Professional Documents
Culture Documents
Unoct Establishing Legislative Framework Web
Unoct Establishing Legislative Framework Web
The opinions, ndings, conclusions and recommendations expressed herein do not necessarily reect the views o the
United Nations, the International Criminal Police Organization (INTERPOL), the Governments o the European Union or
any other national, regional or global entities involved.
The designation employed and material presented in this publication does not imply the expression o any opinion
whatsoever on the part o the Secretariat o the United Nations concerning the legal status o any country, territory,
city or area o its authorities, or concerning the delimitation o its rontiers or boundaries.
Contents o this publication may be quoted or reproduced, provided that the source o inormation is acknowledged.
The authors would like to receive a copy o the document in which this publication is used or quoted.
Acknowledgements
This report is the product o a joint initiative between the United Nations CounterTerrorism Centre (UNCCT) o the
United Nations Oce o CounterTerrorism (UNOCT) and INTERPOL on strengthening capacities o law enorcement
and criminal justice authorities to counter the use o new technologies or terrorism purposes. The joint initiative was
unded with generous contributions rom the European Union.
Copyright
[I]
BACKGROUND ......................................................................................................8
1.1 Overview ...............................................................................................................................................8
1.2 CT TECH Initiative..................................................................................................................................9
1.3 Document Purpose and Use ................................................................................................................. 10
[II]
APPROACH......................................................................................................... 12
2.1 Overview ............................................................................................................................................. 12
2.3 Methodology........................................................................................................................................ 15
[III]
INTRODUCTION ...................................................................................................17
3.1 Overview ............................................................................................................................................. 17
3.2 New Technologies and CounterTerrorism............................................................................................ 17
[IV]
COLLECTION OF ONLINE DATA BY LAW ENFORCEMENT AUTHORITIES ...............20
4.1 Overview .............................................................................................................................................20
4.2 Terminology: Online Data Collection and Online Surveillance ................................................................ 21
4.3 Metadata .............................................................................................................................................22
4.4 Guiding Principles ...............................................................................................................................22
4.5 Rights o Data Subjects .......................................................................................................................24
[V]
TRANSPARENCY AND OVERSIGHT MECHANISMS................................................26
5.1 Overview .............................................................................................................................................26
5.2 Eective Oversight Bodies...................................................................................................................27
5.3 Prior Independent Approval or Surveillance and Special Investigative Operations.................................27
5.4 Complaints Mechanisms ......................................................................................................................30
5.5 Commercially Aggregated Data ............................................................................................................32
[VI]
SUMMARY OF CONSIDERATIONS.........................................................................33
6.1 Key Considerations..............................................................................................................................33
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 3
Acknowledgements
This document has been developed through the contributions and review by a wide range o stakeholders.
Specically, the United Nations Oce o CounterTerrorism (UNOCT) wish to acknowledge the contribution
made by:
1 European Cybercrime Center (EC3), Internet Organized Crime Threat Assessment 2019 (Europol, 2019), https://www.europol.europa.eu/
cms/sites/deault/les/documents/iocta_2019.pd
2 CTED Guidelines to acilitate the use and admissibility as evidence in national criminal courts o inormation collected, handled,
preserved and shared by the military to prosecute terrorist oences (2019), https://www.un.org/securitycouncil/ctc/sites/www.un.org.
securitycouncil.ctc/les/les/documents/2021/Jan/cted_military_evidence_guidelines.pd
3 Oce o the United Nations High Commissioner or Human Rights, Basic Principles on the Independent o the Judiciary,
< https://www.ohchr.org/en/instrumentsmechanisms/instruments/basicprinciplesindependencejudiciary>
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 5
Independent are autonomous rom political, economic, military or other objectives. They have: 1) ormal (de jure)
Oversight independence requiring that they remain outside the bureaucratic, hierarchical chain o command
Mechanisms within a ministry or other government agencies; and 2) actual (de acto) independence, which
relates to the agency’s seldetermination in the use o appropriate measures.4
Intelligence The product resulting rom collecting, developing, disseminating, analysing, and
interpreting o inormation gathered rom a wide range o sources, to inorm decision
makers or planning purposes to take decisions or actions – strategic, operational or
tactical level. Intelligence should be collected, retained, used and shared in compliance with
relevant Member State obligations under international human rights law.
Criminal The process o collecting inormation (or evidence) to determine i a crime has been
Investigations committed; identiy the perpetrator and to provide evidence to support the prosecution in
legal proceedings.
Law Enforcement Typically describes law enorcement actions taken against a threat, which may include detaining
Actions individual(s), disrupting threat actor activities (i.e. content removal, asset seizures), etc.
Legal Framework for reers to national laws, executive or judicial orders, administrative regulations, case law, and
Government Access other legally binding instruments or requirements, including legal obligations arising rom
to Personal Data international and supranational law as applicable in the country.
Metadata dened as “a set o data that describes and gives inormation about other data.”
New Technologies While the new technologies terminology covers a wide range o dierent technologies5,
or the purpose o this document new technologies reer to the use and abuse o such new
technologies as the Internet, social media, cryptocurrencies, acial recognition and darknet.6
Personal Online Data Reers to any online inormation relating to an identied or identiable individual
Rehabilitation In a criminal justice context, the term ‘rehabilitation’ is used to reer to interventions managed by
the corrections system with the aim to change the oender’s views or behaviour to reduce the
likelihood o reoending and prepare and support the oender’s reintegration back into society.
Reintegration A comprehensive process o integrating a person back into a social and/or unctional setting.
Surveillance the systematic observation or monitoring o individuals, groups or activities by an
authorized government entity, including the collection, recording, analysis, or dissemination
o inormation, or the purpose o preventing, investigating, and/or prosecuting criminal
activity. It may consist o physical, electronic (wiretaps, tracking devices, etc.) or digital
surveillance (internet browsing, email communications, social media interactions).
Terrorism Criminal acts, including against civilians, committed with the intent to cause death or
serious bodily injury, or taking o hostages, with the purpose to provoke a state o terror in
the general public or in a group o persons or particular persons, intimidate a population
or compel a government or an international organization to do or to abstain rom doing
any act, which constitute oences within the scope o and as dened in the international
conventions and protocols relating to terrorism.7
Zettabyte One zettabyte is equal to one billon terabytes.
