Privacy International

Formation, background and objectives

During 1990, in response to increasing awareness about the globalisation of surveillance, more than a hundred privacy experts and human rights organizations from forty countries took steps to form an international organization for the protection of privacy.

Members of the new body, including computer professionals, academics, lawyers, journalists, jurists and activists, had a common interest in promoting an international understanding of the importance of privacy and data protection. Meetings of the group, which took the name Privacy International (PI), were held throughout that year in North America, Europe, Asia, and the South Pacific, and members agreed to work toward the establishment of new forms of privacy advocacy at the international level. The initiative was convened and personally funded by British privacy activist Simon Davies who served as director of the organisation until June 2012.

At the time, privacy advocacy within the non-government sector was fragmented and regionalised, while at the regulatory level there was little communication between privacy officials outside the European Union. Awareness of privacy issues at the international level was generated primarily through academic publications and international news reports but privacy campaigning at an international level until that time had not been feasible.

While there had for some years existed an annual international meeting of privacy regulators, the formation of Privacy International was the first successful attempt to establish a global focus on this emerging area of human rights. PI evolved as an independent, non-government network with the primary role of advocacy and support, but largely failed in its first decade to become a major international player. Most of its early campaigns were focused on Southeast Asia.

From 2011, Privacy International began to formalise and condense its operations. It is now a UK-registered charity (number 1147471) with twenty full-time members of staff and an office in Central London. As part of restructuring, an informal advisory board was replaced in 2012 by a managing 9 member board of trustees, including investigative journalist Heather Brooke and technologist Jerry Fishenden. The restructuring also established three major program areas: contesting surveillance, challenging data exploitation, and building a global privacy movement.

Privacy International's Articles of Association state that the charity's objective is to promote the human right of privacy throughout the world, as set out in the Universal Declaration of Human Rights and subsequent United Nations conventions and declarations; specifically:

Privacy International has been funded and supported by a variety of foundations, academic establishments, and non-government organisations, including the Adessium Foundation, the Open Society Foundations, the International Research Development Centre, the European Parliament, the European Commission, the Joseph Rowntree Reform Trust, the Esmée Fairbairn Foundation, the University of Toronto's Canada Centre for Global Security Studies in the Munk School of Global Affairs, the American Civil Liberties Union, the Electronic Privacy Information Center, The Fund for Constitutional Government, the Stern Foundation, the Privacy Foundation, the German Marshall Fund, the University of New South Wales, the German Permanent Mission to the UN, the Oak Foundation, the Renewable Freedom Foundation, the Omidyar Network, the Roughley Charitable Trust, the Swedish International Development Agency, and the Street Foundation. It also receives a small amount of finance via contributions.

Campaigns, networking and research

Throughout the 1990s Privacy International was active in North America, Europe and Southeast Asia, where it liaised with local human rights organisations to raise awareness about the development of national surveillance systems. From 2001 to 2010 the organization shifted much of its focus to issues concerning the EU and the United States. From 2011 onward activities expanded to include a more aggressive program of legal action and international advocacy, particularly in the global south.

Since the late 1990s the organization's campaigns, media activity and projects have focused on a wide spectrum of issues, including Internet privacy, international government cooperation, passenger name record transfers, data protection law, anti-terrorism developments, freedom of information, Internet censorship, identity systems, corporate governance, the appointment of privacy regulators, cross-border data flows, data retention, judicial process, government consultation procedures, information security, national security, cybercrime and aspects of around a hundred technologies and technology applications ranging from video surveillance to DNA profiling.

The PI network has also been used by law reform and human rights organisations in more than forty countries to campaign on local privacy issues. In Thailand and the Philippines, for example, Privacy International worked with local human rights bodies to develop national campaigns against the establishment of government identity card systems. In Canada, New Zealand, the United States, Hungary, Australia, and the United Kingdom it has promoted privacy issues through national media and through public campaigns. In Central and Eastern Europe, PI has been active in promoting government accountability through Freedom of information legislation.

PI monitors the activities of international organisations, including the European Union, the Council of Europe, and United Nations agencies. It has conducted numerous studies and reports, and provides commentary and analysis of contemporary policy and technology issues.

