Recommendation CM/Rec(2017x)xx of the Committee of Ministers to member states on the roles and responsibilities of internet intermediaries
THIRD revised Draft
1. In line with the jurisprudence of the European Court of Human Rights (hereinafter “the Court”), the Council of Europe member states have the obligation to secure to everyone within their jurisdiction the rights and freedoms contained in the Convention for the Protection of Human Rights and Fundamental Freedoms (ETS No. 5, hereinafter “the Convention”) both offline and online.
2. Access to the internet is a precondition for the exercise of Convention rights online. By enhancing the public’s ability to seek, receive and impart information without interference and regardless of frontiers, the internet plays a particularly important role with respect to the freedom of expression. It also enables significantly the exercise of other rights protected by the Convention, such as the right to freedom of assembly and association, the right to education, access to knowledge and culture, as well as participation in public and political debate and in democratic governance. However, the internet has also facilitated an increase of privacy-related offences and of the spread of certain forms of hate and incitement to violence, in particular on the basis of gender and race, which remain under-reported and rarely prosecuted.
3. A wide, diverse and rapidly evolving range of actors, commonly referred to as internet intermediaries, facilitate interactions between natural and legal persons on the internet by performing a variety of functions. Some connect users to the internet, enable the processing of information and data, or host and store web-based services. Others aggregate information and enable searches, and give access to, host and index content and services designed and/or operated by third parties. Some facilitate the sale of goods and services, including audio-visual services, and enable other commercial transactions, including payments. Intermediaries may also moderate and rank content, including through automated data processing techniques, and thereby exert forms of control which influence users’ access to information online in similar ways as media do, or they may perform other functions that resemble those of publishers. Often, intermediaries carry out several functions in parallel. A variety of network effects and mergers have led to the existence of fewer, larger entities that dominate the market in a manner that may jeopardise the opportunities for smaller intermediaries or start-ups.
4. The regulatory framework relating to the services provided by intermediaries is diverse, multi-layered and continuously evolving. States are confronted with the complex challenge of regulating an environment in which private actors fulfill a crucial role in providing services that have significant public service value. The task of regulation is further complicated by the global nature of the internet networks and services, by the anonymity of users, and by the volume of internet communication and the speed at which it is produced and processed. Owing to the fact that intermediaries operate across many countries, their actions may further be simultaneously relevant under several, sometimes conflicting, jurisdictions.
5. Internet intermediaries also have their own regulatory frameworks, usually in form of terms of service or community standards that often contain content restriction policies. These may be based on broad definitions that lend themselves to unpredictable interpretation and implementation practices, often without public oversight. Moreover, intermediaries collect, retain and process a wealth of information and data from and about users, which raises questions in relation to the users’ rights to freedom of expression and privacy. Effective reporting and complaints mechanisms may be lacking, be insufficiently transparent and efficient, or be provided only through automated processes.
6. In line with the UN Guiding Principles on Business and Human Rights and the Protect, Respect and Remedy Framework, intermediaries should respect the human rights of their users and third parties in all their actions. This includes the responsibility to act in compliance with applicable duties of care. The more market-dominant an intermediary and the more important the public service value of its platform and services for public discourse to thrive, the higher the duty of care that the intermediary must employ when developing and applying policies. Owing to the multi-functionality of intermediaries, which may be merely transmitting third-party content or performing more curatorial or editorial-like functions, special efforts are required to determine what function is being performed with respect to certain content in order to assign the corresponding duties and responsibilities.
7. The rule of law is a prerequisite for the protection and promotion of exercise of human rights online and for pluralistic and participatory democracy. Member states have the negative obligation to refrain from violating the freedom of expression and other human rights online. They also have a positive obligation to protect human rights and to create an enabling and safe environment for everyone to participate in the public debate and to express without fear their opinions and ideas, including those that offend, shock, or disturb. This positive obligation to ensure the exercise and enjoyment of rights and freedoms includes, due to the horizontal effects of human rights, the protection of individuals from the actions of private parties, among others by demanding compliance with applicable duties of care. It is further indispensable that due process guarantees are in place and access to effective remedies is facilitated vis-à-vis both states and intermediaries.
