green book
LEGAL RELATIONS ON THE INTERNET
green book
LEGAL RELATIONS ON THE INTERNET Based on discussions between government officials, civil society, and IT professionals held in April-August, 2019
џ
Under general editorship
џ
Vitaliy Moroz џ
Authors Julia Kazdobina Dmytro Dubov Anastasia Barovska Vitaliy Moroz
Design and layout Karina Strokan
џ
Literary Editor Oksana Plaksii
џ
Project manager Kateryna Kunytska
The "Legal Relations on the Internet" Green Book was prepared following the discussions of the governmental agencies, civil society, and IT professionals, conducted by NGO "Internews Ukraine" in April-August, 2019 in partnership with the Ukrainian Foundation for Security Studies. The Green Book is the result of ice breaker between public and non-state stakeholders in the development of the Internet and information policy and attempts to build up a common understanding of the information field problems, including the issues of Internet freedom and digital rights. The aim is to improve the quality of the new legislative initiatives development in Ukraine on the Internet and infosphere areas. The Green Book will be useful for the law-making initiatives and legislators pursuing efforts on getting understanding of the Internet and infosphere challenges context in the light of the democratic world international practices. The project targets both civil society and the IT community, as well as the Ukrainian government officials. The final beneficiaries of the project are the Ukrainian citizens, including Internet users. The publication produced within the "Green Book on Internet Governance and Information Policy in Ukraine as a Tool for Advocacy in Decision Making Process" project, implemented by NGO "Internews Ukraine", funded by the USAID through the American non-governmental organization "Counterpart International, Inc.". Ideas and views expressed in this publication reflect positions of the authors and closed working meetings participants and may not be in line with those of the United States Agency for International Development (USAID), the American non-governmental organization "Counterpart International, Inc." and "Internews Ukraine". Project site: netfreedom.org.ua © NGO "Internews Ukraine", 2019
STRUCTURE 4
INTRODUCTION
6
RESEARCH METHODOLOGY
8
1. INTERNET IN UKRAINE: CURRENT STATISTICS AND SOCIOLOGY
12
2. KEY ISSUES OF LEGAL RELATIONS ON THE INTERNET:
12
2.1 Subjects of legal relations on the Internet
16
2.2 Internet Governance
22
2.3 Digital Rights: general approaches
30
2.4 Personal data
35
2.5 Interaction of Ukraine (state, civil society) with Facebook, Google, and Twitter
42
2.6 Internet content regulation
55
2.7 Cybersecurity
60
CONCLUSION
INTRODUCTION Throughout the history of independent Ukraine, the Internet evolved here under the most favorable conditions. Historically, governments did not thwart free development of the Net, and this non-interference made it possible for providers and operators to compete. As of 2019, there are approximately 6,000 providers registered in Ukraine, while by various estimates the number of Internet access providers on the market ranges from 1,500 to 3,500. The mobile market, on the contrary, is consolidated - its key positions are occupied by three operators. With the increasing role of technology and Internet development globally, online social relationships became special and an indispensable modern life attribute. Therefore, all over the world, and in Ukraine, in particular, the debate increasingly grows over who and how should formalize the Net legal relations: the state exclusively (regulation), the state with private business and civil society (coregulation), or it should not be formalized at all with voluntary self-regulation used at the technical communities level? As of 2019, Ukraine has an objective necessity to build up Internet legal relations: џ џ џ џ
the security situation is vocal about a balance between freedom of expression and the need for protection; at the same time, rapid technological development creates both new opportunities and risks; there is no legal framework meeting current challenges and supported by all stakeholders; international Internet law is getting on the fast track, for starters, at the level of the Council of Europe acts and the European Union law.
Each of these factors can be a serious reason to address the Internet legal relations topic, and having them aggregated - even more so. The Green Book on Internet legal relations Project, initiated by NGO "Internews Ukraine" and the Ukrainian Foundation for Security Studies, is a result of a public request for quality Internet law.
4
The laws proposed over the last few years did not stand up to expert criticism, lacked in balance and were rejected by the civil society. At the same time, as discussions have shown, the government officials are also aware of the need to improve the current legislation. The international community support for the project, in particular, as a Counterpart International grant, means that our partners also find it necessary to pay more attention to the Internet regulation in Ukraine. Awareness of the need to "build bridges" between decision-makers became a project basis. The main Internet area stakeholders are the government institutions, the IT community, and the civil society. The systematic communication between them is just in its dawn. Also, the stakeholders do not see eye to eye about the Internet Governance key aspects and adhere to various approaches. In particular, civil society is more concerned with Internet rights and freedoms protection, while the government officials discourse is more focused on the security issues. To consolidate the stakeholders’ views and proposals, we chose a Green Book format to outline the directions and content of a policy on a particular area or issue, and offered alternatives for discussion. Usually, Green Books are preliminary to White Papers, outlining specific decisions, including regulations. Open public discussion of the problems identified in Green Books makes it possible to form a broad public consensus on the development directions, the policy content, and the mechanisms for its implementation. The "Legal Relations on the Internet" Green Book’s goal is to outline the range of problems in this area and to determine, through the expert discussions, the possible and acceptable to all stakeholders ways to address these issues. The Green Book, as a document defining a specific window of opportunities, relies primarily on the needs and challenges Ukraine faces. At the same time, the international standards and norms became benchmarks for the solutions search.
5
RESEARCH METHODOLOGY The Green Paper elaboration was based on a mixed methodology that made it possible to solve two key tasks: џ џ
to frame the problematic area for discussions; to choose the discussion format.
The following logical sequence of actions was used to identify the topics for discussion. First, we identified two groups of problems with the Internet legal relations build-up: 1) independent of the Ukrainian authorities, for example, the domain names distribution. They were ignored; 2) connected with the authorities’ response: some actions or, conversely, abstention.This group of problems was taken for further analysis. To structure the second group of problems into subgroups we used the so-called social problems pyramid,1 which made it possible to reach various problem awareness levels: џ џ џ
ittle-known, poorly understood at the current stage, but significant problems; fuzzy, known in privy problems; well-known problems that usually need to be addressed in detail.
For example, the state and the information giants interaction was not a vexed point before the 2016 UK, USA elections influence issues. Then it belonged to the first subgroup. New challenges now are the impact of modern technologies, primarily Artificial Intelligence, on information legal relations (such as the problem of the deep fake). The first subgroup also includes robotics, legal consequences of additive technologies’ usage, biotech, and other issues. The GDPR problem and Internet of Things are the examples of the second subgroup, and resource blocking of the third one. 1 https://www.ipas.org.ua/images/doc/Library/DistCourses/PublPolicy/1_Synopsis.pdf
6
In general, the structure of the legal relations on the Internet problematic area covers the subjects of management issues (Internet resources, information flows, allowed and prohibited content, etc.), as well as the management system itself (at the supranational and national levels). Such problems understanding and solving in their interconnection and dynamics requires the systematic approach and prognostic tools. The final step in this task was to formulate the topics for the discussion’s participants. However, not every suggested topic received an audience or at least one of the audiences’ responses, and not every topic sparked heated debates. This was also reflected in the final version of the Green Paper. The second task was to choose the format of the discussion of the proposed topic. Among various options, we gave preference to discussions (from Latin discussio review, research), which is a method of organizing a purposeful and orderly exchange of opinions, ideas, and arguments in a group. An important feature of discussion that distinguishes it from other types of communication is reasoning.2 The discussion provides: џ џ
џ џ
active exchange of thoughts and ideas; overall view of the problem (the polarity of views was partly due to the activity spheres, such as technical or legal, but not to being in different stakeholder groups); multilateral communication; earch for new solutions or common grounds.
The discussions during the Green Paper production made it possible: to present and analyze the discussion participants’ personal experiences (with a lot of the authorities actions getting clear to other stakeholders); to find out the problem (for example, in regards of bill No. 6688); to identify potentially acceptable and unacceptable solutions (such as a mechanism for blocking resources); and to search for consensus. The discussion effectiveness was achieved through the participants' expertise and the Chatham House rule: the discussion content is public with no participants’ names mentions.
2 https://uk.wikipedia.org/wiki/%D0%94%D0%B8%D1%81%D0%BA%D1%83%D1%81%D1%96%D1%8F
7
1. INTERNET IN UKRAINE: CURRENT STATISTICS AND SOCIOLOGY Despite the negative demographic processes (migration, negative dynamics in the birth and death rates differences), the Internet is gaining its popularity in Ukraine. The Factum Group researchers noted that as of September 2019, the number of Internet users among the population increased to 71%, reaching 22.96 million.3 65% of these users access the Internet at home, and 22% go online exclusively with smartphones. A year ago, in 2018, the Internet audience in Ukraine reached 21.4 million people, according to AdMixer.4 However, Internet coverage rates vary slightly in different studies. In August 2017, Gemius reported on 22.1 million of the Internet users.5 Among them, 19.3 million people accessed the Internet via desktop and laptop computers, 10.5 million via smartphones/mobile phones, and 2.6 million via tablets. A large number of users accessed the Internet via multiple devices at the same time. The InMind researchers, who conducted their survey in October 2019, supported by USAID-Internews, also give figures indicating the Internet penetration increase in 2019. 3 https://www.epravda.com.ua/news/2019/10/11/652498// 4 https://blog.admixer.ua/wtf/wtf-online-audience-ukraine-upd/ 5 http://www.gemius.com.ua/vse-stati-dlja-chtenija/gemiusaudience-za-serpen-2017-roku.html
8
According to InMind, 71% of the Ukrainians use the Internet every day, which is 12% more than a year ago.6 In general, the number of regular Internet users increased from 48% to 72% in 5 years. At the same time, the number of Ukrainians with no Internet access at all in 2019 decreased from 18% to 15%, compared to 2018. The Ukrainians mostly use the Internet for instant messaging. The share of this option users increased from 45% last year to 77% this year. People also search the web for relevant information (71%), use social networks (61%) and e-mail (58%), read news (56%). Ukraine is a great example of a country with a competitive market for Internet access services. Over 6,000 providers are registered here, given the most liberal business conditions and the lack of the state's interest in the industry over-regulating in the 1990s and 2000s. According to various reports, with 1500-3500 providers in the market, over the last few years trend turned to market consolidation. The largest players in the fixed network access services are Ukrtelecom, Kyivstar, Volia, Triolan, Fregat, Datagroup, Lanet, and others.7 Most of the mobile Internet services are provided by three operators: Kyivstar, Vodafone Ukraine, Lifecell. The cost of Internet connection services in Ukraine remains low, compared to other countries. The monthly subscription fee for a 100 MB/s broadband Internet service package usually does not exceed 120-150 UAH, and some providers often dump with a promotional home Internet broadband connection monthly fee of 75 UAH for a year. In 2018-2019, some providers’ representatives consistently emphasized the gradual rise in the Internet services fees to help companies run in profit. Another important Internet accessibility indicator is the data transmission speed. According to the Speedtest Global Index rating by Ookla, in August 2019, Ukraine ranked 52nd out of 122 countries in terms of broadband Internet access.8 This is 10 positions lower than in 2017. And although in Ukraine the speed increased over the last two years, the technologies develop and the Internet speed grows all over the world, so the study showed slower performance for Ukraine, compared to the world. Accordingly, on average, the broadband Internet speed in Ukraine as of 2019 is 42.7 MB/s for downloads and 49.5 MB/s for uploads. Meanwhile, in two years, from 2017 to 2019, the mobile Internet speed in Ukraine increased significantly. According to the Speedtest Global Index, in 2017 Ukraine ranked 107th, and in 2019 went thirty points up to 87 position. On average, the mobile Internet speed in Ukraine is 21.26 MB/s (8.63 - in 2017) for downloads and 11.45 MB/s (2.44 - in 2017) for uploads.
