Collection, processing and sharing of personal data and the use of new technologies in the counter-terrorism and freedom of movement context. Latest report from OSCE Office for Democratic Institutions and Human Rights (ODIHR).
In a globalized world, more and more people cross international borders to develop and maintain personal contacts, pursue educational and professional opportunities, to migrate or to realize the right to seek asylum when fleeing from persecution.
At the same time, new technologies, which rely on the gathering, processing, and sharing of data, are increasingly used by states to manage migration flows and to address transnational security threats, including terrorism. These technologies heighten the risk of human rights breaches in an area that is already highly opaque and discretionary, with weak safeguards, accountability and oversight, and where the private sector plays a strong role in their development and use.
The latest ODIHR policy brief provides an overview of the implications of collecting and sharing information in the context of border management and how the introduction or continued use of new technologies in the border space may affect human rights. It also provides recommendations to OSCE participating States on how to respect and protect human rights when using new technologies to manage their borders. The policy brief has been prepared as part of the ongoing work of the OSCE Office for Democratic Institutions and Human Rights (ODIHR) in the field of migration, freedom of movement, human rights and counter-terrorism.
This policy brief references various digital technologies used in migration management and counter-terrorism, referring to passenger and biometric data collection, algorithmic decision-making, and artificial intelligence-based technologies as the innovations that are currently being developed and deployed for border and migration management, and to counter transnational organized crime and terrorism.
Border management, security and counter-terrorism
States have international obligations around border management in the context of countering terrorism.
UN Security Council (UNSC) Resolution 2396 (2017) imposes legal obligations on states to establish systems for the collection, processing, and analysis of large amounts of personal data to detect terrorist travel and identify terrorists.
Measures include systems for biometric data, Advance Passenger Information (API) and Passenger Name Records (PNR) as well as watchlists and databases of “known and suspected terrorists.” The resolution also encourages states to share this information with each other and with international organizations where appropriate. OSCE Ministerial Council decisions call upon OSCE participating States to prevent the movement of terrorists, including so-called “foreign terrorist fighters,” through effective border controls, and to issue machine-readable travel documents that contain biometric data and take other measures to strengthen travel document security. OSCE participating States have also committed specifically to establishing national API systems. States have a legitimate interest in controlling their borders and managing who enters their territory.
But increased border security, including to counter terrorism, must not come at the expense of human rights and fundamental freedoms. UN Security Council resolutions and OSCE commitments consistently reaffirm that all counter-terrorism actions must comply with international law, including international human rights and refugee law. At the 2005 Ministerial Council in Ljubljana, participating States reaffirmed their commitment to promote free movement of people across borders, while also pursuing the aim of reducing the threat of terrorism.
They highlighted the need to treat individuals crossing borders with dignity in conformity with international and domestic law and human rights law. They also committed to increasing their efforts to ensure that national legislation, policies and practices provide to all persons equal and effective protection of the law and prohibit acts of intolerance and discrimination. In line with these OSCE commitments, border management should not be linked to counter-terrorism measures based on assumptions about individuals or groups wishing to migrate.
General human rights principles: regulatory frameworks, effective remedies and oversight
International human rights standards allow restrictions of certain rights, such as the right to privacy and the right to freedom of movement, but only within strictly defined parameters. Any interference with those rights must be prescribed by law, strictly necessary to achieve a legitimate aim, proportionate towards the aim, and not discriminatory. States may not introduce restrictions that impair the essence of the right in any circumstances. Similarly, there may never be any interference with absolute rights and principles, such as the right to be treated with dignity and without discrimination when crossing borders.
International human rights law not only requires states to refrain from violating human rights but also to protect individuals from undue interference by others, including private persons and companies. States must put in place regulatory and institutional frameworks to guarantee effective exercise of human rights in practice, including and especially in the border management and counter-terrorism contexts, given the unique and often highly discretionary decision-making context at and around the border.
Effective remedies and solid oversight and redress mechanisms are needed to ensure accountability and prevent violations and human rights. Human rights education and training of those involved in designing and implementing border control and counter-terrorism measures and making decisions in this space are an essential part of such a framework.
