Global standards
Privacy finds direct and explicit protection under
international human rights law. Article 12 of the UDHR states: No one shall be
subjected to arbitrary interference with his privacy, family, home or correspondence,
nor to attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks.
The right was given formal legal protection in Article 17 of
the ICCPR, which states:
(1) No one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or correspondence, nor to unlawful
attacks on his honour and reputation.
(2) Everyone has the right to the protection of the law
against such interference or attacks. These two definitions are similar, albeit
with some important differences. The UDHR only protects against arbitrary, but
not unlawful, interferences with privacy. In practice this is likely to be of
limited importance, since an unlawful interference will always qualify as arbitrary.
As far as honour and reputation go, the ICCPR only protects against unlawful attacks,
while the UDHR protects against all such attacks. This may be more significant in
nature, although this remains untested in the jurisprudence.
The UN Human Rights Committee has made it clear in a General
Comment on Article 17 that the right to privacy encompasses the right to
protection “against all such interferences and attacks whether they emanate
from State authorities or from natural or legal persons.The Committee’s General
Comment provides little guidance, however, as to what either ‘arbitrary’ or
‘privacy’ mean. Regarding the former, the Committee stated that an interference
that was provided by law could still be arbitrary, and that all such interferences
would need to be “in accordance with the provisions, aims and objectives of the
Covenant and should be, in any event, reasonable in the particular
circumstances. This ultimately provides very little guidance as to what may be
considered to be ‘arbitrary’, although it would at least rule out interferences
with privacy that were established by laws which ran against the aims of the
Covenant or which were not reasonable.
The General Comment also includes fairly expansive, if
general, statements on data protection, stating that the gathering and holding
of personal information, whether by public or private bodies, must be
regulated, that individuals have a right to ascertain what information about
them is held, and for what purposes, and by whom. The jurisprudence of the
Committee in this area has also been sparse. In the case of Hulst v. the
Netherlands, the Committee had to assess whether or not interception of the
telephone calls by the author, who was a lawyer, which were used to convict him
of a crime, represented an unwarranted invasion of his privacy. In deciding
that there had been no interference, the Committee quoted the standards noted
above in its General Comment, and held that the interference was authorised by
law and was reasonable.
African and Inter-American System
There is no explicit protection for privacy in the African
Charter on Human and Peoples’ Rights.135 Protections for privacy are also found
in the American Convention on Human Rights (ACHR),136 at Article 11, and the
European Convention on Human Rights (ECHR),at Article 8.
The relevant provisions of the ACHR state:
(1) No one may be the object of arbitrary or abusive
interference with his private life, his family, his home, or his correspondence,
or of unlawful attacks on his honor or reputation.
(2) Everyone has the right to the protection of the law
against such interference or attacks.
These provisions are very similar to those found under the
UDHR and ICCPR. There has been little direct jurisprudence on this issue before
the Inter-American Court of Human Rights. An important recent case on privacy,
decided in November 2011, is Fontevecchia & D’Amico v. Argentina.138 In
that case, the Inter-American Court held that the publication of certain
private information about Menem, the former President of Argentina, was not an
invasion of his privacy. It gave as reasons that the information was already
well known, it had not even been treated confidentially by Menem and there was
considerable public interest in the information.
The Inter-American Court has dealt with privacy on a number
of other occasions as well. In the case of Tristán Donoso v. Panama, the Court
found a breach of the right to privacy when State officials disseminated a
recording of a private telephone conversation, which had apparently been made
by a private party, to church officials and members of the bar association.139 In
the case of Escher et al. v. Brazil, the Court came to a number of important
conclusions regarding privacy in the context of telephone surveillance. First, it
held that while the burden proof of the facts of a human rights violation
normally lay with the complainant, it was legitimate to draw reasonable
conclusions where it was impossible for the complainant to prove these facts
conclusively, due to secrecy on the part of the State.
