Cybersecurity, Privacy, and the International Legal Landscape

Gianluca Scaglione
Vol. 39 Associate Editor

Now more than ever, privacy and its cybersecurity dimension demand attention. As digital technology and its uses expand rapidly, the amount of data generated about every individual is staggering: from our real-time location to our texts and emails, almost everything we do is captured daily by the devices we use. In the face of rapid technological development, situated as we are at the dawn of the Internet era, current legal protections have proven lackluster, and adequate norms have yet to be conceived. Part of the problem lies in the current cultural perception of cybersecurity and privacy. Notwithstanding the pervasiveness of technology and the growing volume of data collected about each individual, privacy is often overlooked or disregarded among today’s social goals. “Why do you care? What do you have to hide?” is a common response to requests for stronger data protection. Privacy, however, means the ability to control the information disclosed about oneself.[1] As such, privacy should be seen as an essential component of freedom of speech: a rightful expression of one’s own persona, not a suspect assertion of secrecy.[2] Moreover, protecting privacy is the only way to avoid what has been described as a “Panopticon effect.”[3] Due process considerations require that people not be forced into a societal model in which they are constantly monitored for unknown reasons, by unknown individuals, who apply unknown evaluation standards and take undisclosed measures. A stronger legal framework would encourage greater trust in the Internet and digital technologies. Moving forward, this trust may prove key to economic and technological development, since a lack of trust can make people hesitant to participate in a global market that is driven in no small part by digital technologies.
Courts across the world are beginning to recognize the need to develop the right to privacy in personal data and cybersecurity. Earlier this year, the Supreme Court of India, for example, recognized a fundamental right to privacy as a necessary condition for the meaningful exercise of other guaranteed freedoms, and it called on the government to protect individual privacy through an adequate data protection regime.[4] In 2014, the Court of Justice of the European Union recognized, under the then-applicable Data Protection Directive, an Internet privacy right commonly described as a “right to be forgotten.”[5] The E.U. has been a leader in this respect. In Google Spain SL v. Agencia Española de Protección de Datos, a man sought to have Google remove from its search results links to old personal information about him.[6] The court held that a search engine operator processes personal data and, at the request of the data subject, must remove links to pages containing personal information that is inadequate, irrelevant, or no longer relevant in light of the time elapsed, unless an overriding public interest in access to that information exists. As a result, Google had to delist the links to the plaintiff’s personal data. In 2016, the E.U. Council and Parliament adopted the General Data Protection Regulation, which will apply from May 25, 2018.[7] The Regulation (2016/679) will be directly binding in all Member States without the need for national implementing legislation. It codifies the right to be forgotten as a right to erasure, and it aims to reinforce the system of protections regarding the processing and free movement of personal data. It subjects companies that process personal data to supervision by independent public authorities, and it establishes cooperation and consistency mechanisms among those authorities for cross-border cases. In the U.S., conversely, privacy protections have historically been scarce.
Freedom of speech and security concerns have been used to justify restrictions on the individual right to privacy.[8] The scholarly literature reflects this preoccupation through its focus on redefining privacy as a tool for free speech and security. The right to privacy has been treated as antagonistic to these concerns, and privacy has been restricted on the assumption that protecting it would weaken free speech and national security.[9] The U.S. legal landscape on cybersecurity relies to a great extent on sectoral rules contained in statutes, and the main statute on electronic communications is outdated.[10] From a constitutional perspective, American courts have construed the Fourth Amendment as protecting the contents of communications, but the results have not proven very effective. According to Fourth Amendment jurisprudence, the law protects the confidentiality of the “contents” of a communication, but not the “envelope” that carries it.[11] Thus, for example, while the body of an email may be protected, the date it was sent and the recipient’s address may not be. Email headers, IP addresses, and URLs may all fall within the “envelope” classification. The USA PATRIOT Act was passed in an effort to increase national security and to expand government access to personal information in order to prevent future terrorist attacks. Against this backdrop, Congress extended the statutory definition of “envelope” information to all “dialing, routing, addressing, or signaling information.”[12] As a result, under current statutory law and Fourth Amendment jurisprudence, such data is not protected against unreasonable search and seizure even where it reveals a great deal about the content of the communication: although the statute nominally excludes “the contents of any communication,” in many cases it is easy to infer what a user was reading simply by looking at the full URL.[13]
Today, the world needs adequate protections for privacy and its cybersecurity dimension at an international level. Internet technology knows no geographic boundaries, and the cross-border flow of information has become an increasingly important issue worldwide, both for private individuals and for corporations. Individuals often have their data handled by large corporations located abroad that may be able to escape domestic regulation; in such cases, politically speaking, the affected individuals have no say in the privacy guarantees afforded to their own information. Corporations, on the other hand, are progressively learning how important it is to perform cybersecurity due diligence on a counterparty’s systems to evaluate whether its data holdings and security posture carry liabilities within a deal. For example, acquiring a company may expose the purchaser to liability arising from the technological systems already in place, and a thorough examination is required to limit the purchaser’s risk. In what some describe as a “Cybered Westphalian Age,”[14] nations all over the world are regulating data locally and trying to take as much control as possible over the elusive information and communications transmitted over the Internet. Because of the volatile and cross-border nature of technology and Internet communication, however, international law would be the best tool to offer protection. Nonetheless, as of now, public international law does not offer much in terms of feasible regulatory models.
International law on the subject currently revolves around the United Nations Charter, the International Covenant on Civil and Political Rights (ICCPR), human rights guarantees, and customary international law.[15] On one hand, the UN Charter and the ICCPR recognize the value of privacy and might offer basic protections.[16] On the other hand, customary international law recognizes the principle of good neighborliness and currently imposes two obligations on each country. First, each country has a due diligence obligation to prevent cyber-attacks from being conducted from its territory; second, it has an obligation to establish a legal system that ensures and fosters cybersecurity.[17] These are good starting points. They reflect a shared global perception of the importance of protecting privacy and developing cybersecurity protections at the international level. Aside from these general principles, however, there is no multilateral treaty that primarily addresses cybersecurity and privacy. Furthermore, bilateral treaties between select countries are insufficient to protect against data disclosure, since moving data processing facilities to a third country can often be enough to escape their reach. A multilateral treaty accepted worldwide would be the best solution, because it would effectively bind all States; however, reaching an agreement among many countries with very different political views on a matter such as cybersecurity would be a daunting task. The Convention on Cybercrime, for example, has been open for signature and ratification for more than a decade, but it has not been accepted worldwide, and key players such as Russia and China have not ratified it.[18] Privacy and cybersecurity pose difficult but crucial challenges to the international community.
What is traditionally considered the best tool for the job, public international law, is impractical because it takes time to develop, and the intrinsically political nature of cybersecurity and data protection raises the cost of reaching a global agreement even further. Meanwhile, technology is developing faster and faster, bringing with it new risks and opportunities for cyber-attacks and threats to personal data. Moving forward, international dialogue on privacy should be a priority. By acknowledging the importance of privacy in today’s world and raising awareness of central cybersecurity concerns, the cost of aligning different views would fall, and a multilateral agreement with global reach might become feasible.

