HRC 61: The Global Privacy Gap: When Data Travels Beyond the Law

The 61st Session of the Human Rights Council

23 February – 2 April 2026

Item 3: Promotion and protection of all human rights, civil, political, economic, social, and cultural rights, including the right to development

11 March 2026

By Hera MacPhail / GICJ

Executive Summary

The international collection of personal data has outpaced existing legal frameworks, leaving individuals without effective remedy when their privacy is violated. The UN Special Rapporteur, Ana Brian Nougrères, identifies a critical regulatory gap: international law governs the transfer of data between states but not its direct collection from abroad, enabling large-scale cross-border extraction without accountability.

The interactive dialogue revealed broad agreement on urgency but divergent views on solutions, with European states pointing to existing instruments like the GDPR while others, including China and Ecuador, calling for a new binding global treaty. Developing states stressed the need for capacity-building and international support.

Theoretically, the report situates the privacy crisis within a broader analysis of power. It argues that the ethical harm of international data collection lies not merely in information exposure but in the systematic stripping of data from its original context and market purposes - a violation of democratic principles that operate at global scale.

Geneva International Centre for Justice endorses the Rapporteur's recommendations: a binding international data protection treaty with universal standards, effective remedies, and mechanisms ensuring that accountability follows data across borders, so that no person is rendered rightless by geography.

Background

Concerns about privacy long predate the digital age, but the modern concept of data privacy emerged alongside the development of computerised information systems in the mid-twentieth century. Early debates about privacy focused primarily on protection from state intrusion and surveillance. In 1890, legal scholars Samuel D. Warren and Louis D. Brandeis famously described privacy as the “right to be let alone,” establishing one of the first legal foundations for privacy protection.

As governments and institutions began using computers to store personal information during the 1960s and 1970s, concerns shifted toward the collection, storage, and processing of personal data. These developments prompted the creation of early data protection laws in several countries and international guidelines addressing automated data processing.

At the international level, the United Nations recognised the importance of privacy as a human right in the International Covenant on Civil and Political Rights (1966), which protects individuals from arbitrary or unlawful interference with their privacy. Later, the United Nations General Assembly adopted the Guidelines for the Regulation of Computerized Personal Data Files in 1990, adopted by resolution 45/95, establishing principles for the fair and lawful handling of personal information. The report constitutes a complementary document of the 2024 submission to the General Assembly of the 1990 guidelines.

A further significant development came in 2013, when the United Nations General Assembly's Third Committee unanimously approved a draft resolution recognising the need for States to establish oversight mechanisms to ensure transparency and accountability for surveillance initiatives. The resolution, welcomed by the Special Rapporteur on freedom of expression Frank La Rue, affirmed that rights applicable offline must equally apply online, and called on States to revise national legal frameworks to address the serious gaps that had emerged in the oversight of communications surveillance. La Rue stressed that blanket and indiscriminate surveillance could never be compatible with international human rights standards, and that any interference with privacy must be assessed on a case-by-case basis against principles of necessity and proportionality. 

The resolution was subsequently adopted by the full General Assembly on 18 December 2013 by consensus, formally affirming for the first time that the same rights people have offline must also be protected online, and calling on all States to take measures to end activities that violate the right to privacy as a fundamental tenet of democratic society. The Assembly also requested the UN High Commissioner for Human Rights to submit a report on the protection of the right to privacy in the context of domestic and extraterritorial surveillance, signalling a growing institutional recognition that digital communications required urgent and coordinated international attention. This resolution marked an early formal recognition by the international community that digital communications required the same privacy protections as traditional correspondence.

With the rapid expansion of the internet, digital platforms, and global data flows in the twenty-first century, data privacy has become a central issue in human rights debates. Today, protecting personal data is increasingly recognised as essential for safeguarding individual autonomy, democratic participation, and fundamental freedoms.

Summary of the Expert’s Report The report of the Special Rapporteur, Ana Brian Nougrères, on the right to privacy examines the growing phenomenon of the international collection of personal data, whereby entities collect personal information from individuals located in other countries without maintaining a physical presence in those jurisdictions. The report highlights the legal and human rights implications of this practice in the context of increasing global digitalization and cross-border data flows.

