This document touches upon the relationship between the internet privacy and freedom of expression, and discusses various privacy issues arising from the use of the new technologies. It also provides information about the regulatory environment of Internet Privacy by comparing it with the freedom of expression. The Survey also discusses the national protection for privacy in China, Argentina, Mexico, USA, India, Egypt, France, Nigeria, and South Africa and outlines several useful resources that may be used to obtain more information about this topic (including for countries, such as: Africa, Europe and North America, Latin America, Asia). It also provides self-regulatory guidelines, normative challenges, policy recommendations and case studies. Among other key issues, it discusses the roles and the responsibilities of the service providers and intermediaries (e.g. Section 2.1.3 of the Survey).
The Survey acknowledges that internet-based communications rely more on the intermediaries for processing data, which leads to various concerns about the protection of privacy rights. It predominantly refers to the social networking sites, cloud computing capacities and search engines. It provides various examples for abuse of privacy by the intermediaries. For example: a) Internet Service Providers (ISPs) are coerced into “voluntary policing” the actions of their users; b) large transnational intermediaries negotiate with nation-states on seemingly equal terms due to their size and flexibility about their physical location, which leads to “pick and choose jurisdictions.”
The Survey also acknowledges the privacy risks from the increased use of intermediaries and their control of personal data (Page 20). For example: a) cloud computing - poses a high risk to privacy due to unclear or vague terms of service of the cloud computing service. Further, data stored on clouds is accessible by multiple parties (including governments); b) Search engines – privacy issues surrounding search engines include cross reference of information between different service providers to build more exhaustive user profiles; c) Social networks – are most problematic because they tend to lock-in their users and often become irreplaceable. Social networking sites often unilaterally change their privacy policies, claiming that they informed their users and obtained consent. However, it is arguable that this stand is based on an incorrect assumption of the user’s ability to understand and adequately consent to such policies. There are several other issues discussed by the survey including the potential mining of publicly available personal data on social networking sites etc. (Page 33).
The Survey outlines:
- The global standards for protection of privacy and personal data (e.g. Art.12 of the UDHR, Article 17 of the ICCPR, Article 8 of the ECHR),
- Several cases (e.g. Cases of Von Hannover v. Germany, cases before the ECtHR: Leander, Gaskin, Guerra, McGinley and Egan etc.)
- Regional standards on data protection, such as: the Organization for Economic Co-operation and Development (OECD), Asia-Pacific Economic Cooperation (APEC), Economic Community for West African States (ECOWAS), Organization of American States (OAS), Council of Europe, EU Directive 95/46/EC.
Further, the Survey discusses the tensions between freedom of expression and privacy, the causes for such tensions (e.g. differences between privacy & data protection, different approach in Europe and USA).
The Survey provides various recommendations:
- Constitutional Protection - Strong constitutional protection for both privacy and freedom of expression. The Constitution must place clear limits on the scope of any restrictions to privacy.
- Civil Law Protection – a private remedy is envisaged against invasion of privacy that must cover information regarding which the user has reasonable expectation of privacy.
- Criminal Law Protection – sector-based criminal rules on privacy should be implemented to protect highly sensitive information (e.g. banking, telecommunication), as the right to freedom of expression shall be taken into consideration.
- Data Protection Systems – data protection regimes should be put in place, as exceptions shall be envisaged for the purposes of freedom of expression.
- Corporate practices – Corporations should develop strong privacy policies to protect their users. Self-regulatory measures are not recommended due to the business interests lining up against privacy. However, good business practices are considered essential for protection of privacy online (e.g. obtain efficient consent, clear privacy policies, control over privacy shall be given to the users).
- Raise awareness – States, corporations, civil society groups and media should raise awareness about privacy.
The summary of this document is part of the report produced on the Stanford Law School Intermediary Liability and Human Rights Policy Practicum and is based on the work of Ella Hallwass. The full report “The ‘Right to Be Forgotten’ and Blocking Orders under the American Convention: Emerging Issues in Intermediary Liability and Human Rights”, can be accessed here.