NB This is the executive summary of an issue paper prepared by Professor Douwe Korff, Visiting Fellow, Yale University (Information Society Project), and Oxford Martin Associate, Oxford Martin School, University of Oxford, UK for the Council of Europe Commissioner for fundamental rights. (Douwe Korff is also member of FREE Group)
FULL DOCUMENT ACCESSIBLE HERE
This issue paper addresses a pressing question: how can we ensure that the rule of law is established and maintained on the Internet and in the wider digital world? Section 1 describes the range of online activities and the threats to this environment; section 2 discusses the emerging “Internet governance” principles, and notes the special control exercised over the digital world by the USA (and the UK, in respect of Europe), which could lead to fragmentation of the Internet in response. Section 3 sketches the international standards of the rule of law, and some problems in the application of law in this new environment. Section 4 looks in some more detail at the main issues emerging from the earlier sections – freedom of expression, privatised law enforcement, data protection, cybercrime and national security – and discusses the delicate balances that need to be struck. The Council of Europe Commissioner for Human Rights has formulated a number of recommendations on the basis of the issues raised by this issue paper; these are set out after this executive summary.
A new environment for human activities
We live in a global digital environment that has created new means for local, regional and global activities, including new types of political activism, cultural exchanges and the exercise of human rights. These activities are not virtual in the sense of “not truly real”. On the contrary, they are an essential part of real citizens’ lives. Restrictions on access to the Internet and digital media, and attempts to monitor our online activities or e-communications, interfere with our fundamental rights to freedom of expression and information, freedom of association, privacy and private life (and possibly other rights such as freedom of religion and belief, or the right to a fair trial).
The new global digital environment of course also creates a new space for unlawful behaviour: for the dissemination of hate speech or child pornography, incitement to violence, breaches of copyright (“piracy”), fraud, identity theft, money laundering and attacks on the e-communications infrastructure itself through malware (such as Trojans and worms) or “denial of service” attacks. Cybercrime and cybersecurity have become major concerns. These threats are increasingly transnational, and there is a broad international consensus on the need to deal with cybercrime, cybersecurity and terrorism, but there is much less agreement on specifics – or even what constitutes a threat.
Four issues stand out. First, state actions aiming to counter cybercrime, threats to cybersecurity and threats to national security are increasingly intertwined; the boundaries between such activities are blurred, and the institutions and agencies dealing with them work more closely together. Second, states are now co-ordinating their actions in all these regards. Third, the work of national security and intelligence agencies increasingly depends on monitoring the activities of individuals and groups in the digital environment. Fourth, instead of ex post facto law enforcement, the emphasis is now on intelligence and prevention, with law-enforcement agencies using techniques – and technologies – previously reserved for secret services.
The nature of the digital environment Dangerous data
In an age of “Big Data” (when data on our actions are shared and/or exploited in aggregate form) and the “Internet of Things” (when more and more physical objects – things – are communicating over the Internet), it is becoming difficult to ensure true anonymisation: the more data are available, the easier it becomes to identify a person. Moreover, the mining of Big Data, in ever more sophisticated ways, leads to the creation of profiles. Although these profiles are used to spot rare phenomena (e.g. to find a terrorist in a large set of data, such as airlines’ passenger name records), they are unreliable and can unwittingly lead to discrimination on grounds of race, gender, religion or nationality. These profiles are constituted in such complex ways that the decisions based on them can be effectively unchallengeable: even those implementing the decisions do not fully comprehend the underlying reasoning. The digital environment can by its very nature erode privacy and other fundamental rights, and undermine accountable decision making. There is enormous potential for undermining the rule of law – by weakening or destroying privacy rights, restricting freedom of communication or freedom of association – and for arbitrary interference.
Global and private, but not in the sky
Because of the open nature of the Internet (which is its greatest strength), any end point on the network can communicate with virtually any other end point, following whatever route is calculated as being most efficient, the data flowing through all sorts of switches, routers and cables: the Internet’s physical infrastructure. The electronic communications system is transnational, indeed global, by its very nature; and its infrastructure is physical and located in real places, in spite of talk of a Cloud. At the moment, many of these physical components are in the USA and many of them are managed and controlled by private entities, not by governmental ones.
The main infrastructure for the Internet consists of high-capacity fibre-optic cables running under the world’s oceans and seas, and associated land-based cables and routers. The most important cables for Europe are those that run from continental Europe to the UK, and from there under the Atlantic to the USA. Given the dominance of the Internet and of the Cloud by US companies, these cables carry a large proportion of all Internet traffic and Internet-based communication data, including almost all data to and from Europe.
Who is in control? Internet governance
Important Internet governance principles have been put forward, by the Council of Europe and others, that stress the need to apply public international law and international human rights law equally online and offline, and to respect the rule of law and democracy on the Internet. These principles recognise and promote the multiple stakeholders in Internet governance and urge all public and private actors to uphold human rights in all their operations and activities, including the design of new technologies, services and applications. And they call on states to respect the sovereignty of other nations, and to refrain from actions that would harm persons or entities outside their territorial jurisdiction.
