The Hague Process: Courses on the International Law Applicable to Cyber OperationsPanama City, Panama26-30 November 2018

HUMAN RIGHTS IN CYBERSPACE

Generally on HR and Cyber

• What are human rights?

• Who deserves to have them?

• Against whom?

• Applying old law to new problems

• Difficult to legislate in the international system

• Evolving interpretation

• Ambiguity, uncertainty, contestation

2

State Pronouncements on IHRL in Cyberspace

• UN GGE 2013 report

• “State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments.”

• UN GGE 2015 report

• “[T]he Group identified as of central importance the commitments of States to ... respect for human rights and fundamental freedoms; ...” “States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms”

• Human Rights Council, 2016

• “[T]he same rights that people have offline must also be protected online”

3

Key Sources of IHRL Relevant for Cyber

• Global treaties

• International Covenant on Civil and Political Rights

• International Covenant on Economic, Social and Cultural Rights

• Regional treaties

• American Convention on Human Rights

• European Convention for the Protection of Human Rights and

Fundamental Freedoms

• Charter of Fundamental Rights of the European Union

• African Charter on Human and Peoples’ Rights

• Customary IHRL

4

Applicability of IHRL

• Treaties: Bind only Parties

• Customary: Binds all States

• Issues

• Ascertaining customary nature

• Which sources reflect customary law?

• E.g., ICCPR, ICESR, UDHR?

• Extraterritorial applicability?

5

Types of IHRL obligations

• Respect

• State must not violate

• Negative obligation

• Example: State must not monitor the communications of

an ethnic minority for the purpose of persecuting them

• Example: State must not direct a hosting service provider

to stop offering services to an individual who manages a

website that reports on the government’s corruption

6

Types of IHRL obligations

• Protect

• State must take action to protect individuals’ human

rights from abuse by third parties

• Example: Take action to block cyber ops of another State

against server hosting political website

• Not all States agree

• Unsettled whether applies when persons are

located outside the State, but cyber infrastructure in

the State

7

Types of IHRL obligations

• Protect

• Applies when rights are exercised/enjoyed in

cyberspace

• Example: Protect individual threatened by another

individual with physical violence for having expressed

protected views online

• Applies when rights are abused offline, but abuses

are facilitated online

• Example: Take action to stop the abuse of children for the

purposes of producing online pornographic material

8

Types of IHRL obligations

• Fulfil

• State must take measures to ensure individuals can

realise their human rights

• Customary status unclear

• Example: Convention on the Rights of Persons with

Disabilities, Art. 4(1)(g): “promote the availability

and use of new technologies, including information

and communications technologies ... suitable for

persons with disabilities, giving priority to

technologies at an affordable cost”

9

Jurisdiction Clauses

• Article 2(1) ICCPR: Each State Party to the present Covenant

undertakes to respect and to ensure to all individuals within its territory

and subject to its jurisdiction the rights recognized in the present

Covenant

• Article 1 ECHR: The High Contracting Parties shall secure to

everyone within their jurisdiction the rights and freedoms defined in

Section I of this Convention

• Article 1(1) ACHR: The States Parties to this Convention undertake to

respect the rights and freedoms recognized herein and to ensure to all

persons subject to their jurisdiction the free and full exercise of those

rights and freedoms, without any discrimination for reasons of race,

color, sex, language, religion, political or other opinion, national or social

origin, economic status, birth, or any other social condition.10

Applicability of IHRL to Cyber Activities

• Recall the jurisdiction clauses

• Within State’s territory

• Extraterritorially: “Power or effective control”

• Over territory (spatial model)

• Example: Occupied territory

• Over individual (personal model)

• Example: Detained person

• States that reject extraterritorial application?

11

Extraterritoriality and Cyber, issues

• Personal model unsettled in cyber context

• If search in person qualifies, why not by cyber means (phone)?

• Positive obligations to take steps

• Limit to territorial control?

• Functional approach – control over rights

• IHRL obligations attach if can control exercise of rights by cyber means?

• OHCHR Report on Privacy in the Digital Age: control over telecom infrastructure?

12

IACtHR AO on the Environment and HR

• http://www.corteidh.or.cr/docs/opiniones/resumen_seriea_23_eng.pdf

• Paras. 101-2: La Corte considera que los Estados tienen la obligación de evitar daños ambientales transfronterizos que pudieran afectar los derechos humanos de personas fuera de su territorio. A efectos de la Convención Americana, cuando ocurre un daño transfronterizo que afecte derechos convencionales, se entiende que las personas cuyos derechos han sido vulnerados se encuentran bajo la jurisdicción del Estado de origen si existe una relación de causalidad entre el hecho que se originó en su territorio y la afectación de los derechos humanos de personas fuera de su territorio. … El ejercicio de la jurisdicción por parte del Estado de origen frente a daños transfronterizos se basa en el entendimiento de que es el Estado, en cuyo territorio o bajo cuya jurisdicción se realizan estas actividades, quien tiene el control efectivo sobre las mismas y está en posición de impedir que se cause un daño transfronterizo que afecte el disfrute de los derechos humanos de individuos fuera de su territorio.