The charity is relatively small, comprising twenty full-time staff and a number of volunteers and interns. However the core team is supported in its project work by a collaborative network of around a hundred organisations in the fields of civil liberties, academia, technology assessment and human rights. These include, or have included, the American Civil Liberties Union, the Australian Privacy Foundation, the Electronic Privacy Information Center (US), Statewatch (UK), the Electronic Frontier Foundation (US), European Digital Rights, Consumers International, the Foundation for Information Policy Research (UK), Liberty (UK), the Hungarian Civil Liberties Union, the Moscow Human Rights Network, Amnesty International, Privacy Ukraine, Quintessenz (Austria), Human Rights Watch, Bits of Freedom (Netherlands), freedominfo.org, Index on Censorship, the Association for Progressive Communications, the Global Internet Liberty Campaign, Charter88 (UK), the Philippine Alliance of Human Rights Advocates and the Thai Civil Liberties Union.

PI also has partners in developing countries in Africa, Asia and Latin America, under the auspices of the Global South Program. The partners are:

1. Asociación por los Derechos Civiles (ADC), Argentina
2. Coding Rights, Brazil
3. Derechos Digitales, Chile
4. The Center for Law, Justice and Society (Dejusticia) , Colombia
5. Fundación Karisma, Colombia
6. The Centre for Internet and Society (India) (CIS), India
7. The Institute for Policy Research and Advocacy (ELSAM), Indonesia
8. The National Coalition of Human Rights Defenders Kenya (NCHRD-K), Kenya
9. Digital Rights Foundation (DRF), Pakistan
10. BytesForAll (B4A), Pakistan
11. The Foundation for Media Alternatives (FMA), Philippines
12. The Unwanted Witness, Uganda
13. Privacy LatAm, Brazil
14. The Right2Know Campaign (R2K), South Africa
15. The Media Policy and Democracy Project, South Africa
16. TEDIC, Paraguay
17. Social Media Exchange (SMEX), Lebanon
18. Red en Defensa de los Derechos Digitales (R3D), Mexico

Legal Actions

Privacy International’s legal actions against governments and companies include the following cases:

1. In the Matter of the Search of an Apple iPhone Seized during the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 (“Apple v. FBI”)
2. 10 Human Rights Organisations v. United Kingdom
3. UK Government Hacking Challenge
4. Bulk Personal Datasets Challenge
5. Criminal complaint to National Cyber Crime Unit on behalf of Bahraini activists
6. Privacy International v. United Kingdom
7. OECD complaint against BT, Verizon Enterprise, Vodafone Cable, Viatel, Level 3, and Interoute
8. Privacy International v. Secretary of State for the Foreign and commonwealth Office et al.
9. Privacy International v. The Commissioner for HM Revenue and Customs
10. OECD complaint: Trovicor exporting surveillance technology to Bahrain

Investigations

Privacy International has conducted investigations on Thailand, Syria, Egypt, Uganda, Colombia, Pakistan and Central Asia.

Research projects

PI has published around forty major research reports. These include studies on Internet censorship, communications data retention, counter-terrorism policies in the EU and the US, SWIFT auditing processes, travel surveillance, secrecy provisions and protection of sources, Internet privacy, policy laundering, free-expression and privacy, the US-VISIT program, identity cards and counter-terrorism, encryption, the global surveillance industry, the UK Investigatory Powers Bill, gender issues & the right to privacy, and medical privacy.

PI called on Swiss government to withdraw export licenses for monitoring technology

In 2013 Privacy International publicized the links between several Swiss-based companies and the export of surveillance technologies to authoritarian regimes including Turkmenistan and Oman and called on the Swiss government to withdraw relevant export licenses. The Swiss government later withdrew all export licenses for internet monitoring technology as well as several for mobile phone monitoring technology that were awaiting approval.

European Data Protection Law

From 2012 to 2015 Privacy International lobbied for greater data protection laws in Europe during formation of the General Data Protection Regulation (GDPR). While praising certain provisions including the expansion of people’s rights over personal data, Privacy International claims potential loop holes and vague language make the GDPR fall short of fully safeguarding against unique 21st century threats to data protection.

The International Principles on the Application of Human Rights to Communications Surveillance

In 2013 Privacy International together with Access Now and the Electronic Frontier Foundation launched the “International Principles on the Application of Human Rights to Communications Surveillance”. These principles can provide civil society groups, industry, States, and others with a framework to evaluate whether current or proposed surveillance laws and practices are consistent with international human rights law.

