be freely accessible”); HRC Concluding Observations: Poland (2016) (“The Committee is concerned about the surveillance and interception powers of the Polish intelligence and law enforcement authorities, as reflected in the law on counter-terrorism of June 2016 and the act amending the Police Act and certain other acts of January 2016. The Committee is particularly concerned about: (a) the unlimited and indiscriminate surveillance of communications and collection of metadata”); HRC Concluding Observations: Italy (2016) (“It is also concerned that the anti-terrorism decree and Law No. 21/2016 compel telecommunications service providers to retain data beyond the period allowed by article 132 of the personal data protection code, and that the authorities can access such data without authorization from a judicial authority”).
- [5] HRC Concluding Observations: UK (2015) (“It notes, inter alia, reports that Amnesty International’s email communication had been intercepted by the government under a general warrant”); [5] HRC Concluding Observations: Republic of Korea (2015)(“It is also concerned about the use and insufficient regulation in practice of base station investigations of mobile telephone signals picked up near the site of demonstrations in order to identify participants, and about the extensive use and insufficient regulation in practice of wiretapping, in particular by the National Intelligence Service”); HRC Concluding Observations: South Africa (2016)(“The Committee is further concerned at reports of unlawful surveillance practices, including mass interception of communications carried out by the National Communications Centre”); HRC Concluding Observations: Morocco (2016) (“The Committee is concerned by reports of illegal infringements of the right to privacy in the course of surveillance operations conducted by law enforcement and intelligence agencies targeting journalists, human rights defenders and perceived opponents of the Government, particularly those located in Western Sahara”).
[6] HRC Concluding Observations: USA (2014)(“The Committee is concerned that the current oversight system of the activities of the NSA fails to effectively protect the rights of the persons affected; Finally, the Committee is concerned that the persons affected have no access to effective remedies in case of abuse”); HRC Concluding Observations: UK (2015)(“The Committee is concerned that the State party’s current legal regime governing the interception of communications and communication data… lacks sufficient safeguards against arbitrary interference with the right to privacy… The Committee is concerned: … (b) about the lack of sufficient safeguards for obtaining private communications from foreign security agencies and for sharing personal communications data with such agencies”); HRC Concluding Observations: Canada (2015)(“However, the Committee is concerned about information according to which (a) Bill C-51’s amendments to the Canadian Security Intelligence Act confer a broad mandate and powers on the Canadian Security Intelligence Service to act domestically and abroad, thus potentially resulting in mass surveillance and targeting activities that are protected under the Covenant without sufficient and clear legal safeguards; The Committee is also concerned about the lack of adequate and effective oversight mechanisms to review activities of security and intelligence agencies, and the lack of resources and power of existing mechanisms to monitor such activities”); HRC Concluding Observations: France (2015)(“The Committee is particularly concerned about the fact that the law on intelligence adopted on 24 June 2015 (submitted to the Constitutional Court) gives the intelligence agencies excessively broad, highly intrusive surveillance powers on the basis of broad and insufficiently defined objectives, without the prior authorization of a judge and without an adequate and independent oversight mechanism”); HRC Concluding Observations: Republic of Korea (2015)(“The Committee notes with concern that, under article 83 (3) of the Telecommunications Business Act, subscriber information may be requested without a warrant by any telecommunications operator for investigatory purposes”); HRC Concluding Observations: Namibia (2016)(“While noting the indication by the delegation that all interceptions must be authorized by a magistrate, and that no private information is kept, the Committee is concerned about the lack of clarity regarding the reach of legal interception possibilities, as well as about the safeguards to ensure respect of the right to privacy in line with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“The Committee is further concerned about the limited judicial authorization process for the interception of communications of New Zealanders and the total absence of such authorization for the interception of communications of non-New Zealanders”); HRC Concluding Observations: Rwanda (2016)(“The Committee is concerned that Law No. 60/2013 permits the interception of communications without prior authorization of a judge”); HRC Concluding Observations: Sweden (2016)(“While acknowledging the number of safeguards in place to prevent abuse in the application of the Signals Intelligence Act (2008:717), the Committee remains concerned about the limited degree of transparency with regard to the scope of such surveillance powers and the safeguards on their application”); HRC Concluding Observations: South Africa (2016)(“The Committee is concerned about the relatively low threshold for conducting surveillance in the State party and the relatively weak