Skip to main content
SpringerLink
Log in

Regulation of Cyberspace and Human Rights

  • Chapter
  • First Online:
Public International Law of Cyberspace

Part of the book series: Law, Governance and Technology Series ((LGTS,volume 32))

Abstract

The advent of the Internet and online activities creates the greatest challenges for privacy, freedom of expression, and other related human rights. This is the area where cyber activities have the most impact on the modern-day society. While the US gives a top priority to the freedom of expression, Europe accords more importance to privacy than the freedom of expression. A clash between these two differing priorities influences, to a large extent, the different levels and scopes of human rights protection in cyberspace across the Atlantic Ocean. International legal standards balancing human rights, on the one hand, and national security and/or law and order, on the other hand, in such areas as personal data protection, extraterritorial law enforcement measures, and the implementation of exceptions to the exercise of rights and freedoms in cyberspace, are enshrined in the 1966 International Covenant on Civil and Political Rights as well as in regional human rights instruments, such as the European Convention on Human Rights. National law of the States Parties to these instruments must comply with these international legal standards. The European Union has the world’s most advanced legal system of protection of personal data in cyberspace, and the right to be forgotten has now been upheld by the European Court of Justice. This is an area where the private sector, especially Internet service providers, can play an active role in balancing the customer’s human rights and the demand from law enforcement authorities for the private sector’s cooperation in protecting society from harm.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 199.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 199.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Zoe Kleinman, “Spyware use in domestic violence ‘escalating’,” BBC, 22 Dec. 2014. See also an introductory analysis on the applicability of international human rights law to cyberspace in David P. Fidler, “Cyberspace and Human Rights,” in Research Handbook, eds. Tsagourias and Buchan, 94–117.

  2. 2.

    “Firm says phone apps spy on HK protesters,” China Post, 3 Oct. 2014, 1.

  3. 3.

    Chris Baraniuk, “Microsoft reveals details of Windows 10 usage tracking,” BBC, 7 Jan. 2016.

  4. 4.

    Some States may join forces to undertake surveillance against target individuals. See, e.g., the allegation by Edward Snowden of the existence of the “Five Eyes Intelligence partnership” between the US, UK, Canada, Australia, and New Zealand involving mass surveillance activities (Tim Hume, “Snowden, Assange, Greenwald, Dotcom: Can this gang of four take down a PM?,” CNN, 15 Sept. 2014).

  5. 5.

    See, e.g., “Facebook accused of mining private messages,” Al Jazeera, 3 Jan. 2014.

  6. 6.

    Tallinn Manual 2.0, chap. 11 International telecommunications law, citing Prosecutor v. Nahimana et al. (the Media case), ICTR Case No. ICTR-99-52-A, App. Ch. Judgment (28 Nov. 2007).

  7. 7.

    For a detailed analysis of the moral responsibilities of online service providers, see, M. Taddeo and L. Floridi, “The Debate on the Moral Responsibilities of Online Service Providers”, Sci. Eng. Ethics 22 (2016): 1575, esp. at 1585, 1590–1597.

  8. 8.

    “China releases reporter jailed in Yahoo e-mail case,” Taiwan News, 9 Sept. 2013, 3. Shi was released on 23 Aug. 2013, fifteen months before the end of his prison sentence. At a US congressional hearing in Nov. 2007, Jerry Yang, Yahoo!’s CEO, apologized to Shi’s family (ibid.).

  9. 9.

    “Facebook loses battle over users’ fake name in Germany,” BBC, 29 Jul. 2015.

  10. 10.

    UN Guiding Principles for Business and Human Rights (New York and Geneva: United Nations Publication HR/PUB/11/04, 2011). The Principles add that operational-level mechanisms should also be based on engagement and dialogue between the stakeholder groups.

  11. 11.

    Report of the Office of the UN High Commissioner for Human Rights, “The Right to Privacy in the Digital Age”, 30 Jun. 2014, UN Doc. A/HRC/27/37, paras. 43–46.

  12. 12.

    Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, UN Doc. A/HRC/32/38 (11 May 2016), paras. 68–70. This has partly led to a call by the UN General Assembly for business enterprises to, among other things, undertake greater responsibility in respecting human rights in accordance with the UN Guiding Principles on Business and Human Rights, including the right to privacy in the digital age; inform their customers about the collection, use, sharing and retention of their data that may affect their right to privacy and to establish transparency policies, as appropriate; and work towards establishing secure communications and the protection of individual users against arbitrary or unlawful interference with their privacy, including by developing technological solutions (A/C.3/71/L.39/Rev. 1, 16 Nov. 2016).

  13. 13.

    ICJ Rep. 2010, p. 639. For an analysis of this case, see, Sandy Ghandhi, “Human Rights and the International Court of Justice,” 11 Human Rights L. Rev. 527 (2011).

  14. 14.

    ICJ Rep. 2010, p. 639.

  15. 15.

    For a detailed analysis of the ASEAN Declaration, see, American Bar Association Rule of Law Initiative, The ASEAN Human Rights Declaration: A Legal Analysis (Washington, DC, American Bar Assoc., 2014).

  16. 16.

    The 47 members of the Council of Europe are Albania, Andorra, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldova, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, Russian Federation, San Marino, Serbia, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, the former Yugoslav Republic of Macedonia, Turkey, Ukraine, and United Kingdom.

  17. 17.

    General Comment no. 34 – Freedoms of opinion and expression (ICCPR document CCPR/C/GC/34, 12 Sept. 2011), para. 15.

  18. 18.

    It cannot be an enforceable human right to enjoy the benefits of scientific progress or other rights under the 1966 International Covenant on Economic, Social and Cultural Rights (ICESCR), either. See, David P. Fidler, “Cyberspace and human rights”, 104–110.

  19. 19.

    Report of the Office of the UN High Commissioner for Human Rights, “The Right to Privacy in the Digital Age”, 30 Jun. 2014, para. 14. See also, Titus Stahl, “Indiscriminate mass surveillance and the public sphere”, Ethics Inf. Technol. 18 (2016): 33.

  20. 20.

    Rob Lever, “Yahoo plans for ‘end to end’ e-mail encryption”, AFP, 15 Mar. 2015.

  21. 21.

    Weiser and Bicos Beteiligungen GmbH v. Austria, no. 74336/01, ECHR 2007-IV, §45.

  22. 22.

    Amann v. Switzerland [GC], no. 27798/95, ECHR 2000-II, §§69–70.

  23. 23.

    Rotaru v. Romania [GC], no. 28341/95, ECHR 2000-V, §§ 43–44.

  24. 24.

    Lee A. Bygrave (Data Privacy Law: An International Perspective (Oxford: Oxford University Press, 2014), 112) argues that in Europe the right to privacy is preferred to the freedom of speech.

  25. 25.

    Inter-American Juridical Committee, Annual Report 2012, p. 45.

  26. 26.

    Cf. UNODC, Comprehensive Study on Cybercrime, xix and xxi. See also, Oliver Diggermann and Maria Nicole Cleis, “How the Right to Privacy Became a Human Right,” European Human Rights L. Rev. 14 [2014]: 441.

  27. 27.

    Inter-American Juridical Committee, Annual Report 2012, p. 47.

  28. 28.

    The Human Rights Committee itself considers its views in interpreting the ICCPR and its Optional Protocol to be determinative and authoritative (CCPR/C/GC33, paras. 11 and 13).

  29. 29.

    HRC, ICCPR General Comment no. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 Apr. 1988.

  30. 30.

    382 U.S. 479 (1965).

  31. 31.

    per Douglas J., delivering the opinion of the Court.

  32. 32.

    389 U.S. 317 (1967).

  33. 33.

    Jordan J. Paust, “Can You Hear Me Now?: Private Communication, National Security, and Human Rights Disconnect,” Chicago JIL 15 (2015): 612, 629.

  34. 34.

    486 U.S. 351 (1988).

  35. 35.

    488 U.S. 445 (1989). The “plain view principle” must be carefully considered in light of the existing related constitutional restrictions on the invasion by privacy by government agents, though. See, Mark Tunick, Balancing Privacy and Free Speech: Unwanted attention in the age of social media (London and New York: Routledge, 2015), 67–68.

  36. 36.

    533 U.S. 27, 31–41 (2001).

  37. 37.

    “Turkey to investigate massive leak of personal data,” Al Jazeera, 6 Apr. 2016.

  38. 38.

    “Facebook accused of mining private data messages,” loc. cit., 3 Jan. 2014.

  39. 39.

    Meaning that a remedy is available in law to any person whose right to privacy is violated or threatened by an unlawful act or omission of a government official or a private individual or entity engaged in the gathering, collecting, or storing of data or information regarding the person, family, home and correspondence.

  40. 40.

    See, Bygrave, Data Privacy Law, chap. 3: National Data Privacy Laws and at 205.

  41. 41.

    Bundesverfassungsgericht, decisions volume 27, 1 at 6. See further, Gerritt Hornung and Christoph Schnabel, “Data Protection in Germany I: The population census decision and the right to information self-determination,” Computer L. & Security Rep. 25 (2009), 84.

  42. 42.

    See, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 OJ L 281/31; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), 2002 OJ L 201/37; Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 2006 OJ L 105/54. Cf. François Dubuisson, “Les restrictions à l’accès au contenu d’internet et le droit à la liberté d’expression” in Société Française pour le Droit International, Colloque de Rouen: Internet et le droit international (Paris: Editions A. Pedone, 2014), 133–164.

  43. 43.

    Productores de Música de España (Promusicae) v. Telefónica de España SAU, Case C-275/06, ECLI:EU:C:2008:54, paras. 44, 63–64.

  44. 44.

    [2010] OJ C83/47.

  45. 45.

    Christopher Kuner, “An international legal framework for data protection: Issues and prospects,” Computer Law & Security Rev. 25 (2009): 307 at 308–309; id., “Extraterritoriality and the Fundamental Right to Data Protection,” EJIL Talk!, 16 Dec. 2013.

  46. 46.

    Rotaru v. Romania [GC], no. 28341/95, ECHR 2000-V, §44. Cf. Juliane Kokott and Christoph Sobotta, “The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR,” International Data Privacy Law 3 (2013): 222 at 224, and see other differences between privacy and data protection at 225–226.

  47. 47.

    Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen, Joined Cases C-92/09 and C-93/09, ECLI:EU:C:2010:662, para. 52.

  48. 48.

    Ibid., para. 53.

  49. 49.

    Art. 1, Convention 108.

  50. 50.

    European Court of Human Rights’ Research Division, National security and European case-law (Strasbourg: Council of Europe/European Court of Human Rights, 2013), paras. 129–135.

  51. 51.

    Supra note 42. On 25 June 1999, the Directive was incorporated into the 1992 Agreement on the European Economic Area (EEA).

  52. 52.

    Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 amending Protocol 37 and Annex XI (Telecommunication services) to the EEA Agreement, EUR-Lex-22000D1123(08).

