Privacy and Human Rights 2004
This annual report by the Electronic Privacy Information
Center and Privacy International reviews the state of privacy in over 60
countries around the world. It outlines legal protections for privacy, and
summarizes important issues and events relating to privacy and surveillance.
Each country report covers the constitutional, legal and regulatory framework
protecting privacy and the surveillance of communications by law enforcement,
new landmark court cases, most noteworthy advocacy work of non-governmental
organizations (NGOs) and human rights groups, various new developments, and
major news stories related to privacy.
A major focus of the 2004 report has been to
document the effects of the terrorist attacks of September 11, 2001 and subsequent ones on the state of privacy and civil liberties in the world between June
2003 and June 2004. In response to the need for security those events created,
many countries around the world have pursued policy and legislative efforts
that aim at increasing identification schemes and the surveillance of communications
for law enforcement and national security agencies, weaken data protection
regimes, and intensify data sharing and collection practices, thanks to a
growing cooperation between government entities and the private sector.
New identification measures and new traveler prescreening and profiling
systems
Around the world, most governments have pursued
policies guided by the fight against terrorism. One of the most important
trends has been the deployment of new measures ensuring the identification of
people traveling across country borders (most particularly new and more secure
travel documents), and the establishment of traveler prescreening and profiling
systems. After the United States government decided, in the aftermath of
September 11, 2001, to require every foreigner entering the country to carry a
machine-readable passport incorporating biometrics by October 2004 and to
establish a huge database of foreigners' fingerprints (called US-VISIT), most
countries have bowed to its wishes by designing new passports with facial
recognition, fingerprint scanning, iris scan or other biometric features. Plans
even include the use of radio frequency identification technologies. While
working on those new identification requirements, many governments have
established new national ID schemes (China, the Netherlands, Nigeria, Russia,
Taiwan), some of them reviving schemes that had been rejected in the past by
failure of public support or lack of legitimacy (Canada, the Philippines and
the United Kingdom). Other countries are setting up biometric databases (France,
South Africa, Taiwan, United States). Many data protection authorities had to
strike down some of those new measures as they were found to exceed their
stated purposes of securing persons' identity or aircraft safety (Greece, Italy).
The establishment of those new identification measures seems to provide new
reasons for governments to centralize databases and use upcoming biometric
passports as unique ID and as part of ambitious national ID schemes.
Under the impulse of the United States
government's Computer-Assisted Passenger Prescreening System of the second
generation (or CAPPS-II), recently renamed "Secure Flight," Australia
and Canada, followed by a few other countries around the globe, have started
designing traveler prescreening and profiling systems. The main problem those
systems create is whether there is an adequate protection in place for
travelers' personal information once disclosed to foreign law enforcement
authorities. This issue was best exemplified in the intense battle between the
EU and the US government over the legitimacy and legality of the disclosure of
Europeans' passenger name records to US authorities.
While governments have generally begun
implementing those new identification requirements for foreigners and minority
populations, the new schemes are likely to be extended to all citizens at a
later stage.
New anti-terrorism laws and governmental measures provide for increased
search capabilities and sharing of information among law enforcement
authorities
In addition to travel identification measures,
governments have adopted other measures to respond to the threat of terrorism.
Some of the new laws, originally passed for legitimate purposes (combating
terrorism), either have been enacted to provide law enforcement with new powers
that are not proportionate to the objective of fighting against terrorism (Sweden,
United Kingdom), or enforced later for unrelated purposes (Malaysia). Some
countries have adopted laws under the influence of international anti-terrorism
agreements (New Zealand); while others generally provided their law enforcement
bodies with increased powers, although without corresponding oversight
safeguards.
New laws or pending bills generally provide for
police cooperation agreements (European Union, Switzerland); long data
retention periods (Argentina, Estonia, Italy, Nigeria); increased surveillance
powers and measures facilitating the sharing of intelligence information
(Australia, Colombia, New Zealand, South Africa, United States); as well as new
government agencies and institutions established to fight terrorism (Ukraine,
European Union).
The trend of law enforcement agencies delegating
the task of collecting and storing personal information to private companies is
also on the rise in many nations.
Governments have not limited themselves to deploy
new surveillance measures that directly respond to the threat of terrorism.
Recent areas of interest for surveillance technologies have included video
surveillance, smart cards, and DNA and health information databases. A few
countries have pursued censorship policies as a means to control people's
activities, especially online.
