Final Report Summary - MAPPING (Managing Alternatives for Privacy, Property and INternet Governance)
Building on the results of several EU FP7 projects including CONSENT (covering on-line consent and privacy in social networks), SMART and RESPECT (which cover smart and on-line surveillance, etc.) MAPPING's goal is to create an all-round and "joined-up" understanding of the many and varied economic, social, legal and ethical aspects of the recent developments on the Internet, and their consequences for the individual and society at large.
MAPPING specifically investigates and debates the existing innovation policies, business models and legal framework related to the implementation of the Digital Agenda for Europe and the changes needed to set up an improved governance structure for the EU innovation ecosystem. More specifically MAPPING looks at current issues in Internet Governance, Privacy, Personality and Business Models and Intellectual Property Rights (IPR) in an online environment.
The key to MAPPING's success is its mobilisation of a wide spectrum of ICT-related stakeholders and social actors from both EU Member States and other important international players, including academics, law and policy makers, ISPs, international and EU Internet governance bodies, NGOs, corporations and civil society organisations. The project provides these actors with a forum for informed discussion of issues related to the digital transition, such as problems of personal data and IPR protection online, business models and e-government applications based on the use of personal data, economic exploitation of IPRs and open innovation.
MAPPING has created a Road Map and a Policy Brief putting forward workable policy guidelines based on a multidisciplinary perspective on the latest and foreseeable developments in ICTs taking into account conflicting interests, perceptions and practices of different societal actors that shape the EU's technological future. MAPPING significantly contributes to creating an enabling framework for completing the digital transition and improving the innovation climate in the EU.
Project Context and Objectives:
Europe’s external relations and roles in the twenty-first-century global politics—through the European Union, Council of Europe, and individual European states—have been remarkable, and diverse in many areas such as security, culture and sports, science and technology, the rule of law, civil societies, etc. These relationships have been largely shaped by globalisation, and the political and economic dynamics within the continent, including challenges stemming from the Eurozone financial crisis, the influx of refugees and other migrants, the Brexit, terrorism, among others.
While these challenges are tackled, remarkable success has also been recorded in several areas, including the transition of the European societies to an information society. The use of information and communication technologies for various personal and business tasks is widespread, although there are still some people who are yet to be integrated into this information highway. This transformation has enabled many businesses to adopt a digital nature, of which the processing of data—personal and non-personal—is vital and represents the raw material (a new currency) of this era.
Even before the current boost of business models relying on the processing of personal information, European legal developments in protecting privacy and personal data against several threats resulting from the use of information technology in processing data have been remarkable. For instance, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, 1981), drawn up within the Council of Europe remains the only binding international legal instrument in the field of data privacy. Currently, the extraterritorial approach adopted in the General Data Protection Regulation (GDPR) also shows the “global scope with local features” of the European data protection framework.
A few examples highlight the latter point: the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Also, a controller or processor not established in the European Union, but processes personal data of individuals who are in the Union are bound by the Regulation where the processing activities are related to the offering of goods or services, irrespective of whether payment is required; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
In addition, the European regional courts have given landmark decisions with global reach. For example, concerning the right to be forgotten in Google v. Spain , the Court of Justice EU (CJEU) ruled that EU citizens have a right to erasure of their data and could request that commercial search firms, such as Google, remove links to private information, provided the information is no longer relevant. Also, the European Union actively seeks to foster a privacy-friendly adoption of free data flows as a topic in trade negotiations, such as the Economic Partnership Agreement (EPA) with Japan. All these have potential global influence in modelling several national data protection laws after that of Europe.
European efforts at advancing international cooperation to ensure the protection of Intellectual Property rights have also been well recognised in history. The Berne Convention for the Protection of Literary and Artistic Works (1886) and the Paris Convention for the Protection of Industrial Property (1883), for example, attest to these efforts of creating a minimum standard of protecting intellectual property, as well as non-discriminatory treatment across the globe. These Conventions have been signed by a majority of countries in the world today and have formed the basis for contemporary developments in this area.
