by Douwe Korff Emeritus Professor of International Law
E mail: email@example.com
Today, 8 December 2014, the Commissioner for Human Rights of the Council of Europe, Nils Muižnieks, released a so-called “Issue Paper” on The rule of law on the Internet and in the wider digital world, with important conclusions and recommendations. They cover four topics of particular interest to civil society: privatised law enforcement, suspicionless mass data retention, cross-border “pulling” of data by law enforcement agencies, and global surveillance by national security agencies.
On privatised law enforcement, the Commissioner says that States should not circumvent their human rights obligations “through ad hoc arrangements with private actors who control the Internet and the wider digital environment”, such as ISPs and MNOs. Rather,
Member states should ensure that any restrictions on access to Internet content affecting users under their jurisdiction are based on a strict and predictable legal framework regulating the scope of any such restrictions and affording the guarantee of judicial oversight to prevent possible abuses. In addition, domestic courts must examine whether any blocking measure is necessary, effective and proportionate, and in particular whether it is targeted enough so as to impact only on the specific content that requires blocking. Member states should not rely on or encourage private actors who control the Internet and the wider digital environment to carry out blocking outside a framework meeting the criteria described above.
The Commissioner condemns compulsory mass retention of communications data (such as was imposed by the EU’s Data Retention Directive until it was found to be in breach of the EU’s Charter of Fundamental Rights and invalid) as “fundamentally contrary to the rule of law, incompatible with core data-protection principles and ineffective”; and adds that “Member states should not resort to it or impose compulsory retention of data by third parties.”
On cross-border “pulling” of data, according to the Commissioner:
Member states should ensure that their law-enforcement agencies do not obtain data from servers and infrastructure in another country under informal arrangements [with other law enforcement agencies or private companies]. Rather, they should use the mutual assistance arrangements, and the special arrangements for expedited data preservation, created by the Convention on Cybercrime. Law-enforcement agencies in one country should not rely on the fact that private entities – such as Internet service providers, social networks or mobile network operators – in other countries have obtained authority to disclose their customers’ data under their general terms and conditions. 
On surveillance by national secutity agencies, the Commissioner stresses that “The ECHR and [the CofE Data Protection Convention] must be applied to all activities of the states that are party to these conventions, including states’ national security and intelligence activities.”
Specifically, in order to achieve respect for the rule of law on the Internet and in the wider digital environment:
- states should only be allowed to invoke national security as a reason to interfere with human rights in relation to matters that threaten the very fabric and basic institutions of the nation;
- states that want to impose interferences with fundamental rights on the basis of an alleged threat to national security must demonstrate that the threat cannot be met by means of ordinary criminal law, compatible with international standards relating to criminal law and procedure;
- the above also applies to actions of states that relate to the Internet and e-communications.
Moreover, according to the Commissioner, “Member states should bring the activities of national security and intelligence agencies within an overarching legal framework.” He stresses that “[u]ntil there is increased transparency on the rules under which these services operate – domestically, extraterritorially and/or in co-operation with each other – their activities cannot be assumed to be in accordance with the rule of law.” Although this is not expressly spelled out in the Commissioner’s recommendations, elsewhere in the Issue Paper it is noted that:
Under Article 52 of the ECHR, the Secretary General of the Council of Europe has the right to initiate an “inquiry”, under which all states parties (that is, all member states of the Council of Europe) can be required to provide such information. This would appear to be an appropriate way to collect the texts of the relevant laws, rules, rulings and treaties.
And finally, in this respect:
Member states should also ensure that effective democratic oversight over national security services is in place. For effective democratic oversight, a culture of respect for human rights and the rule of law should be promoted, in particular among security service officers.
8 December 2014
 NB: The view expressed in the last sentence of the Commissioner’s recommendation is also reflected in a letter from the EU “Article 29 Working Party” on data protection to the Cybercrime Committee of the Council of Europe of 5 December 2013, in which it says that “companies acting as data controllers usually do not have the “lawful authority to disclose the data” which they process for e.g. commercial purposes according to the EU data protection acquis. They can normally only disclose data upon prior presentation of a judicial authorisation/warrant or any document justifying the need to access the data and referring to the relevant legal basis for this access, presented by a national law enforcement authority according to their domestic law that will specify the purpose for which data is required. Data controllers cannot lawfully provide access or disclose the data to foreign law enforcement authorities that operate under a different legal and procedural framework from both a data protection and a criminal procedural point of view.” (quoted in Working Document on surveillance of electronic communications for intelligence and national security purposes, WP228 of 5 December 2014, p. 47; footnotes omitted).