Committee of Experts on Rights of Internet Users

    (MSI-DUI)

Rights Theme

Components

1. Internet access for all

1. Progressive development and social justice (guarding against reinforcement of existing inequalities)
2. The right to access to infrastructure
3. The right to the skills to use and shape the Internet
4. Inclusive design
5. The right to equal access for men and women
6. The right to affordable access
7. The right to access in the workplace
8. The right to public access
9. Cultural and linguistic diversity

2. Freedom of expression and association

1. Protection from infringement by government and non-state actors
2. The right to freedom from censorship
3. The right to engage in online protest

3. Access to knowledge

1. The right to access to knowledge
2. The right to freedom of information (e.g. from government)
3. The right to access to publicly-funded information

4. Shared learning and creation

1. The right to share, as well as protection of the interests of creators
2. The right to free and open source software (FOSS)
3. The right to open technological standards
4. The right to benefit from convergence and multi-media content

5. Privacy, surveillance and encryption

1. The right to data protection; clear privacy policies
2. The right to freedom from surveillance
3. The right to use encryption

6. Governance of the Internet

1. The right to multilateral democratic oversight of the Internet
2. The right to transparency and accessibility of governance decisions
3. The right to a decentralised, collaborative and interoperable Internet
4. The right to open architecture

7. Awareness, protection and realization of rights

1. The right to open standards
2. The right to Internet neutrality and the end-to-end principle
3. The right to the Internet as an integrated whole
4. The right to rights protection, awareness and education
5. The right to recourse when rights are violated

    2. Charter on Human Rights and Principles for the Internet (the IRP Charter)
    a) Introduction

    The IRP Charter, which drew from the APC Charter, was the result of a collective effort in an open process to which members and non-members of the Dynamic, Multi-Stakeholder, Coalition on Internet Rights and Principles contributed in two stages. The first phase was a general collection of proposals, which were used by a global expert team for the elaboration of a systematic draft in 2010. During the second phase comments on this draft were received. The draft was finalised for its 2011 edition by the Chair of the Coalition. Subsequently, it was presented and discussed at the IGF in Vilnius in 2010 and in Nairobi in 2011, but did not go through a formal endorsement process. Its purpose was to provide a comprehensive view of all aspects of human rights in the internet, based on the UDHR and other relevant UN human rights instruments. It is expected to stimulate debates on human rights in the internet and to serve as a reference point, as well as to encourage other, more specific efforts like the compendium of the Council of Europe.

    Table: Rights contained in the draft IRP Charter (Draft 2011)

Rights Theme

Components

1. Access to the Internet

a) Quality of service
b) Freedom of choice of system and software use
c) Ensuring digital inclusion
d) Net neutrality and net equality

2. Human Dignity

 

3. Non-Discrimination in the Enjoyment of all Rights

a) Equality of access
b) Gender equality
c) Marginalized groups and people with different needs

4. Liberty and Security

a) Protection against all forms of crime
b) Security of the Internet

5. Equality and Diversity on the Internet

 

6. Development

a) Poverty reduction and human development
b) Environmental sustainability

7. Freedom of Opinion and Expression

a) Right to Information
b) Freedom of Online protest
c) Freedom from prior censorship
d) Freedom from illegal blocking and filtering

8. Freedom of Religion and Belief

 

9. Freedom of Assembly and Association

a) Participation in Assembly and Association on the Internet
b) Freedom to set up Online Communities and freedom of online protest

10. Privacy

a) National legislation on privacy
b) Privacy policies and settings
c) Standards of confidentiality and integrity of IT-Systems
d) Protection of the virtual personality
e) Right to anonymity and to use encryption
f) Freedom from surveillance
g) Freedom from defamation

11. Data Protection

a) Protection of Personal data
b) Obligations of data collectors
c) Minimum Standards on Use of Personal Data
d) Monitoring data protection

12. Education

a) Education through the Internet
b) Education about the Internet and Human Rights

13. Access to Knowledge and Culture

a) Right to participate in the cultural life of the community
b) Diversity of languages and cultures
c) Right to use one’s own language
d) Freedom from Restrictions of Access to Knowledge by Licensing and Copyright
e) Knowledge Commons and the Public Domain
f) Free/Open Source Software and Open Standards

14. Children and Child Protection

a) Right to benefit from the Internet
b) Freedom from exploitation and child abuse imagery
c) Right to have views heard
d) Best interests of the Child

15. Work

a) Respect for Workers’ Rights
b) Internet at the workplace

16. Participation in Public Affairs

a) Right to equal access to electronic services
b) Right to participate in electronic government

17. Consumer Protection

 