Through various platforms of engagement (the World Intellectual Property Organization (WIPO), World Trade Organization (WTO) and United Nations (UN)), several European nations have actively participated in several international treaties supplementing these Conventions such as the TRIPS Agreement (1994); UNESCO Universal Copyright Convention (1952); the WIPO Internet Treaties (the Copyright Treaty (1996) and the WIPO Performances and Phonogram Treaty (1996), etc.
European states and stakeholders have also strongly participated in other fora, including the multi-stakeholder framework of Internet governance—IGF, IETF, ICANN, EuroDIG. Europe has visibly supported keeping the Internet open and free-flowing. In 2015, for example, the European Union adopted the first EU-wide net neutrality rules which create individual and enforceable rights for end-users to access and distribute Internet content and services of their choice. The rules made blocking and throttling the Internet illegal, as well as abolish roaming charges in the EU. The same strategy is also seen in the Council of Europe’s Internet Governance Strategy 2016-2019.
However, events such as massive data breaches and cybercrime threaten individuals, as well as companies and governments, putting fundamental rights of citizens and the European economy at risk. This not only calls for enhancing the level of IT-security globally and strengthening the weak link, but also collaboration among policymakers, LEAs, IT-security experts, technical bodies and companies. Supporting approaches such as the Microsoft Geneva Convention , which requires the collaboration of all these actors, can be seen as an additional form of engagement for the European nations and institutions. It is, however, important to note that in this collaborative environment that is envisaged, ensuring proper protection of fundamental rights should be at the forefront.
The Snowden revelations, a few months after the start of the MAPPING project, show that several European states have programmes that engage in mass surveillance of the citizens. This calls for a discussion on how to build and restore trust to the information society and ensure that appropriate oversight is in place to enforce the rule of law in the online system. The public mistrusts the activities of Secret Intelligence Service (SIS) and restoring trust in these services is important for them to properly fulfil their mandate while at the same time respect citizen’s rights. In that regard, the MAPPING project successfully engaged with the intelligence community during the International Intelligence Oversight Forum (IIOF) events. The important platform for engagement could be used to develop remedies for the surveillance on a global scale.
Other initiatives such as the UNESCO Internet Universality indicators could support states in assessing the status quo with regard to fundamental rights on the Internet, and therefore, help the European Union in their efforts to strengthen fundamental rights online. It is important that everyone should be able to exercise their fundamental human rights and freedoms online as well as offline. Global engagement that aims at protecting citizens from cybercrime, insecurity, unlawful surveillance in the online environment should not cease. This requires that Europe must continue to engage with the rest of the world as these issues have a global impact and require a global solution. Europe through the platforms of the European Union, Council of Europe, United Nations, UNESCO, WIPO, WTO, OECD, OSCE, ICANN, IGF, EuroDIG, individual states and other expert groups with international representation must continue its engagement with the rest of the world.
Against this broad background the primary objectives of the MAPPING project were to:
1. Provide fora for stakeholders where research meets practice for better coordination and utilisation of knowledge
2. Foster and contribute to the debate in the three focus areas of the MAPPING project: Internet Governance, privacy, personality and business models and intellectual property rights
3. Map Internet Governance: describing status quo and offering a platform for discussions, including desirable developments from a EU perspective
4. Chart right to privacy considerations in the development of business models using personal data
5. Refresh intellectual property rights debate: balancing exclusive rights with the interests of growth and innovation
6. Ensure public engagement: bringing science closer to society
7. Determine a Road Map for further engagement and learning.
8. Create sustainability for the activities started in the MAPPING project.
Project Results:
Recent developments on the Internet and their consequences for the individual and society at large have elicited discussions on how policies and legal frameworks could not only be implemented to regulate these developments, but also incentivise innovation and new business models while respecting, protecting and promoting human rights. Areas of tension have already been seen in large-scale electronic surveillance, privacy and personal data protection, intellectual property protection (IPR), among others. Yet, the information society cannot function properly if technology developments are stifled by regulatory policies.