The Special Rapporteur stresses that privacy protection today goes beyond safeguarding personal information; it also concerns the protection of democratic institutions and individual autonomy in democratic societies. As stated in the Special Rapporteur’s speech: “We are not just protecting information; we are safeguarding the very fabric of our democratic societies and the personal autonomy of our citizens.” Large-scale data collection and analysis may influence political participation, freedom of expression, and other fundamental rights, making privacy a foundational condition for the exercise of many other freedoms.

A key concern identified in the report is that international data collectors frequently operate outside the jurisdiction of the individuals whose data they collect. This creates significant legal uncertainty and leaves many individuals without effective remedies when their privacy rights are violated. The borderless nature of the Internet further complicates jurisdictional questions and challenges traditional territorial legal frameworks.

The report notes that existing international rules primarily address international data transfers, whereby personal data is exported from one country to another under regulated conditions. However, these frameworks do not adequately address international data collection, whereby information is directly gathered from individuals abroad without any data exporter in the country of origin. This regulatory gap allows large-scale cross-border extraction of personal data without clear accountability mechanisms.

The Special Rapporteur also mentions how easy it is to act as a data collector – the existence of just an internet connection is enough. They also highlight the role of online tracking technologies, including cookies and other monitoring tools, which enable companies to collect information such as IP addresses, browsing histories, and user preferences. These technologies facilitate profiling and behavioural analysis, often without meaningful consent from individuals. 

In addition to these technological challenges, the report identifies several structural issues. Not all countries have comprehensive data protection laws, and some jurisdictions function as “data havens” with weak regulatory standards. Furthermore, the absence of a binding global framework on data protection makes it difficult to regulate cross-border data practices effectively.

The report concludes that national measures alone are insufficient to address the global nature of international data collection. To strengthen the protection of the right to privacy, the Special Rapporteur recommends that States develop a binding international treaty addressing international data collection, strengthen national legislation to cover extraterritorial data practices, establish independent data protection authorities, and enhance international cooperation among regulatory bodies. Overall, the report emphasizes that safeguarding privacy in the digital age requires coordinated global action and the implementation of legally binding international regulations to safeguard the rights of people regardless of nationality. As she states “the vulnerability of one citizen is the vulnerability of all.”

The Special Rapporteur also addresses her official mission to Mongolia in April related to A/HRC/61/48/Add.1. The visit aimed to assess Mongolia’s legal framework, policies, and practices concerning the protection of privacy and personal data. The Special Rapporteur acknowledged that Mongolia has taken important legislative steps, particularly the adoption of the Law on Personal Data Protection, which significantly modernizes the country’s legal framework for privacy and data protection. She described this development as a positive step toward safeguarding privacy rights. However, she also emphasized that implementation and enforcement remain key challenges. Mongolia is undergoing rapid digitalisation and transitioning toward an increasingly digital and e-governance–based society, which creates new privacy risks if legal safeguards and institutional capacity do not keep pace.

The Special Rapporteur highlighted several issues requiring further attention such as the limited awareness of privacy rights among the public, particularly among vulnerable groups, insufficient institutional capacity, and the absence of financial resources to enforce privacy protections effectively. In addition, they stressed the need for stronger safeguards against cybersecurity threats and digital surveillance. Furthermore, they warned against risks associated with emerging technologies and large-scale digital data processing. They stressed finally that technological innovation must be guided by a human-rights-based approach, ensuring that individuals remain at the centre of digital transformation.

The Special Rapporteur’s main recommendations were to increase public education and awareness about the right to privacy, strengthen institutional oversight and enforcement mechanisms, improve cybersecurity and data protection safeguards, promote digital literacy and inclusive access to technology. Overall, the Special Rapporteur concluded that Mongolia demonstrates political will to strengthen privacy protections, but that significant work remains to ensure that rapid digitalisation does not undermine the right to privacy.

