EU lacks a coherent strategy on free expression in digital sphere

(Illustration: Shutterstock)


This article is part of a series based on our report, Time to Step Up: The EU and freedom of expression.


The EU has made a number of positive contributions to digital freedom: it plays a positive part in the global debate on internet governance; the EU’s No-Disconnect Strategy, its freedom of expression guidelines and its export controls on surveillance equipment have all been useful contributions to the digital freedom debate, offering practical measures to better protect freedom of expression. Comparatively, some of the EU’s member states are amongst the world’s best for protecting online freedom. The World Wide Web Foundation places Sweden at the top of its 2012 Index of internet growth, utility and impact, with the UK, Finland, Norway and Ireland also in the top 10. Freedom House ranks all EU member states as “free”, and an EU member state, Estonia, ranks number one globally in the organisation’s annual survey, “Freedom in the World”. But these indices merely represent a snapshot of the situation and even those states ranked as free fail to fully uphold their freedom of expression obligations, online as well as offline.

As the recent revelations by whistleblower Edward Snowden have exposed, although EU member states may in public be committed to a free and open internet, in secret, national governments have been involved in a significant amount of surveillance that breaches international human rights norms, as well as these governments’ own legal commitments. It is also the case that across the EU, other issues continue to chill freedom of expression, including the removal or takedown of legitimate content.

The EU’s position on digital freedom is analysed in more detail in Index on Censorship’s policy paper “Is the EU heading in the right direction on digital freedom?” The paper points out that the EU still lacks a coherent overarching strategy and set of principles for promoting and defending freedom of expression in the digital sphere.

Surveillance

Recent revelations by former US National Security Agency (NSA) whistleblower Edward Snowden into the NSA’s PRISM programme have also exposed that mass state surveillance by EU governments is practised within the EU, including in the UK and France.

Mass or blanket surveillance contravenes Article 8 (the right to respect for private and family life) and Article 10 (the right to freedom of expression) of the European Convention on Human Rights. In its jurisprudence, the European Court of Human Rights has repeatedly stated that surveillance, if conducted without adequate judicial oversight and with no effective safeguards against abuse, will never be compatible with the European Convention.[1]

This state surveillance also breaches pledges EU member states have made as part of the EU’s new cybersecurity strategy, which was agreed in February 2013 and addresses mass state surveillance. The Commission stated that cybersecurity is predominantly the responsibility of member states, an approach some have argued gives member states the green light for increased government surveillance. Because the strategy explicitly states that “increased global connectivity should not be accompanied by censorship or mass surveillance”, member states were called upon to address their adherence to this principle at the European Council meeting on 24th October 2013. The Council was asked to address revelations that external government surveillance efforts, such as the US National Security Agency’s Prism programme, were undermining EU citizens’ rights to privacy and free expression. While the Council did discuss surveillance, as yet there has been no common EU position on these issues.

At the same time, the EU has also played a role in laying the foundations for increased surveillance of EU citizens. In 2002, the EU e-Privacy Directive introduced the possibility for member states to pass laws mandating the retention of communications data for security purposes. In 2006, the EU amended the e-Privacy Directive by enacting the Data Retention Directive (Directive 2006/24/EC), which obliges member states to require communications providers to retain communications data for a period of between six months and two years, which could result in member states collecting a pool of data without specifying the reasons for such practice. A number of individual member states, including Germany, Romania and the Czech Republic, have consulted the European Convention on Human Rights and their constitutions and have found the mass retention of individual data through the Data Retention Directive to be illegal.

While some EU member states are accused of colluding in mass population surveillance, others have some of the strongest protections anywhere globally to protect their citizens against surveillance. Two EU member states, Luxembourg and the Czech Republic, require that individuals who are placed under secret surveillance be notified. Other EU member states have expanded their use of state surveillance, in particular Austria, the UK and Bulgaria. Citizens of Poland are subject to more phone tapping and surveillance than any other citizens in the European Union; the European Commission has claimed the police and secret services accessed as many as 1,300,000 phone bills in 2010 without any oversight either by the courts or the public prosecutor.

