CYIL vol. 7 (2016)

263

CYIL 7 ȍ2016Ȏ

DIGITAL ASPECTS OF THE RIGHT TO PRIVACY ȃ SURVEILLANCE ISSUES

international civil society and I am glad that the pressure these revelations evoked

seems to have positive results.

All the aspects of extraterritoriality have to be taken into account too, of course.

Such as e.g. obligations imposed on personal data administrators. These issues need

to be carefully drafted so that the unclear rights and duties of States do not overlap or

fight themselves. In a similar manner, Dan Svantesson criticized the proposed EU data

privacy regulation.

Meanwhile the regulation

was issued. It supports the claim that

data protection applies extraterritorially due to the wording of its article 3.

4.3 The content of the right to digital privacy

The metadata have been described above. While they do not encompass the

content of for example email communication itself, their use may certainly establish

an interference with the right to privacy because they reveal quite a large sum of

information, such as who the sender is in contact with, how often and how large

the communication is. So not even the content of communications themselves but

the statistics based on them need to fulfill the human rights protection standards.

This applies to mass surveillance systems especially since they collect large numbers

of data.

Obviously the right to privacy according to international law is not unlimited. For

example art. 17 ICCPR prohibits any interference that is arbitrary or unlawful. That

means that non-arbitrary and lawful interference is permissible. Similar limitations

may be found in other conventional provisions protecting the right to privacy; the

common denominators of the permissible limitations are the principles of legality,

necessity and proportionality. Such as in the ICCPR.

The legality requirement

establishes that the provision used as a source of the limitation must be “

sufficiently

accessible, clear and precise so that an individual may look to the law and ascertain who

SVANTESSON, Dan J. B. The (Uncertain) Future of Online Data Privacy. In

9 Masaryk U. J. L. &

Tech. 129

2015, p. 140.

Regulation (EU) 2016/679 of the EP and of the Council, on the protection of natural persons with

regard to the processing of personal data and on the free movement of such data, and repealing Directive

95/46/EC (General Data Protection Regulation).

“Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment

of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by

a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required,

to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union,

but in a place where Member State law applies by virtue of public international law.”

UN, The Right to Privacy in the Digital Age. Report of the Office of the United Nations High

Commissioner for Human Rights. A/HRC/27/37, p. 8.