18. Health and Social Services Online

a) Access to health-related content online

19. Legal Remedy and Fair Trial

a) Right to a Legal Remedy
b) Right to a Fair trial

20. Appropriate Social and International Order for the Internet

a) Governance of the Internet for Human Rights
b) Multilingualism and Pluralism on the Internet
c) Effective Participation in Internet Governance

21. Duties and Responsibilities on the Internet

a) Respect for the Rights of Others
b) Responsibility of power holders

22. General Clauses

a) Interdependence of all rights in the Charter
b) Non-exhaustive nature of the Charter
c) Interpretation of Rights and Freedoms of the Charter

    The IRP Charter appears in Appendix 2 and is also available at http://www.irpcharter.org/charter.

    b) A preliminary analysis of the rights in the IRP Charter

    The right to access to the Internet is derived from an interpretation according to which all other rights spelled out in the Charter cannot be fully enjoyed without the right to access the Internet. Accordingly, the existence of such right is a precondition for the enjoyment of all other rights. Where a right to access is enshrined in national law, procedures of national law apply. In any case, there is no international mechanism in place to ensure the right to access.

    A similar situation exists for issues of discrimination in access, including net neutrality. However, as this touches also on the right to freedom of expression (Art. 10), a case might be brought before the European Court of Human Rights.

    Regarding freedom of expression on the internet, in particular, it is fully justiciable by the court. This includes the freedom of online protest, which also relates to Art. 11 on freedom of assembly and association.

    Of particular relevance is the review of the legality of restrictions on freedom of expression, like blocking, filtering or other forms of censorship. In these cases the obligation of exhaustion of local remedies applies, i.e. domestic remedies need to be exhausted first. The same applies to all other rights protected by the European Convention on Human Rights (ECHR).

    With regard to the right to privacy and data protection, the human right is usually implemented by state regulations based on public law and by private regulations based on civil, contractual law, both with regard to its content and procedure. Besides national law also European law applies to EU member states.

    For the user, this means that it can base its rights on national, European and international human rights law. Accordingly, remedies against violations of the rights of users do exist on the private, contractual level. Some of these are offered by the private service provider voluntarily while others are provided in fulfillment of its obligations vis--vis the state. Such obligations flow from state –level regulation, EU regulation or relate to the implementation of the ECHR.

    The bodies, which can be addressed, are the competent courts, the independent data protection agencies or mechanisms made available by the private entities such as complaint bodies, hotlines or ombuds-institutions of service providers.

    The question to what extent those are responding to the human rights of users as individuals or to their rights as consumers might need further clarification.

    In this context, it is worth analysing whether the rights of users are obligatorily provided based on international obligations or national law or voluntarily offered as part of services rendered, noting that the latter can also be modified or withdrawn and consequently can be enforced by the user only as a contractual obligation.

    Generally, users’ rights depend on the legal position of users; their awareness of their rights and the accessibility of those rights, hence the relevance of easy to use procedures.

    They depend also on the nature of duty bearers, i.e. governments or private entities. However, individuals can also be expected to act responsibly on the Internet.

    Rights provided by service providers usually are not based on binding human rights obligations, but on best efforts encouraged by soft law instruments like the pertinent guidelines and codes of the Council of Europe. They might also be derived from EU law, directly (from regulation) or indirectly through transposition in domestic law (in the case of directives). They may respond to court decisions or administrative rulings.

    For example, the right to consent to the use of one’s personal data is flowing from the right to privacy and data protection. In its implementation, the right to informational self-determination has been created, which requires service providers through national laws to offer ways and modalities to exercise that right. This may, however, differ from country to country and from service provider to service provider, which should not be the case for a human right. Indeed, the European Court of Human Rights has no role in the harmonisation of contractual obligations, while the Court of the European Union does. States or the EU may also take a “minimum standard approach”. States and service providers will have different approaches in practice.

    There might be a situation, when different proscriptions foresee different standards and procedures or leave it to private bodies to establish accessible remedies.

    Another example would be the right to participate in e-government initiatives. Some countries have e-government to a larger extent than others including respective participatory rights. The right to equal access to electronic services of the government, if not private operators also needs closer analysis for specific rights and remedies flowing from it.

    The right to education also requires a detailed country analysis as in some countries digital education is obligatory, in others not; some countries foresee certain services as a matter of right, others only on a voluntary basis.

    An example for such cases is Wikipedia: a group of administrators can decide what will be deleted or can stay following a decentralised mechanism. The right to freedom of expression and information would require that no opinion is suppressed, but in order to function as a valuable resource (especially in light of existing destructive tendencies in some users [‘trolls’]), some editing and control is both necessary and may be legally required (in light of the responsibility for online content). For some users, however, this editing work may appear as censorship.

    Some rights might be controversial like the right to anonymity or encryption, which, however, is widely accepted in the EU, but not in all Council of Europe or OSCE member states.

