The Hague Process: Courses on the International Law Applicable to Cyber OperationsPanama City, Panama26-30 November 2018
HUMAN RIGHTS IN CYBERSPACE
Generally on HR and Cyber
• What are human rights?
• Who deserves to have them?
• Against whom?
• Applying old law to new problems
• Difficult to legislate in the international system
• Evolving interpretation
• Ambiguity, uncertainty, contestation
2
State Pronouncements on IHRL in Cyberspace
• UN GGE 2013 report
• “State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments.”
• UN GGE 2015 report
• “[T]he Group identified as of central importance the commitments of States to ... respect for human rights and fundamental freedoms; ...” “States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms”
• Human Rights Council, 2016
• “[T]he same rights that people have offline must also be protected online”
3
Key Sources of IHRL Relevant for Cyber
• Global treaties
• International Covenant on Civil and Political Rights
• International Covenant on Economic, Social and Cultural Rights
• Regional treaties
• American Convention on Human Rights
• European Convention for the Protection of Human Rights and
Fundamental Freedoms
• Charter of Fundamental Rights of the European Union
• African Charter on Human and Peoples’ Rights
• Customary IHRL
4
Applicability of IHRL
• Treaties: Bind only Parties
• Customary: Binds all States
• Issues
• Ascertaining customary nature
• Which sources reflect customary law?
• E.g., ICCPR, ICESR, UDHR?
• Extraterritorial applicability?
5
Types of IHRL obligations
• Respect
• State must not violate
• Negative obligation
• Example: State must not monitor the communications of
an ethnic minority for the purpose of persecuting them
• Example: State must not direct a hosting service provider
to stop offering services to an individual who manages a
website that reports on the government’s corruption
6
Types of IHRL obligations
• Protect
• State must take action to protect individuals’ human
rights from abuse by third parties
• Example: Take action to block cyber ops of another State
against server hosting political website
• Not all States agree
• Unsettled whether applies when persons are
located outside the State, but cyber infrastructure in
the State
7
Types of IHRL obligations
• Protect
• Applies when rights are exercised/enjoyed in
cyberspace
• Example: Protect individual threatened by another
individual with physical violence for having expressed
protected views online
• Applies when rights are abused offline, but abuses
are facilitated online
• Example: Take action to stop the abuse of children for the
purposes of producing online pornographic material
8
Types of IHRL obligations
• Fulfil
• State must take measures to ensure individuals can
realise their human rights
• Customary status unclear
• Example: Convention on the Rights of Persons with
Disabilities, Art. 4(1)(g): “promote the availability
and use of new technologies, including information
and communications technologies ... suitable for
persons with disabilities, giving priority to
technologies at an affordable cost”
9
Jurisdiction Clauses
• Article 2(1) ICCPR: Each State Party to the present Covenant
undertakes to respect and to ensure to all individuals within its territory
and subject to its jurisdiction the rights recognized in the present
Covenant
• Article 1 ECHR: The High Contracting Parties shall secure to
everyone within their jurisdiction the rights and freedoms defined in
Section I of this Convention
• Article 1(1) ACHR: The States Parties to this Convention undertake to
respect the rights and freedoms recognized herein and to ensure to all
persons subject to their jurisdiction the free and full exercise of those
rights and freedoms, without any discrimination for reasons of race,
color, sex, language, religion, political or other opinion, national or social
origin, economic status, birth, or any other social condition.10
Applicability of IHRL to Cyber Activities
• Recall the jurisdiction clauses
• Within State’s territory
• Extraterritorially: “Power or effective control”
• Over territory (spatial model)
• Example: Occupied territory
• Over individual (personal model)
• Example: Detained person
• States that reject extraterritorial application?
11
Extraterritoriality and Cyber, issues
• Personal model unsettled in cyber context
• If search in person qualifies, why not by cyber means (phone)?
• Positive obligations to take steps
• Limit to territorial control?
• Functional approach – control over rights
• IHRL obligations attach if can control exercise of rights by cyber means?
• OHCHR Report on Privacy in the Digital Age: control over telecom infrastructure?
12
IACtHR AO on the Environment and HR
• http://www.corteidh.or.cr/docs/opiniones/resumen_seriea_23_eng.pdf
• Paras. 101-2: La Corte considera que los Estados tienen la obligación de evitar daños ambientales transfronterizos que pudieran afectar los derechos humanos de personas fuera de su territorio. A efectos de la Convención Americana, cuando ocurre un daño transfronterizo que afecte derechos convencionales, se entiende que las personas cuyos derechos han sido vulnerados se encuentran bajo la jurisdicción del Estado de origen si existe una relación de causalidad entre el hecho que se originó en su territorio y la afectación de los derechos humanos de personas fuera de su territorio. … El ejercicio de la jurisdicción por parte del Estado de origen frente a daños transfronterizos se basa en el entendimiento de que es el Estado, en cuyo territorio o bajo cuya jurisdicción se realizan estas actividades, quien tiene el control efectivo sobre las mismas y está en posición de impedir que se cause un daño transfronterizo que afecte el disfrute de los derechos humanos de individuos fuera de su territorio.
