Explanatory Memorandum

1. The right to respect for family and private life is enshrined in Article 8 of the ECHR. This right is further interpreted by the case-law of the Court and complemented and reinforced by the Council of Europe Convention 108.

2. Private life is a notion not susceptible to exhaustive definition. The Court has emphasised that Article 8 encompasses a wide range of interests, namely private and family life, home, and correspondence including mail, telephone communications and e-mails in the workplace. Private life relates to a person's right to their image, for example by means of photographs and video-clips. It also concerns a person's identity and personal development, the right to establish and develop relationships with other human beings. Activities of a professional or business nature are also covered.

3. Many activities of users will involve some form of automatic processing of personal data; examples include the use of browsers, e-mail, instant messages, voice-over Internet protocols, social networks and search engines as well as cloud data storage services. Convention 108 covers all operations carried out on the Internet, such as collection, storage, alteration, erasure and retrieval or dissemination of personal data.

4. There are principles and rules that should be respected by public authorities and private companies which are engaged in the processing of personal data. It is necessary that a user is aware of and understands what and how her/his data is processed and whether action can be taken in this regard, for example to request correction or erasure of data. According to Convention 108, personal data must be obtained and processed fairly and lawfully, and stored for specified and legitimate purposes. They must be adequate, relevant and not excessive in relation to the purposes for which they are stored, accurate and, where necessary, kept up to date, preserved in a way which permits identification of the person whose personal data are processed and for no longer than is required for the purpose for which those data are stored.

5. Emphasis is placed on two specific principles of the processing of personal data: the lawfulness of the processing, and the user's consent. The user must be informed that data can be processed only when this is laid down by law and when she/he has consented to it, for example by agreeing to the terms and conditions of use of an Internet service.

6. The integration into Convention 108 of a person's free, specific, informed and explicit (unambiguous) consent to the processing of personal data on the Internet is currently under discussion. Informed consent is referred to in Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services. In particular, social networks should secure the informed consent of their users before their personal data is disseminated or shared with other categories of people or companies or used in ways other than those necessary for the specified purposes for which they were originally collected. In order to ensure users' consent, they should be able to "opt in" to a wider access to their personal data by third parties (e.g. when third party applications are operated on the social network). Equally, users should also be able to withdraw their consent.

7. It is important to note Recommendation CM/Rec(2010)13 of the Committee of Ministers to member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling. This is understood as automatic data processing techniques that consist of applying a profile to an individual in order to take decisions concerning him or her or for purposes of analysing or predicting his or her personal preferences, behaviours and attitudes. For example, personal data of an Internet user may be collected and processed in the context of his/her interaction with a website or an application or in the context of Internet browsing activity over time and across different websites (e.g. by collecting information on pages and content visited, times of visits, what was searched for, what was clicked). ‘Cookies’ are one of the means used to track users' browsing activities; this is done by storing information in a user's equipment and retrieving it later on. The Recommendation envisages the right of Internet users to consent to the use of personal data for the purposes of profiling and the right to withdraw such consent.

8. Internet users' rights to information with regard to the processing of their personal data are referred to in different Council of Europe instruments. Convention 108 provides that the data subject should be enabled to establish the existence of processing of his/her personal data by any natural or legal person, the main purposes of the processing as well as the identity and habitual residence or principal place of business of the processing entity and to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him/her is stored as well as communication to him/her of such data in an intelligible form.

9. Information to users is also referred to in Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services. Internet users on social networks should be informed in a clear and understandable manner about every change made to the providers' terms of service and conditions of use. This also includes other actions, such as the installation of third party applications which involve risks to users' privacy; the law that is applicable in the execution of the social networking services and the related processing of their personal data; the consequences of open access (in time and geographically) to their profiles and communications, in particular explaining the differences between private and public communication, and the consequences of making information publicly available, including unrestricted access to, and collection of, data by third parties; and the need to obtain the prior consent of other people before they publish their personal data, including audio and video content, in cases where they have widened access beyond self-selected contacts. Internet users should also be given specific information regarding the logic underpinning the processing of personal data that is used to attribute a profile to them and the purposes of profiling.

10. Internet users should be able to exercise control over their personal data as developed in Convention 108, notably the right to obtain rectification or erasure of data that has been processed contrary to the law and the right to a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to above is not complied with.

11. Recommendation CM/Rec(2012)3 of the Committee of Ministers to member States on the protection of human rights with regard to search engines refers to a number of measures that providers can take to protect their users' privacy. This includes the protection of personal data against unlawful access by third parties and data breach notification schemes. Measures should also include "end-to-end" encryption of the communication between the user and the search engine provider. Cross-correlation of data originating from different services/platforms belonging to a search engine provider can take place only if unambiguous consent has been granted by the user for that specific service. Users should be able to access, correct and delete their data that is collected in the course of the use of such services, including any profile created, for example for direct marketing purposes.