  53. 53.

    Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford: Oxford University Press, 2013), 40.

  54. 54.

    Ibid., 83–91, 210–255; Bygrave, Data Privacy Law, 206.

    In 2006, the Secretariat of the International Law Commission listed the following national laws as having been influenced by the EU Directive: Argentina: Personal Data Protection Act “Ley de Proteccion de los Personales” (Act 25.326) of 4 October 2000; Australia: 1988 Privacy Act and the 2000 Privacy Amendment Act (private sector); Austria: Personal Data Protection Act 17 August 1999 and Landers’ legislations to implement the EC Directive; Brazil: Anteprojeto de Lei No. 61/1996; Anteprojeto de Lei No. 151; Belgium: Law on Privacy Protection in relation to the Processing of Personal Data, 8 December 1992, modified by the implementation law of 11 December 1998 and Secondary Legislation of 13 February 2001; Canada: the 2001 Personal Information Protection and Electronic Document Acts (PIPEDA); Chile: Ley No. 19.628, Sobre la Proteccion de la Vida Privida, 28 August 1999; Cyprus: The Processing of Personal Data (Protection of the Individual) Law of 2001, as amended in 2003 and the Regulation of Electronic Communications and Postal Services Law of 2004; Czech Republic: Personal Data Protection Act, 4 April 2000; Denmark: Act on Processing of Personal Data (Act No. 429), 31 May 2000, Germany: Federal Data Protection Act (Bundesdatenschutzgesetz), 18 May 2001 and Landers’ Data Protection laws adopted to implement the European Directive; Estonia: Data Protection Act, 12 February 2003; Finland: Finnish Personal Data Act (523/1999), 22 April 1999, as Amended on 1 December 2000 and Finnish Data Protection Act in Working Places of 2004; France: Law 2004–801 modifying law 78–17 of 6 January 1978; Greece: Implementation Law 2472 on the Protection of individuals with regard to the processing of personal data entered into force 10 April 1997; Ireland: Data Protection Act 1998, amended by Data Protection Act 2003, 10 April 2003; Hungary: Act LXIII on the Protection of Personal Data and Public Access to Data of Public Interest of 1992, Act IV of 1978 on the Criminal Code on Misuse of personal data and misuse of personal information and Data Protection Act, 14 December 2001 (Act XXVI) as amended by Act XXXI of 2002; Italy: Protection of individuals and other subjects with regard to the processing of personal data Act No. 675, 31 December 1996 and New Data Protection Code entered into force 1 January 2004; Israel: Data protection Law enacted in 1981 and amended in 1996; Japan: the Act of the Protection of Personal Information, Law No. 57 of 2003; Latvia; Personal Data Protection Law Amended by Law of 24 October 2004; Lithuania: Law on Legal Protection of Personal Data, 21 January 2003, No IX-1296, with Amendments of 13 April 2004; Luxembourg: Data Protection Law, 2 August 2001; The Netherlands: Personal Data Protection Act, 6 July 2000 (the former sectoral Codes of conduct are under review to become legislations); New Zealand: Privacy Act, 1 July 1993; Poland: Act on the Protection of Personal Data, 29 August 1997 amended on 1 January 2004; Paraguay: Data protection law in Paraguay, Act No. 1682 Regulating Private Information; Portugal: Personal Data Protection Law 67/98 of 26 October 1998; Republic of Korea: Act on the Protection of Personal Data maintained by Public Agencies Act (Act No. 4734) of 1994, the Act on the Promotion and Protection of Information Infrastructure, (Act No. 5835) of 1999; Russian Federation: Law of the Russian Federation on Information, computerization, and Information Protection of 25 January 1995; Slovenia: 1999 Personal Data Protection Act (based on Council of Europe Convention) and Act Amending the Personal Data Protection Act in July 2001; Slovakia: Act No. 428/2002 coll. on Protection of Personal Data, as Amended by the Act No. 602/2003 Coll., Act No. 576/2004 Coll. and the Act No. 90/2005 Coll.; Spain: Ley Organic 15/1999 de Proteccion de Dates de Caracter Personal, 13 December 1999; Sweden: Personal Data Act 1998: 204 of 29 April 1998 and Regulation 1998:1191 of 3 September 1998; Switzerland: Swiss Federal Act on Data Protection 235.1 (DPA) of 19th June 1992; Tunisia: Personal Data Protection Law No 2004–63, 27 July 2004; United Kingdom: Data Protection Act of 16 July 1998 completed by legislation of 17 February 2000 (Report of the International Law Commission on the Work of the Fifty-eighth Session (2006), UN Gen. Ass. Off. Records, 61st Sess., Supplement No. 10 (A/61/10), Annex D (Protection of personal data in transborder flow of information), note 32).

    One may add to this list Colombia’s Statutory Law containing general provisions for the protection of personal data (dated 16 Dec. 2010), Costa Rica’s Law on the Protection of the Individual against the Processing of Personal Data (dated 7 Jul. 2011), and Mexico’s Federal Law on the Protection of Personal Data Possessed by Private Persons (in force on 6 Jul. 2010). See, Permanent Council of the OAS, Committee on Political and Juridical Affairs, Comparative Study: Data Protection in the Americas (OEA/Ser. G CP/CAJP-3063/12, 3 Apr. 2012).

    The Russian Federal Law on Personal Data (No. 152-FZ, dated 27 Jul. 2006) also contains provisions similar to those in the EU Directive.

  55. 55.

    Art. XIV(c)(ii), GATS. See also, Lee A. Bygrave, Data Protection Law: Approaching Its Rationale, Logic and Limits (The Hague: Kluwer, 2002), 83.

  56. 56.

    For in-depth analyses of the proposed reform, see, Christopher Kuner, “The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law,” Privacy & Security L. Rep., 11 PVLR 06, 02/06/2012; Christopher Kuner, Cédric Burton, and Anna Pateraki, “The Proposed EU Data Protection Regulation Two Years Later,” loc. cit. 13 PVLR 8, 01/06/2014; Peter Hustinx, “The Reform of EU Data Protection: Towards more effective and more consistent data protection access across the EU,” in Le développement du droit européen en matière de protection des données et ses implications pour la Suisse, eds. Astrid Epiney and Tobias Fasnacht (Zurich: Schulthess, 2012), 15–22. Cf. Serge Gutwirth et al. eds., European Data Protection: In Good Health? (Dordrecht: Springer, 2012).

  57. 57.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 OJ L 119/1, in force on 25 May 2018.

  58. 58.

    European Commission Press Release, Agreement on Commission’s EU data protection reform will boost Digital Single Market, 15 Dec. 2015.

  59. 59.

    Christopher Kuner, “Data Protection Law and the International Jurisdiction on the Internet (Part 2),” Int’l J. Law & Information Techno. 18 (2010): 225, note 110.

  60. 60.

    Art. 7 (a) of the Directive.

  61. 61.

    See Article 29 Data Protection Working Party, Advice paper on special categories of data (“sensitive data”), Ref. Ares (2011) 444105 – 20/04/2011; Claire Levallois-Barth, Sensitive data protection in the European Union (Brussels: Bruylant, 2007).

  62. 62.

    Doc. CJI/RES. 186 (LXXX-O/12). Cf. Bygrave (Data Privacy Law, chap. 5) whose core principles of data privacy law are: fair and lawful processing; proportionality; minimality; purpose limitation; data subject influence; data quality; data security; and sensitivity.

  63. 63.

    Report of the International Law Commission on the Work of the Fifty-eighth Session (2006), supra note 54, paras. 11 and 23–32.

  64. 64.

    Kokott and Sobotta, “The distinction between privacy and data protection,”, 225.

  65. 65.

    “Google agrees privacy policy changes with data watchdog,” BBC, 30 Jan. 2015.

  66. 66.

    E.g., telephone metadata are those on the identity of the caller and the person called and the duration of the call, but not the content of the call itself.

  67. 67.

    Massimo Calabresi, “The Surveillance Society,” Time, 19 Aug. 2013, 38–43. Cf. “NSA collect 200 m texts per day,” BBC, 17 Jan. 2014; “US and UK ‘spy on virtual games like World of Warcraft’”, BBC, 9 Dec. 2013.

    In relation to the UK, see “UK spies ‘intercepted webcam images of Yahoo users’”, BBC, 27 Feb. 2014.

  68. 68.

    Molly Crain, “The biggest myth about phone privacy,” BBC, 6 Feb. 2015.

  69. 69.

    Dana Priest and William Arkin, “Blinded by information overload,” Sydney Morning Herald, 20 Jul. 2010, 14; Peter Galison and Martha Minow, “Our Privacy, Ourselves in the Age of Technological Intrusions,” in Human Rights in the ‘War on Terror’, ed. Richard Ashby Wilson (Cambridge: Cambridge University Press, 2005), 258 at 286.

  70. 70.

    As admitted by US President Obama in his Remarks on Review of Signals Intelligence, 17 Jan. 2014.

  71. 71.

    “Edward Snowden documents show NSA broke privacy rules,” BBC, 16 Aug. 2013.

  72. 72.

    Digital Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12, ECLI:EU:C:2014:238, paras. 26–27, 37. This ruling has been endorsed by the Office of the UN High Commissioner for Human Rights (Rep. of the Office of the UN High Commissioner for Human Rights on The right to privacy in the digital age, paras. 19–20).

  73. 73.

    A/HRC/28/L.27 (24 Mar. 2015).

  74. 74.

    Katz v. United States, 389 U.S. 347 (1967).

  75. 75.

    Smith v. Maryland, 442 U.S. 735, 744 (1979). For a criticism on the case, see, Stuart Macdonald, “Dataveillance and terrorism: Swamps, haystacks and the eye of providence,” in Routledge Handbook of Law and Terrorism, eds. Genevieve Lennon and Clive Walker (London and New York: Routledge, 2015), 147 at 162.

    Note, however, that some US statutes afford protection to data held by third parties. See 8 U.S.C. §3123 for prospective transactional data and 18 U.S.C. §2703(c), (d) for stored information on the communications that have already taken place.

  76. 76.

    United States v. Forrester, 512 F.3d 500 (2008). Note, however, that Justice Sotomayor considered changing this approach in the Supreme Court case of United States v. Jones, 132 U.S. 949 (2012) by stating that not all information voluntarily disclosed is disentitled to Fourth Amendment protection.

  77. 77.

    Gramm-Leach-Bliley Act, Public Law 106–102 (106th Congress), Title V (Privacy), §§501–510.

  78. 78.

    977 F.Supp. 2d. 129 (E.D.N.Y., 2013).

  79. 79.

    The court in that case explained that a cell phone user could easily protect the privacy of location data by turning off the function that identified the location data. In addition, a search warrant had to be obtained in order to access geolocation data of the cell phone user.

  80. 80.