Video surveillance
Video surveillance technology is now being used
by a plethora of governments for various public safety and law enforcement
objectives (including the monitoring and prevention of violent activities by
Islamic groups in Thailand), from monitoring public places (Malaysia, Japan),
transportation means (Italy) and schools (Canada), to collecting tolls (Germany).
The United Kingdom is still ahead every other country in its use of that
technology with one camera installed for every 14 resident and a 300 percent
increase in cameras in the last three years. Some data protection authorities
have reacted to potential or actual abuses by initiating complaints (Canada),
launching consultations and hearings (Canada), or issuing opinions and
guidelines (Italy and Canada). A few countries have also established safeguards
(mandatory notices in Brazil, Estonia and the Netherlands; protection of
recorded images in Brazil; maximum retention periods in Slovenia). Bad actors
in this field included Switzerland where the legal basis of video surveillance
using face recognition has been contested, and where another video surveillance
system once considered illegal was only made legal after the fact.
Smart cards
Several governments have started deploying smart
cards for various applications, ranging from their use as a unique ID number
(Austria, Ireland), a passport, a driver's license, a banking card (Belgium,
Malaysia), a jobcard for employees (Germany) and patients (Taiwan), or a secure
token of identity (Belgium, Ireland, Spain). It may contain sensitive
information, from health data (Taiwan and Thailand), to religious and tax
information (Thailand), and fingerprints (Thailand). Some are coupled with biometric
information (Italy, Thailand) and their information may be stored in a central
database (Germany, Spain). Certain cards allow their holders to electronically
interact with government agencies and benefit from e-government services (Austria,
Belgium, Ireland (in project only), Italy, Spain, Thailand). They seem first
to have been developed with minority populations, such as refugees and illegal
foreigners (South Africa), although some governments do not hide their
intentions of rolling out cards for the whole population in the long term (South
Africa), if it is not already the case (Belgium). Most of the criticisms they
currently face have to do with the lack of adequate data protection laws in
place in the country in which they are used (Malaysia); the risk of identity
theft (Ireland), the risk for privacy that a link between e-commerce identity
and authentication presents (Belgium), or even the violation of the
constitution and/or existing data protection law (Germany and Taiwan).
DNA and health information databases
The establishment of DNA and other health
information databases has rapidly grown during the period this survey covers.
Their use and scope have also increased with a higher number of offenses
susceptible for inclusion in the database; a higher number of people compelled
to be recorded (from sexual offenders (France); violent offenders or all felons
(United States); drunk drivers not yet convicted (United Kingdom); and selected
babies and their parents (United Kingdom)); as well as longer retention
periods, even indefinite retention as in the United Kingdom. Law enforcement
has increasingly relied upon the use of DNA evidence. These databases are also
increasingly being used for additional purposes (social security in France,
medical research in Estonia and Iceland, monitoring of health care expenditures
in Italy). Some governments have created national DNA databases (Australia, Israel,
United Kingdom). The highest risks to privacy that these databases raise
include the absence of control by individuals of when genetic testing is
conducted, or how the results are used. This is especially worrisome since the
personal information contained in such databases may include data collected
during genetic testing in the workplace and its data may be used in certain
cases as a condition to obtain medical and life insurance coverage. Criticism
has emerged on their legality or constitutionality (the Icelandic Supreme Court
considered that a law creating a health information database was unconstitutional),
or the lack of public awareness (New Zealand). The Dutch privacy commissioner
has even planned to investigate some of them. However, privacy protections for
donors are being established, e.g., in the genome project in Estonia, or
in the case of medical registries in the Czech Republic.
Censorship measures
Among the countries surveyed, a few have pursued
drastic censorship measures, from the monitoring of e-mails, telephone and fax
communications, SMS, and Internet searching and browsing (China); to Internet
filtering and interception of communications (China); and the surveillance of
cybercafés (China, Peru). Russia is considering a bill regulating the Internet
while a Singaporean government agency has recommended that ISPs develop a
filtering system for the Internet. The issue of censorship was particularly
debated and criticized in Singapore, Slovenia and Thailand. In Slovenia, the
publication of Secret Service files on 1.5 million persons on the Internet and
the blocking of the concerned web site by the national data protection
authority incensed a vigorous debate about censorship on the Internet. In Thailand,
journalist associations criticized the government's information access policy
and editorial intervention on media content.