6 https://netfreedom.org.ua/article/internet-staye-osnovnim-dzherelom-informaciyi-dlya-ukrayinciv-rezultatidoslidzhennya 7 https://ukr.lb.ua/economics/2017/11/20/382276_hto_kontrolyuie_ukrainskiy_internet.html 8 https://www.speedtest.net/global-index
9
3G mobile services launch in 2015 gave a significant impetus to the mobile Internet development in Ukraine and led to a surge in smartphone sales. At the beginning of 2018, the government offered to sell 4G mobile internet frequencies licenses, and in late March 2018, Kyivstar, Vodafone, and Lifecell announced their first subscribers using 4G services in major Ukrainian cities.9 And in October 2019, the government and the mobile operators signed a memorandum on 5G service introduction in 2020. What are the Most Popular Websites among the Ukrainians? In August 2019, a Kantar TNS CMeter research found that the top five websites among the Ukrainians are google.com, youtube.com, facebook.com, rozetka.com.ua, and wikipedia.org.10 The Russian social network VKontakte, with its 5 million users monthly audience, was ranked only 17th. However, this data is likely underestimated as it may not account for users circumventing websites blocking with VPN technology. Accordingly, 5 million people audience is serviced by providers not blocking Russian websites under sanctions. Researchers’ data on the Internet audience figures often differ. The Internet Association of Ukraine orders researches from Factum Group. These studies show that the top 5 websites as of August 2019 include the following resources: google.com, youtube.com, facebook.com, ukr.net, and instagram.com. The Russian11 service VK.com was ranked 6th. The PlusOne research data show 13 million Facebook and 11 million Instagram users in Ukraine as of July 2019.12 Researchers say that in February 2019, the Facebook administration massively removed fake accounts. At that time, the number of the Ukrainian Facebook users dropped from 13 million to 12 million and Instagram users - from 11 to 10 million people, but within a few months, the social network indicators increased again.
9 http://ain.ua/2018/12/26/4g-itogi-2018 10 https://tns-ua.com/news/reyting-populyarnih-saytiv-za-serpen-2019 11 https://inau.ua/news/dani-doslidzhen-internet-audytoriyi-ukrayiny-za-serpen-2019 12 https://mmr.ua/show/facebook_ta_instagram_v_ukrayini_vidalili_1_mln_botiv_i_otrimali_stilyki_zh_novih_ koristuvachiv
10
Change in Facebook and Instagram users number in Ukraine mln mln mln
Quantity
mln
Month
Illustration: PlusOne agency
The most Facebook users are in Kyiv (55%), Lviv (39%), and Dnipropetrovsk (35%) regions. The lowest penetration is recorded in Chernihiv and Zaporizhzhia regions 27%. With 61% or 7.6 million female users and about 39% or 4.9 million male users, Facebook is dominated by women in Ukraine.
11
2. KEY ISSUES OF LEGAL RELATIONS ON THE INTERNET: 2.1 SUBJECTS OF LEGAL RELATIONS ON THE INTERNET џ
Problem statement
At the moment, the subjects’ of legal relations on the Internet functioning, their responsibilities and responsibilities establishment (in fact, meaning the definition of the legal relations) are fraught with insufficient legal support, including: џ
џ
џ
џ
The Law "On Telecommunications", adopted in 2003, is outdated and does not meet current requirements and the European integration processes in Ukraine (several relevant bills on electronic communications were submitted instead of it 13 ); Uncertainty in Internet resources status,14 which, on the one hand, stands in light of the professional journalism standards usage on the Internet news websites, causes lack of responsibility in case of false information dissemination and, on the other hand, does not protect them from censorship, and deprives employees of the journalist status; The network users legal status, their rights and responsibilities while using the Net remains unclear as well. This status is mostly under pressure of two opposite trends: total users de-anonymization followed by applying the rules similar to offline (mostly governmental approach), and total users anonymity with no any regulation or state intervention (radical human rights approach); Lack of a clear understanding of the very interference limits in the Net working principles and cyberspace by different actors (both state and nonstate ones), and such interference constraints.
Additionally, experts point out that the National Commission for State Regulation in Communications and Informatization (NCCRI) serves as a national IT-sphere regulator and is directly subordinate to the President, and its decisions are not always transparent.15
13 http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=57401 https://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=66311 14 Except for offline media websites, operating according to Art. 1 of the Law "On Print Media in Ukraine": "print media can include other media (plates, diskettes, tapes, videotapes, etc.), distribution of which is not prohibited by the current legislation of Ukraine." An expanded interpretation of this article allows subsuming the Internet to other media. 15 https://ms.detector.media/web/online_media/obmezhennya_prav_v_interneti_riziki_dlya_ukraini/
12
џ
A brief history
According to the internationally accepted approach proposed by Yochai Benkler, Internet Governance should be divided into impact areas, with technical, infrastructure and content areas as the keys.16 Subjects of legal relations on the Internet can be nominally divided into two large groups: 1) setting such relations boundaries;17 2) dealing with these them. The first group includes: 1.1) international organizations that џ џ
establish common engagement rules, for example, Internet Governance Forum (IGF), Internet Society (ISOC); set the interaction technical parameters, such as the Internet Corporation for Assigned Names and Numbers (ICANN) responsible for coordinating the Internet Protocol address space rules usage and domain names system; Internet Engineering Task Force (IETF) responsible for technical basis and core protocols standardization;
1.2) national authorities involved in legal relations on the Internet regulation: џ џ џ џ
first of all, the legislative body - the Verkhovna Rada of Ukraine; a profile central executive authority, currently the Ministry of Digital Transformation of Ukraine; the regulator - NCCRI; non-governmental organization managing .UA domain address and names space on the Internet.
The second group includes the following subjects and subgroups: 2.1) telecommunication operators and providers that ensure the Internet functions as an information system. They mainly provide the following types of information services: connection (providing access to the network); administration (ensuring functioning of technical means for maintaining the Internet address space); hosting (placing customers’ information resources on web servers and providing access to these resources); network navigation services (creation of web portals facilitating the search and access to the network information resources). 16 http://www.benkler.org/Benkler_Wealth_Of_Networks.pdf 17 With its online resources, this group of subjects also acquires the characteristics of the second group, but this is not significant for our analysis.
13
2.2) producers, owners, and distributors of information and information resources that form Internet content. First of all, they create electronic information resources, own the rights on them, ensure their functioning and satisfaction of the users’ information needs. 2.3) entities providing specific services for electronic (network) agreements (contracts) on the Internet, that is, everything covered by the term "e-commerce (commerce)" (online shops, online casinos, online auctions, etc.); 2.4) consumers (users) of telecommunication services. These are individuals and legal entities that need, order, and receive these services. In spite of the subjects of legal relations on the Internet diversity and a range of issues related to their functioning, the government and non-governmental sector representatives discussion focused on two issues: џ џ
online media regulation; obligations for providers to store computer data.
While talking about online media regulation, the participants actively turned to international experience. They cited the example of Belarus, which adopted a law on mass media updated to provide opportunities for voluntary online media registration. As a result, online resources receive a number of incentives, in particular in terms of official accreditation. Another example is Germany, with no mass media registration but with business entities registration instead. At the same time, an analog of our National Commission for State Regulation in Communications and Informatization regulates there audiovisual content, video blogs, in particular. While discussing the providers’ obligations to store computer data, the government officials representatives noted that the Law "On Telecommunications" asks for the connection data retention by providers for three years. But the stored data are not those stipulated by the Convention on Cybercrime (traffic data) but indicated on the receipt, i. e. information on the provided services: numbers of minutes and seconds charged. Deletion of information from the networks, described in the Convention, is almost impossible: most crimes are not serious, this automatically prohibits the removal of information from the electronic system according to procedural law. For example, in an action against the system, it is not possible to delete the procedural information from that system because it is not a serious crime under the article. We did not implement these Convention on Cybercrime provisions in full, in particular, we have neither definition of digital evidence, nor the rules on computer data storage. The non-government sector representatives concerns on whether such data retention could violate human rights met the unequivocal answer: It cannot. The content of the conversations is not disclosed. This is not an interception. These are connection specifications." 14
Ń&#x;
Trends
While elaborating online news resources status regulation, it is worth to take into account the Council of Europe Recommendation CM/Rec(2011)7 of the Committee of Ministers to member states on a new notion of media, stating the need to "adopt a new, broad notion of media which encompasses all actors involved in the production and dissemination, to potentially large numbers of people, of content (for example information, analysis, comment, opinion, education, culture, art and entertainment in text, audio, visual, audiovisual or other form) and applications which are designed to facilitate interactive mass communication (for example social networks) or other content-based large-scale interactive experiences (for example online games), while retaining (in all these cases) editorial control or oversight of the contents".18
18 http://sumynews.com/decentralizationreform/3151/rekomendacziyi-komitetu-ministriv-rady-evropy20117-shhodo-novogo-vyznachennya-media.html
15
2.2 INTERNET GOVERNANCE џ
Problem statement
Ukraine is part of a worldwide network. The network rapid development and its extraterritoriality give rise to the states' attempts to respond to this phenomenon and to link it to the classical paradigms of sovereignty. In its most radical form, this leads to attempts to fully control the content and infrastructure of the network within each country, like in China or Russia. The second pole is the absolute network freedom, which is de facto recognized as a separate space with its own rules. In such circumstances, Ukraine needs to find its strategic approach to the Internet Governance issue, which would ensure balanced respect for the stakeholders’ interests. џ
General context
With the information or post-industrial society development, social relations are increasingly based on the exchange of information. At the turn of the millennium, the rapid development of the Internet as a decentralized system actualized the network legal regulation issue, which raised concerns among all those associating the Internet with a space free from any interference or regulation. However, the World Wide Web became a sort of space for free information sharing with paid services, tech giants (Facebook, Google) building their business models based on the users’ personal data collection and exploitation, and undemocratic regimes able to use the Internet as a weapon against democracy. The term Internet Governance is well-known among IT professionals, government officials, and the public sector. Internet Governance means a set of general principles, rules, and regulations governing the evolution and use of the Internet and supporting governments, business and civil society in finding agreement on the related issues. At the same time, the Internet Governance "liberalization" can be ensured only within rather virtual limits. First of all, because Internet Governance does not mean any governing in the direct sense of the word, it is a distributed system that does not require centralized management. At the same time, Internet Governance is a subject of a big politics, that is why it is the key world powers discussion agenda. For the first time, this issue appeared at the international level after two rounds of the World Summit on the Information Society (WSIS), held in Geneva in 2003 and Tunisia in 2005.