Internet governance

At a global level the EU has argued for no top-down state control of internet governance. There are efforts by a number of states including Russia, China and Iran to increase state control of the internet through the International Telecommunication Union (ITU). The debate on global internet governance came to a head at the Dubai World Conference on International Telecommunications (WCIT) summit at the end of 2012 which brought together 193 member states. At the WCIT, a number of influential emerging democratic powers aligned with a top-down approach with increased state intervention in the governance of the internet. On the other side, EU member states, India and the US argued the internet should remain governed by an open and collaborative multistakeholder approach. The EU’s influence could be seen through the common position adopted by the member states. The European Commission as a non-voting WCIT observer produced a common position for member states that opposed any new treaty on internet governance under the UN’s auspices. The position ruled out any attempts to make the ITU recommendations binding and would only back technology neutral proposals – but made no mention of free expression. The absence of this right is of concern as other rights including privacy (which was mentioned) do not always align with free speech. After negotiations behind closed doors, all 27 EU member states and another 28 countries including the US abstained from signing the final treaty. That states with significant populations and rising influence in their regions did not back the EU and leant towards more top-down control of the internet should be of significant concern for the EU.

Intermediate liability, takedown and filtering

European laws on intermediate liability, takedown and filtering are overly vague in defining what constitutes valid and legitimate takedown requests, which can lead to legal uncertainty for both web operators and users. Removal of content without a court order can be problematic as it places the content host in the position of judge and jury over content and inevitably leads to censorship of free expression by private actors. EU directorate DG MARKT[2] is currently looking into the results of a public consultation into how takedown requests affect freedom of expression, among other issues. It is expected that the directorate will outline a directive or communication on the criteria takedown requests must meet and the evidence threshold required, while also clarifying how “expeditiously” intermediaries must act to avoid liability. A policy that clarifies companies’ legal responsibilities when presented with takedown requests should help better protect online content from takedown where there is no legal basis for the complaint.

The EU must take steps to protect web operators from vexatious claims from individuals over content that is not illegal. Across the EU, the governments of member states are increasingly using takedown requests. Google has seen a doubling of requests from the governments of Germany, Hungary, Poland and Portugal from 2010-2012; a 45% increase from Belgium and double-digit growth in the Netherlands, Spain and the UK. Governments are taking content down for dubious reasons that may infringe Article 10 rights of the ECHR. In 2010, a number of takedown requests were made in response to “government criticism” and four in response to “religious offence”. A significant 8% of takedown requests were in response to defamation offences. With regard to defamation charges, it must be noted that the public interest is not protected equally across all EU countries (see Defamation above).

Although corporate takedown is more prevalent than state takedown, particularly in the number of individual URLs affected, the outcome of the DG MARKT consultation must be to address both vexatious state and corporate takedown requests. The new communication or directive must be clearer than the EU e-Commerce directive has been with respect to the responsibility of member states. While creating a legal framework that was intended to protect internet intermediaries, the EU e-Commerce directive has failed to be entirely effective in a number of high-profile cases. EU member states use filters to prevent the distribution of child pornography with questionable effectiveness. However, filters have not been used by states to block other content after a Court of Justice of the European Union ruling stated EU law did not allow states to require internet service providers to install filtering systems to prevent the illegal distribution of content. The Court made it clear at the time that such filtering would require ISPs to monitor internet traffic, an infringement under EU law. This has granted European citizens strong protections against systematic web filtering on behalf of states. There continue to be legal attempts to force internet intermediaries to block content that is already in the public domain. In a recent case, brought by the Spanish Data Protection authority on behalf of a complainant, the authority demanded that the search engine Google remove results that pointed to an auction note for a repossessed home due to social security debts. The claimant insisted that referring to his past debts infringed on his right to privacy and asked for the search results to be removed. In June 2013, the Advocate General of the European Court of Justice decided Google did not need to comply with the request to block “legal and legitimate information that has entered the public domain” and that it is not required to remove information posted by third parties.
Google has estimated that there are 180 cases similar to this one in Spain alone. A final decision in the case is expected before the end of this year, which could have profound implications for intermediate liability.


[1] In Liberty v. UK (58243/00) the ECHR stated: “95. In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed”; A. v. France (application no. 14838/89), 23.11.1993: found a violation of Article 8 after a recording was carried out without following a judicial procedure and which had not been ordered by an investigating judge; Drakšas v. Lithuania, 31.07.2012, found a violation of Article 13 (right to an effective remedy) on account of the absence of a judicial review of the applicant’s surveillance after 17 September 2003.

[2] The Internal Market and Services Directorate General

Tunisians cast a wary eye on new crime agency

(Photo illustration: Shutterstock)

Tunisian privacy advocates are concerned about a new cyber crime investigative body: the Technical Telecommunications Agency (better known by its acronyms ATT or A2T).

