|Steering Committee (CDMSI)|
|Bureau of the Committee (CDMSI-BU)|
|Former Steering Committee (CDMC)|
|Former Bureau of the Committee (CDMC-BU)|
|Rights of Internet Users|
|Legal and Human Rights Capacity Building|
|FORMER GROUPS OF SPECIALISTS|
|Public Service Media Governance|
|Protection Neighbouring Rights of Broadcasting Organisations|
|Public service Media|
hate speech - Living together on-line"
Reykjavik - Iceland
28-29 May 2009
|European Dialogue on Internet Governance (EuroDIG)|
|Committee of Ministers texts|
|Parliamentary Assembly texts|
1st Meeting - 13 to 14 September 2012 (Strasbourg, Agora, Room G02)
University of Graz/UNI-ETC1
The views expressed in this paper are those of the author and
do not necessarily reflect the official position of the Council of Europe
I. Relevant (multi-stakeholder) approaches to enumerations of human rights relevant for the internet 4
1. Introduction 4
2. Charter on Human Rights and Principles for the Internet (the IRP Charter) 6
3. Other relevant documents 10
4. Analysis of Council of Europe guidelines, codes of conduct and recommendations, regarding rights of Internet users 11
5. Criteria for a mapping of rights that could form part of the Compendium 13
6. Proposal on rights for possible inclusion 13
II. Available remedies and infringement procedures 15
1. Typology of remedies 15
2. Relevant questions to be addressed 16
III. Questions for discussion by the Committee of Experts 16
1. User’s human rights: human rights vs. consumer rights? 16
2. Which actors should be addressed by the Compendium? 16
3. What kind of Internet user rights’ violations should be considered? 17
4. Types of mechanisms 17
5. Strengths and weaknesses (gaps) of existing remedies 17
6. Value added of Compendium 17
IV. Case Studies on Internet User Rights 17
1. Relevant case law of the European Court of Human Rights 17
2. Principles established by the Parliamentary Assembly of Council of Europe on protection of privacy and personal data on the Internet and online media 18
3. Data Protection reforms in Europe 18
4. US-efforts to improve user rights 19
5. Remedies for threats to or violations of rights of the child 20
V. Conclusions and Proposals 20
Appendix 1 - APC Charter (Internet Rights Charter).PDF file sent separately. 21
Appendix 2 - IRP Charter (Charter of Human Rights and Principles for the Internet) English only. PDF file sent separately. 21
The expected result of the MSI-DUI work according to its Terms of Reference is:
“A compendium of existing human rights for Internet users is prepared to help them understand and exercise their rights when, considering their rights and freedoms have been adversely affected, they communicate with and seek effective recourse from key Internet actors and government agencies (2013).” (hereinafter the Compendium)
According to the Council of Europe Strategy on Internet Governance 2012-20152, a compendium of existing human rights of Internet users should be elaborated, with the following objectives:
· maximizing rights and freedoms of Internet users;
· allowing Internet users, who consider their rights and freedoms adversely affected, to communicate and seek effective recourse to key internet actors and government agencies.
Examples given effective recourse are:
· reporting an incident;
· lodging a complaint;
· seeking a right to reply; and redress;
· other forms of recourse.
The purpose of this Discussion Paper is to provide a basis for discussions at the first meeting of the MSI-DUI.
Definition of “User rights”
“User rights”, for purposes of this Discussion Paper, are understood as entitlements of users of Internet services to a certain treatment or behaviour by public or private entities. User rights can be equal to certain human rights, e.g. privacy rights. They can also correspond to consumer rights, which are usually different from human rights, e.g. a right to a certain quality of service, to transparency, to return products within certain dates after purchase through the internet etc. User rights are to be distinguished from “usage rights”, i. e. “the rights that mainly determine what an end user can do with the digital resource”.3This raises the question of the proper understanding of existing Human Rights of Internet Users and the adequate format of the outcome(s).
The Council of Europe has elaborated a Declaration of Internet Governance Principles in 2011. Other organisations like OECD or G8 have proposed their own principles.4 But, principles for Internet Governance need to be distinguished from user rights.
However, some principles like the principle of “empowerment of internet users” are also relevant for Internet User Rights.5 The European Union, in its Granada Ministerial Declaration on the European Digital Agenda of 19 April 2010, announced a “Code of Digital Rights of e-communications and online services”. However, up to now such a code does not yet exist.6
For example, a user’s bill of rights has been defined for ebooks, as the rights related to the access to and condition of use of e-books.7
Conditions of Service (CoS) as the contractual terms of reference for services provided could be analysed to identify problems of user rights. For example, the very fact of the length, legal language and technicality of the usual CoS could be considered as raising questions in respect of the effectiveness of users’ rights to transparency and effective remedy. Some Internet services are provided in a monopolistic fashion by certain providers such as Google, Facebook or Microsoft. Given that the usage of alternative services is not too realistic higher standards may be required in fields where there is no effective competition. Contact could be established with the Global Network Initiative (GNI) for possible cooperation.
