Authored By: Arya Sable
Government Law College, Mumbai.
Abstract
This article examines the escalating prevalence of digital surveillance and its profound impact on human rights. It underscores the critical need to balance security imperatives with individual privacy rights and explores the role of privacy laws in addressing these challenges. By analysing international and regional norms, comparing privacy laws across different countries, and highlighting the specific challenges faced by India, this article offers policy recommendations for regulating surveillance technologies and ensuring data privacy in the digital age.
Introduction
The 21st century has witnessed an unprecedented surge in digital surveillance, transforming the way governments and organizations monitor individuals and societies. This increase is driven by technological advancements, the growing reliance on digital platforms, and the perceived need to enhance security in an increasingly interconnected world. While digital surveillance offers potential benefits in crime prevention and national security, it also poses significant threats to fundamental human rights, including privacy, freedom of expression, and freedom of association. Balancing security needs with the preservation of individual privacy is a complex challenge that requires careful consideration of legal frameworks, ethical guidelines, and technological safeguards. The absence of adequate privacy laws and regulatory oversight can lead to the misuse of surveillance technologies, resulting in self-censorship, discrimination, and the erosion of democratic values. Therefore, it is crucial to examine the role of privacy laws in addressing these challenges and ensuring that surveillance practices are conducted in a manner that respects human rights and upholds the rule of law.
Key Concepts
Digital surveillance encompasses a wide range of methods used to monitor, track, and analyse individuals’ digital activities. These methods include:
- Monitoring electronic communications: Intercepting and analysing emails, text messages, and social media posts.
- GPS tracking: Using location data from smartphones and other devices to track individuals’ movements.
- Data mining: Collecting and analysing large datasets to identify patterns and trends in individuals’ behaviour.
- Facial recognition technology: Employing software to identify and track individuals in public spaces.
The effects of digital surveillance on digital rights are far-reaching. Surveillance can infringe upon the right to privacy, which is recognized as a fundamental human right under international law. It can also stifle freedom of expression by creating a chilling effect on dissent and critical discourse. Furthermore, surveillance can undermine freedom of association by discouraging individuals from participating in lawful gatherings and organizations. Data protection is the practice of safeguarding personal information from unauthorized access, use, and disclosure. With the increasing capacity of entities to extract personal data, the need for robust data protection measures has become more critical than ever. Data protection laws and regulations aim to ensure that personal data is collected and processed fairly, transparently, and for legitimate purposes.
International and Regional Norms
The international framework governing surveillance technologies is based on the principles of necessity, proportionality, and legality. These principles require that surveillance measures be:
- Necessary: Implemented only when there is a legitimate need to achieve a specific objective.
- Proportional: Limited in scope and duration to what is necessary to achieve the objective.
- Lawful: Conducted in accordance with applicable laws and regulations.
Despite these principles, there is a growing recognition of the need for stronger international norms and standards to regulate the use of surveillance technologies.
The UN Human Rights Council has emphasized the right to privacy in the digital age and called on states to ensure that surveillance measures comply with international human rights law. It has consistently emphasized the importance of the right to privacy in the digital age, asserting that the same rights individuals have offline must also be protected online. This position is reflected in several resolutions adopted by the Council. These resolutions recognize that the rapid advancement of information and communication technologies and the global nature of the internet are driving forces in accelerating progress. However, they also acknowledge that new and emerging technologies may not be compatible with international human rights law. The Human Rights Council has called upon states to respect international human rights obligations regarding the right to privacy when intercepting digital communications. It has also recognized that certain types of metadata, when aggregated, can reveal personal information and provide insights into an individual’s behaviour, social relationships, private preferences, and identity. To address these concerns, the Human Rights Council has taken several steps:
- Identifying and clarifying principles: The Council aims to identify and clarify principles, standards, and best practices regarding the promotion and protection of the right to privacy in the digital age.
- Analysing issues: The Council recognizes the need to further discuss and analyze issues related to the promotion and protection of the right to privacy in the digital age, including procedural safeguards, effective domestic oversight and remedies, and the impact of surveillance on the right to privacy and other human rights.
- Examining principles: They also seek to examine the principles of non-arbitrariness and lawfulness and the relevance of necessity.
- Promoting awareness: The Council aims to raise awareness concerning the importance of promoting and protecting the right to privacy, including with a view to particular challenges arising in the digital age.
- Providing remedies: It is important to provide individuals whose right to privacy has been violated with access to effective remedies, consistent with international human rights obligations.
- International cooperation: The Human Rights Council encourages States to participate in relevant international conferences and events with the aim of promoting a systematic and coherent approach to issues pertaining to the mandate.
- Special Rapporteur: The Human Rights Council established a Special Rapporteur on the right to privacy to monitor and report on alleged violations of the right to privacy.
The Human Rights Council has also addressed encryption, acknowledging that in order to guarantee the enjoyment of all human rights both offline and online, technological solutions are necessary to secure and protect the confidentiality of digital communications, including measures for encryption and anonymity.