    Civil Action No. 13-0851 (RJL), esp. at 49, 56.

  81. 81.

    Stephen Collinson, “Panel delivers US surveillance report: official,” AFP, China Post, 15 Dec. 2013, 3.

  82. 82.

    573 U.S. 2473 (2014).

  83. 83.

    Ibid., at 2494–2495, citation omitted.

  84. 84.

    President Obama said:

    “I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata”.

    ….

    Because of the challenges involved, I’ve ordered that the transition away from the existing program will proceed in two steps. Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of the current three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding or in the case of a true emergency.

    Next, step two, I have instructed the intelligence community and the Attorney General to use this transition period to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata itself. … (Remarks on Review of Signals Intelligence, 17 Jan. 2014).

  85. 85.

    Public Law No: 114–23, 129 Stat. 268 (2015).

  86. 86.

    UN Doc. A/RES/45/95 (14 Dec. 1990).

  87. 87.

    Ibid., operative para. 4.

  88. 88.

    Ibid., operative para. 5.

  89. 89.

    Alexander Beck and Christopher Kuner, “Data Protection in International Organizations and the New UNHCR Data Protection Policy: Light at the End of the Tunnel?,” EJIL Talk!, 31 Aug. 2015. They report that the Policy took into consideration, among other things, the 1980 OECD Guidelines, the 1981 Council of Europe Convention 108, the 1995 EU Directive 95/46, the 2005 APEC Privacy Framework, ECOWAS’ 2010 Supplementary Act on Personal Data Protection, and the 2012 Draft for an EU General Data Protection Regulation as well as the 2009 Madrid Resolution.

  90. 90.

    Global Principles on National Security and the Right to Information (New York: Open Society Foundations, 2013).

  91. 91.

    Available at: https://en.necessaryandproportionate.org/text.

  92. 92.

    Christopher Kuner, “Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future,” OECD Digital Economy Papers, No. 187, OECD Publishing (2011), 7, 24–25.

  93. 93.

    Art. 25(1) and (2).

  94. 94.

    See, e.g., Commission Decision (EC) 2004/915 of 27 Dec. 2004 amending Decision (EC) 2001/497 concerning the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74, Clauses II(i) and III; Safe Harbour Onward Transfer Principle, cited in Kuner, “Regulation of Transborder Data Flows”, 25.

  95. 95.

    Bodil Lindqvist, Case C-101/01, ECLI:EU:C:2003:596, paras. 67–71.

  96. 96.

    See, Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford: Oxford University Press, 2013), 11–14.

  97. 97.

    Article 26 – Derogations provides:

    1. 1.

      By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an Privacy Shield of protection within the meaning of Article 25(2) may take place on condition that:

      1. (a)

        the data subject has given his consent unambiguously to the proposed transfer, or

      2. (b)

        the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request, or

      3. (c)

        the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party, or

      4. (d)

        the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims, or

      5. (e)

        the transfer is necessary in order to protect the vital interests of the data subject, or

      6. (f)

        the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

    2. 2.

      Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

  98. 98.

    Christopher Kuner, “Extraterritoriality and International Data Transfers in EU Data Protection Law,” University of Cambridge Legal Studies Research Paper Series No. 49/2015 (Aug. 2015), contends: “… The use of adequate safeguards thus assumes that there is no ‘adequate protection’ in the country to which the transfer will be made” (ibid., 5).

  99. 99.

    Ibid., 5–6.

  100. 100.

    Kuner, Transborder Data Flows, 179.

  101. 101.

    482 U.S. 522, 544 n. 29, 543–545 (1987).

  102. 102.

    Ibid., 544 n. 8 (emphasis added).

  103. 103.

    No. 09-cv-03552 (ED. Pa. Oct. 7, 2010).

  104. 104.

    The Court referred to the US Fed. Rules of Civil Procedures, Rule 26(c) (1) PROTECTIVE ORDERS which reads:

    1. (1)

      In General. A party or any person from whom discovery is sought may move for a protective order in the court where the action is pending or as an alternative on matters relating to a deposition, in the court for the district where the deposition will be taken. The motion must include a certification that the movant has in good faith conferred or attempted to confer with other affected parties in an effort to resolve the dispute without court action. The court may, for good cause, issue an order to protect a party or person from annoyance, embarrassment, oppression, or undue burden or expense, including one or more of the following:

      1. (A)

        forbidding the disclosure or discovery;

      2. (B)

        specifying terms, including time and place, for the disclosure or discovery;

      3. (C)

        prescribing a discovery method other than the one selected by the party seeking discovery;

      4. (D)

        forbidding inquiry into certain matters, or limiting the scope of disclosure or discovery to certain matters;

      5. (E)

        designating the persons who may be present while the discovery is conducted;

      6. (F)

        requiring that a deposition be sealed and opened only on court order;

      7. (G)

        requiring that a trade secret or other confidential research, development, or commercial information not be revealed or be revealed only in a specified way; and

      8. (H)

        requiring that the parties simultaneously file specified documents or information in sealed envelopes, to be opened as the court directs.

  105. 105.

    Legis. Decree No. 196 of 30 June 2003 (Italy).

  106. 106.

    Available at: http://www.treasury.gov/resource-center/terrorist-illicit-finance/Terrorist-Finance-Tracking/Documents/Final-TFTP-Agreement-Signed.pdf. See also “US to access Europeans’ bank data in new deal,” BBC, 8 Jul. 2010.

  107. 107.

    EU-US Agreement on the processing and transfer of financial messaging data for purposes of the US Terrorist Finance Tracking Programme.

  108. 108.

    Claudia Hillebrand, “EU-US Agreement on SWIFT bank data transfer,” Europe on the Strand (7 Jul. 2010); “US to access European’s bank data in new deal,” BBC, 8 Jul. 2010.

  109. 109.

    Official Journal L 0215, 11/08/2012 P. 5–0014.

  110. 110.

    Letter from the Article 29 Data Protection Working Party dated 6 Jan. 2012 addressed to Members of the Civil Liberty, Justice and Home Affairs (LIBE) Committee of the European Parliament (Ref. Ares(2012)15841–06/01/2012).

    It was also reported in Sept. 2016 that the US Dept. of Homeland Security was planning to have travellers to the US enter on their visa application and arrival forms the information associated with their “online presence”, or “social media identifier” while in the US. The rationale was that this would help detect potential threats by criminals and terrorists since past experience seemed to show that they, whether intentionally or not, had provided previously unavailable information via social media that revealed their true intentions. (Ivana Kottasova, “Why U.S. border agents want to know your Twitter handle”, CNN, 21 Sept. 2016.)

  111. 111.

    379 F. Supp. 2d 299 (E.D.N.Y. 2005).

  112. 112.

    18 U.S.C. § 2701, et seq. (1986).

  113. 113.

    §2702(a) of the ECPA stipulates:

    1. (1)

      a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

    2. (2)

      a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service ….

      The statute defines “electronic communication service” as “any service which provides to users the ability to send or receive wire or electronic communications” (18 U.S.C. § 2510(15)).

  114. 114.

    The disclosure was published by The Washington Post and The Guardian on 7 June 2013.

  115. 115.

    Alan Wehler, “The Future of EU Data Protection: Challenges in light of PRISM,” 3 Oct. 2013, available at http://safegov.org/2013/10/3/the-future-of-eu-data-protection-challenges-in-light-of-prism.

  116. 116.

    AFP, “Austrian sues Facebook over privacy,” Bangkok Post, 9 Apr. 2015.

  117. 117.

    Maximillian Schrems v. Data Protection Commissioner (Hogan J.), 18 Jun. 2014 [2013 No. 765JR].

  118. 118.

    Opinion of Advocate General Bot of 23 Sept. 2015, Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Request for a preliminary ruling from the High Court (Ireland)). For criticisms of this opinion, see Christopher Kuner, “Safe Harbor in stormy seas: The Advocate General Opinion in Schrems,” Cambridge J.I. & Comp. L. blog, 29 Sept. 2015, essentially that while the Safe Harbor Agreement could be strengthened and that intelligence access to data be restricted, invalidating it completely “would send a signal to third countries in other regions that it is futile for them to even attempt to adapt their law to EU standards since they have no chance of satisfying them”, bearing in mind that only six adequacy decisions have been issued for States outside Europe (i.e., Argentina, Canada (commercial organisations), Israel, New Zealand, Uruguay, and the US Dept. of Commerce’s Safe Harbor Privacy Principles) in the 17 years since the EU Directive came into force.

  119. 119.

    Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, ECLI:EU:C:2015:650. See also, “Get off of my cloud: A European court ruling presages a transatlantic battle over data protection”, Economist, 10 Oct. 2015, 55–56.

  120. 120.

    Public Law No. 114–126 (02.24/2016).

  121. 121.

    “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield,” European Commission Press Release, 29 Feb. 2016.

  122. 122.

    For a critical analysis of the Privacy Shield in light of Schrems, see, Christopher Kuner, “Reality and Illusion in EU Data Transfer Regulation Post Schrems,” University of Cambridge Fac. of Law Research Paper (14 Feb. 2016).

  123. 123.

    APEC Privacy Framework (Singapore: APEC Secretariat, 2005). The member economies are: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Rep. of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, Philippines, Russia, Singapore, Chinese Taipei (Taiwan), Thailand, US, and Vietnam.

  124. 124.

    These Principles regulate prevention of harm; notice; collection limitations; uses of personal information; choices of the individual or organization regarding the collection, use, and disclosure of his/its personal information; integrity of personal information; security safeguards; access and correction; and accountability.

  125. 125.

    However, one legal scholar argues that the possibilities of a global, legally binding data protection instrument remains elusive in the foreseeable future due to the considerable differences in the approaches to data protection around the world caused by cultural, historical and legal factors as well as the lack of consensus on which international organization could coordinate or oversee such global data protection regime (Christopher Kuner, “The European Union and the Search for an International Data Protection Framework”, Groningen JIL 2 (2014): 55 at 59–60, 66).

  126. 126.

    Human Rights Committee, General Comment no. 34, Article 19, Freedoms of opinion and expression, 12 Sept. 2011, CCPR/C/GC/34, paras. 18–19.

  127. 127.

    E.g., Desmond Butler, “Turkish prosecutor seeks to block social media after deadly shootout,” China Post, 7 Apr. 2015, 2; id., “Turkey restores access to Twitter, YouTube, threatens Google ban over militant group’s photos,” US News & World Report, 6 Apr. 2015.

  128. 128.

    Decision No. 2014/3986 (2 Apr. 2014).

  129. 129.

    Decision No. 2014/4705 (29 May 2014).

  130. 130.