13

Assessing Whether Cyber Activities Violate IHRL

1. Does the State owe the individual concerned a

human rights law obligation?

• Where is the individual located?

2. Does the individual’s cyber-related activity fall

within scope of specific human right?

• E.g., does data about an individual’s location fall within the scope

of the right to privacy?

• E.g., is the individual engaging in protected expression on-line?

• Is the relevant State obligation a negative one (State duty not to

interfere without justification) or a positive one (State duty to act,

unless there’s a justified reason not to)?

14

Assessing Whether Cyber Activities Violate IHRL

3. Has the State engaged in conduct, consisting of

either action or omission, that adversely affects

human right?

• Negative obligation: State interfered with the individual’s

rights? E.g., is State processing personal data?

• Positive obligation: State failed to act to protect individual’s

rights? E.g. failed to regulate private companies that process

personal data?

4. Is the State interference or failure to act justified?

• Limitations and derogations

15

Limitations clauses, express or implied -examples

• Art 17(1) ICCPR: No one shall be subjected to arbitraryor unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

• Art 19(3) ICCPR: The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (1) For respect of the rights or reputations of others; (2) For the protection of national security or of public order (ordrepublic), or of public health or morals.

16

Limitations

• No limitations on absolute rights

• Examples: freedom from torture, freedom from slavery, right to hold an opinion

• Limitations are distinct from derogation in emergency situations

• Requirements for limitations:

• Legitimate aim

• Necessary to achieve that aim

• Prescribed by law

• Proportionate

• Requirements apply to obligations to respect and to protect

17

Requirements for Limitations

• Legitimate aim

• Different provisions have different lists

• Protection of rights and reputations of others

• National security

• Public order

• Public health or morals

• Example: monitoring certain online communications

in order to counter terrorism

18

Requirements for Limitations

• Prescribed by law

• Accessible, precise and clear to put affected individuals on notice

• A formal criterion; generally concerns the quality of domestic law

• Example: A law that sets forth the legal basis for online surveillance must outline the conditions under which the State may engage in such surveillance

• Example: quality of oversight – Zakharov v. Russia

19

Requirements for Limitations

• Necessary

• Proportionate

• (1) State measure needs to be suitable to achieving the aim; (2) less intrusive means have to be exhausted first; (3) a fair balance needs to be struck between competing interests

• “[R]estrictive measures ... the least intrusive instrument amongst those which might achieve their protective function; they must be proportionate to the interest to be protected...” – General Comment No. 27, para. 14

• Example: Is it proportionate to engage in mass collection of online communications?

20

Cyber-Relevant Human Rights

• Examples:

• Freedom of expression

• Privacy

• Freedom of opinion

• Due process

• Association and peaceful assembly

• Non-discrimination (e.g. distinctions based

on ethnicity; what about citizenship?)

21

Freedom of Cyber Expression

• Recognised in various treaties

• Separate from the freedom of opinion

• ICCPR definition: “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impartinformation and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.”

22

Freedom of Cyber Expression

• Examples:

• Websites

• Blogs

• Online forums

• Social media posts

• Skype, Viber, Whatsapp calls

• Text messages

• Etc.

23

Privacy in Cyberspace

• Recognised in various treaties

• ICCPR definition: “No one shall be subjected to

arbitrary or unlawful interference with his

privacy, family, home or correspondence, nor to

unlawful attacks on his honour and reputation.”

24

Privacy in Cyberspace

• Scope• Enjoyment of right dependent on reasonable expectation

of privacy?

• Confidentiality of communications

• Personal data

• Confidentiality: communications must be “delivered

to the addressee without being opened or

otherwise read” • General Comment No. 16, para. 8

• Is email metadata part of a communication?

• Personal data: no generally accepted definition• Health-related data clearly qualifies

25

Privacy In Cyberspace

• Electronic surveillance; bulk or targeted

• Surveillance and locus standi

• Machine inspection based on algorithms of

communications / personal data without human

access?

• Mere collection of communications / personal

data for potential future examination?

26

Cyber-Specific Human Rights

• Human right to anonymity?

• Human right to access the internet?

• Human right to be forgotten?

27

QUESTIONS?