This calls for a balanced approach in order to harness the benefits of technological innovations, draw the limits of permissible actions, and integrate the appropriate legal safeguards in the core of these innovative activities. MAPPING, with this current Road Map, aims at supporting policymakers to promote the changes that are needed to encourage and react to ongoing technological developments and their impacts on the economy and society. To this end, the project is based on the three pillars of Internet Governance, Privacy and IPR. These three pillars allowed widespread multi-stakeholder mobilisation and dialogue between a wide spectrum of ICT-related stakeholders and social actors.
There are of course several achievements over the four years of the project. Some of these are listed below. The rest of the document focuses on two central outputs of the project: a. Roadmap for Internet governance, Privacy and Intellectual Property; and b. a draft legal instrument text on Surveillance on the Internet including an explanatory memorandum. Both of these two outputs bring together the work done in the four years in the three pillars of the MAPPING project.
A. Multiple Results of the four years of the MAPPING project
- Mobilisation of stakeholders
Based on the dialogue and participation plan of the MAPPING project, more than 15 meetings bringing together stakeholders from all over Europe and where possible, from outside Europe (including the United States, Australia, Asia). Apart from smaller roundtables and workshops each focused on one the themes of the MAPPING pillars, the project organised an annual General Assembly (in Rome, Hannover, Prague, Malta) bringing together stakeholders from all the three pillars of the MAPPING project. (All the roundtables, workshops and assemblies and final conference proceedings are recorded in MAPPING deliverables).
- Research recording state of the art developments
To inform the debates during the mobilisation of stakeholders event, the MAPPING consortium partners carried out research recording state of the art developments in Internet Governance (including the technical setup of the internet); Privacy and Business models; and Intellectual Property. (All the research done is documented in MAPPING deliverables and in publications of the consortium partners)
- Awareness Campaigns
MAPPING project launched the Awareness campaign in the Autumn of 2017. The MAPPING Awareness Campaign is part of the overall communication strategy of the MAPPING project with a specific focus on one of the project’s main stakeholder groups. It aims at public at large by bringing closer the core MAPPING issues of Internet Governance, Privacy, and Intellectual Property Rights. The MAPPING Awareness Campaign went public on social media, released a series of introductory videos, and created a platform featuring more than 100 articles related to MAPPING issues. All messages are published in a way comprehensible to general public and non-insiders.
Check our videos on IG, Privacy and Social Media, and Open Innovation!
- Privacy: https://youtu.be/f0jg7mTS9ik
- Internet Governance: https://www.youtube.com/watch?v=oaeyu2ipyTQ
- Open Innovation: https://youtu.be/GD2wCS2xwWQ
B. The MAPPING Roadmap
The Road Map (recorded in Deliverable 7.4) first looks at how Europe engages with the rest of the world, taking a broader look at Europe’s external relations and roles in the twenty-first-century global politics. Although the Road Map seeks to address European decision makers and actors primarily, the reality of the Internet and its governance, which is global and polycentric, makes it imperative that the formulation process has reached out to state and non-state actors from in- and outside Europe. The cyberspace, for example, is potentially exploited by cyber-criminals on a global scale, and the changes that are occurring in this space favour the cyber criminals due to a growing criminal network across the globe and a lack of capabilities in governments and industry. There is the potential for escalation and retaliation if a global approach is not taken in solving the problem, encouraging governments to work more collaboratively with all relevant stakeholders. Therefore, in appropriate places, the Road Map’s recommendations will have a global focus.