The Council of Europe’s Convention 108 and its updated version, Convention 108+, provide a regional framework for data protection and privacy. These conventions establish the powers and duties of supervisory authorities, which are responsible for monitoring and enforcing compliance with data protection laws.
The historic “Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data,” or Convention 108 of the Council of Europe, safeguards people’s right to privacy regarding automated data processing. It was the first legally enforceable international data protection instrument when it was made available for signature in 1981. Convention 108 has been ratified by every member state of the Council of Europe. Argentina, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia, and Uruguay are among the non-Council of Europe nations that have ratified the pact.
Key Aspects of Convention 108:
- Purpose: To protect individuals, regardless of nationality or residence, regarding the processing of their personal data, contributing to respect for human rights, fundamental freedoms, and particularly the right to privacy.
- Definitions: “Personal data” refers to any information pertaining to an identified or identifiable individual, and “data processing” refers to any action taken on personal data, such as gathering, storing, altering, retrieving, or destroying it. It also provides legal definitions for important data protection concepts, such as personal data, data controller, and processing activity, highlighting individual control over their data.
- Principles: Establishes principles for lawful, fair, and purpose-specific data processing, incorporating privacy by design and default, compliance, transparency, data security, and risk management.
- Data Security: Requires parties to ensure data controllers implement appropriate security measures against risks like unauthorized access, destruction, or disclosure of personal data and to notify supervisory authorities of data breaches that could seriously interfere with the rights of data subjects.
- Rights of Data Subjects: Guarantees data subjects the right to know if their data is being processed, to obtain communication of their data in an intelligible form without excessive delay or expense, to request rectification or erasure of data processed unlawfully, and to have a remedy if their rights are violated.
Convention 108+ (Modernized Convention 108):
To address emerging challenges, the Council of Europe modernized Convention 108, resulting in Convention 108+. This updated version includes:
- An obligation to report data breaches
- Additional accountability for data stores.
- New rights regarding algorithmic decision-making.
- Supervisory Authorities: The function of supervisory authorities is emphasized in both Convention 108 and 108+. Helping data subjects exercise their rights is the responsibility of these authorities.
- Working together with oversight bodies in other nations.
- Keeping an eye on and guaranteeing adherence to data protection regulations.
- Sharing information and offering support to one another as needed for their responsibilities, while abiding by the guidelines and protections of the Convention.
Convention 108 remains the only binding international legal instrument in the field, with a potential worldwide scope of application.
Privacy Laws of Different Countries
The EU’s General Data Protection Regulation (GDPR) is widely regarded as a leading example of privacy legislation. The GDPR sets a high standard for data protection and grants individuals significant rights over their personal data. Key features of the GDPR include:
- Explicit consent: Requiring individuals to give explicit consent before their personal data is collected and processed.
- User rights: Granting individuals the right to access, rectify, and erase their personal data.
- Supervisory functions: Empowering data protection authorities to educate the public, monitor compliance, and enforce the law.
In contrast to the GDPR’s comprehensive approach, the United States relies on sector-based privacy regulations. These regulations address specific types of personal data, such as health information (HIPAA), financial information (GLBA), and children’s online information under the Children’s Online Privacy Protection Act (COPPA), but do not provide a comprehensive framework for data protection.
- The 1996 U.S. statute known as the Health Insurance Portability and Accountability Act (HIPAA) sets nationwide guidelines for safeguarding patient medical records and other private health data. To secure protected health information (PHI), it regulates covered organizations that carry out specific transactions electronically, including health plans, healthcare clearinghouses, and healthcare providers. HIPAA contains clauses about data security and privacy. People have rights regarding their health information, such as the ability to request correction of errors and obtain a copy of their records.
- Gramm-Leach-Bliley Act (GLBA): The Gramm-Leach-Bliley Act is a United States federal law that requires financial institutions to explain how they share and protect consumers’ private information.
- Children’s Online Privacy Protection Act (COPPA): Enacted in 1998 and effective since 2000, COPPA is a U.S. federal law, managed by the Federal Trade Commission (FTC), designed to protect the online privacy of children under 13. It applies to operators of websites and online services directed at children or who knowingly collect personal information from children under 13. COPPA mandates verifiable parental consent for the collection, use, or disclosure of children’s personal information. It requires specific inclusions in a privacy policy, restricts marketing to those under 13, and imposes data security obligations. COPPA defines “personal information” to include a range of identifiers, contact details, persistent identifiers, and media containing a child’s image or voice.
