Deprecated: Function get_magic_quotes_gpc() is deprecated in /home/wgig/public_html/igf/website8/web/cms/libraries/cegcore2/gcloader.php on line 63
FINISHED - 2014 09 04 - WS 220 - Transnational surveillance and cross-border privacy protections - Room 10
 Welcome to the United Nations | Department of Economic and Social Affairs
Internet Governance Forum
A- A A+

The Internet Governance Forum

FINISHED - 2014 09 04 - WS 220 - Transnational surveillance and cross-border privacy protections - Room 10

FINISHED TRANSCRIPT

 

NINTH ANNUAL MEETING OF THE INTERNET GOVERNANCE FORUM 2014

ISTANBUL, TURKEY

"CONNECTING CONTINENTS FOR ENHANCED

MULTISTAKEHOLDER INTERNET GOVERNANCE"

 

04 SEPTEMBER 2014

WS 220

 

TRANSNATIONAL SURVEILLANCE AND CROSS-BORDER PRIVACY PROTECTIONS

 

 ***

This is the output of the realtime captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors.  It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record. 

***

      

     

      >> KATITZA RODRIQUEZ:  So the questions we want to answer today are, for the purpose of this workshop, should we allow intelligence services -- h-- of one country to snoop on the residents of another country without restraint?  Can any country freely deny the rights of foreigners by claiming they fall outside their jurisdiction?  Are existing laws compatible with the right to nondiscrimination under International law?  These are some of the complex questions we want to deal with today in this workshop in just one hour. 

       And we want to also have the opportunity to present this paper, the legal background paper, of the principles that display where all of these principles come from. 

       My colleagues -- this was a joint project with Article 19.  We will be explaining what it is more during the workshop.  Thank you for coming.  We have one hour. 

       I just want to start right away by introducing my colleague Amalia Toledo Hernandez.  She is a Human Rights lawyer in Colombia.  She works for a very well-known organisation in Colombia, Fundacion Karisma, in Latin America.  And they get engaged in the development of the principles and the legal background paper.  They did also work on the translation into Spanish. 

       So I have a question for Amalia.  What are the principles -- what is it that we achieved?  And was this product useful for you for your advocacy work? 

       >> AMALIA TOLEDO HERNANDEZ:  Thank you for the invitation for inviting me to be part of this panel. 

The International Principles on the application of human rights to communication surveillance are helping us [activists] –and also judges and policymakers- to better understand how new surveillance technologies have been eating away at our fundamental freedoms and how we might bring state spying back in line with human rights standards.

Their importance is unquestionable. The Principles have been signed by over 470 organizations and 300,000 individual experts throughout the world, and have been endorsed by the UK’s Liberal Democratic Conference, as well as European, Canadian, and German Parliamentarians.350,000 individuals throughout the world, and endorsed by the United Kingdom’s Liberal Democratic Conference, as well as European, Canadian, and German parliamentarians. Their impact is already evident worldwide As such, the Principles have played a central guiding role in a number of the rigorous debates on the need to limit states’ increasingly expansive surveillance capacities. Their have been cited in various national and international report such as the United States’ President Review Group on Intelligence and Communications Technologies report, the Inter-American Commission on Human Rights report, the UN Special Rapporteur on Freedom of Expression and Opinion report, and the UN High Commissioner for Human Rights report on the right to private, which  emphasized the importance of applying human right standards and democratic safeguards to surveillance and law enforcement activities.

Their influence has also manifested in some of the legislative and administrative attempts to address surveillance problems post-Snowden. Perhaps most importantly, they have functioned as a rallying point for campaigning and advocacy initiatives around the world.

I would like to go through some key feature of the Principles. But you can find a more detailed explanation of the legal grounding in a Legal Analysis and Background Materials document available at the Principle’s website.

The Principles begin with defining two core concepts that spell out the “what” and the “how” of measured surveillance.

On the first concept – protected information –, the Principles make clear that Information about communications, also called metadata, subscriber information or non-content data, can include the location of your cell phone, clickstream data, search logs, or anonymous online activity and for that is protected. Therefore, when combined and analyzed en masse, the picture painted by such data points can be far more revealing than the content of the communications they accompany. What is important is not the kind of data is collected, but its effect on the privacy of the individual.

Therefore, the Principles state that given the revealing nature of metadata and content alike, States should be restrained from unchecked interference with any protected information.

Regarding the second concept – Communication surveillance –, the Principles stress the fact that in the digital age, where the most sensitive portions of our lives are constantly communicated over digital networks, it has never been more important to ensure the integrity of our communications. The mere recording of Internet transactions – even if the information is collected by a computer but not looked at by humans – can have serious chilling effects on the use of digital medium. We have to ensure that all acts of communications surveillance are within the scope of human rights protections and, hence, are “necessary and proportionate”.