4 See, or example, OECD Public Integrity Handbook Section 12.2.3, <https://www.oecdilibrary.org/sites/77150e0en/index.html?itemId=/
content/component/77150e0en>
5 Articial Intelligence, Internet o things, block chain technologies, cryptoassets, drones and unmanned aerial systems, DNA,
ngerprints, cyber technology, acial recognition, 3D printing.
6 CT TECH Project Document – Annex I Description o the Action
7 United Nations Security Council resolution 1566 (2004), OP 3.
6 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
Executive Summary
The most eective counterterrorism responses are those that are compliant with international human rights
obligations. Intrusive national security policies may have a negative impact on the respect and protection o human
rights, in particular the rights to privacy, reedom o expression and association, and nondiscrimination. Whether
online or ofine, ensuring that security policies comply with international law obligations requires the adoption o
appropriate and human rightscompliant legal rameworks and the establishment o eective and independent
transparency and oversight mechanisms.
This guidance ocuses on the obligations o Member States and not those o Inormation and Communications
Technology companies. The human rights responsibilities o these companies are addressed in the United Nations
Guiding Principles on Business and Human Rights.8
8 Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework | OHCHR
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 7
The CTC noted “with concern the increased use, in a globalized society, by terrorists and their supporters of the Internet
and other information and communication technologies, including social media platforms, for terrorist purposes”
and acknowledged “the need to balance fostering innovation and preventing and countering the use of new and
emerging technologies, as their application expands, for terrorist purposes”, while emphasizing “the need to preserve
global connectivity and the ree and secure fow o inormation facilitating economic development, communication,
participation and access to information”.
To achieve the overall objective, the CT TECH initiative implements two distinct outcomes with six
underpinning outputs.
FIGURE 1
Strengthening capacities of law enforcement and criminal justice authorities to counter the exploitation of
new and emerging technologies for terrorist purposes and supporting the leveraging of new and emerging
technologies in the ght against terrorism as part of this effort.
OUTCOME 1 OUTCOME 2
EFFECTIVE COUNTER-TERRORISM INCREASED LAW ENFORCEMENT AND
POLICY RESPONSES … CRIMINAL JUSTICE OPERATIONAL CAPACITY …
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 9
TABLE 1. CT TECH Outcomes and Outputs
Outcome 1: Effective counter-terrorism policy responses towards the challenges and opportunities of new
technologies in countering terrorism in full respect of human rights and rule of law.
Knowledge products developed or the design o national counterterrorism policy responses
to address challenges and opportunities o new technologies in countering terrorism in ull
Output 1.1 respect o human rights and the rule o law is developed.
Increased awareness and knowledge o good practices on the identication o risks and
benets associated with new technologies and terrorism in ull respect o human rights and the
Output 1.2 rule o law.
Outcome 2: Increased law enforcement and criminal justice operational capacity to counter the exploitation of
new technologies for terrorist purposes and use of new technologies to prevent and counter-terrorism in full
respect of human rights and rule of law.
Practical tools and guidance or law enorcement on countering the exploitation o new
technologies or terrorist purposes and use o new technologies to prevent and counter
Output 2.1 terrorism in ull respect o human rights and the rule o law is developed.
Partner States’ law enorcement and criminal justice institutions have enhanced skills to
counter the exploitation o new technologies or terrorist purposes and use o new technologies
Output 2.2 to counterterrorism in ull respect o human rights and the rule o law.
Increased international police cooperation and inormation sharing on countering terrorist use
o new technologies and using new technologies to counterterrorism.
Output 2.3
1.3.1 Scope
This document aims to raise awareness regarding the human rights and privacy concerns on the practices o online
data collection or counterterrorism law enorcement purposes as well as oer key oversight considerations to
ensure appropriate saeguards to the practices o online data collection with respect to international human rights
norms and practices.
10 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
1.3.2 Target Audience
This guide is designed primarily or policy makers, although law enorcement agencies should be aware o its main
principles and related mechanisms.
1.3.3 Benets
History is replete with examples o responses to terrorist threats that have created or amplied existing grievances that
may in turn uel terrorism and violent extremism conducive to terrorism. Eective independent oversight mechanisms
contribute to greater accountability and transparency.
1.3.4 Limitations
This guidance does not address in any depth the numerous concerns regarding the purchase o commercially aggregated
personal data by government agencies, although the practice raises substantial privacy issues. It also does not address
oversight o the private sector.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 11
The guiding ramework is a conceptual model that is intended to guide, align, and inorm the development o the
report. It seeks to ensure coherence rom strategy to execution between the United Nations Global CounterTerrorism
Strategy (GCTS) and a Member State’s National Counterterrorism Policy and Strategy goals and outcomes, services,
and capabilities rom a law enorcement and criminal justice perspective, regarding new technologies.
The United Nations GCTS, adopted by the General Assembly, sets out broad actions or Member States to address
terrorism threat, which are set out across our key pillars:
Pillar III: Measures to build States’ capacity to prevent and combat terrorism and to strengthen the role o the
United Nations system in this regard
Pillar IV: Measures to ensure respect or human rights or all and the rule o law as the undamental basis o the
ght against terrorism
Member States are encouraged to develop their respective national counterterrorism legal and policy rameworks
in alignment with the United Nations GCTS. They must ensure that their respective counterterrorism laws, policies,
strategies and measures comply with their obligations under international law, including international human rights law,
international reugee law and international humanitarian law. A Member State’s national counterterrorism legal and
policy ramework should broadly seek to prevent and address violent extremism as and when conducive to terrorism,
prevent or limit terrorist activities, take appropriate measures to protect persons within the State’s jurisdiction,
services and inrastructure against reasonably oreseeable threats o terrorist attacks, and ensure that terrorists are
held accountable or their actions.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 13
To achieve the counterterrorism outcomes and goals, Member States’ national law enorcement and criminal justice
authorities have a set o tools at their disposal. These include, but are not limited to:
TABLE 2. High-level National Law Enforcement and Criminal Justice Services for Counter-terrorism
Services Description
Criminal Justice A legal process to bring about criminal charges against an individual or an entity and the
Process court proceedings, judgement o the case, and sentencing o the conviction as well as
corrections and rehabilitation.