The agency was created by the Tunisian government under decree 2013-4506 issued on 6 November. It is tasked with “providing technical support to judicial investigations into information and communication crimes” (article 2 of decree).

As soon as the creation of ATT was made public, netizens expressed their concern about a comeback of the despicable Ammar 404 (the nickname given to internet censorship and surveillance under the Ben Ali regime). Others described the newly established agency as “Tunisia’s NSA”.

“Fears about a Tunisian NSA are justified”, Douha Ben Youssef, an internet freedom activist, said.

“The ICT Ministry is justifying the existence of A2T the way Ben Ali justified the need for a control of information flow under the pretext of counterterrorism”, she adds.

Ben Youssef is also concerned about the lack of transparency and civil-society participation in drafting decree 4506.

“There was not a single multi-stakeholder debate about the decree while it was a draft”, she says.

While acknowledging the need to “monitor criminals and terrorists’ activities in this digital age”, Raed Chammem, a member of the Pirate Party, shares Ben Youssef’s fears.

“The fact that this agency was dropped as it is with no external supervision, in a country with a history full of abuses in this field, is very suspicious”, Chammem said.

The decree is “too vague. It mentions cyber-crimes without providing a clear definition about the nature of these crimes or specifying them”, he added.

Tunisia does not have laws addressing cybercrime or clearly determining “ICT crimes” mentioned in the decree. This legal void could be problematic considering the country’s vague ICT legislation and repressive laws.

Article 2 of decree 4506 states that ATT is tasked with the “reception and processing of investigation orders… stemming from the judicial authority, in accordance with the legislation in effect”.

Without specifying “the legislation in effect”, users could be investigated and put under surveillance by the ATT under criminal defamation and insult laws.

“Judges do not assess the seriousness of putting certain types of internet content under surveillance”, Moez Chakchouk, CEO of the Tunisian Internet Agency (ATI), told Index.

Despite the absence of a legal text requiring the agency to practice surveillance, ATI has been tasked with policing the Internet and assisting the judiciary to investigate cases of cyber crime amidst a legal and institutional vacuum. The establishment of ATT, though, is set to bring an end to such tasks.

Chakchouk says that many of the surveillance court orders received by ATI after the revolution have nothing to do with cases of counter terrorism or national security but are rather related to defamation.

“A crime in the cyberspace is not defined within the meaning of the Tunisian law. A simple Facebook post or a tweet could be considered as a serious crime by these people [judiciary]”, he said.

In 2012, the Ministry of Information and Communications Technology (ICT) consulted ATI about a new surveillance agency. The ATI had suggested the creation of an independent and permanent committee tasked with responding to court requests and made up of judges and civil-society actors, the ATI chief declared to Index.

ATI’s suggestions “had been completely ignored”, he said.

Under the current decree, ATT is far from being an independent entity.

The agency’s director-general and department directors are “named by decree on the proposal of the ministry of information and communications technology” (articles 4 and 12).

Meanwhile, an oversight committee established by the decree “to ensure the proper functioning of the national systems for controlling telecommunications traffic in the framework of the protection of personal data and civil liberties” is dominated by government representatives appointed from the ministries of ICTs, Human Rights and Transitional Justice, Interior, National Defense, and Justice.

Tunisia’s interim authorities have failed to introduce real reforms in order to cut ties with the surveillance abuses of the past. Before taking the step to establish a surveillance entity, the priority should have been repealing the dictatorship-era laws and legally consolidating personal data protection.

Last year, the National Authority for the Protection of Personal Data (INPDP), Tunisia’s Data Protection Authority, was working on a draft of amendments to the 2004 privacy law.

The proposed amendments aimed to consolidate the authority’s independence from government interference and to make it impossible for state authorities to collect and process personal data without the authority’s consent. To date, however, the amendments have not been voted on at the National Constituent Assembly (NCA).

“The government does not see these amendments as an urgent priority”, Mokhtar Yahyaoui, head of INPDP, told Index.

“Without reforms, the authority is incapable of conducting its role the way it should”, he added.

This article was posted on 2 Jan 2014 at indexoncensorship.org

The European Union’s commitments to freedom of expression


This article is part of a series based on our report, Time to Step Up: The EU and freedom of expression.