    One could argue that the right to security in the Internet should also be developed in terms of user rights. However, because of the wide range of issues connected with such an approach the issue is only flagged here, but not further developed.

    Since national jurisdictions show different interpretations of protection of human rights online, it might also be necessary to clarify the approach in national law like in the case of the right to work. In some countries employees are free to use the internet access also for private purposes without limitations while in other countries the laws and practices of companies know stricter limitations. A general prohibition of the right to access the Internet would however be a violation of the right to work.

    The protection of child rights may involve private service lines operated with public (EU) support, which can trigger a public procedure, i.e. activate law enforcement officials to require private service providers to take down a website considered to violate child protection standards.

    Some rights are associated with more developed implementation procedures while others still are on the level of principles or in a stage of concretization like the right to access to knowledge. Others, like property rights are legally and procedurally more developed.

    The working group will also have to answer the question, where to draw the line between human rights of users and users’ rights, which cannot be based on international human rights standards. This line can be drawn according to a wider or a more narrow interpretation of human rights. For example, a right to know which personal data is being held by a specific service provider or a public entity can be subsumed under the right to privacy. A right to delete or forget might be less generally applicable as would be a right to specific privacy settings, i.e. a high privacy standard by default or to specific contractual remedies.

    Depending on the field like education, work or health, specific implementation measures exist of relevance to the internet. This raises the issue whether the working group should investigate rights and remedies one by one or look for common minimum standards and best practices. In this way, a matrix of user rights could be established, which would assist in possible generalisations of (typical) user rights, which are implementing respective human rights.
    3. Other relevant documents
    The Geneva Declaration on Internet Freedom of 9 March 2010. It is the outcome of the 2nd Geneva Summit for Human Rights, Tolerance and Democracy and endorsed by the participating civil society representatives.10

    European Union: Digital User Rights: Code of Digital Rights of e-Communications and online services, announced in the Granada Ministerial Declaration on the European Digital Agenda on 19 April 2010 (but not elaborated so far).11

    Praxis Centre for Policy Studies and co.: Guiding Principles of Internet Freedom, 14 February 2012. This appears to be the work of a think tank, not endorsed by any organizations.12

    Declaration of Internet Freedom of 2012. It does not indicate its authors and seems to be launched as part of a collaborative process It states five major principles, i.e. on expression, access, openness, innovation and privacy and has been endorsed by a number of organizations and individuals mainly from the US, but also worldwide. 13

    The mushrooming of the calls for drafting of such declarations14 shows that there is a widely perceived need to provide guidance on main human rights obligations for all actors. However, by singling out certain rights and, as in the case of the Declaration on Internet Freedom of 2012 neglecting their human rights character, there is also a danger of missing the full relevance of human rights for the internet. There is also too little learning from each other; most declarations seems to ignore previous work and thus echo the trend in technological development to develop new standards that only partially complement existing standards, but often add to the confusion.

    However, what is most important in the context of this paper, there are hardly any concerns with how these rights should be implemented, which remedies should be made available or how Internet users can claim their rights.

    More can be found, in this respect, in the respective guidelines, codes of conduct and recommendations of the Council of Europe.

    4. Analysis of Council of Europe guidelines, codes of conduct and recommendations, regarding rights of Internet users
    Several CoE legal texts contain pertinent provisions on rights of internet users. These include:

    Recommendation CM/Rec (2012) 4 on the protection of human rights with regard to social networking services
    Resolution 1843 (2011) and Recommendation 1984 (2011) of PACE on the Protection of Privacy and Personal Data on the Internet and Online Media
    Recommendation CM/Rec (2012) 3 on the protection of human rights with regard to search engines
    Recommendation CM/Rec (2010) 13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling
    Human rights guidelines for online game providers (2008)
    Human rights guidelines for internet service providers (2008)
    Recommendation CM/Rec (2008) 6 on measures to promote the respect for freedom of expression and information with regard to internet filters
    Declaration CM of 20 February 2008 on protecting the dignity, security and privacy of children on the Internet

    The user rights spelled out in these instruments are of key relevance for the work of the Committee.15

    User rights can also be derived from the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data of 1980 or the Council of Europe Convention No. 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data of 1981, which is in a process of modernisation, or the EU Data Protection Directive 95/46, which also is being renewed. Similar trends can be observed in the US, where a “Consumer Privacy Bill of Rights” has recently been proposed.16

    Further of continuing relevance are the OECD Guidelines for Consumer Protection in the Context of Electronic Commerce of 1999. The OECD Council Recommendation on Principles for Internet Policy Making of 2011 called to “maximize individual empowerment”, hence all stakeholders should work together “to provide the capacity for appropriate and effective individual control over the receipt of information and disclosure of personal data, which should include user education and digital literacy initiatives.”17

    Council of Europe recommendations which are addressed to its member states, indicate action which should partly be undertaken by industry. These actions include ensuring:

    Right to Information (Rights to Know)

    concise explanations of terms and conditions of service providers, easily understandable to the target group;
    right to know about the existence of personal data and to rectify them or have them erased if they were obtained without legal obligation;
    right to access to information about potential risks to user’s rights, security and privacy online;
    to be informed on the applicable law;
    to be informed about data breaches or losses, and on use of data in the context of profiling;
    to be informed about filtering and blocking mechanisms;
    right to be made aware of, understand and be able to effectively use, adjust and control filters according to individual need.