    See, e.g., Norwood v. the United Kingdom (dec.), no. 23131/03, ECHR 2004-XI; Sürek v. Turkey (no. 1)[GC], no. 26682/95, ECHR 1999-IV; Zana v. Turkey, 25 November 1997, Reports of Judgments and Decisions 1997-VII; Erbakan v. Turkey, no. 59405/00, 6 July 2006; Vajnai v. Hungary, no. 33629/06, ECHR 2008; Leroy v. France, no. 36109/03, 2 October 2008; Féret v. Belgium, no. 15615/07, 16 July 2009; Gül and Others v. Turkey, no. 4870/02, 8 June 2010. These cases are cogently analyzed in Antoine Buyse, “Dangerous Expressions: The ECHR, Violence and Free Speech”, 63 Int’l & Comp. L. Quarterly 491; id., “Words of Violence: Relating Violent Conflict Escalation to the Boundaries of the Freedom of Expression”, 36 Human Rights Quarterly 779 (2014).

  131. 131.

    Cf. Reno v. American Civil Liberties Union, 521 U.S. 844 (1997); Dawn C. Nunziato, “The Beginning of the End of Internet Freedom,” Georgetown J. Int’l L. 45 (2014),: 383 at 398–402, 404–410.

  132. 132.

    “Google backs down over Blogger porn rule change,” BBC, 27 Feb. 2015.

  133. 133.

    www.torproject.org. Tor is reported to have been originally designed by the US Naval Research Laboratory to assist its operations and to help individuals living under repressive regimes and to continue to receive funding from the US Dept. of State (Jane Wakefield, “Huge raid to shut down 400-plus dark net sites,” BBC, 7 Nov. 2014).

  134. 134.

    Mark Ward (“Tor’s most visited sites host child abuse images,” BBC, 30 Dec. 2014), reporting on the study by Dr. Gareth Owen of the University of Portsmouth in the UK which found approx. 80,000 hidden sites on Tor, with the five biggest number of hidden services being the sites selling illegal drugs, underground markets, fraud sites, sites providing mail services, and those dealing with the virtual currency bitcoin.

  135. 135.

    Post Note No. 488 (Mar. 2015); Kevin Rawlinson, “Banning Tor unwise and infeasible, MPs told,” BBC, 10 Mar. 2015. For an analysis on Tor, cf. also, Singer and Friedman, Cybersecurity and Cyberwar, 108–110.

  136. 136.

    Sean Gallagher, “Under the hood of I2P, the Tor alternative that reloaded Silk Road,” Ars Technica, 14 Jan. 2015; Kate Knibbs, “I2P: The Super-Anonymous Network That Silk Road Calls Home,” Gizmodo, 23 Jan. 2015.

  137. 137.

    Act No. 3848 of May 12, 1986, as amended [2005] PrivLRes 2.

  138. 138.

    Online Real-Name Case, Constitutional Court of Korea, 2010 Honma 47 (23 Aug. 2012).

  139. 139.

    Doc. A/HRC/23/40 (17 Apr. 2013), para. 49.

  140. 140.

    For a philosophical discussion on the meaning of privacy, see, Tunick, Balancing Privacy and Free Speech, 24–61. See also, Paul Bernal, Internet Privacy Rights: Rights to Protect Autonomy (Cambridge: Cambridge University Press, 2014), where the author argues that the right to privacy aims primarily at protecting the autonomy of a person, including civil rights such as the freedom of speech, association, or assembly as well as other aspects of that person’s freedom to live as one would like to.

  141. 141.

    Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, ECLI:EU:C:2014:317, para. 93.

  142. 142.

    Ibid., para. 99, and cf. also paras. 81, 82, 97, and 100.

  143. 143.

    Ibid., para. 88.

  144. 144.

    Ibid., para. 98. For a brief analysis of situations in various States regarding the demand for search engines to remove or restrict access to unwanted information, see, Tunick, Balancing Privacy and Free Speech, 195–201.

  145. 145.

    Christopher Kuner, “The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines: Current Issues and Future Challenges,” Studies of the Max Planck Institute Luxembourg for International, European & Regulatory Procedural Law (Ashgate: Nomos/Brill, 2015), 9, citing paras. 82 and 100 of the Judgment in Costeja.

  146. 146.

    See, e.g., La Quadrature du Net, “The Right to be Forgotten: Don’t Forget the Rule of Law!,” 17 July 2014, available at: https://www.laquadrature.net/en/the-right-to-be-forgotten-dont-forget-the-rule-of-law. See also, Ifex, “How ‘The Right to be Forgotten’ affects privacy and free expression”, 21 July 2014, available at: https://www.ifex.org/europe_central_asia/2014/07/21/right_forgotten/; cf. also, David J. Stute, “Privacy Almighty?: The CJEU’s Judgment in Google Spain SL v. AEPD,” Michigan JIL 36 (2015): 649 at 672–680.

  147. 147.

    Kuner, supra note 145 at 22, arguing that the Court could have mentioned the ECtHR’s decision in Times Newspaper Ltd. v. the United Kingdom (nos. 1 and 2), nos. 3002/03 and 23676/03, ECHR 2009, §27, which held that Internet news archives fall within the ambit of the protection of the freedom of expression under Art. 10 of the ECHR.

  148. 148.

    “The right to be forgotten: Drawing the line,” Economist, 4–10 Oct. 2014, 64–65. See also, Mark Scott, “Google cuts links, and makes sure people know,” International New York Times, 4 Jul. 2014, 1; Richard Waters and Henry Mance, “Google in U-turn on removal of news links,” Financial Times, 4 Jul. 2014, 1; Robert Cookson and Sally Davies, “Tough choices on what to forget,” Financial Times, 4 Jul. 2014, 13.

    The statistics released by Google on 10 Oct. 2014 revealed that Google had removed over 200,000 Web links from its European search results after reviewing approx. 145,000 individual requests submitted from 32 countries (“Japan court orders Google to remove man’s search results,” China Post, 12 Oct. 2014, 5). However, according to BBC (12 Oct. 2014), Google was reported to have removed 498,737 links from search results since May 2014, including 63,616 pages following requests from the UK which accounted for 18,304 requests, the third highest in the EU. According to data released on its website, Google removed 35% – or 18,459 – of unwanted links to web pages following requests from the UK. Facebook removed 3353 links across Europe, whereas YouTube deleted 2392 URLs. For a subsequent development regarding such requests for removal, see, Glenn Chapman, “Google gets 348,085 ‘forget’ requests in Europe,” AFP, 26 Nov. 2015, also in Yahoo! News, 26 Nov. 2015, and China Post, 27 Nov. 2015, 6. See also, “Northern Ireland teenager sues Facebook over nude photo”, BBC, 8 Sept. 2016.

  149. 149.

    Taddeo and Floridi, “The Debate on the Moral Responsibilities of Online Service Providers”, 1593–1594.

  150. 150.

    The protection accorded by domestic law to publishers of information concerning convicted persons insofar as it is in the interest of the public to receive such information is well recognized in various legal systems. See, e.g., judgment of Thailand’s Supreme Court no. 7435/2541.

  151. 151.

    A. v. Google, Amsterdam District Court, 18 Sept. 2014, ECLI:NL:RBAMS:2014:6118. Also summarized in Joran Spauwen and Jens van den Brink, “Dutch Google Spain ruling: More Freedom of Speech, Less Right To Be Forgotten For Criminals,” Meld je nu aan voor de Media Report Nieuwsbrief!, 24 Sept. 2014, available at: http://www.mediareport.nl/persrecht/26092014/google-spain-judgment-in-the-netherlands-more-freedom-of-speech-less-right-to-be-forgotten-for-criminals/.

    One author contends that “doxing” (the intentional public realease onto the Internet of personal information about an individual by a third party) may be justified conceptually where it is necessary to reveal the individual’s wrongdoing and such revelation is in the public interest (David M. Douglas, “Doxing: a conceptual analysis”, Ethics Inf. Technol. 18 (2016): 199).

  152. 152.

    Costeja, paras. 53–56. The Court held that the operator of the search engine is the “controller” in respect of the processing, within the meaning of the EU Directive, because it is the operator which determines the purposes and means of the processing.

  153. 153.

    Kuner, “The Court of Justice of the EU Judgment on Data Protection and Internet Search Engines: Current Issues and Future Challenges”, Studies of the Max Planck Institute Luxembourg for International, European & Regulatory Procedural Law, 13.

  154. 154.

    Ibid., 14–16.

  155. 155.

    http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf.

  156. 156.

    Doc. 14/EN WP225, para. 20, quoting para. 88 of the Judgment.

  157. 157.

    Leo Kelion, “Google told to expand right to be forgotten,” BBC, 24 Nov. 2014, and see the debate between the editor of USA Today (“Europe tries to foist Internet scrubbing on U.S.”) and Marc Rotenberg, “Google’s position makes no sense,” USA Today, 23 Jan. 2015, 9A. The former cites cultural and legal gaps as the main reasons for Google not to uphold the “right to be forgotten” in the US. The latter counters that it has been Google’s traditional practice to erase links to stolen credit card numbers and bank records from all its search engines wherever they are; hence, Google should respect the right of an individual to have personal information removed for all Internet domains.

  158. 158.

    Ken Sakakibara, “Tokyo court orders Google to delete search results that implied criminality,” Asahi Shimbun, 10 Oct. 2014; “Japanese court orders Google to remove harmful search results,” RT News, 10 Oct. 2014.

  159. 159.

    420 U.S. 469 (1975).

  160. 160.

    101 P.3d 552 (2005). For a discussion of this case, see, Tunick, Balancing Privacy and Free Speech, 17, 117–118.

  161. 161.

    Апетьян: Это продолжение линии властей ЕС на регулирование Интернета [Apetyan: This is the continuation of the EU government’s policy to regulate the Internet], available at http://vz.ru/news/2014/6/4/690049.html.

  162. 162.

    See, e.g., “Women and jihad: Caliphate calling,” Economist, 28 Feb. 2015, 52; “How ISIS is winning the propaganda war,” Time, 6–13 Jul. 2015, 10; “Islamic State: The propaganda war,” Economist, 15 Aug. 2015, 41–42. For its part, the French Government has launched a website entitled “Stop jihadism” to counter jihadist propaganda (Sandrine Amiel, Ariana Williams and Laura Smith-Spark, “France launches website to counter jihadist propaganda,” CNN, 28 Jan. 2015).

    ISIL is currently at the top of the list of enemies of the US Govt.’s Arizona Cyber Warfare Range (AZWR) entrusted with, among other things, taking down radicalizing Internet accounts and websites (“Cyber warfare: The new international warfront”, Al Jazeera, 23 Oct. 2016).

  163. 163.

    Laurie Segall, “An app called Telegram is the ‘hot new things among Jihadists’,” CNN, 18 Nov. 2015; Erica Fink, Jose Pagliery, and Laurie Segall, “Technology and the fight against terrorism,” loc. cit., 24 Nov. 2015.

  164. 164.

    Admiral James Stavridis, “An 8-step plan to defeat ISIS,” Time, 30 Nov.-7 Dec. 2015, 31. The Admiral is a former NATO commander and a retired US Navy Admiral.

