Authored By: Gareth Moyo
University Of Johannesburg
Introduction
We no longer use the internet; we live in it. The rapid digitalization of modern life has fundamentally rewired how our societies operate, transforming everything ranging from mundane human interactions to global commerce to the very mechanics of government.[1] At the heart of this shift is cyberspace—a vast, interconnected environment made up of hardware, software, electronic data, and fiber-optic networks spanning the globe. But as digital technologies seep into every part of our daily existence, the line between what a state needs to do to keep its people secure and what it must not do to preserve their freedom has become worryingly blurred.[2]
This merging of security and daily life creates an incredible paradox. On one hand, the digital domain offers unprecedented opportunities for human development, free expression, and global connection. On the other, it creates profound new threats to our fundamental rights. Reliable cybersecurity is undeniably essential; we need it to protect our critical infrastructure, our financial systems, and our personal data from a constantly changing array of digital threats. However, overly broad or aggressively militarized security measures routinely impinge on the very human rights they are supposed to protect—most notably privacy, freedom of expression, and the right to peaceful assembly.[3]
Consequently, there is an urgent necessity to rethink and reinforce international human rights law so that it actually functions in the digital domain. Achieving genuine security in cyberspace doesn’t mean building higher digital walls; it requires a complete paradigm shift. We need to harmonize collective national safety with the preservation of civil liberties through flexible, inclusive, and globally coordinated frameworks. This essay will explore the intrinsic tension between cybersecurity and human rights, the inadequacies of our current, state-centric legal regimes in taming the “Wild West” of cyberspace, and the specific legal pathways—both domestic and international—required to embed human rights protections at the core of our digital future.
The False Dichotomy: Security versus Freedom
There is a persistent, and arguably false, dichotomy at the heart of modern internet governance: the idea that we must trade our freedom for safety. Historically, governments and corporations have viewed cybersecurity almost exclusively through the lens of protecting assets, national infrastructure, and state secrets from illicit access or damage.[4] The outward expressions of this traditional approach are obvious: the creation of military cyber commands, aggressive national security policies, and the deployment of massive corporate firewalls.[5] However, when we focus entirely on the security of the state or the system, we invariably marginalize the security of the individual.
The Freedom Online Coalition (FOC) has been central to challenging this narrative. It stresses that cybersecurity cannot be limited to protecting networks and servers; it is intrinsically connected to the physical and psychological safety of actual human beings.[6] When hostile agents—whether they are cybercriminals, hacktivists, or state-sponsored groups—deploy cyberattacks, they compromise personal data, imperiling individual safety both online and offline. Therefore, the security of the individual ought to be the central purpose of any cybersecurity measure.
A secure internet is an absolute prerequisite for respecting human rights today. Cybersecurity controls must reinforce the availability, integrity, and confidentiality of information so that individuals can exercise their rights to speak, assemble, and access information securely. Seen in this light, human rights and cybersecurity are not mutually exclusive enemies. They are complementary, mutually reinforcing, and entirely interdependent.[7]
And yet, the pursuit of “security” frequently becomes a convenient pretext for state overreach.[8] We live in an environment in which connecting nearly half the global population has simultaneously rendered millions vulnerable to cybercrime and sophisticated malware.[9] In reaction to these diverse threats, governments rush to enact strict cybersecurity laws. Too often, however, these laws intentionally or inadvertently suppress fundamental freedoms. By enforcing extensive surveillance, mandating data retention, and creating restrictive digital governance models, states severely curtail privacy under the guise of keeping us safe.
This tension isn’t merely theoretical; it plays out with intensity in constitutional courts. A prime example is the South African Constitutional Court’s landmark ruling in AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice.[10] The Court had to directly confront the balance between state security requirements and personal privacy rights regarding the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA).[11] The Court struck down critical aspects of RICA, forcefully articulating that covert state surveillance constitutes a significant violation of the constitutionally protected “inner sanctum” of privacy. The ruling highlighted that the state’s intelligence-gathering apparatus lacked essential democratic safeguards, such as requiring post-surveillance notification to subjects and protecting the confidentiality of lawyers and journalists. AmaBhungane acts as a vital precedent demonstrating that cybersecurity and intelligence gathering cannot function in a legal vacuum; they must be subordinate to constitutional human rights protections.
The Anarchic Architecture of Cyberspace
If we want to understand why human rights are so fragile online, we have to look at how cyberspace is structurally built. Unlike our physical spaces—air, land, and sea—which have been carved up by long-standing territorial boundaries and regulated by centuries of global legal regimes, cyberspace is an entirely human-made domain that ignores geographic borders.[12] This creates an environment that is fundamentally anarchic. In many ways, cyberspace replicates the anarchic nature of international relations, but on steroids.
