When Right to Information Meets Right to Privacy

Do we, as a society, respect and value privacy?

‘Not really’, was the response from many in my audience when I posed this question while speaking at a recent event on the right to privacy and Internet freedom organised by the Bar Association of Sri Lanka (BASL).

That has been our historical legacy, I argued: Ours is a rather nosy culture, where many want to know far too much about others’ private lives. Not just in villages, but in cities and towns as well.

Communal living has some benefits, for sure, but as societies advance socio-economically, people begin to cherish more privacy and value greater individuality. They like to draw clear distinctions between public and private spheres. Many in Sri Lanka haven’t crossed this threshold, yet, which makes privacy protection a difficult issue to advocate.

Privacy is like trust and security – it’s much easier to define when we don’t have it. We value privacy more when we realize it is breached or missing. Now, our increasingly digital lives and greater use of online services have added a new layer of complexity. The demarcation between public and private lives is blurred, or lost in cyber space. The challenge is to strike the right balance between digital utilities and privacy protection.

● Data Misuse
Absolute privacy is not possible online—every action is documented somewhere, and is ultimately traceable. Within this reality, however, reasonable levels of privacy controls can still be achieved. But, that is the shared responsibility of technology service providers and their customers. The problem is that many users are unaware of multiple privacy pitfalls online.

Facebook is a case in point. Over the years, the platform’s administrators have kept changing its privacy rules. Their ongoing ‘tug of war’ between public and private information has led to embarrassing incidents where some users shared information thinking it was private, but it was visible to everyone. Facebook Founder Mark Zuckerberg claimed in 2010 that the rise of online social networking means that “people no longer have an expectation of privacy”. That view was widely contested by those who argued that the spread of social media just means that privacy has new conditions – and involves greater challenges of safeguarding these. Are these primarily the concerns of more economically advanced countries? Is privacy a luxury for developing country residents? Not so.

While 30% of Lankan population that regularly use the Internet are definitely more exposed, all citizens are affected in different ways – for example, by various government agencies storing citizen data in digital formats, and companies retaining mobile phone numbers or tracking consumer behaviour in their systems. Both governments and corporations can use such data beyond the immediate and stated purpose for which it is provided. Data protection laws and regulations are meant to minimise such misuse. Sri Lanka urgently needs to legislate for such protection. Individuals often have no choice but to provide their data, especially when required by the state – like in annual revisions of electoral registers for censuses and other data-gathering processes. During the war, citizen data was gathered by law enforcement agencies at various levels, even without a proper legal framework.

How safe and secure is such data within the state machinery? Who has access and under what conditions? This is a very valid question.

Privacy is like trust and security – it’s much easier to define when we don’t have it

As digital activist Sanjana Hattotuwa, who was part of the BASL panel, reflected: “There are enduring concerns around a very porous firewall between information collected by the Department for Registration of Persons and the Ministry of Defence, and an assorted array of intelligence services.

In the absence of robust, modern data protection laws, information on individuals, their families, professions, home addresses, work addresses and biometric data that with little or no judicial oversight or due process can be accessed by State intelligence services is a dystopian future best resisted.”

Although it is not mandatory, we as consumers have to provide basic information like mobile number and email address when signing up for various ‘free’ online services such as Gmail, Facebook and Instagram. Their operators may not charge us for the service, but they usually make money by extracting data from users and selling this data to advertisers.

This is summed up by the aphorism that “When something online is free, you’re not the customer, you’re the product.” Privacy is a casualty in such processes.

● Digital ‘Bread Crumbs’
Then, there are electronic trails, also known as ‘digital bread crumbs’, we leave behind as we browse the web. Every search, every item we read, every email or other form of messaging we exchange, and every product or service we buy leaves electronic traces. These can be aggregated to form an accurate profile of our likes, dislikes, moods, purchasing power, sexual preference, medical history and shopping patterns. Given enough time and data, these can be used to map our political, religious and philosophical interests as well.

What we choose to disclose or not disclose, and in which situations, is deeply personal. Everyone should have that choice, and not find it taken away by an overbearing government or a cynically exploitative service provider.

“Individual privacy is not the only societal value under pressure in the current data-saturated infrastructure. The effects of data practices without ethics can be manifold – unjust treatment, discrimination and unequal opportunities. But privacy is at its core. It’s the needle on the gauge of society’s power balance,” says Gry Hasselbalch, an expert on Internet policy and digital rights who co-founded the DataEthics.eu initiative.

She adds: “In a well-functioning democracy, those in power are open and transparent about how they exercise their power. One should not expect [similar] transparency from individuals. The more transparent people are, the more vulnerable they become.” This is the balance that right to information (RTI) laws seek to strike.

Section 5 (1) (a) of Sri Lanka’s RTI Act of 2016 says personal information of a citizen, held by the government, need not be disclosed if it would “cause unwarranted invasion of privacy of the individual”. But the Act also has the provision: “…unless the larger public interest justifies the disclosure of such information.”

● Right to Privacy
Right to privacy is not new. It was enshrined in the Universal Declaration of Human Rights of 1948 (in Article 12), and subsequent conventions. The European Union has been especially active on this front. Half the world’s population now using the Internet has created new challenges for safeguarding this right. Recognising this, the United Nations Human Rights Council appointed Professor Joseph Cannataci of Malta the first-ever Special Rapporteur on the right to privacy in July 2015. It was partly in reaction to public disclosures (by Edward Snowden and others) of the existence of certain governments engaging in mass scale electronic surveillance.

In his first report, released in March 2016, Prof Cannataci clarified that his work will focus on informational privacy. He also called for a more integrated approach to human rights that considers right to privacy, along with freedom of expression and right to publicly held information.

He noted how tension between security, corporate business models and privacy continues to take centre stage. These require a measured response from legal and human rights communities, so as to counter what he called “disproportionate, privacy-intrusive measures such as mass surveillance or breaking encryption”.

Can the new Constitution include the right to privacy in its enhanced framework of fundamental rights? Let’s hope so

Encryption is the process of converting information or data into a code to prevent unauthorized access. Seen as the most effective way to achieve data security, it has become a bone of contention between technology providing companies and law enforcement agencies.

In his report, Prof Cannataci noted how privacy is emerging as an important commercial consideration, “with some major companies adopting it as a selling point”. While some companies are accused of violating user privacy, others are discovering business opportunities in enhanced privacy protection, online and offline.

He added, “If there is a market for privacy, market forces will provide for it. The rapid increase in the availability of encrypted devices and software services is a strong indicator that consumers worldwide are increasingly aware of the risks to their privacy, and that they will increasingly choose privacy-friendly products and services over ones that are privacy neutral or privacy unfriendly.”

These global discussions are relevant as we evolve our own information society. There is no right to privacy under our Constitution, although under the Roman Dutch law, the right to privacy is protected in some specific instances. Can the new Constitution include this in its enhanced framework of fundamental rights? Let’s hope so.

After all, as Edward Snowden famously said, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.