16
The Summit's final document, the Agenda for the Information Society, was approved in Tunisia. This document addressed the Internet Governance problem in detail, proposed the definition of the term, provided a list of problem areas, and stated the commitment to launch an Internet Governance Forum (IGF), under United Nations auspices, to create a platform for the WSIS decisions implementation. The first Forum meeting was held in 2006, and since 2010 Ukraine hosts the Ukrainian Internet Governance Forum. In its Statement on Internet Governance (2009), the European Commission linked the global Internet security and stability with respect for human rights, including freedom of expression, privacy, personal data protection, and cultural and linguistic diversity. One of the key issues still under discussion is what conceptual approach should be used to create an Internet Governance model. Although this issue raised for the first time in 2006, it became particularly acute during the World Conference on International Telecommunications (WCIT-12), dedicated to the important telecommunication development issues and, in particular, the current International Telecommunication Regulations revision. In 2013, during the Fifth World Telecommunication/ICT Policy Forum (WTPF), multistakeholderism as a stakeholder dialogue was proclaimed a basic approach to Internet Governance that states should rely on. In particular, the member states were requested "to explore ways and means for greater collaboration and coordination between governments, the private sector, international and intergovernmental organizations, and civil society, as well as greater participation in multistakeholder processes, with a view to ensure that the governance of the Internet is a multistakeholder process that enables all parties to continue to benefit from the Internet." In 2016, to properly implement human rights on the Internet, the Committee of Ministers of the Council of Europe adopted a recommendation on Internet freedom, recognizing the risks associated with Internet access regulation and the service providers’ capabilities. As stated in Recommendation CM/Rec(2016)5, Internet Government mechanisms at the national, regional or global level should be based on Internet freedom understanding. States have rights and obligations over international policies related to the Internet. While enforcing their sovereign rights, states must, according to international law, refrain from any action that may directly or indirectly harm natural or legal entities, within or outside their jurisdiction. Any national decision or action to restrict human rights and fundamental rights on the Internet must comply with the international obligations and, in particular, be law-based. Adherence to the principles of proportionality and guaranteed access to legal remedies, as well as the right to be heard and to seek the proper safeguards for the process, are important in a democratic society.
17
In Ukraine, this issue is no less urgent. A nationwide Internet Governance strategy is still not implemented. Therefore, public policy does not implement any program that could, at least gradually, solve the Internet Governance problem in Ukraine. The absence of such a strategy implies, first of all, unclear situation with a public authority responsible for development and implementation of a unified state Internet Governance policy, and therefore the "limits" (organizational, technological, and ideological) for the state involvement in the Internet Governance, as well as defining of the players (stakeholders) with some responsibilities and rights in the Internet Governance implementation, remain unclear. The Ministry of Digital Transformation is likely to become such an authority." This state of affairs is caused, first of all, by the absence of a political vision of the problem. Ukraine still has no preferred type of Internet Governance. The nongovernmental sector (mostly involved in the IGF-UA organizing) is largely driven by the ICANN's multistakeholder approach and policies, namely, the state's noninterference in the Internet Governance (or its minimal partnership). Governmental and Non-Governmental Representatives’ Opinions The accuracy in the Internet Governance related wording, which is the basis of any effective legal relations, remains important both for the public and civil sector. The non-governmental sector representatives stress that there are "too many proposals to improve the translation [of the term]. When I hear "Internet regulation", "Internet control" terms, they remind of China, Russia, and other countries trying to censor. While "governance" or "Internet Governance" is about the development of common rules, policies, approaches, solutions - anything to make the Internet work." Also, "Internet Governance is measured in various areas: legal, ethical, technical, and economic. Internet accessibility is a benefit for the community. But all players need to agree on the standards and the Internet usage consequences. The state, business, and society must agree on these standards." Admittedly, public authorities (especially the security and defense sector), when referring to the Internet Governance, think in categories of "regulation" and not "governance" (while emphasizing that there is no legislation in Ukraine that "regulates the Internet"). The non-governmental sector representatives agree as well: "The state does not understand the discourse. It wants to address cybersecurity issues. The difference between information security and technical security should be kept in mind. In some ways, we can understand the state as it must protect the cyberspace. But it needs to define what exactly it must protect. Another issue is the information environment of the rest of the society. One message does not fit here. Technical and information security issues should be distinguished. Another part of the problem is a lack of an adequate definition of the very concept of the Internet: "We got used to the "Internet network" wording." There are three versions of different laws on electronic communications, and none of them is in compliance with European law.
18
In the Association Agreement with the EU, we pledged to bring our legislation in this area fully in line with European law within three years. And this means that we have to follow at least three directives: on copyright, cybersecurity, and electronic communications", - stress the non-state sector experts. Another issue is multistakeholderism itself. It should be acknowledged that for the officials, who charge in terms of the legislation requirements and the degree of real state influence of the infrastructure component management, this issue is rather of theoretical importance: "The Internet is a complex ecosystem. And, on the one hand, the state shapes the legal framework, and, on the other hand, there is such a regulator as business... The state is centered on network communications management". When asked about what laws regulate the Internet Governance issues in Ukraine, the government officials refer to general regulatory documents (such as the Law of Ukraine "On Information" or "On Telecommunications") or specific documents that regulate security and punishment issues (the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine" or the Civil Code). For governmental bodies, the Internet Governance issue is not so much a partnership process but rather the non-governmental sector involvement in the formulation of rules to be defined by the state: "Business entities, NGOs should be invited to discuss such laws as, for example, the draft law on digital rights, the draft regulation of the broadband access development." Meanwhile, for the nongovernmental sector, it is a matter of effective partnering with the involvement of a range of actors (but with real and intense government involvement). On the other hand, it is the state representatives who point at the problems in Internet resources usage as a result of the adoption of the imperfect law: "Language Law. It has some requirements for websites. They must be first downloaded in Ukrainian. The law sanctions penalties for the violations. But the problem is that there are some Ukrainian sites in the .UA domain zone with the end-users abroad, who will find the interface in Ukrainian instead of usual, say, English." That is why non-state stakeholders insist on the idea that Ukraine does not need to adopt new laws but rather to analyze the existing ones and take measures to force them to work properly." A bright example in the case is the state participation in the IGF-UA (and in the IGF in general) as a major Internet Governance forum. It mostly remains an event for business and non-governmental organizations: "Who has heard of the IGF? Who was at these events? It is mainly represented by the technical community, then civil society, with the state underrepresented", - say civic society members. However, this event should become a real-world wide-ranging tool for the Internet Governance issues. Currently, the involvement of the state in this format arouses little enthusiasm among the non-governmental stakeholders: "The [state] involvement is rather formal. It was always difficult to entice government officials there. They did not understand it, and still do not understand. I hardly ever heard about Ukraine being normally participating in international bodies.
19
At some point, there was such understanding at the state level, with the organized joint Ukrainian official delegations including governmental, business, and civil society representatives. And after 2008, it all stopped. Nowadays, there are no such properly organized delegations to realize this multistakeholderism approach. I can register for any forum on my own. But there is no any center in Ukraine to properly deal with it… In 2016, the government did not come to the [IGF-UA] forum at all." This is mainly due to the lack of an assigned governmental authority formally responsible for the issue: "Today, telecommunications-related functions are divided across several agencies. We do not have a single body to shape the policy in these areas. What is the State Agency [for e-Governance]? It has no voice and cannot come to the Cabinet of Ministers without a call. There is no central executive body combining these functions." Anonymity is another issue with no strategic consensus upon. The authorities point on the need to identify users and subscribers: "I would start with the anonymity of users or subscribers. What is the world experience regarding this? Try to access the Internet without your passport in Japan - you will not succeed. Everyone accessing the network must be identified. This is a common European practice". For the governmental agencies (especially those dealing with the security issues), deanonymization is a part of the deemed Internet chaos streamlining, build-up of the understandable scope for action, and offline rules shifting to online. Therefore, the government agencies almost always and almost in any country focused on reducing the users' anonymity. On the other hand, civil society takes the right to anonymity as one of the Internet freedom markers, and any attempts to limit this right can provoke a lot of resistance. This is an issue for a broad professional debate in Ukraine. At the same time, parties came to a consensus on education, which is a necessary condition for effective Internet functioning. It is interesting to note that the authorities’ representatives especially emphasize this: "We do not have a problem with Internet penetration, our problem is to teach people to use the Internet. In villages, the problem is not in the Internet service providers' absence. They come and invite to subscribe for their services, but people just do not need it. We need a state program. We will never have the digital economy unless the society understands what it is and how to use it. There are no problems with the providers’ entry and Internet penetration. We have a problem with our users. I believe that the demand should be formed. If not to teach gramma, she will not use the registers, etc. The Poles focused on population 50+, not 70+. And we, in fact, have to focus on 40+.» џ
Trends
In Ukraine, the Internet Governance issue should be not a matter of constant debate, but a clear vector of the joint movement of the state and all interested stakeholders. The new government under President Volodymyr Zelensky implement these plans in some parts.
20
However, this issue will still need clear regulatory and institutional support, first and foremost: џ
Implementation of the necessary measures aimed at enshrining the key Internet Governance concepts and, above all, the most basic concept of the Internet, consistent with the EU legislation (finalization of the telecommunications legislation reforms in line with the commitments made under the Association Agreement), in the legislation.
џ
Assigning of a government institution (at the specialized central executive bodies’ level) responsible for the Internet Governance issues, and liaison with stakeholders in this area.
џ
Enshrining by such a body some public policy basics on the Internet Governance in an official government document or as part of a broader national information society policy building in Ukraine. The basic Internet Governance model described there should be based on a multistakeholderism approach.
џ
Creation of legislative and institutional conditions for full-fledged partnership in making decisions on Internet Governance issues at all levels of government and public life.
џ
Initiation of a broad public discussion on the ways to reform the administrative structure of the electronic communications public administration, including steps to ensure the regulators’ financial independence, the introduction of sanctions for violations to protect the consumer rights, a plan of systematic actions on information security issues, and ensuring the principle of technological neutrality.
џ
Internet anonymity remains a conflict issue, dwarfing consensus-building between the state and the non-state sector. It will require more intensive professional dialogue to find a compromise between the personal citizens’ freedoms and society safety demands in general.
џ
An educational component in the responsible use of the Internet area is a basic part all stakeholders must be involved in. This will require qualitative regulatory support from the parliament, institutional and organizational support from the government, and active involvement of the public and business in some practical activities.