The right to transparency raises the question of whether users have a right to be informed about the internal guidelines of relevance to the user like the “abuse standards” of Facebook.8
Human rights are based on public law or international law whereas consumer rights are based on civil law, regulating contractual relations. Accordingly, human rights of users primarily are based on public law relationships, whereas civil law-based rights can also play a role in so far as they too have to conform to human or fundamental rights, because of the horizontal effect of those rights (“Drittwirkung”).
I. Relevant (multi-stakeholder) approaches to enumerations of human rights relevant for the internet
There have been several initiatives to identify human rights relevant for the Internet. While the World Summit on the Information Society in Geneva and Tunis (2003-2005) in its main documents mainly made references to the Universal Declaration of Human Rights, the Freedom of Expression and Information and the Right to Privacy, the APC Internet Rights Charter of 2006 (the APC Charter) has been a first effort to give a comprehensive overview. The APC Charter appears in Appendix 1 and it is also available in English, French and Spanish. 9
The APC Charter on Internet Rights has been a path-breaking effort to strengthen the rights-perspective in the regulation of the internet. It contains rights as well as principles, which, however, are also spelled out in rights language. The sources of the rights are only partly indicated, they are derived both from an interpretation of existing human rights and from international documents and debates on internet rights and principles.
It provides a useful orientation on rights and aspirations in this field. It has not been put to a larger process of validation beyond the Association of Progressive Communications (APC), which, however, has a global membership.
It does not engage with the question of specific remedies, but satisfies itself to call for a right to rights protection and a right to recourse, where rights are violated. Accordingly, “the rights of people as users of the Internet must be protected by international human rights declarations, law and policy practice”. Information on rights has to be made available by competent bodies at all levels. People have to be made aware of their rights and of mechanisms to address rights violations by public education. According to the right to recourse in the APC Charter, people need to have free public access to effective recourse mechanisms for taking action against infringements of their rights.
APC Internet Rights Charter (2006)
1. Internet access for all
1. Progressive development and social justice (guarding against reinforcement of existing inequalities)
2. Freedom of expression and association
1. Protection from infringement by government and non-state actors
3. Access to knowledge
1. The right to access to knowledge
4. Shared learning and creation
1. The right to share, as well as protection of the interests of creators
5. Privacy, surveillance and encryption
1. The right to data protection; clear privacy policies
6. Governance of the Internet
1. The right to multilateral democratic oversight of the Internet
7. Awareness, protection and realization of rights
1. The right to open standards
The IRP Charter, which drew from the APC Charter, was the result of a collective effort in an open process to which members and non-members of the Dynamic, Multi-Stakeholder, Coalition on Internet Rights and Principles contributed in two stages. The first phase was a general collection of proposals, which were used by a global expert team for the elaboration of a systematic draft in 2010. During the second phase comments on this draft were received. The draft was finalised for its 2011 edition by the Chair of the Coalition. Subsequently, it was presented and discussed at the IGF in Vilnius in 2010 and in Nairobi in 2011, but did not go through a formal endorsement process. Its purpose was to provide a comprehensive view of all aspects of human rights in the internet, based on the UDHR and other relevant UN human rights instruments. It is expected to stimulate debates on human rights in the internet and to serve as a reference point, as well as to encourage other, more specific efforts like the compendium of the Council of Europe.
Table: Rights contained in the draft IRP Charter (Draft 2011)
1. Access to the Internet
a) Quality of service
2. Human Dignity
3. Non-Discrimination in the Enjoyment of all Rights
a) Equality of access
4. Liberty and Security
a) Protection against all forms of crime
5. Equality and Diversity on the Internet
a) Poverty reduction and human development
7. Freedom of Opinion and Expression
a) Right to Information
8. Freedom of Religion and Belief
9. Freedom of Assembly and Association
a) Participation in Assembly and Association on the Internet
a) National legislation on privacy
11. Data Protection
a) Protection of Personal data
a) Education through the Internet
13. Access to Knowledge and Culture
a) Right to participate in the cultural life of the community
14. Children and Child Protection
a) Right to benefit from the Internet
a) Respect for Workers’ Rights
16. Participation in Public Affairs
a) Right to equal access to electronic services
17. Consumer Protection
a) Access to health-related content online
19. Legal Remedy and Fair Trial
a) Right to a Legal Remedy
20. Appropriate Social and International Order for the Internet
a) Governance of the Internet for Human Rights
21. Duties and Responsibilities on the Internet
a) Respect for the Rights of Others
22. General Clauses
a) Interdependence of all rights in the Charter
The IRP Charter appears in Appendix 2 and is also available at http://www.irpcharter.org/charter.
b) A preliminary analysis of the rights in the IRP Charter
The right to access to the Internet is derived from an interpretation according to which all other rights spelled out in the Charter cannot be fully enjoyed without the right to access the Internet. Accordingly, the existence of such right is a precondition for the enjoyment of all other rights. Where a right to access is enshrined in national law, procedures of national law apply. In any case, there is no international mechanism in place to ensure the right to access.
