Symposium on PMSCs: When Surveillance Goes Private

[Méryl Schwitzguébel, CFE, is a project officer at DCAF – Geneva Centre for Security Sector Governance.

Dr Ilia Siatitsa is currently programme director and senior legal officer at Privacy International.]

Recently, surveillance technologies have captivated the public’s attention. From targeted attacks with spyware, like Pegasus or earlier FinFisher, to massive data scandals like Cambridge Analytica, these new technologies raise serious concerns for privacy, human rights, and democracy.

So far, much of the attention surrounding surveillance has been focused on intelligence and law enforcement agencies. However, the private surveillance industry and with it the provision of private surveillance services have been growing at such a rapid rate that it has spread everywhere around us. These highly intrusive surveillance tools, once reserved exclusively for governments’ use, are now increasingly used by private actors.

With often transnational and opaque operations, surveillance services provided by private military and security companies (PMSCs) are a regulator’s jigsaw puzzle. Many struggle to define what ‘private surveillance services’ even include. Is it traditional PMSCs using drones or offering cybersecurity services? Is it data brokers? Is it spyware vendors? The term encompasses a wide range of actors and technologies, making oversight harder. Regulating private surveillance services may be a complex undertaking, but delaying it is no longer an option.

How private companies collect and exploit personal data raises some of the most pressing risks. If left unregulated, private surveillance can seriously impact the rights to privacy and data protection and further enable infringements on other human rights, such as the rights to life and be free from torture.

As surveillance is commercialised and outsourced, we need to ensure that these services are regulated, transparent, accountable, and respectful of human rights. This post explores the evolution of private surveillance services and how existing tools and frameworks can address some of the far-reaching scope of private surveillance services.

Private Surveillance Services

PMSCs’ impact on physical security and human rights, particularly in relation to the use of force, has attracted growing attention in the last two decades. However, rapid technological advancements have been radically changing the nature of private security services, with PMSCs increasingly prioritising private surveillance, data harvesting, and cyber operations. It is of serious concern that these types of services have not been subjected to the same level of scrutiny.

Sophisticated and highly intrusive technologies are becoming today an integral part of PMSCs’ operations. From drones equipped with high-resolution cameras and sensors capable of monitoring large areas and capturing real-time footage, to advanced facial recognition systems used to identify or authenticate individuals – companies are increasingly equipping themselves with high-end surveillance equipment. Recent examples – including the exclusion of self-identified ‘enemies’ from public venues in the US or the facial network system operated by Facewatch in the UK – highlight the rising concerns about the unrestrained and uncontrollable proliferation of the use of advanced technologies by private actors. In addition, many PMSCs now offer cybersecurity services to monitor digital communications and networks to detect and prevent cyber threats as well as to ensure the security of their clients’ digital infrastructure. This often grants PMSCs unrestricted access to personal data. The companies may further use advanced data management and analytics to process vast amounts of data.

The technologies used by these companies can be highly intrusive. Data processing is becoming often a service in itself, not just a tool for providing security. With the rise of data-driven technologies and the growing interest in AI and machine learning capabilities, the collection and retention of vast amounts of data is becoming a priority for many of these companies. This data often includes sensitive personal information, such as biometrics, political or religious opinions, sexual orientation etc, which require enhanced protection under data protection laws, especially given the risk of discrimination, persecution and harm that comes with exposing this data.

These developments not only violate the rights to privacy and data protection – Privacy is a gateway right essential for the enjoyment of many if not all the other human rights. For example, private companies have engaged in spying on human rights defenders, including peaceful environmental activists through fake ‘astroturfing’ campaigns – a deceptive practice of creating a false impression of grassroots support for a cause, product, or policy – for major polluters. Similarly, private security companies have been involved in election manipulation, directly affecting the right to democratic participation. The current legal landscape, regulatory frameworks, and gaps in regulation enable these operations.

As surveillance technologies and data processing are becoming central to the activities of PMSCs, they have created new types of services, bringing with them new challenges that require urgent regulation. These activities are, for instance, hard to trace, as they do not always require the physical presence of a company in the territory where their clients operate. The increasing dependence on private companies, by public and private actors alike, and the transnational nature of their operations make international regulatory standards even more critical.

Integrating Private Surveillance into International Regulation of PMSCs

Although there is currently no reference document on the regulation of private surveillance services, there are international norms and good practices that apply to them.

The Montreux Document (MD), a non-binding but widely referenced tool, provides guidance for states on the regulation of PMSCs. While private surveillance is not specifically mentioned, the MD’s definition of PMSCs is applicable to several private surveillance service providers. The MD addresses issues linked to lawful acquisition and use of equipment, which are particularly relevant to the issue of the legality of PMSCs using certain types of technologies like facial recognition, or artificial intelligence capabilities.

Furthermore, the International Code of Conduct for Private Security Service Providers (the Code) contains important standards focused on human rights and respect for the rule of law. The Code’s emphasis on transparency, accountability, and responsible business practices is relevant for surveillance providers dealing with personal data or using invasive technologies.

Similarly, the Voluntary Principles on Security and Human Rights mainly provide guidance for those involved in physical security, and their scope could reasonably be interpreted to cover private surveillance carried out by individuals, especially when it involves direct, in-person monitoring.

