The Best Practices identified in this Protocol reflect standards found in IHRL. Collectors may question why they should work to IHRL standards when, as explained in Section 3.2 above, IHRL is aimed at States. Collectors, as private entities, should operate in a manner that respects IHRL standards for several reasons:

  • The domestic law of the State where the audio data collection takes place (and where the processing takes place, if these are different) will often require private entities to conform with international and regional human rights law;
  • Private entities should act in accordance with the UN Guiding Principles on Business and Human Rights (UNGPs), which require business enterprises to respect human rights.1 While the UNGPs are not legally binding, and while they are not targeted at non-commercial entities per se, they are the authoritative global standard and frequently used as a basis for domestic and regional legal measures that are binding on private entities;
  • Audio data will be considered more robust before a court if it has been collected in compliance with IHRL standards;2 and
  • Operating within a human rights protective framework helps to uphold the integrity of a Collector’s work and its reputation among third parties.
A Note on Derogations
It should be noted that some IHRL treaties contain derogation provisions that, subject to strict requirements,3 allow States to temporarily suspend some of their human rights obligations4 in order to take measures to protect the security of the State in times of war or when a public emergency threatens the life of the nation. Collectors tend to operate in States that experience frequent or ongoing armed conflict, and those States may, as a result, have officially derogated from some human rights obligations. A derogation by a State should not alter a Collector’s practices and the human rights law standards it aims to uphold; the Collector should continue to operate as if there were no derogation. This is important to ensure that the Collector’s operations are aligned with international human rights standards regardless of the domestic context in which it operates.

4.1 UN Guiding Principles on Business and Human Rights

The UNGPs5 are guidelines requiring companies to respect human rights and provide a remedy for business-related human rights violations that companies may have played a part in. The UN Guide on Heightened Human Rights Due Diligence for Business in Conflict-Affected Contexts (hHRDD Guide) offers more specific guidance on how the UNGPs apply during conflict.6 The UNGPs require that companies identify, prevent, mitigate, and account for the adverse social and human rights impacts of their business activities. CSOs are not companies and are, therefore, not directly addressed by the UNGPs. However, the elements of the UNGPs identified in this section are highly relevant for CSOs and are easily transferable to their activities. The UNGPs should, therefore, be considered as part of the legal landscape that CSOs operate in.

Collectors operating in conflict-affected areas, whether they be businesses or CSOs, have heightened human rights duties because their activities can impact the dynamics of a conflict. Firstly, Collectors must ensure that their personnel do not perpetrate human rights abuses; secondly, Collectors must take steps to avoid enabling, exacerbating, or facilitating a serious human rights abuse by virtue of their activities. The duties contained in the UNGPs and the hHRDD Guide can be operationalised as follows:

  • Do not make a crime possible: Collectors should not provide a person or group perpetrating (or at risk of perpetrating) a crime with materials that could assist in a violation of IHRL or IHL. A Collector could be enabling a crime if it provides materials such as weapons, vehicles, fuel, or information.
  • Do not make a crime easier to carry out: Collectors should ensure that they do not make the commission of a crime easier. For example, if a company provides sophisticated tracking software to an armed group, it increases the group’s efficiency in targeting specific individuals. If targeting is then done for criminal purposes, the company can be held criminally responsible.
  • Do not make a crime worse: it is important that a Collector not increase the gravity of a crime by contributing to it. For example, a business may aid and abet a crime by selling a product that will increase the gravity of an attack against a group of civilians.

Criminal liability may follow if it can be proven that a company is responsible for such conduct and knew or should have known that its actions would contribute to human rights abuses or violations of IHL. Accordingly, Collectors should maintain and regularly update policies and practices that align with all relevant principles while operating in a conflict-affected area.

To identify any potential negative impacts that a Collector may have on persons and groups in the course of its operations in the context of a conflict, Collectors should conduct a human rights due diligence impact assessment prior to their operations in the area. Such a due diligence assessment should clearly identify the prevailing human rights situation in the area where the Collector plans to operate. In the simplest terms, this assessment may be done by asking the following questions:

  • Is there an actual or potential adverse impact on human rights or the conflict connected to the company’s activities (actions or omissions), products, or services in any of the State parties to the conflict?
  • If so, do the company’s activities in any of the State parties to the conflict increase the risk of that impact?
  • If so, would the company’s activities in any of the State parties to the conflict in and of themselves be sufficient to result in that impact?7

After the assessment, appropriate steps should be taken if any potential human rights risks are identified.

Collectors should periodically conduct such assessments in light of certain developments in their activities, including:

  • Before a new activity or relationship;
  • Before significant decisions or changes in the operation (e.g., market entry, product launch, policy change, or broader changes to the activities);
  • In response to or in anticipation of changes in the operating environment (e.g., rising social tensions); and
  • Periodically throughout the life of an activity or relationship.8

4.2 The Right to Privacy and Data Protection

In collecting audio data, Collectors must consider the right to privacy. This right protects an individual’s private sphere (private life, home, and correspondence) from interference by others. While privacy is a core human right, it is not an absolute right and can be derogated from and limited under certain circumstances. Derogation was addressed above in the introduction to section 4; limitations will be addressed in this section. A right is limited when there is a justified interference with that right.

An important element of the right to privacy is data protection.9 The processing of personal data can constitute an interference with privacy. Data protection is relevant when working with audio because recordings of a person’s voice can constitute personal data,10 and actions taken concerning that data (collection, storage, alteration, disclosure, and erasure)11 constitute processing. As such, whenever audio data collected and otherwise processed contains human voices, data protection issues arise.

What is personal data?
Personal data is understood as information relating to an identified or identifiable individual.12 Data can identify a person in any way,13 whether directly (for example, through a name or identification number), or indirectly (for example, through an IP address).14 As such, personal data includes information that, when linked with other information, could lead to the identification of a particular person, even though the information on its own would not be enough for an identification.15 For example, cell phone location data may not in and of itself be enough to identify an individual, but when it is combined with other information, such as property tax records, it may point to a specific person. As a result, cell phone location data is personal data. If data is anonymised, meaning that any identification is irreversibly prevented, then it will no longer constitute personal data.16 Data does not need to be reviewed or deciphered, or a person be identified, for it to constitute personal data.17 As long as it is possible to identify a person from the data, it is personal data. As such, whether audio data constitutes personal data depends on whether the speaker could be identified using any aspect of the data, rather than whether the speaker has been identified.