21
џ
2.3 DIGITAL RIGHTS: GENERAL APPROACHES
џ
Problem statement
Human rights is a category determining the legal relations between a person, society and the state. With the advent of the Internet, there emerged a new space for human rights realization, and hence a discussion about the specificities of rights in the online space, or as they are often called, "digital rights". Digital rights regulation is a rather new phenomenon, and the system of relevant international rules is currently in the making, which also must/should be reflected in the national laws. Experts point out that Ukraine lacks a systematic approach of the state to the "digital rights" issue (definitions, complex mechanisms, procedures, and rules). Another problem is that relevant legislative initiative was criticized both by civil society and international organizations.19
19 Internet and users’ digital rights regulation in Ukraine. Analysis of the law / Olexandr Burmagin // https://netfreedom.org.ua/jak-v-ukraini-regulujtsia-internet-ta-tsyfrovi-prava-korystuvachiv
22
At the moment, human rights defenders in Ukraine name the following citizens’ general digital rights violations: 20 џ џ
џ
џ
Internet availability/quality of the providers’ services are uneven across the country;21 Restriction of access to the Internet resources and restriction of content that occurs through the mechanism of sanctions against relevant legal entities (Odnoklassniki, OJSC Mail.RU Ukraine, OJSC VKontakte, OJSC Yandex, etc.). Experts emphasize the problem of extrajudicial blocking; Digital human rights restriction by unnecessary digital services imposing, spam, in particular, which is against the provisions of the Budapest Convention on Cybercrime and the Law of Ukraine "On Consumer Rights Protection"; 22 Violation of citizens' right to information, and especially on the Internet, through the dissemination of single fakes, and cohesive misinformation campaigns. Even though the right to reliable information has not yet become a part of the international agreements, in 2012, the UN Human Rights Committee resolution on the Right to Truth 23 was adopted. Experts predict it will be included in the human rights catalog in the future and propose to formulate it as a "right not to be misled".24
20 Experts distinguish the following two groups of rights: џ digital rights of a general nature, infringements affecting an unlimited number of individuals; џ digital rights of an individual nature, infringements affecting individuals and with no direct impact on a wide audience. // https://www.ppl.org.ua/wp-content/uploads/2019/06/%D0%97%D0%B2%D1%96%D1%82%D1%82%D1%80%D0%B0%D0%B2%D0%B5%D0%BD%D1%8C-2019%D1%80%D0%BE%D0%BA%D1%83.pdf 21 Experts notice rather affordable prices for Internet access services in Ukraine, and the number of Ukrainians with access to the Internet and the speed of its adoption are increasing. But at the same time, there is still a difference in Internet coverage in cities and small towns and only 35% of the population use smartphones: // https://zmina.info/articles/obmezhennjia_prav_v_interneti_riziki_dljia_ukrajini/ 22 Also, Section 1 of Article 19 of the Law of Ukraine "On Consumer Rights Protection" forbids unfair business practices, in particular, misleading or aggressive activities (containing some elements of coercion, harassment, influencing or potentially able to influence consumer's freedom of choice or behavior in purchasing products). Besides, according to Part 5 of Article 19 of the law, such forms of entrepreneurial practice as constant sending phone, fax, electronic, or other messages without consumer consent are prohibited as aggressive. That is, in particular, SMS spa // https://rpr.org.ua/news/5-vypadkiv-koly-vy-ne-zdohaduvalysya-scho-vashi-tsyfrovi-prava-porushuyutsya/ 23 https://www.ohchr.org/EN/Issues/Truth/Documents/A_HRC_21_7.pdf 24 https://medium.com/swlh/do-we-need-new-human-rights-in-the-era-of-fake-information-db092c96b961
23
Among the digital rights violations, there were recorded: personal pages hacks; subscribers confidential information collection and dissemination by the mobile service provider; court-sanctioned provision of excessive and disproportionate access to consumer information on the Internet access; threat of personal data leakage and loss of funds through a fake advertising of a bank offering surveys to collect information, etc.25 Ń&#x;
A brief history
The only regulatory act of Ukraine mentioning digital rights is the Action Plan for the Concept for the Development of the Digital Economy and Society of Ukraine for 26 2018-2020, providing the development of such rights list according to the Ukraine's commitments to the European integration process and other international commitments to the international organizations Ukraine is a participating member of, and the submission of proposals for their implementation. The Ukraine's international commitments on human rights are, first of all, those connected with its membership in the United Nations and the Council of Europe. All international treaties, ratified as required, are a part of the domestic law, according to Art. 9 of the Constitution of Ukraine. 27
In 2012, the United Nations Human Rights Council (UNHRC) adopted a resolution on "Promotion, protection and enjoyment of human rights on the Internet", proclaiming that all offline human rights should be equally respected online. The UN and its structures practice have a mechanism for resolutions reviewing/updating. In 2014, 2016, and 2018, the resolution on human rights on the Internet was revised and amended in 5-15 points.28
25 https://www.ppl.org.ua/monitoring/monitoring-cifrovix-prav 26 On approval of the Concept for the Development of the Digital Economy and Society of Ukraine for 20182020, and approval of the Action Plan for its Implementation: Decree of the Cabinet of Ministers of Ukraine No. 67-p, January 17, 2018 // https://www.kmu.gov.ua/ua/npas/pro-shvalennya-koncepciyi-rozvitkucifrovoyi-ekonomiki-ta-suspilstva-ukrayini-na-20182020-roki-ta-zatverdzhennya-planu-zahodiv-shodo-yiyirealizaciyi 27 The United Nations Human Rights Council (UNHRC) is one of the most important international forums for human rights defenders. At its sessions, the UN Human Rights Council adopted resolutions on a wide range of human rights issues. Although these resolutions are not binding on states, like treaties are, they are an important source of international human rights standards as a form of "soft law". As a multilateral forum, the UNHRC has a broad mandate to make recommendations to the General Assembly for further international human rights law development // https://www.gp-digital.org/wpcontent/uploads/2017/12/NavigatingtheHRC.pdf 28 The promotion, protection and enjoyment of human rights on the Internet // http://digitallibrary.un.org/record/845728/files/A_HRC_32_L-20-EN.pdf http://digitallibrary.un.org/record/845728/files/A_HRC_32_L-20-RU.pdf
24
The 2018 version of the resolution for the first time recognizes, in particular, that international human rights law must be the basis of the technology companies' policies and conditions of service. This last point is of prime importance, given discussions on social networks’ role in online content regulation. "Right to privacy in the digital age" is another important UN resolution adopted by the General Assembly on 18 December 2013. The document stresses the global and open nature of the Internet and the rapid development of information and communication technologies as drivers of progress towards development in various forms.29 The latest version of the resolution, adopted in 2017, reaffirmed that "the same rights as people have offline should also be protected in an online environment, including the right to privacy".30 The Council of Europe's position on digital rights is enshrined in a series of documents. The Budapest Convention on Cybercrime, created by the Council of Europe in 2001,31 remains the only one recognized international treaty on the protection of freedom, security, and human rights on the Internet.32 Convention is a binding international legal instrument that requires parties to modernize and harmonize their criminal law against hacking, and other security breaches, including copyright infringement, computer fraud, child pornography, and other cyber offenses.33 In 2005, the "Declaration on human rights and the rule of law in the Information Society"34 was adopted and became the first attempt to define the legal framework in this area. The Human Rights in the Information Society section of the Declaration contains 8 points: the right to freedom of expression, information and communication; the right to respect for private life and correspondence; the right to education and general access to the new information technologies; the prohibition of slavery and forced labor; the right to a fair trial and to no punishment without law; the protection of property; the right to free elections; freedom of assembly.
29
The right to privacy in the digital age // https://www.ohchr.org/en/issues/digitalage/pages/digitalageindex.aspx
30 Propositions and comments // https://www.ohchr.org/Documents/Issues/DigitalAge/ReportPrivacyinDigitalAge/INCLO.pdf 31 European requirements for the personal data protection in e-commerce / Olexiy Mervynsky // http://pnzzi.kpi.ua/30/30_p34.pdf 32 The Budapest Convention on Cybercrime // http://zakon0.rada.gov.ua/laws/show/994_575 33 Handbook on European data protection law // https://rm.coe.int/16805966a8 34 Declaration on Human Rights and the Rule of Law in the Information Society // https://www.coe.int/t/dgap/goodgovernance/Activities/Public_participation_internet_governance/Declaratio n-Information-Society/011_DeclarationFinal%20text_en.asp
25
Therefore, from this list, it is clear that these are mostly rights considered basic even before the information society build-up.35 In 2012, the Committee of Ministers of the Council of Europe created Committee of experts on rights of Internet Users (MSI-DUI) "not to create new human rights, but to explore the possibility of applying existing rights to the Internet".36 In 2013, the Political Declaration "Freedom of Expression and democracy in the digital age: opportunities, rights, responsibilities" 37 was adopted; it states, inter alia, that "Access to the Internet is inextricably linked to human rights, in particular to the exercise of the right to freedom of expression. We acknowledge the fundamental importance for people to be able to express themselves and access information on the Internet without undue restrictions, thus enabling them to effectively exercise their rights under Article 10 of the European Convention on Human Rights." In 2013, the Council of Europe also adopted a resolution on Internet Freedom:38 "Access to the Internet is a key tool enabling people to effectively seek, receive and impart ideas and opinions. Interfering with access can undermine participation in democratic processes and affect the dissemination of information and expression in the public interest. Any interference must meet the requirements of Article 10, paragraph 2, of the European Convention on Human Rights". Thus, the European community recognized access to the Internet as a basic human right. In 2014, the Committee of Ministers of the Council of Europe endorsed the Recommendation CM/Rec (2014) 6 on a Guide to human rights for Internet users 39 and noted that all member states of the Council (Ukraine as well) are obliged to secure human rights and fundamental freedoms enshrined in the instruments they have ratified. This obligation is also valid in the context of Internet use. No one should be subjected to unlawful interference with the exercise of their human rights and fundamental freedoms when using the Internet.
35 Zolotar O. O. Human Rights and Freedoms: An Information Dimension // IT Law: Problems and Prospects for Development in Ukraine: Proceedings of a Scientific and Practical Conference. Lviv: Lviv Polytechnic National University 2016. P. 59–69 // http://www.lp.edu.ua/sites/default/files/news/2016/3900/attachments/maket_it_konfer.pdf 36 Recommendation CM/Rec(2014)6 of the Committee of Ministers to member States on a guide to human rights for Internet users – Explanatory Memorandum // https://rm.coe.int/16804d5b31 37
Political Declaration And Resolutions // https://rm.coe.int/1680484e65
38 Political Declaration And Resolutions // https://rm.coe.int/1680484e65 39 Recommendation CM/Rec(2014)6 of the Committee of Ministers to member States on a Guide to human rights for Internet users // https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680 4d5b31 https://rm.coe.int/16802e3e96
26
The guide became one of the key international documents systematizing basic rights and restrictions on the Internet. In 2018, Ukrainian media NGOs initiated the signing of the Declaration of the Free Internet 40 as an advocacy tool for the promotion of digital rights and the free development of the Internet in Ukraine. The declaration, in particular, defines «everyone's right to access the Internet" and describes the network as "one of the key means of realization of everyone's right to freedom of information, to disseminate information, and to express their views freely." џ
Governmental and non-governmental representatives’ views on the problem
In terms of digital rights, the opinions divided with no regard to the experts’ belonging to the governmental or non-governmental sectors, but rather by their attitudes to such rights. The first position was about no distinction between digital and offline rights: "We mean that human rights, which humans always had, just got a new dimension of their realization." The second position was about taking digital rights as a specific phenomenon that needs to be understood: "We must first determine what rights we are talking about." Government and non-government representatives’ understanding of the responsibility for user rights protection, in some points differ and in some points coincide. In discussions on the issue, both groups focused on personal data protection. However, the topic details were different. The authorities’ representatives stick to the position of the shared responsibility for all legal relations subjects: "Everyone must secure for their personal data by themselves. The service provider must be responsible for the sent data to be transferred to the address with no third parties access. The state must be responsible for the personal data it is securing. There is a law on personal data protection. The Ukrainian Parliament Commissioner for Human Rights is authorized to control over personal data law observance." Non-governmental representatives focus on the current system shortcomings: "Users' rights protecting is more of an ombudsman's issue. However, we have a failure with the independent body required by the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data, which is the Ukrainian Parliament Commissioner for Human Rights.