  165. 165.

    “US and UK ‘spy on virtual games like World of Warcraft’”, BBC, 8 Dec. 2013.

  166. 166.

    “Twitter suspends Somali militants’ account,” New York Times, 6 Sept. 2013.

  167. 167.

    “Google: Impossible to filter all YouTube ‘terror’,” Al Jazeera, 28 Jan. 2015.

  168. 168.

    Laurie Segall, “The secret hackers trying to bring down ISIS,” CNN, 20 Nov. 2015.

  169. 169.

    Para. 3, Joint Statement dated 11 Jan. 2015, available at: http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20150111_joint_statement_of_ministers_for_interrior_en.pdf.

  170. 170.

    “British Prime Minister David Cameron called for a ban on messaging services that the government can’t snoop on,” CNN, 13 Jan. 2015.

  171. 171.

    GCHQ is the UK Govt.’s intelligence and security organization. For more details see its official website: http://www.gchq.gov.uk/Pages/homepage.aspx.

  172. 172.

    Intelligence and Security Committee of Parliament, Report on the intelligence relating to the murder of Fusilier Lee Rigby (25 Nov. 2014), 7.

  173. 173.

    Ibid., 146, footnote omitted, emphasis original. See also, Andrew Keen, “Is the internet a safe haven for terrorists?,” CNN, 28 Nov. 2014.

    In an interview with the BBC television channel, the head of the British Security Service (MI5) said in September 2015 that online data encryption was creating a situation where the police and intelligence agencies could no longer obtain under a proper court warrant the communication of people they believed to be terrorists, and that this was against public interests (“MI5 boss warns of technology terror risk,” BBC, 17 Sept. 2015).

  174. 174.

    For an analysis of the debate on encryption in the context of the fight against security threats after the 13 Nov. 2015 terrorist attacks in Paris, France, see “The terrorist in the data: How to balance security with privacy after the Paris attacks,” Economist, 28 Nov. 2015, 21–23. Cf. also, Haley Sweetland Edwards, “Why we can’t unscramble the fight over encryption”, Time, 25 Jan. 2016, 21–22.

  175. 175.

    Pub. L. No. 103–414, 108 Stat. 4279 (codified at 47 U.S.C. §§1001–1010). CALEA will be discussed in Sect. 3.3.2 below.

  176. 176.

    Erika Kinetz, “China plays down anti-terror law concerns,” AP, 3 Mar. 2015.

  177. 177.

    An Act to enact the Security of Canada Information Sharing Act and the Secure Air Travel Act, to amend the Criminal Code, the Canadian Security Intelligence Service Act and the Immigration and Refugee Protection Act and to make related and consequential amendments to other Acts, 2nd Session, 41st Parliament.

  178. 178.

    “Canada’s anti-terrorism bill: Let freedom ring,” Economist, 21 Mar. 2015, 33. In February 2016, Privacy International, an NGO in special consultative status with the UN Human Rights Council, submitted a written statement to the Council expressing concerns about the right to privacy in surveillance laws of China, France, Kenya, the Netherlands, Pakistan, Switzerland, and the UK (Doc. A/HRC/31/NGO/X, 10 Feb. 2016).

  179. 179.

    For some real-life examples of loopholes in such a wide net of intelligence surveillance, see, Dana Priest and William Arkin, “Blinded by information overload,” Sydney Morning Herald, 20 Jul. 2010, 14.

    Galison and Minow bluntly conclude: “Successful law enforcement efforts, e.g. arrest of major al-Qaeda leaders, did not come from trolling through millions of private e-mails, correlating their contents with the book borrowing or video rentals; it [sic.] has come from targeted cell phones and pavement pounding police work. To date, it is at most a tiny minority of terrorists who have been convicted as a result of data mining consumers and government records. …” (Galison and Minow, “Our Privacy, Ourselves in the Age of Technological Intrusions”, 286).

  180. 180.

    Human Rights Committee, General Comment no. 16: Article 17 (Right to Privacy), para. 4.

  181. 181.

    Id., Antonius Cornelis Van Hulst, 8 Apr. 1998, Communication No. 903/1999, para. 7.7.

  182. 182.

    See, Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, 28 Dec. 2009, A/HRC/13/37, para. 17; Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, 17 Apr. 2013, A/HRC/23/40, para. 29.

  183. 183.

    Human Rights Committee, General Comment no. 34, Article 19 (Freedoms of opinion and expression), para. 25.

  184. 184.

    Ibid., para. 46.

  185. 185.

    Report of the Office of the High Commissioner for Human Rights, “The Right to Privacy in the Digital Age,” para. 29.

  186. 186.

    Ibid., para. 24.

  187. 187.

    Ibid., para. 25, and see also paras. 26–27.

  188. 188.

    Human Rights Committee, Toonen v. Australia, 25 Dec, 1991, Communication No. 488/1992. See also the last preambular para. of the UN Human Rights Council resolution on the Right to Privacy in the Digital Age adopted without a vote on 26 Mar. 2015 (A/HRC/28/L.27) which reaffirms that States must ensure that any measure taken to combat terrorism is in compliance with their obligations under international law, in particular international human rights, refugee and humanitarian law.

  189. 189.

    UN Doc. A/HRC/17/27 (16 May 2011), para. 24. See also, Bruce Schneier, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (New York: W.W. Norton, 2015).

  190. 190.

    UN Doc. A/HRC/29/32 (22 May 2015), para. 43.

  191. 191.

    Ahmet Yıldırım v. Turkey, no. 3111/10, ECHR 2012, and see esp. the concurring opinion of Judge Paulo Pinto de Albuquerque at §§27–28.

  192. 192.

    Ibid. Also analyzed by Dawn C. Nunziato, “The Beginning of the End of Internet Freedom,” Georgetown J. Int’l L. 45 (2014): 383 at 396–8, 404, 407.

  193. 193.

    Klass and Others v. Germany, 6 September 1978, Series A no. 28, §§ 33–38; Weber and Saravia v. Germany (dec.), no. 54934/00, ECHR 2006-XI, §78.

  194. 194.

    Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, no. 62540/00, 28 June 2007; Liberty and Others v. the United Kingdom, no. 58243/00, 1 July 2008, §§56–57.

  195. 195.

    Malone v. the United Kingdom, 2 August 1984, Series A no. 82, §67. Followed in Liberty v. the United Kingdom.

  196. 196.

    See, M.M. v. the United Kingdom, no. 24029/07, 13 November 2012, §193.

  197. 197.

    Kruslin v. France, 24 April 1990, Series A no. 176-A, §33 (emphasis added).

  198. 198.

    See, Amann v Switzerland, §76, where the ECtHR states that the legal basis must be sufficiently clear and detailed. See also ECtHR, Malone v. the United Kingdom, §§67–68, where the ECtHR underlines that:

    the law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to this secret and potentially dangerous inference with the right to respect for private life and correspondence …

  199. 199.

    See ECtHR, Weber v. Germany, §94; see also ibid., §95, where the ECtHR defined the following minimum safeguards that must apply in domestic law:

    the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.

  200. 200.

    Ibid., §93.

  201. 201.

    Klass and Others v. Germany, §58.

  202. 202.

    Malone v. the United Kingdom, §67.

  203. 203.

    Ibid., para. 68.

  204. 204.

    Digital Rights Ireland Ltd., paras. 28–29.

  205. 205.

    Big Brother Watch and Others v. the United Kingdom (communicated case), no. 58170/13, 7 January 2014.

  206. 206.

    Ibid., at Complaints.

  207. 207.

    Jemima Stratford and Tim Johnston, “The Snowden ‘Revelations’: Is GCHO Breaking the Law?,” European Human Rights L. Rev. 14 [2014]: 129, 135–137.

  208. 208.

    Tallinn Manual 2.0, chap. 6 International human rights law.

  209. 209.

    Leander v. Sweden, 26 March 1987, Series A no. 116.

  210. 210.

    E.g., Klass v. Germany; Necessary and Proportionate, “International Principles on the Application of Human Rights Law to Communications Surveillance – Background and Supporting International Legal Analysis,” May 2014, available at: https://necessaryandproportionate.org/legalanalysis, 42.

  211. 211.

    Evans v. the United Kingdom [GC], no. 6339/05, ECHR 2007-I, §77.

  212. 212.

    Z v. Finland, 25 February 1997, Reports of Judgments and Decisions 1997-I, §95; see also ECJ, Digital Rights Ireland Ltd., para. 48.

  213. 213.

    Fred H. Cate, James X. Dempsey, and Ira S. Rubinstein, “Systematic Government Access to Private-Sector Data,” International Data Privacy Law 2 (2012): 195, 197–198.

  214. 214.

    Klass v. Germany, §48.

  215. 215.

    Ibid., §49.

  216. 216.

    Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, para. 60 (citation omitted).

  217. 217.

    Malone v. the United Kingdom, §68. This is also the gist of the ECtHR’s ruling in Segerstedt-Wiberg and Others v. Sweden, no. 62332/00, ECHR 2006-VII

  218. 218.

    Kennedy v. the United Kingdom, §153.

  219. 219.

    European Court of Human Rights’ Research Division, National security and European case-law, para. 33, citing Klass, §§55–56, and Kennedy, §167.

  220. 220.

    See, Necessary and Proportionate, “International Principles”, 43.

  221. 221.

    Ibid., 44 referring to BVerfGE 120, p. 274, citation on p. 328.

  222. 222.

    Hogefeld v. Germany (dec.), no. 35402/97, 20 January 2000; inadmissible.

  223. 223.

    Uzun v. Germany, no. 35623/05, ECHR 2010, §§77–81.

  224. 224.

    Digital Rights Ireland Ltd., para. 59.

  225. 225.

    S. and Marper v. the United Kingdom [GC], nos. 30562/04 and 30566/04, ECHR 2008, §119, where the ECtHR found that:

    [t]he material may be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender; fingerprints and samples may be taken – and retained – from a person of any age, arrested in connection with a recordable offence, which includes minor or non-imprisonable offences. The retention is not time-limited; the material is retained indefinitely whatever the nature or seriousness of the offence of which the person was suspected.

    The ECtHR reached a similar conclusion in Segerstedt-Wiberg and Others v. Sweden, no. 62332/00, ECHR 2006-VII.

  226. 226.

    [2009] EWCA Civ. 414, per Dyson LJ at paras. 84 and 85. See also the opinion of Lord Collins of Mapesbury, ibid., paras. 96–100. This case is analyzed in details in Roger Brownsword and Morag Goodwin, Law and the Technologies of the Twenty-First Century: Text and Materials (Cambridge: Cambridge University Press, 2012), 426 et seq.

  227. 227.

    “GCHQ does not breach human rights, judges rule,” BBC, 5 Dec. 2014; Laura Smith-Spark, “Tribunal censures UK over US surveillance data sharing,” CNN, 6 Feb. 2015; “UK court says spies’ Internet surveillance was unlawful,” Al Jazeera, 6 Feb. 2015.