While the right to privacy is included in most core international human rights treaties,18 the analysis in this section of the Legal Framework focuses on relevant provisions of European human rights instruments, including Article 8 of the European Convention on Human Rights (ECHR) and multiple provisions of the Council of Europe Convention No. 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Convention 108). In addition, this section covers relevant obligations under European Union (EU) law, particularly the EU’s General Data Protection Regulation (GDPR).

Not all Collectors operate in jurisdictions within the Council of Europe or EU, and therefore, not all Collectors are bound to uphold the standards below. That being said, European privacy and data protection standards represent a high level of human rights protection that Collectors should nevertheless strive to maintain in their work. As stated in the UNESCO Guidelines for Judicial Actors on Privacy and Data Protection, the ‘implementation of data protection in its most widespread aspect is nowadays represented in the European context by the General Data Protection Regulation (GDPR), which has served as a basis and inspiration for much subsequent legislation worldwide’.19

There are two key steps in assessing the right to privacy implications of collecting audio data: 1) determining whether the right to privacy is engaged, and 2) if it is, determining whether an interference with the right is justified.

4.2.1 Whether the Right to Privacy is Engaged

Audio data collected in connection with accountability work can differ in nature. For example, in a conflict context it may capture communications between military personnel, communications between civilians, and/or communications between military and civilians. It may capture open-source communications—such as those communicated over an open radio frequency—or closed-source communications—such as a telephone conversation or a voice message sent with an instant messaging app. The privacy concerns will differ depending on the kind of communication involved.

Collectors should note that the right to privacy under international human rights law continues to apply in an armed conflict.20 Even if the State on whose territory the conflict is taking place has derogated from the right to privacy, Collectors should continue to uphold and respect the right to privacy in their work (see discussion on derogations above at the beginning of section 4).

A. Military Communications and the Right to Privacy

Military communications, understood as communications between military personnel, are made in the context of a state function, which is, by nature, a public function and not for the purpose of personal fulfilment or development. The ECtHR has found that activities of ‘an essentially public nature’ are outside of the scope of private life and fail to offer the respective actor a reasonable expectation of privacy.21 The jurisprudence, therefore, supports the position that communications carried out for public purposes, such as in relation to military activity, do not involve a reasonable expectation of privacy.22

Military communications will be excluded from privacy protection regardless of whether the communications take place using open-source or closed-source channels. When the nature of the communication is public, the fact that it is transmitted through a closed-source channel cannot convert that public nature into a private one.

The application of privacy protections is more complex when communications by military personnel are not (purely) military in nature. For example, a member of the military may use a radio or mobile phone to call family members for personal reasons. While the ECtHR has not adjudicated on this specific scenario, the matter would most likely depend on the type of communication channel used. If members of the military use open-source communication channels for private communications, this would likely not be protected. ECtHR case law provides that a violation of privacy requires personal data to have been compiled, processed, or published in a way beyond that which is reasonably foreseeable.23 Where military personnel communicate over open-source channels (for example, open radio frequencies that are unencrypted and publicly available), there is a reasonable foreseeability that the communications will be accessed, heard, and widely collected and shared by interested parties and stakeholders, including the opposing side of a conflict. By contrast, military personnel could expect communications over closed-source channels, for example mobile phones, to be less easily accessed. The expectation of privacy, therefore, would be higher (although not absolute, as in conflict contexts the opposing side can always be expected to have an interest in eavesdropping on military communications of all kinds).

Given the nature of modern-day conflict, Collectors will often face situations where they collect the audio communications of non-State armed groups. While fighters within these groups are not members of a State military, the above analysis should apply in the same way. Non-State armed groups often exercise effective control over segments of territory and population, such that for the individuals under their control, they are the de facto public authority. Thus, the same considerations for the reasonable expectation of privacy held by members of a State military can be applied to members of non-State armed groups (where they carry out functions that would be classified as public if a member of a State military carried them out).

Where there is doubt as to whether the right to privacy protects a particular audio communication, Collectors should err on the side of caution and assume that it is protected. In that case, Collectors should assess whether the interference is justified (discussed in section 4.2.2).

B. Civilian Communications and the Right to Privacy

Audio data collection efforts may pick up civilian communications and military communications, either incidentally or by design. Given the potentially sensitive nature of voice recordings, it is best to assume that the right to privacy of a civilian whose voice has been recorded is engaged from the moment of collection. Civilian communications may be entirely unrelated to military activities, or they may touch on military activities in some way, such as when two civilians discuss the arrival of soldiers in their village. In both cases, privacy is engaged because the communications relate to personal development, including establishing relationships with others and the outside world.24

Even when they are not members of the military, it is possible for civilians to directly participate in hostilities ‘when they carry out acts, which aim to support one party to the conflict by directly causing harm to another party, either directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capacity’.25 The effect of direct participation is that civilians temporarily lose protection from being targeted under the rules of IHL as long as they carry out such acts. In such a scenario, it is arguable that the right to privacy would not cover communications because they are related to a public function in the same way as military communications.

4.2.2 Whether Interference with an Individual’s Right to Privacy is Justified

If a person’s personal data has been collected in circumstances where the right to privacy is engaged, there will always be an interference with the right to privacy, but there will not always be a violation of the right to privacy. It is possible for the interference with privacy to be justified, and if justified, the interference would be a permissible limitation of the right and would not constitute a violation. Article 8 of the ECHR and Article 11 of Convention 108 list the following criteria for justifying an interference with the right to privacy:

  • It must be in accordance with the law;
  • It must be necessary to achieve a legitimate aim, namely national security, public safety, the economic well-being of the country, the prevention of disorder, the investigation and prosecution of criminal offences, the protection of health or morals, or the protection of the rights and freedoms of others; and
  • It must be proportionate to the aim sought.

For an interference with privacy to be justified, the above criteria should be met at the outset of the interference and throughout. As time passes and circumstances change, regular evaluation will be required to be sure the criteria continue to be met.26

As already mentioned, IHRL is only legally binding upon States. As such, the justification criteria are intended to be applied to a State’s interference with the right to privacy. The assessment below nevertheless applies the justification requirements to the operations of CSOs to demonstrate how these Collectors can adhere to IHRL standards.

A. In Accordance with the Law

The requirement that measures interfering with the right to privacy be ‘in accordance with the law’ is designed to prevent State authorities from acting arbitrarily. For this requirement to be met, State authorities must have a basis in domestic law for their actions, and this domestic law must provide appropriate safeguards. A domestic court must often give state authorities specific authorisation before taking measures interfering with an individual’s privacy.