Big Brother Incorporated

In 1995, PI published a report on the international trade in surveillance technology, entitled Big Brother Incorporated and focusing on the sale of technologies by companies in Western countries to repressive regimes intent on using them as tools of political control. However, governments and regulators did not intervene and regulate the surveillance industry, the value of which is now estimated at around $5 billion a year. Exports of surveillance technology to foreign regimes are still wholly at the discretion of the exporter.

PI therefore commenced a second investigation in June 2011. The project, also called Big Brother Incorporated, uses a blend of research and investigation, public campaigning, political engagement and strategic litigation to bring to light the abuses of the surveillance industry and to campaign for proper government regulation, specifically export control regimes.

In December 2011, Privacy International released documents collected from a number of surveillance trade shows and conferences (most prominently the ISS World conference in Washington DC) in collaboration with WikiLeaks, BuggedPlanet, The Bureau of Investigative Journalism, The Washington Post, l'espresso, The Hindu, ARD and OWNI. The Spy Files included brochures, catalogues, technical specifications, contracts and pricelists for the products of around 160 companies.

During 2012, there was growing international awareness of the problems inherent in the rise of the surveillance industry and increasing momentum towards stricter regulation of surveillance technology exports. In March 2012, the EU banned the export of monitoring equipment to the Iranian authorities. The following month, a European Parliament resolution calling for stricter oversight of companies selling equipment to countries such as Syria or China was passed overwhelmingly, with 580 votes for, 28 against, and 74 abstentions. In July 2012, the French Minister for the Digital Economy, Fleur Pellerin, announced her opposition to exports of surveillance technology to repressive regimes during a radio show hosted by Le Monde and public broadcaster France Culture. In September 2012, comments made by the German Foreign Minister at an Internet and Human Rights conference in Berlin were interpreted by the German media as a clear statement of intent to push for tighter controls of EU surveillance technology exports at a national and European level.

The SWIFT affair

In June 2006, The New York Times and the Los Angeles Times published details of a private arrangement between Society for Worldwide Interbank Financial Telecommunication (SWIFT) and the United States Government that involved the mass covert disclosure to the US of customer financial data. SWIFT is a cooperative involving around 8,000 financial institutions. It handles the secure messaging process at the heart of the majority of financial transfers worldwide, amounting to around $2,000 trillion per year.

The following week PI filed simultaneous complaints with Data Protection and Privacy regulators in 38 countries concerning the secret disclosures of records. The complaints alleged that the transfers violated EU law.

The PI complaints sparked a series of regulatory and legal actions that have ultimately forced SWIFT to re-evaluate its practices. The organisation has now agreed to move its data operations to Switzerland where US authorities have no jurisdiction.

The Big Brother Awards

In 1998 Privacy International took the decision to start an international gong called the Big Brother Awards to be given to the most influential and persistent privacy invaders, as well as to people and organisations who have excelled in defending privacy. To date, 75 awards ceremonies have been held as annual events in 17 countries including Japan, Bulgaria, Ukraine, Australia. France, Germany, Austria, Switzerland, the Netherlands, New Zealand, Denmark, the United States, Spain, Finland and the United Kingdom.

The Stupid Security competition

In January 2003, PI launched an international competition to discover the world's "most pointless, intrusive and self-serving security initiatives". The "Stupid Security" award highlighted measures which are pointless and illusory, and which cause unnecessary distress, annoyance and unintended danger to the public. The competition resulted in over five thousand nominations from around the world. The winners were announced at the Computers, Freedom and Privacy Conference in New York on 3 April that year.

Google Street View

In March 2009, following the addition of 25 UK cities to Google's Street View service, Privacy International sent a formal complaint about the service to the UK Information Commissioner's Office (ICO). The complaint cited more than 200 reports from members of the public who were identifiable on images hosted by the service. Privacy International director Simon Davies said that the organisation had filed the complaint due to the "clear embarrassment and damage" Street View had caused to many Britons. He said that Street View fell short of the assurances given to the ICO that had enabled its UK launch and asked for the system to be "switched off" while an investigation was completed.

