The UN’s top human rights office concluded years ago that in order to respect the right to privacy, governments should regulate how private companies – not just police and spy agencies – treat personal data. Although the human rights treaties only strictly apply to governments, there is a long-established norm that businesses should respect rights even if a government doesn’t force them to do so – and that’s as true for Facebook as for more usual suspects such as the diamond, oil, and tobacco industries. The same UN body has specifically urged web-based companies to make sure their practices don’t facilitate inappropriate government surveillance or otherwise harm human rights.
To achieve this, companies should first recognize that simply because a user has ‘shared’ a piece of information with a platform or others doesn’t mean he or she has lost any privacy interest in it. If one looks closely at Facebook executives’ responses to the scandal surrounding data analysis firm Cambridge Analytica’s access to users’ data, one will find repeated mentions of the idea that this was data the users themselves had shared or made public.
However, as the European Court of Human Rights has recognized, data about us can still raise privacy concerns even if it isn’t something we’ve kept secret. And European Union law acknowledges even more explicitly that personal information we can’t – or shouldn’t have to – keep to ourselves, such as our race and religious beliefs, can still be sensitive and need protection by both governments and companies.
One reason this is important is that when a company gathers, analyzes, or shares data that can identify personal characteristics such as race, this can lead to discrimination – as the ongoing controversy over allegedly biased housing advertisements on Facebook shows.
Companies such as Facebook also create vast pools of personal data where intelligence agencies, police, hackers, and fraudsters could go fishing. This makes adherence to human rights principles essential for these companies, including when users have knowingly shared information about themselves.
Human rights courts have also recognized that nearly every step in the handling of personal data – from the initial gathering to use, retention, and sharing – can interfere with privacy. This means those actions should be limited to what is truly necessary and is proportionate to a legitimate goal.
UN experts have further stated that if data a company holds about you is wrong, you should be able to get that data corrected or deleted – and under the European Union’s new General Data Protection Regulation (GDPR), this will be an even broader right. In many circumstances, the regulation will also require companies to obtain EU users’ specific and informed consent before gathering their data in the first place.
Given that Facebook’s handling of personal data has been the subject of major rights-based challenges in Europe as well as a 2011 settlement with the US Federal Trade Commission about consumer privacy, it seems highly likely that the company is aware of these human rights principles. It simply needs to be willing to act on them.
Under the new EU regulation, Facebook will need to do this for its millions of users in the European Union by May 25. During the hearing, Zuckerberg indicated that the company will extend those new user protections “to the world.” This was encouraging, although Zuckerberg did not fully explain the details or offer a timeline.
This article has been excerpted from: ‘Data Privacy Is a Human Right. Europe Is Moving Toward Recognizing That’.