Intelligence The product resulting rom collecting, developing, disseminating, analysing, and
interpreting o inormation gathered rom a wide range o sources, to inorm decision
makers or planning purposes to take decisions or actions – strategic, operational or
tactical level. Intelligence should be collected, retained, used and shared in compliance
with relevant Member State obligations under international human rights law.
Criminal The process o collecting inormation (or evidence) to determine i a crime has been
Investigations committed; identiy the perpetrator and to provide evidence to support criminal justice
proceedings.
Law Enforcement Typically describes law enorcement actions taken against a threat, which may
Actions include detaining individual(s), disrupting threat actor activities (i.e., content removal,
asset seizures), etc.
Rehabilitation In a criminal justice context, the term ‘rehabilitation’ is used to reer to interventions
managed by the corrections system with the aim to change the oender’s views or
behaviour to reduce the likelihood o reoending and prepare and support the oender’s
reintegration back into society.
The eective use and deployment o such services and tools is dependent on a set o underlying capabilities. The
required capabilities to enable and deliver services are oten dened and represented in a capability model. A capability
model represents a unctional decomposition o key unctions into a logical and granular grouping which supports the
execution o services and activities. The capability model inorms the requirements across people (structure and skills),
processes, technology, inrastructure, and nance.
The guiding ramework serves to ensure alignment between strategy and execution rom both ‘topdown’ and ‘bottomup’.
14 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
2.3 Methodology
FIGURE 3
The methodology or developing this document on “Establishing Legislative Frameworks and Transparency Mechanisms
or Online Data Collection” includes research, analysis, and consultation with relevant stakeholders and experts,
which include CT TECH project documents, stakeholder consultation, internal analysis, desktop research, expert
group meetings, coordination with the United Nations Global CounterTerrorism Coordination Compact entities, and
the guiding ramework as described above in section 2.2. From these activities, the key outputs o this document
identiy key human rights and privacy issues and challenges with regard to online data collection as well as oer key
considerations or oversight through legislative and transparency mechanisms.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 15
2.3.2 Reference Document Review
The development o this guide was inormed by, took into consideration, built upon, and complemented existing
research, guidelines, and publications – which includes the ollowing:
TABLE 3. References
2 Reports o the Oce o the United Nations High Commissioner or Human Rights, the Right to Privacy in
the Digital Age.
3 Report o the Special Rapporteur on the promotion and protection o human rights and undamental
reedoms while countering terrorism, Martin Scheinin, Compilation o good practices on legal and
institutional rameworks and measures that ensure respect or human rights by intelligence agencies while
countering terrorism, including on their oversight.
4 The state o international cooperation or lawul access to digital evidence: research perspectives, CTED
trends report, January 2022.
8 Council o Europe, Practical guide on the use o personal data in the police sector
9 Report o the Special Rapporteur on the promotion and protection o the right to reedom o opinion and
expression, Frank La Rue, A/HRC/23/40
16 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
On the other hand, new technologies present signicant opportunities as a capability multiplier or counterterrorism
and law enorcement authorities. For example, such technologies could allow law enorcement authorities to do more
with less, ast track timely decision making, generate new insights, and conduct disruptive operations remotely. At the
same time, concerns arise about the risks to privacy and the exercise o human rights more generally, emanating rom
relevant legislation allowing the use o such technologies which oten all short o applicable international human rights
standards as well as rom their implementation by law enorcement.
Countering the use o new technologies or terrorist purposes hinges on understanding how terrorist actors are using
new technologies, developing eective and human rightscompliant legal ramework and policy responses, and building
operational capacity to counter the use o such technologies or terrorist purposes, to include leveraging and adopting
the use o new technologies.
Opensource intelligence enables quick collection o inormation about targets o interest, which can make law
enorcement activities more eective. Advanced data analytics and articial intelligence (AI) capabilities allow or
the processing and analysis o vast amounts o inormation, enabling law enorcement to identiy patterns, detect
potential threats, and preemptively respond to terrorist activities. Advanced surveillance systems, including acial
recognition and biometric technologies, aid in the identication and tracking o suspects, enhancing the eciency o
investigations, preventing potential attacks, and prosecuting suspected terrorists. Furthermore, digital orensics tools
assist in extracting critical evidence rom electronic devices, enabling law enorcement to uncover hidden connections,
disrupt terrorist networks and prosecute suspected terrorists.
Leveraging new technologies can help prioritize limited law enorcement resources in a more eective way. However,
it is crucial that these technologies are employed ethically and with strict adherence to the rule o law and international
human rights norms and standards, including the right to privacy. Transparency and accountability measures and
mechanisms must be in place to ensure responsible use and prevent any potential misuse o these powerul tools.
Additionally, comprehensive training programmes should be implemented to equip law enorcement personnel with the
necessary skills to leverage new technologies eectively in line with international human rights norms and standards,
and within the boundaries o legal and ethical rameworks. By leveraging new technology responsibly, law enorcement
can signicantly enhance their counterterrorism eorts and saeguard the saety and security o communities.
18 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
3.2.3 Human Rights and New Technologies
Terrorism poses a serious challenge to the very tenets o the rule o law, the protection o human rights and their eective
implementation. It can destabilize legitimately constituted governments, undermine pluralistic civil society, jeopardize
peace and security, and threaten social and economic development. States have the obligation to take appropriate
measures to protect persons within their jurisdiction against reasonably oreseeable threats o terrorist attacks. States’
duty to saeguard human rights includes the obligation to take necessary and adequate measures to prevent, combat and
punish activities that endanger these rights, such as threats to national security or violent crime, including terrorism. All
such measures, must themselves be in line with international human rights law and rule o law standards.
In the context o employing new and emerging technologies to counter terrorist activities , States have to ensure that
relevant laws, policies and practices respect rights such as the right to privacy, the rights to reedom o expression,
reedom o association, reedom o thought, conscience and religion, the right to liberty and security o the person, the
right to air trial, including the presumption o innocence as well as the principle o nondiscrimination. States must also
uphold the absolute prohibition o torture and cruel, inhuman or degrading treatment or punishment.