12. Social networks should also assist users in the management and protection of their data in particular with:

  • default privacy-friendly settings, to limit access to contacts identified and selected by the user. This includes adjustments to their privacy settings and to the selection of the level of public access to their data;
  • enhanced protection for sensitive data, such as biometric data or facial recognition access which should not be activated by default;
  • data security against unlawful access to users' personal data by third parties, including end-to-end encryption of communication between the user and social networks. Users should be informed about breaches of their personal data security in order to be able to take preventive measures such as changing their passwords and being attentive to their financial transactions (for example when social networks are in possession of bank or credit card details);
  • privacy by design, that is addressing data protection needs at the stage of conception of their services or products, and continuously assessing the privacy impact of changes to existing services;
  • protection for non-users of social networks by refraining from collecting and processing their personal data, for example e-mail addresses and biometric data. Users should be made aware of the obligations they have towards other individuals and, in particular, that the publication of personal data related to other people should respect the rights of those individuals.

13. Before a social network user's account is terminated, he/she should be able to easily and freely move his/her data to another service or device, in a usable format. Upon termination, all data from and about the user should be permanently eliminated from the storage media of the social networking service. In addition, Internet users should be able to make informed choices about their online identity, including the use of a pseudonym. In the event that a social networking service requires real identity registration, the publication of that real identity on the Internet should be optional for users. This does not prevent law-enforcement authorities from gaining access to the user's real identity when necessary and subject to appropriate legal safeguards guaranteeing the respect of fundamental rights and freedoms.

14. In the context of profiling, the user should also be able to object to the use of his/her personal data for the purpose of profiling and to object to a decision taken on the sole basis of profiling, which has legal effects concerning him/her or significantly affects him/her, unless this is provided by law which lays down measures to safeguard the users' legitimate interests, particularly by allowing him/her to put forward his/her point of view and unless the decision was taken in the course of the performance of a contract and provided that the measures for safeguarding the legitimate interests of the Internet user are in place.

15. The rights of the Internet user are not absolute, hence the reference to the word ‘generally’ in the third sub-paragraph. Derogations are permissible when this is provided for by law and it constitutes a necessary measure in a democratic society in the interests of: (a) protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences; and (b) protecting the data subject or the rights and freedoms of others. Restrictions on the exercise of the rights foreseen may be provided by law with respect to automated personal data files used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects.

16. Interception relates to the listening to, monitoring or surveillance of content of communications, securing the content of data through the access and use of the computer system, or indirectly through the use of electronic eavesdropping or tapping devices. Interception may also involve recording. The right to respect for the confidentiality of correspondence and communications is enshrined in Article 8 of the ECHR, which has been further interpreted by the Court. The concept of correspondence covers mail and telecommunications as well as e-mails sent in a working context. It is expected that the interpretation of this concept will evolve to keep pace with the developments of technology which may bring other forms of communications on the Internet, such as email messages (in a broader context), instant messaging or others within the sphere of Article 8 protection.

17. Some of the general principles affirmed in the Court case-law with regard to interception and surveillance of communications in non-Internet cases and cases involving interferences by State authorities are given below. These principles provide general guidance and reference, for possible future application to Internet communications.

18. The interception of correspondence and telecommunications is an interference with the right to private life and is subject to the conditions of Article 8 paragraph 2 of the ECHR. The very existence of legislation permitting surveillance of telecommunications may be considered as an interference with the right to private life. A law that institutes a system of surveillance, under which all persons in the country concerned can potentially have their mail and telecommunications monitored, directly affects all users or potential users of the postal and telecommunication services in that country. The Court has, therefore, accepted that an individual may, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting them, without having to allege that such measures were in fact applied to him or her.

19. Interception must have a basis in law and be necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others, as foreseen in Article 8 of the ECHR. The Court has developed the following general principles with particular reference to the requirements that the law, providing for covert measures of surveillance of correspondence and communications by public authorities, should meet:

  • Foreseeability – the law must be accessible to the person concerned who must be able to foresee the consequences of its application to him/her. The law must also be formulated with sufficient clarity and precision to give citizens an adequate indication of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.
  • Minimum safeguards for the exercise of discretion by public authorities – the law should have detailed rules on (i) the nature of the offences which may give rise to an interception order; (ii) the definition of the categories of people liable to have their communications monitored; (iii) the limit on the duration of such monitoring; (iv) the procedure to be followed for examining, using and storing the data obtained; and (v) the precautions to be taken when communicating the data to other parties; and the circumstances in which data obtained may or must be erased or the records destroyed.
  • Supervision and review by competent authorities – the Court requires that there exist adequate and effective guarantees against abuse.

20. The Court's case-law on privacy in the workplace has found that telephone calls made by an employee in the premises of the enterprise are covered by the notions of private life and correspondence. Emails sent from work as well as information derived from the monitoring of personal Internet usage should be protected under Article 8 of the ECHR. In the absence of a warning that these would be liable to monitoring, the employee has a reasonable expectation that her/his privacy is respected with regard to phone calls, email and Internet usage in the workplace. The user can be assisted by data protection authorities, or other competent authorities in member States.

21. Data protection authorities, existing in a vast majority of member States, play an important role in investigating, intervening, raising awareness or otherwise remedying interferences in the processing of personal data. This is notwithstanding the primary role of the State to assure the protection of personal data within the wider scope of their obligation to safeguard the right to private and family life.