A similar situation exists for issues of discrimination in access, including net neutrality. However, as this touches also on the right to freedom of expression (Art. 10), a case might be brought before the European Court of Human Rights.
Regarding freedom of expression on the internet, in particular, it is fully justiciable by the court. This includes the freedom of online protest, which also relates to Art. 11 on freedom of assembly and association.
Of particular relevance is the review of the legality of restrictions on freedom of expression, like blocking, filtering or other forms of censorship. In these cases the obligation of exhaustion of local remedies applies, i.e. domestic remedies need to be exhausted first. The same applies to all other rights protected by the European Convention on Human Rights (ECHR).
With regard to the right to privacy and data protection, the human right is usually implemented by state regulations based on public law and by private regulations based on civil, contractual law, both with regard to its content and procedure. Besides national law also European law applies to EU member states.
For the user, this means that it can base its rights on national, European and international human rights law. Accordingly, remedies against violations of the rights of users do exist on the private, contractual level. Some of these are offered by the private service provider voluntarily while others are provided in fulfillment of its obligations vis-à-vis the state. Such obligations flow from state –level regulation, EU regulation or relate to the implementation of the ECHR.
The bodies, which can be addressed, are the competent courts, the independent data protection agencies or mechanisms made available by the private entities such as complaint bodies, hotlines or ombuds-institutions of service providers.
The question to what extent those are responding to the human rights of users as individuals or to their rights as consumers might need further clarification.
In this context, it is worth analysing whether the rights of users are obligatorily provided based on international obligations or national law or voluntarily offered as part of services rendered, noting that the latter can also be modified or withdrawn and consequently can be enforced by the user only as a contractual obligation.
Generally, users’ rights depend on the legal position of users; their awareness of their rights and the accessibility of those rights, hence the relevance of easy to use procedures.
They depend also on the nature of duty bearers, i.e. governments or private entities. However, individuals can also be expected to act responsibly on the Internet.
Rights provided by service providers usually are not based on binding human rights obligations, but on best efforts encouraged by soft law instruments like the pertinent guidelines and codes of the Council of Europe. They might also be derived from EU law, directly (from regulation) or indirectly through transposition in domestic law (in the case of directives). They may respond to court decisions or administrative rulings.
For example, the right to consent to the use of one’s personal data is flowing from the right to privacy and data protection. In its implementation, the right to informational self-determination has been created, which requires service providers through national laws to offer ways and modalities to exercise that right. This may, however, differ from country to country and from service provider to service provider, which should not be the case for a human right. Indeed, the European Court of Human Rights has no role in the harmonisation of contractual obligations, while the Court of the European Union does. States or the EU may also take a “minimum standard approach”. States and service providers will have different approaches in practice.
There might be a situation, when different proscriptions foresee different standards and procedures or leave it to private bodies to establish accessible remedies.
Another example would be the right to participate in e-government initiatives. Some countries have e-government to a larger extent than others including respective participatory rights. The right to equal access to electronic services of the government, if not private operators also needs closer analysis for specific rights and remedies flowing from it.
The right to education also requires a detailed country analysis as in some countries digital education is obligatory, in others not; some countries foresee certain services as a matter of right, others only on a voluntary basis.
An example for such cases is Wikipedia: a group of administrators can decide what will be deleted or can stay following a decentralised mechanism. The right to freedom of expression and information would require that no opinion is suppressed, but in order to function as a valuable resource (especially in light of existing destructive tendencies in some users [‘trolls’]), some editing and control is both necessary and may be legally required (in light of the responsibility for online content). For some users, however, this editing work may appear as censorship.
Some rights might be controversial like the right to anonymity or encryption, which, however, is widely accepted in the EU, but not in all Council of Europe or OSCE member states.
Since national jurisdictions show different interpretations of protection of human rights online, it might also be necessary to clarify the approach in national law like in the case of the right to work. In some countries employees are free to use the internet access also for private purposes without limitations while in other countries the laws and practices of companies know stricter limitations. A general prohibition of the right to access the Internet would however be a violation of the right to work.
The protection of child rights may involve private service lines operated with public (EU) support, which can trigger a public procedure, i.e. activate law enforcement officials to require private service providers to take down a website considered to violate child protection standards.
Some rights are associated with more developed implementation procedures while others still are on the level of principles or in a stage of concretization like the right to access to knowledge. Others, like property rights are legally and procedurally more developed.
The working group will also have to answer the question, where to draw the line between human rights of users and users’ rights, which cannot be based on international human rights standards. This line can be drawn according to a wider or a more narrow interpretation of human rights. For example, a right to know which personal data is being held by a specific service provider or a public entity can be subsumed under the right to privacy. A right to delete or forget might be less generally applicable as would be a right to specific privacy settings, i.e. a high privacy standard by default or to specific contractual remedies.
Depending on the field like education, work or health, specific implementation measures exist of relevance to the internet. This raises the issue whether the working group should investigate rights and remedies one by one or look for common minimum standards and best practices. In this way, a matrix of user rights could be established, which would assist in possible generalisations of (typical) user rights, which are implementing respective human rights.