The UN, Interpol and the EU have repeatedly underlined the interrelationship between new technologies, counterterrorism,
and human rights, including gender equality. The UN Global CounterTerrorism Strategy and various General Assembly and
Security Council resolutions underscore Member States’ obligations under international human rights law, international
humanitarian law, and international reugee law when countering terrorism .In particular, the UN’s counterterrorism
strategy recognizes that “eective counterterrorism measures and the protection o human rights are not conicting
goals, but complementary and mutually reinorcing” and requires measures to ensure respect or human rights or all and
the rule o law as the undamental basis o the ght against terrorism . Specically, the Strategy encouraged Member
States to address the use o the Internet and other inormation and communications technologies, including social media
platorms, or terrorist purposes, including the continued spread o terrorist content while respecting international law,
including international human rights law, including the right to reedom o expression.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 19
Best practices and mechanisms must include: clear and precise internal guidelines or law enorcement access to
online data to be provided to the relevant ocers beore they access any personal data; internal supervision o data
collection during operations; ex ante independent authorization or the collection o certain types o inormation;
independent oversight o law enorcement operations during and ater operations; and, access to redress mechanisms
and the provision o eective remedies and to victims o violations o human rights.
A police ocer who has stopped a vehicle or a trac inraction, or example, may not need prior judicial authorization
to check the driver’s license against a database o drivers whose licenses have been suspended or the license plate
against a database o stolen vehicles. Moreover, licensed drivers are aware that their personal data is collected, stored,
and processed by government agencies or road saety purposes.
That being said, access to certain categories o data, such as genetic data, personal data related to oences, criminal
proceedings and convictions and related security measures, biometric data uniquely identiying a person, personal data
or the inormation they reveal relating to racial or ethnic origin, political opinions, tradeunion membership, religious or
other belies, health or sexual lie can only be processed i prescribed by law and appropriate saeguards have been put
in place to tackle the potential risk o discrimination or o adverse legal eect signicantly aecting the data subjects.
Saeguards can be o a technical nature, or instance, additional security measures, and o an organisational nature.
Saeguards should be adjusted to each data processing operation taking into account their specicities. The use o
multiple levels o protection or those categories o data (e.g.: separate mainrames, shorter data retention periods,
etc.) is highly recommended. Further, it is o paramount importance that specic security measures be put in place to
prevent unauthorised or unwanted access to those categories o data.26
In contrast to ordinary data collection and processing, online surveillance, involves the monitoring o the online activities
o specic individuals and entities by security orces, typically without their knowledge or consent. The absence o
knowledge and consent calls or more stringent oversight i not complete transparency at all times.
As all orms o surveillance physical, electronic, and digital generally raise more critical privacy issues, they require
more rigorous oversight than other orms o personal data collection. This guidance ocuses primarily on personal data
collection in the context o surveillance operations.
25 See or example, Council o Europe, Practical guide on the use o personal data in the police sector, Sections 2 and 3. Available at:
< https://rm.coe.int/tpd20101practicalguideontheuseopersonaldatainthepolice/16807927d5>
26 Council o Europe, Practical guide on the use o personal data in the police sector, Section 4. Available at: < https://rm.coe.int/tpd201
01practicalguideontheuseopersonaldatainthepolice/16807927d5>
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 21
4.3 Metadata
Metadata is generally dened as “a set o data that describes and gives inormation about other data.” It was initially
believed that the collection o metadata relating to communications was o lesser concern than the collection o the
content o communications. The European Court o Human Rights, or example, held that communications data is an
“integral element” o a private communication and thereore enjoys a degree o protection under Article 8 albeit less than
that aorded to the content o a communication.27 However, due to developments in technology, metadata, including
the identication o the owner o an IP address, subscriber data, mobile device identier or an email’s IP address, a
mobile subscriber identier (IMSE), and email addresses call be highly revealing in an ecosystem where individuals leave
their electronic ootprints behind in their digital content. As such, metadata can be a proxy or the protected content
o communications, and as a result, collection o such data can be highly intrusive.28 Indeed, a separate European
court, the Court o Justice o the European Union, concluded that “data, taken as a whole, is liable to allow very precise
conclusions to be drawn concerning the private lives o the persons whose data has been retained, such as everyday
habits, permanent or temporary places o residence, daily or other movements, the activities carried out, the social
relationships o those persons and the social environments requented by them. In particular, that data provides the
means o establishing a prole o the individuals concerned, inormation that is no less sensitive, having regard to the
right to privacy, than the actual content o communications”.29 Consequently, distinctions between identiying personal
data and apparently anonymized metadata are increasingly articial and dicult to justiy.
27 See, European Court o Human Rights, Big Brother Watch and other v. the United Kingdom and Malone v. United Kingdom, (1985), para. 84.
28 Brie o Amici Curiae Article 19, Electronic Frontier Foundation, Fundación Karisma, and Privacy International at the InterAmerican Court
or Human Rights in Members of José Alvear Restrepo Lawyers’ Collective v. Colombia, p. 10. <https://www.law.berkeley.edu/wpcontent/
uploads/2022/05/AmicusBrieCCAJARv.Colombia.pd>
29 Judgments in Case C623/17, Privacy International, and in Joined Cases C511/18, La Quadrature du Net and Others, C512/18, French Data
Network and Others, and C520/18, Ordre des barreaux rancophones et germanophone and Others, para. 117.
30 When acing a public emergency “threatening the lie o the nation”, States have the possibility to temporarily adjust certain human rights
obligations, subject to a set o conditions. For more details on derogations: Human Rights Committee, General Comment No. 29 ‘States o
emergency (Article 4), CCPR/C/21/Rev.1/Add.11.
31 Such rights include the prohibitions on torture and cruel, inhuman or degrading treatment or punishment, on slavery and servitude as
well as the principle o legality requiring that there be no punishment without law. The absolute nature o these rights means that it is not
permitted to restrict them by balancing their enjoyment against the pursuit o a legitimate aim, including in case o armed conict, or any
case o public emergency.
32 See, e.g., Siracusa Principles on the Limitation and Derogation o Provisions in the International Covenant on Civil and Political Rights (E/
CN.4/1985/4, annex); Human Rights Committee, General Comment No. 37, Article 21 on the right o peaceul assembly, CCPR/C/GC/37, paras.
36, 46; Human Rights Committee, General Comment No. 34. Article 19: Freedoms o opinion and expression, CCPR/C/GC/34, para. 32.
