The EU has been striving to recover what Commissioner for Digital Economy and Society Günther Oettinger described at a May 2015 press conference as digital sovereignty in a global market dominated by U.S. companies, but if this ambition is not strictly framed by human rights standards, press freedom on the Internet may be at risk.
The digital agenda involves constant arbitration between different rights and national legislations. Journalists and press freedom groups who met with CPJ said they have been warily watching developments, as the EU and individual member states firm up their stance on issues including the so-called right to be forgotten, which allows people to request that links be deleted from search engines; calls by member states for backdoors to encryption and greater control over online content; and debates over source protection and data protection.
“It is a whole new game for journalists and whistleblowers,” Alain Lallemand, a Belgian member of the Washington-based International Consortium of Investigative Journalists, told CPJ. “Journalists do not know what means can be legally used against them, how the law specifically protects them.”
Although journalists told CPJ the negative impact of the right to be forgotten ruling has not yet been widely felt in newsrooms, press freedom and transparency advocates have warned that it has serious implications for journalism and that moves by the EU to try to enforce the ruling globally oversteps the body’s mandate. The Court of Justice’s ruling stemmed from a complaint to a Spanish data protection agency from a lawyer demanding that Barcelona daily La Vanguardia delete two news items on his past financial troubles and that Google remove links to these articles resulting from searches for his name. The court backed the data agency, which ruled in favor of La Vanguardia’s right to keep the articles on its website but against Google’s insistence not to filter search results.
The court’s decision meant it was left to search engine operators to determine whether search results on an individual’s name were, as formulated in the ruling, “inadequate, irrelevant or no longer relevant, or excessive.” Google Chief Legal Officer David Drummond complained in an opinion piece in the Guardian in July 2015 that the decision means the search engine was being asked to make “difficult and debatable judgments.”
The court had “opened the door to censorship” and overemphasized privacy over free expression, as CPJ Technology Program Coordinator Geoffrey King warned in a statement released after the ruling. The U.K.’s House of Lords EU Committee came to a similar conclusion. In a July 2014 report, it stated: “We do not believe that individuals should have a right to have links to accurate and lawfully available information about them removed, simply because they do not like what is said.”
Google’s transparency report shows that since the court’s decision in May 2014 to the end of July 2015, 288,256 requests covering 1,048,795 URLs were received, and 41.3 percent of URLs had been removed. Analysis by the Guardianof data hidden in the source code of Google’s report found that 95 percent of requests came from the public and “not from criminals, politicians, and public figures,” and that social media sites including Facebook and YouTube were more affected than news websites. Although business magazine Quartz claimed in October 2014 that the press had not been greatly affected, British daily The Telegraph tracked its deleted links to show how requests were being used to edit out negative reports. In July 2015, it reported that since May 2014, 85 search results linking to its website had been removed, including reports on court cases, death notices, and scandals involving politicians and other high-profile figures.
“How can a search engine strike the right balance between the interest of the person making the ‘deletion’ request and the public’s right to know?”
– Jens-Henrik Jeppesen, Center for Democracy and Technology
The EU Article 29 data protection working party, which represents member states’ privacy agencies and judges how search engines handle de-listing requests, concluded in June 2015 that most denials were justified. But Internet freedom and privacy groups are concerned by this evolution of entrusting private behemoths, often acting on behalf of government regulators and in the absence of court oversight, with the right to decide what can or cannot be posted. “The public should be able to find out how digital platforms exercise their tremendous power over readily accessible information,” 80 academics wrote in an open letter to Google that called for greater transparency. “As their terms of service are open-ended, they restrict in unpredictable ways the right of journalists to use social media,” Joe McNamee, director of Brussels-based network European Digital Rights, told CPJ. “It means a disintegration of the concept of law.”