40 В Україні ініціювали Декларацію вільного інтернету // https://netfreedom.org.ua/article/v-ukrayiniiniciyuvali-deklaraciyu-vilnogo-internetu
27
We have an outdated law that should have been an alternative and counterbalance to the Law "On access to public information". It does not take into account the realities. The mechanism of users’ rights violations proving and the law enforcement agencies effectiveness are the problematic areas in protecting users rights." Some experts consider it necessary to carry out educational activities aimed at both Internet users and the society at large, to better understand how to use the Internet safely, cyber hygiene, and network self-regulation. Ń&#x;
Trends
According to the non-governmental sector experts, Internet security must be guaranteed by the state. At the same time, digital rights regulation and legal restriction should be developed transparently and openly, and access blocking can be justified only by court decision based on cogent reasons.41 Experts emphasize that any actions in the digital rights area should be developed in a balance between information protection and freedom of expression, the UN position and the ECtHR practice, with taking into account the world experience.42 When drafting laws, it is important to keep in mind that the Constitution regulates human rights issues. Therefore, it is logical to propose to supplement Section II of the Constitution of Ukraine 43 with a rule that establishes the equal application of fundamental rights and freedoms online and offline. Since digital rights realization is impossible without the use of the Internet, it is important to fix in law the possibility to access the Internet as a public service.
41 https://zmina.info/articles/obmezhennjia_prav_v_interneti_riziki_dljia_ukrajini/ 42 https://zmina.info/articles/obmezhennjia_prav_v_interneti_riziki_dljia_ukrajini/ 43 http://zakon.rada.gov.ua/laws/show/254%D0%BA/96-%D0%B2%D1%80
28
We suggest using the approach proposed in the Council of Europe Committee of Ministers Recommendation to member states on a Guide to human rights for Internet users44 as a basis for structuring and content for all digital rights-related regulations: 1. General rules. 2. Access and non-discrimination. 3. Freedom of expression and information. 4. Assembly, association and participation. 5. Privacy and data protection. 6. Education and literacy. 7. Children and young people. 8. Effective remedies.
44 Recommendation CM/Rec(2014)6 of the Committee of Ministers to member States on a Guide to human rights for Internet users // https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680 4d5b31
29
2.4 PERSONAL DATA Ń&#x;
Problem statement
Public and private companies collect more and more citizens’ personal data, justifying it either with a necessity to improve the quality of services or to enhance the safety of citizens. Meanwhile, the right to personal data protection and minimization of their collection by the state is a direct requirement of some European documents and can be linked with certain provisions of the Convention on Human Rights. Ń&#x;
General context
The information processes development significantly updated the privacy and consumers' personal information security issue. While until the mid-twentieth century, data collection was executed in predominantly classical forms and the amount of such information was relatively insignificant, the development of computer technologies, automated data processing capabilities, as well as the service industry development and IT giants emergence, led to an avalanche of personal data collection, processing, and correlation. Definitely, in the current context, the personal data flow becomes reasonable and, to a certain extent, a requirement of time, but the key issue - necessity and sufficiency is still on the agenda. Every year, the urgency of the issue increases, because the level of privacy constantly goes down (as technological capabilities expand), and possibilities for personal data usage only get bigger.
30
At least since the mid-1970s, this problem began to appear within Western politicians’ and state institutions’ view, and in 1981, the Council of Europe adopted one of the key documents - the Convention for the protection of individuals with regard to automatic processing of personal data. The principles, this convention is based upon, remain relevant and must be the basis for improving legislation. At the same time, IT development, Internet platforms (social networks, marketplaces), in particular, shifts focus in personal data collection and usage - while before the state and its structures (security above all) were taken as the main privacy principles violators, now such violations are often committed by non-state actors and structures. Personal data and their usage have a clear political dimension - a Cambridge Analytica issue showed that personal data can also be a tool directly influencing the electoral process. A series of scandals with the collection (and further dissemination) of excessive amounts of personal data by social networks created a basis for the intensification of national and supranational efforts to protect personal data. To this end, the EU adopted the General Data Protection Regulation (GDPR), significantly increasing the citizens’ ability to control what data they collect and how process them, and to stop these activities. Under the GDPR, companies are obliged to inform citizens more broadly about what data they collect and what they plan to do with them. Failure to comply with these rules will result in significant penalties - the largest fine for 2019 is the fine levied by the U.K.'s Information Commissioner on the British Airways - EUR 204 million, and in 2018, the French regulator CNIL imposed a fine of EUR 50 million on Google. There are also examples of smaller fines in other European countries under the new regulation (in Austria - EUR 4,000, in Portugal - EUR 400,000, in Denmark - EUR 200,000, in Poland - almost EUR 220,000). The situation with personal data protection in Ukraine has its history. In 2010, Ukraine ratified the Council’s of Europe Convention for the protection of individuals with regard to automatic processing of personal data, and Additional Protocol to it. In 2011, to implement this convention, the Law of Ukraine "On Protection of Personal Data" was adopted, and at the same time, the State Service of Ukraine on Personal Data Protection was created. For a number of reasons, the Ukrainian Parliament Commissioner for Human Rights was further responsible for personal data protection. However, there are some questions on whether the Commissioner is in institutional capacity to fulfill this function in full. Currently, the level and quality of the Ukrainian citizens’ personal data protection are most often characterized by the words "catastrophe" and "chaos" - data trade involving various state databases (with the Ukrainian citizens’ personal data) became widespread, while punishments for such crimes are disproportionate to harm. Bringing citizens to court for crimes in this area is a rare case and cannot take a form of safety precautions.
31
For example, a citizen’s attempt to sell a Ukrainians’ personal data database was only fined for UAH 17,000. Moreover, even in case of proven guilty of the accused, the courts often find no "victims", although apparently the victims are all those whose data could be accessed by outsiders. Security challenges with preserving personal data collected by the government institutions are no minor issues. At least in 2014, Ukraine began actively implement IT-based management of public services, in particular, in such sensitive areas as health care. Despite some responsible government structures’ requirements on the security of such information processing, Ukrainian and foreign experts express their doubts about this protection effectiveness. The greatest concern now is for the health care situation - eHealth system, already partially launched in 2017, even at its design stage had rather limited data security requirements (including user identification). It is often unclear who manages these data and response for their retention. European integration is another strategic issue related to personal data protection. The Association Agreement contains several articles that either explicitly state the Ukraine's obligation to protect personal data (in particular, Article 15, Section 3), or mention it in the context of other areas of the Agreement implementation. The rapprochement of Ukraine and the EU also raises questions about the adaptation of the GDPR requirements and its application possibilities to the Ukrainian practices. The authorities’ efforts on these issues are fragmentary and largely situational. Threats to personal data brought to attention by the non-governmental sector representatives are either ignored or left unresolved, sometimes due to purely political reasons, and in other cases due to the misunderstanding of the threats actuality. The latter is a specifically difficult problem because if in the normative sense (in defining a clear legal relations framework in this area) the requirements for protection can be changed, the perception of the threats remains a difficult issue, critical for the full implementation of regulatory decisions, even completely unambiguous ones. џ
Governmental and Non-Governmental Representatives’ Opinions
For government structures, the personal data protection issue is almost irrelevant - it is mentioned solely in a context of finding a more efficient model of technical protection of information. Meanwhile, the non-governmental sector representatives point out at a wider range of issues, and above all, the normative one: "We have serious problems with regulation. We have underregulation or misregulation. At the same time, we have to understand: we face the same challenges as Europe, although we have our specificity, often not understood in Europe." In this context, the GDPR implementation is a major concern. Although the Ombudsman's Office developed a draft law on the GDPR implementation in Ukraine, it raises many questions.
32
The non-governmental sector even often than the state one advocates for its implementation's restraint in Ukraine: "As for the GDPR. Definitely, the GDPR should not be implemented blindly. The key missing point, and this is also what makes the GDPR effective, is the oversight body one can reach in case of a breach. This is the key point." At the same time, the GDPR is proposed to consider in a broader context than purely personal data protection and privacy issues: "At present, personal data regulations are viewed not in the 'person - state' but the ‘person - Internet platform’ context. Platforms shift from the content platform concept to the editor concept. They promote certain content. The European colleagues praise the GDPR for opportunities to advance requests to these big platforms using our data. What we lack is a well-established communication between the Ukrainian government and online platforms. While the EU market has leverage, Ukraine does not have any of the kind," non-governmental experts explain. Experts also point out that the GDPR adoption mechanism and its actual application practice still need to be studied: "The GDPR is an example of how several stakeholder groups can add to the document. The GDPR was worked out by European experts in personal data protection. It is not perfect. For Ukraine, it can be useful not to copy but to explore how it works." But at the same time, the following is emphasized: "The Europeans, when adopting the GDPR, designed it wisely, and took into account large corporations’ and users’ interests. They also say that Ukraine should not blindly copy the whole process. A lot of issues conflict with the GDPR, and we are to address them one by one." There are also some concerns about such a law implementation forms chosen by the state - the question is in the state’s readiness (at the institutional, regulatory, judicial levels) for such implementation. Government officials say they get ready to address potential problems, and in general, are ready to implement the law: "As part of our digital law, we planned to train judges and lawyers. It will be a simple court appeal, and relevantly trained persons will adjudge on the GDPR issues," they note. At the same time, both sides state that the Ukrainian legislation on personal data protection is outdated and needs major updates. And, referring to the European laws elaboration experience, they underscore the need to work together on the legislation updates: "But if, regarding personal data, you say we should draft bills together with business and civil society, I think, it will sound rational." Users' personal data protection should be an integral part of the discussion about their processing. The security shortcomings, already identified by the experts in the governmental systems related to the citizens' personal data processing (such as health care), should be eliminated, and the security requirements must be at the heart of all such initiatives.
33
џ
Trends
Priority in personal data public policy shaping should be given to the institutional capacity building, legal framework improvement, and Ukrainian law adaptation to the EU requirements and security priorities: џ
A full-featured audit of the Ukrainian personal data protection institutional model effectiveness should be prepared. Since these powers in 2014 were delegated to the Verkhovna Rada Human Rights Ombudsperson, a comprehensive assessment of the Ombudsperson's ability to perform relevant functions in the current context should be carried out. Ukraine needs an effective oversight body in this area, working with the citizens’ appeals and providing effective assistance.
џ
Ukrainian legislation on personal data (and their protection) needs a full review regarding the current European approaches to this problem, the Association Agreement requirements as well as other international instruments’ (ratified and approved in Ukraine) requirements in this area should be implemented in full.
џ
Legislative initiatives in the personal data protection area should be also aimed at creation of a space for improving a dialogue with IT giants, in particular, social networks and Internet marketplaces, on this issue. Their actual extraterritoriality requires effective solutions to protect the Ukrainian citizens’ data in the same way as the other countries citizens’ data.
џ
The GDPR is not only a pan-European regulatory act but also the EU strategic vision on the personal data area. Given the Ukrainian progress in the European integration, we must develop our strategy of such a vision adaptation to the Ukrainian conditions. Appropriate changes should inevitably involve the nongovernmental sector and business to create a balanced consensus document.
џ
Personal data security should be a key element to any governmental initiative and regulatory change. Requirements for such systems cybersecurity should be substantially increased (based on the international cybersecurity standards), and the responsibility for violation of the personal data processing rules (or for unauthorized dissemination) should be strengthened.