Summary of the Interactive Dialogue

The interactive dialogue revealed broad consensus on the urgency of strengthening privacy protections in the digital age, while exposing significant divergences on the appropriate institutional response.

Mongolia

The delegation of Mongolia opened by acknowledging the challenges posed by the country's rapid digital transformation and expressed support for the Special Rapporteur's recommendations as valuable guidance for strengthening privacy protection. The distinctive representative of Mongolia emphasised the continuous attempts of the government to ensure data protection and its efforts for collaboration with other stakeholders to achieve this result. At the same time, Mongolia acknowledged that safeguarding privacy is not solely the responsibility of the State but also requires the cooperation of private companies and individuals.

On the question of institutional design, delegations divided broadly into two camps. A number of States, including China and Ecuador, called for the development of a new binding international legal instrument on data protection, arguing that existing frameworks are insufficient to address the scale and complexity of cross-border data collection. Countries such as Austria, Dominican Republic and the Netherlands expressed general agreement with the report and asked what elements would be essential for establishing a universal framework for privacy protection and what concrete steps should be prioritized. 

China

The delegation of China also raised concerns regarding differing approaches to data protection at the international level and stressed the challenge of national security that arises with such data travel. It specifically noted that the US has downplayed the importance of robust privacy protections and have characterised comprehensive data protection legislation in other countries as overly “burdensome”. In this context, the delegation further expressed concern that such positions may influence diplomatic engagement with other States, including discouraging the adoption of strong data protection frameworks on the basis of sovereignty or economic considerations. The intervention pointed out that US actions do not support a principle of state sovereignty in digital governance but they exemplify a type of foreign policy based on interference, meaning that decisions about privacy regulation should remain under national control without outside pressure. 

A second thematic thread concerned the relationship between privacy and existing international human rights law welcoming the report, sharing national experiences and legislation regarding data protection, and emphasising the existence of legislation concerning the issue. The European Union stressed the importance of preventing impunity in the misuse of personal data and raised questions about how existing regulatory frameworks can remain effective in the face of rapid technological development. Germany, Brazil, and Lichtenstein were also concerned about how existing legislation can avoid legal loopholes. Estonia and the Nordic States noted that existing regional instruments, including those developed by the Council of Europe, already provide comprehensive standards and the question is how to ensure more countries adopt these measures and put the existing legal frameworks into force.

Statement from the African Group 

The distinctive representative speaking on behalf of the African Group, recalled the protections contained in Article 17 of the International Covenant on Civil and Political Rights concerning the right to privacy. By recalling this provision, the African Group emphasized that the right to privacy is already firmly established in international human rights law. The intervention underscored that States have a legal obligation to respect and protect this right, including in the digital sphere. It also implicitly highlighted that emerging challenges - such as cross-border data collection and digital surveillance - must be addressed in a manner consistent with these existing international standards.

A third area of discussion concerned implementation challenges and the particular needs of developing States. Mauritius reported that it had adopted legislation broadly aligned with the General Data Protection Regulation (GDPR), while Costa Rica warned that digital privacy risks are frequently underestimated, particularly regarding online tracking technologies and the absence of genuine informed consent. Malawi and several other developing States stressed that capacity-building and international support are essential prerequisites for the establishment of effective data protection systems.

Some delegations highlighted situations of concern. Afghanistan specifically reported a deterioration of privacy protections under the Taliban and called for greater international attention to the issue. 

NGO Statements 

Finally, civil society organizations also contributed to the discussion, emphasizing that privacy constitutes a pillar of freedom and democratic participation. NGOs raised concerns about the role of large technology companies in collecting and controlling personal data and questioned whether existing safeguards offered by platforms such as WhatsApp and companies such as Meta are sufficient to protect users’ rights. They also stressed that privacy should not be dismissed through the argument that individuals who have “nothing to hide” should not fear surveillance.

Concluding Remarks of the Special Rapporteur

In their concluding remarks, the Special Rapporteur emphasized that strengthening the protection of privacy must begin with education and public awareness. They noted that individuals often remain unaware of how their personal data is collected, processed, and used in the digital environment. Increasing digital literacy and promoting awareness campaigns were therefore highlighted as essential steps to empower individuals to better understand and exercise their privacy rights.

