Research estimates that over half of the world’s population is online every day and over 90% of the population aged 6 and older will be online by 2030. The onset of the coronavirus pandemic saw a sustained surge in online activity across the world. Beginning as a breakthrough in communications, the internet phenomenon has since transformed into a revolution that is embedded in every sector from commerce to education. Although internet continues to empower communities around the world, it also ushers in distinct, lethal risks to the data privacy of individuals. ‘TikTok,’ the social media app that is presently a subject of intense global regulatory scrutiny, is not the first nor the last case of interference with individual data privacy. Given the nature of the problem, an international cybersecurity framework could help countries in countering pervasive threats to individuals’ right to privacy in an increasingly digital world.
Right to privacy in a digital space
The right to privacy is a fundamental human right recognised in the Universal Declaration of Human Rights (UDHR) and it is addressed in the constitutions of most countries. Article 17 of the International Covenant on Civil and Political Rights (ICCPR) which is ratified by 173 states, also provides protection from arbitrary or unlawful interferences with the right to privacy. Data privacy (privacy related to the personal information of individuals), is a subset of the right to privacy and is increasingly being recognised as a human rights issue given that interference with data privacy can compromise or violate an individual’s fundamental human right to privacy.
UN Resolution 68/167, passed by the UN General Assembly in 2013, clarified that protections for an individual’s right to privacy apply while online. The United Nations has also recognised that interference with data privacy should receive the same scrutiny as the interference with the traditional human right to privacy.
Despite the internationally recognised right to privacy in the digital space, the collection and aggregation of data is a major theme amongst digital applications. Advances in data collection and aggregation are actively marketed as a tool for commercial use by corporations and governments alike. A consequence of this commercialisation of user data is the loss of a pseudo-anonymity which allows for online activity to not be linked to any one individual.
TikTok vs. the world: a continuing list of privacy issues
TikTok’s largest userbase is in India which banned the social media app over concerns of privacy and national security. The United States is the latest country to contemplate banning the app and joins five other countries which are currently investigating security risks associated with TikTok. Currently, a variety of US based organisations, and US Presidential candidate Joe Biden’s political campaign have all prohibited their employees from using the app. Much of the controversy surrounding TikTok has been attributed to the fact that Byte Dance, the company that owns TikTok, is incorporated in China and is subject to Chinese cybersecurity regulations.
The UN Special Rapporteur on the promotion and protection of the right to freedom of speech and the UN Special Rapporteur on digital privacy have previously highlighted the Chinese cybersecurity regulations as a threat to online privacy and freedom of expression due to its broad powers of monitoring and investigation of companies incorporated in China.
India’s ban on TikTok cited the data compilation, mining, and profiling of users as a breach of privacy. Similar concerns have been voiced by the current US administration. Apart from concerns of data aggregation, the global regulatory scrutiny on TikTok is attributed to its sizeable underage userbase. Unlike conventional digital applications, TikTok’s distinct platform configuration has allegedly facilitated the sexual predation of children and infringing of child privacy and safety. Both South Korea and the United States have fined TikTok over this issue, with the latter being the largest civil penalty in a children’s privacy case in the US.
Although the vulnerabilities in TikTok are dominating the regulatory conversations around privacy today, other applications, including the Russian made Face App, have stirred national security concerns in the past. Recently, privacy concerns were expressed over the data sharing partnership between a company and a government entity in the case of Clearview AI, a company which marketed sophisticated facial recognition tools based on mass data aggregation, to US law enforcement agencies.
A serious concern associated with digital applications is the lack of uniformity in privacy regulations. The exponential proliferation of applications across different countries has resulted in a patchwork protection of user privacy rights, as regulatory regimes differ from country to country in both the quantity and quality of privacy safeguards. In this context, the banning of TikTok or any other application with privacy issues does not effectively safeguard the right to privacy long term.
The popularity and rapid proliferation of various digital applications allows privacy issues to persist and even thrive under different permutations. TikTok itself is a rebranded version of Musical.ly, which was also plagued with privacy concerns.
Accordingly, improving user privacy calls for identifying and adhering to internationally recognised and uniform cybersecurity standards for digital applications. An international convention for cybersecurity standards aimed at protecting data privacy will help build technical consensus among states and pave the way for a unified data protection model going forward.
Building an international instrument for securing data privacy
From a practical perspective, states are the primary actors in a treaty-based approach and the methods of implementation are up to the states’ individual prerogative. Additionally, privacy obligations under international law can also be addressed through domestic legal avenues. To this end, is it important to recognise that an internationally sanctioned enforcement mechanism is not the end goal of an international instrument aimed at securing data privacy.
The case for an international instrument on data privacy is rooted in two broad objectives. The first objective is to facilitate an international convergence of data privacy regulations. The second is to use the corresponding convergence in privacy regulations to confer obligations onto states to adhere to an agreed upon international standard of privacy for digital applications created by the state and by companies incorporated within their borders.
Identifying and advocating for common standards of cybersecurity required to protect data privacy can go a long way in creating a basic privacy safety net in countries around the world. States and relevant corporate stakeholders can collaborate periodically, to review and update the framework to ensure robust and resilient protection of data privacy. This standardised framework can also serve as a starting point for States in the process of developing privacy legislation. Even if a State does not adopt this model, the standardised framework can be used in national campaigns for inducing change in privacy laws and regulations in that State.
The adherence to a consolidated framework of cybersecurity standards could also assist in levelling privacy protections offered by States to non-nationals. Currently, the vast differences in global cybersecurity regulations leaves States with broad access controls, such as China, at an advantage with respect to data collection. This is illustrated in the recent Zoom security incident which routed North American traffic through China. The adoption of common cybersecurity standards can provide for a uniform protection model which safeguards user data in countries whose laws expose non-nationals to privacy risks.
The comments and scrutiny by UN experts on a States’ proposed national privacy regulations have shown that it is possible to have an impact on safeguarding privacy rights. An international instrument that adopts standardised cybersecurity principles to protect data privacy will formalise and reinforce a process of international scrutiny and can serve as a model for responding to the ever-evolving threats to individual privacy around the world. Embracing an international cybersecurity framework is ultimately as much of a process as it is a project. The framework would not be intended as a one-time treaty agreement. Rather, it serves as an affirmation for continuous improvement in privacy protection via an international convergence of policy, which responds to changes in the cybersecurity sphere.
Ultimately, the unlawful interference with data privacy of individuals is a growing global problem that ranks among the top threats facing the world in 2020. Invasion of data privacy is not a minor threat to privacy rights of individuals; in an increasingly internet integrated society, data privacy reinforces the freedom of expression and the freedom of association making the invasion of data privacy a threat to multiple fundamental rights. Accordingly, the time has come for an international cybersecurity framework that ensures meaningful protection of human rights in the digital era.
Featured photo: ‘iPhone displaying social media apps’, Kon Karampelas, Unsplash
Share this Post