Privacy as a Universal Human Right: Beyond the OECD Guidelines to the UN Special Rapporteur on the Right to Privacy – The Hon Michael Kirby AC CMG

It is curious that people who were so insistent on privacy in their ordinary lives, the British, should have been so neglectful in developing effective judicial and other legal rules for its protection. Nowhere was this irony more noticeable than in the Australian outposts of the British Empire.

Eighty years ago, the High Court of Australia, in Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (Taylor), concluded that the common law in Australia did not provide specific legal protections for individual privacy, although it was decided that perhaps it should. One Justice of the Court (Evatt J) dissented from this view. In the peculiar factual circumstances of the case, Taylor was an opinion that was properly capable of being limited to the particular forms of intrusion in issue in that case. For example, it did not expressly address the problems of data privacy. Despite the peculiarity of the case (which involved a radio broadcaster describing a horserace on nearby private property by viewing the race over the perimeter fence of the racetrack), the general principle of law expressed in Taylor has survived to this day.

It is a sad commentary on the creative inclinations of the common law in Australia, on the judges and on the legal inertia that this basic impediment survives into the current age.

During my service on the High Court of Australia, in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (Lenah), an attempt was made to overcome, or to overrule or re-examine, the principle in Taylor. I would have been most ready to agree to do so. However, the case in question arose in a potential claim for privacy by a corporation. Long before, in undertaking its investigation of privacy, the Australian Law Reform Commission (ALRC) had pointed out that claims to “privacy” by legal persons (corporations) raised issues that were distinct and separate from the human rights issues normally addressed in relation to individual claims to privacy:

The approach taken by the Commission has been to exclude legal persons and to apply the privacy regime for the benefit of natural persons only. This is the correct approach when privacy is seen in the context of human rights. The extent to which it is apt to extend human rights, or civil and political rights, of individuals to statutory creations, such as corporations or to associations, clubs, partnerships and small businesses, is a controversial question. On the other hand, so far as information privacy is concerned, the experience of a number of countries indicates that it is difficult to define clearly the dividing line between personal and non-personal information or between the individual entitled to protection and the small business or group claiming protection. As the OECD experts pointed out, information relating to a small company may also concern its owner or owners. This aspect is taken into account in the Commission’s recommendations. The possibility of extending privacy protection to legal persons was provided for in the OECD Guidelines. The issue has political and economic implications. Fears have been expressed that, if a corporation had to disclose identifiable information about legal persons, it might be forced into disclosure of its research on a rival or competing corporation, association, firm or small business. Nonetheless, the privacy protection laws of a number of European countries extend to confer rights on the legal persons, including to permit such legal persons to inspect identifiable information about them (see Privacy Report No 22 at [1404]). 

The claim to privacy in Lenah was one by a corporate abattoir seeking to prevent the broadcast of a film, covertly recorded, picturing its operations. The conceptualisation of the issue as one of privacy (as distinct from, say, unjust invasion, deception, deliberate economic harm or some other wrong) made the case unsuitable for exploring the ambit of privacy as a general wrong. This is why Lenah did not open the gate to judicial reform on privacy protection under Australian law. I concurred in that conclusion.

Notwithstanding this, many efforts have been made in Australia in recent years to propose the adoption of a general remedy (sometimes called a statutory tort) for defined instances of privacy invasion. The ALRC made such a proposal in its 1979 report, Unfair Publication: Defamation and Privacy. Such proposals were repeated in later ALRC reports and in State law reform reports (in New South Wales in 2009; in Victoria in 2010; in a federal privacy tort discussion paper in 2011; and in a further ALRC report in 2014).

The New South Wales Law Reform Commission (NSWLRC) recommended in that State a statutory remedy along the lines of the ALRC report of 2014. This was followed by a most thorough investigation by a New South Wales parliamentary committee in 2016. That committee also recommended the adoption in New South Wales of such a remedy (at 10), even if the Federal Parliament held back and it was not enacted elsewhere in Australia. Attention was directed to the supposed advantage of a federal system of government: permitting law reform experimentation to start in one subnational jurisdiction and to spread elsewhere, if seen to be worthwhile.

