Today there may be no resource as powerful, or as vulnerable, as data. The central role that data sharing plays in contemporary society, ranging from use of social media to accessing administrative services, is accompanied by a high degree of risk. Data sharing on a mass scale and for many purposes in a digitally connected world means that our personal information is increasingly open to attack and misuse. In our online communications and transactions, we risk exposing details about our lives that used to be private as a matter of course. This includes not just financial data that must be kept secure but also information about our location, our friends, families and associates, our political beliefs, our purchases and even our health data. Further, States across the globe are creating digital identity systems that connect to our biometric information, building a bridge from our digital activities to our lives and identity offline. This digital identity may then become the target of exploitation, either for commercial or political ends.

Prior to the 2016 presidential elections in the United States, the British firm Cambridge Analytica enabled the use of data from 50 million Facebook accounts to create profiles for targeted political advertisements. The resulting scandal has helped raise public awareness globally about the power of data for manipulation and control in the digital era, and of how few protections we have against this kind of abuse. There is no comprehensive data protection framework in the United States, and little to stop the misuse of Facebook’s platform to sow discord online and potentially influence elections. The same lack of protections may have also been a factor in the 2018 presidential elections in Brazil.1 In the absence of appropriate laws, policies and corporate practices that are grounded in internationally recognized principles for human rights, the data that we share every day can be twisted to undermine democratic processes and hurt the most vulnerable among us.

Unfortunately, how States respond to scandals like that involving Cambridge Analytica can make things worse, and some initiatives even serve to undermine the fundamental rights of the citizens they purport to protect. These responses go beyond passing inadequate data protection laws in haste without proper consultation or input by civil society.2 Governments across the globe are using the focus on data and national security to push misguided efforts to localize data3 and advance cybersecurity or cybercrime laws that are not user-centred, do not keep data secure and effectively open the door to human rights violations. Legal frameworks, whether set up to protect our data or enhance cybersecurity, must be designed to centre on an individual’s right to privacy that is recognized under international human rights instruments. For example, laws that authorize surveillance must be both “necessary and proportionate.”4 All United Nations Member States are tasked with upholding fundamental human rights, online and off—and in this digital era, privacy is a cornerstone of these rights.

Yet as Governments attempt to determine the rules of the game in a rapidly evolving digital landscape, they often pursue policy, legislation and governance objectives in a manner that is removed from the perspectives, rights or needs of individuals. Laws developed without input from diverse stakeholders, including voices from civil society, are putting marginalized populations, in particular, at risk of grave human rights abuses. Recent “cybercrime” legislation enacted in a United Nations Member State in North Africa, as well as media regulation law, demonstrate how legislation created to regulate cyberspace can undermine civil liberties and criminalize activities inherent to the exercise of human rights, including the rights to privacy and free expression. Such laws authorize broad State censorship, website blocking and online surveillance. The law on cybercrime, for instance, mandates that Internet service providers keep and store users’ data, including phone calls, text messages, and browsing and application history, for a period of 180 days, and that they make the data accessible to law enforcement without necessary human rights safeguards.

This evident disregard for the right to privacy enables the criminalization of free expression. It facilitates government censorship of critical voices, fostering a culture of self-censorship and fear that further erodes the inherent right to hold and express opinions without interference. Accordingly, the wave of optimism that characterized the discourse surrounding the growth of the Internet and new technologies following the 2011 uprisings in North Africa and the Middle East, when many trumpeted the Internet’s potential to serve as a platform for freedom of expression, association and activism, is now being reversed. New laws are being leveraged to suppress criticism and dissent, effectively closing off space for free and open discourse on the Internet. This repression of critical speech violates article 19 of the Universal Declaration of Human Rights, which grants the right to freedom of opinion and expression, and access to information “through any media and regardless of frontiers”, as well as article 19 of the International Covenant on Civil and Political Rights, to which 172 countries are party.

Governments in Asia are similarly advancing laws that serve to restrict the freedom of expression. Legislation on digital security enacted by a Member State in the region is a signal example of this chilling trend. The act in question was developed as a replacement for an earlier law dealing with information and communication technology (ICT), which itself had been used to silence dissent by enabling the criminal prosecution of those accused of sharing false information online, enforced with onerous fines and sentences. The more recent act carries vague provisions that leave it open to abuse, and is similar to its predecessor. For example, the law establishes a digital security agency and a national digital security council, but the jurisdiction and powers of these government bodies remain undefined. It also expands police authority to search any person or place without a warrant if the person or entity is merely suspected of committing a “digital offence”. By criminalizing the expression of personal opinion online, the law excludes any rights-based considerations and casts a hostile shadow over the exercise of civil liberties.

As noted above, waiting in the wings to deepen and exacerbate the risks to human rights posed by these laws is the push to develop national digital identity programmes, some of which have already been implemented. Such programmes entail the collection and storage of our sensitive personal data and biometric identifiers to establish and authenticate a single digital ID.?They are intended to ensure the efficient delivery of government services. But before creating what are often centralized troves of personal and biometric data, States must understand the full range of risks posed to users.5 They should also avoid the mistake of rolling out such programmes without real human rights and cybersecurity protections?embedded in the law.6

In 2016, lawmakers in another Member State in North Africa advanced a proposed biometric identification bill, and a coalition of civil society actors launched a campaign to draw attention to its shortcomings. This dangerous proposal did not specify what kind of data would be stored and who would have access to it. It also failed to include provisions adequate to securing the data. Taken as a whole, the bill posed a threat to the privacy, cybersecurity and data of that country’s citizens, and therefore to their fundamental rights. The bill was eventually dropped following significant pushback from civil society. However, given the presumptive benefits of national digital ID schemes, we can be sure that they will continue to be pursued. Unless these considerable risks are actually mitigated, such schemes could serve to undermine the rights to privacy, freedom of movement and the freedom of expression wherever they are implemented.

The digital future is already here. As nearly every aspect of our lives becomes digitized, we must ensure that laws and policies are based on fundamental rights. Laws must enable us to satisfy our basic needs and flourish while offering protection against the abuse of power. Let us remember that our data is much more than “the new oil”. It reflects who we are, and as an extension of one's self, it must be guarded with the highest levels of protection.

?

Notes

1. Verónica Arroyo and Javier Pallero, “Your data used against you: reports of manipulation on WhatsApp ahead of Brazil’s election”, Access Now, 26 October 2018.
Available at .

2. Verónica Arroyo and Javier Pallero, “Panama: civil society demands an open process for rushed Data Protection Bill”, Access Now, 10 October 2018. Available at .

3. The Editorial Board, “There may soon be three Internets. America’s won’t necessarily be the best.”, New York Times, 15 October 2018.
Available at .

4. Necessary and Proportionate, “International Principles on the Application of Human Rights to Communications Surveillance” (May 2014).
Available at .

5. Brett Solomon, “Digital IDs are more dangerous than you think”, WIRED (28 September 2018). Available at .

6. Wafa Ben-Hassine, “Digital identity programs: what could go wrong? Our contribution at UNCTAD’s E-Commerce Week”, Access Now, 19 April 2018.
Available at