At Least Authority, we believe that people have a fundamental right to privacy. In a technical context, a “right to privacy” translates into concrete requirements and design principles that ensure users maintain meaningful control over their personal data. Our security consulting work is rooted in this value as we help others build systems that respect and reinforce privacy-by-design, and we have applied these same principles to the development of our products Winden and PrivateStorage. In what follows, we examine the legal concept of the “right to privacy,” with particular focus on data privacy.
Historical Background
As a legal concept, the right to privacy is a fairly recent invention. In 1890, two young Boston lawyers, Samuel Warren and Louis Brandeis, published the law review article “The Right to Privacy,” which is considered a landmark in the development of privacy law. They argued that technological developments in the late nineteenth century, notably, the advancement of instantaneous photography, audio recordings, and mass-circulation newspapers, had created new, harmful intrusions on personal seclusion and dignity that existing laws could not properly address. Building on a concept whose roots can be traced back to Aristotle’s distinctions between private and public spheres, they called for the recognition of a distinct privacy right, a right to one’s own personality, or peace of mind, or even the “right to be let alone.” With this essay, Warren and Brandeis laid the intellectual foundation for the modern privacy torts and later constitutional protections.
As of now, the “right to privacy” is a fundamental liberty recognized in many legal systems. At its core, it protects an individual’s “personal sphere” from undue intrusions by public or private parties. Different jurisdictions around the world protect this right on different levels and with different scopes.
A Patchwork of Privacy Laws in the U.S.
The U.S. Constitution itself contains no express right to privacy or to data privacy. The U.S. Supreme Court, however, beginning as early as 1923 and continuing through its recent decisions, has broadly read a right to privacy into several constitutional provisions — especially the Fourth and the Fourteenth Amendment — and has treated personal autonomy as a fundamental liberty.
For example, in Katz v. United States (389 U.S. 347 (1967)), the U.S. Supreme Court decided that law enforcement’s eavesdropping on Mr. Katz’s public phone booth conversation without a warrant violated his reasonable expectation of privacy as protected by the Fourth Amendment. In this case, an FBI agent attached an electronic listening device to the outside of a public telephone booth in order to record Mr. Katz as he placed illegal gambling wagers. These recordings were used to obtain a conviction.
Notably, the U.S. Supreme Court’s privacy decisions are increasingly focused on restraining government intrusions or surveillance, but do not guarantee a comprehensive data privacy right, including any processing of personal data by both public and private entities. Despite multiple efforts — including the most recent on April 7, 2024, when the American Privacy Rights Act was announced, a comprehensive federal U.S. data protection law to ensure privacy protection on a federal level is still missing. Meanwhile, several sectoral federal privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPPA) or the Children’s Online Privacy Protection Act (COPPA), and a continuously growing patchwork of state privacy laws are providing some measure of data privacy protection within the U.S.
Safeguarding Privacy in Europe
The European Convention on Human Rights (ECHR) is a treaty designed to protect the basic human rights and freedoms of people within the member states of the Council of Europe, an international organization. There are currently 45 member states of the Council of Europe, including all EU member states. The European Court of Human Rights, an international court that interprets the ECHR, understands that the right to respect for private and family life in Article 8 ECHR includes a right to the protection of personal data. Additionally, for the member states of the Council of Europe, the Convention 108 (1981) on Automated Processing of Personal Data was designed to supplement Article 8 ECHR by laying out concrete data-protection principles.
The ECHR needs to be distinguished from the Charter of Fundamental Rights of the European Union (CFR), which enshrines into primary EU law a wide array of fundamental rights enjoyed by EU citizens and residents. The CFR became legally binding for the 27 EU member states with the coming into force of the Treaty of Lisbon on December 1, 2009.The CFR is one of the most compelling fundamental laws, as it explicitly protects both a right to respect for private life (Article 7 CFR) and a right to the protection of personal data (Article 8 CFR). Within the EU, data protection is primarily specified by the General Data Protection Regulation (GDPR), a data‐protection law that applies comprehensively to any processing of personal data by public and private entities within the EU, and, under certain circumstances, also outside the EU (see Article 3 GDPR).
Germany’s Constitutional Privacy
The German Federal Constitutional Court locates the right to privacy (“Privatsphäre”) as an essential element of the general right of personality (“allgemeines Persönlichkeitsrecht”) under Article 2(1), in conjunction with Article 1(1) (human dignity), of the German Constitution. The German Federal Constitutional Court, in its “Right to be Forgotten I” decision of November 6, 2019, argued that in the context of modern data processing, the free development of one’s personality requires that the individual be protected against the unlimited collection, storage, use, and sharing of their personal data. This fundamental right confers upon the individual the authority to, in principle, decide for themselves about the disclosure and use of their personal data. If individuals cannot, with sufficient certainty, determine what kind of personal information is known in certain areas of their social environment, and if it is difficult to ascertain what kind of information potential communication partners are privy to, this could greatly impede their freedom to make self-determined plans or decisions. Thus, although not named in the German Constitution in a standalone clause, the right to data privacy is firmly embedded in constitutional guarantees. Additionally, European laws, as well as federal and state laws — particularly the Federal Data Protection Act (Bundesdatenschutzgesetz) — ensure the right to data privacy in Germany.