    Right to Consent

    informed consent to use personal data;
    right to consent on default settings, activation of filters etc.;
    right to reply for correction of data/content.

    Right to Autonomous Decision

    right to choose providers, search engines, social networks etc.;
    right to restrictive measures only after verification of illegal content.

    Right to a Certain Treatment/Control

    privacy-friendly default settings, right to opt-in rather than to opt-out, privacy by design;
    service to be continued also in the case of refusal of consent;
    minimum standards in quality of service;
    processing of data only for the agreed purpose and the shortest time necessary;
    right to be made aware how to protect oneself against the risk of continuing illegal and/or harmful content including information on available software tools;
    special protection of sensitive data;
    appropriate security measures.

    Right to Remedy

    to be made aware of threats and means of redress;
    right to report illegal or harmful content (for example incitement to violence, child pornography);
    right to have one’s complaint dealt with in a transparent procedure/due process;
    right to reply;
    right to bring a case in the competent court/administrative tribunal;
    right to bring complaints to ombuds-institutions.

    As can be observed most user rights exist in the context of privacy and data protection as well as of the freedom of expression and information.

    Special protection for children, young people and other vulnerable groups

    provision of clear information on content;
    easily accessible mechanisms for reporting illegal or harmful content or behavior;
    accessible to people with disabilities.

    Accordingly, the rights of the Internet user include information rights, i.e. on general policies, terms of reference, information for teachers and parents, legal guardians etc., the right to verification of illegal contents before blocking or filtering, a right to access own data, a right to reply, protection of the identity of users, their traffic data and content, limitations on collection, processing or storage of data, the use for promotional or marketing purposes, ensuring users control over their data, i.e. to correct or delete them or withdraw their consent, by proper default settings or easy access to reporting mechanisms on illegal or inappropriate content etc.

    The right to freedom of expression and information, for example, requires that search results in Europe can only be discarded in line with the requirements of Article 10 para. 2.

    The recommendations are addressed to different actors, i.e. governments and business in particular. Accordingly, the corresponding obligations regarding the human rights of users are on specific actors like governments and through them on service providers/companies
    5. Criteria for a mapping of rights that could form part of the Compendium
    Among the criteria for the inclusion of rights into the compendium, the following could be considered:

      their well-established nature
      their relevance for the Internet
      their importance for the user

    Special Case: Right to Access the Internet

    A special case is the right to access, which can be considered both as an emerging right or a corollary of other existing human rights when interpreted in the context of the Internet.
    6. Proposal on rights for possible inclusion
    This proposal is meant to demonstrate existing possibilities, but also limitations of enforcement or remedies. It is not meant to be comprehensive.

Right/freedom

Content of the right

Remedies

Freedom of expression and information

- Right to express opinions and seek information on the Internet;
- Right to choose provider, search engine, social network etc.;
- Right to be informed about filtering and blocking measures;
- Right to control personal filtering settings;
- Right to have search results discarded only on basis of Art. 10, para. 2.

- Recourse to national courts and the ECtHR;
- Recourse to service provider/company;

Right to Online Assembly and Association

- Right to meet on the Internet
- Right to protest online;
- Right to organise online;

Complaint to competent authorities and recourse to courts and service providers.

Right to privacy and data protection

- Right to informed consent to use of data, default settings, activation of filters, data breaches and losses etc.
- Right to anonymity and to use encryption.

- Rights to complain to service provider;
- Right to complain to data protection authority or to ombuds-institution;
- Right to court procedures.

Freedom of Religion and Belief exercised on the Internet

- Right to manifest one’s religion or belief on the Internet in teaching and practice or to proselytize;
- Restrictions to be in conformity with the limitation clauses.

- Right to bring cases to competent courts;
- Right to complain to competent authorities.

Rights of the child

- Right to appropriate information on content;
- Right to relevant information on filtering;
- Right to protection from violent and other harmful content and to be informed of available tools of protection.
-

- Right to address authorities, helplines, police, courts.

Rights of people with disabilities on the Internet

- Right to accessible Internet;
- Right to availability and affordability of the Internet.

