Blog post written by Elif Mendos Kuşkonmaz (University of Portsmouth) and forms part of a series of blog posts examining the implementation of the Global Compact for Safe, Orderly and Regular Migration.

Objective 11 calls for the collaboration among states on border management to ensure state security and security of migrants as well as regular border crossing. It also lists several actions that states may take to achieve this objective. One action is the pre-screening of arriving passengers and use of information technology, which primarily involves collection and use of personal data and their transfer between different actors (be it private sector-public authorities or among public authorities). This raises number of issues regarding the protection of the human right of privacy; a challenge that Objective 11 acknowledges. What are then key indicators to assess whether border management activities fully comply with international human rights standards?

Protection of Privacy and Personal Data

The Right to Privacy is protected under Article 12 of the Universal Declaration of Human Rights (UDHR)  :

‘No one shall be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) also sets out the right of everyone to be protected against arbitrary or unlawful interference with his/her privacy, family, home or correspondence as well as against unlawful attacks on his honour and reputation. It further provides everyone ‘the protection of the law against any such interference or attacks’.

Collection of personal data, its use, and transfer fall within the protective ambit of Article 17 ICCPR. These actions, thus, interfere with the right to privacy and would be considered ‘arbitrary’ unless they are justified. Article 17 ICCPR does not have a limitation clause like Article 8 of the European Convention on Human Rights (ECHR), which is the main regional normative basis for the right to privacy in Europe. Still, looking at the Human Rights Committee’s General Comment No. 31 where it addresses the general legal obligations on states under the ICCPR, the justification inquiry turns on three key questions: (i) is the interference lawful? (i.e. legality principle); (ii) does it have a legitimate aim?; (iii) is it necessary and proportionate? (i.e. principles of necessity and proportionality) (para. 6).

Indicator 1: Legality Principle

The legality principle means that actions involving collection and use of personal data must be based in law, which has to embrace foreseeability and accessibility requirements. This means that laws allowing for those actions must be sufficiently clear and precise when indicating who has the power to collect the data and under what circumstances; the procedure for which authorised body may collect and use the data; people who may be subject to data collection; and safeguards against abuse of powers (A/HRC/27/37, para. 23). Applying this to the GCM’s Objective 11, there must be law that permits the collection and use of as well as access to personal data. That law must indicate clearly (i) who can access, collect, and use information, for what purposes and how; (ii) whether this information can be shared with other domestic authorities or authorities of third countries for the same purposes for which they are initially collected; (iii) the minimum protection standards in case there are different levels of data protection between countries; (iv) the time limit for the retention of such data; (v) the rule on the deletion when it is no longer necessary or otherwise at the expiration of the retention period. On top of these, the law must also indicate who may be subjected to information collection. If information is collected for law enforcement or counter-terrorism purposes, this indicator may call for an assessment of information collection carried out without any form of targeting individuals for whom there is no link capable of suggesting their involvement of criminal activities. This indicator may also relate to the question on the necessity and proportionality of information collection activities.

Indicator 2: Legitimate Aim

Collection and use of personal data must be done in pursuance of a legitimate aim (e.g. protection of rights of others, for national security, public order, or public health or morals). If the personal data are originally collected by private sector such as airlines, consent given by data subjects for processing of their personal data does not justify the processing of those data by public authorities. Any subsequent processing of personal data must be conducted on the basis of the express aims. Counter-terrorism or law enforcement have been the dominant purposes for which states implement pre-screening activities. Introducing border management and consequently migration-related purposes into this equation may not satisfy the purpose requirement because it may blur the distinct fields of action.  This is important because information collection for one purpose may not be necessary and proportionate for the other purpose (A/HRC/27/73, para. 27). Moreover, the use of overly broad concepts without adequate safeguards on their use (e.g. ‘national security’) may have implications on the permissibility of an Article 17 limitation (A/HRC/23/40, paras 58-60), although this may fall under the question on the legality of the limitation.

Indicator 3: Necessity and Proportionality Principles

Existence of a legitimate aim is not enough to consider an Article 17 limitation to be permissible because the necessity principle requires an objective assessment on the necessity for reaching that aim by the limitation (A/HRC/27/73, para. 23). This includes a consideration whether the limitation is in line with the purposes, aims, and objectives of the ICCPR. Also, an Article 17 limitation must be proportionate to the aim and it must be the least intrusive action available (A/HRC/27/73, para. 23).