13
Assessing Whether Cyber Activities Violate IHRL
1. Does the State owe the individual concerned a
human rights law obligation?
• Where is the individual located?
2. Does the individual’s cyber-related activity fall
within scope of specific human right?
• E.g., does data about an individual’s location fall within the scope
of the right to privacy?
• E.g., is the individual engaging in protected expression on-line?
• Is the relevant State obligation a negative one (State duty not to
interfere without justification) or a positive one (State duty to act,
unless there’s a justified reason not to)?
14
Assessing Whether Cyber Activities Violate IHRL
3. Has the State engaged in conduct, consisting of
either action or omission, that adversely affects
human right?
• Negative obligation: State interfered with the individual’s
rights? E.g., is State processing personal data?
• Positive obligation: State failed to act to protect individual’s
rights? E.g. failed to regulate private companies that process
personal data?
4. Is the State interference or failure to act justified?
• Limitations and derogations
15
Limitations clauses, express or implied -examples
• Art 17(1) ICCPR: No one shall be subjected to arbitraryor unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
• Art 19(3) ICCPR: The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (1) For respect of the rights or reputations of others; (2) For the protection of national security or of public order (ordrepublic), or of public health or morals.
16
Limitations
• No limitations on absolute rights
• Examples: freedom from torture, freedom from slavery, right to hold an opinion
• Limitations are distinct from derogation in emergency situations
• Requirements for limitations:
• Legitimate aim
• Necessary to achieve that aim
• Prescribed by law
• Proportionate
• Requirements apply to obligations to respect and to protect
17
Requirements for Limitations
• Legitimate aim
• Different provisions have different lists
• Protection of rights and reputations of others
• National security
• Public order
• Public health or morals
• Example: monitoring certain online communications
in order to counter terrorism
18
Requirements for Limitations
• Prescribed by law
• Accessible, precise and clear to put affected individuals on notice
• A formal criterion; generally concerns the quality of domestic law
• Example: A law that sets forth the legal basis for online surveillance must outline the conditions under which the State may engage in such surveillance
• Example: quality of oversight – Zakharov v. Russia
19
Requirements for Limitations
• Necessary
• Proportionate
• (1) State measure needs to be suitable to achieving the aim; (2) less intrusive means have to be exhausted first; (3) a fair balance needs to be struck between competing interests
• “[R]estrictive measures ... the least intrusive instrument amongst those which might achieve their protective function; they must be proportionate to the interest to be protected...” – General Comment No. 27, para. 14
• Example: Is it proportionate to engage in mass collection of online communications?
20
Cyber-Relevant Human Rights
• Examples:
• Freedom of expression
• Privacy
• Freedom of opinion
• Due process
• Association and peaceful assembly
• Non-discrimination (e.g. distinctions based
on ethnicity; what about citizenship?)
21
Freedom of Cyber Expression
• Recognised in various treaties
• Separate from the freedom of opinion
• ICCPR definition: “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impartinformation and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.”
22
Freedom of Cyber Expression
• Examples:
• Websites
• Blogs
• Online forums
• Social media posts
• Skype, Viber, Whatsapp calls
• Text messages
• Etc.
23
Privacy in Cyberspace
• Recognised in various treaties
• ICCPR definition: “No one shall be subjected to
arbitrary or unlawful interference with his
privacy, family, home or correspondence, nor to
unlawful attacks on his honour and reputation.”
24
Privacy in Cyberspace
• Scope• Enjoyment of right dependent on reasonable expectation
of privacy?
• Confidentiality of communications
• Personal data
• Confidentiality: communications must be “delivered
to the addressee without being opened or
otherwise read” • General Comment No. 16, para. 8
• Is email metadata part of a communication?
• Personal data: no generally accepted definition• Health-related data clearly qualifies
25
Privacy In Cyberspace
• Electronic surveillance; bulk or targeted
• Surveillance and locus standi
• Machine inspection based on algorithms of
communications / personal data without human
access?
• Mere collection of communications / personal
data for potential future examination?
26
Cyber-Specific Human Rights
• Human right to anonymity?
• Human right to access the internet?
• Human right to be forgotten?
27
Top Related