In mid-2016, the New South Wales Government Dismissed this argument. It agreed that a special, limited protection against unwanted publication of sexually explicit material should be enacted. This had been one particular illustration used by the ALRC, the NSWLRC and the parliamentary committee to illustrate the need for law reform. Otherwise, the government revealed the usual Australian timidity about enacting a law providing a remedy for privacy protection. The 2016 response, and many before it, show the power of media interests in Australia to fight off law reform in the area of privacy protection. Major media outlets in Australia are controlled by relatively few interests. They generally prefer to be left alone to act as investigator, prosecutor, jury and sentencing judge, with no right of reply or appeal. Unfortunately, the political branches of the government back away from a fight with the media. The abuses of privacy, including information privacy, in Australia are many. Nevertheless, the prospects of effective statutory remedies in the foreseeable future appear to be small.

This conclusion should be remembered the next time politicians deny the necessity of any form of charter or statute of rights in Australia as inessential in a jurisdiction where parliament “will always respond” to specific needs. The near total failure of (all) the Australian Parliaments to respond to the demonstrated need for the better protection of privacy, through appropriate and adapted legislation, is a disappointing story. It tells of the failure of law reform, the timidity of legislators, the formalism of the courts and the failure of the law reform process. Australian law has failed to develop a general and enforceable civil wrong for serious and unjustifiable invasions of privacy. It has left individuals unprotected by enforceable law. To be blunt, the law reform process has repeatedly failed.

UN human rights initiatives

One feature of the law that has changed in the 40 years since the Organisation for Economic Co-operation and Development (OECD) first initiated its investigation of privacy protection in 1978 and the ALRC embarked upon its work on privacy protection in Australia in 1976 is the growing number of subject matters of human rights that have come under specific international attention. Occasionally, these projects invoke international legal norms.

I illustrate this proposition by reference to the areas in which I have myself been engaged during the past few years. These demonstrate the fact that an increasing number of subjects today arise for consideration at an international level, with a view to the effective enforcement of universal human rights. Time and the major focus of this article permit no more than a passing reference to the applicable issues. However, these will be sufficient to illustrate the growing internationalisation of matters of concern for human rights, including in the area of privacy protection:

  • In 2014, I chaired a Commission of Inquiry (COI) for the UN Human Rights Council. It concerned human rights violations in the Democratic People’s Republic of Korea (North Korea). The report found many grave crimes proved against the human rights of the people of North Korea. It also found reasonable cause for accepting a conclusion that serious “crimes against humanity” had been committed by officials in that country. The COI recommended referral of the case of North Korea to a prosecutor of the International Criminal Court (ICC). Under the Rome Statute , establishing that court, even countries that are not state parties to the court’s jurisdiction can be referred to the ICC by an affirmative vote of the UN Security Council. The report of the COI was strongly endorsed by the HRC. It was referred to the General Assembly of the UN, with a recommendation that it should, in turn, bring the findings to the notice of the UN Security Council. This has been done. In an unusual move, the UN Security Council voted to place the issues of North Korea on its agenda. Resolutions have more recently been adopted strengthening UN sanctions against North Korea. Whilst no vote has yet been taken on a proposal to refer the case to the ICC, the international community has generally responded to North Korea in a strong, principled and tough-minded way. This response is continuing. It involves international treaty law, including the operation of the Charter of the UN itself. Law is an important component in this development of human rights. It is possible that the resort to the international law of human rights hastened the dialogue between DPRK, the United States of America and other countries.
  • In 2015–16, I served on the High-Level Panel on Access to Medicines of the Secretary-General of the UN. Amongst other topics, the report of that panel, delivered to Secretary-General Ban Ki-moon in September 2016, addressed the ways in which the Sustainable Development Goals (SDGs) of the UN might be given effect so that, specifically, by 2030, people everywhere will have access to essential medicines. This presents a potential conflict of legal norms between the universal right to essential health care and the international legal principles governing intellectual property protection (see Report: Promoting Innovation and Access to Health Technologies). It would have been easy in 2015 for the outgoing Secretary-General of the UN to have left this issue to be handled by a successor. Instead, he grasped the nettle. He required a report to come forward showing ways of ensuring that “no one is left behind” in attaining the SDGs. Slowly, imperfectly, inadequately but inexorably, international law is building the responses that are needed to turn the brave words of the Universal Declaration of Human Rights (UDHR) and of the SDGs into practical effect. The world is not there yet. But, as with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”), we can see the outline of the future. We know what needs to be done and the cooperation that will secure progress.
  • Also in 2016, I was involved in a number of initiatives of the UN Development Programme (UNDP), then headed by that fine international official, Administrator of UNDP and former Prime Minister of New Zealand, Helen Clark. These initiatives have addressed the rights of the lesbian, gay, bisexual, transgender, intersex and queer minority (LGBTIQ) who are still the subject of violence and discrimination in many countries. Their oppression is similar to what I experienced at the beginning of my own journey. During 2016, the HRC established a new human rights mandate in respect of the LGBTIQ people. The mandate is that of the Independent Expert on sexual orientation and gender identity (SOGI) issues. Establishing that mandate was another achievement of Ban Ki-moon. He always insisted that the words “all human beings” in the first line of Art 1 of the UDHR refer to everyone, including minorities, and including minorities defined by their sexuality. Again, this issue might have been left to the future. But the mandate was created later followed by Victor Madrigal of Costa Rica. The first office holder (Professor Vitit Muntarbhorn of Thailand) was appointed. Attempts were promptly made by a number of countries to stop progress in its tracks. A group in the General Assembly, led by a number of African countries and members of the Organisation of Islamic Cooperation moved to delete references to the new SOGI mandate from the report of the HRC when that report was presented to the General Assembly for confirmation. This was tried in the Third (Political) Committee of the General Assembly and narrowly defeated. It was then pursued in the plenary of the General Assembly and defeated. It was then pursued in the Fifth (Budget) Committee of the General Assembly. Once again, it was rejected. The last throw of the dice was attempted in the plenary session of the General Assembly when the report of the Fifth Committee was presented for ratification. The challenge was rejected, with 77 countries voting to delete the new mandate, 84 voting to maintain it and 16 abstaining. The UN stayed the course. The General Assembly upheld and defended the mandate of the HRC. It rejected the notion that LGBTIQ people were outside a human rights mandate addressed to violence and discrimination. It looked to the future. It insisted on the universality of human rights. Once again, the right thing was done. The opponents were defeated. But this course of events shows how controversial and contested can be the international debates on protecting particular and novel human rights interests in today’s world.

The new Special Rapporteur on the right to privacy

In the field of privacy, the current international regime has been far less forthcoming. Of course, the UDHR and the International Covenant on Civil and Political Rights (ICCPR) are UN instruments. The inclusion within them of references to privacy rights ensures that the concept has an ongoing significance for the entire UN system.

In 1968, the UN General Assembly invited the UN Secretary-General to examine and report on the specific concept of privacy. A UN report in 1976 recommended the adoption of data privacy legislation, listing proposed minimum standards. In 1990, the General Assembly adopted guidelines on data privacy, based primarily on human rights concerns. A substantive innovation was the encouragement addressed to international organisations (governmental and non-governmental), urging them to process personal data in “a responsible, fair and privacy respecting manner”. This went beyond the OECD Guidelines and the European Union Data Protection Directive, in force by that time (see Bygrave, Data Privacy Law: An International Perspective, Oxford University Press, 2014 at p 51). There were various other innovations. However, no moves were suggested towards a binding UN treaty or like measure. The criticism of the UN initiatives on privacy to date regularly refers to the vagueness and undefined character of the key expressions, including “personal data” and “personal data file”. Perhaps in consequence, the UN guidelines adopted to date have had less practical impact internationally than those of the OECD (see Bygrave at 52).