The importance of this requirement for CSOs is not settled. Given that IHRL is addressed to States, and given that private entities do not generally have standing to apply for permission to collect closed-source data relating to other private entities, it is possible that this requirement does not apply. That being said, private entities are subjects of domestic law; their collection efforts should therefore respect provisions of domestic law that apply to them.

Despite the uncertainty surrounding this requirement, Collectors can consider two factors to inform their approach: the nature of the data and the context of the collection.

Nature of the Audio Data
Data collection from open sources, including personal data such as photographs, is not generally regarded as requiring a basis in law or specific authorisation. In the November 2022 decision in Ukraine and The Netherlands v Russia, the ECtHR relied on open-source data collected by both private and public entities–including photographs–to establish the admissibility of a claim. No mention was made of a legal basis or authorisation being required to collect the data, nor was the issue raised by any of the parties to the proceedings.27

By comparison, access to closed-source data will require some form of legal basis and authorisation. In the same November 2022 decision, the ECtHR also relied on intercepted telephone communications. In relation to this closed-source data, the court noted that the collection and sharing of intercepts was authorised by a domestic court and the domestic prosecutor’s office.28 This accords with the long line of ECtHR case law on the right to privacy and closed-source data.29 Many legal systems prohibit–through criminal law, civil law, or both–the unauthorised collection of closed-source data by non-state parties.

Context
In situations of armed conflict, it may not be possible or desirable to request authorisation to collect audio data, as doing so may compromise the objective of the collection effort. In such cases, international criminal courts and tribunals have been flexible when approaching closed-source audio data evidence collected otherwise than in accordance with the law.30 Therefore, lack of authorisation does not affect the evidentiary value of audio data from closed sources per se.

B. Necessary to Achieve a Legitimate Aim

Collectors working in the accountability space have a strong claim that their audio data collection is necessary to achieve a legitimate aim. Audio data collected in the context of an armed conflict or serious violence can play a role in establishing the truth of events: it captures contemporaneous information that could be used in future criminal trials or other accountability efforts. Furthermore, the ephemeral nature of digital information means it can be taken offline or deleted at any moment, making its fast collection and preservation crucial to accountability efforts. This is particularly true of intercepted audio: if this audio is not captured in the precise moment that it is communicated, there will be no record of the communication and valuable potential evidence of criminal acts will be lost.

At the necessity stage of the privacy assessment, an important question to ask is whether the legitimate aim could be achieved by less intrusive means. If the answer is ‘yes’, then the audio collection is not necessary to achieve the aim and less intrusive means should be sought.

C. Proportionate to the Aim Sought

The proportionality requirement for justifying an interference with privacy calls for the greatest nuance. An assessment must be made to measure whether the infringement of privacy is proportionate to the legitimate aim—in this case, of contributing to accountability for international crimes. This section identifies the considerations relevant to assessing proportionality in the context of work with audio data by formulating key questions that Collectors can ask themselves about their data practices. This is followed by a more detailed discussion of these issues.

Key Questions

Was the audio data open source or closed source? There is generally a greater expectation of privacy in closed-source data, making proportionality harder to establish.
Did the person/s know they were being recorded? If the subject of the audio recording was aware that the recording was being made, but nevertheless continued to speak, proportionality may be easier to establish.
Does the audio recording contain sensitive or privileged information? Sensitive or privileged information is subject to higher protection, so its collection and processing will generally be harder to establish as proportionate.
How serious are the crimes to which the audio recording relates? The more serious the crime, the lower the threshold for proportionality.
How long will the audio data be retained for? Generally speaking, the longer the Collector plans to retain the audio data, the harder it will be to argue that the retention is proportionate.
Was the audio data collected for a clearly articulated and limited purpose? The collection and processing of audio data will be easier to establish as proportionate if done for a concrete and clearly articulated purpose.
Is the audio data only being used for the purpose for which it was collected? Where data collected for one purpose is later used for a different purpose, the proportionality of this secondary use of the data will be more challenging to establish.
Is data minimisation being observed? The amount of data collected should be proportionate to the purpose for which it is collected and excessive collection should be avoided.
Are limits placed on who can access the data? Access to the data should be limited to those who require access in order to achieve the purposes behind the collection. Unjustifiably broad access will be disproportionate.
Is the audio data linked with other personal data? When different data points are linked together, this can provide a more complete picture of an individual’s private life, making proportionality harder to establish.

Detailed Discussion

As a starting point, it is worth noting that there are no absolutes when it comes to assessing the proportionality of a privacy interference. It is entirely dependent on the constellation of factors in a given case. Collectors should therefore reassess the proportionality of their practices whenever something in their collection and/or processing changes.

In cases where the threshold for establishing proportionality is high, it does not follow that data collection and/or processing can never be proportionate. Proportionality can still be achieved by having strong protections in place. For example, if data needs to be retained for a long time, the retention can be proportionate if the crime to which the data relates is very serious and access to the data is strictly controlled.

Open-Source vs Closed-Source Data
The data’s open source or closed source nature is relevant for proportionality because it affects a person’s expectation of privacy regarding their data. While there is no direct ICL or IHRL case law on this point, one can analogise from the case law of the ECtHR concerning surveillance in private and public places.31

Collectors should work from the starting point that open-source data will have a low expectation of privacy attached to it, and closed-source data will have a high expectation of privacy. From this starting point, Collectors should also consider the nature of the data (whether it is particularly sensitive) and who made the data public (whether it was the data subject themselves or a third party32).

Knowledge of the recording
When collecting data relevant to the commission of international crimes, it cannot be a requirement that the data subject knew their voice was being recorded. Indeed, this could undermine evidence collection efforts. That being said, case law from the ECtHR indicates that it will work in favour of a finding of proportionality if the data subject was aware that they were being monitored.33 In situations where individuals are speaking on open lines–such as unencrypted radio channels–or where they know their phone has been tapped,34 the threshold for proportionality will be lower.

