Some notions and rules regarding human right to privacy had existed much before that, but this right in its current form was in theory formulated in the late 19th century, while it in the 20th century entered into international law and spread from the constitutions of a relatively limited number of countries to national regulation of almost all countries of the world. However, it has never been properly respected, not even in countries that had first endorsed it, let alone those which paid only lip service to it or even did not know about it.

Technology advancements in the 20th and the beginning of the 21st century have multiplied challenges to the human right to privacy. Modern-day data-processing capabilities of governmental and non-governmental actors alike surpass what normal citizens could themselves collect and process about their very selves, which means that those actors could know about a particular person more than the individual could know about their own self. Opportunities to limit or curb human freedom by data aggregation and processing, without the informed consent by the monitored person, and various misuse thereby, grow year and again.

Thus, let us hereby highlight the importance of protection of privacy for preserving and advancing human rights, rule of law and human freedom in general, as understood and monitored by the Freedom Barometer. Let us see through a few cases from Europe and Asia how limitless data aggregation and processing by state, para-state or commercial or other private actors could pose an enormous danger not least to individual human rights, but also to political and economic freedom in several of their aspects. Finally, the importance of monitoring data breaches, together with the quantity and quality analyses thereof, by civil society, should also be highlighted.

Data privacy is the most difficult one to protect while prone to breaches more than any other aspect of privacy

Right to privacy was defined, in 1890, by Louis Brandeis and Samuel Warren as „the right to be let alone“. They reckoned that „political, social and economic changes entail[ed] the recognition of new rights“. Thus personal rights should not include just physical security but respect for the immaterial aspects of human existence. About this they wrote: „...and now the right to life has come to mean the right to enjoy life, — the right to be let alone; the right to liberty secures the exercise of extensive civil privileges; and the term "property" has grown to comprise every form of possession — intangible, as well as tangible.”[1]

Following the above assumptions, other authors further developed the concept of privacy to include protection of personal autonomy, ethical and physical integrity, the right to choose one`s own lifestyle and way of life, various rights regarding free voluntary interaction with other people, etc. Legal mechanisms to achieve that were gradually developed.

Generally, there are several aspects of privacy:

  • Privacy of territory, which in reality means protection of physical property (estate, habitat, etc.) used by an individual as their personal space, resp. shelter;
  • Bodily integrity, as inviolability of the physical security of a person;
  • Privacy of communication, including of letters, phone calls, e-mails or similar;
  • Data privacy, which is a much broader term than mere privacy of communication and entails rules for collecting and management of personal data of various people.

Of the above, the fourth one is the most difficult to protect or even to detect the breaches thereof. It is especially so if we define it as our right to freely and responsibly manage our identity, thus deciding how much data about ourselves we want to be revealed and available to the public. Enormous advance of information technologies - with CCTV cameras almost everywhere, with RFID technology becoming necessary for our access to transport, work (or even home), leisure, shopping and many other activities, with online social networks visited daily by billions of users, with artificial intelligence used for crossing and further processing of data, etc. – has enabled also such analyses of our personal data and creation of our virtual personal profiles that were more accurate and to-the-detail than we could ever create ourselves. These allow for political, commercial, criminal or various other manipulation.

Thus, for more than a decade now, RFID cards (active or passive) are used in almost all walks of life, to provide access to space or services. In retailing, they mark various items for sale, but also are delivered to customers, sometimes in the framework of customer loyalty schemes. In transport, all across Europe, from Istanbul to Amsterdam, as well as on the other continents, they provide access to (or secure for payment of) public transportation services. In leisure, especially on mass sporting events, they enable control of the masses of visitors. Governments use them for biometric passports and IDs so as to secure for easier identification, less fraud and smoother trans-border movement of people. In prisons, it makes it easier to monitor prisoners. In the working environment, RFID provides for more security, easier access to premises and better management of working time and human resources.