3. Other relevant documents
· The Geneva Declaration on Internet Freedom of 9 March 2010. It is the outcome of the 2nd Geneva Summit for Human Rights, Tolerance and Democracy and endorsed by the participating civil society representatives.10
· European Union: Digital User Rights: Code of Digital Rights of e-Communications and online services, announced in the Granada Ministerial Declaration on the European Digital Agenda on 19 April 2010 (but not elaborated so far).11
· Praxis Centre for Policy Studies and co.: Guiding Principles of Internet Freedom, 14 February 2012. This appears to be the work of a think tank, not endorsed by any organizations.12
· Declaration of Internet Freedom of 2012. It does not indicate its authors and seems to be launched as part of a collaborative process It states five major principles, i.e. on expression, access, openness, innovation and privacy and has been endorsed by a number of organizations and individuals mainly from the US, but also worldwide. 13
The mushrooming of the calls for drafting of such declarations14 shows that there is a widely perceived need to provide guidance on main human rights obligations for all actors. However, by singling out certain rights and, as in the case of the Declaration on Internet Freedom of 2012 neglecting their human rights character, there is also a danger of missing the full relevance of human rights for the internet. There is also too little learning from each other; most declarations seems to ignore previous work and thus echo the trend in technological development to develop new standards that only partially complement existing standards, but often add to the confusion.
However, what is most important in the context of this paper, there are hardly any concerns with how these rights should be implemented, which remedies should be made available or how Internet users can claim their rights.
More can be found, in this respect, in the respective guidelines, codes of conduct and recommendations of the Council of Europe.
4. Analysis of Council of Europe guidelines, codes of conduct and recommendations, regarding rights of Internet users
Several CoE legal texts contain pertinent provisions on rights of internet users. These include:
· Recommendation CM/Rec (2012) 4 on the protection of human rights with regard to social networking services
· Resolution 1843 (2011) and Recommendation 1984 (2011) of PACE on the Protection of Privacy and Personal Data on the Internet and Online Media
· Recommendation CM/Rec (2012) 3 on the protection of human rights with regard to search engines
· Recommendation CM/Rec (2010) 13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling
· Human rights guidelines for online game providers (2008)
· Human rights guidelines for internet service providers (2008)
· Recommendation CM/Rec (2008) 6 on measures to promote the respect for freedom of expression and information with regard to internet filters
· Declaration CM of 20 February 2008 on protecting the dignity, security and privacy of children on the Internet
The user rights spelled out in these instruments are of key relevance for the work of the Committee.15
User rights can also be derived from the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data of 1980 or the Council of Europe Convention No. 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data of 1981, which is in a process of modernisation, or the EU Data Protection Directive 95/46, which also is being renewed. Similar trends can be observed in the US, where a “Consumer Privacy Bill of Rights” has recently been proposed.16
Further of continuing relevance are the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce of 1999. The OECD Council Recommendation on Principles for Internet Policy Making of 2011 called to “maximize individual empowerment”, hence all stakeholders should work together “to provide the capacity for appropriate and effective individual control over the receipt of information and disclosure of personal data, which should include user education and digital literacy initiatives.”17
Council of Europe recommendations which are addressed to its member states, indicate action which should partly be undertaken by industry. These actions include ensuring:
Right to Information (Rights to Know)
· concise explanations of terms and conditions of service providers, easily understandable to the target group;
· right to know about the existence of personal data and to rectify them or have them erased if they were obtained without legal obligation;
· right to access to information about potential risks to user’s rights, security and privacy online;
· to be informed on the applicable law;
· to be informed about data breaches or losses, and on use of data in the context of profiling;
· to be informed about filtering and blocking mechanisms;
· right to be made aware of, understand and be able to effectively use, adjust and control filters according to individual need.
Right to Consent
· informed consent to use personal data;
· right to consent on default settings, activation of filters etc.;
· right to reply for correction of data/content.
Right to Autonomous Decision
· right to choose providers, search engines, social networks etc.;
· right to restrictive measures only after verification of illegal content.
Right to a Certain Treatment/Control
· privacy-friendly default settings, right to opt-in rather than to opt-out, privacy by design;
· service to be continued also in the case of refusal of consent;
· minimum standards in quality of service;
· processing of data only for the agreed purpose and the shortest time necessary;
· right to be made aware how to protect oneself against the risk of continuing illegal and/or harmful content including information on available software tools;
· special protection of sensitive data;
· appropriate security measures.
Right to Remedy
· to be made aware of threats and means of redress;
· right to report illegal or harmful content (for example incitement to violence, child pornography);
· right to have one’s complaint dealt with in a transparent procedure/due process;
· right to reply;
· right to bring a case in the competent court/administrative tribunal;
· right to bring complaints to ombuds-institutions.
As can be observed most user rights exist in the context of privacy and data protection as well as of the freedom of expression and information.
