State Security And Personal Liberty In The Digital Age. 1. State surveillance for legitimate national security & interests

Transcription

1 State Security And Personal Liberty In The Digital Age "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks"- Article 12, Universal Declaration of Rights. A Consultation document proposing reforms to interception and monitoring of communications and mass data retention laws in Zimbabwe 1. State surveillance for legitimate national security & interests As a sovereign Republic, Zimbabwe has the right to enact laws to safeguard its national security and interests, and in certain defined circumstances, this may generate the need for the State to surveil its citizens and others within its borders. Security threats are real, and some of them are new. Whilst it is acknowledged that States concerns about public security may be seen to justify the use of personal data and meta- data obtained through surveillance and the monitoring of telecommunication networks under certain well- defined and regulated circumstances, the collection and use of such information must be proportionate to the aim being pursued, and must not unduly or unconstitutionally impinge upon the right to privacy, as set out in article 12 of the Universal Declaration of Human Rights ( UDHR ), and article 17 of the International Covenant on Civil and Political Rights ( ICCPR ). Tipping this balance would ensure that the state protects both public security and personal security- individuals right to feel secure that they are not being unnecessarily monitored. 2. Purpose of this document This document seeks to ensure that Zimbabwe s legislation and practice adhere to Zimbabwe s Constitution as well as international standards and norms regarding the protection of privacy and free expression in the digital age. It is necessary to consider both national and international perspectives because although a specific right to privacy was introduced to the new Zimbabwean Constitution in 2013, its failure to expand upon all facets of privacy including those relating to the interception, use and storage of digital and online communications leaves the way clear for abuses in these areas. An examination of examples of international law and best practice can provide the basis for future amendments to the Constitution, as well as for legal reform within the country. This paper will first set out expectations and requirements relating to the right to privacy, as set out by international laws and the various international treaties and covenants to which Zimbabwe is party. It will then address difficulties that hinder the implementation of and adherence to these requirements. Finally, it 1

2 will recommend steps that should be taken to ensure that the rights to privacy and freedom of expression are protected as efficiently as possible. 3. The right to privacy, including in the context of digital communications, according international law and discussion According to international law, as well as its own Constitution and a number of international covenants, Zimbabwe has a duty to ensure the protection of its citizens right to privacy. Although the protection of this right as far as digital communications are concerned is not always clearly defined by or explored in legislation, it is nonetheless clear that the right to privacy must account for digital communications in some form. The right to privacy has firm roots in international human rights law. The modern benchmarks for the right to privacy at the international level are the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which has to date been ratified by 167 States around the world, including Zimbabwe in Article 17 of the ICCPR provides that No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation and that Everyone has the right to the protection of the law against such interference or attacks, whilst article 12 of the UDHR further states that No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. It is clear, therefore, that two core documents of international human rights law guarantee the right to privacy, viewing it, as a fundamental right that must be protected by law. In its General Comment 16 relating to the interpretation of article 17 of the ICCPR, the Human Rights Committee clarified that the term unlawful means that no interference can take place except in cases envisaged by the law, and that Interference authorized by States can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant. The expression arbitrary interference, in the Committee s view, can also extend to interference provided for under the law. According to the Committee, the introduction of this concept is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances. Such definitions are particularly pertinent when discussing the right to privacy in the digital age, because they ought to protect against invasions of privacy even where technological developments that are not yet covered by specific legislation are concerned. It its General Comment 16, the Committee emphasized that the right reflected in article 17 must be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons. This guidance should be read together with that provided by the Committee in its General Comment 31 on the nature of the general legal obligation imposed on State Parties. There, the Committee has specified that positive obligations on State Parties to ensure Covenant rights will only be fully discharged if individuals 2

