Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The United Nations' framework for responsible state behavior in cyberspace outlines voluntary, non-binding norms, principles and rules designed to guide member states in their conduct within the digital domain.
Rooted in a commitment to a rules-based international order, the framework affirms the applicability of international law to cyberspace, promotes adhering to responsible behavior norms, and encourages implementing practical measures to reduce the risk of conflict stemming from cyber incidents. It also underscores the importance of capacity-building efforts to help states strengthen cybersecurity capabilities and infrastructure.
Despite acknowledging the need to address threats to information security and recognizing states' obligations to uphold human rights in cyberspace, including the right to privacy and freedom of expression, privacy itself does not feature prominently in the framework.
However, recognizing privacy as a core element of the UN framework can reinforce trust, enhance human security and better align cyber stability efforts with existing human rights obligations.
Two tracks to inform privacy considerations
The UN General Assembly first took up the issue of "Developments in the field of information and telecommunications in the context of international security" through the consensus adoption of resolution 53/70 in 1999. The resolution marked the beginning of what became the UN's framework for responsible state behavior in cyberspace.
For over 27 years, the UN has progressively worked toward articulating clear expectations for how states should behave in cyberspace. In 2022, resolution 56/19 established the first Group of Governmental Experts — a body focused on developments in the field of information and telecommunications in the context of international security. The GGE comprises experts appointed on the basis of equitable geographical distribution and, more recently, gender parity. Between 2004 and 2021, six GGEs were convened to study threats in the sphere of information security and to explore cooperative measures to address them.
In parallel, member states have submitted national contributions to inform annual reports by the UN Secretary-General since 1998. The first Secretary-General report referenced privacy as a fundamental aspect of information security, although this was not strongly emphasized by most submissions that year. Over the course of the subsequent 12 reports, references to privacy persisted, often related to data security and the importance of safeguarding privacy in the digital age.
The first GGE, which met in 2004 and 2005, did not produce a consensus report; this outcome was understandable given the early and evolving nature of cyber discussions at the time. However, it laid the groundwork for the second GGE established by resolution 60/45, which successfully produced a report in 2010.
While the early threat landscape identified by these groups differs significantly from today's reality, they did recognize the harmful use of information and communication technologies in cyberspace affecting individuals, businesses, national infrastructures and governments. Still, there was no mention of data protection or privacy in these early outputs, despite growing recognition, via member states' submissions, that privacy and fundamental rights are intrinsically linked to information security.
In the 2011 Secretary-General's report on developments in the field of information and telecommunications in the context of international security, privacy was mentioned regarding regional initiatives such as the 2010 Organisation for Economic Co-operation and Development's Working Party on Information Security and Privacy and the 2011 Organization for Security and Co-operation in Europe conference, which emphasized privacy alongside principles such as confidentiality, integrity and authenticity of data.
The Cyber Security and Privacy EU Forum 2012 focused on internet and human rights and reaffirmed that security, freedom and privacy online are complementary. These developments reflect a growing awareness, particularly at the regional level, of privacy's relevance to cybersecurity.
Norm 13 (e) and the emergence of privacy in the UN framework
Despite increasing attention, it was not until the 2015 GGE report, produced by the third GGE, that privacy was explicitly mentioned within the UN framework. For the first time, the GGE recognized that "States should guarantee full respect for human rights, including privacy and freedom of expression." This marked a significant step forward; the recognition was elevated to Norm 13 (e) in the report, which called for the respect of human rights in cyberspace, including the right to privacy.
This development aligns with the General Assembly resolution 68/167, which recognized the right to privacy in the digital age. Though the resolution was not adopted in the context of international security, it nonetheless set an important precedent and encouraged member states to develop legislation aligned with privacy protections in digital communications. From a privacy perspective, this resolution was a turning point and directly influenced the 2015 GGE report.
By this time, many Western and European countries were enacting national data protection laws. The European Union's General Data Protection Regulation came into effect in 2018. However, privacy advocacy was no longer limited to the Global North. By the time of the 2020 Report of the Secretary-General, countries in the Global South were also emphasizing the right to privacy, reflecting broader convergence on the issue.
Opportunities for strengthening privacy commitments
As the GGE format concluded, discussions transitioned to a more inclusive, democratic and transparent Open-ended Working Group, allowing UN member states to participate. The first OEWG was mandated by resolution 73/27 and concluded in 2021. A second OEWG was established under resolution 75/240.
The OEWG reaffirmed all previous GGE outcomes. Its draft third annual progress report includes a voluntary checklist of practical actions to implement the framework's norms. Yet, the checklist fails to reflect how the increasing worldwide enactment of data protection laws directly contributes to the implementation of Norm 13 (e).
As of Jan. 2025, there were 144 countries with national privacy or data protection laws. These legislative frameworks are tangible measures that support human rights online and should be recognized as key mechanisms to implement the UN cyber norms. National experiences should be leveraged regionally to encourage further adoption of comprehensive privacy laws.
Given that modern cyberattacks increasingly target personal data, advancing regulatory frameworks for privacy and data protection is not only a matter of rights but of security. The integration of privacy protections throughout the data lifecycle, including measures to prevent unauthorized use or exploitation, can contribute to reducing cybercrime and enhancing public trust.
The OEWG concluded its mandate in July 2025 and established the Global Mechanism that will serve as a permanent, action-oriented UN mechanism on developments in the field of information and communication technologies in the context of international security and advancing responsible state behavior in cyberspace. It is crucial that member states reflect on how privacy can be better integrated into the implementation of the framework in the next Global Mechanism.
Privacy is a pillar of cybersecurity, a foundation for trust, and a necessary element in ensuring peaceful and stable behavior in cyberspace. Strengthening privacy commitments across the UN frameworks is not only timely but essential.
Julia Rodríguez is a diplomat at the United Nations representing El Salvador and is pursuing a Master of Science in Cybersecurity at the Georgia Institute of Technology.