In general, the Mapping project is based on the three pillars of Internet Governance, Privacy and IPR. However, many interconnections, new laws and game-changing technologies, potentially disruptive, have emerged during the project lifespan. Consequently, the dialogue became more cross-sectoral, leading to the five main issues of concern around which the Road Map will gravitate. The first three issues have been selected as the most salient among the many sub-issues in which the domain of Internet governance could be articulated. The fourth issue pertains to the domain of privacy, while the fifth one to that of IPR. The five issues of concern are:
• Surveillance, focusing on how to upgrade the modus operandi of the governmental institutions that safeguard the public and combat crime, as they face constant and changing threat patterns while continuing to safeguard the rights to privacy, freedom of expression and the right to information. These two demands are often presented as contradicting each other, but MAPPING has developed a model that reconciles them using a holistic approach to human rights and public security. This is reflected in the “Working Draft Legal Instrument on Government-led Surveillance and Privacy.”
• Affordable remedies for reputation, freedom of expression and right to information: online dispute resolution (ODR), with a focus on how to overcome the difficulties encountered by citizens and users when looking for viable and affordable remedies for reputation offences and defamation online in a way that is consistent the need to assure freedom of expression and protect the right to information. The ability to identify and prosecute defamers is key to deterring defamation, and successful ODR in prosecuting such cases will increase the ability of citizens in defending their rights.
• Cybercrime and Cybersecurity, where many questions emerge on how to integrate measures, strategies, resources and capacities to cope with risks and threats on the Internet and how to strengthen the prosecution activities and collaboration among law enforcement agencies (LEAs) and other concerned actors. A key issue is how to deal with the market failures regarding security, in particular, externalities (one party’s lack of security affects others) and information asymmetry (end-users do not have the skills and knowledge required to evaluate the security of the products and services they use).
• Privacy and personal data, in which emerges a picture of disconnection between the realities of data processing—the massive use of data (personal and non-personal) in business and public domains (involving new “game-changing” technologies), and the ability to enforce transparency and data subjects’ rights when using innovative technologies. There is also a problematic interplay between technical standards, legal requirements, and economic policy considerations around privacy and data protection.
• Open innovation in intellectual property rights, where there appears to be a tension between the current IPR framework and open innovation strategies, programs and initiatives to support the development and growth of enterprises, innovators and citizens, and to protect their rights.
The Road Map contains a discussion of the main open questions which have been identified in each issue presented above. To tackle those questions, a set of policy recommendations was formulated. For each recommendation, some implementation options, including pathways such as legal reforms, technological solutions or societal developments have been proposed. This policy brief, however, contains an abridged version of the Road Map, especially focused on recommendations and implementing options.
In a nutshell, these recommendations drafted around the five broad topics mentioned above, include:
1. Evaluate the text and the process of the draft legal instrument on government-led surveillance and privacy and consider options to take this promising development forward.
2. Carry out research to identify how ODR could be used relating to privacy, freedom of expression or right to information.
3. Consider reviewing and updating the relevant legislative framework in the EU and the Member States on ODR implementation.
4. Assess necessity to fund pilot projects, start-ups and/or existing operators of ODR platforms.
5. Raise awareness of users and parties about ODR platforms where they could send complaints.
6. Develop solutions for challenges that LEAs encounter during investigations, particularly, those preventing them from legally accessing data.
7. Close the expertise gap present among all actors involved in criminal justice proceedings tackling cybercrime, e.g. LEAs, prosecution, lawyers and judges.
8. Enhance the resilience of organisations and consumers against cyber attacks.
9. Modernise and expedite the slow-paced mutual legal assistance (MLA) procedures including increasing cooperation between all the stakeholders in the MLA process (governments, the private sector and law enforcement).
10. Support ongoing legal reform of the CoE Convention 108.
11. Foster operationalisation and standardisation of data protection by design and by default.
12. Strengthen the enforcement of European data protection rules.
13. Provide further guidance and data protection impact assessment methodology for processing involving special categories of data.
14. Promote the synchronisation of GDPR security requirements with IT-standards and protocols.
15. Increase transparency and promote public awareness on the impact of personal data processing, including IT-security.
16. Support universities and research centres within the EU to become more entrepreneurial by introducing entrepreneurship training on new business models as part of the educational curricula.
