By Mike Harris / 10 January, 2014
This article is part of a series based on our report, Time to Step Up: The EU and freedom of expression
The EU has made a number of positive contributions to digital freedom: it plays a positive part in the global debate on internet governance; the EU’s No-Disconnect Strategy, its freedom of expression guidelines and its export controls on surveillance equipment have all be useful contributions to the digital freedom debate, offering practical measures to better protect freedom of expression. Comparatively, some of the EU’s member states are amongst the world’s best for protecting online freedom. The World Wide Web Foundation places Sweden at the top of its 2012 Index of internet growth, utility and impact, with the UK, Finland, Norway and Ireland also in the top 10. Freedom House ranks all EU member states as “free”, and an EU member state, Estonia, ranks number one globally in the organisation’s annual survey, “Freedom in the World”. But these indices merely represent a snapshot of the situation and even those states ranked as free fail to fully uphold their freedom of expression obligations, online as well as offline.
As the recent revelations by whistleblower Edward Snowden have exposed, although EU member states may in public be committed to a free and open internet, in secret, national governments have been involved in a significant amount of surveillance that breaches international human rights norms, as well as these governments’ own legal commitments. It is also the case that across the EU, other issues continue to chill freedom of expression, including the removal or takedown of legitimate content.
The EU’s position on digital freedom is analysed in more detail in Index on Censorship’s policy paper “Is the EU heading in the right direction on digital freedom?“ The paper points out that the EU still lacks a coherent overarching strategy and set of principles for promoting and defending freedom of expression in the digital sphere.
Recent revelations by former US National Security Agency (NSA) whistleblower Edward Snowden into the NSA’s PRISM programme have also exposed that mass state surveillance by EU governments is practised within the EU, including in the UK and France.
Mass or blanket surveillance contravenes Article 8 (the right to respect for private and family life) and Article 10 (the right to freedom of expression) of the European Convention on Human Rights. In its jurisprudence, the European Court of Human Rights has repeatedly stated that surveillance, if conducted without adequate judicial oversight and with no effective safeguards against abuse, will never be compatible with the European Convention.
This state surveillance also breaches pledges EU member states have made as part of the EU’s new cybersecurity strategy, which was agreed in February 2013 and addresses mass state surveillance. The Commission stated that cybersecurity is predominantly the responsibility of member states, an approach some have argued gives member states the green light for increased government surveillance. Because the strategy explicitly states that “increased global connectivity should not be accompanied by censorship or mass surveillance”, member states were called upon to address their adherence to this principle at the European Council meeting on 24th October 2013. The Council was asked to address revelations that external government surveillance efforts, such as the US National Security Agency’s Prism programme, undermining EU citizens’ rights to privacy and free expression. While the Council did discuss surveillance, as yet there has been no common EU position on these issues.
At the same time, the EU has also played a role in laying the foundations for increased surveillance of EU citizens. In 2002, the EU e-Privacy Directive introduced the possibility for member states to pass laws mandating the retention of communications data for security purposes. In 2006, the EU amended the e-Privacy Directive by enacting the Data Retention Directive (Directive 2006/24/EC), which obliges member states to require communications providers to retain communications data for a period of between six months and two years, which could result in member states collecting a pool of data without specifying the reasons for such practice. A number of individual member states, including Germany, Romania and the Czech Republic, have consulted the European Convention on Human Rights and their constitutions and have found that the mass retention of individual data through the Data Retention Directive to be illegal.
While some EU member states are accused of colluding in mass population surveillance, others have some of the strongest protections anywhere globally to protect their citizens against surveillance. Two EU member states, Luxembourg and the Czech Republic, require that individuals who are placed under secret surveillance to be notified. Other EU member states have expanded their use of state surveillance, in particular Austria, the UK and Bulgaria. Citizens of Poland are subject to more phone tapping and surveillance than any other citizens in the European Union; the European Commission has claimed the police and secret services accessed as many as 1,300,000 phone bills in 2010 without any oversight either by the courts or the public prosecutor.
