III. Criteria and metrics
We analysed each of the countries in accordance with the following criteria:
The framework of participation, accountability and rule of law enables a nation to nurture and protect rights. An open and democratic society is possibly the greatest protector of privacy. When a state is accountable to its citizens, it must justify its surveillance decisions, and it must change its practices when citizens appeal through a democracy's institutions including through open participation, media and public discourse, access to legislators and the courts, amongst other means. We used the Economist's recent ratings of the state of democracy around the world, the Democracy Index 2010, to gauge the strength of the democratic nature of the state.
A constitution is the bedrock that stabilises the democratic framework but also provides the assurance of continued application of rights. The ability to appeal to the state's key foundation principles and show that a surveillance practice is incompatible with the interests of the government to interfere with the private lives of individuals. Many states have gone beyond merely stating the right to a private life, but also include specific clauses on the protection of communications. In a growing number of countries there is also a constitutional right to the protection of personal data. A key test of the strength of these principles is when a court rules on cases where the government has gone too far, and the emerging case law helps inform future action. A given country may not even have a distinct privacy right, but the courts could have interpreted the privacy right from 'basic rights' or the 'protection of dignity' principles in many constitutions.
- Does a constitution exist and does it protect privacy, even 'within the shadows' of other rights?
- Are there other protections, e.g. rights to data protection and private communications?
- Have the courts defended the right of privacy?
- Have there been recent cases?
Laws are the expression of a government's commitment to its citizens' rights and freedoms, and give life to the constitutional principles. These tend to come in the form of a Data Protection law, which in Europe is often consistent with the EU Directive on Data Protection (95/46/EC), protecting privacy of information in both the public and private sectors. Often countries have additional laws that apply to specific types of information or sectors, e.g. medical information, employment law, etc. The most important characteristic of a law is that it enables individuals to seek redress.
- Are there laws protecting the right to privacy against governments and companies?
- Are there sectoral laws, e.g. medical privacy, workplace privacy, financial privacy?
- Are these laws useful in pursuing action?
For any protective law to be effective its enforcement must be unequivocal but fair. This is most often done in the form of a regulator who is given jurisdiction over a law, e.g. a data protection law, consumer law, etc. and can then assist individuals, conduct investigations, and penalise non-compliance. Not all regulators are equal, as some place energies into generating awareness of their function and thus reminding citizens of their rights. Others place an emphasis on working with government and industry to make them aware of their duties under the law. These regulators must have sufficient powers to investigate and penalise, must be independent of the government, and must promote awareness of rights and responsibilities.
- Is there an independent and competent regulator?
- Is there a regulatory body with sufficient powers to investigate? Can this regulator act proactively?
- Does this regulator act in an effective way? Is the number of complaints significant? Have cases been taken through the administrative and legal systems?
Some countries show positive leadership by promoting strong privacy protections around the world. Other governments act regressively by promoting bad policy and surveillance schemes.
- Has the government or regulator taken significant steps in privacy protection initiatives that have led other countries to consider doing so as well?
- Has the government signed and ratified problematic international treaties?
Identity cards and biometrics
State-imposed requirements for identity can form the basis of limitless invasions of human rights. The fusion of the individual with the machinery of the state through biometrics can irrevocably compound these violations. These systems are rarely designed carefully to protect civil liberties and instead have been historically linked with great infringements of human rights. Not all identity card systems are built equally: some are merely printed documents, others incorporate some measures like smart-chips or contactless technologies to enable the sharing and linking of information. More recently some are taking on the use of biometrics, recording facial patterns or fingerprints. The most dangerous of these systems combine all these techniques and then store the data in a centralised register, which in turn enables even greater data-sharing.
- Is there a national identity scheme, and does it include biometrics?
- Are they implemented in privacy protecting ways or in surveillance-enhancing ways?
- Is there adequate debate about the nature of biometrics or is there a blind faith in the technology and international obligations?
Privacy is best protected when information can be confined to individually accountable purposes. Keeping information in separate silos ensures that the government never has dominion over the lives of individuals. Traditionally information held by governments has been held in separate registers: e.g. a tax file is kept separate from a medical file. Increasingly governments are keen to find new ways of bringing together information from across government departments. They may do so for different functions, e.g. combining healthcare provision with immigration status checking. Privacy is best protected when there are strong barriers between these sources of information, as they were collected for one purpose and must not be used for another.
- Are there laws protecting against use of information for secondary purposes?
- Has the government set forth on plans to diminish existing protections?
Electronic visual surveillance is becoming ubiquitous in our living environment. Fusion with communications and software systems presents substantial opportunities for tracking, profiling, and discrimination. The growth and spread of visual surveillance in recent years has been remarkable. Previously visual surveillance was deployed sparingly; now visual surveillance is being used in more locations, with fewer restrictions. Yet much of the criminological research shows that existing systems have little effect on crime, and are also open to abuse.
- To what extent are there visual surveillance systems in the public and private sectors?
- Are these regulated and are there limitations in place?
- What is the nature of the policy debate?