17. Developing further the EU Open Innovation Strategy and Policy Group (OISPG) and other engagement bodies by increasing their role and multiplying their activities.
18. Include an open-innovation impact assessment in each new intellectual property rights policy.
19. Introduce a mandatory wide stakeholder consultation process before the adoption of IPR policies.
20. Redefining the conditions of “fair use” or exceptions and limitations for non-commercial exchanges or creative content on the internet.
C. Draft legal text on Surveillance on the Internet including explanatory memorandum
The draft text for a Legal Instrument (LI) on Government-led Surveillance and Privacy (Deliverable 4.8) is the result of meetings and exchanges between the MAPPING project and several categories of stakeholders shaping the development and use of digital technologies (DTs). These include leading global technology companies, experts with experience of working within civil society, law enforcement, intelligence services, academics and other members of the multi-stakeholder community shaping DTs and the transition to the Digital Age.
The subject matter of this legal instrument is surveillance through digital technology. It aims at safeguarding the fundamental rights and freedoms of persons with regard to the deployment and use of surveillance systems, as well as non-surveillance data when used for surveillance purposes.
This instrument is intended to apply to all Law Enforcement Agencies (LEA) and Security & Intelligence Services (SIS) and public-mandated entities acting on their behalf. While LEA and SIS are organized differently from state to state and the tasks and operational requirements as well as their capabilities differ, the impact of their activities on human dignity and fundamental rights are often similar in nature. Nevertheless, LEAs and SIS have separate functions.
The provisions have been developed using the results of multiple research projects (including MAPPING, RESPECT and SMART). Additionally, international and national best-practices have been taken in account. These insights were combined with the experiences and expertise of all parties involved in contributing to drafting the text which was facilitated by members of the Security, Technology & e-Privacy Research Group (STeP) at the University of Groningen in the Netherlands.
The provisions of the LI are based on international human rights law. Ultimately, this draft should aid states and the multi-stakeholder community to protect, respect and promote human dignity. The LI aims at giving detailed guidance for government-led or organized surveillance using electronic means. This is necessary for both human rights and the responsible and dignified conduct of state authority and powers.
This version is the basic text that has most recently been discussed during the joint public events which were held in Rome on 18-19 January 2018 and Malta on 12-14 February 2018. Further consultation sessions may be announced in the future possibly even in the context of a MAPPING2 project. This text also includes some amendments that were suggested in submissions received after the 2018 meetings. This text attempts to reflect and put up for discussion the many views received by the MAPPING project to date. The MAPPING Project consortium does not necessarily agree with all parts of the text which are included. They are being presented in the spirit of open discussion.
The LI was drafted as a blueprint for any form of soft law or hard law, anything ranging from a non-binding recommendation to a (global or regional) international treaty, that would allow states to join the consensus and form a new group which puts emphasis on the promotion and protection of human rights in the Digital Age. Its adoption would help plug gaps in human rights protection identified in international law especially those related to jurisdiction and minimum standards,
After the introduction and presentation of methodology in Section I., Section II. of this document is divided in two parts. The first part includes the different substantive provisions of the LI, with the text written in Italic. Underneath each section follows the text of the proposed explanatory memorandum relevant for that section. The explanatory memorandum was created to provide context and hopefully facilitate the understanding of the intent of the authors of the LI. Section III. contains the main sources of the document.
This draft has been developed with a strong focus on substance and irrespective of any institutional or legislative framework. Hence, many procedural provisions (such as the ones referring to signature and entry into force) are not included.
The further development of this legal instrument should be undertaken in the context of the other recommendations to be found in the Road Map and Policy Brief produced by the MAPPING project.