To remedy this issue, the Principles define “communications surveillance" as encompassing the monitoring, interception, collection, analysis, use, preservation and retention of, interference with, or access to information that includes, reflects, or arises from or a person’s communications in the past, present or future.

Finally, the Principles also address a long-standing problem arising from narrow interpretations adopted by some states regarding the extraterritorial application of their human rights obligations. The Principles, therefore, apply to surveillance conducted within a state or extraterritorially, and regardless of the purpose for the surveillance – including enforcing law, protecting national security, gathering intelligence, or another governmental function.

With the 13 Principles, we are not inventing the wheel; they are firmly rooted in well-established human rights law. That is, surveillance activities have the effect of limiting our human rights, and according to human rights standards, any limits on human rights should be prescribe by law, be necessary, proportionate and for a set of permissible purposes. And that is what the Principles emphasized.

    For us in Colombia, as well as in many other parts of the world, the Principles are an instrument that are already serving activists to show governments exactly where they have crossed the line, and how policymakers could act in regard to this matter. The principles are a tool to call for surveillance reform to ensure that our national surveillance laws and practices comply with human rights standards and to ensure cross-border privacy are in place and effectively enforced.

That's all I wanted to add. 

       >> KATITZA RODRIGUEZ:  Thank you for your speech. 

       Now I want to ask Article 19, who is here to introduce Gabrielle Guillemin.  Article 19 has a partner to work on this book, on the legal background paper of the principles.  And I want to ask Gabrielle Guillemin why Article 19 as a free speech organisation decided to work on this issue, which is not really a privacy organisation.

       So why did you get involved? 

       >> BAGRIELLE GUILLEMIN: Being International doesn't just mean that we have one big office and we send people around the world to talk about Freedom of Expression.  We have regional offices around the world.  So, in countries such as Bangladesh, Brazil, Senegal, Kenya or Mexico, what happens is that there are people on the ground when they talk to activists and journalists.  One of the major concerns that is being raised is that their communication may be surveilled not only by their own Governments, but also by the UK, the NSA, or GCHQ, so the UK and US Governments. And the concern is that because of transnational cooperation between these various Governments, the information about them is being shared.  This was made clear by the Snowden revelations, where we saw that all the major intelligence agencies located in like key locations in the U.S, in Canada, New Zealand and covering wide regions around the world, exchanged intelligence and communications data. 

       And in case you wondered, the impact of surveillance on Freedom of Expression, I can also give you an example of, in the UK again, of David Niranda, who was helping his partner Glen Reitwald in his reporting.  David was retained at the airport on the basis of counter terrorism powers.  And one of the things said by the British Government was by writing about the Snowden files, David fell under the laws of terrorism under the UK law. 

       Again as a free expression, talking to activists on a regular basis, we have to be concerned about our own communications now.  Because we don't know if our communications are being accessed or surveilled

       So, that is why Article 19 as a free speech organisation got involved in the principles on the application of human rights to communication surveillance. 

       >> KATITZA RODRIGUEZ:  Probably you can -- your main talks about the main importance of the principles or the issues that you care about, or --

       >> GABRIELLE GUILLEMIN:  Yes, so what I'd like to do now very briefly is talk about the principles themselves.  Amalia talked about them briefly.  But there are 13 principles, which reflect International human rights standards.  So they include legality, legitimate aim, proportionality, public oversight, there is a range of them, 13 of them.  What I'd like to talk about more specifically is two principles.  I'd like to talk about legality and judicial authorization. 

       One, legality, it's a cornerstone of human rights law.  And it is really what constrains the powers of the executive and the arbitrary exercise of those powers.  So it is very -- it is fundamental. 

       Human rights law says that in order to be lawful under International law, the law must be transparent, clear, and accessible.  This sounds simple.  In practice, we found that there is no law at all to regulate especially in the intelligence agency, but that even when the law exists, the law is far from clear.  And it's something that we have seen -- for example, in the United Kingdom, we're a member of the coalition Don't Spy On Us Campaign, fighting against RIPA, the legal framework for the Regulation of investigatory powers in the United Kingdom.  And what is extraordinary about this is that for a very long time, a number of UK NGOs were fighting against another bill.  It was not law, but it was a draft called Law Against Communications Bill.  And what everybody was upset about, under this bill, the UK Government was seeking greater powers to collect more information and communications data about people.

       But when we learned with the Snowden revelations and the fallout from those revelations is that the UK Government was already collecting this information, because they relied on some secret interpretation of RIPA.  And I think that Eric will talk to you a bit more about that, and the legislation that came out of this. 

