The right to privacy and security

Privacy is essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Privacy protects us from arbitrary and unjustified use of power by states, companies and other actors. It lets us regulate what can be known about us and done to us, while protecting us from others who may wish to exert control.

It is a fundamental human right and over 130 countries in the world mention it in their constitutions. Under the European Convention on Human Rights, the right to privacy is, in effect, contained in Article 8, the right to respect for family and private life: an important element of this is the right to protection of personal data. While this can be inferred from the general right to privacy, some international and regional laws also set out a more specific right to protection of personal data. 

In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection”, and work began on updating the 1995 directive. The GDPR entered into force in 2016, and as of May 25, 2018, all organizations were required to be compliant or face fines.

It is worth noting that there is an ongoing debate over how effective the fines are, both for data breaches and for hate speech. Many activists and organisations advocate for preemptive measures to prevent data breaches, arguing that the fines issued so far are not very significant for the big companies involved; on the contrary, many studies show that the expected loss for the average company appears to be less than the cost of eliminating, or reducing, potential data breaches. Especially for big companies, the financial and economic impact of fines for data privacy breaches is almost nothing.

Over 100 countries now have some form of data protection law. 

If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:

  1. Lawfulness, fairness and transparency – processing must be lawful, fair, and transparent to the data subject
  2. Purpose limitation – you must process data for the legitimate purposes specified explicitly to the data subject when you collected it
  3. Data minimization – you should collect and process only as much data as absolutely necessary for the purposes specified
  4. Accuracy – you must keep personal data accurate and up to date
  5. Storage limitation – you may only store personally identifying data for as long as necessary for the specified purpose
  6. Integrity and confidentiality – processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption)
  7. Accountability – the data controller is responsible for being able to demonstrate GDPR compliance with all of those principles.