22 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
4.4.1 Provided by Law
Any counterterrorism measures that restrict human rights must have a basis in domestic law. That domestic legal
basis much be suciently oreseeable, accessible and provide adequate saeguards against abuse such as independent
review and oversight and must or provide or an eective remedy, in case o violations o human rights. Foreseeability
implies that the law must be ormulated with sucient precision to enable both an individual to regulate their conduct
accordingly33 and competent authorities to ascertain when rights can be restricted and indicate the scope o any
discretion conerred them as well as the manner o its exercise.34 The law must be suciently accessible so that
individuals must have the possibility to become aware o its content.35 A decision to authorize intererence with the
right to privacy, or example by issuance o a warrant, must be made only by an independent authority designated under
the law, and on a casebycase basis.36 Secret rules, guidelines, or interpretations o the rules do not have the quality o
“law.”37 Finally, laws must be democratically enacted.38
However, States have at times improperly reerred to the imperatives o national security, specically counterterrorism,
as a pretext to justiy vaguely dened and arbitrary intererences with human rights. “[t]he use o an amorphous
concept o national security to justiy invasive limitations on the enjoyment o human rights is o serious concern. The
concept is broadly dened and is thus vulnerable to manipulation by the State as a means o justiying actions that
target vulnerable grounds such as human rights deenders, journalists, or peaceul activists. It also acts to warrant
oten- unnecessary secrecy around investigations or law enorcement activities, undermining the principles o
transparency and accountability.41
33 See, e.g., Human Rights Committee, General Comment No. 34. Article 19: Freedoms o opinion and expression, CCPR/C/GC/34, para. 25;
European Court o Human Rights, Sunday Times v. The United Kingdom (no. 1), Application no. 6538/74, 26 April 1979, § 49.
34 See, e.g., Human Rights Committee, General Comment No. 34. Article 19: Freedoms o opinion and expression, CCPR/C/GC/34, para. 25;
European Court o Human Rights, Malone v. The United Kingdom, Application no. 8691/79, 2 August 1984, §§ 6668.
35 See, e.g., Human Rights Committee, General Comment No. 34. Article 19: Freedoms o opinion and expression, CCPR/C/GC/34, para. 25;
European Court o Human Rights, Groppera Radio AG and Others v. Switzerland, Application no. 10890/84, Series A no. 173, 28 March 1990,
§§ 6568.
36 Human Rights Committee, General Comment 16, para. 8, available at: https://www.reworld.org/docid/453883922.html
37 Report o the United Nations High Commissioner or Human Rights, The Right to Privacy in the Digital Age, A/HRC/27/37, para.29. See
also, European Court o Human Rights, Malone v. United Kingdom, (1985), 7 EHRR 14, paras. 6768, available at: https://www.stradalex.
com/nl/sl_src_publ_jur_int/document/echr_869179; Arican Commission on Human and Peoples’ Rights, Principles and Guidelines
on Human and Peoples’ Rights While Countering Terrorism in Arica, Part 11, A: The legal ramework concerning any intererence with
privacy, as well as their procedures, should be accessible to the public. Available at: https://www.achpr.org/legalinstruments/detail?id=9
38 See, Arican Court o Human and Peoples’ Rights, XYZ v. Republic of Benin, Judgement 27 November 2022, paras. 101102, concluding that
the impugned law was unlawully adopted by summary procedure, and that the additional ailure to disseminate the law constituted a
violation o the right to inormation, paras. 118121. Available at: https://aricanlii.org/au/judgment/aricancourt/2020/3
39 See or example, ECHR, Article 8 (2); IACHR, Articles 13 (2) (b) and 30; ACHPR, Article 11. See also, Arican Commission on Human and
Peoples’ Rights, Principles and Guidelines on Human and Peoples’ Rights While Countering Terrorism in Arica, General Principle M.
40 Siracusa Principles on the Limitation and Derogation o Provisions in the International Covenant on Civil and Political Rights (E/
CN.4/1985/4, annex), para. 29; Human Rights Committee, General Comment No. 37, Article 21 on the right o peaceul assembly, CCPR/C/
GC/37, para. 42.
41 Report o the Special Rapporteur on the promotion and protection o the right to reedom o opinion and expression, Frank La Rue, A/
HRC/23/40, para. 58. < http://www.ohchr.org/Documents/HRBodies /HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pd>
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 23
4.4.3 Necessity and Proportionality
As such, limitations must not only be taken in pursuance o a legitimate aim, they must also be necessary to protect the
aim. The requirement o necessity goes beyond/ sets a higher threshold than what is “merely reasonable or expedient”.
In essence, a measure violates the test o necessity i the protection could be achieved in other ways that do not restrict
the right in question.
Measures restricting a qualied right must be proportionate to the legitimate aim pursued, and , they must be
appropriate to achieve their protective unction and they must be the least intrusive among those that might achieve
the desired result, and they must be proportionate to the interest to be protected.42 For example, in a case beore the
European Court o Human Rights, the Court held that “the blanket and indiscriminate” retention o DNA amounted to a
“disproportionate intererence” with the private lives o those persons rom which the data had been taken. The Court
placed particular weight on the act that the material was “retained indenitely” whatever the nature or seriousness o
the oense o which the person was suspected, an especially appropriate consideration in the case as one deendant
was acquitted and the case against the second was discontinued.43
4.4.4 Non-discrimination
The prohibition against discrimination in international human rights law is absolute and there can be no derogation
rom or restriction on that right.44 Protected grounds comprise, but are not limited to: sex, race, colour, ethnic origin,
language, religion, political or other opinions, national or social origin, or other status.
42 See or example, Human Rights Committee, General Comment 31, para. 6. Arican Commission on Human and Peoples’ Rights,
Principles and Guidelines on Human and Peoples’ Rights While Countering Terrorism in Arica, General Principle M.
<https://www.achpr.org/legalinstruments/detail?id=9>
43 European Court on Human Rights, S and Marper v. United Kingdom (2009) 48 EHRR 50 at para 118. In this case, one o the accused was
acquitted and the case against the second was discontinued. The UK government itsel admitted that the retention o DNA data “was
neither warranted by any degree o suspicion o the applicants’ involvement in a crime or propensity to crime nor directed at retaining
records in respect o investigated alleged oences in the past. Also on the principle o proportionality, see: InterAmerican Court on
Human Rights, Roche Azaña v. Nicaragua Merits and Reparations. Judgment o June 3, 2020. Series C No. 403, para. 53.