Special protection for children, young people and other vulnerable groups
· provision of clear information on content;
· easily accessible mechanisms for reporting illegal or harmful content or behavior;
· accessible to people with disabilities.
Accordingly, the rights of the Internet user include information rights, i.e. on general policies, terms of reference, information for teachers and parents, legal guardians etc., the right to verification of illegal contents before blocking or filtering, a right to access own data, a right to reply, protection of the identity of users, their traffic data and content, limitations on collection, processing or storage of data, the use for promotional or marketing purposes, ensuring users control over their data, i.e. to correct or delete them or withdraw their consent, by proper default settings or easy access to reporting mechanisms on illegal or inappropriate content etc.
The right to freedom of expression and information, for example, requires that search results in Europe can only be discarded in line with the requirements of Article 10 para. 2.
The recommendations are addressed to different actors, i.e. governments and business in particular. Accordingly, the corresponding obligations regarding the human rights of users are on specific actors like governments and through them on service providers/companies
5. Criteria for a mapping of rights that could form part of the Compendium
Among the criteria for the inclusion of rights into the compendium, the following could be considered:
· their well-established nature
· their relevance for the Internet
· their importance for the user
Special Case: Right to Access the Internet
A special case is the right to access, which can be considered both as an emerging right or a corollary of other existing human rights when interpreted in the context of the Internet.
6. Proposal on rights for possible inclusion
This proposal is meant to demonstrate existing possibilities, but also limitations of enforcement or remedies. It is not meant to be comprehensive.
Content of the right
Freedom of expression and information
- Right to express opinions and seek information on the Internet;
- Recourse to national courts and the ECtHR;
Right to Online Assembly and Association
- Right to meet on the Internet
Complaint to competent authorities and recourse to courts and service providers.
Right to privacy and data protection
- Right to informed consent to use of data, default settings, activation of filters, data breaches and losses etc.
- Rights to complain to service provider;
Freedom of Religion and Belief exercised on the Internet
- Right to manifest one’s religion or belief on the Internet in teaching and practice or to proselytize;
- Right to bring cases to competent courts;
Rights of the child
- Right to appropriate information on content;
- Right to address authorities, helplines, police, courts.
Rights of people with disabilities on the Internet
- Right to accessible Internet;
- Right to complain to responsible authorities/service providers.
Right to education
- Right to digital education;
- Right to complain to competent authorities and courts.
Right to culture
- Right to participate in cultural life on the Internet;
Right to complain to competent authority/service provider.
Right to Online Participation in Public Affairs
- Right to equal access to electronic services;
- Right to judicial procedure;
Right to Non-discrimination
- Right to non-discrimination in access to the Internet;
- Right to address cases to competent courts and authorities;
II. Available remedies and infringement procedures
There is a large variety of possible remedies or infringement procedures in practice, from which the compendium can draw inspiration. These can be structured as follows:
· Procedures before the European Court of Human Rights;
· UN Procedures: reports, complaints, inquiries, special procedures;
· Remedies Provided by Companies/Based on Private Law Contracts or Rules of Business; from Right to Correct to the right to delete (such as those provided by Social Networks, Search Engines or others).
However, there is also the case of conflicts of rights, for example User Rights vs. Author Rights. This issue merits further discussion.
The IRP Charter spells out a right to legal remedy and fair trial for actions involving the Internet including due process.
Generally, there is a wide scale of possible remedies, ranging from reporting procedures to complaint procedures including court procedures, from addressing hotlines or contacting administrators to complaining with data protection authorities to seeking redress from inter-governmental institutions, in particular through international court procedures.
The Council of Europe Convention on Cybercrime requires adequate legal procedures to be established in the domestic legal systems for the adequate protection of human rights in the collection and interception of online data, which includes legal remedies.
1. Typology of remedies
A. Direct remedies, addressed to a self-regulation body, hotline, independent data protection authority, governmental institution, court:
- right to information;
- access to data held by governments or companies on individuals;
- right to protection of user identity;
- right to give and withdraw informed consent;
- right to reply;
- right to complain;
- right to correct or delete data, i.e. personal data on social websites, YouTube etc.
- right to investigate, to inquiry;
- right to take down content related to racism, hate-speech, glorification of violence and terrorism etc, or the respective websites;
- right to have restrictive measures regarding human rights reviewed.
B. Indirect remedies
- transparency of restrictions, e.g. Transparency Report by Google;
- assessment of policies of Internet companies - self-assessment and third-party assessment – example of Global Network Initiative (GNI);
- “naming and shaming” of policies, considered in violation of rights, i.e. critique of privacy policies of companies like Facebook or Google;
- mechanisms for ensuring internal compliance.
As could be seen from the analysis of rights proposed for the Compendium, the remedies available are regularly limited to court procedures and complaints to public authorities or private institutions, which, however, are not easily accessible or well developed. The exception is the right to privacy and data protection, where user rights do exist or are being developed in recent legal reforms of the pertinent laws or terms of service.
What should the human right to a remedy entail in the online context? Minimum standards would require an institution to address a complaint, a procedure to follow and a result to obtain.