8. In order to render the rights enshrined in the Convention effective and practical for everyone, to promote their full and equal enjoyment without discrimination of any kind, and in view of building cohesive societies that are respectful of diversity, member states and intermediaries ought to support initiatives and programmes that aim at promoting media and literacy skills for accessing and managing the digital space, including through the education systems. Given the particularly high number of young and child users of the internet, member states and intermediaries ought to acknowledge the particular importance of empowering, protecting and supporting children in their safe access to rights in the digital environment.
9. Against this background and in order to provide guidance to all relevant actors who are faced with the complex task of protecting and respecting human rights in the digital age, the Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member states:
- implement the Guidelines included in this recommendation when developing and implementing legislative frameworks with regard to internet intermediaries and promote them in international and regional forums that deal with the roles and responsibilities of internet intermediaries;
- take all necessary measures to ensure that internet intermediaries fulfill their responsibilities to respect human rights in line with the UN Guiding Principles on Business and Human Rights and the Recommendation CM/Rec (2016)3 of the Committee of Ministers to member states on human rights and business;
- in implementing the Guidelines, take account of Committee of Ministers Recommendation 2016/5 on internet freedom; Recommendation 2016/3 on human rights and business; Recommendation 2016/1 on protecting and promoting the right to freedom of expression and the right to private life with regard to network neutrality; Recommendation 2015/6 on the free, trans-boundary flow of information on the internet; Recommendation 2014/6 on a Guide to human rights for internet users; Recommendation 2012/3 on the protection of human rights with respect to search engines; Recommendation 2012/4 on the protection of human rights with respect to social networking services; Recommendation 2007/16 on measures to promote the public service value of the internet; and the Human Rights guidelines for internet service providers, developed in 2008 by the Council of Europe in co-operation with the European Internet Service Providers Association which, as far as the responsibilities of internet service providers are concerned, are reinforced by this Recommendation.
- engage in a regular dialogue with stakeholders from the private sector, civil society, academia and the technical community, with a view to sharing information and discussing emerging technological developments related to internet intermediaries that impact the exercise and enjoyment of human rights and related legal and policy issues;
- encourage and promote the implementation of effective age and gender-sensitive media and information literacy programmes to enable adults, young people and children to enjoy the benefits and reduce the exposure to risks of the online communications environment, in cooperation with stakeholders from the private sector, civil society, education, academia and the technical community.
I – Duties and obligations of states
1.1.1. Any request, demand or other action by public authorities addressed to internet intermediaries that interferes with human rights and fundamental freedoms must be prescribed by law.
1.1.2. The powers of public authorities in relation to internet intermediaries must be defined by law and exercised within the limits conferred by law. States should not exercise pressure on internet intermediaries through non-legal means.
1.1.3. Laws, regulations and policies applicable to internet intermediaries, regardless of their objective or scope of application, including commercial and non-commercial activities, shall safeguard the effective protection of human rights and fundamental freedoms, and shall maintain adequate guarantees against arbitrary application in practice.
1.1.4. States shall not seek to absolve themselves from their obligation to secure human rights and fundamental freedoms online by transferring it to internet intermediaries.
1.1.5. The process of enacting legislation or other regulations applicable to internet intermediaries should be transparent and inclusive. States should regularly consult with all relevant stakeholders with a view to ensuring that an appropriate balance is struck between the general interest of the community, the interests of the users and the interest of the intermediary. Before adopting legislation or regulations, states should conduct impact assessments with respect to their potential negative impact on human rights.
1.1.6. States shall ensure that legislation, regulation, and policies related to internet intermediaries are interpreted, applied and enforced without discrimination on any ground, taking into account also multiple and intersecting forms of discrimination. The prohibition of discrimination may in some instances require special measures to address specific needs or correct existing inequalities. States should further take into account the substantial differences in size, function and organisational structure of intermediaries when developing, interpreting and applying the legislative framework in order to prevent possible discriminatory effects.
