Council of Europe Tells Governments and Internet Intermediaries to Protect Internet Users’ Rights Better

The Council of Europe’s decision-making body, the Committee of Ministers, adopted a ‘Recommendation to member States on the roles and responsibilities of internet intermediaries’ on 7 March 2018. Most importantly, it stressed the importance of appropriate and transparent regulatory frameworks, reiterated that states should refrain from general content monitoring and untargeted surveillance, and called upon internet intermediaries to be more transparent and non-discriminatory when restricting content.

The Council of Europe is traditionally very active with respect to cybercrime harmonisation and cooperation (see earlier Incyder articles on its work on cloud evidence and production orders for subscriber information). It is also quite vocal in its documents about human rights online (see, for example, an earlier Incyder article on the resolution on mass surveillance). Most recently, it issued an almost visionary Recommendation on internet intermediaries, which came out just 10 days before the Facebook-Cambridge Analytica scandal broke.

Who are ‘internet intermediaries’?

Internet intermediaries comprise a variety of entities such as internet service providers, but also social media, search engines, internet payment systems and others. They fulfil various roles, from moderating content through processing personal data to influencing access to certain types of information. They can be small blog sites as well as large corporate entities that are in a position to control the market.

The Committee initially recalls that, while enhancing the ability to seek and impart information and contributing to the exercise of the freedoms of assembly and expression and other human rights and fundamental freedoms, the internet has also facilitated an increase in privacy-related risks and contributed to the spread of some forms of harassment, hatred and incitement to violence. The growing prominence of the online environment also creates challenges for the maintenance of public order, national security, crime prevention and law enforcement. Protection of intellectual property rights online is also an issue.

The Recommendation therefore sets out, firstly, the obligations of member States in respect of the protection and promotion of human rights and fundamental freedoms in a digital environment; and secondly, the corresponding responsibilities of internet intermediaries themselves. It is important to note that States have a positive obligation: not only to refrain from impeding human rights and fundamental freedoms, but also to adopt measures to ensure a safe environment for everyone and to protect human rights.

What should states do?

In broad terms, the Recommendation encourages states to: implement the guidelines provided therein when devising and implementing legislative frameworks pursuant to their obligations under various human rights instruments; review previously adopted measures; engage regularly with all relevant stakeholders; and encourage literacy programmes to enable all age and gender groups to enjoy the benefits of the internet while minimising the risks associated with its use.

In more detail, the obligations of member states include measures with regard to: legality, legal certainty and transparency; safeguards for freedom of expression, privacy and data protection; and access to effective remedy. Such measures, for instance, mean that requests by public authorities to internet intermediaries that interfere with human rights in any way, including access to, collecting or intercepting personal data, must be prescribed by law and must fulfil other requirements under the Convention as interpreted by the ECtHR. Effective oversight mechanisms should be in place, relevant legislation must be accessible and foreseeable and powers of public authorities should be clearly defined. Sanctions should be proportionate in order to avoid a chilling effect on the right to freedom of expression.

States should ensure that internet intermediaries are not by default held liable for third-party content they only give access to, transmit or store. Confidentiality of communication should be protected, while any surveillance should be targeted and subject to effective external oversight. Users, affected third parties, and the intermediaries themselves should all have at their disposal effective and accessible judicial and non-judicial procedures to address all claims of violation of rights under the Convention.

The role of internet intermediaries

Internet intermediaries, on their part, should respect internationally recognised human rights and fundamental freedoms in all their activities. Such responsibility exists independently of States’ ability or willingness to meet their human rights obligations.

Similar to the States’ obligations, internet intermediaries should strive for transparency, foreseeability and accessibility in respect of their service agreements, community standards or content-restriction policies. Content moderation should be conducted transparently, by trained personnel and on a non-discriminatory basis, while always respecting the users’ right to receive and impart information.

The same goes for the use of personal data, which should be limited to what is necessary in the given context, transparent for users and subject to the consent of the users at any phase of processing. Personal data should not be shared with third parties, unless provided for by relevant legislation. Intermediaries should make effective online and offline complaint mechanisms available; when designing and implementing these, they should engage in dialogue with relevant stakeholders such as consumer associations, regulatory authorities or human rights advocates.

CoE steadfast on human rights online

Many of the above obligations and responsibilities stem from the existing case-law of the ECtHR applicable to the offline world. They also reflect earlier instruments such as the UN Guiding Principles on Business and Human Rights or the Committee’s own 2016 Recommendation on business and human rights. Yet, in light of new revelations about possible misuse of personal data by social media, the growth in expressions of intolerance online and offline, as well as new regulatory frameworks such as GDPR and cyber security laws, there are real concerns over the protection of human rights and fundamental freedoms online. The Recommendation serves as a timely reminder that states have the obligation to secure the rights and freedoms enshrined in the European Convention on Human Rights for everyone within their jurisdiction, both offline and online, and that this duty involves carefully balancing the rights granted by the Convention.1 It is also important to note that the Convention not only provides for rights and freedoms, but also prohibits their abuse, in Article 17.

Author: Taťána Jančárková, National Cyber and Information Security Agency (NCISA), Czech Republic

This publication does not necessarily reflect the policy or the opinion of the NCISA, the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.