In this regard, many in organised civil society have argued for stronger privacy protections for people’s personal data through laws protecting informational privacy. For instance, Privacy International has argued that data protection laws are needed to protect personal information from abuse by governments and commercial companies.22 To this end, many countries have set up data protection or privacy commissioners to ensure privacy protections are upheld by public and private actors. Some countries began to enact data protection laws in the 1970s and 1980s, and by November 2016 over a hundred countries had passed data protection laws, and over forty countries were developing draft legislation.23 Many of these laws incorporate the basic principles of data protection outlined in the Fair Information Practice Principles (FIPPs), which emerged from the US government in the 1970s, and which were incorporated into the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy. These principles limit the collection and processing of personal data, and require the consent of the person whose data is being collected, who also has the right to know that data is being collected about him or her. They also commit data controllers to use the data only for the purposes for which it was collected, unless the data subject has granted permission for other uses, and they require the data processor to be responsible for complying with these principles.24 Other Fair Information Practice Principles have been developed, which range from minimalist to maximalist, but the ones aligned to the OECD Guidelines have become the most prominent as foundational principles for data protection or privacy commissioners tasked with enforcing privacy and data protection laws.
However, when put into practice, these principles have not necessarily served the struggle for privacy very well, as they have prioritised individual control over personal data, while failing to address broader societal pressures exerted on the right. In doing so, these principles have individualised the problem and reduced it to sets of narrow, technical formulae that may not work well, and may even become dysfunctional. The activities of privacy commissioners tend to be premised on the control theory of privacy – as articulated by Alan Westin – that emphasises the right of individuals to exercise control over their personal information. In terms of this theory, individuals are asked to make choices (and often very few at that) about what happens to their data, but with little understanding of the real issues at stake, as data controllers skilfully bury them in legalese. However, as the underlying theory is premised on individual behaviour to enforce privacy safeguards, the principles fail to consider the massive obstacles that individuals face when attempting to enforce this right. For instance, very few people are able to understand the increasingly complex privacy notices that companies provide; this skews individual decision-making towards those with more resources or higher levels of education, and who can access legal advice, which in turn makes this form of privacy one that only a select few can and do enjoy. Consumers are also unlikely to know if information in the possession of a data controller has been misused; this calls into question the effectiveness of complaints mechanisms. By creating the impression that individuals do, in fact, have control over their own data, the principles ignore the power differentials between institutions and individuals that may make the exercise of this control difficult. They also fail to consider whether particular forms of surveillance should be taking place at all. Broad-ranging exclusions on grounds such as national security render data protection principles all but useless in the most controversial areas of data governance, where protections are often most needed. When these factors are taken together, it is hardly surprising that an overemphasis on procedural protections for privacy, rather than substantive ones, has made little difference to the overall protection of the right. In fact, it could be argued that privacy commissioners create the illusion of information control, rather than actual control.25
The most serious flaw of data protection laws is that they often fail to hold governments to account for data breaches in the same way that private sector companies are held accountable. A former adviser to Canada’s Privacy Commissioner, Michael Geist, has argued that the Canadian government shared intelligence with other governments that went far beyond what was needed to investigate terrorism or other serious crimes, and that the government lacked the political will to address the privacy implications of these practices. While, increasingly, large communications companies like Google and Vodaphone were releasing annual transparency reports about the number of times they had been approached to share personal information, the government was not following suit and releasing similar reports.26 According to documents leaked by Snowden, in the US an internal audit found that the NSA broke privacy rules thousands of times.27 To all intents and purposes, national security has trumped informational privacy laws.
In addition to seeking legal protections through ensuring the enactment of data protection laws, privacy advocates have mounted legal challenges to enforce privacy rights, initially through complaints-receiving bodies on surveillance matters and, if these did not succeed, through the courts. This strategy has yielded mixed results, with the most positive being achieved in Europe, through the European Court of Human Rights. In the UK, several legal challenges have succeeded, and many of these have been brought by NGOs such as Privacy International and Liberty. Much of their work has focused on lodging complaints with the IPT, and then appealing against unsatisfactory decisions. As a result of the Snowden revelations and of sustained advocacy by NGOs, the number of complaints received by the IPT has grown by over 250 per cent, and increasing public scrutiny of this formerly little-known body has placed it under pressure to hold more hearings in public and communicate its findings more widely.28
Overall, though, the IPT has been unwilling to reconsider the intelligence agencies’ arguments for mass surveillance powers. Privacy International, joined by several internet companies, has brought a complaint about GCHQ’s use of bulk hacking outside the country, but this was not successful as the IPT refused to rule on the matter, leading to its being referred to the European Court. However, during the case GCHQ did admit that it undertook hacking to obtain information, modify target devices and carry out intrusive activities, which it had previously refused to confirm or deny.29 Privacy International, the National Council of Civil Liberties and other organisations have also filed separate complaints about mass surveillance and intelligence-sharing with the UK government. The IPT ruled that intelligence-sharing between the US and the UK – where the UK accessed information from the PRISM and UPSTREAM programmes – was illegal because the rules governing these activities had not been made available publicly, but that once some of them were, the sharing was rendered legal, making this case the first in which the IPT had ruled against the UK intelligence agencies.30
This victory showed that with persistence, gains can be won even from institutions that appear to be captured by the very agencies they were meant to oversee. However, the organisations disputed the IPT’s argument that the release of some of the relevant rules automatically rendered such intelligence-sharing lawful, especially given the fact that during the case GCHQ itself admitted to requesting and receiving bulk data without a warrant.31 The IPT’s unwillingness to rule on the GCHQ’s current activities meant that the agency continued to enjoy massive powers to collect the personal data of large numbers of people without even a reasonable suspicion of their having been involved in a crime, and in secret. Another victory was when the IPT found that GCHQ and MI5 had secretly and illegally harvested massive amounts of personal information from various databases between 1998 and 2015, as these activities were not subject to sufficient supervision, but again stopped short of saying that the surveillance itself was unlawful, thereby confirming a trend in the tribunal’s judgments to shy away from this all-important question.32 The UK government has also been very canny in responding to IPT judgments: if a power is not authorised sufficiently in law, then the government merely changes the law to