Sensitive or privileged information
Sensitive information, such as that pertaining to a person’s religion, race, ethnicity, or sexual orientation, is subject to more stringent protection than other kinds of information.35 In the view of the ECtHR, it is not acceptable to process this kind of data in line with ‘ordinary domestic rules’.36

Privileged information is likewise more protected. It is in the public interest for communications between, for example, lawyers and clients, to be heavily protected from interference. The case law of the ECtHR leaves very little margin of appreciation to states to restrict the right to privacy in relation to privileged communications,37 and the ICC Appeals Chamber in Bemba et al stressed that the recordings made of the defendants to which the Prosecution had access related only to non-privileged phone calls.38

The seriousness of the potential crimes
The more serious the crime, the easier it is to justify processing data that could aid in its investigation and prosecution.39 As part of its assessment of proportionality in the context of the right to privacy, the ICC Appeals Chamber in Bemba et al indicated that the infringement should be proportionate to the investigative need.40

The period of data retention
Ideally, there should be a defined amount of time that data will be retained, after which it is deleted.41 The longer data is retained, the harder it will be to argue that the interference with privacy is proportionate. Although it is not automatically a problem if there is no set end date for the retention of the data,42 it can be an important consideration in a proportionality assessment. Regardless, a decision about the length of the data retention should be made on the basis of objective criteria and determined by necessity.43

In conflict situations, it can be many years before accountability processes materialise, making it impossible to know in advance how long data needs to be retained for.44 Furthermore, it can be difficult to know beforehand what data may or may not be relevant to future accountability proceedings. If data is deleted that later turns out to be pertinent to the defence case, this can compromise the rights of the accused. With that said, deleting data once it is clear that the data is not relevant can support the proportionality of the retention period.45

Clearly articulated and limited purpose
The collection and processing of data for a specific purpose, which is clearly set out beforehand, is more likely to be proportionate than data collected for a vague and broad reason. Judges at the STL considered it relevant for proportionality that call data records were collected and stored to investigate ‘concrete and specific crimes whose execution has already taken place’ and not ‘future indeterminate and unspecified criminal conduct’.46

Use in line with collection purpose
To be proportionate, the uses to which audio data is put should correspond to the purpose behind the collection.47 For example, for conducting accountability work in conflict-affected regions, the use of the collected data may be limited to promoting the investigation and prosecution of international crimes. A strong justification would be needed to change the use of the data to a different purpose.

Data minimisation
The amount of personal data being processed should not be excessive when weighed against the purpose for which it was collected. Even in the context of a criminal investigation, the collection of data should not be boundless without justification.48 Data will go through several stages of processing: collection, assessment, preservation, storage, transfer (to name a few). For each of these different stages, it is important to ask whether retaining the data for the aims being pursued is necessary.

Limits to access to the data
If only a limited category of individuals with a particular interest in the data are given access, the collection and processing of the data is more likely to be proportionate than if many individuals/organisations have access to it.49 This is particularly so if there is not a clear reason or justification for why such individuals/organisations are given access.50 Accordingly, when data is transferred to third parties, an assessment should be carried out to determine whether they can offer safeguards against abuse and disproportionate interference and whether their storage is secure.51

Collectors may wish to share with third parties the relevant information derived from the audio data in the form of a report or analysis. Doing so in a manner that excludes any individuals’ personal data would avoid interfering with any individuals’ privacy rights, and thereby avoid the need to ensure proportionality in the sharing process. Conversely, if the report or analysis includes information through which an individual is identified or identifiable, then a careful assessment should be carried out.

Linking datasets
Investigative work is characterised by the bringing together of information to build a picture of events. Audio data can form one piece of a bigger puzzle made up of witness testimony, open-source information (including photos and videos), call data records, satellite images, and other documentary evidence.

The linking of data is relevant for the right to privacy because the more data is brought together, the more detailed and granular the picture of a person’s private sphere becomes. Non-sensitive data may become sensitive if it is cross referenced with other data and sensitive information is revealed as a result. Or, already sensitive data may become more so.52 In cases where some (or all) of the data was shared voluntarily, linking it together can involve using it for a different purpose than the person intended or could have foreseen,53 and may reveal personal characteristics the person did not intend to disclose.54

Because of the risks that linking data can present,55 Collectors should be aware that additional safeguards may be needed to establish the proportionality of the data processing when data sets are cross-referenced.

4.2.3. The Right to Privacy and Audio Data Collected by Third-Party Sources

Collectors may come into possession of audio data because it is passed to them by third-party sources, rather than through direct collection. In this scenario, the Collectors were not involved in any potential privacy infringements that may have taken place during the initial collection and processing of the audio data. This does not mean, however, that Collectors can be unconcerned with this initial collection and processing; Collectors should conduct a preliminary assessment to identify any significant right to privacy issues. This involves inquiring into whether any manifest problems exist with respect to the ‘in accordance with law’, ‘necessity’, and ‘proportionality’ requirements discussed previously.

There are two reasons why Collectors should conduct a preliminary assessment of the actions of the third-party source: 1) because significant privacy violations can affect the admissibility of audio data as evidence before a court or tribunal, and 2) because it is relevant to the proportionality assessment that Collectors should undertake when they further process the data.

Section 5.1 below discusses in more detail when evidence will be inadmissible because it was collected in violation of human rights. Here it suffices to point out that Collectors should aim to identify possible grounds for exclusion of evidence as early as possible and flag this information to any actors they subsequently share the audio data with. Transparency is important for building robust evidence and can prevent problems in the future.

When audio data shared with Collectors by third-party sources is further processed by the Collector–meaning it is stored, analysed, enhanced, and/or transferred to other parties–an assessment of necessity and proportionality must still be undertaken. This is because the actions of the Collector in relation to the data, even if they did not collect it themselves, can infringe the right to privacy. This means that the Collector must conduct two assessments: 1) the above-stated preliminary assessment of the actions of the third-party source who directly collected the data, to check for manifest privacy issues, and 2) a detailed assessment of the Collector’s own actions and plans in relation to the data. The actions of the third-party source who collected the data may be relevant for the necessity and proportionality assessment that the Collector undertakes concerning their own processing of the data. For example, if audio data was collected in violation of privacy, it may make it harder to argue that the Collector’s data processing is proportionate.

4.2.4. Data Protection Instruments and Provisions

A. Convention 108+

When personal data is involved, the Council of Europe’s modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108+) enumerates a number of ‘data subject rights’ that are not fully reflected in the ECtHR case law concerning Article 8 ECHR. Generally speaking, data subject rights are the rights that a person has with regard to their personal data when such data has been processed by a third party. These rights include the right to know what personal data is being processed, the reason for the processing, and the right to object to the processing.56 Exercising these rights requires that the individual (i.e., the data subject) knows that their personal data has been processed.

