14 June 2013

CoE response to PRISM

The Council of Europe (CoE) - the international entity that has driven Australian proposals for mandatory electronic data retention through the global Cybercrime Convention - has responded to the furore over PRISM.

Its media release states that the Council
today alerted its 47 member states to the risks of digital tracking and other surveillance technologies for human rights, the rule of law and democracy, and recalled the need to ensure their legitimate use. 
In a Declaration issued to governments, the Committee of Ministers say that legislation allowing for overly broad surveillance of citizens can challenge their privacy and have a chilling effect on their freedom of expression and the freedom of the media.
The Committee recall that tracking and surveillance measures by law enforcement authorities should comply with the Council of Europe’s human rights standards set out in the European Convention on Human Rights. Such measures should also strictly respect the limits, requirements and safeguards set out in the Data Protection Convention 108.
The Declaration also draws attention to the criminal law implications of unlawful surveillance and tracking and to the relevance of the Budapest convention on Cybercrime to address this challenge.
Finally, the Committee also encourages states to introduce suitable export controls to prevent the misuse of technology to undermine human rights standards.
The Declaration, which must have been fun to write, is as follows
1. The propensity to interfere with the right to private life has significantly increased as a result of rapid technological development and of legal frameworks which are slow to adapt. 
2. Data processing in the information society which is carried out without the necessary safeguards and security can raise major human rights related concerns. Legislation allowing broad surveillance of citizens can be found contrary to the right to respect of private life. These capabilities and practices can have a chilling effect on citizen participation in social, cultural and political life and, in the longer term, could have damaging effects on democracy. They can also undermine the confidentiality rights associated to certain professions, such as the protection of journalists’ sources, and even threaten the safety of the persons concerned. More generally, they can endanger the exercise of freedom of expression and the right to receive and impart information protected under Article 10 of the European Convention on Human Rights. 
3. In this connection, it is recalled that, in accordance with Article 8 of the European Convention on Human Rights, Council of Europe member States have undertaken to secure to everyone within their jurisdiction the right to respect of private and family life, home and correspondence. Restrictions to this right can only be justified when it is necessary in a democratic society, in accordance with the law and for one of the limited purposes set out in Article 8, paragraph 2, of the Convention. 
4. As a corollary to the Convention and relevant case law of the European Court of Human Rights, member States have negative obligations, that is, to refrain from interference with fundamental rights, and positive obligations, that is, to actively protect these rights. This includes the protection of individuals from action by non-state actors. 
5. People nowadays rely on a growing range of both fixed-location and mobile electronic devices which enhance their possibilities to communicate, participate and manage their everyday lives. However, a growing number of these devices are equipped with software that are capable of collecting and storing data, including personal data (e.g. keystrokes that reveal passwords) and private information such as user generated content, websites visited, and geographical locations that potentially allow tracking and surveillance of people. This data can reveal delicate and/or sensitive personal information (such as financial, health, political, religious preferences, sexual habits) which can be aggregated to provide detailed and intimate profiles of them. 
6. Tracking and surveillance technologies can be used in the pursuit of legitimate interests, for example to develop new services, improve user experience or facilitate network management, as well as law enforcement. On the other hand, they may also be used for unlawful purposes that lead to illegal access, data interception or interference, system surveillance, and misuse of devices or other forms of malpractice; for example, geo-location tracking could be used to stalk women and make them more vulnerable to gender-related abuse and violence. 
7. In all cases, the modalities for processing personal data should comply with relevant Council of Europe standards. This implies ensuring that law enforcement’s own tracking and surveillance measures respect the applicable human rights safeguards, which should provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which should incorporate the principle of proportionality. It also concerns strict respect for the limits, requirements and safeguards set out in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and in its Additional Protocol as well as regard for other instruments such as Recommendation CM/Rec(2010)13 on the protection of personal data in the context of profiling. 
8. Against this background, the Committee of Ministers:
  • - alerts member States to the risks of digital tracking and other surveillance technologies for human rights, democracy and the rule of law and recalls the need to guarantee their legitimate use which benefits individuals, the economy, society at large, and the needs of law enforcement; 
  • - encourages member States to bear these risks in mind in their bilateral discussions with third countries, and, where necessary, consider the introduction of suitable export controls to prevent the misuse of technology to undermine those standards; 
  • - welcomes steps taken by data protection authorities in some member States to raise awareness of the implications of tracking and surveillance technologies and to investigate these practices to ensure compliance with the provisions of Convention No. 108 and their national legislations; 
  • - draws attention to the criminal law implications of unlawful surveillance and tracking activities in cyberspace and the relevance of the Budapest Convention in combating cybercrime; 
  • - welcomes measures taken by both State and non-State actors to raise awareness among users, and, a fortiori, within the private sector and among technology developers about the potential impact of the use of such technologies on human rights and the steps which can be taken at the design stage to minimise the risks of interferences with these rights and freedoms (e.g. “privacy by design” and “privacy by default”); 
  • - recalls the Council of Europe Internet Governance Strategy 2012-2015 which includes a number of action lines relevant to the challenges identified in this Declaration and looks forward to the concrete results of the work of the competent Council of Europe bodies.