Since the entry into force of the Lisbon Treaty on 1 December 2009, which made the EU Charter of Fundamental Rights legally binding, the EU has gained an important tool to deal with breaches of fundamental rights.

The Lisbon Treaty also laid the foundation for the EU as a whole to accede to the European Convention on Human Rights. Amendments to the Treaty on European Union (TEU) introduced by the Lisbon Treaty (Article 7) gave new powers to the EU to deal with states that breach fundamental rights.

The EU’s accession to the ECHR, which is likely to take place prior to the European elections in June 2014, will help reinforce the power of the ECHR within the EU and in its external policy. Commission lawyers believe that the Lisbon Treaty has made little impact, as the Commission has always been required to assess whether legislation is compatible with the ECHR (through impact assessments and the fundamental rights checklist) and because all EU member states are also signatories to the Convention.[1] Yet external legal experts believe that accession could have a real and significant impact on human rights and freedom of expression internally within the EU as the Court of Justice of the European Union (CJEU) will be able to rule on cases and apply European Court of Human Rights jurisprudence directly. Currently, CJEU cases take approximately one year to process, whereas cases submitted to the ECHR can take up to 12 years. Therefore, it is likely that a larger number of freedom of expression cases will be heard and resolved more quickly at the CJEU, with a potential positive impact on justice and the implementation of rights in the EU.[2]

The Commission will also build upon Council of Europe standards when drafting laws and agreements that apply to the 28 member states. Now that these rights are legally binding and are subject to formal assessment, this may serve to strengthen rights within the Union.[3] For the first time, a Commissioner assumes responsibility for the promotion of fundamental rights; all members of the European Commission must pledge before the Court of Justice of the European Union that they will uphold the Charter.

The Lisbon Treaty also provides, in Article 7 of the Treaty on European Union, for a mechanism that allows European Union institutions to take action against a member state over its respect for human rights, whether there is a clear risk of a “serious breach” or a “serious and persistent breach”. This is an important step forward, which allows for the suspension of voting rights of any government representative found to be in breach of Article 7 at the Council of the European Union. The mechanism is described as a “last resort”, but does potentially provide leverage where states fail to uphold their duty to protect freedom of expression.

Yet within the EU, some remained concerned that the use of Article 7 of the Treaty, while a step forward, is limited in its effectiveness because it is only used as a last resort. Among those who argued this was Commissioner Reding, who called the mechanism the “nuclear option” during a speech addressing the “Copenhagen Dilemma” (the problem of holding states to the human rights commitments they make when they join). In March 2013, in a joint letter sent to Commission President Barroso, the foreign ministers of the Netherlands, Finland, Denmark and Germany called for the creation of a mechanism to safeguard principles such as democracy, human rights and the rule of law. The letter argued there should be an option to cut EU funding for countries that breach their human rights commitments.

It is clear that there is a fair amount of thinking going on internally within the Commission on what to do when member states fail to abide by “European values”. Commission President Barroso raised this in his State of the Union address in September 2012, explicitly calling for “a better developed set of instruments” to deal with threats to these rights.

This thinking has been triggered by recent events in Hungary and Italy, as well as the ongoing issue of corruption in Bulgaria and Romania, which points to a wider problem the EU faces through enlargement: new countries may easily fall short of both their European and international commitments.

Full report (PDF): Time to Step Up: The EU and freedom of expression

Footnotes

[1] Off-record interview with a European Commission lawyer, Brussels (February 2013).

[2] Interview with Prof. Andrea Biondi, King’s College London, 22 April 2013.

[3] Interview with lawyer, Brussels (February 2013).

President Obama: Privacy, free expression for all

Index on Censorship is deeply concerned that neither the report nor the recommendations on the NSA prepared by the White House review panel tackles the worldwide mass surveillance carried out by the United States. Index calls on President Obama to take urgent action to respect the right to freedom of expression and privacy of all the world’s citizens, not just those of the United States.

The report from President Barack Obama’s Review Group on Intelligence and Communications Technology is a 300-page tome which includes 46 recommendations – from forcing telecommunications firms to store call data for on-demand NSA access, to higher level signoff on surveillance of foreign leaders.

Kirsty Hughes, CEO of Index, said:

“These weak recommendations offer no privacy for non-Americans and only scant protection for foreign leaders. The NSA’s surveillance programmes continue to violate human rights on a massive scale. When Barack Obama decides what reforms to implement in January, he should remember that Americans are not the only people who deserve the right to privacy and free speech.”