       And the number of other things that are required under the legality principles is that the law must contain a number of safeguards.  So, it's not enough to say you can have surveillance operations for any offense.  The offenses have to be spelled out.  The law must clearly indicate which categories of people may be subjected to surveillance and not mass surveillance.  Millions of people.  It's specific targeted individuals.  There must be strict procedures in place for ordering the examination, use and storage of data obtained, and usually also the deletion. 

       So there is really a range of measures, and the European Court of Human Rights in Strasbourg has been very clear about what these safeguards are.  But, unfortunately, in practice, we're far from getting there. 

       So the second principle I wanted to briefly talk about is the one of judicial authorization.  This is also a major principle to ensure that when surveillance operations are being carried out, or that the rights of the individual, their right to privacy, are put in the balance in the same way as national security concerns or the prevention of crime.  Because -- and what we see in practice is that, in fact, the decision to authorize surveillance operations is made by politicians or intelligence agencies.  And, of course, what is at the forefront of their mind is that they have to collect people. So there is very little incentive for them to take into account the right to privacy of the individual. 

       So one of the key principles in here are that surveillance operations might be authorized by a Judge.  And here we're going slightly further than established principles under human rights law, because the European Court of Human Rights hasn't quite recognized yet that judicial authorization is a requirement.  It said that it's desirable and it's been going towards it little by little, saying that it should be a requirement.  So together with other organisations we are pushing very hard for this to happen. 

       But I'll stop here.  Thanks. 

       >> KATITZA RODRIGUEZ:  Thank you, Gabrielle Guillemin. 

       Now I want to give the board to Dr. Eric Metcalfe.  He is a barrister and a lawyer in the UK and is leading one of the key challenges against the UCHQ in the United Kingdom.  So Eric, what can you tell us about your work in relation to transnational surveillance litigation, especially for today's world. 

       >> ERIC METCALFE:  I'm pleased to be here to talk about this on EFF and Article 1.  I'm instructed by many of human rights organisations in the United Kingdom and outside the UK in a claim which has been brought against the intelligence services in the UK.  That's MI 5, MI 6, and in particular Government Communications Headquarters or GCHQ for short.  This was a claim first brought approximately three weeks after the Snowden revelations.  So as soon as we had the information, we worked very hard to lodge a claim with a very mysterious body known as the Investigatory Powers Tribunal.  This is a tribunal in which you don't have a right to be heard.  You don't have the right to cross-examine witnesses.  You don't have a right to see the evidence on the other side.  It is the tribunal that has been set up in the UK to adjudicate whether your human rights were violated by unlawful surveillance by GCHQ, for example.

       So after the Snowden revelation, Liberty, which is one of the leading Cuban rights organisations, but also a number of other international organisations which were partners such as the ACLU, the Irish Council of Civil Liberties, the Hunagrian Civil Liberties Union, the Egyptian Centre for Personal Rights, and the Legal Resources Centre in South Africa brought a joint claim saying that the use of both collection of communications and communications data in the UK was an unlawful and disproportionate right to interference and right to privacy. 

       This brings up the issue of jurisdiction.  It's well for me to say as a person in the UK, if the intelligence services in the UK violate my rights I can go to court.  But what is the issue when a person outside the UK has had their rights violated?  One key highlight is that the GCHQ has listening posts through fiber optic cables through which most communications are transmitted particularly on the transAtlantic level. Not only in the UK, but other points.  We learned about one in Oman that they have a post sitting on top of a submarine cable, running fibre optic through the middle eastern cables. 

       And the question is, if a Government conducts this activity outside of its own territory, or if you are outside the territory and that Government violates your private communications, observes your envelope, reads your e-mail, listens to your telephone calls or text messages, collects your communications data, what right do you have to be able to bring a challenge? 

       This is the fundamental issue of jurisdiction.  To anyone who is a scholar of International law in the room, I apologize because what I'm about to give is a crude version.  Jurisdiction follows territory.  You can bring -- a country has jurisdiction or responsibility to safeguard the human rights of people within its territory or jurisdiction.  But in certain circumstances, International law recognizes that jurisdiction goes beyond just where your borders are, but also to places where you have, for example, effective control. 

       So I was involved in a case in 2007 about an Iraqi national who was detained in southern Iraq by British sources.  In that case, the Court of Human Rights held that the British Government had effective control.  No one said that the British Government was responsibile for Iraq, but that they had control in relation to that person.  And so standing as it were to bring a human rights claim followed the degree of control that you have.  But there are other principles which I won't bore you with. 