44 See, or example, Universal Declaration o Human Rights (arts. 1 and 2) and International Covenant on Civil and Political Rights (art. 26),
as well as the Convention on the Elimination o Racial Discrimination (CERD). The InterAmerican Court o Human Rights, or example,
has stated that “the principle o equality beore the law, equal protection beore the law and nondiscrimination belong to jus cogens,
because the whole legal structure o national and international public order rests on it and it is a principle that permeates all law.” Inter
American Court o Human Rights, Advisory Opinion OC18/03 on the juridical condition and rights o the undocumented migrants, 17
September 2003, para. 101. Arican Commission on Human and Peoples’ Rights, Principles and Guidelines on Human and Peoples’ Rights
While Countering Terrorism in Arica, General Principle G. the Committee on the Elimination o Racial Discrimination has called on States
to ensure that any measures taken in the ght against terrorism do not discriminate, in purpose or eect, on the grounds o race, colour,
descent, or national or ethnic origin and that noncitizens are not subjected to racial or ethnic proling or stereotyping.
45 Freedom o Inormation is an integral part o the undamental right to reedom o expression. See, or example, < https://www.un.org/
ruleoaw/thematicareas/governance/reedomoinormation/#:~:text=Freedom%20o%20inormation%20is%20an,right%20o%20
reedom%20o%20expression>
24 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
At its essence, European Union law requires that, at a minimum, the persons aected by online data collection and
processing have a right to know that personal data has been retained and processed, to have access to the data stored, to
rectiy data that is inaccurate or outdated, and to delete or rectiy data unlawully or unnecessarily stored. In addition, they
have a right to object to personal data processing, unless the State or processing entity demonstrates legitimate grounds
or the collection and processing o that data and they have the right to a remedy where their rights have been violated.46
However, there may be restrictions rom these general rules in the context o law enorcement activities and operations
when such restrictions are provided by law, respect the essence o the undamental rights and reedoms and constitute
a necessary and proportionate measure in a democratic society, including or, but not limited to the protection
o national security or the prevention, investigation and prosecution o criminal oences.47 For example: when
investigating and surveilling a highrisk suspect, data processing and longterm data retention may be justied without
inorming the individual under surveillance i alerting the target could prejudice an ongoing or planned investigation.
But once the purpose o covert monitoring has been achieved, and no other restriction is applicable, the target should
be inormed about the act that s/he was subject to such a measure. Other circumstances in which restrictions on the
right to access inormation related to data processed might be warranted include, or example, i providing inormation
to a data subject could endanger the saety o a witness or inormant. Or, i specic intelligence indicates that money
laundering operations have been carried out to nance terrorist operations, data collected on individuals may be kept,
i approved by an external oversight body, or a longer period than might otherwise be strictly necessary or purposes o
an individual investigation. Withholding inormation about the data processing by police, however, should be used only
sparingly and where it can be clearly justied. 48
46 Council o Europe, modernized Convention 108 or the Protection o Individuals with regard to Automatic Processing o Personal Data.
See also article 21 o the European Union’s General Data Protection Regulation and article 18 (1) o the Malabo Convention on cyber
security and personal data protection.
47 Ibid., Article 11.
48 Council o Europe, Practical guide on the use o personal data in the police sector, Sections 5,7. Available at: < https://rm.coe.int/tpd
20101practicalguideontheuseopersonaldatainthepolice/16807927d5>
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 25
5.2 Effective Oversight Bodies
To be eective, oversight bodies must be able to initiate and conduct independent investigations, be adequately
resourced in terms o budgets, expertise, material, and must have ull and unhindered access to inormation, installations
and ocials.51 For example, oversight bodies must have access to all relevant inormation, regardless o its level o
classication, which they deem to be relevant to the ullment o their mandates. Access to inormation by oversight
bodies should be enshrined in law that denes their mandates and powers. Any attempts to restrict oversight bodies’
access to classied inormation should be prohibited and subject to sanction where appropriate. It may, however, be
necessary to redact rom public reports, inormation identiying potential targets, witnesses, and individual methods.
Law enorcement agencies have increasingly sophisticated capacities to collect, share and receive inormation and use
increasingly complex systems or doing so. Accordingly, oversight bodies may require independent technical expertise
to understand the unctioning o various systems.
51 Report o the Special Rapporteur on the promotion and protection o human rights and undamental reedoms while countering
terrorism, Martin Scheinin, Compilation o good practices on legal and institutional rameworks and measures that ensure respect or
human rights by intelligence agencies while countering terrorism, including on their oversight, A/HRC/14/46, available at: <https://
documentsddsny.un.org/doc/UNDOC/GEN/G10/134/10/PDF/G1013410.pd?OpenElement>
52 See, or example, OECD Public Integrity Handbook Section 12.2.3, <https://www.oecdilibrary.org/sites/77150e0en/index.html?itemId=/
content/component/77150e0en>
53 General Comment 16, para. 8.
54 Szabó and Vissy v. Hungary, para. 77.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 27
surveillance despite the act that the request or surveillance did not include any reasons or grounds to justiy it. It
also observed that those seeking surveillance permission had not indicated that less intrusive means o obtaining the
inormation sought were unavailable.55
Ex ante approval o particularly intrusive law enorcement operations must be received rom an independent body
beore engaging in any o the ollowing activities either directly or through/in collaboration with private sector entities:
• Conducting targeted surveillance measures, including the collection o and access to communications data
(including when held by the private sector);
• Conducting untargeted bulk surveillance measures regardless o the methods or technology used or the type
o communications targeted;
• Using selectors or key words to extract data rom inormation collected through bulk surveillance, particularly
when these selectors relate to identiable persons;
The European Court o Human Rights has addressed surveillance operations in a number o cases and the principles
established are applicable to all orms o surveillance. Independent authorizations or surveillance must include:
• The precautions to be taken in order to maintain the integrity and security o intercepted material; and
• The circumstances, including a timelimit, in which the inormation intercepted is to be erased or destroyed,
or example, ollowing the discharge or acquittal o the accused.57
The independent and eective body authorizing surveillance measures must also ensure that there is clear evidence
o a sucient threat and that the surveillance proposed is targeted, strictly necessary and proportionate and
authorize (or reject) ex ante the surveillance measures.58
The same principles apply when law enorcement agencies seek personal data rom the private sector.
