WORKING PAPER
THE UNITED NATIONS HUMAN RIGHTS COUNCIL
Deliberating upon the need for data privacy in the 21st Century
Sponsors: The Russian Federation (through Kyrgyz Republic), The Democratic
People’s Republic of Korea (through Republic of Cuba), People’s Republic of China
Signatories: Republic of Iraq, Syrian Arab Republic, Republic of Cuba, Islamic
Republic of Iran, Republic of Maldives, State of Eritrea, Kyrgyz Republic, Socialist
Republic of Vietnam, Republic of Turkey, People's Democratic Republic of Algeria,
Kingdom of Sweden, Gabonese Republic, Republic of Lebanon, People’s Republic of
Bangladesh, Republic of France, Republic of Uganda, Republic of Colombia, Islamic
Republic of Pakistan, Republic of Honduras, Republic of Uzbekistan, Republic of
Lithuania, Republic of Costa Rica, Islamic Republic of the Gambia, Hashemite
Kingdom of Jordan, Arab Republic of Egypt, State of Kuwait, Republic of Azerbaijan,
Kingdom of Saudi Arabia, Czech Republic, Republic of Chile, Malaysia, Federal
Republic of Germany, Republic of South Africa, Republic of Kazakhstan, State of
Qatar, United Arab Emirates, Republic of India, State of Israel,
United Nations Human Rights Council (UNHRC)
The Human Rights Council,
Guided by the purposes and principles of the Charter of the United Nations,
Recalling past resolutions 28/16 of 1st April 2015, 68/167 of 18th December 2013,
69/166 of 18th December 2014 on the right to privacy in the digital age, HRC
Resolution 42/15 of 26th September 2019, GA Resolution 75/176 of December 2020,
GA Resolution 73/179, HRC Resolution 37/2 and GA Resolution 71/199,
Welcoming nations willing to work under the ambit of the UNHRC to implement data
privacy and personal data protection legislation in their sovereign territories,
Emphasizing that there is a need for additional discussion and analysis of issues about
the advancement and defence of the right to privacy in the digital age, procedural
safeguards, efficient domestic oversight, and remedies, as well as the necessity of
looking into the concepts of non-arbitrariness and lawfulness and the applicability of
necessity and proportionality assessments about surveillance practices, based on
international human rights law,
Noting that the digital age brings with it a set of unique challenges that need ample
deliberation and discussion in the international forum to bring about comprehensive
solutions for the same,
Recalling that private entities and business corporations which handle the personal
data of individuals have the moral responsibility to safeguard the same and be
accountable while handling the same,
1. Recognizes the need for human rights assessments when developing and
deploying public sector surveillance systems, ensuring these systems align with
international human rights standards and uphold both individual rights and
rights of the State;
2. Requests that legislation include methods to increase transparency in data
surveillance by public and private entities, holding all involved parties
accountable for their actions;
a) Mandating the periodic disclosure of surveillance activities and data collection
practices to relevant government bodies under strict confidentiality,
b) Requiring public and private entities to obtain explicit government authorization
before implementing large-scale surveillance programs, ensuring alignment with
national security objectives,
c) Establishing independent state-controlled review boards to oversee surveillance
practices, with the authority to audit, investigate, and enforce compliance;
3. Recommends laws that restrict personal data processing to specific, legal
purposes, including:
a) Processing only with the explicit consent of the data subject wherein the subject has
the right to be informed about the terms of data processing, duration of storage and
rights of the data subject,
b) Prohibiting unauthorized disclosure of data,
c) Implementing measures to secure personal data;
4. Encourages countries to assess risks related to data collection system
vulnerabilities, including threats from internal and external sources by
codifying procedures for avoiding the exploitation of rights of individuals and
their personal data;
5. Calls for significant investment in cybersecurity to protect sensitive data, with
options for international assistance if agreed upon;
6. Urges that victims of human rights abuses from surveillance systems have
access to effective legal remedies, including information on how to exercise
their rights, such as the right to receive information about their personal data
processing and the right to lodge a claim regarding the same;
7. Advises states to protect data privacy by:
a) Engaging stakeholders in decisions about sensitive data to address risks,
b) Ensuring data access and analysis consider the legitimate interests of individuals;
8. Reaffirms the need for grassroots public education on data privacy rights with
an “inverted pyramid approach” of resource allocation, protection methods and
legal remedies which are pivotal to formulate and update response plans based
on lessons learned from data privacy related mishaps and related evolving
threats;
9. Calls for government accountability in addressing serious data breaches
affecting individuals and corporations;
10. Advises the creation and enforcement of robust legal frameworks, similar to
China’s Personal Information Protection Law (PIPL) or Russia’s Federal Laws
on Personal Data, that define the boundaries of data collection and usage,
balancing individual privacy rights with state oversight by:
a) Mandating clear regulations on the collection, storage, and processing of personal
data, ensuring transparency and accountability in how data is handled,
b) Granting government authorities access to data under defined legal conditions to
protect national security, while safeguarding individual privacy rights,
c) Implementing stringent penalties for unauthorized access, disclosure, or misuse of
personal data to maintain public trust and adherence to the law,
d) Establishing mechanisms for individuals to seek redress in cases of data breaches or
violations of privacy rights, ensuring that legal remedies are accessible and effective;
11. Urges States to implement data backup and recovery mechanisms in relation to
public sector data in order to avoid instances of data leaks and losses, by
maintaining consistent and frequent backup mechanisms which aid data storage
and help establish a comprehensive Data Recovery Plan;
12. Requests countries to avoid “one-size-fits-all” approaches and bring about
legislation which helps acquire, manage, share, analyse and govern data with
increased efficiency while meeting the needs of government and protecting the
rights of citizens;
13. Calls upon member states to develop and implement laws that reflect national
priorities and security concerns, ensuring effective enforcement;
