Global Conference on Cyber Space 2015 - Focus session: A secure place for business and people

16 April 2015, The Hague

The key issue for the Council of Europe is to ensure security while respecting fundamental rights and freedoms.

The countries in Europe and the European institutions are facing huge challenges and threats across the continent. We are all witnessing attacks on our democratic institutions and as well as on freedom of expression, freedom of assembly, the right to privacy…

Security must not be confused with securitarianism, an obsession with security.  Of course we need to defend our security, but it cannot go at the expense of the values we stand for. Because there can be no real security without freedom.

Therefore, the aim of our Organisation – the Council of Europe - is to ensure democratic security, which requires respect for human rights, rule of law and democracy, for our 47 member states and 820 million Europeans.

Democratic security is as vital on-line as it is off-line.  It very much englobes the focus of this session on providing a secure place for business and people.

We have developed a number of international legal instruments for this. And we continue to do so, increasingly with a multistakeholder approach.

The European Convention on Human Rights and the European Court of Human Rights are the cornerstones of the human rights’ protection system in Europe. The Court applies the Convention both on-line and off-line.

Cyber-attacks have a very serious impact in human rights and fundamental freedoms; take for example the recent attack on TV5 Monde last week. When the eleven channels of this major French-speaking television network went black, the freedom of expression and the right to receive and impart information were seriously interfered with.

The Committee of Ministers, our highest inter-governmental decision-making body, in a 2011 Declaration already expressed its growing concern about attacks (such as ‘distributed denial-of-service attacks’) against websites of independent media, human rights defenders, dissidents, whistle-blowers and other new media actors; it alerted member States to their gravity, and underlined the necessity to reinforce protection policies in this context.

Another key legally binding international instrument for security on the Internet is our Budapest Convention on Cybercrime. The Convention aims to harmonise national laws on cybercrime, improve domestic capabilities for investigating cybercrime and securing electronic evidence, and allow for effective international co-operation.

The Cybercrime Convention Committee – comprising the Parties to the Budapest Convention - issues Guidance Notes aimed at facilitating the effective use and implementation of the Convention to address new challenges, for example, botnets, identity theft, distributed denial of service (DDoS) attacks, critical infrastructure attacks or spam.

Last December, the Cybercrime Convention Committee adopted recommendations on how to render mutual legal assistance more efficient. This may lead to an additional protocol to the Budapest Convention in the future.

Through a dedicated Cybercrime Programme Office we support countries worldwide in the implementation of this treaty. The Budapest Convention currently has 45 State Parties, 8 signatories and 12 states invited to accede, among them most recently Peru and Sri Lanka. It is further used as a point of reference by many States that have not ratified this convention. In all, the Convention has an impact on more than 126 States worldwide.

Earlier this week, the United Nations Congress on Crime Prevention and Criminal Justice, meeting in Qatar, adopted the Doha Declaration. With regard to cybercrime, the Congress underlined the importance of capacity building. We welcome that reflections on effective international responses will continue also at the level of the United Nations, the Cybercrime Convention is an important tool in the fight against organized crime, as well as terrorism.

As regards the latter, it is complemented by our Convention on the Prevention of Terrorism and the Convention against the Financing of terrorism.

The Council of Europe’s Convention on Data Protection (Convention 108) sets out a legal framework that enhances legal certainty and provides a common understanding of key values and principles regarding privacy.

This Convention is open to non-Council of Europe member States. For example, Uruguay has ratified it, Morocco has been invited to accede and Senegal has requested to be invited to accede. Ensuring that people around the globe are appropriately protected in respect of the processing of their personal data gives greater faith in data exchanges and security responses.

This is important not just for the States but also for t businesses which, through the laws adopted at national level and based on the provisions of Convention 108, will know clearly what their obligations are when they are processing personal data. They should inform the persons concerned, guarantee the security of the data they hold, enable access to that data by the persons concerned including the right to the deletion of their data.

This is particularly crucial in the context of mass surveillance activities and their threat to privacy. The Dutch Parliamentarian Pieter Omtzigt, in a report to be presented to the Council of Europe’s Parliamentary Assembly next week, points out that surveillance practices disclosed so far interfere with rights that are the cornerstones of democracy, and jeopardise the rule of law.

Data protection and cyber-security are both required to ensure the safety of businesses and people. Essential is the balancing of interests and rights, taking into account the notion of proportionality. The European Court of Human Rights repeatedly held that national security interests should not automatically prevail over the right to privacy. Interferences must be prescribed by law and necessary in a democratic society. Democracy should not be destroyed on the ground of defending it.

The Council of Europe supports the multi-stakeholder approach to the Internet. This has been clearly spelled out in our Organisations multi-annual Internet Governance Strategy. The development and implementation of Internet governance arrangements should ensure, in an open, transparent and accountable manner, the full participation of governments, the private sector, civil society, the technical community and users.

The protection of human rights in all Internet governance arrangements, in accordance with international human rights law, is of equal importance for us.  All public and private actors should recognise and uphold human rights and fundamental freedoms in their operations and activities, as well as in the design of new technologies, services and applications.

Cybercrime–including botnets and denial of service attacks – should be considered not only as a threat to business and people but also to the values on which democratic security depends.  In a recent landmark judgment, the European Court of Human Rights has affirmed that the Internet has become the principal means of freedom of information, which applies not only to the content of information but also to the means of its dissemination (such as infrastructure of the Internet) (Yildirim v Turkey, 2013).

In conclusion, to create a secure Internet for business and people is a common responsibility.

The Budapest Convention, in combination with other treaties such as Data Protection Convention 108, provides an effective rule of law framework that reconciles the need for effective criminal justice measures with the protection of human rights.

We will ensure that these instruments remain up-to-date , through co-operation between different stakeholders taking into account their specific roles and responsibilities.

Securing an Internet which is a secure place for business and people will be a long and tough process. In which this conference will no doubt be remembered as an important mile-stone.