  228. 228.

    Stratford and Johnston, “The Snowden ‘Revelations’”, 130. The article summarizes the contents of the internal report submitted by the authors to the Chairperson of the All Party Parliamentary Group on Drones.

  229. 229.

    [2016] UKIPTrib 15_110-CH, esp. para. 62.

  230. 230.

    International Strategy for Cyberspace, 5.

  231. 231.

    Ibid.

  232. 232.

    Ibid., 20.

  233. 233.

    Ibid., 20, 21.

  234. 234.

    692 F.3d 185 (2nd Cir. 2012).

  235. 235.

    Ashcroft v. al-Kidd, 131 U.S. 2074, 2081 (2011), quoting Vernonia Sch. Dist. 47J v. Acton, 515 U.S. 646, 653 (1995).

  236. 236.

    Phillippi v. CIA, 546 F.2d 1009 (D.C. Cir., 1976) and 655 F.2d 1325 (D.C. Cir., 1981).

  237. 237.

    592 F.3d 60, 76 (2nd Cir. 2009).

  238. 238.

    552 F.3d 157 (2d Cir. 2008).

  239. 239.

    547 U.S. 843, 846 (2006), quoting United States v. Knights, 534 U.S. 112, 118–119 (2001).

  240. 240.

    Foreign Intelligence Surveillance Act, Pub. L. No. 95–511, 92 Stat. 1783 (codified at 50 U.S.C. §§1801–1811 (2000)).

  241. 241.

    See, e.g., Pete Yost, “Gov’t threatens Yahoo with huge fine over e-mails,” Detroit News, 12 Sept. 2014.

    The NSA Report: Liberty and Security in a Changing World by the President’s Review Group on Intelligence and Communications Technologies (Dec. 2013, pp. 152–53) emphasizes:

    Section 702 authorizes the NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular “identifier” (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities. (Emphasis original)

  242. 242.

    As in the case of, e.g., Microsoft’s plan to set up data centres in 3 Indian cities by the end of 2015 to offer its commercial cloud services from these centres as it seeks to tap into the Indian market where the Internet use is growing fast (“Microsoft to tap into US$2 trillion Indian cloud storage market,” China Post, 1 Oct. 2014, 2). As of June 2014, Microsoft’s global network of data centres included over one million computers in more than 100 data centres at over 40 States (Steve Lohr, “Microsoft Protests Orders for E-mail Stored Abroad,” New York Times, 11 Jun. 2014, B1 at B2). Also, Google operates 12 cloud computing data centres around the world, with 7 in the Americas, 2 in Europe, and 3 in Asia (Singapore, Taiwan, Hong Kong), each being customized to the respective regions and local climate to optimize efficiency (“Google to increase investment in Taiwan cloud data center: report,” Taiwan News, 9 Oct. 2014, 3). Cf. also “The cheap, convenient cloud,” Economist, 18 Apr. 2015, 54–55; Rob Crossley, “Where in the world is my data and how safe is it?,” BBC, 9 Aug. 2016.

  243. 243.

    See, Zack Whittaker, “Yes, U.S. authorities can spy on EU cloud data. Here’s how,” Between the Lines, 1 Feb. 2013.

  244. 244.

    Cf. Sajai Singh et al., “Technology Surveillance” in Legal Issues in the Global Information Society, eds. Dennis Campbell and Chrysta Bán (Dobbs Ferry, NY: Oceana, 2005), chap. 3 at 92–93, 104–111.

  245. 245.

    Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1154 (2013).

  246. 246.

    ACLU v. National Security Agency, 493 F.3d 644, 671 (6th Cir. 2007). See also, Joseph Menn, “Secret US court approved wider NSA spying”, Reuters (20 Nov. 2013).

  247. 247.

    Klass v. Germany, §§55–56. See also Kennedy v. the United Kingdom, §§128, 159–170, 190.

  248. 248.

    Rotaru v Romania, §59.

  249. 249.

    App. No. 47143/06, Judgment of 4 Dec. 2015, para. 167.

  250. 250.

    Ibid., para. 171, citations omitted.

  251. 251.

    Ibid., para. 238.

  252. 252.

    Ibid., paras. 302–305.

  253. 253.

    Human Rights Committee, Concluding Observations, USA, 23 Apr. 2014, para. 22 (c).

  254. 254.

    Menn, supra note 246.

  255. 255.

    “US court revises 1 of 4 requests from NSA: judge,” AFP, 16 Oct. 2013.

  256. 256.

    In re: Application of the FBI for an Order Requiring the Production of Tangible Things, No. BR 14–01 (FISA Ct. Mar. 7, 2014).

  257. 257.

    E.g., a large number of telephone calls from Washington, DC were intercepted after a typo error in a computer programme which had entered “202”, which is the telephone area code for Washington, DC, into a data query instead of “20”, which is the international dialing code for Egypt.

  258. 258.

    E.g., interception of data of foreign targets despite the fact that the targets had entered the US; or the mistaken belief that the targets were non-US citizens but the targets were in fact US citizens. US law prohibits collecting such data on US citizens or foreign citizens who are in the US.

  259. 259.

    “Edward Snowden documents show NSA broke privacy rules,” BBC, 16 Aug. 2013.

  260. 260.

    Remark on Review of Signals Intelligence.

  261. 261.

    Pub. L. 114–23, 129 Stat. 268 (2015).

  262. 262.

    Section 110 of the Act, entitled “Rule of Construction”, provides:

    Nothing in this Act shall be construed to authorize the production of the contents (as such term is defined in section 2510(8) of title 18, United States Code) of any electronic communication from an electronic communication service provider (as such term is defined in section 701(b)(4) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881(b)(4)) under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.).

  263. 263.

    Joe Miller, “Google and Apple to introduce default encryption,” BBC, 19 Sept. 2014; “Digital Privacy: Cryptography for dummies,” Economist, 29 Nov. 2014, 67–68. See also efforts to have a fully encrypted smartphone which protects users from prying governments, industrial rivals, and hackers (Ron Lever, “Encrypted Blackphone battles snoopers,” China Post, 20 Jan. 2014, 6).

    However, while this applies to data on an Apple or Android device, data put in the cloud could still be accessible to law enforcement agencies. Besides, as one research report points out,

    although [cloud service providers] will share data when required by a warrant, court order or subpoena, they often open up the scope to other general “legal processes,” a term without specific legal content and therefore potentially too broad. Further, only a handful of companies explicitly state that they will attempt to challenge judicial and law enforcement requests when they think they can be excessive or illegitimate. … (K. Stylianou, J. Venturini and N. Zingales, “Protecting user privacy in the Cloud: an analysis of terms of service,” Euro. J. Law & Techno. 6 (2015), 100).

  264. 264.

    Jack Nicas, “Google Faces Challenges in Encryption Android Phones,” Wall St. J., 15 Mar. 2016, B1.

  265. 265.

    “WhatsApp expands encryption to protect messages,” Al Jazeera, 6 Apr. 2016; James Griffiths, “WhatsApp adds end-to-end encryption for all communications,” CNN, 6 Apr. 2016.

  266. 266.

    Evan Perez, “Why the FBA Director really wants to be able to access your iPhone,” CNN, 16 Oct. 2014, reporting FBI Director James Comey’s speech at the Brookings Institution, where he reasons that “if the bad guys don’t back up their phones routinely or of they opt out of uploading to the cloud, the data will only be found on the encrypted devices”. See also “Yahoo executive challenges NSA over encryption demands,” BBC, 24 Feb. 2015.

  267. 267.

    Pub. L. No. 103-414, 108 Stat. 4279 (codified at 47 U.S.C. §§1001–1010).

  268. 268.

    28 U.S.C. §1651.

  269. 269.

    In re Order Requiring Apple, Inc. to Assist in the Execution of a Search Warrant Issued by the Court, 149 F. Supp. 3d 341 (E.D.N.Y. 2016).

  270. 270.

    “Apple faces US appeal to force it to unlock iPhone,” BBC, 8 Mar. 2016.

  271. 271.

    In re Search of an Apple iPhone Seized during an Execution of an Apple iPhone Seized during the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 (Govt.’s Application for Order Compelling Apple Inc. to Assist Agents in Search), No. ED 15-0451M, 2016 U.S. Dist. LEXIS 20543 (C.D. Cal. Feb. 16, 2016).

  272. 272.

    Dave Lee, “Apple ordered to unlock San Bernardino gunman’s phone,” BBC, 17 Feb. 2016; Tami Abdollah and Eric Tucker, “Apple resisting magistrate order to share iPhone information,” AP, 17 Feb. 2016; Evan Perez and Tim Hume, “Apple opposes judge’s order to hack San Bernardino shooter’s iPhone,” CNN, 18 Feb. 2016.

  273. 273.

    See a detailed account of this incident in Lev Grossman, “Inside Apple’s Code War,” Time, 28 Mar. 2016, 24–31.

  274. 274.

    Daisuke Wakabayashi, “Apple’s Encryption Puzzle,” Wall St. J., 16 Mar. 2016, B1.

  275. 275.

    Laurie Segall, Jose Pagliery, and Jackie Watters, “FBI says it has cracked terrorist’s iPhone without Apple’s help,” CNN, 28 Mar. 2016; “FBI-Apple case: Investigators break into dead San Bernardino gunman’s iPhone,” BBC, 29 Mar. 2016; Rory Cellan-Jones, “Meeting Cellebrite – Israel’s master phone crackers”, BBC, 26 Sept. 2016.

  276. 276.

    Evan Perez, Pamela Brown, and Shimon Prokupecz, “Sources: Data from San Bernardino phone has helped in probe,” CNN, 20 Apr. 2016.

  277. 277.

    “FBI ‘may be able to unlock’ San Bernardino iPhone,” BBC, 22 Mar. 2016; Leo Kelion, “Israel’s Cellebrite linked to FBI’s iPhobe hack attempt,” BBC, 23 Mar. 2016.

  278. 278.

    Dave Lee, “Apple’s FBI row is just beginning,” BBC, 22 Mar. 2016; Leon Kelion, “Cracked iPhone: Should you be worried?,” BBC, 29 Mar. 2016; Julian Sanchez, “The real meaning of Apple’s battle with the FBI over encryption,” Time, 7 Mar. 2016, 18; Elaine Campbell,: “The New Age of Surveillance”, Harvard L. Bull. (Spring 2016): 38–44. See also, Ilias Chantzos and Shireen Alam, “Technological Integrity and the Role of Industry in Emerging Cyber Norms,” in International Cyber Norms, eds. Osula and Rõigas, chap. 10 at 212–213, 216–220.

  279. 279.