There is uncertainty, too, on whether the ruling should apply globally or only to the national domain where the deletion request was made. Google has argued that extending the policy to its global domain would affect countries not covered by the European court. However, the Article 29 working party stated that it should apply to Google’s global domain. On July 29, 2015, Google asked France’s data watchdog to withdraw a notice ordering it to comply globally, with the search engine highlighting again, in a blog, that the ruling was an EU, not a global, ruling.
Many press freedom advocates have been nervous about the ruling despite the European Commission’s reference to the public interest and assurances from the Article 29 working party that access to the original information will remain. “How can you make sure this decision is not going to interfere with legitimate reporting?” Jens-Henrik Jeppesen, EU representative of the Washington-based Center for Democracy & Technology, said to CPJ. “How can a search engine strike the right balance between the interest of the person making the ‘deletion’ request and the public’s right to know? Will it not be tempted to err on the side of removing content in order to avoid legal procedures and fines, and therefore to exclude from search results items that are clearly in the public interest?”
Ricardo Gutierrez, general secretary of the European Federation of Journalists, an organization viewed as a barometer for press attitudes in Europe, told CPJ that the federation has not yet taken a position on the ruling, adding, “The right to be delisted does not appear to be seen as a generalized attack on press freedom.” Gutierrez said that the federation had not yet received complaints from journalists about deletion requests.
The court’s ruling highlights the danger to press freedom posed by intermediary liability, a crucial element of a free and untrammeled Internet being discussed in the EU in the context of hate speech, or of copyright law that pits rights holders against Internet users. General monitoring and filtering is banned under the so-called E-Commerce Directive confirmed in November 2011 by the court. Targeted blocking, however, is accepted. Hosting companies are required to take down information as soon as they learn that it may be unlawful, or face liability. Some Internet freedom groups endorsed the E-Commerce Directive’s exemptions as protective. “It has done an excellent job of defining the responsibilities of Internet platforms with respect to hosting user-generated content. It enables free expression online, cross-border commerce, and social development, and provides a clear framework for dealing with illegal content,” Jeppesen told CPJ. Aleksandra Kuczerawy, of the Leuven University Interdisciplinary Centre for Law and ICT in Belgium, was less reassured. In a January 2015 essay in Computer Law and Security Review, she found that the directive may lead to self-censorship and highlighted the legal uncertainty caused by it not being uniformly adopted by member states.
The commission has been reviewing the directive, particularly in the context of the launch in May 2015 of a Digital Single Market strategy meant to boost, integrate, and regulate the EU digital sector. Internet freedom groups such as the Center for Democracy & Technology are suspicious in particular of the “duty of care” provision to be imposed on third-party content. “According to commission documents I have seen, plans for this duty of care include forcing Internet platforms to actively scan user-uploaded content for illegal information,” warned Julia Reda in a May 2015 blog on her website. The German MEP for the digital rights Pirate Party and vice-president of the European Green Group added, “This would increase groundless mass surveillance, outsource law enforcement to private companies, and introduce huge barriers to entry on the intermediaries market, preventing competition. Because there simply aren’t enough copyright lawyers in the world to check all the videos and pictures uploaded every day, platforms would have to increasingly rely on automatic detection algorithms that are known for their unreliability and would introduce huge barriers to market entry.” She has a point. On YouTube alone, 300 hours of video are uploaded every minute, its statistics show.
Another issue with implications for press freedom is net neutrality, the principle that service providers should grant access to all content and applications regardless of the source and without discriminating against or blocking products or websites, press freedom advocates told CPJ. Although the commission and Parliament officially endorsed net neutrality, European telecoms companies had been lobbying against it and the position of the Council was undecided. The text adopted in July 2015 by the three institutions, according to digital freedom organization Access Now, “lacks elements that would provide a solid footing for net neutrality in Europe.” The draft is expected to be presented for approval at the end of 2015.
“To abandon net neutrality is to abandon both the freedom to impart and receive information without interference,” Jeppesen told CPJ. Pierre-Arnaud Perrouty, executive director of the European Humanist Federation, added, “Without net neutrality, journalists would be deprived of equal rights to information access and distribution.”