Applying this to the GCM’s Objective 11, pre-screening activity and information collection have to be capable of achieving the purpose for which they are implemented. Activities that are ineffective in achieving the purpose concerned do not conform to necessity and proportionality principles. If the purpose is law enforcement and/or counter-terrorism, the mass collection of information (which indicates a lack of link between activities of people concerned and that purpose) may be disproportionate according to the international human rights standards (ECHR, S and Marper, Roman Zakharov; ECJ, Digital Rights Ireland, Tele2). Information must not be retained for longer than is necessary for the purpose for which it is collected because otherwise the law does not conform to the principle of necessity and proportionality. Also, the necessity of retention periods may turn on the nature and the age of information as well as its retention purpose (ECHR, Segerstedt-Wiberg and others).

Indicator 4: Prohibition on Processing of Sensitive Data

Certain categories of data, such as information relating to race or ethnic origin, health or sex life, sexual origin, political opinion, religious or philosophical beliefs, or trade union membership, may reveal more intrusive information about individuals and may have discriminatory consequences. These data must not be processed as a rule due to the grave human rights violations that may arise from their potential misuse. For example, a person may be subjected to degrading treatment because of their political opinions or sexual origin revealed through inappropriate sharing of personal data collected for a specific purpose.

Indicator 5: Safeguards against Profiling and Risk Assessment

Pre-screening activities may involve profiling of individuals based on the alleged threat that they pose to the public security. This may involve looking at risk factors such as travel from conflict zones or certain travel or behavioural activities that are associated with criminal activities. The possibility that this can be carried out by automated tools applying algorithms to information about individuals collected by public or private authorities raises a variety of implications for the protection of human rights not least because of the opaqueness of the algorithms applied. If a pre-screening activity involves the use of such algorithmic decision making, the decisions on the admission of individuals must not be based solely on the automatic process. Individuals must be able to challenge any adverse decisions based on such processing. Rules and criteria according to which the automated processing take place must be reliable, specific, and up-to-date, and must not be discriminatory (ECJ, Opinion 1/15, paras 168-174). This is particularly important when considering the fact that they may involve information gathered for intelligence purposes. Especially with regards to cross-checking different databases as part of the profiling process, information must be cross-checked only with those databases whose objective is limited to purposes for which the information is collected. Above all, the level of margin of error must be taken into account before implementing the pre-screening activity.

Indicator 6: Remedies available to Individuals

Effective remedies for individuals must be incorporated into pre-screening activities or any information-collection tool in the context of border management. These remedies mustensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the [ICCPR]’ (Human Rights Committee General Comment No. 16, para. 10). They must be known and accessible to everyone who may be subjected to the information collection practice (A/HRC/27/73, para. 40). Individuals must have the right to notification in relation to processing of their personal data which enables them to know what data are processed, for which purposes and by whom because it is impossible to challenge the practice without knowing that one may be subjected to information collection in the first place. They must also have the right to rectification or elimination so that they can challenge  incorrect personal data or data that have been collected contrary to law. As mention above, there must be remedies available for automated profiling and risk assessment procedures.

Indicator 7: Adequate Safeguards and Oversight Mechanisms

There must be rules for safeguards to ensure that processing of personal data is adequate, relevant and not excessive in relation to the purposes for which they are processed. This includes safeguards against the risk of arbitrary or abusive use of power by public authorities. Rules on safeguards must be accessible and sufficiently clear in order to provide an adequate indication for individuals about who may have recourse to information collection powers and under what conditions. Moreover, there must be independent and impartial oversight mechanisms to make sure that public authorities conform to domestic rules as well as international human rights standards when implementing pre-screening activities and information collection procedures. The oversight body must also make sure that the safeguards provided to individuals work in practice.

Indicator 8: Prohibition against Discrimination

Article 17 ICCPR protection must be afforded to everyone irrespective of their nationality (A/HRC/27/73, para. 36). This is also required under Article 26 ICCPR which prohibits any discrimination on any ground such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. Protections of personal data with respect to pre-screening activity and information collection for border management must be provided equally to citizens and migrants.  

The views expressed in this article belong to the author/s and do not necessarily reflect those of the Refugee Law InitiativeWe welcome comments and contributions to this blog – please comment below and see here for contribution guidelines.