The private sector plays an increasing role in the development and operation of border management systems powered by artificial intelligence and biometric technology, as key border management and security functions are being outsourced to private companies. But effective state regulation and control in this field has not caught up with the pace of development.
The regulatory and legal space around the use of new technology remains deficient, marked by discretionary decision-making, privatized development and uncertain legal ramifications. States are primarily responsible for ensuring respect for human rights and must put in place clear human rights based frameworks for the use of technology. The UN Guiding Principles on Business and Human Rights (the Ruggie Principles) also set out human rights responsibilities of businesses. Businesses should exercise due diligence to avoid negative human rights impacts arising out of their activities.
Border management and counter-terrorism technologies and systems can impact a wide range of human rights protected under international law. But some human rights are particularly relevant in this context:
Freedom of movement
Article 12 of the International Covenant on Civil and Political Rights (ICCPR) affords everyone the right to leave any country, including his/her own, and the right to enter one’s own country. Freedom of movement is an indispensable condition for the free development of a person. While the entry of a non-national to the territory of a State may be subject to restrictions, any restrictions must be compliant with international human rights obligations. A non-national may also enjoy the protection of the ICCPR in relation to entry or residence, and any limitations on the right to freedom of movement must take account of other rights such as non-discrimination, prohibition of cruel, inhuman or degrading treatment and respect for family life.
Right to privacy and data protection
The right to privacy is a “gateway right” – without privacy, the full enjoyment of a broad range of other rights is endangered. The right to privacy is guaranteed under Article 17 of the ICCPR. The protection of personal data is an important element of the right to privacy which is particularly relevant in the context of new technologies for border management and counter-terrorism.
Key data protection principles set out in international standards include that personal data undergoing automatic processing shall:
(a) be obtained and processed fairly and lawfully;
(b) be stored for specified and legitimate purposes,
(c) be adequate, relevant and not excessive;
(d) be accurate and, where necessary, kept up to date; and
(e) be preserved for no longer than is required. Sensitive data (e.g., data revealing ethnic origin, political opinions, religious or other beliefs, health or sexual life, criminal conviction) requires a particularly high level of protection.
Data security and protection against unauthorized access must be ensured; as well as the right for the data subject to know that information is stored on him or her, to have access to such data and to have it corrected, if necessary.
Participating States have committed to protect the right to private and family life, domicile, correspondence and electronic communications, as well as the prevention of arbitrary intrusion in the realm of the individual.
New technologies used at the border can also directly and indirectly affect a broad range of other rights; and it can directly and indirectly affect the rights of people in specific need of protection, such as refugees and asylum-seekers, children and victims of trafficking. Depending on what decisions are taken and how they are taken in border management and security, the use of such technology can impact the right to liberty, fair trial and due process standards such as the right to be heard; to a fair, impartial and independent decision-maker; to be provided with information and reasons for a decision and the right to appeal an unfavourable decision, among others. As will be discussed below, it can expose individuals to violations of the absolute prohibition of torture and other cruel, inhuman or degrading treatment and lead to undue interferences with freedom of religion or belief. But it can also indirectly affect a person’s rights beyond the border context, for example through a chilling effect on the exercise of freedom of expression, assembly and association and knock-on effects on many other rights.
While states have the right to control who enters their territory and an obligation to counter terrorism and other crime, this must be done in full compliance with international human rights standards.
The emergence and growing use of new border management technologies that gather and process large amounts of personal data to track, identify and control those crossing borders poses new challenges for the protection of human rights. Technology is far from neutral. Placing people under suspicion based on assumptions generated by algorithms, discriminatory profiling, surveillance, and privacy and other human rights infringements resulting from the collection, processing and sharing of biometrics, API/PNR and other travel-related data are just some of the human rights risks such technologies entail.
These risks are amplified by a lack of transparency and oversight of systems developed for border management; and they put people in particular situations of vulnerability, such as migrants, asylum seekers and refugees, especially at risk. Over-securitized border management, which denies people their rights and targets those who are in most acute need of protection, will lose the trust of the communities it should serve. Consequently, it will not create more security but less. Human rights protections are a vital tool to ensure effective cross-border security.