34
2.5 INTERACTION OF UKRAINE (STATE, CIVIL SOCIETY) WITH FACEBOOK, GOOGLE, AND TWITTER џ
Problem statement
Social interaction moving into online space, social networks forming as platforms for communication/expression of own position and users’ news sources created new conditions for public discourse and led to new, yet unresolved, issues in the legal relations field. With traditional and fully motivated democratic interest and influence of the state on such discourse functioning (guarantee of the right to information, hate speech and discrimination prohibition, anti-defamation norms, etc.), online social relations regulation is one of the modern challenges for a democratic society, given human rights and freedoms are the priorities in this space. According to a Kantar TNS CMeter research , since July 2017, the list of three websites most visited by the Ukrainians remain unchanged: Google, Youtube, Facebook. In the same period, Instagram consistently ranked 11-13th. These resources served approximately 22, 17, 15-16, and 6 million users monthly, respectively.45 In 2018-2019, 23% of the Ukrainian population received news (information) from social networks, and 12% trust them. Among those Ukrainians who use social networks as the main source of information, 74.2% prefer Facebook, another 33.5% - Instagram, and 7.2% - Twitter. The majority of social networks active users (56%) name convenience as their main reason to use them for getting information on current events, since a lot of information from various sources is gathered there in one place. Another 31% explain their choice by the faster speed of news appearing there, compared to media. 3 out of 4 social networks’ active users (77%) agree on a lot of misinformation and fakes there. At the same time, 51% believe that measures to combat them should be taken by the networks’ owners and managers, 39% - by the state, 28% - by the networks’ users themselves.46 Currently, there are several factors complicating the information giants’ regulation in Ukraine: џ
online communications and mass media are not defined in the legal framework;
45 https://tns-ua.com/page/1?s=Рейтинг+популярних+сайтів+ 46 Information sources, media literacy and Russian propaganda: nationwide poll results // https://detector.media/infospace/article/164308/2019-03-21-dzherela-informatsii-mediagramotnist-irosiiska-propaganda-rezultati-vseukrainskogo-opituvannya-gromadskoi-dumki/
35
џ
technology giants are not officially represented at the national level. That is the case of Google, which owns YouTube and Facebook, which owns Instagram and WhatsApp.47 Google LLC, registered in Ukraine in 2010, focuses on advertising. There is no Facebook representative office in Ukraine. And the appointment of a Policy Manager responsible for liaison with Ukraine from the Facebook Warsaw office became a significant breakthrough in June 2019.
The lack of comprehensive institutionalized cooperation with the information giants and certain state leverages over them lead to situations when the claims are ignored or delayed. For example, despite the agreement, Facebook did not disclose funding for political advertising during the presidential elections in Ukraine, including one that appeared during a period of silence.48 Although on April 20 and 21, 2019, 1171 targeted advertisements were posted on the official Facebook page of one of the presidential candidates - an unprecedented number for the Ukrainian elections campaign.49 џ
General context 50
Google and Facebook are the 3rd and 6th level intermediary companies (providers). As intermediaries, these online Internet services do not produce but store information and facilitate its dissemination. џ
47
Currently, Google and Facebook are governed according to US law, international human rights law, self-regulatory instruments, and national laws. From the very beginning of the Internet development, this area was taken as a self-regulatory one. In particular, self-regulation is enshrined in the Council’s of Europe documents, stating that the member states should encourage selfregulation of content distribution on the Internet,51 elaboration of self-regulatory standards for Internet subjects’ representatives as well.
So in the future we will appeal directly to Google or Facebook.
48 https://tyzhden.ua/Politics/229964 49 https://oporaua.org/en/blog/vybory/vybory-prezydenta/vybory-prezydenta-2019/18466-tomos-evropaliftove-gospodarstvo-iak-oda-agituvali-za-poroshenka-u-facebook 50 There are some Internet intermediaries' classifications, such as the one proposed by the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. According to it, Google belongs to the intermediaries called "search engines and portals on the Internet", while Facebook - to "platforms for interactive networking" (Global trends in freedom of expression and media development. Digital media, 2015 UNESCO, 2017). 51 Declaration of Freedom of Communication on the Internet (2003), Recommendation of the Committee of Ministers to member states on self-regulation concerning cyber content (2001)
36
џ
The Internet intermediaries "protection" is provided by a number of influential Council’s of Europe documents limiting their liability, in particular, the Electronic Commerce Directive (2000), the Declaration on freedom of communication on the Internet (2003), and the Guidelines for Internet service providers (2008).52
At the same time, the amount of information disseminated through these companies, the speed of dissemination, as well as the availability of specific algorithms for information provision, and ultimately the impact on the state processes, make it necessary to accept greater responsibility for these companies than purely intermediary. These aspects became the reasons for the adoption in France of a law "contra la manipulation de l'information".53 The law provides the legal rules for the elections period, and the general legal rules. The first is the requirement for the digital platforms’ transparency, and the lawsuit procedure reviewing in an expedited manner - for a possibility to quickly stop the fake news spread. Besides the elections periods, the law imposes on digital platforms the obligation to cooperate with the state, in particular, those platforms that exceed a certain number of connections per day 54 must have a legal representative in France and make their algorithms public. Platforms are also required to take measures to counteract fake news and to make these measures publicly visible. The German Network Enforcement Act 55(2017) actually compels social networks to comply with national law in the form of effective reporting on illegal content and its compulsory removal. Platforms also should remove any information reported by the users as the law violation (if it is), within 24 hours, or within seven days, if the case is more complicated.56 Both France and Germany provided some mechanisms to control social networks’ activities to counteract the inaccurate information dissemination and to impose penalties for breaches of the law.
52
"Problems of public authorities interaction with Google and Facebook on counteracting fake news dissemination" (analytical report) // International conference "The Hybrid War Decade: Lessons Learned to Move Forward Successfully". Kyiv, 2018. 31 p.
53 Loi n° 2018-1202 du 22 décembre 2018 relative à la lutte contre la manipulation de l'information. https://www.legifrance.gouv.fr/eli/loi/2018/12/22/2018-1202/jo/texte 54 The relevant limits are set in a decree that came into force on April 15, 2019: it applies to platforms with more than five million unique visitors per month in France, and transparency obligations start at a fee of more than 100 before tax. // Décret n ° 2019-297 du 10 april 2019 relatif aux obligations d'information des opérateurs de plateforme en ligne assurant la promotion de contenus d'information se rattachant à un débat d'intérêt général, Journal officiel, 11 April, 2019 55 https://goo.gl/2CreR1 56 https://tyzhden.ua/World/229965
37
The EU countries signed the Code of Practice on Disinformation57with Facebook, YouTube, Microsoft, and Twitter representatives; it stipulates that companies will check and remove hate speech posts within 24 hours after users reported on such violation. џ
In Europe, Google and Facebook also launched a special portal for the EU police inquiries. The portal allows to process requested information faster. Ukraine does not have access to it.
In recent years, Ukraine made some progress in its interaction with Facebook. From the authorities side, the Cyberpolice and the Ministry of Information Policy add to this cooperation. џ
The Cyberpolice started its cooperation with Facebook in the fall of 2018. At first, this was predominantly on the criminal cases and suicide issues, and later the attention focus shifted to the electoral process information security.
At present, Ukraine institutionalized the following mechanisms: џ џ
џ
57
liaison through the Cyberpolice Situation Center and the Police Communications Officer at the Facebook office in Dublin; request for international legal assistance. Сurrently, Ukraine actively uses this mechanism and sends more and more requests; this is how the practice is developed; the so-called emergency requests when there is a real threat to people's lives. These are the cases where the law of the country the information company is registered in obliges it to disclose information to avoid a threat to human life.
https://ec.europa.eu/digital-singlemarket/en/news/code-practice-disinformation
38
Before the elections, the Cyberpolice took notice on fakes dissemination in Facebook and proposed an initiative: in case of finding similar information, immediately request from a network to remove the fake. In this way, the problem was minimized. Taking into account the initiative from the Ukrainian side, Facebook accelerated the "political ad library" implementation. This mechanism is quite effective. Meanwhile, in overall, the cooperation effectiveness is not sufficient yet. Ukraine receives a positive response if it is directly in line with the Facebook policy, which is based on US law and the company policy. As for information campaigns and propaganda, Facebook has its own internal program, as they call it - a program to counteract coordinated information operations. At the current stage, the company is concerned with the non-genuine users’ dominance who use propaganda to influence elections. The cooperation with the Ministry of Information Policy was related to fence-mending concerning: џ
џ џ
support of the exchange of information on situations when the Ukrainian users were blocked if the detailed information on the reasons and circumstances of the blocking was provided. The Ministry officials may, if necessary, send detailed information about the Ukrainian users’ blocking for further consideration of the facts proving the Facebook community standards violation;58 counteracting the electoral processes interference; 59 verification of government pages on Facebook.60
According to experts, the government's cooperation with Facebook develops, but Google's readiness for such actions is not yet evident. џ
Governmental and Non-Governmental Representatives’ Opinions
The governmental and non-governmental sectors representatives’ positions on Ukraine’s fence-mending with the information giants are mostly the same: it is necessary to establish such rules and reach such agreements that will be beneficial for both the Ukrainians and the companies. Both groups members also understand that Ukraine is a small market for Google and Facebook, which in general affects the choice of the leverages over the companies, including the legislative ones. Therefore, currently, there is no talk either about heavy regulation of the platforms' activities, or pressure on them.
58 http://mip.gov.ua/news/2516.html 59 http://mip.gov.ua/news/2917.html 60 http://mip.gov.ua/news/2234.html
39
Fence-mending with the information giants is associated with the stakeholders’ involvement in the international events (such as #EuroDig2019, IGF), these companies’ representatives take part in, and where global discourse on the Internet engagement can be understood. Unlike the civil society, government officials are far less likely to participate in such events. This is largely due to the fact that until September 2019, the government had no assigned authority responsible for the internet. A non-governmental sector representative: "It would be better if we could activate some co-regulatory mechanisms to achieve common interests. There are following areas for combining the civil society, government, and platforms efforts: џ џ џ
elections, hate speech; media identification on the Internet for differentiating "fake media outlets and groups" from media adhered to the editorial standards; cybercrimes counteracting.»
An authorities’ representative: "As a country we tend to adjust rather than to influence the tech giants." The European Union practices demonstrate that Google and Facebook can be named monopolists in some information reporting and control. If no one controls or restricts the monopolist, it tends to abuse power. Therefore, the monopoly needs some appropriate legislative mechanisms of regulation.61 It is advisable to encourage competition. This position is in line with the US Democratic Party representatives’ ideas on antitrust legislation, allowing tech giants to turn into "giants" and then to "disintegrate" into some smaller units - for example, Facebook should sell Instagram and WhatsApp.62 However, such a proposal is unlikely to be widely supported. џ
Trends
Further search for mechanisms of interaction between Ukraine and Google and Facebook is important both in the general context of information security of the country and in terms of counteracting the fake information dissemination in particular, and as a strategic resource for the future, since it is not possible at the moment to name all potential risks and threats. Therefore, institutionalized collaboration should become a tool for overall sustainability promotion, both national and transnational.
61 https://www.ukrinform.ua/rubric-presshall/2729174-ci-moze-facebook-buti-efektivnim-sodo-protidii-movinenavisti-ta-dezinformacii.html 62 https://tyzhden.ua/World/229965
40
Currently, the government agencies, Google, and Facebook develop their relations on the content issues in two main modes: џ џ
request/complaint (the state bodies appeal to national laws; consolidation of requirements to response in a separate law); cooperation (the state bodies appeal to self-regulatory documents; co-regulation principles’ implementation).