Another case that has raised concerns about the regulation of online content is the June 2015 ruling on Estonian news outlet Delfi by the European Court of Human Rights. In Delfi AS vs Estonia, the outlet was sued by an individual named only as L who claimed to have been the subject of threats in the comments section of a news story. After being ordered to pay damages by an Estonian court, Delfi went to the court of human rights, to which all EU member states are a party, but lost its case twice. The Grand Chamber of the Strasbourg court concluded that Delfi, as a content provider, was not a “passive hoster” and therefore was the publisher of the comment and liable. “Holding content hosts liable for their users’ speech is a shortcut to censorship for governments and private litigants who cannot easily identify an anonymous speaker or seek a judgment against her,” Emma Llansó, director of the Free Expression Project at the Center for Democracy & Technology, wrote in a blog. “The threat of liability creates strong incentives for content hosts to preview and approve all user comments—and to censor with a broad brush.”
Surveillance and counterterrorism efforts have been brought to the forefront in the EU by revelations by former NSA contractor Snowden of mass government surveillance and calls for greater restrictions under the guise of anti-terror measures after the Charlie Hebdo attack. French Interior Minister Bernard Cazeneuve’s proposals for Web giants to work directly with the government in tracking and taking down material deemed by authorities to have links to terrorism illustrate the risk of knee-jerk reactions compromising press freedom. Demands for backdoors to encryption by the EU and its member states are of particular concern for CPJ.
In 2009, the right to safety from surveillance was affirmed in the European Charter on Freedom of the Press, a non-binding document adopted by 48 European editors-in-chief and journalists. “Surveillance or electronic eavesdropping on or searches of newsrooms, private rooms, or journalists’ computers with the aim of identifying sources of information or infringing on editorial confidentiality are unacceptable,” the charter stated. In the wake of the Snowden revelations, Parliament adopted a resolution, “Surveillance Bodies in Various Member States and Their Impact on EU Citizens’ Privacy,” which reaffirmed the need to strike a balance between security and liberty and underlined how it was crucial for journalists to be protected against surveillance in the NSA program. The findings are expected by the end of 2016 of an investigation Parliament asked the Fundamental Rights Agency to carry out into large-scale surveillance by intelligence agencies in the EU and any instances of democratic oversight. The reaction by member states to the NSA revelations was criticized in a report published in June 2015 by Council of Europe Human Rights Commissioner Muižnieks. The report found: “Security operations which have violated human rights should have prompted reforms in this field, but progress has been disappointingly slow.”
However, when they address counterterrorism, MEPs are doing little more than shadow boxing because the Treaty on European Union states that “national security remains the sole responsibility of each member state.” As German Green MEP Jan-Philipp Albrecht, rapporteur on Data Protection Regulation, said at a European Parliament briefing, “No EU rules bind the security services, and national security is the black hole of European law.”
Has the EU acted as a standard bearer of liberal norms that might temper the alleged illiberalism of some national anti-terrorism laws? “The security mindset is percolating through the whole EU system,” a commission official, who requested anonymity because of the sensitivity of the issue, told CPJ. In 2002, the EU had already adopted a Framework Decision on Terrorism, followed in 2010 by an Internal Security Strategy in Action. But these vaguely worded documents did not please many freedom of speech groups. “It could potentially affect freedom of expression,” Jeppesen, of the Center for Democracy & Technology, told CPJ. “There is indeed a clear difference between propaganda and broadcasting or reporting on it.”
A cyber security strategy presented by the commission in 2013 called on member states to respect EU data protection law and take full account of individuals’ rights when sharing information related to cyber security. A commission directive to ensure harmonized network and information security across the EU is under discussion.
