Intelligence services around the world should be kept in check by an international body with the power to make sure governments don't misuse personal data for surveillance purposes, said the Council of Europe's data protection committee chairs in a joint statement.
Countries should agree at an international level on the extent to which the surveillance carried out by intelligence services can be authorized and under which conditions, recommended the committee. The agreement should come as a legal tool that could be enforced independently by a data protection body that is yet to be created.
The European human rights organization said that calls for better data protection at an international level are especially relevant in times of crisis, when circumstances provide governments with an opportunity to lawfully restrict citizens' privacy rights.
SEE: Guide to Becoming a Digital Transformation Champion (TechRepublic Premium)
Although sometimes prompted by legitimate concerns, such as threats to national security, those restrictions need stringent oversight, it said, so that they come with a number of safeguards and remain proportionate.
Referring to the ongoing COVID-19 crisis, the statement also mentioned threats to citizens' health as potentially enabling interference with rights to privacy.
Digital health and contact-tracing services are increasingly permeating many people's lives as a result of the pandemic, sometimes with detrimental consequences on the protection of personal data. Cities, for instance, are increasingly leveraging surveillance technologies ranging from traffic-monitoring tools to CCTV cameras to control the lifting of lockdown restrictions.
In France, the government recently trialed facial-recognition software in a metro station in Paris, to flag passengers who weren't wearing a mask. Although the initiative was promptly called off by the French data protection agency, it reflects the potential for governments to tap privacy-intruding technologies in extraordinary times.
The Council of Europe has repeatedly called for the creation of an international body dedicated to privacy protection over the past few years, as economies simultaneously digitize and globalize, resulting in vast amounts of personal data flowing across borders.
For example, since Edward Snowden's 2013 revelations about mass surveillance practices carried out by the US intelligence services against national and foreign citizens, the Council of Europe's Parliamentary Assembly has been calling for the creation of an international legal framework that would guarantee the protection of privacy.
And the European institution has attempted to regulate, to a degree, nation states' use of surveillance technologies. In 2018, for example, it ruled that the UK government's mass surveillance and data collection programs, which came to light in the aftermath of Snowden's revelations, had breached the European Convention on Human Rights and would be upheld.
Alessandra Pierucci, chair of the Council of Europe's data protection committee, who co-authored the organization's latest statement, told ZDNet: "Several years have passed since the revelations on mass surveillance programs and still the situation has continued to allow violations of the rights to privacy and data protection in the context of data flows."
It is necessary to give "new impetus" to repeated calls for action heard in the past, added Pierucci, and to hold discussions between democratic countries to reach a common commitment on what can and cannot be done by intelligence services.
The prospect of countries around the world agreeing on a set of international laws defining citizens' data protection rights might seem rather ambitious, not to say unrealistic. For Paul Bernal, researcher in media and information technology at the University of East Anglia School of Law, it is effectively hard to tell how much impact the Council of Europe's call will have – but that shouldn't downplay the importance of the institution's statement.
"I think this is a very important statement," said Bernal. "Not because it will actually achieve much – there will be far too much resistance from not only China or Russia but the US and UK too, when push comes to shove – but because it's both symbolic and a sense of the overall mood of what might loosely be called the international community. It's a recognition that people's rights matter."
The statement, more than a concrete plan of action, acts as a reminder that anger and momentum, far from disappearing, have actually taken hold since the Snowden revelations, argued Bernal.
The nearest example of an international agreement on data protection that currently exists is Convention 108 – a treaty created in 1981 by the Council of Europe, ratified so far by 55 countries around the world, and which is a legally binding instrument on data protection.
Convention 108 was modernized two years ago to adapt to the new realities of the digital age. The new version, called Convention 108+, is set to come into force shortly.
But while the Council of Europe hopes that the treaty will become an internationally recognized standard on privacy, the committee's chairs recognized that Convention 108+ is not enough in itself to guarantee protection everywhere that data flows, and anywhere it ends up.
"There are already important existing safeguards," said Pierucci, "but the difficulty is that those do not apply to personal data transferred abroad to countries that are neither bound by one, nor the other. Data transfers may thus have important consequences for individuals."
Case in point: last July, the European Court of Justice (ECJ) ruled that the EU-US Privacy Shield, which was agreed to facilitate trans-Atlantic data flows, was not sufficient to ensure the protection of European data in the US. In a decision called "Schrems II", the ECJ invalidated the agreement, causing significant disruption to trade between the two continents.
Without international standards on data protection, Pierucci argued, rulings like Schrems II will only multiply, with potentially serious consequences on international relations.
"The Schrems II invalidation is the best illustration of the dangers of not living up to the legal obligations that states have," said Pierucci. "The entire information era, our trust in the internet and new technologies may erode even more, with possibly fragmentations of the system in the end."