       I want to highlight a couple cases in the European Court of Human Rights, where it's recognized where it's possible to bring cases from people outside the borders.  First is a case called Seravia.  It's against Germany and a couple people from Uruguay.  One of them was a German national who complained that the German strategic monitoring collection programme interfered with their right to privacy.  This was listening to telephone calls on a bulk basis.  The complaint was dismissed for a different reason.  But the European Court of Human Rights did not dismiss the complaint on the ground that the people were in Uruguay.  They allowed the -- well, they at least considered the complaint without dismissing on the ground that they were outside Germany. 

       And a second case called Liberty and others against the UK.  This was a previous case by the organisation that I'm representing where Liberty but also the Irish council for civil liberties brought a complaint about the UK's bulk surveillance of telephone calls.  This was the old system about 15 years ago.  That was a case in which not only Liberty, which is in the UK, but also the Irish council for Civil Liberties, which is outside the UK, not far outside, but outside, was able to bring a claim in the UK and complained about surveillance by the UK. 

       And so in our case, the current case that is before the investigatory powers tribunal, we're looking at a situation where there has been close cooperation between GCHQ and the NSA.  In particular, we're concerned that the NSA has in some cases collected the same information as the British Government would otherwise collect, and then giving it to the British Government, which then creates significant problems.  Because what is the point in having laws regulating surveillance by your own intelligence services if your own intelligence service is friendly with the foreign Government, which will then obtain the same information and help give it without the same legal regulations or restrictions? 

       So one of the fundamental features of the necessary and proportionate principles is it seems to suggest the issues that come about with transnational surveillance. We are finding that a world with counterterrorism by Governments is complex, and the ease with which communications may be interpreted and communications data can be retained and gathered by sitting on top of the fiber optic cable and gathering everything that goes through the pipeline, that we are seeing that Governments now are able to share I think with an unprecedented scope and ease massive amounts of private information, information not only the content of communications but also what we call metadata, the location, the time, the duration and so forth. 

       And so the necessary and proportionate principles really provide a valuable bedrock in highlighting these issues. 

       Thank you very much. 

       >> KATITZA RODRIGUEZ:  Thank you.  I want to give the microphone now to Mr. Luis Garcia.  He worked for the NGOR 3D.  And I would like to ask Luis, what is your perspective from the InterAmerican human rights systems on the extraterritorial obligation of human rights law and what is the effect of countries like -- developed countries like Europe or the U.S, and what effect they are having in surveillance?

       >> LUIS GARCIA:  This notion has been not only recognized in the case law of the European Court of Human Rights, but also recently by the Human Rights Committee in the concluding observations with regard to the United States, in which it clearly states that under the International laws and Political Rights, the United States has the obligation to safeguard privacy of all citizens either outside or inside the United States, based on this case law and article 31 of the ACPR.  So this is clear. 

       And in the case of the InterAmerican System of Human Rights, this is also the case.  The InterAmerican system of human rights, basically the American Commission on Human Rights has established several cases with regard, for example, to the United States and the retaining of persons in Guantanamo or the refugees in the high seas or in the interstate case between Colombia and Ecuador that under the Article 1 of the American Convention and also of the American Declaration, the human rights obligations of the InterAmerican System of Human Rights are applicable when States operate outside of these territories.  The term jurisdiction is not in the view of the  American Commission of Human Rights attached to a territorial aspect.  And literally what the InterAmerican Commission has said is that the essence to the term -- whether the interAmerican human rights system bodies can judge the conduct of a State to determine transnational responsibility is if there is a council nexus between extraterritorial conduct of the State and the alleged violation of rights and freedoms.

       In this respect, it's clear and incontrovertible from a point of view that when the United States is surveilling foreign citizens inside or outside of its country, it's unlawful.  And this is something that needs to be stated very clearly.  It's unlawful, the action of the United States surveilling other countries. 

       But besides that, I'm interested in also mentioning what are the effects that transnational surveillance is having in different countries, especially in countries such as the one that I work in, which is Mexico, and other parts of Latin American.  And I think that there is also a question about what can or what should the Governments of countries that are being surveilled by other countries do?  And it's their obligation to protect its citizens from surveillance.  And this is a tricky question; it's not really easy to respond.  Some countries have thought of, for example, adopting some measures that can be regarded as counterproductive or costly or ineffective. 

       For example, the proposals of forced location of servers, of intermediaries in certain countries to have regulatory control and try to protect the privacy of citizens. But this, for example, the Commission on Human Rights also in a recent report on Freedom of Expression on the Internet, mentioned this, this forced location provision, as costly and that can have an impact on Freedom of Expression that is contrary.  So thankfully the proposal that was put forward from Brazil was crafted from Marco Civil, and now it lost momentum, this idea, but it might come back.  And this is -- we need to explore this.  But there is this precedent that is regarded as contrary to human rights obligations. 