- Right to complain to responsible authorities/service providers.
-

Right to education

- Right to digital education;
- Right to access to digital educational materials;
- Right to fair use exceptions to copyright.

    -

- Right to complain to competent authorities and courts.

Right to culture

- Right to participate in cultural life on the Internet;
- Right to use one’s own language/diversity.

Right to complain to competent authority/service provider.

Right to Online Participation in Public Affairs

- Right to equal access to electronic services;
- Right to participate in online government.

- Right to judicial procedure;
- Right to complain to competent authorities.

Right to Non-discrimination

- Right to non-discrimination in access to the Internet;
- Right to non-discrimination in enjoyment of all rights regarding the Internet including net neutrality;
- Right to gender equality and elimination of any form of discrimination against women;
- Right to special attention to the needs of marginalised groups.

- Right to address cases to competent courts and authorities;
- Right to complain to service providers.

    II. Available remedies and infringement procedures
    There is a large variety of possible remedies or infringement procedures in practice, from which the compendium can draw inspiration. These can be structured as follows:

      Procedures before the European Court of Human Rights;
      UN Procedures: reports, complaints, inquiries, special procedures;
      Remedies Provided by Companies/Based on Private Law Contracts or Rules of Business; from Right to Correct to the right to delete (such as those provided by Social Networks, Search Engines or others).

    However, there is also the case of conflicts of rights, for example User Rights vs. Author Rights. This issue merits further discussion.

    The IRP Charter spells out a right to legal remedy and fair trial for actions involving the Internet including due process.

    Generally, there is a wide scale of possible remedies, ranging from reporting procedures to complaint procedures including court procedures, from addressing hotlines or contacting administrators to complaining with data protection authorities to seeking redress from inter-governmental institutions, in particular through international court procedures.

    The Council of Europe Convention on Cybercrime requires adequate legal procedures to be established in the domestic legal systems for the adequate protection of human rights in the collection and interception of online data, which includes legal remedies.
    1. Typology of remedies
    A. Direct remedies, addressed to a self-regulation body, hotline, independent data protection authority, governmental institution, court:

      - right to information;
      - access to data held by governments or companies on individuals;
      - right to protection of user identity;
      - right to give and withdraw informed consent;
      - right to reply;
      - right to complain;
      - right to correct or delete data, i.e. personal data on social websites, YouTube etc.
      - right to investigate, to inquiry;
      - right to take down content related to racism, hate-speech, glorification of violence and terrorism etc, or the respective websites;
      - right to have restrictive measures regarding human rights reviewed.

    B. Indirect remedies

      - transparency of restrictions, e.g. Transparency Report by Google;
      - assessment of policies of Internet companies - self-assessment and third-party assessment – example of Global Network Initiative (GNI);
      - “naming and shaming” of policies, considered in violation of rights, i.e. critique of privacy policies of companies like Facebook or Google;
      - mechanisms for ensuring internal compliance.

    As could be seen from the analysis of rights proposed for the Compendium, the remedies available are regularly limited to court procedures and complaints to public authorities or private institutions, which, however, are not easily accessible or well developed. The exception is the right to privacy and data protection, where user rights do exist or are being developed in recent legal reforms of the pertinent laws or terms of service.

    What should the human right to a remedy entail in the online context? Minimum standards would require an institution to address a complaint, a procedure to follow and a result to obtain.
    2. Relevant questions to be addressed

      Should there be a focus on certain rights?
      Should the Committee of Experts (MSI-DUI) follow a comprehensive or a selective approach?
      Should the focus be limited to general remedies or on a right by right approach?

    III. Questions for discussion by the Committee of Experts
    This section identifies a broader number of considerations, questions and issues which could be taken up by the expert group for clarification.
    1. User’s human rights: human rights vs. consumer rights?

      Human rights are based on public and international law while consumer rights are based on civil law.
      Human rights are general rights of all individuals. Consumer rights depend on contractual relations.
      User rights can be both, human rights and consumer rights.
      Governmental responsibilities in regulating business activities.

    Companies are expected to respect human rights. In the context of Corporate Social Responsibility (CSR) there is the Framework of Principles developed by John Ruggie, the UN Special Representative on Business and Human Rights, which includes duties to protect, respect and remedy as well as a due diligence-obligation.18 One main purpose is to gain the trust or the confidence of the users.
    2. Which actors should be addressed by the Compendium?

      Governance bodies at all levels, business organisations and companies, individuals, civil society/NGOs (all exercise responsibilities or are subject to governmental accountability or social responsibility)?
      Which legitimate expectations towards stakeholders should be reflected in the Compendium?
      Responsibilities of stakeholders; negative and/or positive obligations?