In the context of Collectors’ work, data subjects (whether military or civilian) will generally not know that their data is being processed. For example, it is likely to be neither possible nor desirable for the individual whose voice is captured in an intercepted radio communication to be contacted by the Collector. Rather, Collectors can rely on Article 11 of Convention 108+, which sets out the exceptions to the protection of the rights of data subjects. These conditions mirror those that need to be satisfied for the restriction of privacy under the ECHR, so the analysis is the same here as above in section 4.2.2. The modernised Convention 108+ is also aligned with the EU’s General Data Protection Regulation (GDPR), discussed in the next section.

B. The EU’s General Data Protection Regulation

The EU’s General Data Protection Regulation (GDPR) harmonised data privacy laws across the EU. It sets out seven general principles for data processing. These are lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.57 Many of these principles will be familiar from the discussion above in section 4.2.2.C on proportionality.

Scope of the GDPR
The territorial scope of the GDPR is broad. If the Collector has an establishment in the EU, the GDPR applies to its activities regardless of (i) the location of the data subjects (i.e., even if they are outside of EU territory); (ii) the location where the data is processed; and (iii) whether the individuals whose data is collected are EU citizens.58 If the Collector does not have an establishment in the EU, the GDPR will still apply to its activities if it processes the data of data subjects who are in the EU.59

Legal Bases for Data Processing
Article 6 GDPR sets out the legal bases for data collection. Consent—where the data subject has agreed to the processing of their data—is a prominent legal basis for data collection, but will be problematic for accountability work as most data subjects are not aware of the data collection. More relevant for Collectors is the ‘legitimate interests’ legal basis.60

Data can be collected and processed if ‘it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’.61 The Information Commissioner’s Office sets out a three-part test for weighing the ‘legitimate interests’ of the data controller (i.e., the Collector) against the ‘fundamental rights and freedoms’ of the data subject. The three parts are:62

  1. Purpose test – is there a legitimate interest behind the processing? It is likely that processing data for the purposes of criminal accountability would qualify as a legitimate interest.63
  2. Necessity test – is the processing necessary for that purpose? It must be shown that a less invasive method to achieve the legitimate interest was not possible.
  3. Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms? This will require an assessment of the risk of harm to the individual compared with the importance of the legitimate interest.64

If the nature of the data processing changes—for example, the initial processing was collection and preservation, but this is later expanded to include transfer of data to third parties—then this three-part test must be newly carried out and satisfied.

Notification Requirements
When personal data is collected, the data controller65 must inform the data subject of the identity of the controller, their contact details, the legal basis and purpose of the processing, and who the data may be transferred to, among other things.66 Depending on whether the data was collected from the data subject themselves or not, this must be done at the point of data collection or at a later time.

The GDPR notification requirements can be onerous. Collection methods such as data scraping can collect the personal data of millions of people, in which case those millions of people must be notified of the information in the previous paragraph. Data scraping is covered by Article 14 GDPR, as this provision sets out the notification requirements for situations where personal data is not collected directly from the data subject. Article 14(5)(b) contains three limited exemptions to the notification obligation:

  1. Where notifying the data subject would be impossible;
  2. Where notifying the data subject would involve a disproportionate effort; or
  3. Where notifying the data subject would make the achievement of the objectives of the data processing impossible or seriously impair them.

The burden of proving impossibility lies with the Collector, who must show that there are ‘factors that actually prevent it from providing the information in question to data subjects’.67 In order to show that notification would involve disproportionate effort, the Collector must balance the effort involved in providing the information to the data subject with the impact and effects on the data subject if they are not provided with the information. This balancing exercise should be documented and further procedural steps followed.68 In practice, the disproportionate effort exemption has been interpreted narrowly. In a case involving a Swedish company operating in Poland, the Polish Data Protection Authority (DPA) and a Polish court determined that the financial cost of posting letters or sending text messages to nearly six million people–which the company estimated to be €8M69–was not sufficient to exempt it from the notification obligation.70 The Polish court, upholding the DPA’s decision, clarified that ‘disproportionate effort’ describes a situation where it is objectively possible but extremely difficult to notify the data subjects; financial reasons do not qualify. The act of posting a notice on the company website was also not sufficient, as the data subjects would not have known to look there given that they did not know their data had been collected.71 It is unclear how this would play out in a criminal accountability context.

The final Article 14(5)(b) exemption is perhaps the most promising for accountability work. If a potential perpetrator must be contacted and notified that their personal data has been collected, this would make it impossible to achieve the objectives of a collection effort or, indeed, seriously impair them. This is especially so since the information that must be provided in the notification includes the identity of the Collector and the legal basis and purpose of the processing.72 It is worth noting that these exemptions only apply when personal data is not collected directly from the data subject–Article 13 GDPR, which addresses situations where personal data is collected directly from data subjects, contains no exemptions.

Data Protection Measures
The GDPR contains a range of measures that data controllers and processors73 must take when carrying out data processing activities. Collectors should familiarise themselves with the measures that apply to them. Some examples include:

  • Implementing appropriate technical and organisational measures designed to implement data protection principles;74
  • Implementing appropriate technical and organisational measures (for example, pseudonymisation, encryption, anonymisation, and other safeguards75) to ensure that only personal data that is necessary for the purpose of the processing is processed;76
  • Keeping detailed records of the processing of data, including the names of the controllers and processors, the purpose of the processing, any transfers of data, etc.;77
  • Taking security measures to protect the data that are proportionate to the level of security risk;78 and
  • Notifying the relevant authorities of any data breaches if they occur.79

Data Transfers
In relation to the transfer of personal data from EU to non-EU jurisdictions, Collectors should ensure that the country to which they are transferring offers an equal level of protection. Some countries have been pre-approved as safe by the European Commission, and no further approval needs to be sought for transfer to those countries. At the time of this Protocol’s publication there are 11 countries on the pre-approved list:80 Andorra, Argentina, Canada,81 Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, the United States,82 and Uruguay.