Given the intrusive nature of telephone interception, the
Court held: This measure must be based on a law that must be precise and
indicate the corresponding clear and detailed rules, such as the circumstances in
which this measure can be adopted, the persons authorised to request it, to
order it and to carry it out, and the procedure to be followed. In this case, the rules had not been followed properly, and
so the invasion of privacy did not meet the requirement of legality, as
stipulated in the ACHR.142 The dissemination of some of the private material by
State agents represented a further breach of the right to privacy. In terms of data protection, the Inter-American Commission
has made it clear that it believes that a right of habeas data exists under the
ACHR, which gives individuals the right to know what information the State and
private actors have collected on them, to access that data and to modify,
correct or remove it, as appropriate.The Inter- American Court has never
directly addressed the issue of habeas data.
ECHR: an overview
Article 8 of the ECHR formulates the right in rather
different terms that the ICCPR or ACHR, as follows:
(1) Everyone has the right to respect for his private and
family life, his home and his correspondence.
(2) There shall be no interference by a public authority
with the exercise of this right except such as is in accordance with the law
and is necessary in a democratic society in the interests of national security,
public safety or the economic well-being of the country, for the prevention of
disorder or crime, for the protection of health or morals, or for the
protection of the rights and freedoms of others.
The characterisation of the right here is more positive; a
right to respect for one’s privacy rather than to be protected against
interferences. Another difference is that the protection is restricted to
interference by public authorities, although the European Court of Human Rights
has not interpreted the provision in such a limited fashion (see below).
Finally, the tandards for restrictions are set out in a much clearer form.
Instead of vague terms such as ‘arbitrary’, ‘unlawful’ and ‘abusive’, we have a
clear three-part test: a) in accordance with the law; b) necessary in a
democratic society; and c) to protect one of the listed interests (national
security, public order and so on). In terms of the scope of the notion of
privacy, the European Court has identified a number of specific types of State
actions that may breach the right, such as interception of private communications or telephone tapping, regardless of the
content of the communication, allocation of rights over children, interference
with sexual life, compulsory medical treatment and access to certain types of
State-held information. The Court has refrained from proposing a generic
definition of privacy, holding instead, as noted above, that this is not
possible. The Court has, however, indicated a number of features of the right.
In the case of Von Hannover v. Germany, for example, the Court held that
privacy covers “aspects relating to personal identity, such as a person’s name,
or a person’s picture” and “a person’s physical and psychological integrity”. Furthermore,
the right is intended to “ensure the development, without outside interference,
of the personality of each individual in his relations with other human beings.
In Niemietz v. Germany, it held that “it would be too restrictive to limit the
notion to an ‘inner circle’ in which the individual may live his own personal
life as he chooses and to exclude therefrom entirely the outside world”.
Instead, “private life must also comprise to a certain degree the right to
establish and develop relationships with other human beings. Business and
professional relations came within the scope of the concept, so that a search
of a business premises did represent an interference with private life.
The Court has noted that “a person’s reasonable expectations
as to privacy may be a significant, although not necessarily conclusive,
factor. Even information collected in public situations may, through the
unexpected use to which it is put, raise private life issues. Thus:
“Private-life considerations may arise, however, once any systematic or permanent
record comes into existence of such material from the public domain. In
practice, the Court has tended to recognise a fairly wide scope of the right,
while also recognising the possibility of restrictions, along with a wide
margin of appreciation to States, particularly in cases involving protection of
children. For example, in the case of Keegan v. Ireland, the Court stated that
States “enjoy a wide margin of appreciation in the area of adoption. The case
involved a father seeking guardianship over his child, whom the mother, who was
estranged from the father, had put up for adoption. In Von Hannover v. Germany
(No. 2), which involved the publication of pictures alleged to be private, the
Court stated: “Contracting States have a certain margin of appreciation in assessing
whether and to what extent an interference with the freedom of expression protected
by this provision is necessary”.