Given the jurisdictional complexity of regulating PMSCs providing surveillance services, the Legislative Guidance Tool for States to Regulate Private Military and Security Companies is another useful resource. It provides concrete examples of how to effectively apply the MD and the Code. For example, the guidance tool provides advice on regulating services that span across borders. The tool also provides examples of how India, Honduras, and Switzerland have introduced laws with an extraterritorial reach that clarify these states’ responsibilities for overseeing private security operations abroad.

Finally, data protection principles and legislation are particularly relevant in controlling the data processing activities of PMSCs. Over 130 countries around the world have introduced data protection and privacy legislation that would be directly applicable to the companies operating in their jurisdiction. Also, the Council of Europe Convention 108  – officially titled ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ – contains obligations for both public and private actors.

Beyond these regulatory frameworks, research can help raise awareness of the kinds of actors and technologies that should be overseen. Papers like Understanding Private Surveillance Providers and Technologies andthe Global Surveillance Industry Report shed light on the sector’s complexity and fast evolving landscape. The Surveillance Watch highlights the growth of private surveillance providers that operate with little accountability. These companies may not be formally labelled as PMSCs, but the types of services that they provide should determine whether they fall within the scope of international norms and good practices applicable to private security companies.

Although international norms and good practices applicable to PMSCs were not originally designed to address the challenges raised by surveillance technologies, they remain relevant if adequately applied. Nevertheless, failing to properly integrate private surveillance services into ongoing regulatory discussions risks leaving significant accountability gaps.

First Steps Toward Integration

Existing international frameworks and guidelines are a reference for regulating private surveillance services. However, many countries still struggle to identify and respond to the growing role of surveillance services within the private sector. To promote effective change, national efforts should focus both on increasing state capacities to regulate surveillance services and on working with the industry to encourage human rights compliance.

Regulating private surveillance services provided by PMSCs is a complex task. States should assess existing regulatory mechanisms that apply to private surveillance services at the national level, identify the gaps and develop a plan to address them. Many states already have a regulatory framework for private security providers, such as national laws or licensing systems, that need to be adapted for surveillance services. With the rapid pace of technological development and the growing number of actors involved, private surveillance regulations must be flexible and adaptable in order to anticipate future trends.

The lack of awareness and expertise among regulators is a significant barrier to effective regulation. Indeed, many do not fully understand the scope, nature, or risks linked to private surveillance services, as the technologies used are often complex and opaque. Next to external capacity-building and other support, long-term and permanent technical expertise is needed within regulatory bodies.

While the issues and implications of unregulated private surveillance services remain broadly unknown, DCAF is collaborating with states, the industry and civil society, such as Privacy International, to address the above-mentioned regulatory gaps. Following advocacy by DCAF and Privacy International, some states have already begun to recognise the need to include surveillance services in their regulations. In Nigeria, civil society organisations like African Law Foundation (AFRILAW), support state authorities by raising awareness among regulators who are currently working on including private surveillance in their regulation. Guatemala is developing its private security policy that will for the first time incorporate the use of emerging technologies in the sector. These examples show that although regulatory reform remains challenging, it is possible.

Conclusion

The discussion around regulating private surveillance services is gaining momentum, however concrete action is still lacking. To move beyond analysis and towards effective safeguards, clear legislative and institutional steps must be prioritised at both national and international levels.

Explicit recognition and inclusion in regulation: Private surveillance services must be clearly named and defined in international legal and policy frameworks. This recognition is essential to avoid loopholes and ambiguity – actors providing surveillance services should no longer escape scrutiny because they do not fit outdated security definitions that are disconnected from today’s landscape.

Prohibit harmful technology and ensure responsible use:  Not all surveillance technologies should be permitted. States and international bodies must set clear limits on what can be developed, exported, or used by PMSCs. Licensing schemes should vet providers for transparency, human rights compliance, and legality—similar to arms control systems. Data processing is central to private surveillance, yet many actors operate outside relevant laws. Regulations must require full compliance with data protection standards, including consent, data minimisation, purpose limitation, and accountability.

Build on existing frameworks: The instruments referenced in this post offer useful foundations, but they must be applied in a way that addresses technological advancements. Rather than starting from scratch, these frameworks can guide international negotiations such as those ongoing at the UN in the open-ended intergovernmental working group elaborating on the content of an international regulatory framework relating to the activities of private military and security companies.

Equip oversight bodies to address the current challenges: Oversight bodies must be equipped with technical expertise to understand and regulate private surveillance services. Cooperation between relevant regulatory authorities (e.g. private security regulator, technology agencies, data protection commissions, human rights commissions) should be strengthened to share knowledge and streamline oversight. The PMSC industry should also be supported in updating its requirements and standards according to the evolution of surveillance services. DCAF is coordinating with International Code of Conduct Association (The Code’s oversight body) to ensure that the PMSC industry provides surveillance services that comply with human rights.

While not pretending to address all the challenges linked to privatised surveillance, these steps offer a clear path forward. As states and institutions revisit existing PMSC frameworks, these priorities can help ensure that surveillance technologies are not just powerful — but also governed, transparent, and human rights compliant.