Habeas Data in Latin America
In many Latin American constitutions, for example in Argentina (Article 43 of the Constitución de la Nación Argentina), Brazil (Article 5 of the Constituição da República Federativa do Brasil), or Mexico (Article 6 and 16 of the Constitución Política de los Estados Unidos Mexicanos), data protection is uniquely built upon the concept and tradition of habeas data, a constitutional right — literally translated as “bring me the data” — which guarantees individuals the right to access, correct, or require deletion of any personal information that the state possesses about him or herself. Additionally, many Latin American countries protect data privacy through comprehensive legislation, for example Argentina’s Protección de los Datos Personales (effective as of October 2000) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) (effective as of August 2018), which go beyond the core right of habeas data found in their constitutions. These modern data protection laws are often inspired by European data protection laws, and govern the collection, use, and dissemination of personal data by private as well as public parties.
A Spectrum of Privacy Protections in Asia
In several Asian countries, privacy protection is “an essential and often-used protection,” while in others, it is either absent or of uncertain legal existence. Thailand, for example, provides in Section 33 of its Constitution (2017) a right to privacy, and explicitly forbids the “exploitation of personal data” except as “provided by law” and “necessary for the public interest.” Thailand’s Personal Data Protection Act as of 2019 specifies this constitutional data protection guarantee.
Japan’s Supreme Court interprets Article 13 of its Constitution (1946), which protects the rights to “life, liberty and the pursuit of happiness,” as also including a right to privacy, provided it does not interfere with public welfare.
Singapore, on the other hand, is lacking constitutional privacy protection. Its Constitution has a number of provisions relating to protection of individual liberties, including a provision protecting life and personal liberty (Article 9 of the Singapore Constitution), but none of them refer specifically to privacy. However, Singapore chose a statutory approach by enacting the Personal Data Protection Act in 2012, which governs the collection, use, disclosure, and care of personal data by organizations. Notably, the term “privacy” does not appear in this law, and it is considered a business-friendly approach.
A lack of privacy safeguards can be seen, for example, in China. While Chapter II of China’s Constitution formally lists fundamental rights and duties of citizens, China’s Constitution itself is generally regarded as non-justiciable, indicating that there are no institutions capable of enforcing the rights.
Notable Strides in Africa’s Data Protection
Most African Constitutions do not yet enshrine a standalone “data-protection” right, but guarantee a general “right to privacy” in their Bill of Rights, for example Article 14 of the Constitution of South Africa, or Article 31 of the Constitution of Kenya. With the adoption of the African Union Convention on Cyber Security and Personal Data Protection in 2014 (the “Malabo Convention”), a continent-wide legal standard covering cybersecurity, e-transactions, and personal data protection was established. This first region-wide data protection treaty outside Europe, which in general mirrors the GDPR, became binding in 2023 when Mauritania became the fifteenth state to ratify it. Within the Economic Community of West African States (ECOWAS), a regional group of fifteen West African countries, the ECOWAS Supplementary Act on Personal Data Protection (2010) complements the Malabo Convention by requiring member states to enact national legislation and, for the first time in the region, making data protection subject to enforcement by the ECOWAS Court of Justice.
Australia’s Statutory Privacy Rights
Australia’s constitution lacks a general right to privacy or control over personal information, but Australians can rely on a statutory framework, most notably the Privacy Act 1988. This law includes the Australian Privacy Principles (APPs), which set out thirteen principles governing the collection, use, disclosure, quality, security, access, and correction of personal data. These principles apply to some private sector organizations as well as most Australian government agencies.
Privacy Laws vs. Real Protection
According to a January 2025 Analysis from the International Association of Privacy Professionals (IAPP), 144 countries — roughly 75 percent of all countries recognized by the United Nations (UN) — have enacted national data privacy laws, bringing 6.64 billion people, or 82% of the world’s population, under some form of legislative privacy protection. Besides the United States, notable countries still lacking a comprehensive national statutory privacy regime include Pakistan, Bangladesh, Iran, and Iraq, with Pakistan and Bangladesh having draft bills. In some countries, constitutional privacy guarantees exist but are not judicially enforceable or untested.
A Call to Prioritize Privacy
Privacy must be protected. As technology evolves, so too must our approach to safeguarding data and individuals’ freedom to make self-determinations. In many cases, personal data has become the product, monetized by companies in exchange for convenience. We all must ask ourselves: How much control over our information are we willing to surrender just to use an app to pay for goods or services?
At Least Authority, we implement and advocate for security and privacy by design, but we’re only one part of the larger ecosystem. Real change requires the support of developers and businesses that recognize that the right to privacy is not just a legal ideal — it’s mission-critical.