1.1.7. States should ensure that legislation, regulation and policies relating to internet intermediaries are effectively implementable, flexible, and scalable, and that they do not unduly restrict the operation and flow of internet-based trans-border communication.
1.2.1. Any legislation applicable to internet intermediaries and to their relations with states and users must be accessible and predictable as to the effects. All laws should be clear and sufficiently precise to enable intermediaries and users to regulate their conduct. The laws should create a safe and enabling online environment for private communications and public debate and comply with relevant international standards.
1.2.2. Any legislation must include clear restrictions to the powers, discretionary or non-discretionary, granted to public authorities in relation to internet intermediaries, particularly when exercised by the executive branch or by law enforcement. The law must indicate the scope of such discretion to protect against arbitrary application.
1.2.3. States should make publicly available, in a timely and regular manner, comprehensive information on the number, nature and legal basis of restrictions of human rights, such as regarding content removal or disclosure of personally identifiable information, that they have applied in a certain period through requests addressed to intermediaries. States should encourage intermediaries to disclose anonymised or aggregated information about interferences with the exercise of rights and freedoms online, whether based on court or administrative orders, private complainants’ requests, or enforcement of their own content restriction policies.
1.2.4. In the interest of legal certainty, states should exercise their jurisdiction only when mandated to do so under international law or in cases of universal jurisdiction. With a view to avoiding legal uncertainty and conflicts of laws and developing common approaches and jurisdictional principles, states should commit to cooperating amongst themselves and with all relevant stakeholders in cases where different laws apply, including through appropriate non-state forums.
1.3.1. Any request, demand or other action by public authorities addressed to internet intermediaries to restrict access (including blocking or removal of content), or any other measure that interferes with freedom of expression, must be based on law, pursue one of the legitimate aims foreseen in Article 10 of the Convention, be necessary in a democratic society and proportionate to the aim pursued. State authorities must carefully evaluate possible, including unintended, impacts of any restrictions before applying them, while seeking to apply the least intrusive measure.
1.3.2. State authorities shall seek to obtain an order by a judicial authority or other fully independent and impartial state entity when demanding intermediaries to restrict access to unlawful content. State authorities should not require internet intermediaries to restrict access to third-party content based on their own assessment of its lawfulness. They should further ensure that internet intermediaries do not restrict access to third-party content based on their own assessment of its lawfulness without ensuring proper redress mechanisms and adherence to due process guarantees.
1.3.3. State authorities should not directly or indirectly impose a general obligation on intermediaries to monitor content to which they give access, or which they transmit or store, be it by automated means or not. Before addressing any request to internet intermediaries or promoting, alone or with other states or international organisations, co-regulatory approaches by internet intermediaries, state authorities should consider whether their action may lead to general content monitoring. They should further consider that such monitoring is usually performed through automated means that are unable to assess context properly. The imposition of sanctions for non-compliance may prompt over-regulation and speedy take-down of all dubious content, which may result in an overall chilling effect for the freedom of expression online.
1.3.4. States should ensure in law and in practice that intermediaries are not held liable for third-party content with respect to which their function is limited to hosting unless they do not act expeditiously to remove or disable access to information or services as soon as they become aware of their illegal nature. Notice-and-take-down procedures should not be designed in a manner that incentivises the take-down of legal content. When intermediaries remove content based on their own terms of service, state authorities should not consider this as a form of control that precludes the exemption from liability. All content restrictions should allow notice of such restriction to both the content producer/issuer and users seeking access to the content.
1.3.5. In order to ensure that identical content, which has been determined as illegal by a judicial authority or other fully independent and impartial state entity, is effectively prevented from being re-uploaded, states should closely co-operate with intermediaries to secure the blocking of such content in line with the principles of legality, necessity and proportionality.