       But there are other things that countries can and should do and are not doing.  For example, in Mexico, the Government of Mexico has just limited itself to making statements which lack credibility because they don't follow actions.  It just asks for clarifications by the U.S. Government, but it hasn't realized that the actions and the surveillance that Mexican citizens have been subjected to, it's illegal.  It's a crime.  Inside Mexico, for example, it was revealed thanks to relations that NSA has access to the data that is mandated to be retained by the law in Mexico on the service of the telecommunications companies.  And this -- and this raises legal questions.  In our Treaty, the organisation which I work for, is launching legal action in the following weeks where we're initiating different legal processes to make the people who might have facilitated this surveillance accountable: either the U.S. agents who operated in Mexico to access this data are committing crimes under the criminal code of Mexico, and also companies, telecommunication companies, should realise that their failure to protect its customers' data might also raise liability either civil or criminal.  And this is something that needs to be -- that I think activists and lawyers and we need to put our countries aware of, and to push for this accountability of US agents inside our countries and also of those who have facilitated this surveillance inside of countries. 

       >> KATITZA RODRIGUEZ: Thank you, Luis. 

       Now I want to give the microphone to Mr. Ken Roth.  He worked for CloudFlare.  He is a worldwide Cloud provider.  Ken, please.  I have a question before you can do your own introduction.  Can you give us the eye view of how you deal with these cases where the Government knocks at your door?

       >> KEN CARTER:  First, my remarks will focus on how human rights translate into consumer wants and how CloudFlare is a company that is working to be transparent, clear and accessible in the spirit of these principles.

       When the Government knocks at your door it's rarely in the middle of night.  They tend to be polite and respectful, if you develop the appropriate rapport in advance. 

       Let me rewind the tape for a second.  My name is Ken Carter.  I run legal affairs for policy and government relations for CloudFlare.  CloudFlare runs what they call a reverse proxy, which sits in front of our 2 million customers' websites to make them secure and performant.  On a daily basis we handle about five percent of the World Wide Web requests. 

       So the fear of bulk surveillance in the reck of the Snowden revelation has been a headwind to our business as individuals and companies fear bulk collection, and that as a U.S. company that we are somehow enabling and facilitating this.  That is not the least bit true. The sad irony is that data in the United States has greater protection from NSA and CIA type activity, but that doesn't mean that this doesn't create a headwind for our business. 

       To that end, we have been doing several things, developing what we believe are best practices on what a corporate actor should be doing in this space.  I'd like to share with you sort of five guidelines for respecting customers' privacy internationally.  Privacy is a competitive advantage.  If we offer better privacy protections for our customer, then we will be able to lure business away from the competitors.  It's a selling point and differentiating feature.  We aspire to exceed any threshold. 

       Second, disclose and adhere.  Tell your customers what your practices are, what do we collect, how do we collect it.  How long do we keep it and what do we do with it?  And we stick to those practices.  We don't allow outside uses of our network and our customers' data. We would never ever turn over SSL encryption keys or a customer's encryption keys.  If we were asked to do so, we would fight like hell in court to prevent that. 

       We would never install law enforcement software in our network or allow that to happen.  We will not provide any law enforcement organisation a content feed of our customers' content. 

       Finally, we always notify the customer of a governmental request and give the customer notice and opportunity to respond to the request. 

       Third, we are constructively difficult.  We maintain a rigorous and unwaivering commitment to process, procedure, and the due process of law. 

       Fourth, we're not afraid to say no.  So if somebody comes to us which does not adhere to the due process of law, we will reject it out of hand.  And I will give you a recent example.  Some months ago we were threatened by an FBI attorney to serve on us a national security letter.  And I informed the attorney that he could serve it on me, but our corporate policy is that we would litigate that letter.  We would contest it in court and we would exhaust all appellate remedies.  So the FBI withdrew the request, it backed down, and then we blogged about it.  To this end, also, don't be afraid to sue.  There are organisations such as Katitza Rodriguez's EFF that are happy to help even small companies like ours defend its rights and the rights of its customers. 

       And, finally, our fifth principle is educate your constituents.  Educate your customers.  Educate your employees. Educate your regulators and educate the Government officials who bring you requests.  So that it doesn't waste their time, our time, and it doesn't involve going back and forth when we can solve the problem in a more efficient manner.

       I welcome your questions, and I'm happy to tell the stories.  Thank you. 

       >> KATITZA RODRIGUEZ:  Thank you Ken. 

       I would like now to give the microphone to Nevena Ruzic.  She is the Vice Chair of the Console Committee set up under the Convention of the Protection of Individuals with regard to automatic processing of personal data.  She is the data protection commissioner from Serbia. 