However, all those applications bring with them also various challenges. In retailing, data on customers might be misused by criminals, but also by the retailers if transferred to third persons (such as their subcontractors or suppliers, and then further). This especially goes for loyalty programs[2] and their possible overlap with credit-card data, whereby the size and structure of consumption, as well as general customer`s habits could be detected and information misused. If these data are coupled with CCTV data, the amount of information illicitly gained is even larger. In prisons – although some breach into privacy of prison inmates is necessary and legitimate – it is questionable if the misdemeanor or similar basically harmless prisoners should be forced to leave, forever, to the prison authorities, their entire personal profiles, with patterns of behavior and everyday life, all suitable for further misuse by governmental or private actors. As for biometric passports and IDs, those enable the governments to monitor not just cross-border traffic but movement of people, including individuals, within their borders. On the other hand, criminal or terrorist misuse of such data could actually harm security (e.g. through creation of „smart bombs“ that would react only upon certain RFID signals, grouped or individual). In the working environment, collecting data which is irrelevant for the working tasks and professional status of the particular employee might result in a lot of misuse (either by employers, or by trade unions, or by both).[3]

The most developed countries of the EU are by and large also the most advanced in drafting, updating and thorough implementation of data-protection regulation

The most developed countries of the EU are – by and large - also most advanced in drafting, updating and sincere and thorough implementation of the regulation that protects citizens from the above-described misuse. Alas, countries outside EU and its control mechanisms suffer from the lack of rule of law more than EU-members (no matter how „new“, being „freshmen“, or even having allegedly had „sneaked“ into the EU). Even the best drafted and state-of-the-art legislation applies randomly or selectively.

There are relatively few attempts to measure the size of governmental or other intrusion into citizens` privacy around the world, let alone proper and regularly updated indices. That is among the main reasons why protection of privacy, and especially data protection, are not directly included into the Friedrich Naumann Stiftung`s Freedom Barometer index, nor to the Human Rights Index as its part.

One of the researches[4], has been conducted by a UK-based organization Privacy International since 1997. Thereby, the selected 48 countries of Europe and Asia (together with a few from Africa or North America) were assessed regarding privacy protection, using 14 different criteria:

  • Constitutional protection
  • Statutory protection
  • Privacy enforcement
  • Identity cards and biometrics
  • Data-sharing
  • Visual surveillance
  • Communication interception
  • Workplace monitoring
  • Government access to data
  • Communications data retention
  • Surveillance of medical, financial and movement
  • Border and trans-border issues
  • Leadership
  • Democratic safeguards

The countries got scores and were ranked. The last global report was published in 2007, while in the meantime the organization continued monitoring in cooperation with others and in the framework of broader privacy protection projects. According to it, China, Malaysia and Russia were the most „endemic surveillance societies“, while, at least at that time, Greece – followed by Canada and a number of EU member states - was at the top by having in place „adequate safeguards against abuse“.

Privacy International`s heat map of the world as of 2007, with countries in red being „endemic surveillance societies“, those painted in orange being seriously endangered by the unchecked surveillance and those painted in yellow having considerable safeguards against abuse of information technologies for breaches into citizens` privacy.

Interestingly enough, USA and UK fared poorly, similar as France, while most of the EU (including Germany as the biggest EU country) were in the middle between heavy surveillance and strong safeguards against misuse thereof.

Meanwhile, the situation has changed, for better or worse, in many countries thereby researched. For instance, India, which was near the bottom in 2007, introduced a detailed and state-of-the-art Personal Data Protection Bill in 2018[5]. Taken its own size and the size of its economy (including the digital one) this might have a considerable global positive impact.

China has resumed being a negative role model worldwide in the field of data privacy protection

The country which fared the worst in the above survey as of 2007 – China – has resumed being a negative role model in the field, worldwide. Meanwhile, it tremendously advanced technologically, while legislation on civil rights and human-rights protection culture did not follow it, alas, even in some fields have reversed. In the Freedom Barometer research as of 2014[6], it was noted that „Chinese socio-economic development and modernization has not correlated with a rise in human rights conditions”, as well as, in the 2012 research[7], that China “continued to be ruled under an authoritarian one-party system which greatly restricts freedom”.

Thus, with enlarged possibilities to gather information about citizens from multiple sources, through various technology (monitoring of Internet traffic, RFID, new generations of CCTV cameras, phone calls` meta-data, etc.) and its analysis via artificial intelligence, Chinese government has entered into a new phase of misusing modern technology for the sake of monitoring both the public and private life of its citizens and possibly of influencing their everyday behavior. In a word, besides authoritarianism, some elements of totalitarianism thereby emerge.