ECHR: restrictions
The Court has developed a fairly clear methodology for
applying the three-part test for restrictions in cases involving interferences
with privacy. In a number of cases, especially regarding telephone tapping and
other forms of surveillance, the Court has noted that due to the particularly
invasive nature of these activities, they must “be based on a ‘law’ that is
particularly precise … especially as the technology available for use is
continually becoming more sophisticated. In the case of Kruslin v. France, the
Court held that this part of the test was not met because the conditions on
telephone tapping were not sufficiently precise. In particular, there was no
restriction on the categories of person who might have their telephones tapped,
no obligation on judges to set a time limit on tapping, no procedures for
drawing up reports on intercepted conversations or procedures for destruction
of recordings, and no requirements that recordings be kept intact.
In the case of Malone v. United Kingdom, the European Court
examined the practice of ‘metering’ of phone calls (i.e. recording the numbers
called and length of the calls). It distinguished this from actual interception
of calls, but noted that while this was legitimate (presumably on the basis of
consent) for purposes of billing and monitoring of proper use of the service,
passing this information on to the police represented an interference with private
life. There was no law that required the Post Office, which conducted the
metering (a public body which had become British Telecommunications by the time
of the case), to pass the records over to the police, but in practice they did
so in cases where this information was “essential to police enquiries in
relation to serious crime” and could not be obtained from other sources”. This
practice did not meet the standard of being “in accordance with the law” for
purposes of Article 8(2) of the ECHR. This is clearly relevant for other cases
in which private actors – such as Internet service providers – engage with
public bodies in areas which impact on privacy rights.
In terms of the second part of the test, in general, the
Court has no problem recognising a legitimate aim which requires protection in
privacy cases, often the rights of others or public order. Thus, in Leander v.
Sweden, the Court held in one short paragraph that a law allowing police to
keep secret information gathered on job applicants for certain positions was
necessary in the interests of national security,while in Murray v. the United
Kingdom the Court similarly devoted only one paragraph to recognising the
prevention of crime as a legitimate aim.
In assessing the necessity part of the test, the Court has
stated: “[R]egard must be had to the fair balance that has to be struck between
the competing interests of the individual and of the community as a whole”.Furthermore,
“the notion of necessity implies that the interference corresponds to a
pressing social need and, in particular, that it is proportionate to the
legitimate aim pursued” and that the “reasons adduced to justify the
interferences at issue are ‘relevant and sufficient’”. As with national courts,
the European Court has relied upon the idea of the overall public interest when
assessing restrictions on privacy, especially when competing human rights come
into play, as is clear from the box below on the Von Hannover case.
ECHR: private actors
The European Court has addressed the question of
interference with privacy by private interests on a number of occasions. It has
stressed that “the object of [Article 8] is ‘essentially’ that of protecting
the individual against arbitrary interference by the public authorities”. The
Court has recognised that privacy interests may impose positive obligations on
States to take action to safeguard privacy. Sometimes, the Court uses positive
obligations in cases in which “it is not that the State has acted but that it
has failed to act” to protect privacy. Some of these cases deal with the
relationship between individuals and the State, or the ‘vertical’ application
of rights. Gaskin v. United Kingdom is an example of this. In that case, the
Court held that a public authority was obliged to release certain personal
information relating to the applicant to protect a privacy interest.
At the same time, the Court has in some cases referred to
States’ positive obligation to regulate relations between non-State actors, the
‘horizontal’ application of rights. In such cases, it is not the relationship
between the State and an individual – either because of an action the State has
taken or the failure of a State to act – that is in issue. Rather, the claim is
that the effective protection of private life requires the State to regulate
relations between non-State actors, for example by providing a legal remedy
against privacy invasions.
