Resolution 2396: Some Privacy and Data Protection Considerations

Remarks at a side event organized on the occasion of a special meeting of the UN Counter-Terrorism Committee (CTC)

December 13, 2018
New York, UN Headquarters

Address by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Ladies and Gentlemen, members of the Committee, thank you for the invitation to address you today.

I am grateful for the invitation by CTED to address you as a member of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners (ICDPPC or Conference). The Conference represents approximately 120 data protection authorities at the national or sub-national level.

Rights-based analysis in security deliberation

Let me start by acknowledging that from my experience in data protection work in the security domain, there is no single, simple solution to privacy concerns in the context of counter-terrorism programs.

Each country will have a different experience, jurisprudence and history with these issues, and there are many groups with very legitimate concerns about state action, human dignity and individual autonomy.

Nor are the governmental issues straightforward: they are legally complex, technically difficult, intrinsically inter-jurisdictional problems.

Mounting effective counter-terrorism measures – while at the same time observing international human rights – requires more than a single meeting, or efforts of a single country, or work from a single forum.

This is why solutions need to be collective ones, built upon discussion, patience and thoughtfulness from all sides. I do not claim that conversation is always a comfortable dialogue. But the result is often better government interventions that have a greater degree of support.

Counter-terrorism resolutions and data protection

Counter-terrorism measures often require the collection, sharing and analysis of personal information. This is where national security law and privacy law intersect.

While there is as yet no universal convention specifically on data protection, privacy is nevertheless an international human right, recognized by the UN Declaration of Human Rights (article 12) and the International Covenant on Civil and Political Rights (article 17).

The protection of privacy in the Declaration of Human Rights is of course noteworthy as we celebrate this week the 70th anniversary of that milestone document in the history of human rights, co-drafted by a Canadian, John Humphrey.

UN resolutions on the issue of counter-terrorism, including R1373 (2001), R2178 (2014) and R2396 (2017), all state that counter-terrorism measures must respect international human rights law. The most recent of these resolutions even states that respect for human rights is an essential part of counter-terrorism efforts and that failure to comply with these obligations is one of the factors contributing to increased radicalization.

The issue that brings us here today, the Madrid Guiding Principles on the subject of foreign terrorist fighters (FTF), also refers to respect for human rights law as a key consideration. In several principles (10, 14, 15, 19, 21, 25 and 31), we see the importance of international human rights commitments echoed, in relation to community policing, online communications, authorities’ use of API/PNR information, electronic surveillance and monitoring of social media.

But what does that mean exactly in relation to privacy and data protection? What are the relevant legal principles?

Relevant privacy and data protection principles

While there exists no universal covenant on data protection or privacy, most laws around the world are based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Another important legal instrument is Convention 108 of the Council of Europe.

Among the most important principles found in data protection laws are: necessity, proportionality and oversight.

(i) Necessity and proportionality

To satisfy the necessity standard, a measure need not be the only way in which an objective may be achieved. However, (1) it must be rationally connected and demonstrably necessary to the objective; it must therefore be more than simply useful. (2) It must also be effective in meeting the objective. (3) There must be no other less privacy-invasive way to effectively achieve the objective. And (4) the loss of privacy must be proportional to the importance of the objective.

The necessity and proportionality standards were at play in a 2017 decision of the European Court of Justice assessing the constitutionality of a proposed agreement between the European Commission and Canada related to API/PNR information.

The Court recognized that the transfer from Europe to Canada of the PNR data of all travelers and the subsequent processing of that data may be considered appropriate for public security and safety purposes. Specifically, the Court agreed the systematic use of PNR data was directly and rationally connected to carrying out checks to identify public security threats.

However, the Court held the agreement failed to meet the necessity and proportionality standards on several grounds, including the fact that the agreement authorized the retention of the data of passengers in respect of whom no risk had been identified.

To be compatible with the EU Charter of Fundamental Rights, the Court stipulated a new agreement would need (among other things) to:

  • Define more clearly and precisely the data to be transferred;
  • Ensure criteria for the automatic processing of PNR data will be specific, reliable, and non-discriminatory;
  • Provide that the databases will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
  • Guarantee that an independent supervisory authority oversee rules for the processing of passengers’ PNR data.

(ii) Independent review (oversight)

Another fundamental principle for the protection of privacy, particularly relevant within the context of national security, is the need for independent review of the legality and constitutionality of state conduct. This of course is an essential tenet of the rule of law.

As to the ideal features of bodies charged with review, government reviews and academic literature highlight eight important elements for effective oversight. Those features are:

  • Meaningful independence from the executive;
  • Capacity for proactive work – not simply reactive role;
  • Non-partisan staff;
  • Full, unfettered access to information and systems;
  • The ability to maintain secrecy, as necessary (for both complainants and government bodies);
  • Adequate resources and dedicated, full-time support staff;
  • Capacity to educate citizens and stakeholders;
  • Institutional expertise, with knowledge of both domestic and international standards and law.

Potential amendments to the Madrid principles and Good practices

How should these data protection principles inform potential improvements to the Madrid guiding principles or at least their application?

Let us remember that we are not starting from scratch. Many Madrid principles (but not all relevant ones) already provide that they shall apply in ways consistent with international human rights law.

One solution under consideration would be to clarify in an addendum that when the Madrid principles specify that their implementation must respect international human rights law, this includes privacy and data protection principles of necessity, proportionality and independent oversight.

I have noted that many but not all Madrid guiding principles relevant to data protection include references to international human rights law.

To be more specific, I am referring in part to Principle 15 on the collection of information to help identify foreign fighters, which is ambiguous in this regard and likely under-inclusive. Principles 16 to 18 could also be improved.

The rule in terms of data protection should be that in all stages of data processing, be it collection, analysis, sharing, storage and use, privacy principles should apply. Interestingly, Principle 19(f) of the Madrid document comes close to confirming that rule, except that it applies only to PNR data and that it uses the general reference to human rights law.

Principle 19(f) would be an excellent model for a general data protection principle, to be added to the Madrid principles, if it applied to all data processing activities in relation to FTF and if it included reference to the principles of necessity, proportionality and independent review or oversight.

Conclusion

Thank you again to Michèle Coninsx, the CTED Executive-Director and Assistant Secretary-General, for the invitation to speak to you today and to offer the perspective of a data protection authority on a very difficult issue and challenge for governments worldwide.

Democracy and the rule of law enable serious discussions and measures to protect the privacy rights of citizens.

Conversely, privacy – a viable private life – is the foundation and necessary condition for a public, democratic life; that is for constitutional democracy.

In that spirit, I hope you take my remarks this morning as the next step in that dialogue and thank you once again for the time you have given to the question of privacy rights today.

I would be very happy to take any questions.