55 k (2009), paras. 92, 134, 135, 140. The European Court o Human Rights has also held that “where a judge merely endorses the actions o
security services without genuinely checking the acts or providing adequate oversight” there is a violation o Article 8 o the Convention.
See Zoltán Varga v. Slovakia, paras. 155160.
56 Council o Europe, Democratic and eective oversight o national security services, p. 12, available at: < https://book.coe.int/en/
commissionerorhumanrights/6682pddemocraticandeectiveoversightonationalsecurityservices.html>
57 OSCE/ODIHR, Human Rights in CounterTerrorism Investigations: A Practical Manual or Law Enorcement Ocers, ootnote 48 citing
Countering Terrorism, Protecting Human Rights: A Manual, p. 205, ootnote 687 citing ECtHR, Huvig v. France, Case no. 4/1989/164/220,
27 March 1990, paras. 3233; ECtHR, Kruslin v. France, Application no. 11801/85, 24 April 1990, para. 35; ECtHR, Greuter v. The Netherlands,
Application no. 40045/98, 19 March 2002.
58 Report o the United Nations High Commissioner or Human Rights, The Right to Privacy in the Digital Age, A/HRC/39/29, para. 39,
available at: < https://documentsddsny.un.org/doc/UNDOC/GEN/G18/239/58/PDF/G1823958.pd?OpenElement>
28 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
5.3.1 Oversight During Operations and Ex-Post Review of Activities
and Operations
The Human Rights Committee has noted that surveillance, interception, and hacking programmes can only be human
rights compliant where robust and independent oversight mechanisms exist.59
The rst degree o control in any police accountability system is the internal control mechanisms within the police service.
Eective controls assist in preventing misconduct and addressing it. Such mechanisms have three main components:
It is thereore imperative that police services develop comprehensive proessional standards (codes o conduct, codes
o ethics), providing clear guidance on the exercise o policing duties and powers in practice.
The judiciary is an indispensable element o a police accountability system. Surveillance or covert data collection
activities must be authorized by a judicial representative or body, or similarly independent mechanism, prior to the
start o such activities, to the extent possible. In civil law systems, investigative judges monitor law enorcement
activities while they are ongoing. And in all systems, the judiciary must be charged with adjudicating allegations o law
enorcement misconduct and imposing sanctions and remedies.
One o the most undamental roles o parliaments across the world is to drat, amend and enact laws. Thus, such bodies
must establish clear, precise, accessible, comprehensive and nondiscriminatory legal rameworks on law enorcement
surveillance programmes that are in line with international law, including international human rights norms and
standards. Additionally, as legislative bodies are responsible or checking the powers o the executive branch, they
oten establish permanent or ad hoc oversight committees and inquiries to review covert surveillance programmes.
Some Member States have also established independent expert bodies, including but not limited to national
human rights institutions, Ombudspersons, and/or data protection authorities authorised to oversee surveillance
programmes. The precise orm o such oversight bodies is not regulated by international law, but they must be
independent and must have robust powers, including obtaining all inormation relating to ull surveillance cycles, and
make binding and public recommendations.
Oversight rameworks may integrate a combination o administrative, judicial and/or parliamentary oversight.
Authorization and oversight bodies should be institutionally separated, although one judicial body may authorize an
operation, and another may provide redress to victims.
Independent oversight bodies should proactively investigate and monitor the activities o those who conduct
surveillance and have access to the products o surveillance and carry out periodic reviews o surveillance capabilities
and technological developments. The agencies carrying out surveillance should be required to provide all the inormation
necessary or eective oversight upon request and regularly report to the relevant oversight bodies, and they should
be required to keep records o all surveillance measures taken.60 Oversight mechanisms may make recommendations
59 CCPR/C/ITA/CO/6, para. 37. See also General Assembly Resolution 73/179. See also, Report o the Special Rapporteur on the promotion
and protection o human rights and undamental reedoms while countering terrorism, Martin Scheinin, Compilation o good practices
on legal and institutional rameworks and measures that ensure respect or human rights by intelligence agencies while countering
terrorism, including on their oversight, A/HRC/14/46, available at: <https://documentsddsny.un.org/doc/UNDOC/GEN/G10/134/10/PDF/
G1013410.pd?OpenElement>
60 Report o the United Nations High Commissioner or Human Rights, The Right to Privacy in the Digital Age, A/HRC/39/29, para. 40,
available at: < https://documentsddsny.un.org/doc/UNDOC/GEN/G18/239/58/PDF/G1823958.pd?OpenElement>
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 29
or institutional and legislative reorm that should be given appropriate consideration by the relevant executive and
legislative bodies.
Oversight institutions must take all necessary measures to protect classied inormation and personal data to which
they have access during the course o their work, and penalties imposed or the breach o these requirements by
members o oversight institutions.61
Five principal types o police complaints mechanisms in operation around the world, include: internal police; Ministry
or police or Interior; public prosecutor; ombudsman; civilian oversight. It is not uncommon or several mechanisms to
operate in one jurisdiction.62
The establishment o an independent, external citizen oversight body with responsibilities or receiving and investigating
complaints against the police is essential to achieve greater accountability and transparency and in some cases, to
address shortcomings o ineective internal control and oversight. A standard statutory purpose, in jurisdictions
where police complaints systems have been codied, is to hold law enorcement ocials accountable in criminal and
disciplinary proceedings on the basis o evidence obtained in the investigation o a complaint. The same mechanisms
that investigate allegations o the use o excess orce by the police may also investigate allegations o unlawul
intererence with privacy or unlawul collection o personal online data, although the mechanism may require additional
technical expertise. An eective police complaints system oers undamental protection against the development
o a culture o impunity. Additionally, complaints are an important resource that may be researched and analysed so
that lessons may be learned rom past mistakes or the purpose o improving uture perormance. Complaints provide
lesson learning opportunities at the individual ocer and service level.63
61 Report o the Special Rapporteur on the promotion and protection o human rights and undamental reedoms while countering
terrorism, Martin Scheinin, Compilation o good practices on legal and institutional rameworks and measures that ensure respect
or human rights by intelligence agencies while countering terrorism, including on their oversight, A/HRC/14/46, para. 14, available at:
<https://documentsddsny.un.org/doc/UNDOC/GEN/G10/134/10/PDF/G1013410.pd?OpenElement>
62 Ibid.
63 Council o Europe, International Police Complaints Reorm, available at: <https://rm.coe.int/16806dbbbd>
64 Article 2 o the International Covenant on Civil and Political Rights establishes that: (a) To ensure that any person whose rights or reedoms
as herein recognized are violated shall have an eective remedy, notwithstanding that the violation has been committed by persons acting
in an ocial capacity; (b) To ensure that any person claiming such a remedy shall have his right thereto determined by competent judicial,
administrative or legislative authorities, or by any other competent authority provided or by the legal system o the State, and to develop the
possibilities o judicial remedy; (c) To ensure that the competent authorities shall enorce such remedies when granted.