2. Relevant questions to be addressed
· Should there be a focus on certain rights?
· Should the Committee of Experts (MSI-DUI) follow a comprehensive or a selective approach?
· Should the focus be limited to general remedies or on a right by right approach?
III. Questions for discussion by the Committee of Experts
This section identifies a broader number of considerations, questions and issues which could be taken up by the expert group for clarification.
1. User’s human rights: human rights vs. consumer rights?
· Human rights are based on public and international law while consumer rights are based on civil law.
· Human rights are general rights of all individuals. Consumer rights depend on contractual relations.
· User rights can be both, human rights and consumer rights.
· Governmental responsibilities in regulating business activities.
Companies are expected to respect human rights. In the context of Corporate Social Responsibility (CSR) there is the Framework of Principles developed by John Ruggie, the UN Special Representative on Business and Human Rights, which includes duties to protect, respect and remedy as well as a due diligence-obligation.18 One main purpose is to gain the trust or the confidence of the users.
2. Which actors should be addressed by the Compendium?
· Governance bodies at all levels, business organisations and companies, individuals, civil society/NGOs (all exercise responsibilities or are subject to governmental accountability or social responsibility)?
· Which legitimate expectations towards stakeholders should be reflected in the Compendium?
· Responsibilities of stakeholders; negative and/or positive obligations?
· Violations of Internet user rights relate to users in different capacities, as human beings, citizens, beneficiaries of certain services such as those offered by social networks. Users’ position in respect of criminal liabilities (e.g. identity theft, phishing) etc, may also be relevant in this context.
· Accountability for violations could relate to activities of governments/states, companies, service provider, other users.
· Which violations should be considered – those committed by public authorities or private sector players, or mixed if private actors act on behalf of public ones?
· Quality of service vs. human rights issues?
· Which mechanisms for redress should be considered, those made available by public authorities?
· Private, self-regulatory, internal?
· Decentralised, denouncing bad practices?
· Semi-public, i.e. alert mechanisms, depending on cooperation between industry, NGOs and law enforcement (which can be based on co-regulation)?
· Types of remedies provided (discontinuation of violation, compensation, others)?
· Some criteria to be considered could inlcude the cost and the length of procedures involved, accessibility (efforts needed), effectiveness, possibility of compensation, etc.
· Obstacles to effectiveness are a relevant issue to be discussed.
· Which remedies work best and are more satisfactory? For example, procedures before European Court of Human Rights are finally very effective, but lengthy and often not well-understood;
· Advantages and disadvantages of complaints to certain Internet actors should be considered (e.g. Facebook Privacy Rules now need a high quorum, but certain concerns can be addressed by users themselves like modifying privacy settings).
· How can the Compendium add value to existing catalogues of rights – some considerations: better access to rights of users, awareness raising, better overview of rights and remedies, new approaches to facilitating access, better dissemination of information on Internet user-specific rights.
IV. Case Studies on Internet User Rights
1. Relevant case law of the European Court of Human Rights
A preliminary analysis of the case-law based on the study of the research division of the European Court of Human Rights on “Internet Case-Law of the European Court of Human Rights”, shows that the case law is mainly concerned with the issue of the content of rights and not with the issue of remedies. The case law is too voluminous to be presented in the context of this paper. There are also useful collections of the case law of the Court on data protection issues and on freedom of expression relevant to the Internet as well as on Internet and Intellectual Property.19
According to Article 13 of ECHR, there is a right to an effective remedy, which also applies to cases involving the Internet. However, no specific cases related to the Internet could be identified.
2. Principles established by the Parliamentary Assembly of Council of Europe on protection of privacy and personal data on the Internet and online media
In addition to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), the Parliamentary Assembly Recommendation 1984 (2011) 20 contains a comprehensive collections of principles on protection of privacy and personal data, of which the most important are summarised here with regard to user rights.
· right to know and rectify one’s own personal data;
· right to control the use of personal data by others;
· right to have personal data provided without legal obligation erased;
· right to informed consent to any use of personal data by others and to withdraw that consent;
· right to be informed on and give consent to any planned commercial exploitation of personal data;
· freedom from manipulation of personal ICT-based communications including through “cookies”;
· right to higher protection of sensitive data through self-regulatory, technical or legal means ensuring due accountability in case of infringements. Such data should be kept or used only for specified periods.
· right to have personal data collected, stored or processed only to the minimum necessary;
· right to delete outdated and unused data;
· right to effective remedy against unlawful interference21 before domestic courts and non-judicial self-regulatory or arbitration bodies.