       I have a question for you.  As part of your speech, can you let us know from your point of view of data protection authority and your experience with data protection, what data protection can do and what Governments cannot do and how Serbia is dealing with these requests. 

       >> NEVENA RUZIC:  So I'm here also representing the Consult Committee to the Convention known as 108 on data protection for the Council of Europe, but also as a representative of the national data protection authority.  That is also dealing with transparency, which when it comes to intelligence services or state security services, it's very important.  But they also need to be as transparent as possible. 

       So when it comes to regimes, if I may, I would go back to questions that were posed in preparation of this workshop.  Like should we allow the intelligence services of one country to snoop on the residents of another country without restraint?  The answer is of course not.  Can any country freely violate the rights of foreigners, in other words, by claiming they fall outside their jurisdiction?  Of course not. There’s no free violation.  A violation can be free but it has to be sanctioned.

       And the last one that they found a little bit more complex to answer, are existing surveillance laws compatible with the right of nondiscrimination under international law?

       So, for example, when it comes to personal data protection, under the regime of the Council of Europe and the Data Protection Convention, and law being -- I mean, the Convention being an instrument for fulfillment of one's human rights is applicable to each and every person.  The Conventions, especially when they are dealing with human rights, do not per se discriminate between foreigners or national residents. 

       However, they may not be discrimination as such, but may be exclusion of the application of the Convention to intelligence services or when it comes to national security issues.  And that is -- that was possible under current Convention and many countries, not many, not majority, luckily, but some countries as Member States to the Convention made a declaration that this particular Convention was not applicable for national security agencies.  That would mean in that particular sense when it comes to, for example, interception of communication, they would fall outside the scope of Convention and also the principles promoted and safeguarded by the Convention. 

       But it doesn't mean that the different regimes would be applicable to national citizens or to foreign citizens, at least when we talk about Europe.  Because a person can claim that his or her rights were infringed upon in front of the European Court of Human Rights, and this is not related to citizenship.  It is related to the national state that is a Member State of the Convention. 

       So, for example, in Serbia, we don't have such an exclusion.  There is no declaration made to the Convention 108.  And what applies to, for example, everyday use of personal data in private relationships.  It also applies to a national security or intelligence services as well.  So there is no different regime.  What is peculiar with Serbia is that there is a very high constitutional standard when it comes to surveillance and when it comes to communication interception.  So regardless whether that is for criminal investigation purposes or national security purposes, there has to be a court order.  That is without any saying that there can be a different regime.  And from the very beginning, both the information commissioner and ombudsman as well as other institutions equated metadata with the interception of communications.

       And so we're actually -- we're linking the stance with the European Court of Human Rights' several decisions claiming that metering of one's communication is also a part of communication and thus should -- and thus the regime should be the same. 

       So we actually manage to have several laws providing access to so-called metadata.  Those retain the data based only from, for example, military services and also intelligence services.  So access to those data based on the order of the head of the institution, those legislations have been forced by the constitutional court.  And even for access to metadata regardless of the procedure or the processes as an individual.  So no over-collection of data.  The individual has to be identified or at least the device has to be identifiable.  It also has to be under a court decision. 

       When it comes to the Council of Europe, just to switch back and give a little bit of the European perspective, the new, modernized Convention that is now under finalization of the so-called ad hoc Committee before being brought to the Council of Ministers of the Council of Europe, would not allow -- well, at least this is the situation so far, would not allow any exceptions to the application of the Convention.  That's good news.  Because then it would mean that all the principles that are there, enshrined in the Convention and the rights of individuals, would be applicable no matter what the field or activity of the state in question. 

       And at the same time, there is a Commission that is preparing a report on intelligence service oversight.  What is also not harmonized practice, let's put it that way, in Council of Europe countries or in the Council of Europe, but it's also applicable to the European Union is exactly this oversight.  Who has the oversight over intelligence services?  In some countries, like, for example, the Netherlands or even Slovenia, I think UK as well, national data protection authorities, in fact in the UK's Information Commission, it's also in Slovenia and its agency for data protection in the Netherlands are not a component for these agencies.  So, secure vision is excluded when it comes to certain services. 

       In some countries like mine we are a competent legal authority.  Whether it's good or bad, I don't know. But we had a case, and why I mentioned the transparency, and why it's important, several years ago we had an information commissioner in Serbia.  It was important for free access to information.  So several years ago we had an NGO requesting a state security agency to reveal the number of requested and approved requests for phone tapping.  And they did -- declared that that was a secret.  We were of the stance that that information should not be confidential and should be revealed to the public.  It was only telling about the number, not the individual. 