At a global level the EU has argued for no top-down state control of internet governance. There are efforts by a number of states including Russia, China and Iran to increase state control of the internet through the International Telecommunication Union (ITU). The debate on global internet governance came to a head at the Dubai World Conference on International Telecommunications (WCIT) summit at the end of 2012 which brought together 193 member states. At the WCIT, a number of influential emerging democratic powers aligned with a top-down approach with increased state intervention in the governance of the internet. On the other side, EU member states, India and the US argued the internet should remain governed by an open and collaborative multistakeholder approach. The EU’s influence could be seen through the common position adopted by the member states. The European Commission as a non-voting WCIT observer produced a common position for member states that opposed any new treaty on internet governance under the UN’s auspices. The position ruled out any attempts to make the ITU recommendations binding and would only back technology neutral proposals – but made no mention of free expression. The absence of this right is of concern as other rights including privacy (which was mentioned) do not always align with free speech. After negotiations behind closed doors, all 27 EU member states and another 28 countries including the US abstained from signing the final treaty. That states with significant populations and rising influence in their regions did not back the EU and leant towards more top-down control of the internet should be of significant concern for the EU.
Intermediate liability, takedown and filtering
European laws on intermediate liability, takedown and filtering are overly vague in defining what constitutes valid and legitimate takedown requests, which can lead to legal uncertainty for both web operators and users. Removal of content without a court order can be problematic as it places the content host in the position of judge and jury over content and inevitably leads to censorship of free expression by private actors. EU directorate DG MARKT is currently looking into the results of a public consultation into how takedown requests affect freedom of expression, among other issues. It is expected that the directorate will outline a directive or communication on the criteria takedown requests must meet and the evidence threshold required, while also clarifying how “expeditiously” intermediaries must act to avoid liability. A policy that clarifies companies’ legal responsibilities when presented with takedown requests should help better protect online content from takedown where there is no legal basis for the complaint.
The EU must take steps to protect web operators from vexatious claims from individuals over content that is not illegal. Across the EU, the governments of member states are increasingly using takedown requests. Google has seen a doubling of requests from the governments of Germany, Hungary, Poland and Portugal from 2010-2012; a 45% increase from Belgium and double-digit growth in the Netherlands, Spain and the UK. Governments are taking content down for dubious reasons that may infringe Article 10 rights of the ECHR. In 2010, a number of takedown requests were made in response to ‘”government criticism” and four in response to “religious offence”. A significant 8% of takedown requests were in response to defamation offences. With regard to defamation charges, it must be noted that the public interest is not protected equally across all EU countries (see Defamation above).
Although corporate takedown is more prevalent than state takedown, particularly in the number of individual URLs affected, the outcome of the DG MARKT consultation must be to address both vexatious state and corporate takedown requests. The new communication or directive must be clearer than the EU e-Commerce directive has been with respect to the responsibility of member states. While creating a legal framework that was intended to protect internet intermediaries, the EU e-Commerce directive has failed to be entirely effective in a number of high-profile cases. EU member states use filters to prevent the distribution of child pornography with questionable effectiveness. However, filters have not been used by states to block other content after a Court of Justice of the European Union ruling stated EU law did not allow states to require internet service providers to install filtering systems to prevent the illegal distribution of content. The Court made it clear at the time that such filtering would require ISPs to monitor internet traffic, an infringement under EU law. This has granted European citizens strong protections against systematic web filtering on behalf of states. There continue to be legal attempts to force internet intermediaries to block content that is already in the public domain. In a recent case, brought by the Spanish Data Protection authority on behalf of a complainant, the authority demanded that the search engine Google remove results that pointed to an auction note for a reposessed home due to social security debts. The claimant insisted that referring to his past debts infringed on his right to privacy and asked for the search results to be removed. In June 2013, the Advocate General of the European Court of Justice decided Google did not need to comply to the request to block “legal and legitimate information that has entered the public domain” and that it is not required to remove information posted by third parties. Google has estimated that there are 180 cases similar to this one in Spain alone. A final decision in the case is expected before the end of this year, which could have profound implications for intermediate liability.
 In Liberty v. UK (58243/00) the ECHR stated: “95. In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed”; A. v. France (application no. 14838/89), 23.11.1993: found a violation of Article 8 after a recording was carried out without following a judicial procedure and which had not been ordered by an investigating judge; Drakšas v. Lithuania, 31.07.2012, found a violation of Article 13 (right to an effective remedy) on account of the absence of a judicial review of the applicant’s surveillance after 17 September 2003.