So-called Social Credit System[8], a government-sponsored program of surveillance of citizens and evaluating their “trustworthiness” through awarding them positive points for what is regarded as socially desirable behavior and negative points for the alleged “anti-social behavior” has so far, since 2009 when its introduction had begun, proven as circumvention of the rule of law principles and in numerous documented cases as a breach of human rights, political manipulation and forceful social engineering. As “positive” behavior included donating blood, participation in humanitarian activities, “negative” points were scored not just for serious breaches of laws but also for minor personal misdemeanor offence or even technically legal actions such as listening to loud music, disobeying red light at pedestrian crossings, or similar. The most controversial part of the program is evaluation of the individual`s behavior on Internet, whereby not only hate speech or other breaches of netiquette by that very person but also mere online groups` friendships with those who behaved in that way brings negative points. Consequences of collecting too many negative points on behalf of positive ones include administrative problems when getting a passport, restrictions on air or speed-rail travel, restrictions in access to some forms of education (also for children of the negatively scored person) and a number of other problems in various walks of life, when interacting with government agencies or with the para-governmental private sector.

In the east of the European continent, data protection laws are often up-to-date, yet implementation lags behind – a proper example for that might be Serbia, where increasing authoritarian tendencies in government have been matched with more breaches of data or other privacy

In the countries of the eastern or central part of Europe which had joined the EU between 2004 and 2013 or have currently been EU candidates or aspirants, nothing so dramatic could be expected or witnessed that would even resemble the above described Chinese negative role model. After all, all those countries are pluralist democracies (however unstable and non-consolidated some of them might be), while EU`s influence thereon is crucial to maintain at least the basics of the rule of law. However, those countries still face serious problems with the privacy of their citizens or companies, and with protection thereof.

Ownership of media, and illicit concentration thereof, has been a problem region-wide. Thus, many media serve the interests of various interest groups (political, commercial, criminal, etc.) instead of informing the public. Tabloid newspapers often spread fake news, conduct smearing campaigns, or disrespect other good journalism practices, encountering very little legal or professional resistance. Laws on the free access to information of public interest have been introduced everywhere in the region, but the implementation of those is still lagging far behind even the most urgent needs. Finally, information and data security culture are scarce and various manipulations with the public, including via social media, are thus quite common. In countries where authoritarian tendencies in the government have increased recently, many political goals are reached through breaches into the (supposedly protected and/or classified) data-bases and misusing the thus obtained information about political opponents.

Serbia is quite an example of a country where the described practices occurred many times during recent years, in a drastic manner. Examples included: publishing of the (per definition classified) military-reserve medical files on the health condition of an opposition presidential candidate in 2017, in a pro-government tabloid daily newspaper, and that, after another investigative journalists` team was refused to legally obtain them; constant leakage of temporarily classified court documents in various criminal cases to the tabloid press, often breaching the privacy of victims and/or presumption of innocence of defendants; too broad application of court orders to secret services to collect meta-data about individual suspects` phone connections, whereby there were years with a six-digit number of people occasionally or permanently monitored; import of Chinese technology and software, by Serbia`s police, for traffic surveillance in Belgrade, without a single consideration what the similar technology was used for in the country of origin and what could and should be done to adapt it so as to hinder abuse in a – supposedly - different political environment; etc.

Conclusion – a few recommendations

Modern information technologies, which enabled collection and processing, as well as cross-evaluating, of a huge amount of data about individual citizens, need be followed by the progress in legal and social protection mechanisms against governmental or other abuse. Civil society organizations and think tanks which monitor various aspects of human rights should go beyond “whistle-blowing” about cases of such abuse and try to quantify those, nationally and internationally, and find out patterns in which they repeated. Finally, spreading information security culture is irreplaceable for the increased citizens` immunity against cyber or classical breaches of their data or other privacy.

 

(This article, slightly modified, is an extract from the publication Freedom Barometer Europe Edition 2019.)

 

[1] See: http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm

[2] See: https://us.norton.com/internetsecurity-privacy-do-loyalty-cards-compromise-your-security.html

[3] See: http://www.europarl.europa.eu/thinktank/en/document.html?reference=IPOL-JOIN_ET(2007)383219

[4] See: http://chartsbin.com/view/by8

[5] See: https://iclg.com/practice-areas/data-protection-laws-and-regulations/india

[6] See: http://www.freedombarometer.org/country/china/69/2014/

[7] See: http://www.freedombarometer.org/country/china/69/2012/

[8] More on it at: https://nypost.com/2019/05/18/chinas-new-social-credit-system-turns-orwells-1984-into-reality/ and: https://www.marketplace.org/2018/02/13/qa-china-s-social-credit-system/ but here from another angle: https://www.washingtonpost.com/news/theworldpost/wp/2018/11/29/social-credit/