       The decision of the Commission is a binding one and should be enforced.  That did not happen.  It was also confirmed by the court.  Nonetheless, the agency did not comply with the decision, so the case was brought to the European Court of Human Rights.  It took a while for the European Court to decide, but that's the case in every case.  And the European Court said it was not prescribed by law, because there was a clear decision that such information should be provided for. 

       The decision of the European Court was not necessary, especially because it's like a bad record for a country.  But at the same time it can be used as something positive, as a confirming standard that in this particular sense, although the European court in this particular case didn't go into depth and analyzing whether or whether or not intelligence service should provide such data to the public, but there was a standard setting decision saying that this should be transpiring.  So the number of access or requests for communication interception should be known to the public, at least if we talk about number or statistics.  

       So this can be also seen as a positive step supporting the principles, like transparency and that. 

       And it's the case that we are all eager to hear the results from, it's what was mentioned so-called this Big Brother watch case versus UK.  And we will see what would be the court first -- actually, we would see whether it would pass the admissibility test, and if so what would be the result of that case. 

       That would be my contribution for now.  Thank you. 

       >> KATITZA RODRIGUEZ:  Thank you.  We have only ten minutes left.  I would like to ask if there is a question with the remote moderator, for those who are monitoring the Internet in the back. 

       No?

       Yes.  Please. 

       >> AUDIENCE:  My name is Gita.  I work for the Centre for Internet in India.  I'd like to thank the panel for an open and frank discussion.  But I'd like to say that statements that were made at this panel are sort of wishful thinking.  They don't reflect current law but they reflect the law as it should be.  We want privacy to be protected worldwide and we want States -- and we want Human Rights Conventions to have extraterritorial applications. But the reality is under present human rights law, if we look at the scope clauses, the responsibility for States is either restricted to territorial boundaries, which can extend to citizens or noncitizens, or to those within jurisdiction.  And the question here is what does jurisdiction mean?  The professor, in his two memos to the Obama administration, has said that you can extend jurisdiction to mean effective control over citizens abroad, or noncitizens within your territory, or in other cases.  So I think we have got to remember when we're discussing cross-border surveillance, that it's standard to establish cross-border surveillance.  And this is the particular question that needs to be answered if we are looking for extraterritorial protection without extending the concept of jurisdiction to beyond territorial boundaries or beyond territorial effective controls, like Guantanamo Bay.  It will be impossible to argue that there was a violation of privacy rights of noncitizens that are not in your territory or control. So those are the situations we’re considering here unless we’re looking at diplomatic relations or a broader concept of territorial sovereignty and a violation of sovereignty under the United Nations charter.  

       So I think that if progress is to be made on considering whether human rights applications can be made nonterritorially and to extend the concept of jurisdiction, this is the question that needs to be addressed.  And I'd like the panel to consider whether legally this is possible to extend today. 

       >> ERIC METCALFE:  I'd invite you to read the background paper, which actually we went into, it's not obviously an in-depth thesis but quite a lot of detail into the relevant case law on jurisdiction.  One of the points to bear in mind is that you don't need to think necessarily about the fancy cases, about extra territorial jurisdiction.  Start with the territory.  The UK is scooping up the world's communication as it passes through its fiber optic cables.  My Egyptian clients, my clients in South Africa, Hungary, the United States, have standing.  The British Government recognized that they have a right to bring their claim in the UK against the British government for surveillance of their email, their internet, their text messages, all over the world that the British government has gathered in the UK.

       Another point which is relevant, and this is particularly important for anyone within the European Union, think about where the data is being processed.  This links back to the discussion that we had about Serbian law. It doesn't matter where the data is being gathered, if it's being processed within the European Union, that's a potential ground for argument.  I can't answer the problems in the United States.  You need a U.S. Lawyer.  You need EFF to be on the case with that. 

       >> KATITZA RODRIQUEZ:  The United States does not follow International human rights law.

       (Laughter)

       Well, I think that in the American system could be a good answer to that, and the U.S. has also signed -- well, it's not technically part of the interAmerican system, but it's part in some way.  And Luis can talk a bit about that. 

>> LUIS GARCIA:  The U.S. is not a party of the InterAmerican convention of human rights but it’s part of the system and it has an obligation to comply with the American Declaration of Human Rights.  And I think -- I disagree.  I think the law is clear now, at least the interAmerican system of human rights, the concept of jurisdiction is not attached to territory, and it has even applied to the United States in several cases.

       And, for example, the Human Rights Committee, which is the authorized interpreter of the ICCPR, a Treaty in which the United States is party to, has established in its concluding observations regarding the compliance of the United States with the ICCPR, that it has -- I can show you -- hic -- my computer just shut off, but I was going to read a part in which the Human Rights Committee explicitly establishes that the United States had to comply with the privacy rights of persons inside and outside the United States, based on the surveillance.

