The Limits of Privacy: Reconciling Data Protection with National Security and Public Safety in the Age of AI

Blogs | 0 comments

BY: Motunrayo Adebayo

The rapid advancement of artificial intelligence (AI) technologies, particularly in surveillance, law enforcement, and intelligence-gathering, has raised significant concerns about the balance between national security and individual privacy. While AI offers valuable tools for enhancing public safety and preventing threats, its widespread use by governments for national security purposes often leads to tensions with data protection and privacy rights. This article explores how different jurisdictions—the United States, the European Union, and Nigeria—navigate this delicate balance, examining key legal frameworks, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Nigeria’s National Data Protection Regulation (NDPR). Through an analysis of relevant court cases and national security provisions, the article highlights the complex relationship between privacy rights and national security interests. It argues that while national security is crucial, it is essential for governments to implement clear, proportionate, and transparent regulations to ensure that AI technologies do not unduly infringe upon fundamental privacy rights. The article concludes by stressing the need for continuous legal and ethical oversight to safeguard privacy in an increasingly AI-driven world.

The Limits of Privacy: Reconciling Data Protection with National Security and Public Safety in the Age of Artificial Intelligence Privacy and Data Protection: A Foundational Right
The right to privacy is enshrined in international human rights law, particularly in documents such as the Universal Declaration of Human Rights (UDHR) , which asserts that no one should be subjected to arbitrary interference with their privacy. This right is also embedded in national legal frameworks that regulate how personal data is collected, stored, and processed. However, as surveillance technologies powered by AI become more prevalent, governments argue that the need to protect national security justifies the intrusion on privacy. Legal frameworks, therefore, need to strike a delicate balance between ensuring security and protecting individual rights. UDHR (1948)
The use of AI for surveillance, including facial recognition, data mining, and predictive policing, often raises the question of whether national security can justify such invasions of privacy. Governments argue that security concerns, particularly in the age of terrorism and cyber threats, necessitate the use of AI-driven technologies. Legal frameworks, therefore, need to strike a balance, ensuring that while national security concerns are met, individuals’ privacy is still protected. Power (2020)

 

Key Data Protection Laws and Court Cases

  1. General Data Protection Regulation (GDPR) – European Union (2016)
    The GDPR is a comprehensive data protection law in the European Union that regulates the collection and processing of personal data, with strict rules on how this data can be used. The law acknowledges the importance of national security, allowing for some exemptions to the protection of personal data when necessary for security purposes.
    • Article 5(1)(c) – Purpose Limitation: Personal data can only be collected for specific, legitimate purposes, and further processing must be compatible with those purposes.
    • Article 9 – Special Categories of Data: Processing sensitive data, including biometric data, is prohibited unless explicitly justified for national security or law enforcement purposes. GDPR (2016)
    In Tele2 Sverige AB v. Post- och telestyrelsen (2018), the European Court of Justice (ECJ) ruled on the legality of telecommunications data retention for national security purposes. The Court held that while surveillance for national security may justify certain intrusions into privacy, such measures must be subject to strict conditions, including proportionality, necessity, and judicial oversight. This decision highlights the need to limit government surveillance practices to what is strictly necessary for national security, ensuring that privacy rights are respected even in high-risk situations.
    2. The California Consumer Privacy Act (CCPA) as an example– United States (2018)
    The CCPA is a significant privacy law in California that gives residents control over their personal data, including the right to access, delete, and opt out of the sale of their data. While the CCPA primarily targets private companies, it also impacts government surveillance practices, especially when AI is used to collect data for law enforcement or national security purposes.
    • Section 1798.100 – Right to Know: California residents have the right to be informed about the collection of their personal data, including data collected for national security or law enforcement purposes.
    • Section 1798.105 – Right to Delete: Residents can request the deletion of their personal data, even if it has been collected for security purposes.
    In Klayman v. Obama (2013), the U.S. District Court for the District of Columbia examined the constitutionality of the NSA’s mass surveillance program under the Foreign Intelligence Surveillance Act (FISA). The case addressed concerns about the government’s warrantless collection of phone metadata, which was justified by national security needs. This case highlights the balancing act between national security imperatives and privacy protections, underscoring the need for strict oversight of government surveillance programs.
    The Guiding Principles on Government Use of Surveillance Technologies provide a voluntary framework for governments to use surveillance tools responsibly, while respecting human rights and democratic values. The guidelines aim to prevent misuse in three key areas: 1) using internet controls to suppress human rights and limit access to information; 2) employing AI-driven video surveillance to monitor people unjustly; and 3) using big data analytics to discriminate against marginalized groups, including journalists, human rights defenders, and political dissidents.