1.3.6. In cases where the function of intermediaries consists of producing or managing content available on their platforms or where intermediaries perform curatorial or editorial-like functions, including through operation of algorithms, state authorities should apply an approach that is differentiated and graduated in line with Recommendation CM/Rec(2011)7 of the Committee of Ministers to member States on a new notion of media. They should acknowledge in particular the role that intermediaries play in content production and dissemination and guarantee the appropriate level of protection, while providing a clear indication of the ensuing duties and responsibilities.
1.3.7. When assigning the applicable duties and responsibilities of intermediaries who are engaged in curatorial or editorial-like functions, including the production and dissemination of content, states should encourage appropriate self-regulatory or devise co-regulatory mechanisms, taking due account of the extent that their action may negatively affect the ability of the intermediary to provide services of significant public value, such as platforms for public discourse and democratic debate.
1.4.1. Any demand or request by state authorities addressed to internet intermediaries to access or store personal information or other data of their users, or any other measure which interferes with the right to privacy, must be based on law and pursue one of the legitimate aims foreseen in Article 8 of the Convention and must be necessary and proportionate to the aim pursued. The protection of the right to privacy and data protection extends to devices used to access the internet or store data.
1.4.2. State authorities should ensure that their regulatory frameworks and the ensuing policies and practices of intermediaries who are located within their territory uphold the principles of data processing (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage time limitations, integrity and confidentiality) and guarantee the rights of the data subject in full compliance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No.108).
1.4.3. State authorities should seek to respect and promote the right to confidentiality of private communications facilitated by internet intermediaries through private messaging services.
1.4.4. Surveillance measures undertaken by states, in co-operation with internet intermediaries or not, must be targeted and comply with Article 8 of the Convention. They must in particular be mandated by law and must include sufficient procedural and oversight safeguards. All surveillance must be authorised by a judicial authority or other fully independent and impartial state entity.
1.5.1. States should guarantee access to judicial procedures that ensure the impartial review of all claims of violations of Convention rights online, such as the right to freedom of expression, the right to privacy, or the right not to be discriminated against, in compliance with Article 6 of the Convention.
1.5.2. States should guarantee an effective remedy for all violations of human rights and fundamental freedoms by internet intermediaries, in compliance with Article 13 of the Convention. This includes ensuring that intermediaries provide access to prompt, transparent and effective review of user grievances and alleged terms of service violations, and provide for effective remedies, including judicial review, when internal and alternative dispute settlement mechanisms prove insufficient or where the affected parties opt for judicial redress or appeal.
1.5.3. States should proactively seek to reduce all legal, practical or other relevant barriers that could lead to a denial of access to an effective remedy for grievances of users, third parties and internet intermediaries.
1.5.4. States should engage in age and gender-sensitive media and information literacy promotion activities to ensure that all users are effectively made aware of their rights and freedoms online, in particular regarding their right to access to an effective remedy vis-à-vis both state authorities and internet intermediaries.
II - Responsibilities of internet intermediaries with regard to human rights and fundamental freedoms
2.1.1. Internet intermediaries should in all their actions respect the internationally recognised human rights and fundamental freedoms of their users and of third parties who are affected by their activities. This responsibility, in line with the UN Guiding Principles on Business and Human Rights, exists independently of the states’ ability or willingness to fulfil their own human rights obligations and therefore, in case of contradiction with internationally recognised human rights standards, may compete with the responsibility to comply with the applicable legislative framework at national level.
2.1.2. The responsibility of intermediaries to respect human rights and to employ adequate duties of care applies regardless of their size, sector, operational context, ownership structure, or nature. The scale and complexity of the means through which intermediaries meet their responsibility may vary, however, taking into account the human rights impact and public service value of the services provided by the intermediary. The more important the public service value of an intermediary’s platform and services for public discourse to thrive, the higher the duty of care that the intermediary must employ when developing and applying policies.