30 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
harm suered. This may include nonjudicial institutions empowered to receive and investigate complaints as well to
issue binding orders or provide eective remedies, or judicial institutions that can order remedial action. To ensure the
practical application o this right, states must ensure that individuals can also access an institution equipped to make
legally binding orders about cooperation, including inormation that has been received rom or sent to oreign bodies.
The institutions responsible or addressing complaints and claims or eective remedy arising rom the activities o
intelligence services must be independent o law enorcement agencies and the executive branch. Such institutions
must also have ull and unhindered access to all relevant inormation, the necessary resources and expertise to conduct
investigations, and the capacity to issue binding orders.65
5.4.2 Transparency
Transparency is critical in all democratic government operations. Thereore, the overall legal ramework concerning
surveillance o all kinds, as well as the procedures to be ollowed or authorizing surveillance, selecting targets o
surveillance, and using, sharing, storing, and destroying intercepted material, should be accessible to the public.66
State authorities and oversight bodies should engage in public inormation about the existing laws, policies and
practices in surveillance and communications interception and other orms o processing o personal data, as open
debate and scrutiny are essential to understanding the advantages and limitations o surveillance techniques.67
Those who have been the subject o surveillance should be notied and have explained to them ex post facto the
intererence with their right to privacy i contemporaneous notication is not possible. Subjects should also be entitled
to alter and/or delete irrelevant personal inormation, provided that inormation is inaccurate or no longer to necessary
or purposes o a current or pending investigation.68
Oversight processes must also be transparent and subject to appropriate public scrutiny and the decisions o the
oversight bodies must be subject to appeal or independent review.69 Oversight bodies should be required by law to
publish public versions o their periodic and investigation reports. Additionally, law enorcement agencies and oversight
bodies must not be generally exempt rom reedom o inormation legislation. Instead, decisions not to make certain
inormation public must be taken on a casebycase basis, properly justied and subject to the supervision o an
independent body.
65 Report o the Special Rapporteur on the promotion and protection o human rights and undamental reedoms while countering
terrorism, Martin Scheinin, Compilation o good practices on legal and institutional rameworks and measures that ensure respect or
human rights by intelligence agencies while countering terrorism, including on their oversight, A/HRC/14/46, para. 1617, available at:
<https://documentsddsny.un.org/doc/UNDOC/GEN/G10/134/10/PDF/G1013410.pd?OpenElement>
66 Principle 10. E o the Tshwane Principles on National Security and the Right to Inormation, available at: <https://www.justiceinitiative.
org/publications/tshwaneprinciplesnationalsecurityandrightinormationoverview15points#:~:text=June%202013,The%20
Tshwane%20Principles%20on%20National%20Security%20and%20the%20Right%20to,and%20national%20law%20and%20practices.>
67 Report o the Special Rapporteur on the Right to Privacy, A/HRC/34/60, para. 38, available at: <https://documentsddsny.un.org/doc/
UNDOC/GEN/G17/260/54/PDF/G1726054.pd?OpenElement>
68 Report o the United Nations High Commissioner or Human Rights on the Right to Privacy in the Digital age, A/HRC/39/29, available at:
< https://documentsddsny.un.org/doc/UNDOC/GEN/G18/239/58/PDF/G1823958.pd?OpenElement>
69 Ibid., para. 40.
Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection 31
5.5 Commercially Aggregated Data
While international law requires that government agents obtain warrants or similar permissions, in compliance with
clear, precise, accessible, comprehensive and nondiscriminatory domestic law, beore accessing individual personal
data, the issue is complicated by the existence o commercially available data that aggregates publicly available
and private inormation. Government agencies seeking to purchase data requently use terms like ‘open source’ and
‘publicly available’ in their purchase orders and contracts, suggesting that they are only seeking inormation such as
public social media posts that people knowingly make available to the public. However, government purchase orders
and contracts requently use these terms to include inormation collected specically or a given agency that is not
actually available to the public or any other consumer. The broad and misleading usage o these terms undermines
governmental claims that agencies are permitted to collect such inormation on the basis that it is generally out there
to the public and individuals, thereore, lack a reasonable expectation o privacy in such sensitive data.70 At a minimum,
where government agencies purchase data that includes, or example, nancial or medical inormation, that a person
would reasonably expect to be private, that data must be purchased in strict accordance with the principles set out in
this report. Although outside o the scope o this document, the United Nations Guiding Principles on Business and
Human Rights urther details the obligations o States when they contract with business enterprises as well as the
responsibility o such enterprises to respect human rights and to prevent and address all adverse human rights impacts
directly linked to their operations, products or services.71
70 Center or Democracy and Technology, Legal Loopholes and Data or Dollars: How Law Enorcement and Intelligence agencies are Buying
Your Data rom Brokers, < https://cdt.org/insights/reportlegalloopholesanddataordollarshowlawenorcementandintelligence
agenciesarebuyingyourdatarombrokers/>
71 Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework | OHCHR. See
also, Report o the United Nations High Commissioner or Human Rights on the Right to Privacy in the Digital age, A/HRC/39/29, para. 4249.
32 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection
© United Nations Ofce o Counter-Terrorism (UNOCT), 2023
United Nations Oce o CounterTerrorism
United Nations Headquarters
New York, NY 10017
www.un.org/counterterrorism
34 Establishing Legislative Framework, Transparency Mechanisms and Oversight or Online Data Collection