14. Further recommends governments to be vigilant in streamlining data
collection and processing modules in order to manage cost, security and also to
ease the processing of citizen data whilst protecting their privacy rights;
15. Encourages member states to adopt data localization policies to mandate the
storage and processing of data within their borders, enhancing state control and
security;
a) Requiring foreign entities to establish local data centres as a condition for operating
within the country,
b) Mandating that critical data related to national security and infrastructure be
exclusively stored and processed domestically,
c) Implementing strict penalties for non-compliance with data localization laws to
ensure adherence and protect national sovereignty;
16. Urges the establishment of international frameworks for cooperation on data
privacy that respect state sovereignty, with emphasis on bilateral and
multilateral agreements tailored to national contexts;
17. Recommends the use of advanced anonymization and encryption techniques to
protect personal data, while ensuring that such technologies do not impede
necessary state security and monitoring functions;
a) Implementing government-approved encryption standards that balance data
protection with state surveillance capabilities,
b) Requiring that decryption keys be accessible to state authorities under defined legal
frameworks for national security purposes,
c) Promoting the development of state-sponsored anonymization tools that align with
national security priorities and facilitate secure data processing;
18. Calls for the establishment of state-controlled oversight mechanisms to
monitor data collection and processing practices, ensuring accountability while
maintaining governmental authority;
19. Encourages member states to engage with selected civil society organizations
and the private sector in a controlled manner to develop policies that balance
national security interests with data protection;
20. Emphasizes the need for States to focus on evolving aspects such as
“Big Data” and “Metadata”;
21. Urges member states within the UNHRC to support capacity-building efforts,
especially for nations with emerging data protection systems, with an emphasis
on strengthening their domestic capabilities in data governance and
safeguarding privacy by:
a) Providing technical assistance and expertise to develop robust data protection
frameworks tailored to national contexts,
b) Facilitating knowledge exchange programs between developed and developing
states to share best practices in data management and privacy protection,
c) Establishing regional training centres focused on enhancing the skills of local data
protection authorities and government officials in handling data security challenges,
d) Promoting collaboration between states to create standardized tools and
technologies that reinforce privacy protection while ensuring national security
interests are upheld;
22. Affirms the necessity for ongoing research and dialogue on the implications of
emerging technologies in data privacy, focusing on national ethical standards
and state interests;
23. Calls upon member states to develop and enforce data privacy laws tailored to
the unique challenges of e-commerce, focusing on national priorities and
security concerns;
24. Requests data operators to adhere to data privacy norms such as:
a) Operators should not process personal data outside of the specific,
legitimate, legally binding, and predetermined purposes of collection of data,
b) Operators should implement organizational and technical as well as legal and
security measures when processing personal data of citizens in order to safeguard the
personal data of individuals,
c) Operators should take necessary measures to remove or clarify inaccurate or
falsified data to ensure the genuine nature of data which is collected and stored,
reducing the chances of falsification of data which could lead to malpractices with the
data;
25. Advises governments to inspect the efficiency of the personal data security
measures which they implement prior to putting the same into computer
systems and into operation to determine and identify possibilities of security
risks in relation to data processing, giving government the ability to restore
personal data which may have been modified or tampered with because of data
privacy breaches;
26. Encourages member states to mandate the establishment of local data centres
for all major technology companies operating within their borders, ensuring
that data generated domestically is stored and processed within the country to
safeguard state control over sensitive information;
27. Calls for the development and implementation of comprehensive
surveillance systems utilizing Security Information and Event Management
(SIEM) and Data Loss Prevention (DLP) technologies to monitor data flows
and user activities, ensuring that collected data is anonymized and aggregated
to preserve individual privacy;
a) Encourages member states to incorporate SIEM and DLP technologies within their
data management frameworks to enhance security and mitigate the risk of data
breaches,
b) Recommends that data obtained through these technologies be anonymized and
aggregated to prevent the identification of individuals,
c) Advocates for the regular auditing and updating of these technologies to ensure
compliance with evolving privacy standards and security requirements;
28. Encourages the formation of the "Global Cyber Sovereignty Coalition"
(GCSC) as detailed in Annexure 1, to promote international cooperation in
digital sovereignty and cybersecurity, with membership open to all UN General
Assembly member states;
29. Urges to remain actively seized of the above matters;
ANNEXURE 1 GCSC
1. The abbreviation, "GCSC" shall refer to the "Global Cyber Sovereignty
Coalition",
2. The GCSC shall consist of member states of the United Nations General
Assembly, with participation open to all member states regardless of their
attendance at the assembly,
3. The GCSC shall be accountable to the Secretary-General of the United
Nations, ensuring transparency, adherence to international standards, and the
most efficient practices in digital sovereignty,
4. The members of the GCSC shall be selected based on criteria established by
the United Nations General Assembly to ensure equitable representation; these
criteria may include:
a) Influence in the global digital space,
b) Capacity and resources to assist other nations in cybersecurity,
c) Commitment to upholding state sovereignty in the digital realm,
d) Experience in countering cyber threats,
6. The GCSC shall collaborate with representative governments or authorities of
nations and their respective sub-committees that regulate cyber-related fields,
facilitating international cooperation to counter cyber threats.