Ben and David Cole have been having an exchange (see here and here) about a “universal right to privacy,” including a discussion about what such a right might look like. Stepping back, it is useful to understand how international law currently creates or regulates a “right to privacy” and how that right might (or might not) extend to extraterritorial surveillance by a state. In short, even those who read the scope of the International Covenant on Civil and Political Rights expansively concede that a state party has obligations only to those individuals subject to that state’s jurisdiction. Can we say that intercepting someone’s phone calls or email makes the person subject to the surveilling state’s jurisdiction? The exercise of translating traditional concepts of jurisdiction over individuals in the physical world to activities in the world of surveillance is not an easy one, and will force states to wrestle with both conceptual and technical questions in the coming months and years.
Most human rights treaties (such as the ICCPR, the Convention Against Torture, and the Convention on the Rights of the Child) contain provisions that regulate the geographical or jurisdictional reach of the treaty’s provisions. As a result, a state party’s responsibilities under the treaty are limited to certain factual situations or certain groups of people. While it is theoretically possible that states could agree to new treaty provisions prohibiting arbitrary interference with the privacy of anyone in the world, this construct would look significantly different from the ways in which states have assumed human rights obligations to date.
Consider the scope provision in the ICCPR. Article 2(1) states, “Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant.. . . .” One such right is the right to privacy: ICCPR Article 17(1) states, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.”
As many readers know, the United States has long argued that the ICCPR does not apply extra-territorially, because the U.S. government reads the scope requirement as limiting the treaty to activity within U.S. territory. (This seems to track Ben’s view as to the proper scope of privacy rights.) This is a minority view these days. Many other states, as well as the ICCPR treaty body, assert that the ICCPR applies either when a person is within the territory of a state party or is subject to a state’s jurisdiction (as when a state detains a non-national abroad). David Cole goes even further, saying that the ICCPR “expressly guarantees a right of privacy to all human beings.” But he seems to be reading away – or reinterpreting – the jurisdictional limits in ICCPR Article 2(1).
Council of Europe member states (i.e., most of Europe) have different and arguably more extensive treaty obligations in this regard, but these obligations similarly are subject to jurisdictional limits. The European Convention on Human Rights requires states parties to “secure to everyone within their jurisdiction” the rights and freedoms in the Convention. Those rights include the respect for private and family life, home, and correspondence, subject to certain exceptions (such as national security). While there is extensive and internally contradictory case-law in the European Court of Human Rights about what “within [a state’s] jurisdiction” means, a common thread is the “effective control test” — the requirement that the individual complaining of an ECHR violation was under the “effective control” of the state that allegedly violated his rights. (See here for a COE-drafted summary of extraterritorial jurisdiction cases.) Many of the “effective control” cases involve detention – cases in which a state exercised some level of physical authority and control over the individual who claimed the rights violation. Intercepting telephone calls and reading someone’s email is a far cry from the type of state control those cases contemplate.
As a legal matter, then, to determine whether international law currently regulates extraterritorial surveillance, we need to ask whether surveilling a foreign national’s communications renders that person subject to the surveilling state’s jurisdiction and/or whether the surveillance constitutes “effective control” over that person. The answer is far from obvious, and illustrates that applying concepts of jurisdiction to extra-territorial internet and telephonic privacy will be a hard task indeed. Questions include: How should we think about the relationship between a state and non-nationals abroad (an issue that both Ben and David flagged)? How should we conceive of the scope and content of privacy rights? What level of involvement with a foreign national’s communications suffices to trigger privacy protections? Which state adjudicates national security exceptions to privacy rights? What remedies will exist for violations? How does the technology of surveillance interact with real-world territorial and geographical facts? Substantively, if surveillance is done at the meta-level, is an individual’s right to privacy under the ICCPR or ECHR even implicated? Under what circumstances would surveillance constitute “arbitrary and unlawful interference,” as envisioned by ICCPR Article 17?
All this is not to say that states could not choose to regulate extra-territorial surveillance expressly, including by concluding that the “effective control” test does not make sense in the surveillance/privacy context and by crafting a treaty that rejects jurisdictional limitations entirely. But removing such limits would be unusual in a human rights treaty; at least some states will undoubtedly be very cautious in doing so.