    3. What kind of Internet user rights’ violations should be considered?

      Violations of Internet user rights relate to users in different capacities, as human beings, citizens, beneficiaries of certain services such as those offered by social networks. Users’ position in respect of criminal liabilities (e.g. identity theft, phishing) etc, may also be relevant in this context.
      Accountability for violations could relate to activities of governments/states, companies, service provider, other users.
      Which violations should be considered – those committed by public authorities or private sector players, or mixed if private actors act on behalf of public ones?
      Quality of service vs. human rights issues?

    4. Types of mechanisms

      Which mechanisms for redress should be considered, those made available by public authorities?
      Private, self-regulatory, internal?
      Decentralised, denouncing bad practices?
      Semi-public, i.e. alert mechanisms, depending on cooperation between industry, NGOs and law enforcement (which can be based on co-regulation)?
      Types of remedies provided (discontinuation of violation, compensation, others)?

    5. Strengths and weaknesses (gaps) of existing remedies

      Some criteria to be considered could inlcude the cost and the length of procedures involved, accessibility (efforts needed), effectiveness, possibility of compensation, etc.
      Obstacles to effectiveness are a relevant issue to be discussed.
      Which remedies work best and are more satisfactory? For example, procedures before European Court of Human Rights are finally very effective, but lengthy and often not well-understood;
      Advantages and disadvantages of complaints to certain Internet actors should be considered (e.g. Facebook Privacy Rules now need a high quorum, but certain concerns can be addressed by users themselves like modifying privacy settings).

    6. Value added of Compendium

      How can the Compendium add value to existing catalogues of rights – some considerations: better access to rights of users, awareness raising, better overview of rights and remedies, new approaches to facilitating access, better dissemination of information on Internet user-specific rights.

    IV. Case Studies on Internet User Rights
    1. Relevant case law of the European Court of Human Rights
    A preliminary analysis of the case-law based on the study of the research division of the European Court of Human Rights on “Internet Case-Law of the European Court of Human Rights”, shows that the case law is mainly concerned with the issue of the content of rights and not with the issue of remedies. The case law is too voluminous to be presented in the context of this paper. There are also useful collections of the case law of the Court on data protection issues and on freedom of expression relevant to the Internet as well as on Internet and Intellectual Property.19

    According to Article 13 of ECHR, there is a right to an effective remedy, which also applies to cases involving the Internet. However, no specific cases related to the Internet could be identified.
    2. Principles established by the Parliamentary Assembly of Council of Europe on protection of privacy and personal data on the Internet and online media
    In addition to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), the Parliamentary Assembly Recommendation 1984 (2011) 20 contains a comprehensive collections of principles on protection of privacy and personal data, of which the most important are summarised here with regard to user rights.

      right to know and rectify one’s own personal data;
      right to control the use of personal data by others;
      right to have personal data provided without legal obligation erased;
      right to informed consent to any use of personal data by others and to withdraw that consent;
      right to be informed on and give consent to any planned commercial exploitation of personal data;
      freedom from manipulation of personal ICT-based communications including through “cookies”;
      right to higher protection of sensitive data through self-regulatory, technical or legal means ensuring due accountability in case of infringements. Such data should be kept or used only for specified periods.
      right to have personal data collected, stored or processed only to the minimum necessary;
      right to delete outdated and unused data;
      right to effective remedy against unlawful interference21 before domestic courts and non-judicial self-regulatory or arbitration bodies.

    3. Data Protection reforms in Europe
    The Consultative Committee (T-PD) of Convention No. 108 of the Council of Europe is considering amendments to the Convention with a view to its modernisation.22

    Some of the main features considered in this context include:

- collection of personal data for explicit, specified and legitimate purposes and not processed in ways incompatible with those purposes;

- the right of the data subject to receive all available information on their origin as well as any other information that the controller is required to provide to ensure the transparency of data processing;

- the right to obtain knowledge of the reasoning underlying in the data processing, the results of which are applied to him/her ;

- privacy by design principle - the products and services intended for the data processing shall take into account the implications of data protection from the stage of their design and include easy-to-use functionalities allowing the compliance of the processing with the applicable law to be ensured;

    The so-called ‘right to be forgotten’ has not been included in the modernisation proposals, as it was considered that the right of rectification or erasure together with the provision on the length of time of data storage offer an effective protection to the data subject and pragmatically correspond to the effects of the ‘right to be forgotten’.

    In the EU, there are proposals for a new regulation and a new directive on protection of personal data by the European Commission of 25 January 2012, to “empower” Internet consumers and save costs for business. They contain also a number of user rights:

      The principle of explicit prior consent (which affects also cookies);
      The right to delete, in particular of own data published on the Internet;
      The right to be forgotten;
      The freedom of movement (portability) of data;
      EU national data protection authorities are to provide remedies;
      Significant sanctions are foreseen for breaches.