In some of these cases, there has been an element of State
involvement in the privacy breach. For example, in López Ostra v. Spain, the
Court held that the failure of the authorities to take action to prevent the
detrimental effects of severe environmental pollution arising from a
waste-treatment plant breached Article 8. However, the Court specifically noted
that the legality of the plant under Spanish law was in question and focused on
the fact that the authorities had not only failed to protect Mrs. López Ostra but
had also contributed to prolonging the situation.In X and Y v. the Netherlands,
the Court held that a civil remedy was insufficient to protect individuals against
sexual assault and that a criminal remedy should be available. The Netherlands
did normally provide ma criminal law remedy for sexual assault; it was not
applicable in this case because of certain procedural issues relating to the
fact that the victim was mentally handicapped. In other cases, however, the
Court has held that States were in breach of the right to mprivacy purely due
to actions between private parties (see box).
SURFING AND SEARCHING
Technical description and actors involved
The process of websurfing
• Telecoms providers. In order to contact a website an
Internet user generally contacts
the Internet by a telephone connection to an Internet
Service Provider (ISP). The telecom
provider logs the call to the ISP.
• Internet Access Provider. The entry point to the ISP is
the network access server. This
server generally records the Calling Line Identification of
the connection. Most IAP’s log
the login name, login and logout times and the amount of
data transferred during a
session. It should be noted that in some cases the telecoms
provider is also the IAP.
• Allocation of the IP address. Once the contact with the
IAP has been established, the
IAP allocates a dynamic IP-address for the duration of the
Internet user’s session.
Henceforth all communication during a session is to and from
this IP-address. The IP
number is carried with all the packets transmitted in all
subsequent stages of
communication. It should be noted that the allocated IP
number is always within a certain
range of numbers allocated to the respective IAP. Hence
external parties can easily
retrieve the IAP from which IP-packets originate.
After this, the Internet traffic is sorted at the ISP by the
so-called port number, which
specifies the service and corresponding protocol. A request
to visit a website is generally
done through the HTTP protocol. At the ISP this traffic is
recognised by a corresponding
port number. It may also be transferred directly to a router
which connects the Internet
user with the external websites required.
The request is often transferred to a dedicated proxy server.
This server logs the request
for a certain website. The proxy server contains a copy of
the content of the most
frequently visited websites. If the website requested by the
Internet user is in the proxy
server, this server only needs to prompt the respective
website for an update of any
changes since the moment the copy was stored in the proxy.
This measure strongly
reduces the amount of data to be exchanged between the ISP and
the website, since it
only communicates the changes instead of the full pages. The
proxy server may store a
detailed list of the visits to websites connected to an
IP-address at a given time. These
can be linked to an individual user by the IP-address and
the logging of the session times.
• Routers. On the path between the ISP and the website
visited, the traffic generally
passes through several routers that direct the data between
the IP-address of the Internet
user and the IP-address of the website. With regard to the
storage of personal data, these
routers are considered as neutral elements, even though
dedicated facilities could be
applied to intercept the Internet traffic at these points.
• Regular websites. Once the connection with the website has
been established, the
website collects information on the visiting Internet user.
All requests are accompanied
by the destination IP-address. The website also knows from
which page an Internet user
has been transferred (the previous page reference, or URL,
is known). The information
on website visits is generally stored in the ‘Common Log
File’. All the above mentioned
information can be used to create, by means of a log
analyser, accumulated information
on the traffic to and from a website and the activities of
visitors.
Upon connection with a website, some additional information
is collected in the
communication between the most common browser software used
by Internet users and
the websites visited. This is often referred to as
‘chattering data.’ It generally includes the
following items:
- Operating system
- Type and version of browser
- Protocols used for websurfing
- Referring page
- Language preferences
- Cookies
The website has additional gathering power if it posts
so-called cookies. These are
pieces of data that can be stored in text files which may be
put on the Internet user’s hard
disk, while a copy may be kept by the website. They are a
standard part of HTTP traffic,
and can as such be transported unobstructed with the
IP-traffic. A cookie can contain a
unique number (GUI, Global Unique Identifier) which allows
better personalisation than
dynamic IP-adresses. Such cookies extend the capability of
websites to store and
‘personalise’ information on their visitors. The cookie may
be re-read on a regular basis
by the site to identify a Internet user and recognise
him/her when he/she visits again,
check possible passwords, analyse the path during a session
and within a site, record
transactions, such as Articles purchased, customise a site
etc.