The state bodies' requests to online intermediary companies are related to deletion and/or restriction of access to content.63 Requests can be submitted by people and legal entities, centrally and differentially, directly to online services or through the law enforcement agencies of the headquarters’ country. Government-mandated content restriction must be accompanied by government communication with citizens on their content restriction requests to the companies.64 Fixing the terms of information deletion in a separate law is one of the forms of state regulation on the requests/complaints responding. Governmental bodies’ attention to Google's and Facebook's self-regulatory acts, as well as the Global Network Initiative created Principles and Implementation Guidelines,65 describing possibilities of cooperation with governments to promote freedom of expression and privacy, and recognizing cooperation with the state as adding to the GNI principles promotion, should be a basis for mutually beneficial cooperation. Co-regulation as a kind of cooperation. Obviously, in the search for interaction mechanisms, Ukraine will proceed from the fact of шеі membership in the Council of Europe, and therefore the need to follow its recommendations, in particular, regarding the Internet intermediaries’ responsibility. On the other hand, the Doctrine of Information Security of Ukraine defines the "legislative regulation of the mechanism of detection, fixation, blocking, and deletion (of the prohibited content) from the information space of the state, in particular, from the Ukrainian segment of the Internet",66 as an information policy priority.
63 Failure to comply with company rules or relevant local laws may result in content being removed without government request. 64 goo.gl/na2Ehy 65 https://globalnetworkinitiative.org/sites/default/files/GNI-Principles-on-Freedom-of-Expression-andPrivacy_0.pdf 66 http://www.president.gov.ua/documents/472017-21374
41
There is an opinion stating that further functioning of the information giants as intermediaries is strategically unprofitable for Ukraine. Google’s and Facebook’s status change (reclassification) for media also requires analysis. This will also lead to changes in the legal basis for interaction with them. Currently, contract and commercial law is the legal basis for the relationship with such Internet services but in case of their status changed to media this will be mass communications (media) law. Valid algorithms for information search and selecting news sources, news feeds settings, news promotion, and website ranking, which is a kind of editorial process, are the reasons for defining Google and Facebook as media.67
2.6 INTERNET CONTENT REGULATION џ
Problem statement
In Ukraine, discussions on the Internet content legislative regulation issue often limited it to talks on such a restrictive tool as websites access blocking. This focus is narrow since the National Security and Defense Council’s of Ukraine decision on sanctions imposing requires the development and implementation of a mechanism for information resources blocking by the operators and providers. Several draft laws were introduced to the Verkhovna Rada to implement this decision, and none of them was approved due to the strong resistance of the IT community and NGOs. Even though web resources access blocking is widely used in various countries for vulnerable groups' protection (children, women, LGBTs), intellectual property rights' protection, etc., in Ukraine, it is mainly understood in the freedom of speech context, where governmental and non-governmental sectors’ approaches to restrictions are significantly different. In general, in Ukraine, the Internet content regulation problem comes beyond the blocking mechanism introduction and has three dimensions: џ
џ џ
The need to adapt Ukrainian legislation to European law (this implies, among other things, the state’s role reducing and introduction of more effective safeguards against human rights’ violations); The need to adapt the legislative framework to changes in the information and other areas, caused by digital technologies development; The need to counteract the Russian Federation’s activities, with their effectiveness increased through digital technologies development.
67 "Problems of public authorities interaction with Google and Facebook on counteracting fake news dissemination" (analytical report) // International conference "The Hybrid War Decade: Lessons Learned to Move Forward Successfully". Kyiv, 2018. 31 p.
42
Is Regulation Necessary? Various participants' views on the need for regulation diverged. While the Internet Association of Ukraine (InAU) representatives believe that "we do not need Internet regulation, but self-regulation", the government sector representatives emphasize the need for state regulation: "Threats that new technologies bring are evolving. As long as states exist, there must be some regulation. The state must create certain conditions in the information sphere, and assign tasks to certain bodies. When there are no specific rules, it is difficult to prevent abuse of law and technology." The law enforcement officials also stressed the need for a legal framework as a basis for the information security sector, which they said remains imperfect. Non-governmental and governmental sectors’ experts agreed that a person has a right to freedom of expression and at the same time there should be a legal framework for this right's implementation. Such legal frameworks exist in a traditional media sphere, but they should also be established on the Internet since online and offline rights cannot be different. Opinions on what this framework should be and whether this issue is sufficiently settled in Ukraine did not coincide. However, the experts agreed that liability mechanisms should be provided for fraudulent Internet subjects. Both authorities’ and NGO representatives pointed out at some gaps in current legislation. According to the NGO representatives, rule-making should be applied to journalist work online or in social networks, especially during the elections, online media work, and protection of the online media journalists’ rights. Some NGO representatives mentioned the example of Germany, which, according to them, regulates the video bloggers’ activities. The officials stressed the need to adopt a law defining the legal basis and mechanisms for website blocking. Although the civil society reaction to bill No. 6688 was very negative, the law enforcement officers consider the document good because it is "aimed to introduce resource blocking mechanisms in criminal proceedings and defined certain procedure, changes to the Criminal Code, investigating prosecutor’s and investigating judge’s powers, and how providers should fulfill their obligations." The security sector representatives stressed that sometimes rights and freedoms should be ceded for their own and state security's sake, but there must be a clear legal mechanism for such restrictions. The state and non-state experts’ views on this mechanism’s design significantly diverged. State Regulation and Internet Content Distribution Specifics The state's ability to directly regulate legal relations on the Internet is very limited since, like the rest of the users, it can access the network only through intermediaries such as providers. Regulation through the intermediaries is practiced not only in the virtual world. According to law, doctors and pharmacies do not sell certain medicaments without prescription, and shops do not sell cigarettes and alcohol to young people until a certain age.
43
The Internet is a global network with no formal frontiers. This means that information resources with prohibited content may be physically outside of the state jurisdiction, but the Ukrainian citizens will have free access to them. According to a discussion with the government officials, it is not difficult for intruders to direct users to such websites with the help of some traffic enhancement tools. Some intermediaries, such as social networks and other tech giants, for example, Google, can also appear outside the state jurisdiction.So they are not covered by Ukrainian law, and the Ukrainian state does not influence how they regulate content on their platforms. Also, this regulation is nontransparent, as it is often implemented with the help of algorithms protected like business secrets. The accountability mechanisms’ implementation is complicated because of the right to anonymity and inaccessibility of users’ and content producers’ data, that human rights defenders find positive, especially in repressive regimes states. Another Internet peculiarity is that a majority of web resources not only provide users access to certain information but also collect information about them. Further, these user data can be used for direct information sharing or targeting for the benefit of business, politicians, or other entities trying to influence the user's choice. Besides, the lack or imperfection of content moderation mechanisms due to the different players’ criteria inconsistency, complexity in their application due to a large amount of information, the AI-based mechanisms imperfection (in particular, insensitivity to context, false positives, false negatives) lead to unobstructed publishing of unlawful or harmful content. Another named problem is connected with the mechanisms of rapid, viral dissemination of information and statements thrown in at some point of time and with some emotional coloring, and their repetitive exposure to users. Such content is often manipulative, inaccurate, one-sided, may violate users' rights or threaten national security. However, there are no mechanisms for deletion of widely distributed online content even recognized by a court or other legitimate authority as a subject for deletion. There is also a lack of mechanisms for rapid response to the distribution of viral content violating rights and/or leading to negative consequences offline (such as violence). Threats to Information Sphere While discussing threats to the information sphere, the security sector representatives stressed that, since 2014, Ukraine faces the threatening impact of certain resources on public opinion.
44
Some officials found threats in the very fact malicious content spreading: "Malicious content should not be distributed. Not stopping it is a crime continuation. Without actions taken, there will be one case, then ten cases, and tomorrow - a thousand of them. This is an incitement to crime. And this is a reason for blocking, to stop content dissemination." The law enforcement officials identified the sites used by terrorist organizations as a threat to national security. It was also argued that the critical statements outbursts are not always incited by the outside players: "I am far from taking criticism on the President or the authorities as certainly "Kremlin’s hand". The citizens of Ukraine have the right to critical expression, and, by international standards, this right must be protected. The government explained the blocking and other restrictive measures by a hybrid war, while the western countries’ criticism by having no similar processes in those countries: "We have a hybrid war, so we respond in such a way to hybrid threats." The social sector representatives, among other things, find the threat in the state itself. "In fact, there are two, maybe three threats. First is a threat from the state. The state has been trying to set some rules for the last 15 years. The second problem is the external risk, Russia. The third problem is the low-level interests, the people in search of their benefit." The Doctrine of Information Security of Ukraine identifies 7 current threats to the national interests and national security in the information sphere. Two of them may require legislative regulation for content distribution: џ
џ
special information operations aimed at defense capability undermining, demoralizing the personnel of the Armed Forces of Ukraine and other military formations, provoking extremist manifestations, fueling panic moods, exacerbating and destabilizing the socio-political and socio-economic situation, inciting inter-religious conflicts; spreading calls for radical actions, promoting isolationist and autonomous concepts of coexistence of regions in Ukraine.68
The indirect linkage of the information/statements’ dissemination with such actions’ effects in the real world significantly complicates legislative constraints, which is an effective definition of the legal relations in this matter. Although terrorist content is mostly considered a threat, researches show that to achieve a result sought by the content distributors, there must be certain conditions, for example, a difficult socio-economic situation.69
68 https://www.president.gov.ua/documents/472017-21374 69 Ines von Behr, Anais Reding, Charlie Edwards, Luke Gribbon Radicalisation in the digital era. The use of the internet in 15 cases of terrorism and extremism. https://www.rand.org/pubs/research_reports/RR453.html
45
In certain circumstances, not only criminalized or overtly harmful statements/ information can harm. For example, a person has a right to tell the wrong things. However, false information, repeatedly disseminated through a large number of channels, can create a false world perception, which then affects the user’s or the groups’ of users behavior. Such a tool as astroturfing - creation of an illusion of widespread support for a phenomenon, in the virtual space, in particular - is widely used by propagandists to influence social processes in other countries. Each country has its own characteristics, making it vulnerable to external influence. These include, for example, the public conflict or imperfect government mechanisms. Inaccurate information, trustworthy information distributed to a certain audience or at a particular moment of time, emotionally colored statements or reports on events, although they are not illegal or too harmful, can play a significant role in fomenting conflicts or undermining confidence in the state institutions. This linkage and conditions for information security threats caused by current vulnerabilities need further research.
46
Subject of Regulation and Protection The subject of regulation/protection largely determines the approaches applied. The Ukrainian state approach does not coincide with the international one, and with the civil society approach as well. The social sector representatives emphasized the need for a common approach: "Are we talking about business, security, or human rights? We are talking about common things that should be the criteria for all these laws.Âť The Doctrine of Information Security of Ukraine stated the need to protect information sovereignty. The Law "On the National Informatization Program" defines the information sovereignty of the state as the "ability of the state to control and regulate flows of information from the outside to keep them within the laws of Ukraine, the rights and freedoms of citizens, to guarantee national security of the state.Âť This approach contrasts with one of the international organizations guided by the Universal Declaration of Human Rights (UDHR). In particular, Article 19 of the Declaration states that "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.Âť The NGOs representatives stressed the importance of protecting the human right to freedom of expression and access to information that the state can restrict only under certain conditions, and also mentioned that there was a right to secure information space. The difference in approaches causes the difference in the path choice: either to create the same rules for all participants - or to try to differentiate for internal and various external players. Content Restriction Issues Various groups representatives have different motives and views on content restriction criteria. The IT industry representatives mainly use the emotionally charged word "censorship" to denote any regulation and strongly oppose it. The law enforcement officials find restrictions necessary to prevent and end crime, protect the national security, they are stick to the thought that some situations require to back out of some rights. Human rights defending NGOs agree on the need for regulation, but emphasize that restrictions on rights must meet the criteria set out in Article 10 of the European Convention on Human Rights and other international norms.