I think that the legal question from the International human rights law perspective, another thing is whether the United States cares about International human rights law, that is another question.  But from the International technical human rights law perspective, the actions of the United States are unlawful.  I think from the human rights system bill, and also from the interpretation of the ICCPR by the authorized interpreter of that Treaty, which is the Human Rights Committee. 

       >> KATITZA RODRIGUEZ:  Just to complement that, the leader report from the High Commission of Human Rights also deals with the same issue.  So,there is a consensus about that.  If you want to -- we're very happy.

       >> AUDIENCE:  (Off microphone.)

       >> KATITZA RODRIGUEZ:  Which kind of law, International level or human rights law? 

       >> AUDIENCE:  It is not law that you can go to the ICCPC or the human rights to be enforced.  For instance, in the Human Rights Committee’s concluding observations to the U.S. report they do not recognize that cross-border surveillance is unlawful.  They don't say that.  On the other hand, they say in particular under section 702 of the Amendment Act we consider that this is an adverse impact on individual rights to privacy.  And in paragraph 22(b), they suggest that the United States should ensure that any interference with the right to privacy, family or home, et cetera, is authorized by laws.  They do not outright say that it is unlawful.  And when the Human Rights Committee considers that certain acts are unlawful, they are -- they don't beat around the bush.  So I'm not certain that this argument can be positively made.  It's an argument that should be made.  That the right to privacy is an obligation -- is an argument that should be made.  But I'm not certain that it's supported by law as it stands.

       I'm happy to take this conversation outside. 

       >> ERIC METCALFE:  I'm just drawing attention to page 7 of the discussion paper, where you cite a -- we cited a couple of decisions of the UN Human Rights Committee in two cases involving Uruguay, where it talks about the requirement under Article 2 of the ICCPR to respect and ensure covenant rights and all persons subject -- persons who may be within the territory and all persons subject to the jurisdiction.  That means that a State Party must respect and ensure the rights laid down in the covenant to anyone in the power or effective control of that State Party even if not situated within the territory of that state party. 

       Now, that’s its own jurisprudence in relation to – it’s not like it's a difficult concept.  And then we have gone on to cite jurisprudence from the European Court of Human Rights.  I think it's always fair to say in International law that you can, you know, there are arguments going to be made on both sides. But I don't think it is -- you can simplistically reduce it to say it's only territory. 

       As to the broader point about wishful thinking, well, with respect, no progress would ever be made in International law.  We would still be stuck with some 19th century concept of States rights.  We would never have an International human rights movement if people didn't stand up and make the argument that the law needs to develop beyond what it is.  And we're seeing with cases such as digital rights in the European Court of Justice, for example, where we're seeing courts breaking new ground in protecting and data protection rights and recognizing that the retention, for example, of communications data for everyone in the European Union is a disproportionate measure.  We're not saying that this is transforming into International law overnight.

It's identifying trends and legal standards which are developing and hopefully laying us a blueprint for how that law would develop in the future. 

       >> KATITZA RODRIGUEZ:  One more question and then we have to finish. 

       >> AUDIENCE:  My name is Sinem from Turkey and I speak for myself.  I have a question to Ken Carter.  Suppose that you receive a request from a country where you are not established, a request which is legal coming from the court of that country.  What do you do? What would be your approach, whether it is -- if it's in parallel with your policies or not, keeping in mind that if you do not comply you may be banned in that country and in that services and in the end you may lose money?

       >> KEN CARTER:  It's a fabulous question and it puts into clear focus the sort of problems that I deal with every day.  It depends on the nature of the request.  If it's a takedown under DMCA and they are asserting U.S. law, then we will process it as a DMCA complaint.  If it's a governmental complaint or in the context of some civil or criminal litigation, we will reject the complaint with a written response stating that you have not established jurisdiction over us.  And then we will give them the opportunity to comply with MLAT or letter rotatory.  And we do deal with the processes, U.S.  Judicial system that way.  But then as you say, it can then be the subject of other retaliation.  So it's not the easy thing to do.  But it is the right thing to do. 

       >> KATITZA RODRIGUEZ:  We only have one hour and more questions, but we have to finish.  So thank you very much for coming.  We are organising another event to go more deeper into this very complex topic that requires a lot of time.  We are organising this in a government forum which is a parallel event.  Many people in society are getting together from 3 to 4 to discuss strategies of how to deal with this issue.  And then at 4 we have a whole panel discussion to try to find more ways of dealing with the problem.  So you are invited if you want to go to the parallel IGF. 

       Thank you. 

      

***

This is the output of the realtime captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors.  It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record. 

***

 

 

Back to Top