The borderless and decentralized architecture of the internet severely complicates traditional concepts of state sovereignty and legal control. Cyberspace touches practically everyone and acts as the modern engine for global prosperity, but its lightly regulated, privately owned infrastructure harbors immense risks.[13] The absence of a centralized global authority means the cyber domain is highly susceptible to exploitation by both state and non-state actors. Because states naturally prioritize their own survival and national security in an anarchic system, their default approach to cyberspace frequently leans toward militarization and defensive posturing, leaving the defense of individual liberties as an afterthought.[14]
Furthermore, the internet has entirely redefined the concepts of war and peace. We are seeing indirect and non-military threats where damaging code can target a nation’s critical infrastructure—shutting down financial institutions, crippling energy networks, or disabling e-government services. The pervasive, entirely justified fear of such attacks gives governments the ammunition they need to justify expanding their surveillance apparatuses.[15] The ultimate challenge is figuring out how to balance the rights to life, liberty, and security within a domain that has been effectively weaponized, all while lacking an overarching legal mechanism to discipline state behaviour.
Where Traditional Human Rights Law Falls Short
The bedrock of our international human rights regime—instruments like the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR)—was drafted in a distinctly pre-digital era. The frameworks are brilliantly conceived but inherently state-centric. They assume that national governments bear the primary obligation to respect, protect, and fulfil human rights.[16] While the United Nations Human Rights Council has repeatedly, and rightly, affirmed that the exact same rights people have offline must also be protected online, putting that principle into practice has proven to be an uphill battle.[17]
The first major hurdle is that state-centric international law struggles to regulate a space where non-state actors wield unprecedented power.[18] Transnational technology corporations, Internet Service Providers (ISPs), and decentralized hacker collectives effectively build, own, and police the infrastructure through which we exercise our digital rights. This dynamic produces a massive governance gap. A tech giant can arbitrarily silence political speech or expose user data to foreign adversaries without direct state involvement, leaving users with little to no recourse under traditional international human rights treaties.
Secondly, the sheer velocity of technological innovation outstrips the glacial pace of international law. We are trying to govern AI-driven surveillance systems, quantum computing, and state-of-the-art encryption with juridical concepts developed in the mid-20th century. Take encryption, for example. End-to-end encryption is essential to protecting the confidentiality of our digital communications.[19] Yet, various governments continually seek to subvert these cryptographic measures, lobbying to mandate “backdoors” for law enforcement under the banner of national security. As detailed in the Encyclopedia of Cryptography, Security and Privacy, modern digital security relies on incredibly complex mathematics—from zero-knowledge proofs to quadratic span programs.[20] When policymakers who lack this technical fluency attempt to draft cybersecurity legislation, the result is often poorly tailored, blunt-instrument laws that disproportionately infringe on civil liberties.
Thirdly, the international character of cyberspace is deeply fractured by divergent national governance models.[21] We don’t have a single internet; we have a patchwork of national internets. Some states champion an open, interoperable web that maximizes free expression, while others—driven by digital authoritarianism—view the internet as a tool for control, using “cybersecurity” as a cover to monitor dissidents and censor political speech.
The Jurisdictional Nightmare: Data Flows and Surveillance
This clash of national governance models creates intense jurisdictional friction, a problem vividly illustrated by the Court of Justice of the European Union (CJEU) in the landmark Schrems II decision.[22]
In Schrems II, the CJEU effectively torpedoed the EU-US Privacy Shield, a framework that enabled companies to transfer the personal data of European citizens to the United States. The Court’s reasoning was firmly grounded in human rights: it ruled that US domestic surveillance laws—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333—authorized sweeping intelligence gathering that did not provide privacy protections “essentially equivalent” to those guaranteed by the EU’s General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights.[23]
The CJEU found that US surveillance programs were not strictly limited to what was necessary and, crucially, failed to grant actionable judicial redress for non-US citizens whose data was swept up. This ruling sent shockwaves through the global tech industry, vividly demonstrating how aggressive domestic security requirements can fracture international commerce and threaten human rights across borders. It proved that in the digital age, domestic surveillance is a global human rights issue.
Mass Surveillance and the Emergence of Digital Authoritarianism
Looking forward, one of the most terrifying challenges to human rights is the normalization of mass surveillance and the rapid growth of digital authoritarianism. As governments fully grasp the strategic and manipulative value of big data, there is a distinct gravitational pull toward total state control over digital infrastructure.[24] Under the guise of sustaining public order and cybersecurity, regimes are leveraging incredibly sophisticated surveillance technologies, like commercial spyware, to invisibly monitor their populations. When tools designed to catch terrorists are instead deployed against investigative journalists, human rights defenders, and political opponents, “security” becomes indistinguishable from oppression.
