This annual report by EPIC and Privacy International reviews the state of privacy in over fifty-five countries around the world. It outlines legal protections for privacy, and summarizes important issues and events relating to privacy and surveillance.
A major focus of the 2003 report has been to document the effects of the terrorist attacks of September 11, 2001 on the state of privacy and civil liberties in the world. In response to the fear for security and stability those events created, many countries around the world have adopted a new set of policies and legislative measures that all tend to increase the surveillance of communications and search and seizure powers for law enforcement and national security agencies, weaken data protection regimes, intensify data sharing, and increase profiling and identification schemes. While none of the above trends are necessarily new, the novelty is the speed in which these policies gained acceptance, and in many cases, became law. At the same time, we have also noted increased public opposition to expansive police powers. In the United States, the Congress has moved to curtail the Total Information Awareness program and to roll back certain provisions of legislation adopted hastily after September 11.
A major shift has taken place in the political and legal landscape of many countries around the globe in the last two years: governments have seized the response to the threat of terrorism to enhance their powers, affecting many fundamental human rights, including privacy. Many have adapted their political discourse, given new life to proposals that had previously failed, broadened the definitions of "terrorism" and "terrorists," passed laws giving them enhanced powers for one purpose, the war on terrorism, and applied them for others, such as the suppression of dissent and the general surveillance and profiling of people's activities. In some cases, they have modeled policies and legal measures from other countries with little consideration to their own cultural and political specificities.
Several laws enacted after September 11, 2001 provide law enforcement and national security and intelligence agencies with more powers to intercept communications and pursue criminal investigations while loosening the procedural safeguards. Australia, France, New Zealand, South Africa and Switzerland recently adopted new laws that provide increased powers of interception of communications and make it easier for law enforcement and security agencies to obtain customers' data from ISPs and telecommunications companies. The United States also weakened privacy protections against wiretapping and expanded the Department of Justice's surveillance authority, establishing looser foreign intelligence standards to conduct criminal investigations, while removing the separation between intelligence officials monitoring suspected foreign agents and criminal prosecutors investigating crimes. Denmark and France recently enacted laws that are specifically aimed at combating terrorism, while a draft South African Anti-Terrorism Bill is being widely criticized as unconstitutional, because it would threaten personal freedom, freedom of expression and freedom of the press.
While most of the laws governments passed after the 9/11 terrorist attacks have been justified as part of the fight against terrorism, two years later, many of them have proved to be wider in scope than what was originally intended. Some of these laws were recently amended with other purposes in mind, such as the suppression of dissent or the profiling of people. Recent Danish and New Zealand laws expand police and security agencies interception powers for terrorism-related investigations, but also for criminal activities not related to terrorist acts (e.g., hacking or the distribution of illegal software in the case of the New Zealand Crimes Amendment Act). When the Hong Kong government recently tried to adopt a regulation that bans local groups on national security grounds, it aimed less at fighting real terrorist organizations than suppressing dissent and freedom of political expression. Similarly, Russia's new bill on the combat against terrorism contains very broad definitions of "extremist activities," which would allow the government to stifle freedom of expression.
Another shift has occurred in the technological landscape: new laws and political decisions around the world reflect a growing interest in new surveillance technologies that governments trust will enable them to prevent terrorist attacks or effectively fight crime and arrest criminals. Those new technologies include video surveillance, smart cards, traveler profiling tools and databases, face recognition and biometrics. Governments have started using their new tools to monitor and profile individuals, hoping to detect characteristic terrorist-like patterns, even if this treats all citizens as suspects without first obtaining valid grounds for surveillance. They are increasingly relied upon by governments to control borders and to validate citizens' identification, even though their effectiveness has almost never been demonstrated. Private companies have also embraced new technologies to better profile their customers.
While the United States are building elaborate profiling and tracking systems and databases, with such acronyms as CAPPS II, SEVIS, US VISIT and TIA, to monitor the activities of their citizens and the foreigners crossing their borders, many governments have agreed to cooperate and to share passenger information and enact new laws that facilitate its transfer. New sophisticated mechanisms that allow the locational tracking of mobile phone calls are being implemented (e.g., in Belgium and Germany), and laws are being passed to facilitate cooperation between private companies and implement location detecting technology in every mobile phone (e.g., in South Korea). Australia and the Slovak Republic are building new DNA databases to fight crime, even though some of them are not protected by any legal data protection framework and could, as a result, easily be subject to abuse.
Radio frequency identification technologies are also emerging as a new technique for tracking and surveillance: Finland has developed RFID chips for travel cards, the European Central Bank plans on putting some on EURO banknotes, while department stores and clothing and tire manufacturers have incorporated them various consumer products or used them for improved supply chain management. At the same time, public protests has slowed the adoption of RFID and raised the possibility of new regulation.
