On July 31, 2013, in the wake of revelations of sweeping government surveillance, Access, Electronic Frontier Foundation, Privacy International, and a number of other civil society groups announced the Principles to help assess how state surveillance practices and policies comport with human rights norms and obligations.
The updates have been announced following the release of “The Right to Privacy in the Digital Age” by the United Nations Office of the High Commissioner for Human Rights (OHCHR). The report, which repeatedly cites the Principles, emphasizes the problems inherent in mass surveillance, and the vital importance of protecting privacy in the digital world. The Principles have also been cited by President Obama’s Review Group on Intelligence and Communications Technologies in expressing doubt that metadata deserves less protection than other forms of content. Some of the most prominent technology companies in the world, including Microsoft, Google, and Yahoo, have publicly supported a separate framework that largely echoes the Principles, and both Sweden and the United States have used the Principles as a basis for human rights frameworks adopted internally.
The updates announced this week do not change the core meaning of any of the thirteen Principles (summarized below) or the Preamble. Instead, the updates reflect the need, demonstrated in feedback received over the past year, to simplify the structure and clarify language, including refinement of grammar and word use. The updates were coordinated by Access along with EFF, Privacy International, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, the Center for Internet and Society-India, and in coordination with Article 19, Open Net Korea, the Association for Progressive Communications, and others.
Drawing on international law and jurisprudence, and endorsed by more than 400 civil society organizations worldwide, the Principles serve to inform the public debate on the appropriate limits of government surveillance. They speak to a growing global consensus that government communications surveillance has gone too far and needs to be restrained.
Organizations wishing to sign on to the Principles and join this growing chorus of voices calling for the application of human rights to communications surveillance should visit https://www.necessaryandproportionate.org.
More on updates
The updates clarify that the Principles are meant to apply not only to laws and regulations, but also to activities, powers, or authorities, calling for them to protect both the right to privacy and other human rights. Language was also updated to clarify that the document is holistic and self-referential: to realize the full scope of the Principles’ protection, they should be adopted in their entirety, and not in a piecemeal manner.
Most notably, the “Proportionality” principle was updated in order to simplify its scope, and the two tests that had been reflected in the first version were condensed into a single test for surveillance conducted for any purpose. The Competent Judicial Authority Principle was also updated to reflect the need for the judiciary’s independence. This is important in light of another update, to the User Notification Principle, which resolves that such notice should come from the Competent Judicial Authority and clarifies in what narrow situations a delay in notice may be appropriate.
The full scope of the updates is provided below.
Principles in context
The Principles advance the important concept of “protected information,” that protections for user data should not be based on formalistic or artificial categories like “content” versus “non-content,” stored data or data in transit, data held in the home or in the possession of a third party service provider, but rather that “all information that includes, reflects, arises from or is about a person’s communications and that is not readily available and easily accessible to the general public, should be considered to be ‘protected information,’ and should accordingly be given the highest protection in law.”
The announcement of the Principles in 2013 came on the heels of a landmark report by UN Special Rapporteur for Freedom of Expression, highlighting the growing issue of rights-abusing government surveillance programs and arguing that without a proper legal framework, privacy rights are arbitrarily violated. The Principles can be found in full at necessaryandproportionate.org.
Summary of the 13 Principles
1. Legality: Any limitation on the right to privacy must be prescribed by law.
2. Legitimate Aim: Laws should only permit communications surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.
3. Necessity: Laws permitting communications surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a Legitimate Aim.
4. Adequacy: Any instance of communications surveillance authorised by law must be appropriate to fulfill the specific Legitimate Aim identified.
5. Proportionality: Decisions about communications surveillance must consider the sensitivity of the information accessed and the severity of the infringement on human rights and other competing interests.
6. Competent judicial authority: Determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
7. Due process: States must respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.
8. User notification: Individuals should be notified of a decision authorising Communications Surveillance with enough time and information to enable them to challenge the decision or seek other remedies and should have access to the materials presented in support of the application for authorisation.
9. Transparency: States should be transparent about the use and scope of Communications Surveillance laws, regulations, activities, powers, or authorities.