    According to the amended “privacy directive”23 there is an obligation of electronic communication providers to notify users of personal data breaches. A public consultation has taken place on appropriate formats in 2012.

    EU data protection laws are to apply globally, if EU users are affected, i.e. by making use of cloud computing.
    4. US-efforts to improve user rights
    In February 2012 the White House has published a report on Consumer Data Privacy in a Network World: A Framework for Protecting Privacy and Promoting Innovations in the Global Digital Economy.24

    Objectives:

    Globally recognised Fair Information Practice Principles (FIPPs);
    Empowerment of Consumers-giving users more control;
    Strengthen Trust into Business Operations and Government.

    Elements of a “Consumer Privacy Bill of Rights”:

    Individual Control over personal data;
    Transparency: easy to understand and accessibly information on privacy and security practices;
    Respect for Context: personal data will not be collected, used etc. inconsistent with the context in which they were provided by consumers;
    Security: Secure and responsible handling of data;
    Access and Accuracy: right of consumers to have access and to correct personal data;
    Focused Collection: right to reasonable limits of collection and retention of personal data;
    Accountability: right to responsible handling of data25;
    Approach: to be negotiated in a multi-stakeholder process.

    Enforcement: Federal Government through the Federal Trade Commission (FTC) to provide for effective enforcement

    FTC-Report: Protecting Consumer Privacy in Area of rapid Change (March 2012)26
    “Privacy Framework”: Proposed to Apply to Offline- and Online Data
    “Privacy by Design”: Data Security, Reasonable Collection Limits, Sound Retention Practices, Data Accuracy; do not track-mechanism
    Implementation: Procedural protection by companies, simplified consumer choice, transparency

    Examples:

    FTC action against Google and Facebook: orders to obtain affirmative express consent before changing data practices and adopting stronger privacy programmes.

    FTC action against applications violating the Children’s Online Privacy Protection Act.
    5. Remedies for threats to or violations of rights of the child
    The ins@fe-system supported by the European Union, operates based on a mechanism of hotlines (for example Stopline in Austria), who can take action leading to a procedure which can result in the taking down of illegal or harmful content.

    The opportunities of this system are that it operates quickly and is easily accessible. The threats are that there seems to be a lack of common due process standards leading to gaps in legal protection of affected website operators.
    V. Conclusions and Proposals
    A. Conclusions

    The strength and weaknesses of existing rights and remedies can be seen in the low degree of awareness on their existence and the fact that they are often too technical or too legally demanding.

    There are also gaps in the existing mechanisms, like easy access to a responsible person institution or complaint mechanism, which is often not provided.

    The focus on Internet users’ rights should allow a more operational approach to human rights, in particular through envisaging effective remedies to be provided by service providers.

    There is a need for remedies easy to access which are generally known on all levels. In the search for adequate remedies best practices should be taken into account.

    There is no need for ‘new’ rights for the Internet. Rather the existing rights should be adjusted to the needs of the Internet, according to the principle that “what applies offline should also apply online” as also confirmed by the recent resolution of the Human Rights Council in Geneva on the promotion, protection and enjoyment of human rights on the Internet.27

    However, a (human) right to access is a precondition for the full enjoyment of all other rights on the Internet.

    It would also be worth exploring how to better use the Internet technologies for the purposes of the Compendium.

    B. Proposals

    The outcome of the MSI-DUI could consist of two documents, a short, easy to read, Guide on Main Rights and Remedies for Internet Users and a more comprehensive Report on Human Rights of Internet Users.
    The rights proposed for consideration under I.7. show the diversity of situations, which can hardly be addressed by a single approach; hence different users rights might need to be identified for individual rights.
    Specific attention should be given to the needs of children and other vulnerable or marginalised groups like people with special needs.
    Symbols, icons or buttons, which exist or could be further developed could be used for easier understanding of the concerns at stake.
    Just like “share buttons” for social networks, an icon could be developed that guides users to a quick and easy-to-understand overview of their rights – and includes country-specific links to remedies.
    Particular emphasis needs to be given to awareness raising and education about digital user rights
    Regarding institutional aspects, the creation of ombuds-like institutions for Internet users should be encouraged in order to assure quick and easy access to relevant information and redress to concerns on a personal basis.
    Regarding the name “Compendium”, the original idea of the IRP Dynamic Coalition was to have a “Charter”. Depending on the outcome of the work, the issue of the name might be addressed again (exploring other options like “guide” or “manual”, for example “Internet Users’ Rights Guide”)
    Specific attention should be given to the issue of the acceptance and use of the Compendium by major actors, which should therefore be involved at an early stage.

