Deep Dive: Updates to the Necessary and Proportionate Principles
July 10 marks one year since EFF and a coalition of hundreds of experts and human rights activists put the finishing touches on the Necessary and Proportionate Principles.
These 13 Principles articulate how international human rights law should be applied to government surveillance. The Principles have since received strong support across the globe, fueled in part by the popular outrage over spying by the NSA, GCHQ and other intelligence agencies highlighted in documents leaked by whistleblower Edward Snowden. National and local activists from Mexico to South Korea to Canada to Brazil have used the Principles to push for stronger protections against governmental digital surveillance. We’ve seen them used in litigation, legislation, administrative work, advocacy campaigns and more, and debated in both regional and international policy venues.
Today, we are publishing an updated version of the Necessary and Proportionate Principles, incorporating the terrific feedback we have received over the past year. The overriding intention of the changes was to clarify the language to better capture the original intent and, in some places, simplify the language and the structure, remove possible ambiguities, clean up grammar, and reduce redundancy. We have also made one substantive change to the "Notification" section.
The core drafting group for the project consisted of the Electronic Frontier Foundation, Privacy International, Access, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, and the Center for Internet and Society-India, in consultation with Article 19, Open Net Korea, the Association for Progressive Communications and other organizations around the world.
Below we summarize the changes that merit attention:
First paragraph and throughout: We added “activities, powers, or authorities” to “laws and regulations” to be sure to capture all acts done by governments. This should leave no doubt that the Principles reach activities such as NSA surveillance conducted under Executive Order 12333.
First paragraph: We added the phrase “clarify” to describe the Principles' intent to reinforce that these principles are not advocating for a change in international human rights law and standards. We argue instead for their proper application given the digital context. The word “clarify” is a common construction to denote that no new law is being contemplated. We also added the formulation “human rights law and standards” to account for proper grammar and syntax.
Preamble and throughout: We added “and a number of other human rights” here and similarly elsewhere to be clear that this is not only about the right to privacy but also about fundamental freedoms such as the freedoms of association and expression. This phrase also signals that the Principles are not about all human rights, since, for example, the right to life doesn’t relate to the Principles.
Scope of application: We added this subsection for clarity and added this sentence to explain: "The Principles and the Preamble are holistic and self-referential – each principle and the preamble should be read and interpreted as one part of a larger framework that, taken together, accomplish a singular goal: ensuring that policies and practices related to Communications Surveillance adhere to international human rights obligations and adequately protect individual human rights such as privacy and freedom of expression."
Scope of application: We felt it was important to point out that national security and intelligence fall within the ambit of the Principles, as well as all other governmental functions: "...including, enforcing law, protecting national security, gathering intelligence, or another governmental function."
Scope of application: We sought to clarify the role of private sector entities. “Business enterprises bear responsibility for respecting individual privacy and other human rights, particularly given the key role they play in designing, developing, and disseminating technologies; enabling and providing communications; and in facilitating certain State surveillance activities.”
Protected information definition: We moved the definition from the bottom of the paragraph to the top but did not change the content.
First paragraph of preamble: For clarity we added that communications surveillance “interferes” with the right to privacy “among a number of other human rights.” As a result, it “may only” be justified when it is prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
Fifth paragraph of definitions: We added "or invasive techniques used to accomplish Communications Surveillance" to clarify that techniques, like installation of malware, can be the basis for determining that something is protected information as much as the pervasiveness or systemic nature of the monitoring.
Proportionality: We understand that this might be perceived as a big change, but hopefully not very substantive in the end. Because of confusion about the role of the two tests that the original principles contained, we tried to make one test embody both of the tests provided before, allowing for both crimes and "specific threats to a Legitimate Aim" as a basis for surveillance. This also helpfully ties the test back to the Principle of Legitimate Aim.
Competent Judicial Authority: We clarified that it has to be an "independent" judicial authority.
User Notification: This is the other big change in response to feedback. Again, we attempted to clarify and simplify this and to tie any delay in notice to whether or not the purpose for the surveillance would be jeopardized or if there is an imminent danger to human life. We did eliminate the provision that required notice at the end of the surveillance, but we also specified that these determinations must be made by a Competent Judicial Authority, that notice must happen after the risk has passed, and that the decision has to be made by a judicial authority as well.
Transparency: We added a couple of clarifications to require "specific" numbers, not just aggregates. Aggregates are not sufficiently helpful to allow the public to understand how surveillance authorities are being used.
Public Oversight: We specify that oversight mechanisms should have the authority to make public determinations as to the lawfulness of its communication surveillance, including the extent to which they comply with these Principles. Without being able to determine whether the overseen surveillance practices are actually lawful, oversight may become irrelevant or be seen as a rubber stamp.
Safeguards Against Illegitimate Access and Right to Effective Remedy: We added the “Right to Effective Remedy” in the remedies section, to trigger the right in the title itself.
Brief history: Finally, we added a short history of the development of the 13 Principles at the end of the text to explain the history of the initiative and the final consultation, which was conducted to ascertain and clarify textual problems and update the Principles accordingly. The effect and the intention of the Principles have not been altered by these changes.