Cookies can differ in nature: they can be persistent but can
also have a limited duration,
when they are called “session cookies”. In some cases, they
may be useful for providing a certain service through the Internet or to
facilitate the surfing of the Internet user. For
instance, certain custom websites rely on cookies to
identify users each time they return,
so users do not have to log into the website each time they
check their news.
The privacy implications of the use of cookies should
however not be underestimated.
This issue will be dealt with in the legal analysis section
of this chapter.
• Portal sites
Because of the growing complexity of the Internet, Internet
users often connect to a
website via a so-called portal site, which provides an
overview of weblinks in an ordered
way.
Often such portals contain links to commercial sites, and
could be compared to a
shopping mall hosting many stores. The portal sites collect
information in the same way
as websites in general, but may also store information on
visits to all the sites ‘behind’
the portal.
A portal site is always hosted by an Internet Service
Provider and in some cases can
belong to the ISP. In such cases, the ISP has the possibility
of collecting data on a user’s
visits to sites " behind" this portal and can
therefore create a complete profile of the user.
The Dutch Data Protection Authority (Registratiekamer)
concluded in a report about
the Internet and privacy, based on investigations into 60 ISPs
in the Netherlands, that it is
possible for the content provider (in this case the ISP that
owns a portal) to know how
many advertisements have been placed, how often a user has
visited an e-shop, which
products he/she has bought and how much he/she has paid for
them.
• Providers of additional services
The data collected by websites is sometimes (automatically)
transferred to a third party to
the original communication (e.g. companies specialised in
the analysis of web statistics,
such as Nedstat). The purpose can be to create accumulated
statistical data on visits to the
website, which is sold back to the owner of the respective
websites. Advertisement
banners generally collect information on the websites
visited by a person by means of
cookie-files. Service providers like DoubleClick or
Globaltrash accumulate the
information on website visits to all the different sites on
which they put advertisements.
A profile of the Internet users’ preferences can be compiled
with these data, and
subsequently used to customise webpages.
Surfing from the perspective of the Internet user
A PC installed with browser software will in many cases,
after starting up, automatically
load a selected starting page from the web. This starting
page may contain hyperlinks that
can be activated to visit other websites or search engines.
While browsing, the browser
programme of the Internet user sends a request to a server
(that can be located anywhere
in the world) to transmit a specified webpage (marked by its
URL) that is hosted by this
webserver. By clicking on a hyperlink the Internet user in
fact downloads the requested
webpage to his/her computer.
After having connected to his/her ISP, the Internet user
generally chooses one of the
following approaches when surfing:
• Directly addressing the website required by entering the
URL, such as
www.amazon.com. The URL also contains the protocol.
• Reaching the website via a referring (portal) site that
contains hyperlinks towards other
sites. These portal services are becoming more popular as
the number of webpages is
growing and Internet users need more guidance to find
interesting material.
• Retrieving relevant sites by first entering a query to a
website using a search-engine.
Search engines use indexing by means of keywords. The user
enters one or more
keywords and initiates the search. The search engine then
searches for the titles of the
corresponding sites and their URL addresses in its own index
database. The search
engine has the power to assemble personal profiles as it
accumulates the search terms
entered by an Internet user and the websites consequently
visited. The personalisation is
often done by means of cookies. Several search engines also
offer more personalised
services whereby an Internet user is required to provide
information on personal
preferences in order to get, for example, regular updates of
websites on a certain topic.
III. Privacy risks
Millions of Internet users around the word often surf the
World Wide Web or search for
information on the Internet. These activities are, however,
not risk-free from a privacy
point of view.
In the context of the Internet, a lot of information is
collected and processed in a manner
which is invisible to the data subject. The Internet user is
sometimes not aware of the fact
that his/her personal data have been collected and further
processed and might be used
for purposes that are unknown to him/her. The data subject
does not know about the
processing and has no freedom to decide on it.