Challenges Posed by Digital Surveillance
Digital surveillance poses numerous challenges to human rights. The risks to privacy are particularly acute, as surveillance technologies can collect and analyze vast amounts of personal data without individuals’ knowledge or consent. This can lead to the misuse of personal data, including identity theft, discrimination, and the violation of personal autonomy. Surveillance can also stifle freedom of expression and association. The knowledge that one’s communications and activities are being monitored can lead to self-censorship and discourage individuals from expressing dissenting opinions or participating in lawful gatherings. This can have a chilling effect on democratic discourse and undermine the ability of civil society to hold governments accountable. The misuse of digital ID systems and the abuse of counter-terrorism measures are additional concerns. Digital ID systems can be used to track individuals’ movements, purchases, and political beliefs without their consent. Counter-terrorism measures can be used as a pretext for conducting mass surveillance and targeting political opponents. The absence of a data protection law and the increase of surveillance in digitalizing democracies further exacerbate these challenges. Without adequate legal safeguards, individuals are vulnerable to the arbitrary and excessive collection and processing of their data. The COVID-19 pandemic has also led to an increase in surveillance, as governments have relied on tech tools to track and monitor the spread of the virus.
Challenges Faced by India in Digital Surveillance
India faces unique challenges in the realm of digital surveillance. The expansion of digital surveillance in India is driven by the increasing digitalization of the economy and society, as well as the growing use of artificial intelligence (AI). The cost-effectiveness of digital surveillance for the state makes it an attractive tool for law enforcement and national security agencies. However, this comes at a cost to the public, as the absence of external oversight, accountability, and redressal mechanisms for individuals whose rights are violated creates a climate of fear and impunity.
Since the landmark Justice K.S. Puttaswamy (Retd) vs. Union of India case in 2017 affirmed the right to privacy as a fundamental right, India has seen significant progress in privacy laws and digital surveillance practices. Most notably, the Digital Personal Data Protection Act (DPDPA) of 2023 marks the first comprehensive, cross-sectoral law on personal data protection in India. This legislation requires explicit consent for data processing and grants individuals the right to access, correct, update, and erase their personal information. It establishes a legal foundation for data protection, promoting baseline standards for data collection among businesses. The Supreme Court’s jurisprudence has continually broadened the scope of the right to privacy, with High Courts providing nuanced interpretations, especially in cases related to the “right to be forgotten,” enabling individuals to request the removal of their personal information from public records under certain circumstances. There have been limitations placed on investigative authorities, relying on the Puttaswamy judgment to define boundaries for surveillance, search and seizure, and DNA testing powers. The Supreme Court has also acknowledged the “right to be forgotten,” allowing individuals to have their personal information removed from the internet in cases of social ostracization. The DPDPA has moved away from criminalizing non-compliance, imposing monetary penalties determined by the Data Protection Board (DPB) instead. The DPDPA provides for the establishment of the Data Protection Board of India to handle complaints, resolve grievances, and impose penalties for non-compliance.
The Puttaswamy judgment prompted a re-evaluation of existing data protection norms, recognizing that before this decision, data protection laws were limited to the Information Technology Rules of 2011. These advancements highlight a growing acknowledgment of the importance of individual privacy in the digital era and a concerted effort to create a robust legal structure governing data protection and digital surveillance in India.
The DPDPA, or Digital Personal Data Protection Act of 2023
One important step in creating a thorough legislative framework for data privacy in India is the Digital Personal Data Protection Act, 2023 (DPDPA). The Act gives Indian individuals a number of significant rights, such as:
- The ability to view their personal information.
- The right to have their personal information deleted.
- The right to have inaccurate or incomplete data corrected.
- The ability to limit how their personal data is processed.
- The freedom to transfer data.
- The ability to protest how their personal information is processed.
However, given the government’s extensive authority to exempt itself from the Act’s restrictions, questions still surround the DPDPA’s ability to effectively protect privacy.
Recommendations
To address the challenges posed by digital surveillance and ensure data privacy in the digital age, the following policy recommendations are offered:
- Regulate surveillance technologies: Implement strict legal frameworks that regulate the use of surveillance technologies, ensuring that they are used only when necessary, proportional, and lawful.
- Establish independent oversight bodies: Create independent oversight bodies with the power to monitor and investigate surveillance practices, ensuring accountability and transparency.
- Strengthen data protection laws: Enact comprehensive data protection laws that grant individuals significant rights over their personal data and establish clear obligations for data controllers and processors.
- Promote privacy-enhancing technologies: Encourage the development and use of privacy-enhancing technologies that can help individuals protect their personal data from unauthorized access and use.
- Educate the public: Raise public awareness about the risks of digital surveillance and the importance of protecting privacy, empowering individuals to take control of their personal data.
- Foster international cooperation: Promote international cooperation on data protection and surveillance issues, sharing best practices and developing common standards.
Balancing security with privacy requires a holistic approach that considers legal, ethical, and technological factors. Stronger privacy laws are needed to balance privacy protection with competition, ensuring that individuals’ rights are respected in the digital marketplace.
Conclusion
In the twenty-first century, human rights are seriously threatened by digital surveillance. Fear and impunity have become more common as a result of the growing use of surveillance technologies and the lack of sufficient legal protections. In order to solve these issues, privacy laws are essential because they set down precise guidelines for the gathering, handling, and application of personal information. In order to ensure that surveillance practices are carried out in a way that respects human rights and promotes the rule of law, governments and organizations should better balance security and privacy by putting the policy recommendations discussed in this article into effect.