The United Nations Human Rights Council has rejected claims by governments across the world that mandatory data retention is required for national security protection.
The statement came in a report (PDF) released overnight by the council into digital privacy rights. The UNHRC had been asked to conduct an inquiry into digital privacy following the leaks from NSA whistleblower Edward Snowden on the surveillance regimes in place in the US.
The UN General Assembly adopted a resolution at the time stating that governments must respect the privacy rights of people both offline and online.
In the council's report, it stated that in some instances, governments with legitimate aims and appropriate safeguards might be allowed to engage in surveillance, but it was up to the government to demonstrate it was needed and that the intrusion into privacy was proportionate to the risk being addressed.
"Mass or 'bulk' surveillance programs may thus be deemed to be arbitrary, even if they serve a legitimate aim and have been adopted on the basis of an accessible legal regime. In other words, it will not be enough that the measures are targeted to find certain needles in a haystack; the proper measure is the impact of the measures on the haystack, relative to the harm threatened; namely, whether the measure is necessary and proportionate," the council said.
Forcing third parties — such as telecommunications companies — to retain customer data just in case it is needed for law enforcement were not necessary, according to the council.
"Concerns about whether access to and use of data are tailored to the specific legitimate aims also raise questions about the increase reliance of governments on private sector actors to retain data 'just in case' it is needed for government purposes," the council said.
"Mandatory third-party data retention — a recurring feature of surveillance regimes in many states, where governments require telephone companies and internet service providers to store metadata about their customers' communications and locations for subsequent law enforcement and intelligence agency access — appears neither necessary nor proportionate."
The council cited the European Court of Justice ruling that in April that threw out the European directive for telecommunications companies to retain customer data for up to two years. The ruling has forced the United Kingdom to bring on "emergency" data retention legislation which passed the House of Commons this week.
The decision of the UK government to proceed with data retention legislation is also having an impact in Australia, with Attorney-General George Brandis stating yesterday that data retention was under "active consideration" by the government. In highlighting the UK legislation, Brandis said that forcing telecommunications companies to store customer data on behalf of law enforcement agencies is "the way the west is moving".
The United Nation Human Rights Council report found that although digital privacy rights were part of the international human rights law framework, many countries lacked adequate national legislation, enforcement or oversight over inference in the right to privacy.