Additional risks exist when data collected during the
surfing activities of Internet users
can be linked with other existent information on the same
user. The fear of such a
connection of personal data concerning Internet users has
been very present in the
discussion on the merger between Internet advertiser
DoubleClick and market research
firm Abacus Direct.
It was feared that, should the two firms merge, the
DoubleClick database containing data
on Internet usage habits would be cross-referenced with the
Abacus Direct database
containing real names and addresses, as well as detailed
information on customer buying
habits.
This merger took place in November 1999. According to the
information provided on the
Doubleclick website, name and address information
volunteered by a user on an
Abacus Alliance website were to be linked by Abacus through
the use of a match code
and the DoubleClick cookie with other information about that
individual.
Information in the Abacus Online database includes the
user's name, address, retail
catalogue and online purchase history, and demographic data.
The database also includes
the user's non-personally-identifiable information collected
by websites and other
companies with which DoubleClick does business. According to
Double Click, no link has been made up to now between the Double Click and the
Abacus databases.
New monitoring software
New monitoring technologies are becoming available to ISPs
which will generate far
more information about traffic patterns and content
preferences than existed in the public
switched telecommunications network (PSTN). Such
technologies promise to deliver the
Internet equivalent of PSTN call-detail records, and more.
These kinds of software programs are popularly known as E.T.
applications “because
once they have lodged in the user's computer and learned
what they want to know, they
do what Steven Spielberg's extra-terrestrial did: phone
home”.
To given an example, Narus, a private software company in
Palo Alto, Californa (USA),
offers software to ISPs that ‘monitors the data stream and
parses each packet to extract
packet header and payload information. Narus claims to work
closely with key partners,
including Bull, Cisco and Sun Microsystems. This software
can be used for the
identification and measurement of Internet telephony and
other applications (eg, the web,
e-mail or IP fax), but it also aims to monitor potentially
billable content within the IP traffic (eg copyrighted material requiring a
royalty or on-demand use of an application, or audio clips). The Narus software
reports to ISPs in real time on the top websites visited as well as the types
of content viewed and downloaded.
Alexa is a tool that can be added to a browser to accompany
the user while surfing, by
providing additional information about the site visited
(about the registered site owner,
ratings and reviews of the site) and making suggestions on
related sites. In return for
providing this service to users, Alexa has complied one of
the largest databases on
patterns of web usage. Amazon paid 250 million US dollars in
stock for Alexa in early
1999. In its privacy policy, Alexa states that it collects
information on web usage which
remains anonymous, by using their web usage logs and cookie data.
Amongst other products produced by Alexa is the zBubbles
program, an on-line
shopping tool that collects surfing data on the user in
order to offer product
recommendations, comparative shopping advice, etc. According
to the information
published by Time Magazine, zBubbles also sends information
back to Alexa when
users are not shopping. This product is designed to be
installed on the screen during the
whole duration of the navigation session, even though most
users are not shopping all the
time.
Another interesting example of monitoring software is
Radiate, formerly known as
Aureate. Radiate is an advertising company that works with
the makers of shareware. It
is reported that Radiate's advertisements came with E.T.
software that embedded
themselves in 18 million people's computers and used their
Internet connection to report
back on what advertisements people were clicking on. The
original version of Radiate's
software, which still resides in countless computers, was
written to keep phoning home
even after the shareware that put it there was deleted.
Users needed a special tool to
delete the file, which the company provided on its website
later on.
Presently hundreds of E.T. applications exist. More than 22
million people are believed
to have downloaded them. E.T. monitoring software programs
are again an example of
technologies that process personal data on users without
their knowledge (invisible
processing): most computer users have no idea that these
software programs have been
placed in their computers.
Often the makers of these E.T. applications say that,
although they are able to collect data
about computer users, they do not connect them to
individuals. This does not, however,
offer sufficient guarantees to the user since, given the
commercial value of individualised
data, companies that collect them could change their
policies at any time. The potential
risk of data misuse is still there.