10. Public oversight: States should establish independent oversight mechanisms to ensure transparency and accountability of Communications Surveillance.
11. Integrity of communications and systems: States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain particular information purely for State Communications Surveillance purposes.
12. Safeguards for international cooperation: Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to Communications Surveillance, the available standard with the higher level of protection for individuals should apply.
13. Safeguards against illegitimate access: States should enact legislation criminalising illegal Communications Surveillance by public and private actors.
Updates to the Principles in full
The updates announced this week primarily include:
1. Addition of “activities, powers, or authorities” to “laws and regulations” to be sure to capture all acts done by governments. This should leave no doubt that the Principles reach activities such as NSA surveillance conducted under Executive Order 12333.
2. Addition of the phrase “clarify” to describe the intent to reinforce that these Principles are not advocating for a change in international human rights law and standards. We argue instead for their proper application given the digital context. The word “clarify” is a common construction to denote that no new law is being contemplated. We also added the formulation “human rights law and standards” to account for proper grammar and syntax.
3. Addition of “and a number of other human rights” in the Preamble and throughout the document to be clear that this is not only about the right to privacy but also about fundamental freedoms such as the freedoms of association and expression. This phrase also signals that the Principles are not about all human rights; for example, the right to life doesn’t relate to the Principles.
4. Addition of a “Scope of Application” section for clarity and in order to explain, “The Principles and the Preamble are holistic and self-referential – each principle and the preamble should be read and interpreted as one part of a larger framework that, taken together, accomplish a singular goal: ensuring that policies and practices related to Communications Surveillance adhere to international human rights obligations and adequately protect individual human rights such as privacy and freedom of expression.” We felt it was important to point out that national security and intelligence fall within the ambit of the Principles, as well as all other governmental functions: “…including, enforcing law, protecting national security, gathering intelligence, or another governmental function.” We also sought to clarify the role of private sector entities: “Business enterprises bear responsibility for respecting individual privacy and other human rights, particularly given the key role they play in designing, developing, and disseminating technologies; enabling and providing communications; and in facilitating certain State surveillance activities.”
5. Movement of the definition of “Protected Information” from the bottom of the paragraph to the top.
6. Addition of language to clarify that surveillance “interferes” with the right to privacy “among a number of other human rights.” As a result, it “may only” be justified when it is prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
7. Addition of “or invasive techniques used to accomplish Communications Surveillance” to the fifth paragraph to clarify that techniques, like installation of malware, can be the basis for determining that something is protected information as much as the pervasiveness or systemic nature of the monitoring.
8. Addition of a short history on the development of the Principles at the end of the text to explain the history of the initiative and the final consultation, which was conducted to ascertain and clarify textual problems and update the Principles accordingly. The effect and the intention of the Principles have not been altered by these changes.
Principle-Specific Changes
9. Proportionality – Condensation of the two tests into one test to embody both crimes and “specific threats to a Legitimate Aim” as a basis for surveillance. This also helpfully ties the test back to the Principle of Legitimate Aim.
10. Competent Judicial Authority – Clarification that it has to be an “independent” judicial authority.
11. User Notification – Clarification and simplification of the language to tie any delay in notice to whether the purpose for the surveillance would be jeopardized or there is an imminent danger to human life. Elimination of the provision that required notice at the end of the surveillance, in exchange for a specification that these determinations must be made by the Competent Judicial Authority and that notice must happen after the risk has passed, with that decision also made by a judicial authority.
12. Transparency – Clarification to require “specific” numbers, not just aggregates. Aggregates are not sufficiently helpful to allow the public to understand how surveillance authorities are being used.
13. Public Oversight – Specification that oversight mechanisms should have the authority to make public determinations as to the lawfulness of Communications Surveillance, including the extent to which it complies with these Principles. Without being able to determine whether the overseen surveillance practices are actually lawful, oversight may become irrelevant or be seen as a rubber stamp.
14. Safeguards Against Illegitimate Access and Right to Effective Remedy – Addition of the “Right to Effective Remedy” in the remedies section, to trigger the right in the title itself.