safeguards, oversight and remedies against unlawful interference with the right to privacy contained in the 2002 Regulation of Interception of Communications and Provision of Communication-Related Information Act… The Committee is further concerned at… delays in fully operationalizing the Protection of Personal Information Act, 2013, due in particular to delays in the establishment of an information regulator”); HRC Concluding Observations: Colombia (2016)(“The Committee is also concerned that the “electromagnetic spectrum monitoring” provided for in article 17 of Act No. 1621 of 2013 could result in instances in which private communications conveyed via the electromagnetic spectrum are intercepted without the benefit of a rigorous assessment of the legality, necessity and proportionality of such interceptions”); HRC Concluding Observations: Morocco (2016) (“The Committee is also concerned by the lack of clarity with regard to the legal provisions which authorize and govern surveillance activities and the lack of oversight of those activities by an independent authority”); HRC Concluding Observations: Italy (2017)(“The Committee is concerned about reports that intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse. It is also concerned that the anti-terrorism decree and Law No. 21/2016 compel telecommunications service providers to retain data beyond the period allowed by article 132 of the personal data protection code, and that the authorities can access such data without authorization from a judicial authority”).
[7] HRC Concluding Observations: USA (2014)(“measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance”); HRC Concluding Observations: UK (2015)(“In particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance”); HRC Concluding Observations: New Zealand (2016)(“Sufficient judicial safeguards are implemented, regardless of the nationality or location of affected persons, in terms of interception of communications and metadata collection, processing and sharing”).
[8] HRC Concluding Observations: USA (2014)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that : ( i ) are publicly accessible;… (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted , the procedures for authorization , the categories of persons who may be placed under surveillance , the limit on the duration of surveillance; procedures for the use and storage of data collected”); HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that: (i) are publicly accessible… (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted, the procedures for authorization, the categories of persons who may be placed under surveillance, the limit on the duration of surveillance; procedures for the use and storage of data collected”); HRC Concluding Observations: France (2015)(“The State party should ensure that the collection and use of data on communications take place on the basis of specific and legitimate objectives and that the exact circumstances in which such interference may be authorized and the categories of persons likely to be placed under surveillance are set out in detail”); HRC Concluding Observations: South Africa (2016)(“It should also ensure that interception of communications by law enforcement and security services is carried out only according to the law and under judicial supervision”); HRC Concluding Observations: Sweden (2016)(“The State party should increase the transparency of the powers of and safeguards on the National Defence Radio Establishment, the Foreign Intelligence Court and the Data Inspection Board, by considering to make their policy guidelines and decisions public, in full or in part, subject to national security considerations and the privacy interests of individuals concerned by those decisions”); HRC Concluding Observations: Turkmenistan (2017)(“The State party should ensure that: (a) all types of surveillance activities and interference with privacy, including online surveillance for the purposes of State security, are governed by appropriate legislation that is in full conformity with the Covenant, in particular article 17, including with the principles of legality, proportionality and necessity, and that State practice conforms thereto”).
[9] HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (ii) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; Revise the 2014 Data Retention Investigatory Powers Act with a view to ensuring that access to communication data is limited to the extent strictly necessary for the prosecution of the most serious crimes and dependent upon prior judicial authorization”); HRC Concluding Observations: France (2015)(“The State party should ensure that the collection and use of data on communications take place on the basis of specific and legitimate objectives and that the exact circumstances in which such interference may be authorized and the categories of persons likely to be placed under surveillance are set out in detail”); . HRC Concluding Observations: Rwanda (2016)(“ It should also ensure that communications are intercepted and data are used to achieve specific and legitimate objectives and that the categories of circumstances in which such interference may be authorized and the categories of persons whose communications are likely to be intercepted are set out in detail”); HRC Concluding Observations: Namibia (2016)(“The State party should ensure that the interception of telecommunications may only be justified under limited circumstances authorized by law with the necessary procedural and judicial safeguards against abuse, and supervised by the courts when in full conformity with the Covenant”).