Where a country is not on the pre-approved list, the GDPR prohibits transfers of personal data if adequate safeguards are not put in place.83 Such safeguards include model contract clauses (Standard Contractual Clauses, or SCCs), pre-approved by the European Commission, to be used in agreements to govern the transfer of data from controllers or processors in the EU to those outside. Companies must also ensure that the SCCs will be adhered to within the legal framework of the recipient country, or else implement additional protective measures.84 This can be achieved by performing an impact assessment that analyses the risks involved in transferring the data, with consideration for the legal context of the recipient country.85

C. Ljubljana-The Hague Convention

The Ljubljana-The Hague Convention on International Cooperation in the Investigation and Prosecution of the Crime of Genocide, Crimes Against Humanity, War Crimes, and Other International Crimes contains a specific provision on the use and protection of personal data. This convention applies to cooperation between States and does not grant individual rights, yet is worth Collectors’ consideration because it signals the importance of the right to privacy and data protection in the accountability space. The text of Article 16 of the convention reflects the GDPR principles of purpose limitation, accuracy, storage limitation, integrity and confidentiality, as well as the data subject rights to access, rectification, erasure, and notification.86

D. African Union Convention on Cyber Security and Personal Data Protection

The AU Convention on Cyber Security and Personal Data Protection–known as the Malabo Convention–came into force in June 2023. The Convention is a framework treaty which, among other things, requires member States to implement data protection rules in their domestic legal systems. The terms of the Malabo Convention mirror, in large part, the standards in the GDPR and Convention 108+. The six basic principles of the Malabo Convention are consent, lawfulness and fairness, purpose limitation, accuracy, transparency, and confidentiality.87 The Convention also identifies specific principles for processing sensitive data88 and the interconnection of personal data files.89

4.3 The Right to Fair Trial

Individuals facing criminal charges are entitled to rights and protections under international human rights law, including the right to a fair trial.90 This means that certain protections must be provided, including the rights to be prosecuted within a reasonable time, by an impartial and independent judge, to have adequate time and resources to prepare a defence, and to be presumed innocent. The Collectors addressed by the Protocol are not State entities and do not themselves have the power to prosecute individuals. However, given that the audio data Collectors gather may be used as evidence in future criminal trials, the right to fair trial is relevant to their work because it can impact the evidentiary value of the data.91 As such, while they are not legally obliged to respect the protections involved in the right to a fair trial, it is both legally and ethically desirable that Collectors incorporate consideration for these protections into their workflow.

Below is an overview of the key fair trial protections that are relevant for Collectors in their audio data work. There is an explanation of what each protection entails in general, followed by an indication of the ways in which the Collector can act accordingly.

The right to be presumed innocent
In General
The presumption of innocence is the legal principle according to which any person accused or suspected of a crime is considered innocent until they are proven guilty.92 The burden is on the prosecutor to prove the guilt of the accused beyond a reasonable doubt. The presumption of innocence applies from the moment an individual is identified as a suspect. Individuals do not need to have been formally charged with a crime to enjoy the right to be presumed innocent.93 When an individual is formally charged and classified as an accused, the presumption of innocence continues to apply. It is only once a final decision is reached on the guilt of an accused that the presumption of innocence ceases to apply (and does not apply at the sentencing stage94).
For Collectors
Abstain from making public statements about an individual’s guilt based on the audio data collected.95 This also applies to audio recordings containing potentially incriminating statements, as the presumption of innocence applies even if an individual admits guilt.96 Consider carefully who audio data is transferred to, as third parties may make prejudicial statements based on the data. This includes the media, which could publish material prejudging the individual’s trial.97 Some ways to share data with caution include redaction or anonymisation of certain information, as well as an agreement with the third-party recipient to ensure the appropriate use of the audio data. If Collector team members are called as witnesses, they should be conscious of presenting their testimony in an objective manner without making statements relating to guilt or innocence.
To know the case against them and be given exculpatory material
In General
The accused is entitled to be informed of the evidence the prosecution intends to rely on.98 The prosecution is obligated to disclose any evidence which may mitigate the guilt of the accused or affect the credibility of prosecution evidence.99
For Collectors
Collectors can protect this right by sharing all relevant material with either the prosecution or defence, as requested. If a request is made, a Collector should continue to disclose material it identifies as being potentially exculpatory even after the initial data handover.
To examine witnesses against them
In General
An accused has the right to examine witnesses against them and to call witnesses in their own defence.100
For Collectors
Collectors can protect this right by ensuring that, when called upon, team members involved in the collection, processing, and/or analysis of audio data are available to testify for either the prosecution or defence (or both) as relevant.

A Note on the Interaction Between the Rights to Privacy and Fair Trial
Where evidence was collected and processed in a manner that violated the right to privacy, it does not automatically mean that using that evidence in a criminal trial would be unfair to the accused. If the evidence is of good quality and was collected in circumstances that do not cast doubt on its reliability and accuracy, it may potentially still be used.101 If the following additional criteria are met, it is likely the evidence can be used without violating an accused’s right to a fair trial: a) the defence is given an opportunity to challenge the authenticity of the evidence and oppose its use; b) where the evidence is decisive in the proceedings, it is particularly strong and reliable; and c) overall, the accused’s defence rights are not disregarded.102

Footnotes

  1. OHCHR, Guiding Principles on Business and Human Rights, 2011 (OHCHR, Guiding Principles on Business and Human Rights), page 13.

  2. See infra, Section 5 below.

  3. The ICCPR, Article 4 and ECHR, Article 15 both permit member states to derogate from their obligations ‘to the extent strictly required by the exigencies of the situation, provided that such measures are not inconsistent with their other obligations under international law.’

  4. Not every right can be derogated from. For example, the prohibitions on torture and slavery cannot be limited in any way.

  5. OHCHR, Guiding Principles on Business and Human Rights.

  6. UNDP, Heightened Human Rights Due Diligence for Business in Conflict-Affected Contexts: A Guide (2022) (UNDP, hHRDD Guide); Jonathan Kolieb, ‘Don’t forget the Geneva Conventions: achieving responsible business conduct in conflict-affected areas through adherence to international humanitarian law’ (2020) 26 Australian Journal of Human Rights 142.

  7. UNDP, hHRDD Guide, page 28.

  8. UNDP, hHRDD Guide, page 20.

  9. ‘[C]ontemporary data protection frameworks are, conceptually speaking, legislative substantiations of the right to privacy’ (Robin Geiß and Henning Lahmann, ‘Protection of Data in Armed Conflict’ (2021) 97 International Law Studies 556, page 568).

  10. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 8 and 50-53. Under some circumstances, voice recordings can even be considered ‘sensitive data’ and therefore subject to heightened protection (para. 24) or otherwise as a category of data of special concern (paras. 50-53).

  11. Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data 1981 (Convention 108) Article 2(b). Additionally, the term ‘processing’ should be interpreted as including any use of the collected data to train AI/develop algorithms. Such processing should therefore adhere to the same data protection requirements as any other form of processing.

  12. Convention 108, Article 2(a); GDPR, Article 4(1).

  13. GDPR: Personal Data (Intersoft Consulting).

  14. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 8.

  15. What is Personal Data? (European Commission).

  16. European Commission Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, adopted 10 April 2014, page 9, which clarifies: ‘An effective anonymisation solution prevents all parties from singling out an individual in a dataset, from linking two records within a dataset (or between two separate datasets) and from inferring any information in such dataset.’