Many countries are also developing new identification and authentication systems, such as smart cards and digital identification cards. Austria is promoting a new social security smart card; Belgium is the first European country to embed a digital signature in an identity card to be used for e-government services and authentication purposes while transacting with commercial entities; Singapore also created "SingPass," an ID to be used for access to e-government services; Germany plans on releasing an encrypted biometric ID for all of its citizens, and Malaysia is still trying to establish "Mykad," a universal purpose ID card. The Netherlands plan on introducing compulsory identification requirements for all persons above fourteen; Spain is drafting a bill on an electronic ID; while the Russian government intends on releasing one very soon.
Enhanced video surveillance has provoked public debate. Several privacy commissions (e.g., in Italy and in the United Kingdom), and the European Commission have issued reports on the various risks that video surveillance presents for privacy, and how to comply with data protection laws when a surveillance system is put into place in the private or public realm. Finland is drafting a new bill to regulate the use of video surveillance; the Netherlands have enacted a law that will require a notice when using hidden cameras; and the Canadian Privacy Commission has brought several cases to court that deal with abusive video surveillance practices. Use of video surveillance cameras has increased in several countries, e.g., with Hong Kong installing them in many of its prisons, and Hungary mounting them on the streets and public spaces of some of its cities. Protests in Washington, DC and hearings in both the US Congress and the DC City Council produced regulations for video surveillance, though advocates have urged stronger controls.
In Taiwan, a coalition of several non-governmental organizations and civil liberties groups have successfully fought against the next-generation national ID system and the introduction of a health insurance integrated circuit card, because they would both require citizens to submit sensitive data, and their implementation would violate the national data protection law. In South Korea, advocacy by a human rights commission and a teachers' union was successful in stopping the launching of a nationwide database that would have linked the personal information about children from over 10,000 schools and education agencies. In Finland, a bill that would have imposed excessive data retention obligations and liabilities for ISPs was criticized, and its most egregious provisions removed from the final version of the bill. In Canada, public interest groups and privacy commissioners successfully obtained the modification of a major endeavor by the government to retain for six years extensive data on every traveler entering Canada, after arguing that the plan violated major Canadian privacy and human rights laws. Opposition has also grown steadily to some of the new US anti-terrorism laws: local governments and communities have protested against the USA PATRIOT Act increase in federal powers by enacting local Anti-PATRIOT laws.
Most countries consider very seriously the processing of genetic and medical data. Major reports on the ethical, legal and social implications of the processing of genetic data and its risks for privacy were released in Australia and Germany. In Iceland, a civil liberties group criticized a recent bill on prescriptions databases because the collection of genetic data the bill would authorize would not be proportionate to its purposes. Also, Belgium adopted a law specifically providing strong privacy safeguards for the processing of patients' medical information, while, in the United States, a law regulating health-related data became effective. The Swiss commissioner urged the federal government to draft a new law on the processing of DNA information to regulate the use of a police database using suspected criminals' DNA samples. Similar to last year, new developments are occurring in workplace privacy: a new Finnish bill allows employers to read their employees e-mails under certain circumstances; the Portuguese data protection commissioner released guidelines that protect the privacy of employees' e-mails and Internet use, while the British privacy commission released a new Code of workplace surveillance. Also, an important debate took place in 2003 in Spain on this topic.
Since last year's Privacy and Human Rights report, several countries have implemented the European Data Protection Directive into national law, or are closely following its model: Ireland, Luxembourg - its new law goes even beyond the strict requirements of the Directive - Malta and the Slovak Republic. The Philippines is drafting a bill that is expected to adhere to the Directive. At last, the European Commission considered recent data protection legislation in Argentina adequate under the European data protection legal framework.
Several countries, including Canada, Ireland, and the United States, have restricted the use of open government laws by enacting broad exceptions. Ireland amended its Freedom of Information Act to give more central control over government information. In the United States, Congress adopted a broad "critical infrastructure exemption" to the Freedom of Information Act for the newly formed Department of Homeland Security. Canada has restricted public access to government records by adopting a new anti-terrorism legislation and gave the Ministry of Justice the power to issue a secrecy certificate, concealing information related to terrorism. Other governments have instead become more transparent, with Peru now mandating its government agencies to explain and publish their activities on the Internet; and the Slovak Republic, giving, with the enactment of the National Memory Act, citizens and foreigners, access to documents that former State Security services have collected about them in the last fifty years.
The action of international governmental organizations, while having a definite impact on policies related to the fight against terrorism, has generally been out of the public eye. Those organizations have been very active in developing counter-terrorism policy tools and mechanisms at a global level that will affect upcoming national policy discourse and laws aimed at combating terrorism. EU governments, through the Council of the European Union, have been pushing for new anti-terrorism measures harmonizing member states' legal frameworks towards more powers for law enforcement without appropriate means of oversight.
Last but not least, ten new countries, mostly from Eastern Europe, will become members of the European Union by May 2004, which compels them to implement the European Data Protection Directive into their national laws in order to reach a harmonized data protection legal framework. Most countries have already complied with that obligation, which suggests that efforts to strengthen existing laws are continuing in Eastern Europe.