3 are protected by the State, not just against violations of Covenant rights by its agents, but also against acts committed by private persons or entities that would impair the enjoyment of Covenant rights in so far as they are amenable to application between private persons or entities. The Committee has noted that there may be circumstances in which a failure to ensure Covenant rights would give rise to violations by State Parties of those rights, as a result of State Parties permitting or failing to take appropriate measures or to exercise due diligence to prevent, punish, investigate or redress the harm caused by such acts by private persons or entities. In this regard, the Committee has highlighted the requirement that privacy- related guarantees under article 17 be protected by law. In addition to the rights established by the UDHR and ICCPR, on 18 December 2013, the United Nations General Assembly adopted by consensus Resolution A/RES/68/167, The Right to Privacy in the Digital Age (see page 139 of document A/68/456/Add.2). Whilst resolutions do not have the same legal effects as treaties, they can nevertheless be considered a form of soft law, because they outline agreed positions on specific issues. Significantly, Resolution 68/167 calls on the UN High Commissioner for Human Rights to submit a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data, including on a mass scale. As a result, the topic will surely be discussed again at the General Assembly. The Resolution reaffirms the importance of existing human rights instruments and notes that technological developments enhance surveillance, interception and data collection capabilities that may lead to the violation or abuse of human rights, in particular the right to privacy. It reaffirms that right, recognising that it is essential to citizens ability to enjoy the right to freedom of expression, and their right to hold opinions without interference foundations of a democratic society. The importance of full respect for the freedom to seek, receive and impart information is stressed, and it is emphasised that unlawful or arbitrary surveillance as well as unlawful or arbitrary collection of personal data, as highly intrusive acts, violate the rights to privacy and to freedom of expression. The Resolution notes that while concerns about public security may justify the gathering and protection of certain sensitive information, States must ensure full compliance with their obligations under international human rights law. This sentiment was also expressed in UN Resolution A/HRC/25/L.11 on the Protection of Human Rights and Fundamental Freedoms While Countering Terrorism, which urged States, whilst countering terrorism, to safeguard the right to privacy in accordance with international law, and to take measures to ensure that interferences with the right to privacy are regulated by law, specifying the purposes in which interference is permitted, and that such interference is not arbitrary or unlawful, nor implemented in a discriminatory manner, and is subject to effective oversight and appropriate redress, including 3

4 through judicial review or other means (A/HRC/25/L.11). Resolution 68/167 expressed deep concern at the negative impact that the surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights, and affirms that the same rights that people have offline must also be protected online, including the right to privacy. Finally, it calls on States to respect the right to privacy; to take measures to put an end to violations of those rights; to review their procedures, practices and legislation regarding surveillance; and to establish or maintain independent, effective domestic oversight mechanisms. 4. Measures that have been taken at national level to ensure respect for and protection of the right to privacy, including in the context of digital communication In May 2013, the Zimbabwean government took a significant step towards affirming citizens fundamental right to privacy, by including in the newly approved Constitution a specific guarantee of the right to privacy. In doing so, the government brought the country into line with international best practice regarding constitutional rights, and indeed the constitutional guarantee represented a significant improvement on the rights set out by international covenants and declarations that had already been ratified by the country, such as the African Charter on Human and People s Rights ( ACHPR ), which does not contain a specific right to privacy. Article 57 of the Constitution now specifies that: Every person has the right to privacy, which includes the right not to have: a. their home, premises or property entered without their permission; b. their person, home, premises or property searched; c. their possessions seized; d. the privacy of their communications infringed; or e. their health condition disclosed. It is clear from this that the right to private communications is constitutionally recognised, and this must be seen as a significant, positive measure that has been taken to address the need to protect Zimbabwean citizens right to privacy. 4