    Wesley Bruer, “FBI paid more than $1 million to hack San Bernardino shooter’s iPhone, Comey says,” CNN, 21 Apr. 2016. It was later reported that Dr. Sergei Skorobogatov, a computer scientist at Cambridge University, has succeeded in cloning memory chips from iPhone 5C to bypass the passcode and unlock the data in memory on the iPhone. The electronic components used in the process cost merely US$100 (“Harware hack defeats iPhone passcode security”, BBC, 19 Sept. 2016).

  280. 280.

    “US pushes Apple for access to iPhones in criminal cases,” BBC, 8 Apr. 2016.

  281. 281.

    Larry Nuemeister, “Brooklyn Case Takes Front Seat in Apple Encryption Fight,” AP, 8 Apr. 2016.

  282. 282.

    “US drops request for Apple to reveal data,” Bangkok Post, 23 Apr. 2016.

  283. 283.

    “The Feds Have Abandoned Another iPhone Unlocking case in Boston,” Motherboard, 8 Apr. 2016; Scott Malone, “U.S. judge in Boston ordered Apple to help law enforcement examine iPhone,” Reuters, 8 Apr. 2016.

  284. 284.

    United States v. Michaud, No. 3:15-cr-05351-RJB. Ibid., Doc. 166–2, filed 28 Mar. 2016, Declaration of FBI Special Agent Daniel Alfin in Support of the Motion for Reconsideration. For background of the case, see, “FBI Is Pushing Back Against Judge’s Order to Reveal Tor Browser Exploit,” Motherboard, 29 Mar. 2016; “FBI resists call to reveal Tor hacking secrets,” BBC, 30 Mar. 2016.

  285. 285.

    No. 4:16-cr-00016-HCM-RJK, at *40 ff.

  286. 286.

    Boris Segalis, Andrew Hoffman, and Kathryn Linsky, “Federal Cybersecurity Information Sharing Act signed into law,” cybercrime, Regulatory response, 3 Jan. 2016, available at: http://www.dataprotectionreport.com/2016/01/federal-cybersecurity-information-sharing-act-signed-into-law/.

  287. 287.

    Paul Cruickshank, Andrew Carey and Michael Pearson, “British police tricked terror suspect into handing over phone, source says,” CNN, 1 Apr. 2016.

  288. 288.

    573 U.S. 2473 (2014).

  289. 289.

    Kevin Rawlinson, “Apple complies with greater proportion of US data demands,” BBC, 19 Apr. 2016.

  290. 290.

    Charles Riley, “The Great Firewall of China is nearly complete,” CNN, 30 Dec. 2014; “Chinese access to Gmail cut, regulators blamed,” Taiwan News, 31 Dec. 2014, 6; Matthew Pennington, “China Web freedom group faces online disruption,” AP, 19 Mar. 2015; Kevin Rawlinson, “Anti-censorship China activists ‘under DDoS attack’,” BBC, 19 Mar.2015; “Great walls of fire,” Economist, 4 Apr. 2015, 28; Hannah Beech, “The Other Side of the Great Firewall,” Time, 22 Jun. 2015, 24–29; “China politics: Creating a digital totalitarian state”, Economist, 17 Dec. 2016, 20–23. It was also reported that the Chinese Government allegedly censored the pollution monitors in mobile apps during the seven-day Asia-Pacific Economic Cooperation (APEC) meeting in Beijing in Nov. 2014 (Louise Watt, “US pollution data on Beijing blocked on app,” China Post, 12 Nov. 2014, 13). Cf. also, Nigel Inkster, “China in Cyberspace” in Cyber Challenges and National Security, ed. Reveron, chap. 12.

  291. 291.

    Noah Feldman, “Could trade law curb Chinese hackers?,” Bloomberg View, 3 Sept. 2014.

  292. 292.

    Tim Hume and Feng Ke, “Apple slammed in China for pulling firewall-busting app OpenDoor,” CNN, 4 Oct. 2013.

  293. 293.

    “China shuts Apple’s film and book services,” BBC, 22 Apr. 2016.

  294. 294.

    “Final Cybersecurity Law Enacted in China”, Hunton & Williams LLP’s Privacy & Information Security Law Blog, 8 Nov. 2016, available at: https://www.huntonprivacyblog.com/2016/11/08/final-cybersecurity-law-enacted-china/.

  295. 295.

    Charles Riley, “BlackBerry will keep operating in Pakistan,” CNN, 1 Jan.2016. For a strong criticism of the Russian Government in relation to cyberspace, see, Andrei Soldatov and Irina Borogan, The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries (New York: Public Affairs, 2015).

  296. 296.

    Hope King, “Facebook and WhatsApp might be the next Apple in encryption fight,” CNN, 10 Mar. 2016.

  297. 297.

    Shasta Darlington, “Brazil blocks WhatsApp,” CNN, 3 May 2016.

  298. 298.

    Rory Cellan-Jones, “WhatsApp and the backdoor battle,” BBC, 6 Apr. 2016.

  299. 299.

    See, Safeguarding National Security (Section 24 of the Freedom of Information Act), available at http://ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Freedom_of_Information/Detailed_specialist_guides/safeguarding_national_security_section_24_foi.ashx.

  300. 300.

    “Panama Papers: Mossack Fonseca says leak came from hack,” Al Jazeera, 6 Apr. 2016; Jane McCallion and Aaron Lee, “Panama Papers: Leak ‘Victim’ Mossack Fionseca says outsider hacked its system,” IT PRO, 6 Apr. 2016.

  301. 301.

    Jeremy Scahill and Josh Begley, “The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle,” The Intercept, 19 Feb. 2015; “Sim card firm links GCHQ and NSA to hack attacks,” BBC, 25 Feb. 2015.

  302. 302.

    169 F. Supp. 2d 1181, at 1186 et seq. (N.D. Cal, Nov. 7, 2001).

  303. 303.

    433 F. 3d 1199 (9th Cir. 2006). See also, Henrik Spang-Hanssen, Cyberspace & International Law on Jurisdiction: Possibilities of Dividing Cyberspace into Jurisdictions with Help of Filters and Firewall Software (Copenhagen: DJØF Publishing, 2004), chap. 34: Are the Cases Violations?; id., Public International Computer Network Law Issues (Copenhagen: DJØF Publishing, 2006), chap. 6: An international dispute on the Internet – California Yahoo! Inc. versus France.

  304. 304.

    See the analysis by Jonathan Bourguignon, “La recherche de preuves informatiques et l’exercice extraterritorial des compétences de l’Etat,” in Colloque de Rouen: Internet et le droit intenational, 357–372. See examples of prohibited extraterritorial enforcement jurisdiction in Maziar Jamnejad and Michael Wood, “The Principle of Non-intervention,” Leiden JIL 22 (2009): 345, 372.

  305. 305.

    2007 SCC 26 (CanLII) (2007) 2 SCR 292, para. 87, quoted in Pål Wrange, “Intervention in National and Private Cyberspace and International Law,” in International Law and Changing Perceptions of Security: Liber Amicorum Said Mahmoudi, eds. J. Ebbesson et al. (Leiden/Boston: Brill Nijhoff, 2014), 307 at 313.

  306. 306.

    Art. 32, Budapest Convention.

  307. 307.

    Amalie M. Weber, “The Council of Europe’s Convention on Cybercrime,” Berkeley Technology Law J. 18 (2003): 425, 433.

  308. 308.

    Milanovic, Extraterritorial Application of Human Rights Treaties, 38.

  309. 309.

    Communication No. R.12/52, U.N. Doc. Supp. No. 40 (A/36/40) at 176 (1981), para. 12.3.

  310. 310.

    Human Rights Committee, General Comment no. 31, The nature of the general legal obligation imposed on States Parties to the Covenant, 26 May 2004, CCPR/C/21/Rev.1/Add.13, para. 10. See also, id., Lopez Burgos v. Uruguay, 29 July 1981, Communication no. 25/1979, at para. 12.3 and Human Rights Committee, Celiberti de Casariego v. Uruguay, 29 July 1981, Communication no. 56/1979, para. 10.3.

  311. 311.

    Cf., e.g., the interpretation of exercise of authority and control over persons for the purposes of establishing a jurisdictional link between such persons and a State Party to the ECHR for the purpose of Art. 1 of the ECHR in Al-Skeini and Others v. the United Kingdom [GC], no. 55721/07, ECHR 2011; Marko Milanovic, “Al-Skeini and Al-Jedda in Strasbourg,” Euro. JIL 23 (2012): 121; id., “Human Rights Treaties and Foreign Surveillance”, Harvard Int’l LJ 56 (2015): 81, 116–118; Samantha Miko, “Al-Skeini v. United Kingdom and Extraterritorial Jurisdiction under the European Convention for Human Rights”, Boston College Int’l & Comp. L. Rev. 35 (2013): 63, 76–79. For an in-depth analysis of somewhat conflicting decisions on the interpretation of facts in this matter, see, Milanovic, Extraterritorial Application of Human Rights Treaties, 134 et seq. and cf. Paust, “Can You Hear Me Now?”, 621–625.

    See also, Hassan v. the United Kingdom [GC], no. 29750/09, ECHR 2014, esp. §§142–151, and Jaloud v. Netherlands [GC], no. 47708/08, ECHR 2014, esp. §§142–151.

  312. 312.

    Catan and Others v. the Republic of Moldova and Russia [GC], nos. 43370/04, 8252/05 and 18454/06, ECHR 2012, §115. Of course, as one author points out, for the purpose of State responsibility, as explained in Chap. 2 above, “effective control” in this context means a State remains liable for action of its agents who are under its “effective control” (Milanovic, Extraterritorial Application of Human Rights Treaties, 171).

  313. 313.

    Milanovic, “Human Rights Treaties and Foreign Surveillance”, 112.

  314. 314.

    Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, ICJ Rep. 2004, p. 136, at pp. 178–180, paras. 108–111.

  315. 315.

    Ibid., p. 179, para. 109, and p. 180, para. 111.

  316. 316.

    See, Report of the Office of the High Commissioner for Human Rights, “The Right to Privacy in the Digital Age”, para. 34.

  317. 317.

    See, Human Rights Committee, Concluding Observations, USA, 23 Apr. 2014, CCPR/C/USA/CO/4, at para. 4. See also, Necessary and Proportionate, “International Principles”, 17.

  318. 318.

    Johnson v. Eisentrager, 339 U.S. 763, 769, 771 (1950) (per Jackson J.).

  319. 319.

    United States v. Verdugo-Urquidez, 494 U.S. 259, 266 (1990) (per Rehnquist CJ, writing for the plurality).

  320. 320.

    Ibid., 275 (internal citation, quotation marks and brackets omitted). The search of Verdugo-Urquidez’s residence was made in Mexico while he was being held in the US and the Court assumed, without discussion, that the search was extraterritorial. This leads one learned author to point out that this judgment confirms the assumption under the Fourth Amendment doctrine that what matters is the location of the property being searched, rather than the location of either the person who is a target of the search or the agent doing the search. See, Jennifer Daskal, “The Un-Territoriality of Data,” Yale LJ 125 (2015): 326.