The ICO had given permission for the launch of the service in July 2008 based partly on Google's assurances that it would blur faces and vehicle licence plates to protect privacy. In its complaint, PI said that Google's claim that its face blurring system would result in a few misses was a "gross underestimation" and meant that the data used by Street View would fall under the UK's Data Protection Act 1998, which requires that subjects give permission for the use of information concerning them. However, the ICO rejected PI's complaint, noting that removing the service would be "disproportionate to the relatively small risk of privacy detriment" and that "Google Street View does not contravene the Data Protection Act and, in any case, it is not in the public interest to turn the digital clock back"

NSA-GCHQ Tribunal Case

In February 2015 PI and other claimants won a judgment from the UK Tribunal that the mass surveillance conducted by the GCHQ with data from the NSA was illegal up to December 2014, being in violation of the European Convention on Human Rights and lacking the necessary legal framework, whereupon PI launched a campaign enabling anyone in the world to ascertain (eventually) if the GCHQ illegally had their data from the NSA.

PI and public controversy

Privacy International's unconventional and sometimes aggressive approach to privacy advocacy has at times resulted in controversy and a questioning of its motives.

The most notable political controversy surrounding the organisation was sparked in 2005 when British Prime Minister Tony Blair and Home Secretary Charles Clarke publicly accused PI's director and founder Simon Davies of covertly using his academic affiliation with the London School of Economics (LSE) to undermine the government's plans for a national identity card. The LSE Director Sir Howard Davies strongly rebutted this charge. The government's intent was apparently to raise doubts about the accuracy of the report in several areas and in particular, the manner in which projected cost estimates had been calculated (based on figures developed by the independent IT analysis company, Kable), and what it called "selective and misleading use of evidence regarding biometrics and a failure to include any natural scientists to inform the report despite the significant claims made about biometrics and the accuracy of biometric technologies". Rather than address the issues raised by the report, several government politicians and their biometric experts instead chose to criticise the accuracy of the report, questioning whether the involvement of leading PI campaigners and well known opponents of identity cards meant that it could be considered unbiased. The episode is notable for the nature of its overtly political attack on an academic report from a leading UK university and its personalisation of criticisms of Simon Davies. Even MPs who supported identity cards recognised that the government had entered new territory by undermining independent academic work on issues of legitimate contemporary interest.

The government's claims of bias were strenuously denied by Simon Davies and resulted in heated debate between Government and Opposition parties both in the House of Commons and the House of Lords. The coverage led Davies to draw comparisons of the argument with former government scientific advisor David Kelly who took his life following an allegedly similar campaign.

In his 2006 autobiography, another former Home Secretary David Blunkett wrote "I am really sorry that the London School of Economics have allowed him (Davies) to even hint that he has any connection with them". Davies has lectured at the LSE since 1997 and continues to do so both as Visiting Fellow and as co-director of the LSE's Policy Engagement Network.

In June 2007 PI released an assessment of the privacy practices of selected online services.

Simon Davies drew criticism for his apparent enthusiasm for aspects of Phorm's model of operation, stating that "[PI] DOES NOT endorse Phorm, though we do applaud a number of developments in its process." PI as a group has not published any analysis or comment concerning Phorm products.

In March 2009, following PI's criticism of Google Street View service, Davies sent an open letter to Google chief executive Eric Schmidt, accusing the company of briefing journalists against him, by claiming Davies was biased in favor of Microsoft. Google pointed to connections between Microsoft and data protection consultancy 80/20 Thinking, run by Davies, and said that Davies's connections to Microsoft should be made clear in public, as the credibility of his criticisms was undermined by the fact that he acted as a consultant to companies who are direct rivals and critics of Google; a fact Davies rarely disclosed in press releases or comments. 80/20 Thinking ceased operations in 2009.

Privacy index

Since 1997 Privacy International, in cooperation with the Electronic Privacy Information Center (EPIC), has conducted annual surveys in order to assess how much privacy nations' populations have from both corporative and government surveillance. The last global report was in 2007. Currently PI publishes State of Privacy reports with its partners, researching the legal and political situation in each country, updated yearly. It also regularly submits country reports to the Universal Periodic Review and the Human Rights Council.

In January 2011, Privacy International, in cooperation with EPIC and the Center for Media and Communications Studies (CMCS) published the European Privacy and Human Rights 2010 report, funded by the European Commission's Special Programme "Fundamental Rights and Citizenship," 2007–13. This was an investigation of the European landscape of national privacy and data protection laws and regulations, as well as other laws, jurisprudence and recent factual developments with an impact on privacy. The study consisted of 33 targeted reports, an overview presenting a comparative legal and policy analysis of main privacy topics and a privacy ranking for all the countries surveyed.