What was also surprising was the initial failure of the UN Commission on Human Rights, and then the HRC, to interest itself in the broad issues of privacy as a human right. This was curious given the engagement with so many other, even related, issues under international human rights law (including LGBTIQ rights) and the willingness of the HRC to push the boundaries and develop binding norms on human rights, as broadly defined.

In 2015, this early reticence appeared at last to be overcome. In the run-up to moves by the HRC, media articles contrasted the disclosures of mass surveillance of individuals by governmental authorities, particularly by governmental authorities of the US and the failure of the UN to protect and promote privacy rights despite the human rights treaty provisions that support doing so (see Rotenberg, Scott and Horwitz, Privacy in the Modern Age: The Search for Solutions, The New Press, 2015).

This was the context in which the mandate of a new thematic Special Rapporteur was created by the HRC in 2016 for the protection of the fundamental right to privacy and for strengthening the UN’s engagement with the protection and promotion of privacy rights generally.

The establishment of a new Special Rapporteur on the right to privacy was one of a number of new thematic “special procedures”. When the mandate was created by the HRC, the post was advertised and applications were invited from interested persons. An appointments committee of the HRC was established. Ultimately, Mr Joseph Cannataci, an academic from Malta with experience in privacy, was selected. He was appointed in July 2015. It is useful to set out the main provisions of the mandate of the UN Special Rapporteur on the right to privacy:

  1. To gather relevant information, including on international and national frameworks, national practices and experience, to study trends, developments and challenges in relation to the right to privacy and to make recommendations to ensure its promotion and protection, including in connection with the challenges arising from new technologies;
  2. To seek, receive and respond to information … from States, the United Nations and its agencies …regional human rights mechanisms, national human rights institutions, civil society organizations, the private sector, including business enterprises and any other relevant stakeholders or parties;
  3. To identify possible obstacles to the promotion and protection of the right to privacy …
  4. To participate in and contribute to relevant international conferences and events with the aim of promoting a systematic and coherent approach …
  5. To raise awareness concerning the importance of promoting and protecting the right to privacy …
  6. To integrate a gender perspective throughout the work of the mandate;
  7. To report on alleged violations [of UDHR, Art 12 and ICCPR, Art 17] … and to draw the attention of the Council and the United Nations High Commissioner for Human Rights to situations of particularly serious concern;
  8. To submit an annual report to the Human Rights Council and to the General Assembly …

So far, the Special Rapporteur has produced substantive reports for the Council. They outline his activities in 2016 and 2017 and explain his proposed activities. Both in the version of the report addressed to the HRC and that addressed to the Third Committee of the General Assembly, the Special Rapporteur complained about the lack of staff and other resources for the discharge of his extremely wide mandate. After describing the work undertaken in the first year, the report lists a “Ten Point Action Plan”. High on this list was the development of a “more detailed and more universal understanding” of the right to privacy and promotion of energy and influence in civil society and further elaboration in international law.

Special rapporteurs of the HRC perform their duties in an honorary capacity. They receive travel allowances; but no remuneration. The resources made available to assist them are tiny, often limited to one or two professional officers on the staff of the UN High Commissioner for Human Rights. The nation states, by their resolutions, impose mandates of great detail, variety, complexity and size. Country visits consume considerable time otherwise available for the discharge of the mandate. Linguistic limitations often restrict the practical ambit of consultations and their responsiveness. The use of websites is admirable, as is engagement with human rights organisations in civil society having the resources to enlarge the contacts. However, much of the initiatives of the special rapporteurs depend on the imagination, flair and energy of the individual mandate holders.

There are many projects that warrant the attention of the Special Rapporteur on the right to privacy. These certainly include the challenge of mass surveillance by governments that was the original trigger for the establishment of the mandate. Given the implications of doing so for the support available to the many other thematic special rapporteurs, it is probably unlikely that the resources of the Special Rapporteur on the right to privacy will be significantly enhanced in the immediate future. Strategic decisions therefore need to be made concerning particular tasks within the current mandate that would most effectively fulfil the obligation to protect and promote privacy rights, according to priorities that are explained and justified.

