Edward Snowden’s disclosure of National Security Administration surveillance practices has provoked a public debate about the merits of establishing an international standard for privacy and data protection. Officials from a number of countries, including Brazil, Uruguay, Denmark, Holland, and Hungary, have expressed interest in such a standard. Perhaps the most intriguing development thus far is a proposal by Germany’s federal data protection officer, Peter Schaar, who has proposed adding a protocol to Article 17 of the United Nations’ International Covenant on Civil and Political Rights, which protects against “arbitrary or unlawful interference with…privacy, family, home or correspondence.”1 This proposal, and the debate that accompanies it, have raised two key questions: 1) Is creating an enforceable global privacy standard even possible?; and, 2) If so, what form should this standard take?
Discussions about a global privacy standard predate the Snowden leaks. That being said, the current debate is very much grounded in the context of the Snowden controversy. Revelations of comparable prominence and scope (such as the Wikileaks releases of 2010) have historically had adverse effects on efforts to further secure the privacy of Internet users. Governments made to feel vulnerable by revelations of this nature sometimes respond defensively by cracking down on leakers and finding other ways to increase government access to information while reducing transparency. Furthermore, media coverage of past controversies has framed these leaks in the context of “leakers versus the government,” pushing advocates on both sides of the issue (as well as members of the public) toward extreme positions that hinder productive discussion and policy development.
Despite this challenging context, a number of resources exist that may help inform the current discussion. In the last few years, a specialized subset of academic discourse has centered on global data privacy standards.2 One notable scholar in this field, Australian law professor Graham Greenleaf, has outlined an approach that differs from Schaar’s protocol addendum in one key aspect: instead of involving the UN, he proposes building on the Council of Europe’s (CoE) existing Data Protection Convention 108. The arguments against and in support of Greenleaf’s proposal may be indicative of arguments that will surround Schaar’s proposed amendment to the ICCPR.
Although it is an established practice for non-CoE countries to sign such conventions, critics of Greenleaf’s approach argue that there are few apparent incentives for the US government to do so at this time. Furthermore, from a privacy advocate’s standpoint, creating a global data privacy standard comes with the risk of starting a “race to the bottom.” This theory holds that as soon as a widespread data privacy treaty is in force, states with greater protective measures would have to justify why their measures exceed global standards. Studies suggest, however, that this fear is unfounded. Greenleaf himself has demonstrated that data privacy laws have a global trajectory that increasingly favors expanding protections rather than rolling them back. He adds that the primary principles shaping this trajectory draw on the EU Directive more than any other source.3
Greenleaf’s arguments, and those of other optimistic advocates of increased data protection, are further bolstered by trends in the private sector driven by greater public demand for data protection. A primary example of this is how some IT companies, rather than viewing data protection standards as a state-imposed cost, are emphasizing privacy protection as a key selling point to consumers. In Germany, for instance, Internet service providers now advertise the fact that they encrypt email communication. These trends indicate that a shift to high data protection standards could be supported not only by government forces but also by private sector companies that wish to cater to public demand.
Given these developments, there is good reason to believe that a global standard for data privacy could be created and enforced. Determining what this standard should look like, who should be responsible for enforcing it, and what power it will actually have to shape the continuing evolution of the Internet will require further scholarship and debate. Academia can play a pivotal role in this process by generating research to focus the problem, creating and evaluating public and private solutions, and providing a platform for debate.
As the conversation moves from scholarship to policy creation, the ITU could serve as a suitable platform for negotiations, especially when paired with UNESCO involvement to monitor implications for freedom of speech. But it may also be necessary to think creatively about negotiating a new treaty independent of established UN institutions—a similar process was used to create the Rome Statute, which serves as the basis for the International Criminal Court.
The process of creating a global standard for data privacy requires an undeniably delicate balancing act that must negotiate a complex interplay of technological, social, economic, legal, and political factors. It is a process, however, that offers the chance to create a healthier Internet where all global citizens can enjoy the benefits of interconnectivity without unduly compromising their own security. While success may be uncertain, this goal is definitely worth pursuing.