"Effective data protection is vital for our democracies and underpins other fundamental rights and freedoms." - Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship.
Last Friday, privacy advocates and government officials in countries across the world celebrated the 5th annual International Privacy Day — even as individual privacy is threatened by surveillance proposals and security breaches worldwide. This day commemorates the first legally binding international agreement on data protection – the Council of Europe’s Convention 108- which was opened for signature on January 28th, 1981. Last week’s celebration marked the 30th anniversary of Convention 108, which has served as a foundation for many countries’ national data protection laws. It is an opportunity to raise public awareness about privacy threats and to urge governments to protect citizen's privacy rights.
In Europe, the celebration highlighted citizens' rights with respect to collection and processing of their personal data. Several events organized by governmental and privacy advocates drew attention to the value of privacy in our societies. The European Court of Human Rights joined the celebration by compiling some of its key judgments protecting citizens’ privacy rights. The European Data Protection Supervisor, an independent authority tasked with ensuring that EU authorities and bodies comply with EU rules on data protection and privacy, celebrated the occasion by calling attention to the need for governments to set the right balance between security and the protection of fundamental rights. It emphasized that “authorities should only collect information for specific purposes," and criticized attempts to create enormous databases of personal information "just in case" of a crime, promoting instead the concept of targeted data collection. This comes even as the European Commission is revising their Mandatory Data Retention Directive, a framework that allows blanket surveillance of traffic data on private citizens’ online activities.
In the U.S., the Senate expressed support for the designation of January 28, 2011 as U.S. National Data Privacy Day for the third year in a row. It is a welcome gesture, if no somewhat ironic, given that the U.S. Congress is discussing legislation that undercuts the fundamental principles of individual privacy they purport to celebrate. (If you need a refresher, see CALEA II, USA PATRIOT Act renewal, data retention mandates and the much-discussed cybersecurity bill).
Celebrations were also held in Canada, Mexico, UK, Nepal, among others. In Nepal, Privacy Nepal urged the Nepalese government to pass the Data Protection Act to safeguard the privacy of Nepalese citizens. They further raised their concerns about the national ID card, and the dangers posed to citizens’ privacy rights.
Much of International Privacy Day rightly focuses on the advances established by critical moments in history, but it is clear that all governments around the world must move quickly and more aggressively to truly improve privacy as we move into the future. Despite the high degree of theoretical protection for privacy and private communications in international law and national Constitutions, in recent times we have seen an increase of legal exceptions, lack of enforcement of privacy laws while the threats to citizens’ privacy multiply.
For example, increasingly ubiquitous online surveillance technologies undermine the legal protections for privacy. While there has been a significant expansion in the volume of personal data that is being collected and stored by third party providers, mechanisms to ensure that law enforcement agencies are only granted access to that data in appropriate circumstances have not kept pace. Mandatory data retention regimes to force ISPs and telecom providers to log information about users’ online activities and communications are an overwhelmingly invasive and costly mandate with serious privacy and free expression implications. And hard lessons about the cost of the failure to protect privacy are already being learned, as we've seen in Iran and Tunisia. Political activists in authoritarian regimes have used social networking tools to rejuvenate and empower democratic participation, collaboration, and freedom of expression, but those same tools also give authoritarian governments new ways to identify and track political activists that they wish to silence.
For these reasons, we believe that governments around the world need to take urgent action to give real meaning to the right to privacy and to protect citizens’ personal data from these new threats.
EFF calls upon governments worldwide to:
Repeal the EU Data Retention Directive, and any mandatory data retention regime that requires ISP to preemptively record traffic data about the online activities of millions of citizens who haven't committed any crime.
Provide strong safeguards against government intrusion of individuals' information stored in third party providers, especially cloud service providers.
Provide strong safeguards against government intrusion of individuals' transactional data such as the location of your cell phone, click stream data revealing the web sites you visit, and search logs indicating what you searched when using search engines. Monitoring of this information is just as invasive as reading your email or listening to your phone calls.
These long-overdue reforms would be a first attempt to bring privacy protection back in line with the strong policies and traditions first established by International Human Rights Law. We look forward to continuing our work with privacy advocates on these issues, and hope to see governments and industries live up to the promise of better privacy and greater freedom.