  17. Among the examples of ‘personal data’ listed in ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 8, is that of ‘electronic data seized in a law firm, even though it had not been deciphered, transcribed or officially attributed to their owners’ (citing Kırdök and Others v. Turkey, Judgment, ECtHR, 14704/12, 3 December 2019 (Kırdök and Others v. Turkey, Judgment), para. 36). Extrapolating from this example, data that has the potential to identify a person is still personal data even if it has not been deciphered, translated, or attributed.

  18. The right to privacy is protected by major regional and international human rights treaties: ECHR, Article 8; ICCPR, Article 17; ACHR, Article 11; EU Charter of Fundamental Rights, Article 7 (privacy) and 8 (data protection).

  19. UNESCO, Guidelines for Judicial Actors on Privacy and Data Protection (2022), page 17.

  20. Mary Ellen O’Connell, ‘Data Privacy Rights: The Same in War and Peace’ in Russel Buchan and Asaf Lubin (eds) The Rights to Privacy and Data Protection in Times of Armed Conflict (NATO CCDCOE, 2022), page 13.

  21. Friend and Others v UK, Decision, ECtHR, 16072/06 27809/08, 24 November 2009, para. 42.

  22. Friend and Others v UK, Decision, ECtHR, 16072/06 27809/08, 24 November 2009, para. 42. See also, Uzun v Germany, Judgment, ECtHR, 35623/05, 2 September 2010 (Uzun v Germany, Judgment), para. 44: a reasonable expectation of privacy is a significant, but not conclusive factor, when assessing whether a person’s private life is concerned.

  23. Uzun v Germany, Judgment, para. 45; Oy and Oy v Finland, Judgment, ECtHR, 931/13, 27 June 2017, para. 136. A significant element in determining whether operations concerning personal data fall within the scope of Article 8 is whether an individual is entitled to expect protection of his/her private life (ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 13).

  24. ECtHR, Guide on Article 8 of the European Convention on Human Rights (2022), para. 79.

  25. See ICRC, Direct Participation in Hostilities: Questions and Answers (2009); also see Russel Buchan and Nicholas Tsagourias, Ukranian ‘IT Army’: A Cyber Levée en Masse or Civilians Directly Participating in Hostilities? (EJIL:Talk, 9 March 2022).

  26. P.N. v Germany, Judgment, ECtHR, 74440/17, 11 June 2020, para 85; Catt v United Kingdom, Judgment, ECtHR, 43514/15, 24 January 2019, paras 119-120; Big Brother Watch and Others v. UK, Judgment, ECtHR, 58170/13, 62322/14 and 24960/15, 25 May 2021 (Big Brother Watch and Others v. United Kingdom, Judgment), paras 350, 356; Case of S. and Marper v United Kingdom, Judgment, ECtHR, 30562/04 and 30566/04, 4 December 2008, para. 119.

  27. Ukraine and The Netherlands v Russia, Decision, ECtHR, 8019/16, 43800/14 and 28525/20, 30 November 2022 (Ukraine and NL v Russia, Decision), see for example paras 464, 472, 524, 620, 650.

  28. Ukraine and NL v Russia, Decision, paras 1501-2.

  29. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras 86-87.

  30. Prosecutor v Brdjanin, Decision on the Defence “Objection to Intercept Evidence”, Case No. IT-99-36-T, ICTY, 3 October 2003, (Prosecutor v Brdjanin, Decision on the Defence “Objection to Intercept Evidence”), para. 56; Prosecutor v. Renzaho, Decision on Exclusion of Testimony and Admission of Exhibit, ICTR-97-31-T, 20 March 2007 (Prosecutor v Renzaho, Decision on Exclusion of Testimony and Admission of Exhibit), para. 15.

  31. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 158-161.

  32. See CoE, Guidelines on Safeguarding Privacy in the Media (2018), page 16.

  33. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 153-157.

  34. In Prosecutor v Brdjanin, Decision on the Defence “Objection to Intercept Evidence”, para. 63, the fact that the defendant knew their phone was tapped was important to finding that illegally obtained evidence could be admissible in a trial at the ICTY.

  35. GDPR, Article 9; Convention 108, Article 6; ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 18-37.

  36. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 21.

  37. ECtHR, Guide on Article 8 of the European Convention on Human Rights (2022), para. 242.

  38. Prosecutor v Bemba et al, Decision on Requests to Declare Certain Materials Inadmissible, paras. 17-18.

  39. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 199-202.

  40. Prosecutor v Bemba et al., Judgment on the appeals of Mr Jean-Pierre Bemba Gombo, Mr Aimé Kilolo Musamba, Mr Jean-Jacques Mangenda Kabongo, Mr Fidèle Babala and Mr Narcisse Arido against the Decision of Trial Chamber VII entitled “Judgment pursuant to Article 74 of the Statute”, ICC-01/05-01/13-2275-Red, 8 March 2018 (Prosecutor v Bemba et al, Appeal Judgment), para. 336.

  41. See ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 204-213. See also UN Security Council Counter-Terrorism Committee Executive Directorate, Guidelines to facilitate the use and admissibility as evidence in national criminal courts of information collected, handled, preserved and shared by the military to prosecute terrorist offences (2020) (UNSC CTCED, Military Evidence Guidelines), page 18, guideline 12.

  42. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 207.

  43. Digital Rights Ireland v Minister for Communications, Marine and Natural Resources and others, Judgment, CJEU, Joined Cases C-293/12 and C-594/12, 8 April 2014 (Digital Rights Ireland, Judgment), paras. 64 and 65.

  44. For example, crimes relating to the conflict in the former Yugoslavia are still being prosecuted, despite the war being over for many years and the first indictment of the ICTY being issued in 1994.

  45. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 205.

  46. Prosecutor v Ayyash et al, Decision on appeal by counsel for Mr Oneissi against the Trial Chamber’s decision on the legality of the transfer of call data records, STL-11-01/T/AC/AR126.9/F0007-AR126.9/20150728/R001136-R001176/EN/dm, 28 July 2015 (Prosecutor v Ayyash et al, Decision on Transfer of Call Data Records) para. 56. See also UNSC CTCED, Military Evidence Guidelines, page 18, guideline 12 which stipulates that States should ‘have in place a legal and policy framework that addresses the purpose of the collection, use and storage of the information, which competent authorities may store and control data, the procedures for storing and using data, as well as existing controls and guarantees against abuses’.