3. Data Protection reforms in Europe
The Consultative Committee (T-PD) of Convention No. 108 of the Council of Europe is considering amendments to the Convention with a view to its modernisation.22
Some of the main features considered in this context include:
- collection of personal data for explicit, specified and legitimate purposes and not processed in ways incompatible with those purposes;
- the right of the data subject to receive all available information on their origin as well as any other information that the controller is required to provide to ensure the transparency of data processing;
- the right to obtain knowledge of the reasoning underlying in the data processing, the results of which are applied to him/her ;
- privacy by design principle - the products and services intended for the data processing shall take into account the implications of data protection from the stage of their design and include easy-to-use functionalities allowing the compliance of the processing with the applicable law to be ensured;
The so-called ‘right to be forgotten’ has not been included in the modernisation proposals, as it was considered that the right of rectification or erasure together with the provision on the length of time of data storage offer an effective protection to the data subject and pragmatically correspond to the effects of the ‘right to be forgotten’.
In the EU, there are proposals for a new regulation and a new directive on protection of personal data by the European Commission of 25 January 2012, to “empower” Internet consumers and save costs for business. They contain also a number of user rights:
· The principle of explicit prior consent (which affects also cookies);
· The right to delete, in particular of own data published on the Internet;
· The right to be forgotten;
· The freedom of movement (portability) of data;
· EU national data protection authorities are to provide remedies;
· Significant sanctions are foreseen for breaches.
According to the amended “privacy directive”23 there is an obligation of electronic communication providers to notify users of personal data breaches. A public consultation has taken place on appropriate formats in 2012.
EU data protection laws are to apply globally, if EU users are affected, i.e. by making use of cloud computing.
4. US-efforts to improve user rights
In February 2012 the White House has published a report on Consumer Data Privacy in a Network World: A Framework for Protecting Privacy and Promoting Innovations in the Global Digital Economy.24
· Globally recognised Fair Information Practice Principles (FIPPs);
· Empowerment of Consumers-giving users more control;
· Strengthen Trust into Business Operations and Government.
Elements of a “Consumer Privacy Bill of Rights”:
Ø Individual Control over personal data;
Ø Transparency: easy to understand and accessibly information on privacy and security practices;
Ø Respect for Context: personal data will not be collected, used etc. inconsistent with the context in which they were provided by consumers;
Ø Security: Secure and responsible handling of data;
Ø Access and Accuracy: right of consumers to have access and to correct personal data;
Ø Focused Collection: right to reasonable limits of collection and retention of personal data;
Ø Accountability: right to responsible handling of data25;
Ø Approach: to be negotiated in a multi-stakeholder process.
Enforcement: Federal Government through the Federal Trade Commission (FTC) to provide for effective enforcement
Ø FTC-Report: Protecting Consumer Privacy in Area of rapid Change (March 2012)26
Ø “Privacy Framework”: Proposed to Apply to Offline- and Online Data
Ø “Privacy by Design”: Data Security, Reasonable Collection Limits, Sound Retention Practices, Data Accuracy; do not track-mechanism
Ø Implementation: Procedural protection by companies, simplified consumer choice, transparency
FTC action against Google and Facebook: orders to obtain affirmative express consent before changing data practices and adopting stronger privacy programmes.
FTC action against applications violating the Children’s Online Privacy Protection Act.
5. Remedies for threats to or violations of rights of the child
The ins@fe-system supported by the European Union, operates based on a mechanism of hotlines (for example Stopline in Austria), who can take action leading to a procedure which can result in the taking down of illegal or harmful content.
The opportunities of this system are that it operates quickly and is easily accessible. The threats are that there seems to be a lack of common due process standards leading to gaps in legal protection of affected website operators.
V. Conclusions and Proposals
The strength and weaknesses of existing rights and remedies can be seen in the low degree of awareness on their existence and the fact that they are often too technical or too legally demanding.
There are also gaps in the existing mechanisms, like easy access to a responsible person institution or complaint mechanism, which is often not provided.
The focus on Internet users’ rights should allow a more operational approach to human rights, in particular through envisaging effective remedies to be provided by service providers.
There is a need for remedies easy to access which are generally known on all levels. In the search for adequate remedies best practices should be taken into account.
There is no need for ‘new’ rights for the Internet. Rather the existing rights should be adjusted to the needs of the Internet, according to the principle that “what applies offline should also apply online” as also confirmed by the recent resolution of the Human Rights Council in Geneva on the promotion, protection and enjoyment of human rights on the Internet.27
However, a (human) right to access is a precondition for the full enjoyment of all other rights on the Internet.
It would also be worth exploring how to better use the Internet technologies for the purposes of the Compendium.
· The outcome of the MSI-DUI could consist of two documents, a short, easy to read, Guide on Main Rights and Remedies for Internet Users and a more comprehensive Report on Human Rights of Internet Users.
· The rights proposed for consideration under I.7. show the diversity of situations, which can hardly be addressed by a single approach; hence different users rights might need to be identified for individual rights.
· Specific attention should be given to the needs of children and other vulnerable or marginalised groups like people with special needs.
· Symbols, icons or buttons, which exist or could be further developed could be used for easier understanding of the concerns at stake.
· Just like “share buttons” for social networks, an icon could be developed that guides users to a quick and easy-to-understand overview of their rights – and includes country-specific links to remedies.
· Particular emphasis needs to be given to awareness raising and education about digital user rights
· Regarding institutional aspects, the creation of ombuds-like institutions for Internet users should be encouraged in order to assure quick and easy access to relevant information and redress to concerns on a personal basis.