The legality of hoovering up massive amounts of citizen data was heavily scrutinized by the Grand Chamber of the European Court of Human Rights (ECtHR) in Big Brother Watch and Others v United Kingdom.[25] In the wake of the Snowden revelations, human rights groups challenged the UK’s bulk data-collection programs. The ECtHR ultimately ruled that the UK’s mass interception regimes violated Article 8 (the right to respect for private and family life) and Article 10 (freedom of expression) of the European Convention on Human Rights.[26]
The Court’s rationale was clear: the UK’s program lacked independent authorization and was virtually devoid of safeguards governing the selection and examination of intercepted data. Big Brother Watch is a watershed moment because it legally confirms a vital principle: while states do enjoy a “margin of appreciation” in matters of national security, engaging in bulk surveillance without rigorous, independent, and end-to-end judicial oversight is fundamentally incompatible with international human rights law.
Centering Human Rights: The Way Ahead
To actually fix this, we have to stop treating human rights as an obstacle to cybersecurity and start treating them as the baseline. We need to integrate a human rights-based approach into all domestic and international cybersecurity systems.[27] This means officially acknowledging that the end goal of a cybersecurity policy isn’t just to protect a government server; it’s to protect the health and privacy of the citizens using it.
Civil society and the technical community have a massive role to play here. Historically, the people actually building the internet—groups like the Internet Engineering Task Force (IETF)—operated largely independently of government politics to ensure the physical security of the internet’s infrastructure.[28] But as the internet has become deeply politicized, civil society organizations have had to step up, championing evidence-based cybersecurity decisions that place human rights at the center of the debate.[29] By demanding a seat at the table during international treaty negotiations and domestic policy-making meetings, civil society acts as a vital counterweight to the intelligence and military communities, making sure that our digital freedoms aren’t quietly negotiated away behind closed doors.[30]
The Freedom Online Coalition continues to push states to commit to transparency, proportionality, and necessity in their cyber operations.[31] If states genuinely want a secure digital ecosystem, they must agree to norms of responsible behavior. That means agreeing to abstain from deploying malicious software against civilian targets, refraining from undermining global encryption standards, and tying their cyber operations directly to their existing obligations under the ICCPR.
Policy Recommendations
Walking the tightrope between security and freedom in the 21st century calls for a proactive, multi-faceted approach.[32] We cannot rely on the old ways of doing things.
First, at the domestic level, states must develop national strategic action plans that explicitly embed human rights protections into the foundation of their cybersecurity mandates.[33] This requires enacting and fiercely enforcing comprehensive data protection laws. Frameworks such as the GDPR in Europe and the Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa are essential blueprints. They strictly regulate how both public agencies and private tech monopolies collect, store, and process our data. Furthermore, following the legal logic of cases such as AmaBhungane and Big Brother Watch, any state surveillance activities must be subject to rigorous prior judicial oversight. Intelligence agencies cannot be left to police themselves.
Second, at the international level, institutions must aggressively adapt existing human rights treaties to fit the digital context. While drafting an entirely new, standalone “Digital Human Rights Treaty” might be a geopolitical impossibility right now, we can use authoritative interpretations—such as General Comments from UN Treaty Bodies—to clearly define what states can and cannot do. We need widely accepted “red lines,” such as absolute prohibitions on state-sponsored cyberattacks against critical civilian infrastructure (such as hospitals and electrical grids) and on the use of commercial cyber mercenaries.[34]
Third, we have to get ahead of the technology. The swift evolution of Artificial Intelligence, quantum computing, and blockchain requires what scholars call “anticipatory governance.” We can’t wait for a technology to be abused before we regulate it. Tech companies must be legally required to adopt strict human rights due diligence processes, compelling them to design their products using “privacy by design” principles before they hit the market.[35]
Finally, we cannot ignore the digital divide. Roughly 40 percent of the planet is online, but vast inequalities exist in who has access to secure, reliable digital infrastructure.[36] This divide isn’t just an economic issue; it’s a serious human rights vulnerability. Marginalized populations who lack digital skills and access to encrypted technologies are disproportionately targeted by cybercrime and state surveillance. A truly global human rights strategy must involve developed nations assisting developing countries in building secure, rights-respecting digital frameworks, rather than just selling them outdated surveillance software.
