Self-Regulation of Fundamental Rights? The EU Code of Conduct on Hate Speech, Related Initiatives and Beyond

in Ojanen, Tuomas; Petkova, Bilyana (Eds.) Fundamental Rights Protection Online: the Future Regulation of Intermediaries (2020)

This contribution will give a brief overview of EU legislation encouraging self-regulation, such as codes of conduct, communications and recommendations and propose an alternative approach towards ... [more ▼]

This contribution will give a brief overview of EU legislation encouraging self-regulation, such as codes of conduct, communications and recommendations and propose an alternative approach towards fighting illegal content on online platforms, which ventures squarely into co-regulation. There is no formal and straightforward definition on what constitutes illegal hate speech. However, hate speech might be classified as targeting minority groups in a way that promotes violence or social disorder and hatred. The use of social media and online platforms to spread illegal content and hate speech has increased progressively during recent years, as content may be disseminated anonymously and further shared by other users. Therefore, the timely removal or blocking of access to illegal content is essential to limit the wider dissemination and harm of individuals targeted by hate speech. The prominent role of online platforms in revolutionizing modern communication and as influencers of the public opinion has increasingly come to the attention of policy makers. Since online platforms provide an important stage for phenomena such as ‘fake news’, ‘hate speech’ or ‘disinformation’, the pressure to take more responsibility over content hosted by them has grown. The EU Commission took action via several attempts to set certain rules for online intermediaries, mostly relying on non-binding agreements, often in the form of self-regulatory measures, such as codes of conduct, guidelines and recommendations. These measures have raised concerns regarding possible limitations of Freedom of Expression, because they require online platforms to adjudicate on the legality of content, often by relying on automated systems. Meanwhile decisions over the unlawfulness of hate speech and “disinformation” are often notoriously difficult. The deployment of algorithms to analyse the content generated on platforms, such as recognition and filtering technologies, bear risks and pitfalls of automated compliance solutions. Although the use of algorithms to monitor content online still happens based on the “human-in-the-loop principle”, the diligence and efficiency with which illegal content can be reviewed is also dependent on the financial capacity and resources of each company. In addition, these privatized removal procedures maybe influenced by commercial interests and lack effective appeals mechanisms. All these issues throw up serious questions about the democratic legitimacy of self-regulatory removal procedures An alternative solution, proposed in this article, would require platforms to apply a risk-based approach to preventing and removing illegal content. The norms and standards of such an approach would be based on duty of care and be subject to regulatory oversight. It is suggested that the current self-regulatory proposals be replaced by co-regulatory solutions. [less ▲]

Follow the Money, If You Can - Possible Solutions for Enhanced FIU Cooperation Under Improved Data Protection Rules

E-print/Working paper (2019)

Financial information can play a key role in tackling Money Laundering (ML), Terrorist Financing (TF) and combatting serious crime more generally. Preventing and fighting ML and the financing of terrorism ... [more ▼]

Financial information can play a key role in tackling Money Laundering (ML), Terrorist Financing (TF) and combatting serious crime more generally. Preventing and fighting ML and the financing of terrorism were top priorities of the European Agenda on Security, which might explain the fast developments regarding the regulation of Anti-Money Laundering (AML) and Counter Terrorism Financing (CTF). During the past years, the European Commission (Commission) proposed several legal texts to reform the current AML framework and to facilitate timely law enforcement (LE) access to financial data for the prevention, detection, investigation and prosecution of serious crime. The line between administrative sanctions and criminal law measures seems to become increasingly blurred, as the latest proposals are no longer based on an internal market provision, but on police and judicial cooperation legal bases. Financial Intelligence Units (FIUs) play a crucial role in analysing and exchanging information concerning suspicious transactions, serving as intermediaries between the private sector and Law Enforcement Authorities (LEAs). Because of the international nature of financial crime, cooperation between FIUs is of paramount importance. Yet, due to different organizational settings in the EU Member States, FIUs are not always able to exchange data effectively, which leads to information gaps. One of the reasons why the data exchange between FIUs is impeded are data protection rules that apply differently depending on the organizational structure of the FIUs in the 28 Member States. Whereas some FIUs must adhere to the stricter data protection rules under the General Data Protection Regulation (GDPR), others may exchange data more flexibly within the scope of the data protection Directive for police and criminal justice authorities (LED). Therefore, the counter-argument to granting broader LE-access rights to financial data by LEAs could be to enable a more effective exchange of data between FIUs. This article argues that FIUs should be able to process personal data within the scope of the LED, in order to have more flexibility to receive, analyse and exchange data: On the one hand, the LED provides sufficiently high data protection standards and adequate safeguards for data subjects while allowing FIUs to carry out their tasks effectively under harmonized rules. On the other hand, this would be an argument to strengthening the role of FIUs as neutral intermediaries instead of granting additional access to personal data by LEAs. [less ▲]

Interoperability of EU Databases and Access to Personal Data by National Police Authorities under Article 20 of the Commission Proposals

in European Data Protection Law Review (2018), 4/2018(4), 470-482

This contribution assesses data protection concerns relating to the processing of personal data carried out pursuant to Article 20 of the interoperability proposals, which were published by the European ... [more ▼]

This contribution assesses data protection concerns relating to the processing of personal data carried out pursuant to Article 20 of the interoperability proposals, which were published by the European Commission on 12 December 2017. The proposals seek to enable all centralised EU databases for security, border and migration management to be interconnected by 2023. Under Article 20 of the proposals, Member States would be permitted to implement national provisions that allow national police authorities to query one of the interoperability components with biometric taken during an identity check. Such queries shall prevent irregular migration and ensure a high level of security within Union. In particular, this article seeks to examine the data protection concerns arising with regard to streamlined law enforcement access to non-law enforcement databases included in the interoperable framework, and addresses risks for individuals to become subject to unfair processing under Article 20 of the interoperability proposal. [less ▲]