Around the world, private companies have engaged
in various surveillance practices. The major ones involved the use of radio
frequency identification technologies (RFID) and video surveillance.
Radio frequency identification technologies
Although not a new technology, RFID only recently
became popular in the private sector as a multi-purpose tool of surveillance,
tracking, security, product inventory, and supply chain management. The
investment for the technology and the range of its potential applications are
growing every day, from its use in libraries to manage book rentals and
inventory (Finland, Singapore); pay without cash (Japan, Spain); locate people
(Mexico); record license plates (United Kingdom); even track dangerous dogs
(Peru). It is also increasingly being used for medical (Mexico) or political (Switzerland)
purposes. Although a useful technology in many of its applications, some of the
uses of RFIDs raises major risks for people's privacy, especially when the
technology enables extensive tracking of consumers (e.g., in Germany and
the United States) or attendees at a major international political gathering
(in Switzerland) without their awareness; or when it clearly violates the law
(Switzerland). As a reaction, legislators, government agencies and data
protection authorities have begun tackling its implications for privacy: bills
are pending in the United States; European privacy commissioners are
considering how the current European data protection legal framework is
applicable to the new technology (Italy, Portugal) and government agencies have
started issuing guidelines (Japan). Privacy and consumer groups have started
coordinating the opposition.
Video surveillance
Although the use of video surveillance by private
actors has consistently increased in the last 12 months around the world and in
a wider range of settings, only a few countries have reacted by adopting
safeguards to prevent abuses. The Canadian data protection commissioner
launched surveillance cases that are likely to set the standards for the future
use of private surveillance cameras; the Swiss privacy commissioner issued
guidelines; and Brazilian municipalities have enacted laws that mandate
notification of the cameras and protect recorded images as confidential personal
information.
Since last year's
Privacy and Human Rights report, all EU countries, including the 10 new Member
States since May 2004 (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania,
Malta, Poland, Slovakia and Slovenia) have transposed the Data Protection
Directive (1995/46/EC) into national law, while the Directive on Privacy
and Electronic Communications (2002/58/EC) is still at various stages of
implementation. New data protection laws or pending bills cover the processing
of medical or healthcare personal information (Bulgaria, Japan, Ukraine,
Uruguay); credit data (Japan); smart card users (Malaysia); telecommunications
data (in many EU Member States, by the implementation of the Directive
2002/58/EC; Bulgaria, Ukraine); children's personal information on the Internet
(Brazil); pictures taken of persons in public areas without the person's
consent (South Korea, United States); personal data harvested on the Internet
and disclosed or sold to third parties (Brazil, Peru); and unsolicited
electronic communications (Chile, all EU Member States by the implementation of
the Directive 2002/58/EC). One Mexican state has enacted a comprehensive data
protection law (the State of Colima), while other countries are still drafting
them (Costa Rica, Malaysia, Mexico, Thailand, Turkey). Out of those last
countries, all but one, Malaysia are following the model of the EU Data
Protection Directive. Since January 1, 2004, the Canadian data protection
legislation (PIPEDA) is applicable to private sector organizations.
Ukraine created its first data protection
authority whose mission will be to protect consumers and data subjects' rights.
Spam
The fight against unsolicited commercial emails
(spam) has pushed many countries to pass new laws (Chile, Denmark, Finland, Italy,
Slovenia, South Korea, Sweden, United Kingdom, United States). Bills are also
pending elsewhere (Brazil, Canada, Peru, Czech Republic) or are being considered
by governments (China, New Zealand, Singapore). The EU Directive on Privacy and
Electronic Communications (2002/58/EC) is the most important legislative effort
this year to provide for a uniform legal solution to the issue of spam across
many jurisdictions. It is currently being implemented in all EU Member States,
which further exacerbates the fracture between the European opt-in and the
North American opt-out regimes. Australia chose the opt-in model, while Ireland
(only exception in the EU), Argentina, Chile and Singapore chose the latter.
The law is not the only solution considered to
fighting spam. International organizations and governments organized
conferences, public consultations, and issued reports (e.g., in
Australia Malaysia, New Zealand, and Singapore). Several anti-spam
organizations and expert groups were also created across the globe (Argentina, Canada,
Malaysia, New Zealand) to tackle spam. Major case law further limited the
intrusions of spam (e.g., in Argentina and the Netherlands). Some data
protection authorities also noticed that most of the complaints they had to
handle concerned spam (Romania, Sweden).