The EU counterterrorism strategy has a renewed urgency in the aftermath of a number of attacks in Europe and amid controversy around EU citizens returning from fighting with the Islamic State and other radical groups in Syria and Iraq. The EU has been trying to get a trans-border role, with Counter-Terrorism Coordinator Gilles de Kerchove coordinating the response with EU law enforcement agency Europol. In July 2015, at the initiative of the Council, Europol set up an Internet referral unit modeled on the Counter Terrorism Internet Referral Unit in the U.K., to flag terrorist or violent extremist content and work with the industry to remove it. “Ninety-three percent of the sites flagged by Scotland Yard are removed by Google,” de Kerchove said at a European Policy Centre event CPJ attended in Brussels in July 2015. “The idea is to build on ChecktheWeb, a high-security portal launched in 2007 at Europol to coordinate the collection of data on terrorist organizations.”
In April 2015, the commission submitted a five-year Agenda for Security to the Parliament to combat terrorism, organized crime, and cybercrime. The document starts with a solemn reminder of the Lisbon Treaty commitment to fundamental rights and democratic oversight over EU policies on internal security. It delved into the media factor and announced details of a forum with IT companies, law enforcement, and civil society. This EU Internet forum, the document added, “will focus on deploying the best tools to counter terrorist propaganda on the Internet and in social media. In cooperation with IT companies the forum will also explore the concerns of law enforcement authorities on new encryption technologies.”
De Kerchove confirmed that approach. In an internal document obtained by civil liberties group Statewatch, he wrote: “The European Commission should be invited to explore rules obliging Internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e., share encryption keys).”
IT companies will increasingly be expected to play the game, “whereas after Snowden they have been developing new systems to avoid being seen as working with the NSA,” de Kerchove added at the Brussels event.
Many counter-extremism measures, including censoring Internet speech and publishing government propaganda such as Cameron’s strategy in the U.K. to create de-radicalization programs, are viewed by civil society and researchers as limited in their effectiveness. The proposals on encryption have implications under international law, notably for the absolute right to freedom of opinion, as David Kaye, U.N. special rapporteur on freedom of opinion and expression, discussed in his June 2015 report on international legal protection for encryption.
“Journalists do not know what means can be legally used against them, how the law specifically protects them.”
-Alain Lallemand, International Consortium of Investigative Journalists
Some journalists told CPJ they are nervously observing these maneuvers. How far will the surveillance bureaucracy go? Their own privacy and sources’ confidentiality are increasingly undermined by legal and illegal surveillance and even by the perception that no information is safe from peeping services. “In a privacy-unfriendly world, you are safe as long as you don’t stand out,” McNamee, of European Digital Rights, told CPJ. “If a journalist is searching on criminality or corruption, there is a chance that he/she will attract attention. The awareness about unchecked surveillance carries a risk of serious self-censorship.”
Lallemand, of the International Consortium of Investigative Journalists, added, “Sources are overwhelmed by technological advances in surveillance and have sometimes only a vague idea of the traceable information they can involuntarily leave when contacting journalists. And the danger often comes less from the national police or intelligence services but from snipers [detectives, pirates] and foreign secret services. It implies a change of mindset to be up to the new threats.”
“In a privacy unfriendly world you are safe as long as you don’t stand out.”
– Joe McNamee, European Digital Rights
When it comes to the protection of sources, journalists are unable to rely on support from EU-wide legislation. In 2000, the Council of Europe’s Committee of Ministers issued a recommendation on how to implement protection in domestic legislation, but it is left to member states to set their own laws. Since 2005, Belgium, seat of the most important EU institutions, has gone from being one of the worst countries to one of the best in this area. The obligation to reveal sources there is limited to information absolutely necessary to prevent an infraction that would risk a person’s integrity and when there is no other way to get that information. Other member states, however, have some distance to travel, even if journalists can count on the usually protective rulings of the European Court of Human Rights.