2.1.3. All interference by intermediaries with the free and open flow of data and communications should be based on clear policies and must be limited to specific legitimate purposes, such as to preserve the integrity, universality and security of the network, or to prevent access to or dissemination of content that has been determined as unlawful by a judicial authority or other fully independent and impartial state entity.
2.1.4 Internet intermediaries should engage in regular assessments of the possible future human rights impacts of new policies, products or services they intend to develop, or of commercial interactions they intend to undertake. In all their actions they should be mindful of the significant public service value of the services they deliver and should seek to avoid and mitigate any adverse effects on the principle of network neutrality or the effective exercise of rights of their users or third parties.
2.1.5. Internet intermediaries should engage in regular due diligence assessments of their compliance with the responsibility to respect human rights and fundamental freedoms and with their applicable duties of care. This should include an assessment of the direct and indirect human rights impacts of all their actions, both on users and third parties, and an appropriate follow-up to these assessments by acting upon the findings, and monitoring and evaluating the effectiveness of identified responses. Intermediaries should conduct these assessments as openly as possible and encourage active user engagement.
2.1.6. Intermediaries should seek to ensure that their actions do not have direct or indirect discriminatory effects on their users or other parties affected by their actions, including on those that have special needs or disabilities or may face structural inequalities in their access to rights. Intermediaries should further ensure that their terms of service agreements and internal policies are applied and enforced consistently, without discrimination of any kind, and in compliance with applicable due process safeguards. The prohibition of discrimination may under certain circumstances require that intermediaries make special provisions for certain users or groups of users in order to correct existing inequalities.
2.2.1. Internet intermediaries should ensure that all terms of service agreements and policies specifying the rights of users and the standards and practices for content moderation and the processing and disclosure of user data are publicly available in clear, plain language and accessible formats. Users should be notified of all changes in relevant policies regarding their terms of service and operating conditions as applicable and without delay, and in formats that they can easily access and understand.
2.2.2. The process of developing and applying terms of service agreements, community standards and content restriction policies should be transparent, accountable and inclusive. Intermediaries should seek to engage in collaboration and negotiations with consumer associations, human rights advocates, and other organisations representing the interests of users before adopting policies. Intermediaries should seek to empower their users to engage in processes of evaluating, reviewing and revising, where appropriate, intermediaries’ policies and practices.
2.2.4. Internet intermediaries should clearly and transparently inform their users about the operation of automated data processing techniques in the performance of their functions, including the operation of algorithms that facilitate searches based on user profiling or the distribution of algorithmically selected and personalised content, such as news.
2.2.5. Intermediaries should regularly publish transparency reports that provide specific, anonymised information about all interference with the free publication, dissemination and access to information and ideas by users and with free and open data traffic, and about all requests received for such interference, whether based on court orders, private complainant’s requests or enforcement of their own content restriction policies, so as to enable affected parties to regulate their conduct.
2.3.1. Internet intermediaries should respect the rights of users to receive and impart information, opinions and ideas. They should not on a general basis monitor content to which they give access, or which they transmit or store to actively seek out unlawful content. All measures taken to restrict access to, remove, or block content on behalf of a state should be effectuated through the least restrictive means, following a careful assessment of their effectiveness and proportionality to the pursued aim. All restriction of content should be limited in scope to the precise remit of the order and should be accompanied with a notice that is visible to users and affected third parties, explaining which content has been restricted and on what basis, and providing information on procedural safeguards and available redress mechanisms.
2.3.2. When restricting access to content in line with their content restriction policies, intermediaries should do so in a transparent and non-discriminatory manner. All content restriction must be performed by the least restrictive technical means and must be only as broad and maintained for as long as strictly necessary to avoid the collateral removal of legal speech. Intermediaries should further ensure that users and third parties are fully aware of the nature of the content restriction, including with respect to its legal basis, and are fully notified, including with respect to their possibilities to challenge the restriction.