E-voting
New electronic voting technologies are growing in
popularity around the world. Internet voting is still in its infancy with a
limited number of countries that have attempted public elections with this
method and elections that mostly involved low-level political contest or
decisions. In fact, many factors are still making e-voting a tool that may
present threats to voters' privacy in some cases, depending on the technology
used, the circumstances surrounding the administration of the elections, and
whether voter registration involves centralized registration databases. Many
countries have, however, already used e-voting technologies (Belgium, India, United
Kingdom, the United States) or are considering using them for upcoming
elections (Finland, Germany, Sweden). Several municipalities in Canada, for
example, have used Internet voting and direct recording electronic (DRE) voting
methods. Privacy concerns were raised there about the possibility of hacking
when information was transmitted between the voter's computer and the ISP in
the case of Internet voting. Making use of publicly available networks in the
DRE voting elections was rejected because of security and privacy issues. That
same voting method was rejected for the EU elections because of risks of
corruption or intimidation. DRE voting technology has triggered a strong debate
between technologists, elections administrators, voting rights activists, the
media and NGOs, particularly in the United States.
Mismanagement of personal data and major data leaks
This last year numerous scandals took place that
showed that bad online data-processing and security practices, or the use and
dissemination of individuals' personal data outside any legal data protection
framework, can have damaging consequences for data subjects' privacy, and is
likely to have an impact on the trust Internet users put in e-commerce actors.
This was especially noticeable in the sale of 60,000 citizens' detailed
personal information on consumer habits and professional activity by database
dealers (Peru); the failure to properly secure access to databases resulting in
major leaks of personal data (Japan); the publication on the Internet of a
Communist era former secret service agency's old police files on 1.5 million
individuals (Slovenia); the hacking into financial institutions' Internet
banking services that led to the theft of customers' account and password
details (South Africa); the leak of personal data from government agencies and
private companies to crime syndicates (Taiwan); and the regular disclosure of
personal information from government computers inadvertently or for profit,
because of a poor culture of security (United Kingdom). There was, however,
some positive consequences for those scandals as the publicity given to the
Internet banking service theft case in South Africa – unusual since most bank
fraud cases are generally kept confidential – resulted in upgrades to banks'
security practices; while the data leaks scandals in Taiwan led to calls for
lawmakers to strength the law.
Invasions of privacy were met in various
countries with forceful reactions from human rights groups. In Germany, outcry
against a retail chain's use of RFID tags unbeknownst to its customers led to
the halt to the company's projects. In Greece, the data protection authority
struck down the use of biometric identity verification in airports because the
collection of personal information through RFID tags exceeded its purpose. In Malaysia,
the Bar Council criticized the security and privacy risks of Mykad, the
multi-purpose smart card, which forced the government to work on a legislation
to answer such concerns. In Poland, the Constitutional Tribunal held
unconstitutional a law that allowed police officers to observe and record
events in public places. Public interest groups had opposed the law alleging
that it violated the right to privacy enshrined in the Polish Constitution. In Sweden,
the privacy commissioner forbade a school's fingerprint recognition program. In
Ukraine, a new law that restricts access to information was strongly opposed
by several NGOs and international organizations because of its violation of the
Constitution and global freedom of information standards. In reaction,
amendments were introduced that improve the final version of the law.
This year most of the developments in open
government concerned new laws or regulations (Argentina, China, Mexico, Poland,
Slovenia and Turkey). While Mexico and Slovenia established new agencies to
ensure compliance with the new rules in place, journalist associations
criticized the lack of enforcement of those rules in Thailand, and several
international organizations and NGOs considered that the new Ukrainian law that
restricts access to information violates the Constitution and global freedom of
information standards.
The action of
international governmental organizations, while having a definite impact on
policies related to the fight against terrorism, has generally been out of the
public eye. Those organizations have been very active, at a global level devoid
of any democratic accountability, in developing
counter-terrorism policy tools and mechanisms that have affected upcoming
national policy discourse and laws aimed at combating terrorism. The Council
of the European Union, for example, has been
consistently pushing for new anti-terrorism measures harmonizing EU Member
States' legal frameworks towards more powers for law enforcement without
corresponding means of oversight and adequate privacy safeguards.