[10] HRC Concluding Observations: Sweden (2009) (“The State party should take all appropriate measures to ensure that the gathering, storage and use of personal data not be subject to any abuses, not be used for purposes contrary to the Covenant, and be consistent with obligations under article 17 of the Covenant. To that effect, the State party should guarantee that the processing and gathering of information be subject to review and supervision by an independent body with the necessary guarantees of impartiality and effectiveness”); HRC Concluding Observations: USA (2014)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (iv) provide for effective safeguards against abuse; (c) Reform the current oversight system of surveillance activities to ensure its effectiveness, including by providing for judicial involvement in the authorization or monitoring of surveillance measures, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses;… (e) Ensure that affected persons have access to effective remedies in cases of abuse”); HRC Concluding Observations: UK (2015)(“Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that:… (iv) provide for effective safeguards against abuse; Ensure that robust oversight systems over surveillance, interception and intelligence-sharing of personal communications activities are in place, including by providing for judicial involvement in the authorization of such measures in all cases, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses; Ensure that affected persons have access to effective remedies in cases of abuse”); HRC Concluding Observations: France (2015)(“It should also ensure the effectiveness and independence of a monitoring system for surveillance activities, in particular by making provision for the judiciary to take part in the authorization and monitoring of surveillance measures”); HRC Concluding Observations: Canada (2015)(“establish oversight mechanisms over security and intelligence agencies that are effective and adequate, and provide them with appropriate powers as well as sufficient resources to carry out their mandate; provide for judicial involvement in the authorization of surveillance measures”); HRC Concluding Observations: Republic of Korea (2015)(“It should, inter alia, ensure that subscriber information may be issued with a warrant only, introduce a mechanism to monitor the communication investigations of the National Intelligence Service, and increase the safeguards to prevent the arbitrary operation of base station investigations”); HRC Concluding Observations: Sweden (2016)(“It should ensure:… (b) that effective and independent oversight mechanisms over intelligence-sharing of personal data are put in place; and (c) that affected persons have proper access to effective remedies in cases of abuse”); HRC Concluding Observations: Rwanda (2016)(“It should also ensure the effectiveness and independence of a monitoring system for such interception , in particular by providing for the judiciary to take part in the authorization and monitoring of the interception”); HRC Concluding Observations: Namibia (2016)(“The State party should ensure that the interception of telecommunications may only be justified under limited circumstances authorized by law with the necessary procedural and judicial safeguards against abuse, and supervised by the courts when in full conformity with the Covenant”); HRC Concluding Observations: New Zealand (2016)(“Sufficient judicial safeguards are implemented, regardless of the nationality or location of affected persons, in terms of interception of communications and metadata collection, processing and sharing”); HRC Concluding Observations: South Africa (2016)(“The State party should refrain from engaging in mass surveillance of private communications without prior judicial authorization… It should also ensure that interception of communications by law enforcement and security services is carried out only according to the law and under judicial supervision”); HRC Concluding Observations: Morocco (2016)(“The State party should also establish independent oversight mechanisms in order to prevent abuses”); HRC Concluding Observations: Italy (2017)(“The State party should review the regime regulating the interception of personal communications, the hacking of digital devices and the retention of communications data with a view to ensuring: … (b) that robust, independent oversight systems are in place regarding surveillance, interception and hacking, including by ensuring that the judiciary is involved in the authorization of such measures, in all cases, and by affording persons affected with effective remedies in cases of abuse, including, where possible, an ex post notification that they were placed under surveillance or that their data was hacked”); HRC Concluding Observations: Turkmenistan (2017)(“The State party should ensure that: … (b) surveillance is subject to judicial authorization as well as effective and independent oversight mechanisms; and (c) affected persons have proper access to effective remedies in cases of abuse”).
[11] HRC Concluding Observations: USA (2014) (“Refrain from imposing mandatory retention of data by third parties”); HRC Concluding Observations: South Africa (2016) (“The State party should… consider revoking or limiting the requirement for mandatory retention of data by third parties”).
[12] HRC Concluding Observations: Sweden (2016) (“It should ensure: (a) that all laws and policies regulating the intelligence-sharing of personal data are in full conformity with its obligations under the Covenant; that effective and independent oversight mechanisms over intelligence-sharing of personal data are put in place”).