Conclusion
We are living through a major transition. The digital era has seamlessly knitted our physical and virtual realities together, making cyberspace the primary arena for political debate, economic survival, and social life. Securing this domain is undeniably one of the most significant challenges of our time. However, the blind pursuit of cybersecurity must never occur at the expense of the very rights and freedoms it is supposed to safeguard. The old, state-centric, “security-first at all costs” paradigm is dangerously inadequate for the complex, anarchic reality of the modern web.[37]
Strengthening human rights law in the digital domain is not a matter of tweaking a few regulations; it requires a basic paradigm shift. We must legally and culturally recognize that cybersecurity and human rights are mutually reinforcing elements of a free society.[38] By realizing that state security tools can easily become weapons of oppression, officials can formulate frameworks that are adaptive, legally rigorous, and human-centered. This monumental task demands the relentless participation of civil society, the technical community, and international courts to remind states that the ultimate objective of any security policy is the safety and liberty of the individual.[39] Only through a committed, legally binding, and multidisciplinary approach can we ensure that the internet of the future remains a tool for human liberation, rather than an instrument of total control.
Bibliography
Cases
AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3, 2021 (3) SA 246 (CC)
Big Brother Watch and Others v United Kingdom App nos 58170/13, 62322/14 and 24960/15 (ECtHR [GC], 25 May 2021)
Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559 (Schrems II)
Legislation and Treaties
European Convention for the Protection of Human Rights and Fundamental Freedoms (adopted 4 November 1950, entered into force 3 September 1953) 213 UNTS 222 (ECHR)
Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002
Secondary Sources
Akyeşilmen N, ‘Cybersecurity and Human Rights: Need for a Paradigm Shift?’ (2016) 1(1) Cyberpolitik Journal 32
Association for Progressive Communications, APC Policy Explainers: Cybersecurity (APC 2015)
Freedom Online Coalition, ‘FOC Joint Statement on the Human Rights Impact of Cybersecurity Laws, Practices and Policies’ (February 2020) www.freedomonlinecoalition.com accessed 15 March 2026
Jajodia S, Samarati P, and Yung M (eds), Encyclopedia of Cryptography, Security and Privacy (3rd edn, Springer 2025)
Rossini C and Green N, ‘Cybersecurity and Human Rights’ in GCCS 2015 Webinar Series Introductory Text (Public Knowledge 2015)
Shawe R, ‘Cybersecurity and Human Rights: Navigating the Balance between Security and Freedom in the Digital Era’ (2025) 3(2) J Inform Techn Int 110
Zalnieriute M, ‘Data Transfers after Schrems II: The EU-US Disagreements over Data Privacy and National Security’ (2023) 55 Vanderbilt Law Review 1
[1] Nezir Akyeşilmen, ‘Cybersecurity and Human Rights: Need for a Paradigm Shift?’ (2016) 1(1) Cyberpolitik Journal 32
[2] Freedom Online Coalition, ‘FOC Joint Statement on the Human Rights Impact of Cybersecurity Laws, Practices and Policies’ (February 2020) www.freedomonlinecoalition.com accessed 15 March 2026
[3] Carolina Rossini and Natalie Green, ‘Cybersecurity and Human Rights’ in GCCS 2015 Webinar Series Introductory Text (Public Knowledge 2015)
[4] See n 1
[5] See n 3
[6] See n 2
[7] See n 2
[8] Robb Shawe, ‘Cybersecurity and Human Rights: Navigating the Balance between Security and Freedom in the Digital Era’ (2025) 3(2) J Inform Techn Int 110
[9] See n 3
[10] AmaBhungane Centre for Investigative Journalism NPC v Minister of Justice and Correctional Services [2021] ZACC 3, 2021 (3) SA 246 (CC)
[11] Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002
[12] See n 1
[13] See n 3
[14] See n 1
[15] See n 8
[16] See n 1
[17] See n 2
[18] See n 1
[19] Association for Progressive Communications, APC Policy Explainers: Cybersecurity (APC 2015)
[20] Sushil Jajodia, Pierangela Samarati, and Moti Yung (eds), Encyclopedia of Cryptography, Security and Privacy (3rd edn, Springer 2025)
[21] See n 8
[22] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559 (Schrems II)
[23] Monika Zalnieriute, ‘Data Transfers after Schrems II: The EU-US Disagreements over Data Privacy and National Security’ (2023) 55 Vanderbilt Law Review 1
[24] See n 8
[25] Big Brother Watch and Others v United Kingdom App nos 58170/13, 62322/14 and 24960/15 (ECtHR [GC], 25 May 2021)
[26] European Convention for the Protection of Human Rights and Fundamental Freedoms (adopted 4 November 1950, entered into force 3 September 1953) 213 UNTS 222 (ECHR)
[27] See n 2
[28] See n 3
[29] See n 19
[30] See n 3
[31] See n 2
[32] See n 8
[33] See n 1
[34] See n 19
[35] See n 8
[36] See n 3
[37] See n 1
[38] See n 2
[39] See n 3