5 5. Challenges To Protecting The Right To Privacy It is clear that there exists in international law a strong legal framework intended to guarantee and promote the right to privacy. However, the implementation of this framework in Zimbabwe and indeed other states has been hindered by a number of factors, which must be addressed in order to ensure that citizens right to privacy is adequately protected. The first challenge relates to the manner in which respect for the right to privacy is guaranteed by legislative, administrative or judicial authorities. Effective national legal frameworks are critical to ensuring protection against unlawful or arbitrary interference. Yet, in general, national legislation has not been adopted to match developments in communications technology and the surveillance measures these developments have facilitated. In addition, in some jurisdictions there is a lack of independent oversight to review surveillance measures as a safeguard against abuse. A second challenge is related to the fact that, even where adequate legislation and oversight mechanisms do exist, a lack of effective enforcement is bound to contribute to a lack of accountability for arbitrary or unlawful intrusions on the right to privacy. A third challenge relates to the rapid and significant advances in communications and information technology, and a blurring of lines between the public and private sphere, which has prompted some to call for greater attention to the scope of the right to privacy. The questions of what privacy or private communication mean in the digital age, and what the privacy interests inherent in communications data transmitted over the Internet or by mobile phone must be addressed formally. In recent years, UN special procedures mandate- holders have addressed some of these complex issues. For example, in his report to the 23rd session of the Human Rights Council, the UN Special Rapporteur on the right to freedom of opinion and expression, Frank La Rue, explored the relationship between State surveillance, privacy and freedom of expression. La Rue s 2013 annual report highlighted the need to revise national laws regulating surveillance practices in order to bring them into line with international human rights standards, and expressed particular concerns about a lack of judicial oversight, unregulated access to communications data, and mandatory data retention (see A/HRC/23/40). A fourth related challenge concerns the definition of legitimate parameters for national security surveillance, which, increasingly, has an impact on the right to privacy of individuals. In the pursuit of legitimate national security interests, governments are entitled to gather and protect certain sensitive information, as well as to restrict public access to certain information (such as that pertaining to the operations, sources and methods of intelligence services). In so doing, however, they must ensure full compliance with international human rights law. Serious concerns are raised over the potential for national security overreach, without adequate safeguards to protect against abuse. La Rue s 2013 report 5

6 raises this concern, stating that Inadequate national legal frameworks create a fertile ground for arbitrary and unlawful infringements of the right to privacy in communications and, consequently, also threaten the protection of the right to freedom of opinion and expression. In his report to the Human Rights Council in 2010, the former Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, highlighted the erosion of the right to privacy in the fight against terrorism, as a result of the use of surveillance powers and new technologies which are used without adequate legal safeguards. He noted that the increasing use of data mining by intelligence agencies blurs the boundary between permissible targeted surveillance and problematic mass surveillance which potentially amounts to arbitrary or unlawful interference with privacy. The current Special Rapporteur on human rights and counter- terrorism, Ben Emmerson, also has addressed these issues recently, noting that there should be a debate on the extent to which the public in both States is prepared to tolerate official access to meta data. 6. Measures that should taken to prevent violations of the right to privacy, and to ensure that relevant national legislation, procedures and practices regarding the surveillance of communications, their interception and collection of personal data comply with international human rights law Firstly, Zimbabwe s Constitution must be amended to ensure that it expands upon all facets of privacy covered by article 57 s guarantee of the right, so as not to leave areas of uncertainty about the rights associated with online communications and digital technology. As the clarification of situations under which the interception of communications is deemed acceptable is absolutely key to ensuring that unnecessary and unjustifiable violations of privacy do not occur under the banner of national security, the Constitution must also be updated to remove nonspecific definitions of the circumstances under which breaches of privacy may be considered legally and constitutionally acceptable. Article 86 of the Constitution currently states that the right to privacy may be compromised in situations in which it is deemed to be in the general public interest to do so; a definition which is so vague as to be entirely ineffective as a safeguard. Were this article to be amended so that the limitation of the right to privacy would be permissible only to the extent that the limitation is fair, reasonable, necessary, and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom, the potential for unjustified violations would be reduced. Secondly, national legal frameworks must be updated to take into account technological developments, and to provide better protection of citizens privacy. In particular, addressing the major flaws in the following two pieces of legislation ought to be seen as a priority: 6