Potential Impact:
Impact through mobilisation of stakeholders
As previously noted in this report, the MAPPING project has achieved considerable impact with different stakeholder groups, including civil society, experts working for international organizations; large Internet corporations, experts from LEAs and the judiciary; experts from the intelligence agencies communities; start-ups and academics. The evidence of this impact can be seen through (a) the large continued participation of different stakeholder groups in all of the MAPPING events; (b) the willingness of different stakeholders to continue engaging with the MAPPING consortium (as outlined in deliverable 7.3 on MAPPING Sustainability).
This impact also has a cascading effect: stakeholders who were engaged in the MAPPING debates have passed on the work developed in MAPPING to other fora. In this way the impact of MAPPING has been much wider than initially anticipated.
Impact due to continued relevance of the MAPPING topics
The three main areas of focus of the MAPPING project – Internet Governance, Privacy and Intellectual Property – have remained very actual and relevant. Given their continued relevance, the impact of the MAPPING Roadmap and Policy Brief are expected to have an important impact in the development of policies in these three areas of focus.
Impact of the draft legal text on surveillance and privacy
Given the collaboration between the mandate of the UN Special Rapporteur for Privacy (SRP) http://www.ohchr.org/EN/Issues/Privacy/SR/Pages/SRPrivacyIndex.aspx & MAPPING project a wide structured public consultation was held about new legal measures at international law intended to improve the protection of privacy in this age of ubiquitous surveillance. Through this public consultation the draft of the legal text on surveillance and privacy (proposed in deliverable 4.8) was widely debated. While it is too early to measure its impact, one can expect that this draft will be considered as a good basis for further consultation.
Dissemination
MAPPING project results are and will continue to be effectively disseminated, following the complex and interrelated communication scheme and strategies, which have been adjusted according to our experience in the project so far. The special attention in the middle phase of the project implementation was paid to the widening of the MAPPING network and deepening of the targeted communications with stakeholders, using approaches such as:
a) engaging external experts, using partner-centred engagement tactics
b) liaison with other projects and initiatives
The ultimate goal of this cooperation is to contribute to the creation of an enabling framework for the digital transition and to improve the global governance structure as well as the EU innovation ecosystem.
The list of the external events with planned participation of MAPPING partners was updated every year.
The communication flow of MAPPING project has been running as a “distributed system”, all parts of which are working towards the main goals with their specific inputs. Some partners are more focusing dissemination activities on their national communities, while other partners are focused more on the international professional communities. A significant part of general and specific project communication is running directly at European and/or international levels accordingly. After the 48 project months, and based on the evidence maintained, the project accomplished all of the planned objectives in the field of dissemination and communication as well as targets developed during the execution of the project.
All project activities, including thematically oriented workshops, round tables and working party meetings, were supported by dissemination towards particular stakeholders and according to the needs of the WP leaders. Vice versa, all those actions are helping to spread targeted information about the project effort and objectives.
A lot of effort of all partners was put into dissemination of MAPPING activities and outputs at external events, including high level national, European, and International gatherings, such as Internet Governance Forum (IGF 2014, 2015, 2016, and 2017), World Summit on Information Society 2016, EuroDIG 2015 and 2017, INTERPOL global events, and significant events of the UNESCO and the UN. In total the evidence is gathered about 200 events with MAPPING presence and visibility.
The MAPPING project organised a large number of events within its own capacity. These include general assemblies, round tables, consultative meetings, focus groups, side-event workshops, and the final conference. A special visibility was gained at the MAPPING App Competition Award ceremony that took place in Hannover at the CeBit annual fair in March 2016 (support to the WP5 action). At the end of the project a whole range of projects and communities have been touched and have been interested in long-term cooperation with the MAPPING project and MAPPING expert community. These communities have expressed the willingness to continue in the cooperation beyond the official project life span.
An extended list of dissemination events are found in section 4.2 of this report.
List of Websites:
https://mappingtheinternet.eu/
Prof. Joseph A. Cannataci j.a.cannataci@step-rug.nl
Prof. Jeanne Mifsud Bonnici g.p.mifsud.bonnici@step-rug.nl
Ms. Bettina Zijlstra, LL.M b.zijlstra@step-rug.nl