The Special Rapporteur also reiterated the importance of enhanced international cooperation to address the challenges posed by cross-border data collection. Given the global nature of digital technologies and data flows, they stressed that national measures alone are insufficient to ensure effective protection of the right to privacy. Stronger collaboration among States, regulators, and other stakeholders is necessary to respond to emerging technological developments.

Furthermore, they highlighted the need to translate the principles outlined in the report into concrete legal frameworks capable of addressing existing regulatory gaps. In this regard, they reiterated their recommendation for the development of stronger international legal standards, including the potential establishment of a global treaty on data protection, to ensure accountability in cases of international data collection.

Finally, the Special Rapporteur underscored that violations of privacy should be understood as human rights violations, given the central role privacy plays in protecting individual autonomy, democratic participation, and other fundamental freedoms. As digital technologies continue to expand, she stressed that developing effective international safeguards will be essential to ensure that technological innovation strengthens, rather than undermines, human rights.

Special Section: The Ethics of Privacy in the Age of Surveillance and International Data Collection

Privacy is among the most contested concepts in contemporary political philosophy. Once understood primarily as a negative right - a shield against unwarranted intrusion into one's home or correspondence - it has been radically destabilised by the architecture of the digital age. The proliferation of networked devices, the global infrastructure of data brokers, and the surveillance programmes of nation-states have transformed privacy from a personal concern into a civilisational one. 

Personal data is not merely neutral information; it reveals identity, beliefs, relationships, and vulnerabilities. In this sense Véliz, C. argues that personal data is a form of political and social power. When data is collected without meaningful consent, individuals lose control over self-presentation and decision-making, undermining autonomy and dignity. Critical Theorists give an illuminating way to look at privacy as a human right. They describe how surveillance transforms power from coercion into internalised discipline. The citizen who knows their communications may be monitored, whose internet searches are logged, whose physical movements are tracked by a smartphone, inhabits a digital panopticon. The power of this architecture lies not in constant surveillance but in its possibility: subjects internalise the gaze and discipline themselves accordingly. The practical result - self-censorship, behavioural conformity, the suppression of dissent - is precisely the normalising function of disciplinary power Foucault identified. 

The harms that flow from this are frequently diffuse and probabilistic rather than concentrated and visible. A person who self-censors their political speech online because they fear monitoring suffers a real loss of autonomy, but this harm does not appear in any ledger. A journalist who avoids contacting a source for fear of metadata exposure suffers a professional and democratic harm that is difficult to quantify. These harms are real but structurally invisible - a feature, not a bug, of surveillance architectures that obscure their own costs while making their benefits legible to those who deploy them.

Critical theorists following Foucault, notably Shoshana Zuboff in her analysis of "surveillance capitalism," have extended this analysis to the corporate domain. Zuboff argues that the extraction and commodification of behavioural data constitutes a new logic of accumulation that is essentially anti-democratic: it concentrates the power of prediction and behavioural modification in the hands of platform corporations, reshaping markets, politics, and social life while remaining largely unaccountable to democratic oversight. The intersection of surveillance capitalism and state intelligence creates a surveillance infrastructure of unprecedented scope and intimacy.

This theoretical framework can be translated in the legal dimension through the framework of internal self-determination under Article 1 of the International Covenant on Civil and Political Rights. Internal self-determination guarantees the right of peoples to pursue their own economic, social, and cultural development free from outside interference. Where surveillance capitalism operates across borders - extracting, commodifying, and acting upon the behavioural data of foreign populations - it does precisely what Article 1 prohibits: it concentrates the power to shape economic choices, social behaviours, and political participation in the hands of external actors who bear no democratic accountability to the populations they affect. People whose collective behaviour is systematically predicted and modified by foreign platform corporations, without democratic oversight or meaningful consent, has been deprived of the practical conditions necessary for the exercise of self-determination. The right is rendered nominal rather than effective. On this construction, the cross-border extraction of behavioural data is not merely a privacy violation under Article 17 but an ongoing interference with the collective autonomy of peoples under Article 1 - and States permitting or facilitating such extraction through weak regulatory frameworks may bear international responsibility accordingly.