“Protection of journalistic sources is one of the basic conditions for press freedom,” the court stated in its 1996 landmark decision in the Goodwin v. United Kingdom case. The U.K. was condemned for ordering William Goodwin, a trainee journalist with Engineer magazine, to reveal the identity of his source on a company’s confidential corporate plans. “Both the order requiring the journalist to disclose his source as well as the fine imposed on him for refusing to do so gave rise to a violation of his right to freedom of expression under Article 10 of the European Convention on Human Rights,” the court wrote. In its ruling, the court found: “Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest. As a result, the vital public-watchdog role of the press may be undermined and the ability of the press to provide accurate and reliable information may be adversely affected.”
The Strasbourg court is still considered a stalwart defender of the protection of sources, despite a 2009 ruling that included a caveat for when a journalist may be forced to reveal an identity. In the Financial Times and Others v. The United Kingdom judgment, the European Court of Human Rights qualified its support for protection of journalists’ sources by warning that “malicious intent” may in certain circumstances justify an order to disclosure.
The debates on counterterrorism measures and source protection are closely related to Data Protection and Data Retention. EU legislation on privacy, as spelled out in Articles 7 and 8 of the Charter of Fundamental Rights and in the EU Data Protection Directive, is protective of individual’s rights. In his strategy paper, presented in March 2015, Giovanni Buttarelli, the new European data protection supervisor, said the EU must “lead by example as a beacon of respect for data protection and privacy.” The battle is not won, though. A data protection reform package is currently being discussed but, according to a blog by a coalition of Brussels-based digital rights organizations, the council’s proposals are like “a wolf in sheep’s clothing,” and would lower the existing level of data protection below the standards required to be in line with the EU treaties.
How can privacy concerns, so essential for the protection of sources, be reconciled with the journalists’ right to report and investigate? The current directive, under Article 9, provides that exemptions have to be made where personal data are processed solely for journalistic purposes. In 2014, with the reform of the directive in mind and prior to the European Parliament elections, the European Federation of Journalists, which represents journalist unions, underlined in its manifesto the need for a journalistic exemption in EU data protection law. The European Newspaper Publishers Association is on the same page. “The journalistic exemption should be binding,” its director, Cunningham, told CPJ.
The Data Retention Directive was pushed through by the 2005 U.K. Council presidency and adopted in March 2006. Drafted in the aftermath of terror attacks in Madrid in 2004 and London in 2005, it was meant to facilitate the EU response in investigating organized crime and terrorism. The directive stated that telecoms companies had to store data—phone numbers, IP addresses, and other key telecom and Internet traffic data—for a minimum of six months and a maximum of 24 months, and make them available to police.
This directive sparked concerns from privacy and press freedom groups and underlined the differences between EU and U.S. legislation. The U.S. has no mandatory retention law. As private companies, Internet service providers are free to store or delete data as they see fit. In the U.S., a court order can be used to make service providers deliver data on users. “Government-mandated data retention impacts millions of ordinary users by compromising online anonymity which is crucial for whistleblowers, investigators, journalists, and those engaging in political speech,” wrote the U.S.-based Internet freedom advocacy group Electronic Frontier Foundation.
In 2014, judging on a constitutional challenge to the Irish data retention law by privacy advocacy group Digital Rights Ireland, the Court of Justice struck down the directive as invalid and in violation of fundamental rights. The court’s advocate general, Pedro Cruz Villalón, said it interfered with the right to privacy and protection of personal data. It also considered that the directive did not provide enough safeguards to ensure protection against the risk of abuse and any unlawful access to these data. CPJ welcomed that decision, saying in an April 2014 statement that it “underlines the dangers to privacy posed by the mass collection of transactional data.”
A number of member states, including Belgium and Germany, have complied with the ruling; others are procrastinating. If they do not comply, they expose themselves to infringement proceedings from the commission. “Over a year after the court ruling, it is finally time for the commission to act,” said McNamee, of European Digital Rights in July 2015. “EU member states cannot be allowed to break European law with impunity.”