· Regarding the name “Compendium”, the original idea of the IRP Dynamic Coalition was to have a “Charter”. Depending on the outcome of the work, the issue of the name might be addressed again (exploring other options like “guide” or “manual”, for example “Internet Users’ Rights Guide”)
· Specific attention should be given to the issue of the acceptance and use of the Compendium by major actors, which should therefore be involved at an early stage.
1 European Training and Research Center for Human Rights and Democracy of the University of Graz
2 Internet Governance – Council of Europe Strategy 2012-2015, CM (2011) 175 final of 15 March 2012.
3 See Karen Coyle (2004), XrML – A History of Usage Rights, http://kcoyle.netXrml.html.
4 See Wolfgang Kleinwächter, Internet Principle Hype: How soft law is used to regulate the Internet, see at: http://news.dot-nxt.com/2011/07/27/internet-principle-hype.
5 Council of Europe, Declaration on Internet Governance Principles, adopted on 21 September 2011.
6 Cf. European Union, Council of Ministers, Granada Ministerial Declaration on the European Digital Agenda, agreed on 19 April 2010, http://ec.europa.eu/ceskarepublika/pdf/press/ks7rada.pdf, para. 12.
7 See Andy Woodworth (2011), The e-Book User’s Bill of Rights, The Digital Reader, http://www.the-digital-reader.com/2011/02/28/the-ebook-user%E2%80%99s-bill-of-rights/.
8 Cf. Matthias C. Kettemann, Where humor overrules hate speech and crushed limbs are "ok to show": Facebook's Content Moderation Standards leaked, 22 February 2012, http://internationallawandtheinternet.blogspot.co.at/2012/02/where-humor-overrules-hate-speech-and.html.
9 APC Internet Rights Charter (2006), http://www.apc.org/en/node/5677/ .
10 See Geneva Declaration on Internet Freedom, adopted by the Human Rights Defenders and Civil Society Representatives assembled at the 2nd Geneva Summit for Human Rights, Tolerance and Democracy, March 9 2010, available at http://www.genevasummit.org/outcome/2/2010
11 See Granada Ministerial Declaration on the European Digital Agenda agreed on 19 April 2010, paras.12 and 13, available at http://ec.europa.eu/ceskarepublika/pdf/press/ks7rada.pdf
12 See http://www.praxis.ee/index.php?id=27&L=1&tx_ttnews%5Btt_news%5D=1252&cHash=3d6a324f64
13 See http://boingboing.net/2012/07/02/declaration-of-internet-freedo.html
14 See Nicolas Mendoza, Metal, code, flesh: Why we need a “Rights of the Internet” declaration, http//www.aljazeera.com/indepth/opinion/2012/02/201228715322807.html; see also We, the Web Kids, by Piotr Czerski, 15.02.2012, http://pastebin.com/0xXV8k7k and Timothy Garton Ash, Ten principles on free speech, http://freespeechdebate.com/en/media/timothy-garton-ash-at-the-brandenburg-gate/.
15 For an overview, see Matthias C. Kettemann, Ensuring Human Rights Online: An Appraisal of Selected Council of Europe Initiatives in the Information Society Sector in 2010, in Wolfgang Benedek et al. (eds.), European Yearbook on Human Rights 2011, Vienna 2011, 461-482; and Matthias C. Kettemann, Internet Governance and Human Rights in Europe, in Wolfgang Benedek et al. (eds.), European Yearbook on Human Rights 2010, Vienna 2010, 335-352.
16 See the Case studies in IV.
17 Available at http://www.oecd.org/dataoecd/11/58/49258588.pdf
18 Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework, A/HRC/17/31.
19 See European Court of Human Rights, Research Division, Internet: Case-law of the European Court of Human Rights, Council of Europe 2011.
20 Resolution 1843 (2011); see also Recommendation 1984 (2011) of 7 October 2011 on the Protection of Privacy and Personal Data on the Internet and Online Media and Explanatory Memorandum, by Ms. Rihter, Rapporteur.
21 Based on Andreja Rihter, Towards the Council of Europe Strategy on Internet Governance 2012-2015: Privacy on the Internet – what standards do we want?, Council of Europe Conference on “Our Internet - Our Rights – Our Freedoms”, Vienna 24-25 November 2011.
22 See http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD_2012_04Mos.pdf
23 Directive on Privacy and Electronic Commerce, No. 2002/58/EC, amended by the “Telecom Reform Package” of 2009, Directive 2009/136/EC/to be implemented by 2011.
24 See the White House Consumer Data Privacy in a Networked World, http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
25 See Executive Summary, ibid.
26 See http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
27 See Resolution A/HRC/20/L.13 of 2012 by the Human Rights Council on 5 July 2012, available at http://daccess-dds-ny.un.org/doc/UNDOC/LTD/G12/147/10/PDF/G1214710.pdf?OpenElement. See also Matthias C. Kettemann, EJIL Talk of 23 July 2012.