Given the suggested deficiencies of the OECD Guidelines of 1980, following the changes in technology since those guidelines were first adopted, one very important task that might be initiated by the Special Rapporteur on the right to privacy could be a revision of the international privacy rules, as the core principles of information privacy, to reassess those rules and to ensure that they are grounded in UN human rights law. Although this would be a major enterprise and (as the OECD itself has found) full of controversy, it is certainly a fundamental task. In a real sense, it presents itself at the threshold of the mandate. So it would be worthy of the new UN mandate holder.

Such a task could not be accomplished by the Special Rapporteur on the right to privacy alone. It would need engagement with a team of experts and consultative procedures assembled with a university or other institutional support. The mandate is now established. In my view, the mandate holder should be defining activities that assert, and justify, his intellectual and international pre-eminence in the field. Ironically, what he lacks in resources from the UN High Commissioner for Human Rights, he may be able to overcome by a deft use of the very digital technology that is sometimes viewed as the chief source of privacy’s largest challenges today. The Special Rapporteur’s special mandate is something new. Of this mandate, inevitably, there are great expectations.

Conclusions: a new beginning?

In the field of digital privacy, the OECD Guidelines are now “something old”. Indeed, already at the time of their drafting, they represented “something borrowed”. They utilised and built upon initiatives earlier taken in Scandinavia, by the Nordic Council, then followed up by the Council of Europe and, later still, the European Economic Community and European Union Directives.

The disappointing responses (judicial and legislative) in the Australian and other legal systems in response to the conceptual challenges to privacy protection are also something old. Inaction and passivity by the courts have been with us in Australia since the Taylor case in 1936. Attempts to secure changes in the courts and in legislatures have repeatedly failed. Successive law reform reports have been rejected. Even the bipartisan parliamentary report in New South Wales has got nowhere. The arrival at something really new in Australia appears to be as far-off as ever.

Whilst the influence of the OECD Guidelines, in Australia, New Zealand and elsewhere, has been substantial and enduring, something new is now clearly required. This is so because of the huge potential of information technology today to gather, compile, store and distribute personal information in metadata on just about everybody. The UN human rights machinery represents a new and legitimate venue, long neglected, to “develop something truly new”.

The appointment of the Special Rapporteur on the right to privacy, with his dauntingly overbroad mandate, is at least a new opportunity. Information privacy is not a concern only of the developed countries of the OECD. Privacy is a universal value but with manifestations that can vary from one jurisdiction to another. That is why the greatest attention should now be focused on the HRC’s new mandate. Privacy scholars and institutions should be exploring how they can support the Special Rapporteur; and how they can enhance, through him, the ability of the HCR, the General Assembly and the global community to respond to the rapidly increasing challenges to data privacy in the contemporary world. It is almost too late to hope for something effective to protect privacy — a value most precious in the catalogue of valuable human rights. It is stated in clear language in Eleanor Roosevelt’s UDHR at the beginning of the global journey to enhance the protection of the precious characteristics of human rights in a time of rapid technological and societal change. And a clear signal of the growing international concern can be found in the General Data Protection Regulation of the European Union and the European Economic Area.

 

The Hon Michael Kirby AC CMG served as a Justice of the High Court of Australia (1996–2009). Before that, he had many posts, including inaugural chairman of the Australian Law Reform Commission. In that Commission, he led the project on privacy protection that produced the report that gave rise to the Australian Privacy Act. This work took him to the Organisation for Economic Co-operation and Development (OECD) in Paris 1978-80 where he chaired the expert group that produced the influential OECD guidelines on privacy. He has been awarded the Australian Human Rights Medal and the inaugural Privacy Medal. 

This article was originally published in the Journal of Law, Information and Science: M Kirby “Privacy Today: Something Old, Something New, Something Borrowed, Something Blue” (2017) 25(2) Journal of Law, Information and Science EAP 1. It is reproduced by agreement. It was derived from: M Kirby “Privacy Today: Something Old, Something New, Something Borrowed, Something Blue” speech delivered at the 5th Asian Privacy Scholars Network (APSN) Conference, Auckland, New Zealand (14 December 2016).