7 The Interception of Communications Act (ICA) 2007: The ICA 2007, which allows the seizure of personal possessions such as letters, has remained in force since the new Constitution was introduced in 2013, despite the fact that it contradicts constitutional guarantees in this case both the right of citizens not to have their possessions seized, and their right not to have the privacy of their communications infringed. The ICA 2007 in its current form specifically allows for the interception of verbal and audio conversations as well as for the reading and copying of postal communications, but in failing to define the limitations of the term communications monitoring, also leaves room for the interception of currently non- established means of communication in the future. Similarly vague definitions are employed throughout the ICA 2007, which, for example, grants authorities permission to intercept whole or part of a communication suggesting that the act would allow authorities to collect private information from an entire communication even if only a small part of it were initially of interest and allows for the interception of not only postal or telecommunications, but also information sent using any other related service or system. Also of concern is the fact that the ICA 2007 does not require reasonable suspicion to be demonstrated before communications are intercepted, and thus falls below the standard grounds required by best practice in criminal codes worldwide. Statutory Instrument 142 (SI 142) of 2013 on the Postal and Telecommunications (Subscriber Registration) Regulations: SI 142 came into operation on 01 October 2013, and called for the establishment of a central database of information about all mobile telephone users in the country, ostensibly with the aim of, among other things, assisting emergency services, assisting law enforcement agencies, and safeguarding national security. The problems with SI 142 are manifold. Compulsory SIM card registration infringes on citizens constitutionally protected right to enjoy privacy, by rendering anonymous communications impossible. Mandatory registration provides the government with the means to track citizens whereabouts and by extension the people with whom they associate and creates a situation in which personal data could theoretically be shared between government departments, allowing for the creation of individual profiles based on data stored elsewhere. This would be supported by the regulations stipulation that service providers must store all personal data for five years after a customer s use of the provider s services has ceased. SI 142 allows for the release of private information to the police in the absence of a search warrant, and although the regulations state that no information is to be released if its release would violate the Constitution, the fact that the police can request information without informing the individual concerned and without oversight makes it impossible for 7

8 citizens to object to the release of information on the grounds of a lack of constitutionality in time to prevent its release. The regulations also patently discriminate against the considerable number of Zimbabwean citizens who would be unable to provide the identity particulars required for SIM card registration, such as a permanent address and a national identification number. It is clear that the regulations infringement on and limitation of the rights and freedoms set out in the Declaration of Rights contravenes section 134 of the Constitution, under which it is forbidden for subsidiary legislation to abridge Constitutional entitlements. Further to this, the SI 142 can be considered constitutionally unsound because it contravenes Section 134 (c) of the Constitution through several of its aims which are at variance with the objectives of its parent act, section 99 of the Postal Telecommunication Act; and because it sub- delegates power to the Authority to create and issue guidelines about the information it requires from service providers, thus offending basic legal principles against sub- delegation. Thirdly, the severe lack of effective domestic judicial oversight mechanisms, and the lack of effective methods by which to redress breaches of privacy, must be addressed. Particularly problematic is the lack of separation between judiciary and political roles in Zimbabwe. The fact that the Ministry for Communications, rather than the courts, is responsible for granting authorisation for the interception of communications under the ICA means that in effect a government minister - who may be disposed to favour the State over the rights of its citizens - is the decision- maker. This does not guarantee impartiality. Similarly, it is wholly inappropriate to allow information to be requested and obtained without oversight, as is permitted under the ICA Finally, it is necessary to examine the effects that technological developments have had on the right to privacy, and to create or adapt legislation to ensure that these developments are accounted for. Although the Constitution guarantees that every person has the right to privacy, its failure to expand upon all facets of privacy including those relating to the interception, use and storage of digital and online communications leaves the way clear for abuses in these areas. The ICA 2007 and SI 142 clearly demonstrate that a failure to clearly define terms or to specify the technology covered by or exempt from laws leads to situations in which gross violations of privacy would be possible. Legislation that relates to digital surveillance and the use or storage of data obtained through such surveillance must be re- examined and re- written to ensure that the vagaries that currently create uncertainty about the circumstances under which it is justifiable to breach citizens right to privacy are removed. The creation of a set of specific situations in which such a breach may be considered proportionate and acceptable would go some way to reducing the potential for abuses and to establishing legal provisions to govern the use and collection of digital information. The repeal and/or amendment of the Access to Information and Protection of Privacy Act (AIPPA) and the introduction of comprehensive data protection 8

9 legislation would also be a significant step towards ensuring that citizens rights and data are protected. Legislation based on models used by countries complying with the EU Data Protection Directive would be likely to require individuals to consent to having their personal information processed; to introduce mandatory notifications of data breaches; and to limit the processing of information relating to religious beliefs, race or ethnicity, trade union membership, sexual orientation, and political opinions. Arthur Gwagwa, Zimbabwe Human Rights NGO Forum Arthur@hrforum.co.zw 9