    Appendix 1 - APC Charter (Internet Rights Charter).PDF file sent separately.

    Appendix 2 - IRP Charter (Charter of Human Rights and Principles for the Internet)
    English only. PDF file sent separately.

1 European Training and Research Center for Human Rights and Democracy of the University of Graz

2 Internet Governance – Council of Europe Strategy 2012-2015, CM (2011) 175 final of 15 March 2012.

3 See Karen Coyle (2004), XrML – A History of Usage Rights, http://kcoyle.netXrml.html.

4 See Wolfgang Kleinwchter, Internet Principle Hype: How soft law is used to regulate the Internet, see at: http://news.dot-nxt.com/2011/07/27/internet-principle-hype.

5 Council of Europe, Declaration on Internet Governance Principles, adopted on 21 September 2011.

6 Cf. European Union, Council of Ministers, Granada Ministerial Declaration on the European Digital Agenda, agreed on 19 April 2010, http://ec.europa.eu/ceskarepublika/pdf/press/ks7rada.pdf, para. 12.

7 See Andy Woodworth (2011), The e-Book User’s Bill of Rights, The Digital Reader, http://www.the-digital-reader.com/2011/02/28/the-ebook-user%E2%80%99s-bill-of-rights/.

8 Cf. Matthias C. Kettemann, Where humor overrules hate speech and crushed limbs are "ok to show": Facebook's Content Moderation Standards leaked, 22 February 2012, http://internationallawandtheinternet.blogspot.co.at/2012/02/where-humor-overrules-hate-speech-and.html.

9 APC Internet Rights Charter (2006), http://www.apc.org/en/node/5677/ .

10 See Geneva Declaration on Internet Freedom, adopted by the Human Rights Defenders and Civil Society Representatives assembled at the 2nd Geneva Summit for Human Rights, Tolerance and Democracy, March 9 2010, available at http://www.genevasummit.org/outcome/2/2010

11 See Granada Ministerial Declaration on the European Digital Agenda agreed on 19 April 2010, paras.12 and 13, available at http://ec.europa.eu/ceskarepublika/pdf/press/ks7rada.pdf

12 See http://www.praxis.ee/index.php?id=27&L=1&tx_ttnews%5Btt_news%5D=1252&cHash=3d6a324f64

13 See http://boingboing.net/2012/07/02/declaration-of-internet-freedo.html

14 See Nicolas Mendoza, Metal, code, flesh: Why we need a “Rights of the Internet” declaration, http//www.aljazeera.com/indepth/opinion/2012/02/201228715322807.html; see also We, the Web Kids, by Piotr Czerski, 15.02.2012, http://pastebin.com/0xXV8k7k and Timothy Garton Ash, Ten principles on free speech, http://freespeechdebate.com/en/media/timothy-garton-ash-at-the-brandenburg-gate/.

15 For an overview, see Matthias C. Kettemann, Ensuring Human Rights Online: An Appraisal of Selected Council of Europe Initiatives in the Information Society Sector in 2010, in Wolfgang Benedek et al. (eds.), European Yearbook on Human Rights 2011, Vienna 2011, 461-482; and Matthias C. Kettemann, Internet Governance and Human Rights in Europe, in Wolfgang Benedek et al. (eds.), European Yearbook on Human Rights 2010, Vienna 2010, 335-352.

16 See the Case studies in IV.

17 Available at http://www.oecd.org/dataoecd/11/58/49258588.pdf

18 Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework, A/HRC/17/31.

19 See European Court of Human Rights, Research Division, Internet: Case-law of the European Court of Human Rights, Council of Europe 2011.

20 Resolution 1843 (2011); see also Recommendation 1984 (2011) of 7 October 2011 on the Protection of Privacy and Personal Data on the Internet and Online Media and Explanatory Memorandum, by Ms. Rihter, Rapporteur.

21 Based on Andreja Rihter, Towards the Council of Europe Strategy on Internet Governance 2012-2015: Privacy on the Internet – what standards do we want?, Council of Europe Conference on “Our Internet - Our Rights – Our Freedoms”, Vienna 24-25 November 2011.

22 See http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD_2012_04Mos.pdf

23 Directive on Privacy and Electronic Commerce, No. 2002/58/EC, amended by the “Telecom Reform Package” of 2009, Directive 2009/136/EC/to be implemented by 2011.

24 See the White House Consumer Data Privacy in a Networked World, http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

25 See Executive Summary, ibid.

26 See http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

27 See Resolution A/HRC/20/L.13 of 2012 by the Human Rights Council on 5 July 2012, available at http://daccess-dds-ny.un.org/doc/UNDOC/LTD/G12/147/10/PDF/G1214710.pdf?OpenElement. See also Matthias C. Kettemann, EJIL Talk of 23 July 2012.