    The five core principles that guide the responsible use of surveillance technologies are:

  2. Appropriate Legal Protections: Surveillance must comply with domestic and international law, ensuring lawfulness, necessity, and proportionality.
    2. Nondiscrimination: Surveillance should not target individuals based on race, gender, ethnicity, religion, political views, or any other protected classification.
    3. Oversight and Accountability: Governments must ensure proper oversight mechanisms, with transparent and independent review processes.
    4. Transparency: Governments should clearly communicate the legal basis and safeguards for surveillance technology use, balancing the need for public information with security concerns.
    5. Limitations on Data Scope and Collection: The data collected through surveillance should be relevant and necessary for achieving legitimate objectives, with appropriate data retention and privacy protections.
    Governments are also encouraged to implement mechanisms for ensuring privacy and human rights protections in the design, development, and deployment of surveillance technologies. The guidelines highlight the importance of training officials and ensuring systems undergo regular testing and evaluations. The OECD Principles on AI and privacy , including the OECD Recommendation on Artificial Intelligence, the OECD Privacy Guidelines , and the OECD Declaration on Government Access to Personal Data guide these principles, ensuring responsible data management. These principles have been adopted by 36 Member States of the Freedom Online Coalition.
    These countries are committed to supporting internet freedom and protecting human rights online, aligning with the guidelines to ensure surveillance technologies are used responsibly and without discrimination.
    3. National Data Protection Regulation (NDPR) – Nigeria (2019)
    In Nigeria, the National Data Protection Regulation (NDPR) governs the collection, use, and protection of personal data. It includes provisions that allow data collection without consent in certain cases, such as for national security or law enforcement purposes. NDPR (2019)
    • Section 2.5 – National Security: This provision permits the processing of personal data for national security purposes without the need for individual consent.
    • Section 3.2 – Purpose Limitation: Data must only be collected for specified, legitimate purposes, ensuring that any collection of personal data for national security purposes is justifiable and necessary. NDPR (2019)

National Security and Public Safety: The Need for Data Collection

Governments argue that national security justifies the collection and processing of personal data, particularly when it comes to preventing terrorism, detecting criminal activity, and ensuring public safety. AI technologies, such as surveillance cameras, facial recognition, and data mining tools, are increasingly being used by governments to address these needs. However, the deployment of such technologies raises critical ethical and legal questions about privacy rights and the potential for government overreach.

National Security Provisions

  1. Foreign Intelligence Surveillance Act (FISA) – United States (1978)
    The Foreign Intelligence Surveillance Act (FISA) allows the U.S. government to collect intelligence on foreign nationals, including data about U.S. citizens, when necessary for national security purposes. This includes surveillance without a warrant in some instances, particularly when deemed essential for protecting the nation from terrorism.
    • Section 702 – Acquisition of Foreign Intelligence Information: Authorizes the collection of foreign communications, including incidental communications of U.S. citizens, without a warrant if related to national security.
    • Section 215 – Business Records: Allows the bulk collection of business records, including metadata, for national security purposes. FISA (1978)
    In ACLU v. Clapper (2013), the U.S. Court of Appeals ruled on the constitutionality of the NSA’s mass data collection under Section 215 of FISA. The court ruled that such mass surveillance was unconstitutional, as it violated privacy rights protected by the Fourth Amendment. This case illustrated the tension between national security interests and individual privacy rights and set a precedent for requiring more transparency and oversight in surveillance programs.
    2. Artificial Intelligence Act – European Union (2021)
    The AI Act proposed by the European Commission aims to regulate the use of AI technologies in the EU, including those used for national security purposes. It imposes stricter rules for high-risk AI applications, including biometric surveillance systems like facial recognition.
    • Article 5 – Prohibited AI Practices: Prohibits certain high-risk AI applications, such as real-time biometric surveillance in public spaces, unless they are necessary to address specific and imminent threats to national security.
    • Article 6 – High-Risk AI Systems: AI systems used for law enforcement or national security, including surveillance technologies, must undergo stringent risk assessments to ensure compliance with privacy protections. EU AI ACT (2021)
    In Schrems II (2020), the European Court of Justice ruled that the EU-U.S. Privacy Shield was invalid due to U.S. surveillance practices not offering adequate protection for EU citizens’ data. The court emphasized the importance of privacy in the context of international data transfers, particularly when AI-driven surveillance technologies are used for national security purposes. This case reinforced the need for stringent data protection rules and independent oversight of national security surveillance programs.
    3. National Security and Public Safety – NDPR, Nigeria
    Under the NDPR, Nigeria allows for the processing of personal data for national security purposes without the need for individual consent. However, this is balanced by the requirement that such data collection must be proportionate and necessary.
    • Section 2.5 – National Security: Allows personal data to be processed for national security purposes, including surveillance, without the consent of the individual.