Helen Nissenbaum's theory of contextual integrity offers one of the most sophisticated rights-based frameworks for thinking about privacy in the digital age. Rather than defining privacy as a binary condition - either information is private or it is not - Nissenbaum argues that privacy norms are context-relative. Information flows appropriately when they match the norms of the context in which the information was originally shared. Medical information shared with a doctor flows appropriately to a specialist but not to an employer. Personal communications shared between friends flow appropriately within that relationship but not to a government database.

On this account, the ethical wrong of international data collection is not simply that information is collected, but that it is systematically stripped of its context. Data collected for commercial purposes - a location ping from a mapping application, a purchase record from an e-commerce platform - is aggregated by data collectors and sold to brokers, each transfer violating the contextual norms under which the data was originally generated. The subject of this data never consented to its migration across contexts; the very architecture of the data economy depends on this contextual violation.

This problem is intensified at the international level. When data generated in the European Union is processed on servers in the United States and potentially accessed by American intelligence agencies under Section 702 of the Foreign Intelligence Surveillance Act, the contextual norms of multiple jurisdictions are simultaneously violated. The 2020 Schrems II ruling by the Court of Justice of the European Union acknowledged precisely this tension: that legal frameworks ostensibly protecting European citizens' data could not be adequately enforced once that data crossed into the jurisdiction of a foreign intelligence apparatus. The CJEU's invalidation of the Privacy Shield adequacy decision was, in Nissenbaum's terms, a recognition that cross-jurisdictional data flows structurally undermine contextual integrity.

Nissenbaum's framework also illuminates the particular harms of corporate data collection for state purposes. The distinction between public and private actors in the surveillance landscape has been largely dissolved by the practice of intelligence agencies either purchasing commercial data or compelling its disclosure through legal instruments. When a government accesses location data purchased from a data broker - a practice documented in the United States - it circumvents the legal constraints that would apply to direct collection, exploiting the commercial infrastructure of surveillance capitalism for state ends. The contextual violation is doubled: the data subject never consented to commercial collection for intelligence purposes, and the state acquires data without the warrant that constitutional frameworks might otherwise require.

The European Union's General Data Protection Regulation (GDPR) represents the most ambitious attempt to impose a rights-based framework on international data flows, establishing the principle that EU residents retain rights over their data regardless of where it is processed. Yet the Schrems litigation has repeatedly demonstrated that these protections are undermined when data is transferred to countries whose intelligence frameworks are incompatible with European fundamental rights standards. The United States, for all the sophistication of its domestic legal system, has no comprehensive federal privacy law and permits its intelligence agencies to conduct surveillance of non-US persons with minimal judicial oversight.

This governance deficit has a distinctly colonial dimension that is under-examined in mainstream policy discourse. The major nodes of global internet infrastructure - undersea cables, data centres, dominant platform corporations - are disproportionately located in or controlled by a small number of wealthy states, primarily the United States and its Five Eyes partners. The data of citizens in the Global South flows through infrastructures over which they exercise no democratic control and which are subject to intelligence collection by foreign governments. The populations least able to exercise legal or political redress are simultaneously the most exposed to the asymmetries of international surveillance.

The emergence of "data havens" - jurisdictions with weak or absent data protection regimes -compounds this inequality. Entities operating from such jurisdictions can effectively circumvent stronger protections elsewhere, creating a systematic race to the bottom in which rights protections erode under competitive pressure. This dynamic is not merely a legal gap; it is, as the Special Rapporteur frames it, a structural human rights issue - a condition enabling domination, manipulation, and inequality at scale (A/HRC/61/48, 2025). Consent mechanisms are frequently opaque, raising serious doubts about their meaningfulness even where they are technically present.

GICJ Position

GICJ fully endorses the Special Rapporteur's conclusion that the current international framework is inadequate to protect the right to privacy in the digital age. The foregoing analysis makes clear that this inadequacy is not merely technical but ethical: it reflects a structural imbalance of power between individuals and the states and corporations that extract their data. This asymmetry is reflected in the inadequate legal frameworks and enforcements mechanisms.

The UN Special Rapporteur on the right to privacy has emphasised that personal data is increasingly extracted across borders, often without meaningful oversight or consent, creating gaps that national laws alone cannot fill (A/HRC/61/48, 2025). The report underscores that in the digital age, privacy protections cannot be confined to national jurisdictions - data protection must follow the person, not stop at borders.

The Interactive Dialogue illuminated a profound moral crisis in how states and corporations handle personal data - one that cannot be resolved by technical fixes alone but that demands structural, legal, and political transformation.

GICJ therefore calls on states to:

• Support the development of a binding international treaty on data protection, establishing universal minimum standards, clarifying jurisdictional responsibilities, and ensuring that individuals have access to effective remedies regardless of where violations occur.
• Strengthen cooperation between national data protection authorities, with particular attention to the needs of states in the Global South whose populations bear a disproportionate share of the harms of cross-border data extraction.
• Close the corporate accountability gap by requiring companies to apply the highest available standards of data protection to all users, irrespective of their geographic location, in accordance with the UN Guiding Principles on Business and Human Rights.
• Eliminate the exploitation of jurisdictional gaps, including the practice whereby state intelligence agencies acquire personal data through commercial intermediaries in order to circumvent legal constraints that would otherwise apply to direct collection.

Privacy is not a regulatory technicality. It is a fundamental human right inseparable from dignity, autonomy, democratic self-government, and democracy. Protecting it in an interconnected world requires that accountability follows data across borders - and that no person be rendered rightless by the accident of geography.

References

Legal Sources

International Instruments

International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171, art 17.

United Nations General Assembly, 'Guidelines for the Regulation of Computerized Personal Data Files' (Resolution A/RES/44/132, 14 December 1990).

UN Reports & General Comments

UN Human Rights Committee, 'General Comment No 12: Article 1 (Right to Self-Determination)' (1984) UN Doc HRI/GEN/1/Rev.9.

UN Human Rights Committee, 'General Comment No 16: Article 17 (Right to Privacy)' (1988) UN Doc HRI/GEN/1/Rev.9.

United Nations Human Rights Council, 'Report of the Special Rapporteur on the Right to Privacy' (2025) UN Doc A/HRC/61/48.

Ana Brian Nougrères (Special Rapporteur on the Right to Privacy), Statement at the 61st Session of the Human Rights Council, 26th Meeting, Interactive Dialogue on the Right to Privacy (UN Web TV, Geneva, 11 March 2026) https://webtv.un.org/en/asset/k1l/k1lqs5ai52.  Accessed 11 March 2026.

Frank La Rue (Special Rapporteur on the Right to Freedom of Opinion and Expression), Statement on the Third Committee Resolution on the Right to Privacy in the Digital Age (29 November 2013) UN News https://news.un.org/en/story/2013/11/456632. Accessed 09 March 2026.

General Assembly Backs Right to Privacy in Digital Age' (UN News, 19 December 2013) https://news.un.org/en/story/2013/12/458232. Accessed 09 March 2026.

Legislation

Foreign Intelligence Surveillance Act Amendments Act of 2008, Pub L No 110-261, 122 Stat 2436 (codified as amended at 50 USC § 1881a).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1.

Case Law

Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II) ECLI:EU:C:2020:559 (16 July 2020).

Journal Articles

Warren SD and Brandeis LD, 'The Right to Privacy' (1890) 4 Harvard Law Review 193.

Secondary Sources (Theory)

Foucault M, Discipline and Punish: The Birth of the Prison (Alan Sheridan tr, Pantheon Books 1977) (originally published 1975).

Pettit P, Republicanism: A Theory of Freedom and Government (Oxford University Press 1997).

Véliz C, Privacy is Power (Bantam Press 2020).

Westin AF, Privacy and Freedom (Atheneum 1967).

Zuboff S, The Age of Surveillance Capitalism (PublicAffairs 2019).