their voice prints or fingerprints to the authorities or ‘spoof’ fingerprints to fool biometric systems, provide no, false or misleading information, or refuse to register their subscriber information module (SIM) cards or register them under false names. For instance, in Mexico, a SIM card registration process was resisted by over seventeen million subscribers. In an act of civil disobedience, over five thousand people protested by subscribing their SIM cards under the name of the President.18
Increasingly, individual acts of resistance also include encrypting communications to make surveillance more difficult, using tools that anonymise browsing, such as TOR (software that allows users to browse anonymously on the internet), and not using company hardware or applications that take cavalier approaches to their users’ privacy. However, the use of these tools is purely voluntary and at the discretion of the individual, who may not have the technical knowledge to be able to use them or even know that they exist. While the relevant authorities may be irritated by these tactics, they are unlikely to result in substantive challenges to broader surveillant forms of governance, which would require more organised responses. Nevertheless, there are signs that more users are changing their communications practices in the wake of the Snowden revelations, with more people taking steps to hide their communications from the government.19
At the collective level, privacy advocacy has traditionally been based mainly in the US, where many of the well-funded groups are to be found (such as the Electronic Frontier Foundation, or the EFF; the Electronic Privacy Information Center, or EPIC; and the American Civil Liberties Union, or the ACLU).20 The problem civil society faced in mounting organised opposition in the wake of the Snowden revelations was that while they could appeal to the internationally recognised right to privacy, they lacked clarity on what this right meant when applied to communications surveillance in the digital age. In an attempt to reach such clarity, they developed a set of thirteen principles called the International Principles on the Application of Human Rights to Communications Surveillance, otherwise known as the Necessary and Proportionate Principles. At their launch in 2013 at the UN Human Rights Council, over four hundred organisations worldwide endorsed them. The initiating organisations also broadened the range of anti-surveillance actors beyond those of the ‘usual suspects’, drawing support from organisations and individuals from around the world, although with a bias towards the US and Europe. While the signatories represented a broad range of actors, there was a clear bias towards media freedom and civil liberties organisations, as well as technology, digital rights and legal organisations and experts. The challenge this new movement faced was to translate this spurt of energy into an organised form and to sustain it.
The Principles were updated in 2014, to ensure that communications surveillance practices would adhere to international human rights law. The Principles state that any surveillance law needs to comply with the principle of legality, must serve a legitimate aim and be adequate for the fulfilment of this aim. It must also be necessary, proportional to the level of threat faced by a country and determined by a competent judicial authority following due process. Users have a right to be informed that their communications have been surveilled, and public oversight involving transparency must apply to communications surveillance. States should not compel communications service providers to build surveillance capacities into their systems, and they should also put in place safeguards against illegitimate access to these systems and the information that flows through them. Where mutual assistance from other states is sought, the available standards with the highest levels of protection should apply.21 These standards provided a useful framework for advocacy against unaccountable communications surveillance, and allowed for a generalisation of grievances against these practices. At the same time, while it made the establishment of the broadest possible coalitions possible that did not alienate groups who might not share the political perspectives of privacy activists, it also risked depoliticising the problem, as it failed to locate the problem within the broader context of the growth of surveillant capitalism and inequality.
In this regard, many in organised civil society have argued for stronger privacy protections for people’s personal data through laws protecting informational privacy. For instance, Privacy International has argued that data protection laws are needed to protect personal information from abuse by governments and commercial companies.22 To this end, many countries have set up data protection or privacy commissioners to ensure privacy protections are upheld by public and private actors. Some countries began to enact data protection laws in the 1970s and 1980s, and by November 2016 over a hundred countries had passed data protection laws, and over forty countries were developing draft legislation.23 Many of these laws incorporate the basic principles of data protection outlined in the Fair Information Practice Principles (FIPPs), which emerged from the US government in the 1970s, and which were incorporated into the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy. These principles limit the collection and processing of personal data, and require the consent of the person whose data is being collected, who also has the right to know that data is being collected about him or her. They also commit data controllers to use the data only for the purposes for which it was collected, unless the data subject has granted permission for other uses, and they require the data processor to be responsible for complying with these principles.24 Other Fair Information Practice Principles have been developed, which range from minimalist to maximalist, but the ones aligned to the OECD Guidelines have become the most prominent as foundational principles for data protection or privacy commissioners tasked with enforcing privacy and data protection laws.
However, when put into practice, these principles have not necessarily served the struggle for privacy very well, as they have prioritised individual control over personal data, while failing to address broader societal pressures exerted on the right. In doing so, these principles have individualised the problem and reduced it to sets of narrow, technical formulae that may not work well, and may even become dysfunctional. The activities of privacy commissioners tend to be premised on the control theory of privacy – as articulated by Alan Westin – that emphasises the right of individuals to exercise control over their personal information. In terms of this theory, individuals are asked to make choices (and often very few at that) about what happens to their data, but with little understanding of the real issues at stake, as data controllers skilfully bury them in legalese. However, as the underlying theory is premised on individual behaviour to enforce privacy safeguards, the principles fail to consider the massive obstacles that individuals face when attempting to enforce this right. For instance, very few people are able to understand the increasingly complex privacy notices that companies provide; this skews individual decision-making towards those with more resources or higher levels of education, and who can access legal advice, which in turn makes this form of privacy one that only a select few can and do enjoy. Consumers are also unlikely to know if information in the possession of a data controller has been misused; this calls into question the effectiveness of complaints mechanisms. By creating the impression that individuals do, in fact, have control over their own data, the principles ignore the power differentials between institutions and individuals that may make the exercise of this control difficult. They also fail to consider whether particular forms of surveillance should be taking place at all. Broad-ranging exclusions on grounds such as national security render data protection principles all but useless in the most controversial areas of data governance, where protections are often most needed. When these factors are taken together, it is hardly surprising that an overemphasis on procedural protections for privacy, rather than substantive ones, has made little difference to the overall protection of the right. In fact, it could be argued that privacy commissioners create the illusion of information control, rather than actual control.25
The most serious flaw of data protection laws is that they often fail to hold governments to account for data breaches in the same way that private sector companies are held accountable. A former adviser to Canada’s Privacy Commissioner, Michael Geist, has argued that the Canadian government shared intelligence with other governments that went far beyond what was needed to investigate terrorism or other serious crimes, and that the government lacked the political will to address the privacy implications of these practices. While, increasingly, large communications companies like Google and Vodaphone