    Conclusion: The Need for a Balanced Approach

While national security is undeniably important, it is essential that governments balance security needs with the protection of privacy and individual rights. The social contract theory, which asserts that individuals consent to limitations on their freedoms in exchange for security and public order, underlines the need for a fair balance between privacy and security. However, this must be done in a way that ensures that privacy intrusions are justifiable, transparent, and subject to oversight.
Comparatively, the United States, European Union, and Nigeria each approach the balance between privacy and national security differently. The U.S. leans heavily on intelligence-gathering frameworks like FISA, but court rulings like ACLU v. Clapper highlight concerns over mass surveillance. The European Union takes a more cautious approach with the GDPR and the AI Act, emphasizing data protection while allowing for national security exceptions. Nigeria, as a developing nation, is still in the process of balancing national security with privacy through regulations like the NDPR, although there are concerns about enforcement and oversight.
Ultimately, the challenge for governments worldwide is to adopt clear legal frameworks that protect citizens’ privacy while ensuring that national security is not compromised. As AI technologies continue to evolve, so too must the laws and policies governing their use to maintain public trust and safeguard fundamental rights.

REFERENCES:
1. European Union. (2016). General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. https://eur-lex.europa.eu/eli/reg/2016/679/oj
o Article 5(1)(c) – Purpose limitation: Regulation concerning the processing of personal data.
o Article 9 – Processing of special categories of data.
2. Power, D. J., Burk, S., & Valacich, J. (2020). Balancing privacy rights and surveillance analytics: A decision process guide. Journal of Business Analytics, 4(2), 118-131. https://doi.org/10.1080/2573234X.2021.1920856
3. California State Legislature. (2018). California Consumer Privacy Act (CCPA), California Civil Code, Title 1.81.5, Section 1798.100 – 1798.199. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&chapter=22.&lawCode=CIV
o Section 1798.100 – Right to Know.
o Section 1798.105 – Right to Delete.
4. National Information Technology Development Agency (NITDA). (2019). National Data Protection Regulation (NDPR). https://nitda.gov.ng
o Section 2.5 – National Security.
o Section 3.2 – Purpose Limitation.
Nigeria Law Report, 2019.
5. Foreign Intelligence Surveillance Act (FISA), Pub. L. No. 95-511, 92 Stat. 1783 (1978). U.S. Code. https://www.law.cornell.edu/uscode/text/50/chapter-36
6. European Court of Justice. (2018). Tele2 Sverige AB v. Post- och telestyrelsen, Case C-203/15. https://curia.europa.eu/juris/document/document.jsf?text=&docid=196945&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=370
7. Klayman v. Obama, No. 13-0881, U.S. District Court for the District of Columbia (2013). https://www.courtlistener.com/docket/4283655/klayman-v-obama/
8. ACLU v. Clapper, United States Court of Appeals for the Second Circuit, 2013. https://www.aclu.org/cases/aclu-v-clapper
9. European Court of Justice. (2020). Schrems II, Case C-311/18. https://curia.europa.eu/juris/document/document.jsf?text=&docid=224217&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=370
10. European Commission. (2021). Artificial Intelligence Act – Proposal for a regulation of the European Parliament and of the Council on Artificial Intelligence. COM(2021) 206 final. https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12477-Artificial-Intelligence-Act_en
11. United Nations. (1948). Universal Declaration of Human Rights. https://www.un.org/en/universal-declaration-human-rights/
12. European Court of Justice. (2015). Schrems I, Case C-362/14. https://curia.europa.eu/juris/document/document.jsf?text=&docid=169227&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=370
13. European Court of Justice. (2020). Case C-311/18: Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Schrems II). https://curia.europa.eu
14. Privacy International. (2020). How AI and surveillance technologies are changing national security and public safety. https://privacyinternational.org
15. United Nations. (1966). International Covenant on Civil and Political Rights (ICCPR). Article 17. https://www.ohchr.org/en/international-covenants
16. Joined Cases Tele2 Sverige AB V. Post –och telestyrelsen and Secretary of State for the Home Department v Watsons, Global Freedom of Expression, Columbia University https://globalfreedomofexpression.columbia.edu/cases/joined-cases-tele2-sverige-ab-v-post-och-telestyrelsen-c-20315-secretary-state-home-department-v-watson/

Submit a Comment

Your email address will not be published. Required fields are marked *