Transborder Access to e-Evidence by Law Enforcement Agencies: A first comparative view on the Commission's Proposal for a Regulation on a European Preservation/Production Order and accompanying Directive

in SSRN (2018)

As communication nowadays commonly takes place via electronic means, the use of electronic evidence (e-evidence) is becoming a crucial element in criminal investigations. Due to the borderless nature of ... [more ▼]

As communication nowadays commonly takes place via electronic means, the use of electronic evidence (e-evidence) is becoming a crucial element in criminal investigations. Due to the borderless nature of the internet, many criminal investigations include a cross-border dimension and therefore, commonly require access to electronic data and evidence that are stored outside the territorial jurisdiction of the investigating authority. Since data are typically held by private companies that are often located in a different country than the investigator, law enforcement authorities (LEAs) are either dependent on the willingness of these service providers to cooperate on a voluntary basis, or to resort to existing legal procedures for obtaining the data for investigations. The relevant procedures under the current framework to access data stored outside the European Union is based on so-called Mutual Legal Assistance Treaties (MLATs), whereas judicial cooperation within the EU is, inter alia, governed by the Directive on the European Investigation Order in the form of the national transposition acts of the Member States. Because e-evidence is, due to its volatile nature, prone to modification and deletion, the timely acquisition of stored data is vital for LEAs. Therefore, informal cooperation between LEAs and private companies is a common method to obtain e-evidence, thereby bypassing the lengthy and often ineffective Mutual Legal Assistance (MLA) mechanisms. Such direct cooperation between law enforcement and private companies, which is commonly carried out on a unilateral basis, has led to a fragmented framework for the acquisition of data. Against this background, the European Commission, on 17 April 2018, proposed new rules on access to e-evidence, to secure and obtain preserved data faster and more effectively and to ensure that all providers that offer services in the EU are subject to the same obligations. Similar developments regarding the adoption of comparable legislative acts and instruments regarding direct law enforcement access to data stored by private companies take place elsewhere in Europe and beyond: The Council of Europe is currently preparing a 2nd Additional Protocol to the Budapest Convention on enhanced international cooperation, whereas in the U.S., the Clarifying Lawful Overseas Use of Data Act on rules for cross-border law enforcement investigations was enacted in March 2018. This contribution will address concerns regarding the role of private companies as ‘extended arm’ of LEAs and the measures that seek to cope with the legal uncertainty and fragmentation that emerged with the informal public-private relationships around the acquisition of e-evidence. The article suggests that the initiatives on different levels might result in even more conflicts of laws than is currently the case, if lacking a coordinated and coherent approach in Europe and internationally. Moreover, the article discusses the impact of the abovementioned developments with regard to EU data protection standards. The compliance of the new rules on access to e-evidence with the EU data protection acquis, namely the GDPR and Directive (EU)2016/680, will be one of the relevant matters covered in this article. [less ▲]

Interoperability and Law Enforcement Access to Personal Data. Data Protection Rights of Third Country Nationals in the light of the CJEU’s Case Law

in Europarättslig tidskrift (2018), 2/2018

Connecting Personal Data of Third Country Nationals: Interoperability of EU Databases in the Light of the CJEU's Case Law on Data Retention

E-print/Working paper (2018)

On 12 December 2017, the EU Commission presented a proposal on the interoperability of EU large-scale Information Systems. The proposal seeks to enable all centralised EU databases for security, border ... [more ▼]

On 12 December 2017, the EU Commission presented a proposal on the interoperability of EU large-scale Information Systems. The proposal seeks to enable all centralised EU databases for security, border and migration management to be interconnected by 2020. The underlying IT systems retain data of Third Country Nationals (TCNs), namely travellers, applicants for international protection, information relating to visa applications or data on missing persons and criminals. With the proposal, the Commission seeks to create new possibilities to exchange information, manage migration challenges and to enhance the Union’s internal security. The interconnectivity of databases would introduce fundamental changes to the current structure of EU IT-systems and requires careful consideration and assessment of compliance with EU data protection standards. This also means that access to information in an interoperable system must be strictly aligned to the access rights of the underlying databases and that requesting authorities only obtain the data that they are authorized to access. With interoperability, data once held in silos would be retained in three new centralized databases and would be more easily accessible, also for the prevention, investigation and prosecution of crime. Where criminal investigations previously required multiple searches in separate databases, this cascading safeguard shall progressively be abandoned to streamline access to personal data by law enforcement authorities. Despite simplified access conditions, this would require new types of processing operations for which the interoperability proposal does not provide a legal basis. During recent years, several judgments of the Court of Justice of the European Union (CJEU) have highlighted the difficulty of striking a proper balance between the fundamental rights to privacy and data protection, enshrined in Article 7 and 8 of the Charter of Fundamental Rights of the European Union (EU Charter) with an increased demand for security and the surveillance of potential criminals. The Court repeatedly pointed out the need to strike a fair balance between these (allegedly) competing interests and emphasised that law enforcement authorities should not be granted access to personal data without prior authorization. Using the CJEU’s judgments as vehicle and considering the assumption that TCNs risk to become subject to data retention measures in a disproportionate manner, the following analysis seeks to assess both existing EU databases and their foreseen interoperability against the requirements established by the Court in order to evaluate their (in)-compatibility with the fundamental rights standards enshrined in the EU Charter. [less ▲]

United Kingdom ∙ Investigatory Powers Tribunal: Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Ors Part II

in European Data Protection Law Review (2017), 3(3), 387-393