Interception is generally considered amongst the most intrusive forms of surveillance. Countries that understand this will implement it under extremely strict conditions of law and will apply stringent controls. Interception must be done sparingly, once other methods of investigation have been tried, and failed; and authorised by an independent judge, with regular oversight of the activities of the state agencies. Increasingly governments are resorting to unwarranted surveillance.
- Are there adequate laws protecting against abuse?
- When can police intercept? e.g. only when investigating specific types of crimes, 'serious crimes', etc.
- Do state security agencies have to follow similar rules?
- Who authorises? A judge? A politician? ['Judicial warrants' does not mean the same in all countries, where sometimes judges have investigatory powers, but we do our best to note this.]
Communications data retention
One of Europe's most pernicious policies, the retention of communications traffic data on a population scale means that telecommunications and internet service providers are required to retain logs of whom you communicate with and what you do online for up to two years, in the event you become of interest to the state.
- Is there a retention law? If so, for how long must communications data be kept?
- Has there been any consideration of the different types of information and how retention periods may have to differ?
- Has there been any detailed deliberation on the policy? e.g. consultations, industry engagement, court cases
Government access to data
Governments empower themselves to gain access to data held by companies and individuals. Too often they do so without requiring police and security agencies to gain authorisation from a judge, and never tell the individual that his or her personal data was accessed by the state.
- What powers do various agencies have to gain access to files?
- Are there safeguards on how law enforcement agencies get access to data on databases in the private sector?
The evolution of management and insurance practices has motivated employers to institute saturation surveillance in their workplaces. Employment contracts allow employers to establish comprehensive and continuous surveillance over employees. Employers often try to gain access to background information on employees and potential employees, often peering into the most intimate details. Increasingly employers are also monitoring activities at work, using audio and video surveillance, intercepting communications, and monitoring online interactions. Some are looking to collect biometric details. States often have legal protections against workplace surveillance, and some have gone so far as to ban specific forms of technologies and data collection, as they recognise that employees face a power imbalance against an employer and traditional forms of 'consent' may not apply to this relationship.
- Are there laws protecting against abuse?
- Are there legal cases and methods for employees to object to these practices?
- Are there guidelines issued by the regulator or some other institution to inform employers and employees?
People are more concerned about the privacy of their health information than any other aspect of their lives. Yet governments are increasingly exploiting their citizens' health data. What was once confidential health information is now a resource to be collected, analysed and shared. Some states have laws that protect information collected in the provision of healthcare. Other states have laws that compel the sharing of this information. Increasingly states are seeking to develop electronic systems that will collect, process, and centrally store all this most sensitive information.
- Do patients have control over their medical information?
- Are there safeguards and protections against the secondary and other uses?
- Are there plans to develop a centralised patient register?
- Are there safeguards on how the information will be collected and used?
In recent years, the financial profile of people has become an open resource for governments and companies. Audit trails of financial behaviour are routinely shared across governments and the corporate sector with little or no distinction between the two. Monitoring bank accounts, international transfers, and the state of one's finances is of interest to both the state and industry. Both want to know about habits and purchases, while the state also wants to require the disclosure of this information to identify money laundering, but also to identify possible sources of fraud, or even tax revenue. Sometimes, states require the systematic disclosure of financial information, such as through the publication of tax returns, or the collection of all suspicious transactions.
- Are there protections around government access to financial information?
- Are there safeguards around other uses of financial information by the private sector?
Borders are now becoming constitution-free zones where governments can do as they please. Now states are introducing measures to collect vast amounts of information on both citizens and visitors. 'Securing' the border is now the justification for collecting vast amounts of information on travellers, both citizens and non-citizens. Now states are introducing measures, inspired by the Bush Administration, to collect fingerprints of all travellers, as well as intelligence information from their reservation files with airlines in order to profile passengers.
- Has the government implemented profiling at borders or collecting passenger travel data?
- Is the government collecting biometrics at borders?
- Has the government initiated agreements with other governments to share information?
Intelligence and surveillance oversight
Many governments are allowing their security services to circumvent constitutional and statutory protections and safeguards. The trump card of 'national security' is now being used as commonly as 'terrorism' to justify further encroachments on due process and the rule of law. History has shown that secret surveillance done by security services has caused great harms and led to abuses. Many governments are now returning to these practices where they are allowing their security services to circumvent constitutional and statutory protections and safeguards, avoiding warrant requirements, preventing oversight, and exempting these agencies from the law.
- Are national security agencies exempted from privacy laws?
- Are there appropriate reporting and oversight mechanisms for secret surveillance?
- Have there been cases of abuse and if so, have there been sufficient safeguards put in place?
Many countries now compel the collection of DNA samples and the generation of DNA profiles from innocent people who have not even been charged, for minor investigations, and then retain their profiles and samples for extended periods of time, sometimes indefinitely. Even though the European Court of Human Rights has ruled against this practice, many countries intentionally ignore the need for safeguards and protections. We consulted with the Council for Responsible Genetics to develop this index.
- Are there limitations on the circumstances under which collection of DNA may occur? e.g. limited to convicted persons and serious offences?
- When is data removed? Is there any data-sharing?
- What happens to the DNA samples once the profiles have been generated?