However, these principles still remain largely declaratory and aspirational: there is still a deficiency in actual Internet governance arrangements that can be relied on to ensure the application of these principles in practice. Also, Internet governance must take account of the fact that – partly because of its corporate dominance, and partly because of historical arrangements – the USA has more control over the Internet than any other state (or even all other states combined). Together with its close partner, the UK, it has access to most of the Internet infrastructure.
The former US National Security Agency contractor Edward Snowden has revealed that the USA and the UK are using this control and access to conduct mass surveillance of the Internet and of global electronic communications systems and social networks. There are fears that states may respond to the Snowden revelations by fragmentation of the Internet, with countries or regions insisting that their data are routed solely through local routers and cables, and stored in local clouds. This risks destroying the Internet as we know it, by creating national barriers to a global network. Unless the USA improves compliance with international human rights standards in its activities that affect the Internet and global communication systems, the movement towards such a truncated Internet will be difficult to stop.
Much of the infrastructure of the Internet and the wider digital environment is in the hands of private entities, many of them US corporations. This is problematic because companies are not directly bound by international human rights law – that directly applies only to states and governments – and it is more difficult to obtain redress against such companies.
In addition, private entities are subject to the national laws of the countries where they are established or active – and those laws do not always conform to international law or international human rights standards: they may impose restrictions on activities on the Internet (typically, on freedom of expression) that violate international human rights law; or they may impose or allow interference, such as surveillance of Internet activity or e-communications, that is contrary to international human rights law; and such actions may be applied extraterritorially, in violation of the sovereignty of other states.
The application of national law to the activities of private entities controlling (significant parts of) the digital world is extremely complex and delicate. Of course states have a right, and indeed a duty, to counter criminal activity that uses the Internet or e-communication systems. In this, they naturally enlist the help of relevant private actors. Responsible companies will also want to avoid their products and services being used for criminal purposes. Nonetheless, in such circumstances, states should in their actions both fully comply with their international human rights commitments and fully respect the sovereignty of other states. In particular, states should not circumvent constitutional or international law obligations by encouraging restrictions on human rights through “voluntary” actions by intermediaries; and companies, too, should respect the human rights of individuals.
The rule of law in the digital environment
The rule of law
The rule of law is a principle of governance by which all persons, institutions and entities, public and private, including the state itself, are accountable to laws that are publicly promulgated, equally enforced, independently adjudicated and consistent with international human rights norms and standards. It entails adherence to the principles of supremacy of law, equality before the law, accountability to the law, fairness in applying the law, separation of powers, participation in decision making, legal certainty, avoidance of arbitrariness and procedural and legal transparency.
The basic “rule of law” tests developed by the European Court of Human Rights
The European Court of Human Rights has developed elaborate “rule of law” tests in its case law, and these have also been adopted by other international human rights bodies. To pass these tests, all restrictions on fundamental rights must be based on clear, precise, accessible and foreseeable legal rules, and must serve clearly legitimate aims; they must be “necessary” and “proportionate” to the relevant legitimate aim (within a certain “margin of appreciation”); and there must be an “effective [preferably judicial] remedy” against alleged violations of these requirements.
“Everyone”, without discrimination
It is one of the hallmarks of international human rights law since 1945, and one of its greatest achievements, that human rights must be accorded to “everyone”, to all human beings: they are humans’ rights, not just citizens’ rights. Thus, subject to very limited exceptions, all laws, of all states, affecting or interfering with human rights must be applied to “everyone”, without discrimination “of any kind”, including discrimination on grounds of residence or nationality.
Because of the unique place of the USA and US companies in the functioning of the Internet, the constitutional and corporate legal framework in the USA is of particular importance. However, in contrast to the above-mentioned principle of international human rights law, many of the human rights guarantees in the US Constitution and in various US laws relating to the digital environment apply only to US citizens and non-US citizens residing in the USA (“US persons”). Only “US persons” benefit from the First Amendment, covering free speech and freedom of association; the Fourth Amendment, protecting US citizens from “unreasonable searches”; and most of the (limited) protections against excessive surveillance provided by the main pieces of legislation on national security and intelligence (FISA Amendment and Patriot Acts).
“Within [a contracting state’s] [territory and] jurisdiction”
The duty of states to comply with their responsibilities under international human rights law also when acting extraterritorially The main international human rights treaties, including the International Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR), oblige states to “ensure” or “secure” the human rights laid down in those treaties to “everyone subject to their jurisdiction” (or “within their jurisdiction”). This requirement is increasingly given a functional rather than a territorial meaning – as has recently been reaffirmed by the Human Rights Committee and the European Court of Human Rights. In other words, each state must ensure or secure these rights to anyone under its physical control or whose rights are affected by its (or its agencies’) actions.
Thus, states must comply with their international human rights obligations in any action they take that may affect the human rights of individuals – even when they act extraterritorially, or take actions that have extraterritorial effect. This obligation has specific consequences for data – what the digital world is made of – and especially for personal data, as is recognised by European data-protection law, which protects all individuals whose data are processed by European controllers, irrespective of their place of residence, nationality or other status. However, the USA formally rejects this application of international human rights law. In view of the predominance of the USA (and of US corporations that are subject to that country’s jurisdiction) in the digital environment, this poses a serious threat to the rule of law in that new environment. Continue reading