In this section, we focus upon political and regulatory measures that could be put in place for enhancing resilience to surveillance. They relate to the questions for policy-makers and regulators identified in Part Two, most of which involve accountability, oversight, principles, and public awareness. In this Part, these items are seen in terms of the role they play in maintaining or increasing resilience to surveillance.
Accountability and oversight
As mentioned above, resilience to surveillance requires ways of preventing, mitigating and remedying the negative effects of surveillance. The opacity and non-accountability of much surveillance needs to be overcome in order to enable these effects to be realised. Resilience includes strengthening laws and procedures for accountability and transparency through political processes that include review, the exertion of pressure from outside and within the institutions of politics and government, legislation or other formal rules, the creation of independent oversight and sanctions, and the replacement of a culture of secrecy and public acquiescence by one of openness and criticism. Accountability is more than the assignment and acceptance of responsibility for surveillance practices; it also requires procedures and rules for reporting publicly and engaging in possible challenge to the account given. Oversight encompasses part of this latter requirement, insofar as oversight is applied by specialised independent agencies on behalf of the public. Accountability and oversight in any single country will be less successful without international co-operation and co-ordination where surveillance activities involve other countries.
Several of the generic questions in Part Two can be seen through the lenses of accountability and oversight. Policy-makers and regulators should consider measures that clarify and reinforce current legislation, compliance and “best practice” guidance with regard to the way in which system providers and users demonstrate their accountability in terms of answering the generic questions posed above. These questions closely resemble those that system developers need to answer when they conduct privacy or surveillance impact assessments, which legislators and regulators should encourage where they do not already exist as a statutory requirement. Answering these questions and giving accounts of performance are more likely to have traction on practice if they form part of oversight regimes exercised by regulators or their third-party agents. Policy-makers and regulators should consider how this oversight can be made more effective.
The questions as to how societies can best anticipate future challenges from surveillance, especially in relation to politics and policy formation, are more directly addressed to policy-makers when they develop policies or laws that involve extension or intensification of surveillance, for they ask about the consequences for power imbalances and for societal resilience to surveillance, and about ways of controlling surveillance, which includes oversight. These questions also should be answered by regulators, such as data protection authorities, concerning their own practices in carrying out their enforcement, guidance and awareness-raising roles, and in their practical activities at international levels.
The issue of consent is important both in the narrower sense of individual consent, but also in the broader sense of societal agreement that the state be allowed to undertake surveillance on the people’s behalf. Individual consent is not an absolute requirement for the lawful processing of personal data, although obtaining consent is highly desirable for the establishment of confidence between individuals and surveillant data-collectors. Consent in regard to mass surveillance systems is problematic, especially in the public sector where surveillance is carried out for purposes of law enforcement and combating criminal and terrorist activities. The questions raised above, however, go some way towards addressing transparency even if consent is not possible. For the private sector, where dataveillance is used for marketing and other commercial purposes, required procedures for gaining consent already exist but are not always complied with. Policy-makers and regulators should consider how compliance could be improved, whether by increased penalties and sanctions for non-compliance or by more effective ways of promoting good practice. Where it is not possible, accountability and oversight are all the more necessary. It is important too that society’s consent to surveillance be sought, since, while states may be able successfully to implement secret surveillance schemes, once revealed, they risk threatening the legitimacy of law enforcement and indeed the political process more generally.
Strengthening legal and constitutional protections of privacy
Regulators should ensure that surveillance systems respect privacy principles, for example, those referenced in the proposed EU Data Protection Regulation and already in play in privacy laws around the world. Principles play a part in resilience by providing a normative rationale for judging the acceptability of surveillance, on the basis of which opposition or adaptation may take place. However, privacy is more than data protection: it includes the protection of bodies, spaces, movement, thoughts and other types of privacy and freedoms from the incursions of surveillance technologies, policies and practices. Thus, when assessing surveillance systems, regulators should take into account this wider canvas when assessing the legitimacy and legality of surveillance systems. Equality is an important principle in a democratic society, providing a further rationale for resilience or resistance and a criterion for evaluating surveillance. Surveillance may lead to discrimination and adverse decisions taken against individuals and groups in ways that cut across important values of fairness, equal treatment and the rule of law, beyond any invasion of privacy itself. Generic question 12 and questions 2, 4 and 11 for policy-makers and regulators highlight the relevance of principles and their relation to the proportionality, necessity and consequences of surveillance, all of which should be taken into serious consideration in policy-making and decisions about the legitimacy and exercise of surveillance.
When new surveillance measures are being considered, or when existing schemes are being expanded, the deliberative and democratic process should be as open, consultative and fair as possible. This is the case both in relation to small-scale local measures as well as to national (or even transnational) systems. The deliberative process enables the voices of different parties and interests to be heard, which is important not least because the consequences of implementing surveillance schemes are potentially damaging and far-reaching. Through consultation processes, especially where these involve genuine deliberation and frank public discussion, the grounds on which the surveillance is to be introduced can be heard and assessed, and concerns and objections can be addressed. Deliberative processes facilitate public engagement and are likely to confer greater legitimacy on the surveillance schemes thereby developed.
Awareness and communication
Raising public awareness contributes to resilience by disseminating important information that provides a platform for debate and change. If it is not known who is operating a surveillance systems or the extent of surveillance, it is not possible to resist or to be resilient. Raising awareness is a resilience measure. It is already practiced by regulators such as data protection authorities, and is addressed by questions 2, 3 and 7 for policy-makers and regulators, as well as by the generic questions that underpin the accountability procedures set out in privacy impact assessment, as mentioned above.
Tests of proportionality
In Europe, the most acknowledged method of legal evaluation of conflicts of fundamental rights and legitimate interests, such as privacy and security, is the test of proportionality. The strict methodology of the test is routinely used by courts, including the European Court of Human Rights (ECtHR), when the courts make decisions on the justifiability of concrete cases of restricting fundamental rights, such as the application of surveillance measures. If the legitimacy of surveillance is questioned, the dispute in most cases is resolved by courts, applying the test of proportionality. In the practice of the ECtHR, the emphasis is laid on the last phase of the test, that is, the moral balancing between competing rights and interests. In order to strengthen the legal requirements of introducing or maintaining surveillance measures, European courts need to lay more emphasis on the first phases of the test, namely, the factual elements of the test of proportionality.
The same methodology can also be adequately used at the level of planning, introducing or increasing individual surveillance measures, as research results from the EC-funded PRISMS project (http://prismsproject.eu) have shown. Regulatory or self-regulatory measures should be taken in order to encourage (in certain cases, oblige) stakeholders, who are interested in introducing surveillance methods, formally and substantially to apply the methodology of the test of proportionality. Elements of the test are highlighted above in Part Two, both in the generic questions and in the questions formulated for policy-makers.