2.3.3. Given the importance of their role and the impact that their actions may have on the ability of users to exercise their freedom of expression online, all staff of intermediaries who are engaged in content moderation should be adequately trained as to the applicable international human rights standards, their relationship with internal standards, and action to be taken in case of conflict. They should further be provided with appropriate working conditions. This includes the allocation of sufficient time for deciding on the legality of content and opportunities to seek qualified legal advice where necessary.
2.3.4. Recognising that automated means of content restrictions may be necessary to prevent the reappearance of content that is identical to what has already been determined as unlawful, intermediaries should carefully assess the human rights impact of automated content management, taking into account the limited ability of algorithms to assess context, the resulting risk of over- and under-blocking, and the effect this may have on the services they provide for public debate.
2.4.1. Internet intermediaries should limit the collection of personal data from users to what is directly necessary in the context of a clearly defined and explicitly communicated purpose. The processing, including collection, retention, aggregation or sharing of personal data must be based on a legitimate interest and, unless otherwise provided by law, on the free, informed and explicit consent of the user with respect to the specific purpose in line with the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data (ETS No. 108).
2.4.2. Intermediaries should minimise the collection and processing of personal user data, including through application of the ‘privacy by default’ and ‘privacy by design’ principles. User data should only be aggregated and migrated across multiple devices or services following the free, informed and explicit consent of users. Users should be informed about their rights to review, modify, and delete personal data and to object to the processing of their personal data. They further should be informed about their right to withdraw their consent at any time in which case all processing of personal data based on the consent of the user should be terminated.
2.4.3. Any tracking and profiling of users by intermediaries should be fully transparent towards users. In order to protect their users’ online identity, internet intermediaries should not employ profiling and digital tracking techniques that may impact on the user’s exercise of human rights without having obtained the free, informed and explicit consent of their users. Intermediaries should seek to protect their users from tracking and profiling by third parties. They should employ adequately trained staff to oversee all matters related to the disclosure of user data to third parties in line with their responsibilities and duties of care under international data protection and privacy standards.
2.4.4. Intermediaries should not disclose personal user data unless requested to do so by a judicial authority or other fully independent and impartial state entity that has determined that the disclosure is consistent with applicable laws and standards, necessary in a democratic society and proportionate to the legitimate aim pursued.
2.5.1. Internet intermediaries should make available effective complaint mechanisms and dispute resolution systems that provide prompt and direct redress in cases of user grievances and alleged violations of terms of service. While the complaint mechanisms and their procedural implementation may vary with the size, impact and role of the internet intermediary, all remedies must allow for an impartial and independent review of the alleged violation.
2.5.2. All complaint mechanisms should comply with due process safeguards and should be accessible, equitable, rights-compatible and transparent. They should further include in-built safeguards to avoid conflicts of interest when the company is directly administering the mechanism, for example, by involving oversight structures. Complaints mechanisms should not negatively impact the opportunities for complainants to seek recourse through national, including judicial, review mechanisms.
2.5.3. Intermediaries should ensure that all users and third parties affected by their actions have full and easy access to transparent information about applicable complaints mechanisms, the various stages of the procedure, indicative time frames, and expected outcomes.
2.5.4. Intermediaries should not include in their terms of service waivers of rights or hindrances to the effective access to remedies, such as mandatory jurisdiction outside of a user’s country of residence or non-derogable arbitration clauses.
2.5.5. Intermediaries should seek to provide access to alternative review mechanisms that can facilitate the resolution of disputes that may arise between users. Intermediaries should not, however, make alternative dispute mechanism obligatory as the only means of dispute resolution.
2.5.6. Intermediaries should engage in dialogue with consumer associations, human rights advocates and other organisations representing the interests of users to ensure that their complaint mechanisms are designed, implemented, and evaluated through participatory processes. They should further regularly analyse the frequency, patterns and causes of complaints received in order to learn lessons for improving their policies, procedures and practices and for preventing future grievances.
2.5.7. Intermediaries should engage in targeted age and gender-sensitive efforts to promote the awareness of all users of their rights and freedoms online, both vis-à-vis states and intermediaries, including in particular information about applicable complaints mechanisms and procedures.