  321. 321.

    See, Report of the Office of the High Commissioner for Human Rights, “The Right to Privacy in the Digital Age”, para. 35.

    According to US President Obama:

    … the legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas. This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available. But America’s capabilities are unique, and the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do. … (Remarks on Review of Signals Intelligence, 17 Jan. 2014).

  322. 322.

    Daskal (“The Un-Territoriality of Data”, Part III(A)) suggests that the Fourth Amendment protections should apply to US person targets and non-US person targets alike, absent a determination by clear and convincing evidence that collection does not include communications to or from a US person, and does not include other data, such as stored documents, generated in whole or part by a US person. Cf. Orin S. Kerr, “The Fourth Amendment and the Global Internet”, 67 Stanford. L. Rev. (2015): 285. Kerr (at 290 ff.) contends that online contacts should not create Fourth Amendment protection under Verdugo-Urquidez, and that the Fourth Amendment should apply only when a person monitored has sufficient physical or legal contacts with the US. When the US Government does not know whether the person has Fourth Amendment rights, “such monitoring should be deemed constitutional as long as investigators had a reasonable, good faith belief that their conduct complied with the Fourth Amendment”. When a person with Fourth Amendment rights communicates with another who does not have such rights, the US Government “must fully satisfy the Fourth Amendment standards for monitoring the person with Fourth Amendment rights”.

  323. 323.

    50 U.S.C. §1881a.

  324. 324.

    Daniel Severson, “American Surveillance of Non-U.S. Persons: Why New Privacy Protections Offer Only Cosmetic Change,” Harvard ILJ 56 (2015): 465, 474–476, 482.

  325. 325.

    Ibid., note 26 and at 471–472.

  326. 326.

    Ibid., 479.

  327. 327.

    CCPR/C/SR.1405 (24 Apr. 1995), para. 20.

  328. 328.

    CCPR/C/USA/4 (22 May 2012), para. 505 and see also CCRP/C/USA/Q/4/Add.1 (13 Sept. 2013), para. 2.

  329. 329.

    See the statement of the German Government representative before the Federal Constitutional Court, in: Bundesverfassungsgericht (Federal Constitutional Court), Judgment of 14 Jul. 1999, BVerfGE 100, 313, at 338. The present author is grateful to his colleagues at the IGEs of the Tallinn Manual 2.0 for this information.

  330. 330.

    Rep. of the Office of the UN High Commissioner for Human Rights on The right to privacy in the digital age, paras. 35–36; Marko Milanovic, “Extraterritorial access to information: Rights and duties of States” (panel discussion, Sixth Committee of the UN General Assembly, New York, 28 Oct. 2014); id., “Human Rights Treaties and Foreign Surveillance”, 87–101; Sarah Cleveland and Carly Nyst in Summary of the Human Rights Council panel discussion on the right to privacy in the digital age (UNGA Doc. A/HRC/28/39 dated 19 Dec. 2014), paras. 22, 48, respectively.

  331. 331.

    Rep. of the Office of the UN High Commissioner for Human Rights on The right to privacy in the digital age, para. 34.

  332. 332.

    Charlie Savage, “The U.S. Seems Unlikely to Accept That Rights Treaties Apply to Its Actions Abroad,” New York Times, 6 Mar. 2014.

  333. 333.

    The present author finds that this conclusion is supported by the analysis in Milanovic, Extraterritorial Application of Human Rights Treaties, 222–226; and see also, Paust, “Can You Hear Me Now?”, 618–619.

  334. 334.

    Pp. 3–4 of the memorandum, emphasis original. Cf. also comments on this memorandum by Marko Milanovic, who mostly concurs with Koh, except for a few points. Unlike Koh, Milonovic would extend the positive obligation to ensure human rights whenever a State de facto has effective control over territory, as held by the ECtHR in Loizidou v. Turkey (merits), 18 December 1996, Reports of Judgments and Decisions 1996-VI (M. Milanovic, “Harold Koh’s Legal Opinions on the US Position on the Extraterritorial Application of Human Rights Treaties,” EJIL Talk!, 7 Mar. 2014, and see also, id., Extraterritorial Application of Human Rights Treaties, 141).

  335. 335.

    Harold Koh, “Extraterritorial access to information: Rights and duties of States” (panel discussion, Sixth Committee of the UN General Assembly, New York, 28 Oct. 2014).

  336. 336.

    See, Milanovic, Extraterritorial Application of Human Rights Treaties, 209–222.

  337. 337.

    Milanovic, “Human Rights Treaties and Foreign Surveillance”, 123.

  338. 338.

    UN Human Rights Committee, Concluding Observations on the Fourth Report of the United States of America, para. 9 (26 Mar. 2014), available at: http://justsecurity.org/wp-content/uploads/2014/03/UN-ICCPR-Concluding-Observations-USA.pdf.

  339. 339.

    Tallinn Manual 2.0, chap. 6 International human rights.

  340. 340.

    Ibid.

  341. 341.

    Weber and Saravia v. Germany, §72.

  342. 342.

    Liberty and Others v. the United Kingdom, no. 58243/00, 1 July 2008, esp. §69.

  343. 343.

    See, Necessary and Proportionate, “International Principles”, 5.

  344. 344.

    Human Rights Watch Inc. & Ors v. The Secretary of State for the Foreign & Commonwealth Office & Ors, UKIPT 15_165-CH (16 May 2016), para. 64.

  345. 345.

    Ibid., para. 58.

  346. 346.

    It reads:

    Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law.

    The preceding provisions shall not, however, in any way impair the right of a State to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties.

  347. 347.

    Human Rights Watch Inc. & Ors, para. 59.

  348. 348.

    Ibid., para. 60. The IPT asserted that the ECtHR, including in its judgment in Liberty v. the United Kingdom, had not specifically addressed the question of interception of e-mails or telephone calls passing by cable or airwave through the territory of a Contracting State to the ECHR which were sent or made to and received by persons outside the Contracting State alleged to violate the ECHR, and that, therefore, the IPT was “obliged by domestic law not to more than to keep pace with [the ECtHR]. …” (ibid.).

  349. 349.

    Banković and Others v. Belgium and Others (dec.) [GC], no. 52207/99, ECHR 2001-XII.

  350. 350.

    A. and Others v. the United Kingdom [GC], no. 3455/05, ECHR 2009, esp. §252.

  351. 351.

    [2004] UKHL 56, per Lord Bingham of Cornhill (para. 45 et seq.), which has been followed, e.g., by Lord Hope of Craighead (paras. 136–139).

  352. 352.

    Memorandum and Order, In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 13 Mag. 2814 (S.D.N.Y. Apr. 25, 2014).

  353. 353.

    On the territorial-based limits of the US judiciary’s warrant authority founded on respect of other States’ sovereignty and desire to avoid international political or diplomatic disputes, see, Daskal, “The Un-Territoriality of Data”, Part I(C).

  354. 354.

    In re A Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466 (S.D.N.Y. 2014).

  355. 355.

    Microsoft Corp. v. United States (In re: A Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation), 829 F.3d 197 (2d Cir., 2016).

  356. 356.

    Ibid., *26.

  357. 357.

    Ibid., *note 24 (emphasis original).

  358. 358.

    Ibid., *31.

  359. 359.

    Ibid., *31–32.

  360. 360.

    See, e.g., ibid., at *6 and *34–38.

  361. 361.

    Ibid., *40.

  362. 362.

    Ibid., *42. Judge Lynn, while concurring in the judgment, considers that ‘the dispute [in that case] is not about privacy, but rather about the international reach of American law’. He strongly urges Congress to revise the SCA:

    with a view to maintaining and strengthening the [SCA’s] privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and others data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crimes) against the interests of other sovereign nations. (Sep. op. of Judge Lynn, at *6 and *20, respectively).

  363. 363.

    See also, Steve Lohr, “Microsoft Protests Order for E-mail Stored Abroad,” New York Times, 11 Jun. 2014, B1; “Under my thumb: Governments grapple with law enforcement in the virtual world,” Economist, 10 Oct. 2015, 56; Kate Westmoreland, “Jurisdiction over user data - what is the ideal solution to a very real world problem?”, CIS blog, 24 Jul. 2014, available at: http://cyberlaw.stanford.edu/blog/2014/07/jurisdiction-over-user-data-what-ideal-solution-very-real-world-problem.

  364. 364.

    Matthew Wall, “Can we trust cloud providers to keep our data safe?,” BBC, 29 Apr. 2016; id., “Is that app you’re using for work a security threat?”, BBC, 11 Oct. 2016, reporting on cybersecurity risks caused by cloud computing that allows cloud-based apps to gain access to the camera, location, data and contacts on mobile phones using the apps with little, if any, control by the apps’ users or regulatory agencies.

  365. 365.

    Leo Kelion, “GCHQ and NSA ‘track Google cookies’,” BBC, 11 Dec. 2013.

  366. 366.

    “US Supreme Court approves expanded hacking powers,” BBC, 29 Apr. 2016.

  367. 367.

    “US moves to limit jurisdiction over data stored abroad,” Telecoms.com , 13 Feb. 2015, available at: http://telecoms.com/398521/us-moves-to-limit-jurisdiction-over-data-stored-abroad/.

  368. 368.

    “GCHQ can monitor MPs’ communications, court rules,” Guardian, 14 Oct. 2015.

  369. 369.

    Judge Stein Schjolberg, The Third Pillar in Cyberspace: An International Court or Tribunal for Cyberspace, 5, 12–13, available at: http://www.cybercrimelaw.net/documents/131112_Draft_Treaty_text_on_International_Criminal_Tribunal_for_Cyberspace.pdf.

    A similar idea appears in Philippe Currat, “La cour pénale international: un exemple de ‘E-Court’?,” in Colloque de Rouen: Internet et le droit international, 87–109.

  370. 370.

    UNODC, Comprehensive Study on Cybercrime, xxv.

  371. 371.

    Ibid., xxvi.

  372. 372.

    Ibid., at xxv. Ideally, the present author considers that international cooperation in this field should be real-time in nature.

  373. 373.

    Ibid.

  374. 374.

    Ibid., xxvi.

  375. 375.

    Daskal, “The Un-Territoriality of Data”, Part III(C).

Author information

Authors and Affiliations

  1. Royal Thai Embassy, Moscow, Russia

    Kriangsak Kittichaisaree

Authors
  1. Kriangsak Kittichaisaree
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Kittichaisaree, K. (2017). Regulation of Cyberspace and Human Rights. In: Public International Law of Cyberspace. Law, Governance and Technology Series, vol 32. Springer, Cham. https://doi.org/10.1007/978-3-319-54657-5_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-54657-5_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54656-8

  • Online ISBN: 978-3-319-54657-5

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation