The body said that governments can "engage in quite intrusive surveillance" of their citizens provided that "there is a legitimate aim and appropriate safeguards are in place". However, it said that governments must show that their surveillance programmes represent a "necessary and proportionate" infringement of individuals' privacy (16-page / 322KB PDF), and questioned whether mass surveillance activities pass that test.
"Mass or 'bulk' surveillance programmes may … be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime," the UNHRC said in a new report. "In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate."
"Concerns about whether access to and use of data are tailored to specific legitimate aims also raise questions about the increasing reliance of governments on private sector actors to retain data 'just in case' it is needed for government purposes. Mandatory third-party data retention – a recurring feature of surveillance regimes in many states, where governments require telephone companies and Internet service providers to store metadata about their customers’ communications and location for subsequent law enforcement and intelligence agency access – appears neither necessary nor proportionate," it said.
The report comes as UK lawmakers debate an emergency bill on the retention of communications data by telecoms companies, which the government is attempting to fast-track into law. The proposed Data Retention and Investigatory Powers (DRIP) Bill would replace existing UK regulations that implement an EU law ruled invalid by the Court of Justice of the EU (CJEU) earlier this year. The CJEU said the Data Retention Directive was incompatible with EU citizens' privacy rights.
Specialist in financial services regulation John Salmon and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said earlier this week that the DRIP Bill "could be challenged in the same way as the court-revoked law it is replacing".
Communications data is a term used to describe the traffic information concerning mobile and internet communications, such as the source of a communication, its destination, date, time, duration and type. It does not include the content of communications, which is protected by other laws.
The UNHRC paper was issued in response to a request by the General Assembly of the United Nations for a report from the Council on "the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or the interception of digital communications and the collection of personal data".
In its report the UNHRC raised concerns about the lack of "use limitations" specified in national laws on data retention. It said that this means that, whilst data may be collected "for one legitimate aim", it may subsequently be used for another purpose in a way that is not necessary and proportionate.
"The absence of effective use limitations has been exacerbated since 11 September 2001, with the line between criminal justice and protection of national security blurring significantly," the UNHRC said. "The resulting sharing of data between law enforcement agencies, intelligence bodies and other state organs risks violating [individuals' privacy rights specified in the International Covenant on Civil and Political Rights], because surveillance measures that may be necessary and proportionate for one legitimate aim may not be so for the purposes of another."
The UNHRC said that telecoms providers have a role in protecting the privacy of their customers and should not accede to "government demands for access to data that do not comply with international human rights standards". In those cases "they are expected to seek to honour the principles of human rights to the greatest extent possible, and to be able to demonstrate their ongoing efforts to do so", it said. The Council provided some practical examples of the actions businesses should take in such circumstances.
"This can mean interpreting government demands as narrowly as possible, seeking clarification from a government with regard to the scope and legal foundation for the demand, requiring a court order before meeting government requests for data, and communicating transparently with users about risks and compliance with government demands," the UNHRC said in its report. "There are positive examples of industry action in this regard, both by individual enterprises and through multi-stakeholder initiatives."