  47. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 117-120; Digital Rights Ireland, Judgment, para. 61. See also GDPR, Recital 50.

  48. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 106-108; Digital Rights Ireland, Judgment, paras. 57-59.

  49. Prosecutor v Ayyash et al, Decision on Transfer of Call Data Records, para. 57.

  50. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 223-225; Digital Rights Ireland, Judgment, para 62.

  51. Big Brother Watch and Others v. United Kingdom, Judgment, para. 362.

  52. Paul Quinn and Gianclaudio Malgieri, ‘The Difficulty of Defining Sensitive Data–The Concept of Sensitive Data in the EU Data Protection Framework’ (2021) 22 German Law Journal 1538, pages 1596-7. For a discussion on how computational capability affects data sensitivity, see Gianclaudio Malgieri and Giovanni Comandé, ‘Sensitive-By-Distance: Quasi-Health Data in the Algorithmic Era’ (2017) 26(3) Information, Communication and Technology Law 229.

  53. European Data Protection Supervisor, Formal consultation on EASO’s social media monitoring reports (case 2018-1083), page 3.

  54. European Data Protection Supervisor, Opinion 3/2018 on online manipulation and personal data (2018), page 15.

  55. Agencia Española Protección de Datos, Risk Management and Impact Assessment in the Processing of Personal Data (2021), page 91.

  56. Convention 108+, Article 9.

  57. GDPR, Article 5. These principles are reflected in UNESCO, Guidelines for Judicial Actors on Privacy and Data Protection (2022), page 18.

  58. GDPR, Article 3(1).

  59. GDPR, Article 3(2).

  60. GDPR, Article 6(1)(f).

  61. GDPR, Article 6(1)(f).

  62. What is the ‘legitimate interests’ basis? (Information Commissioner’s Office).

  63. GDPR, Recital 50.

  64. What is the ‘legitimate interests’ basis? (Information Commissioner’s Office).

  65. GDPR, Article 4(7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  66. GDPR, Articles 13(1) and 14(1).

  67. Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679 (2017) (WP 29 Transparency Guidelines), page 29.

  68. These steps are detailed in WP 29 Transparency Guidelines, page 31.

  69. Natasha Lomas, ‘Covert data-scraping on watch as EU DPA lays down “radical” GDPR red-line’ (Techcrunch, 30 March 2019).

  70. Joanna Karolina Tomaszewska, ‘Polish court overturns DPS’s first GDPR fine’ (International Association of Privacy Professionals, 2 April 2020).

  71. Joanna Karolina Tomaszewska, ‘Polish court overturns DPS’s first GDPR fine’ (International Association of Privacy Professionals, 2 April 2020).

  72. GDPR, Article 14(1).

  73. GDPR, Article 4(8): ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  74. GDPR, Article 25(1) and (2).

  75. GDPR: Privacy by Design (Intersoft Consulting).

  76. GDPR, Article 25(2).

  77. GDPR, Article 30.

  78. GDPR, Article 32.

  79. GDPR, Article 33.

  80. European Commission, Data Protection Adequacy for Non-EU Countries.

  81. Only commercial organisations.

  82. Only commercial organisations participating in the EU-US Data Privacy Framework.

  83. GDPR, Article 46(1) and 46(2)(c).

  84. Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, Judgment, CJEU, C-311/18, 16 July 2020, para. 134.

  85. Guidance on the performance of such an assessment can be found in European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (2021); see also Amancaya Schmitt, International Data Transfer of HR Data From the EU to Non-EU Entities – The Deadline for Adapting SCCs is December 27, 2022 (Littler, 4 October 2022).

  86. Ljubljana-The Hague Convention, Article 16.

  87. Malabo Convention, Article 13.

  88. Malabo Convention, Article 14.

  89. Malabo Convention, Article 15.

  90. ECHR, Article 6; ICCPR, Article 14; ACHR, Article 8; ACHPR, Article 7.

  91. See infra section 5.1. on ‘Admissibility of Evidence’ and supra ‘Methodology: How was it Developed?’

  92. Rome Statute, Article 66; Statute of the International Residual Mechanism for Criminal Tribunals (IRMCT), Article 19(3); UDHR, Article 11(1); ICCPR, Article 14(2); ECHR, Article 6(2); ACHR, Article 8(2); ACHPR, Article 7(1)(b).

  93. Rome Statute, Article 66(1) clarifies that the presumption of innocence extends to persons beyond the accused, stating that ‘everyone’ should be treated accordingly. See further Christoph JM Safferling, Towards an International Criminal Procedure (OUP 2003), page 67; Salvatore Zappala, Human Rights in International Criminal Proceedings (OUP 2003), page 84; and Karin N Calvo-Goller, The Trial Proceedings of the International Criminal Court. ICTY and ICTR precedents (Martinus Nijhoff Publishers 2006), page 56.

  94. Bikas v. Germany, Judgment, ECtHR, 76607/13, 25 January 2018, para. 57.

  95. ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), para. 355.

  96. Axel Springer SE and RTL Television GmbH v. Germany, Judgment, ECtHR, no. 51405/12, 21 September 2017, para. 51.

  97. EU Agency for Fundamental Rights, Presumption of Innocence and Related Rights: Professional Perspectives (2021), page 42; see also UN Human Rights Committee, General Comment No. 32, 9-27 July 2007, which states: ‘The media should avoid news coverage undermining the presumption of innocence.’

  98. Rome Statute, Article 67(2); ICC RPE, Rules 76-84; IRMCT RPE, Rules 71-73.

  99. Rome Statute, Article 67(2).

  100. Rome Statute, Article 67(1)(e); IRMCT Statute, Article 19(4)(e); ICCPR, Article 14(3)(e); ECHR, Article 6(3)(d); ACHR, Article 8(2)(f).

  101. Vukota-Bojić v Switzerland, Judgment, ECtHR, 61838/10, 18 October 2016 (Vukota-Bojić v Switzerland, Judgment), paras. 94-5; Khan v The United Kingdom, Judgment, ECtHR, 35394/97, 12 May 2000 (Khan v The United Kingdom, Judgment), paras. 35-40; Schenk v Switzerland, Judgment, ECtHR, 10862/84, 12 July 1988 (Schenk v Switzerland, Judgment), paras. 47-8.

  102. Vukota-Bojić v Switzerland, Judgment, paras. 94-5; Khan v The United Kingdom, Judgment, paras. 35-40; Schenk v Switzerland, Judgment, paras. 47-8.