CYIL Vol. 7, 2016

CYIL 7 (2016) DIGITAL ASPECTS OF THE RIGHT TO PRIVACY – SURVEILLANCE ISSUES

international civil society and I am glad that the pressure these revelations evoked seems to have positive results. All aspects of extraterritoriality have to be taken into account too, of course, such as the obligations imposed on personal data administrators. These issues need to be carefully drafted so that the unclear rights and duties of States do not overlap or conflict with one another. In a similar manner, Dan Svantesson criticized the proposed EU data privacy regulation. [33] Meanwhile the regulation [34] was issued. It supports the claim that data protection applies extraterritorially due to the wording of its article 3. [35]

4.3 The content of the right to digital privacy

The metadata have been described above. While they do not encompass the content of, for example, email communication itself, their use may certainly establish an interference with the right to privacy because they reveal quite a large amount of information, such as who the sender is in contact with, how often and how large the communication is. Thus it is not only the content of communications themselves that must meet human rights protection standards, but also the statistics based on them. This applies especially to mass surveillance systems, since they collect large amounts of data.

Obviously the right to privacy according to international law is not unlimited. For example, art. 17 ICCPR prohibits any interference that is arbitrary or unlawful. That means that non-arbitrary and lawful interference is permissible. Similar limitations may be found in other conventional provisions protecting the right to privacy; the common denominators of the permissible limitations are the principles of legality, necessity and proportionality, as in the ICCPR. [36]

The legality requirement establishes that the provision used as a source of the limitation must be “sufficiently accessible, clear and precise so that an individual may look to the law and ascertain who

33 SVANTESSON, Dan J. B. The (Uncertain) Future of Online Data Privacy. In 9 Masaryk U. J. L. & Tech. 129 2015, p. 140.

34 Regulation (EU) 2016/679 of the EP and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

35 “Territorial scope 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

36 UN, The Right to Privacy in the Digital Age. Report of the Office of the United Nations High Commissioner for Human Rights. A/HRC/27/37, p. 8.
