This article was first published on The Local.
This week in Seoul, while speaking at a ministerial-level conference on Internet governance issues, Sweden’s foreign minister Carl Bildt did a remarkable thing.
SeoulCyber2013 is the first high-level meeting on Internet governance since the summer, when Edward Snowden began revealing the extremes to which the US and other countries will go to surveil Internet use, with scant regard for user privacy. Post-Snowden, these conferences can no longer ignore the fact that among the biggest threats to a thriving Internet are states’ own policies and actions, including those made by democracies in the absence of transparency and public oversight.
What the limits of state action in cyberspace should be is far from settled. At the Stockholm Internet Forum in May 2013, a coalition of civil society organizations first mooted a set of legal principles that would constrain state cyber-surveillance activities. In their view, to the extent that surveillance is necessary to protect the interests of a state’s citizens, it should be conducted in accordance with human rights law, protecting privacy and freedom of expression.
These principles, now 13 in number and listed on the Necessary & Proportionate campaign site, make for a remarkable document, because by signing it, the 280 sponsoring NGOs are explicitly conceding that surveillance can be a legitimate state activity, in certain cases trumping an individual’s right to privacy. Although the influential Electronic Frontier Foundation signed it, some of its activist members felt this conciliatory act was hard to swallow.
At first, the 13 principles did not seem to gain much traction with states. In Sweden, some members of the Internet policy establishment were privately dismissive of such initiatives — Sweden, they argued, had already had a vigorous and contentious parliamentary debate about surveillance which had resulted in the FRA (signals intelligence) law. Re-opening that particular can of worms just to adhere to a wish list of best practices was not a viable or desirable option. But this was a sentiment from the pre-Snowden era.
In September, the principles were submitted by NGOs to the United Nations Human Rights Council in Geneva, where they received a favorable hearing from UN human rights experts, including the Special Rapporteur Frank La Rue.
And now for that remarkable thing in Seoul. Bildt, near the end of his speech, proposed a set of principles to constrain state surveillance that mirrors most of the core principles enumerated by the NGOs. He called on state surveillance activities to abide by the legal principles of legality, legitimate aim, necessity and adequacy, proportionality, judicial authority, transparency and public oversight. (Do read the texts for a precise definition of each of these terms.)
Suddenly, Sweden is heading for common ground with NGOs in balancing the prerogatives of digital statecraft with the human rights of Internet users. The overlap is not complete — Bildt’s speech skips a number of additional principles proposed in the NGO document — but there is no doubt that this step amounts to tangible progress in getting these principles promoted to norms that states can aspire to, with Sweden being the first country (that I am aware of) to openly articulate this ambition.
Of course, the devil is in the details, and questions remain: Are there policy implications for the Swedish government in embracing these principles, or will the government maintain that Swedish law already conforms to all these norms? One example: The principle of transparency calls on states to, in Bildt’s words, “provide information on how the surveillance legislation works in practice.” The FRA law as it stands today only compels the signals intelligence agency to report back to the “relevant authorities”; the Swedish public most certainly does not get access to how it works “in practice”, not even to aggregate information on how often requests are made, or broadly to what end. Still, thinking creatively, it’s worth noting that there is nothing in the FRA law that prohibits the government from sharing aggregated information with the public.
Meanwhile, are the “missing” principles missing because they directly contradict current Swedish law? For example, is the principle of ensuring the integrity, security and privacy of communications systems, which would prohibit states from forcing Internet service providers to preemptively retain customers’ metadata, “missing” from Bildt’s list because it contravenes Sweden’s data retention law, passed in 2012 to put the country in line with European directives?
And amid press reports of Sweden frequently sharing intelligence with the NSA, will there be policy adjustments towards countries that do not share Sweden’s principles for ethical surveillance practices? In the same vein, it would be hypocritical of Sweden to uphold these principles if the FRA gets to circumvent them merely by outsourcing all ethically questionable intelligence gathering to a less scrupulous foreign ally.
Where do we go from here? By next year’s Stockholm Internet Forum, why not present the results of an independent audit assessing Sweden’s practical compliance with these principles? Let’s say Sweden scores a 6 out of 13. That would be enough to propel the country into first place in a one-country league table of all countries submitting themselves to such public scrutiny, and it would begin a process that the rest of the world can join to build a freer, more secure Internet for all.
The Law on Personal Data Protection was enacted in 1990. [ fn 159 ] It broadly adopts the basic principles of the OECD Guidelines on the Protection of Privacy and the Council of Europe’s Convention. Specifically, the law regulates the security of personal data in data files; restricts third-party access and use only upon the written consent of the data subject; provides for data subject access to his or her files; and permits the transfer of personal data to other countries only if the recipient country has guaranteed “full protection of personal data” to include that held on “foreign citizens.” However, the Slovenian law merely provides for a somewhat nebulous “republican organ” oversight of personal data protection practices, and therefore is not compliant with the pan-European instruments on data protection, including the EU’s Privacy Directive.