[1] See John L. Mills, Privacy: The Lost Right 108 (2008).
[2] See Daniel J. Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security 21-24 (2011).
[3] See Mills, supra note 1, at 70-72. The Panopticon is a circular prison structure with a large, open interior and an observation tower in the center. Each prisoner is subject to constant scrutiny by guards in the tower, but prisoners never know whether they are being watched at any point in time.
[4] See Justice K.S. Puttaswamy (Retd.) v. Union of India, W.P.(C) No. 494 of 2012 (India Aug. 24, 2017).
[5] See Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos, ECLI:EU:C:2014:317.
[6] Id.
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, 2016 O.J. (L 119) 1-88.
[8] See Solove, supra note 2, at 12-13.
[9] See, e.g., Adam D. Moore, Privacy Rights: Moral and Legal Foundations 142, 150-52 (2010).
[10] See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848; see also Solove, supra note 2, at 11-13, 167-70.
[11] See Solove, supra note 2, at 156-58.
[12] 18 U.S.C. § 3127(3), amended by USA PATRIOT Act, Pub. L. No. 107-56, § 216(c) (2001).
[13] See also Mike Breen, Comment, Nothing to Hide: Why Metadata Should Be Presumed Relevant, 56 U. Kan. L. Rev. 439, 442-43 (2008).
[14] Chris C. Demchak & Peter Dombrowski, Rise of a Cybered Westphalian Age, 5 Strategic Stud. Q. 32 (2011).
[15] See Matthias C. Kettemann, Ensuring Cybersecurity Through International Law, 69 Rev. Española Der. Internacional, July-Dec. 2017, at 281, 284-87.
[16] See id.; see also U.N. Charter art. 2 (ban on aggression and intervention, which might be extended to cyber-attacks); see also International Covenant on Civil and Political Rights arts. 17, 19, Dec. 16, 1966, S. Treaty Doc. No. 95-20, 999 U.N.T.S. 171.
[17] See Kettemann, supra note 15, at 286-87.
[18] See Council of Europe, Treaty Office, Chart of Signatures and Ratifications of Treaty 185 (last visited Oct. 26, 2017).