47
During the meetings, it was emphasized that providers/operators primarily follow a special law - the Law of Ukraine "On Telecommunications". According to the private sector representatives, it clearly states how the operator should behave. Article 39.18 of this law obliges telecommunications operators "to restrict their subscribers’ access to resources, disseminating child pornography, by a court decision." During the discussion, the law enforcement officials emphasized the need to develop a legal mechanism restricting access the Internet content, notably for NSDC imposed sanctions decisions enforcement. In their opinion, the Law "On Sanctions" should be improved so that "restriction of access to resources would be not in the section 'and other types of sanctions' but spelling out in detail who and how exactly should enforce it." They also referred to Article 10 of the European Convention on Human Rights but stressed that the state has the right to impose restrictions in the interest of national security: "There are legal rules that we should apply in legislation when accompanying considering of the draft laws on restrictions on access to resources. There is Article 10 of the Convention on Human Rights. They provide certain restrictions that are in accordance with law. I do not see conflict and the attack on freedom of speech." The law enforcement officials also stressed the NATO countries’ limitations, calling them "censorship": "NATO colleagues have never spoken in favor of censorship on the Internet; they stand for the criteria transparency. They have censorship and believe me, it's tougher than here. The main thing is to keep the criteria transparent. If a criterion is not democratic, then society can influence and change it." The need to block more and more websites was explained by the aggressor country opening other sites. According to one of the discussion participants, the Ukrainian legislation already contains grounds for content restriction in various laws, but these rules are scattered across different legislative acts and need to be systematized. Regarding the criteria, some participants of the discussion with the government officials emphasized the difficulty in finding agreement on the following criteria: "But the situation is difficult, who defines the criteria? Everyone has different views. The law says about the dissemination of the prohibited information. This is what should not be allowed. And the responsibility comes for the dissemination of such content. Just make a criteria list... It will always be incomplete. Experts will ask questions and there will be no consensus on the definitions.» Based on the positions of international law on which human rights NGOs rely, the right to freedom of expression is not absolute and can be restricted (under Article 4 of the International Covenant on Civil and Political Rights (ICCPR). Restrictions in the interests of national security can be imposed "in time of public emergency which threatens the life of the nation and the existence of which is officially proclaimed".70 70 zakon.rada.gov.ua/laws/show/995_043
48
Also, these restrictions should: 1) prescribed by law 2) have a legitimate aim 3) be necessary in a democratic society. The legitimate aim is defined more or less widely by various international instruments. Thus, under Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms,71 the right to freedom of expression can be restricted "in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary". The Siracusa principles on the limitation and derogation provisions in the International Covenant on Civil and Political Rights 72 define legitimate national security interests as aimed to "protect the existence of the nation or its territorial integrity or political independence against force or threat of force". Proportionality is a criterion that is fundamental in terms of human rights protection. The test of proportionality is that the court must consider whether the proposed restriction is the "least restrictive" for the intended purpose. When it comes to restrictions in the interests of national security, it is about protecting the population from acts of violence, terrorism, and so on.73 When it comes to website blocking, human rights defenders believe that entire resource blocking because of some content or pages with prohibited content is a disproportionate measure. However, given the Internet particularities described above, the transfer of these principles to the digital realm requires further study and reflection. It is also recognized at the UN level. One of the discussion participants referred to the UN report The Age of Digital Interdependence: 74 " in many cases it is far from obvious how human rights laws and treaties drafted in a pre-digital era should be applied in the digital age," the report said.
71 https://zakon.rada.gov.ua/laws/show/995_004 72 http://legislationline.org/ru/documents/action/popup/id/14624 73 https://globalfreedomofexpression.columbia.edu/wp-content/uploads/2016/01/A-Callamard-NationalSecurity-and-FoE-Training.pdf 74 “The Age of Digital Interdependence� Report of the High-level Panel on Digital Cooperation. https://digitalcooperation.org/wp-content/uploads/2019/06/DigitalCooperation-report-web-FINAL-1.pdf
49
Institutional Decisions The issues of institutional structure necessary for restrictions imposing and such bodies’ powers were discussed rather fragmentary. The discussion participants criticized the existing institutional structure for too many institutions and functioning without meeting the real needs. The social sector representatives emphasized that the decision to block websites is solely the court competence. But the government officials disagreed with them: "The state is obliged to protect itself. A law enforcement agency cannot go to court to block anything; there must be a government agency understanding what content is harmful/not harmful. This is the case in Germany, the United States, Great Britain, etc." The NGO representatives acknowledged the courts’ busyness and ordinary judges’ ignorance in the information sphere related issues related. At present, there is no clear understanding among the participants what a body could regulate the freedom of expression online. There was an idea about a body similar to the Ukrainian National Council for TV and Radio Broadcasting but devoted to the Internet issues. One of the participants proposed a body in its form similar to the National Expert Commission of Ukraine on the Protection of Public Morality but defending national security: "On the one hand, it could be a public authority, and on the other hand, involving experts in its activities. It could be a kind of semi-state expert body making decisions, assessing content, and judging in compliance with the law." Another proposition was to assign the information commissioners, a kind of Commissioner for Information Sphere. It was reiterated that content providers do not regulate content. Intermediaries’ Responsibility The Internet services providers’ representatives emphasized that they do not produce content by themselves, but merely act as neutral intermediaries and cannot be responsible for third-party content. The NGO representatives supported them and accused the state in trying to shift its responsibility to the providers. On the other hand, the social sector representatives raised a question of the websites containing some prohibited content but located outside of the Ukrainian jurisdiction: "It will be very hard to fight fake websites, supported by Russia. The hosting and the editorial office can be located outside of Ukraine, with the content targeted to Ukraine. This problem could be solved either by blocking, what is not the best solution for us, or by collaborating with Facebook, Google. Many users reach websites through them.» Using intermediaries for imposing restrictions is not a new or unique tactic for the Internet. In his book, Who Controls the Internet, Tim Wu and Jack Goldsmith give an example of the counterfeit goods sale regulation. It is obvious that the state cannot stop such goods production as it takes place abroad. However, it can recognize such goods sale illegal in its territory. Large retailers then act as intermediaries that are either to comply with the law or to pay a fine. On the Internet, the role of such intermediaries belongs to ISPs.
50
In general, there are three types of intermediary liability 75 recognized in the world: "broad immunity" as in the US, "contingent liability" as in Europe, and "strict liability" as in Russia and China. In the US, intermediaries are exempt from liability for third-party content under Section 230 of the Communications Decency Act. They may either respond or not to the illegal content. According to Tarleton Gillespie, author of the book Custodians of the Internet: Platforms, Content Moderation, and the Hidden Decisions That Shape Social Media, such a decision is typical for the United States because it favors business at the public interest expense. The European approach is to put no responsibility on the intermediaries for the content they do not know about. However, they are obliged to respond within a certain period after receiving reports on such content or to pay a fine. More details on the intermediaries’ responsibility can be found in the Recommendation CM/Rec(2018)2. Guidelines for States on actions to be taken vis-à-vis internet intermediaries.76 In Russia and China, providers are responsible for the content, and thus they have to actively monitor traffic. Moreover, in China, banned content criteria are unclear, and penalties are high. Thus, the state forces providers to apply excessive restrictions. The more complex logic is applied to such rules concerning Internet platforms and search engines, which do not produce the content by themselves but cannot be considered neutral intermediaries as well since they can influence the content exposure to users with the help of algorithms. The majority of them set their own rules but this is not the subject of this section. Restrictions’ Effectiveness and Alternatives to Blocking Some NGOs find human rights’ violations in the Presidential Decrees No. 133/2017 and No. 126/2018 on imposing economic sanctions against the Russian social networks and some online services. Also, there is no agreement between NGOs and public authorities on such decision effectiveness. For example, according to the NGO "Human Rights Platform", "blocking of the social networks VKontakte and Odnoklassniki did not prevent the dissemination of harmful content on the Internet. 10 out of 118 (court given) sentences (i. e. 8.5%) were related to materials distributed in these social networks after May 16, 2017, and the mentioned decree of the President of Ukraine."77
75 Fostering freedom online: the role of Internet intermediaries. https://unesdoc.unesco.org/ark:/48223/pf0000231162 76 https://rm.coe.int/1680790e14 77 L. Opryshko, V. Volodovska, M. Dvorovy. Freedom of speech on the Internet. Legislative initiatives and practice of criminal proceedings in Ukraine in 2014-2018. Analytical report, Kyiv, March 2019
51
According to the law enforcement officials, "statistics show that people stopped visiting such websites and the networks lost in number of users. The state indicated the direction but did not start pursuing, punishing, etc. And that was enough." The civil servants also emphasized that sanctions on social networks were imposed not only to restrict access to certain content: "There is a fundamental difference, security issue falls out of this model. Russians’ profits dropped manyfold since VPN does not provide room for targeting. We fought not only against propaganda but also with intelligence service. And this task was accomplished." Some other Russian Internet resources related threats were also mentioned: "Yandex has all the Trojan virus’ signs, and it is a question whether the state should let such product in its cyberspace.» As Tim Wu and Jack Goldsmith explain in their book, the governmental controls usually need not be perfect to be effective, the goal is to create enough obstacles and raise certain activities' costs. "The law need not be completely effective to be adequately effective. All the law aims to do is to raise the costs of the activity in order to limit that activity to acceptable levels." Noone judge on the effectiveness of a law prohibiting bank robbery by the fact that sometimes these robberies occur, Tim Wu and Jack Goldsmith explain. Very often, the law is passed with the understanding that a small percentage of responsibility avoidance will take place since full control is possible but too expensive for the state. The social sector representatives emphasize that blocking can be ineffective for technical reasons because the network’s specifics either provide possibilities for easy blocking bypass or make it difficult to block some resources sharing location with other resources.78 The NGO representatives also emphasized that technology development makes blocking even less effective: "The IT community has a clear thesis: with technology development blocking becomes impossible. One tries to block a site - and it keeps changing IP address every second. The state proposes decisions confronted by new technological solutions. And these decisions are ineffective." They also mentioned blocked sites’ mirrors and argued on whether providers should block them too. Deep Internet traffic analysis equipment installation (Deep Packet Inspection) threatens privacy. This was also acknowledged by the government officials: "If you set up DPI to block certain content, then DPI and certificates installation is also required for each user. This means people will understand that all their traffic, including what they write and watch, is open to all special services, in particular, the police, security service, etc." Among blocking negative effects, the panelists mentioned a possible increase in the blocked resources popularity: "Should blocking be massive? I am far from being sure. It's just to make them super popular. But what if to avoid massive blocking, and isolate 5-10 key resources?"
78 https://zaborona.com/interactive/nash-onlajnleviafan/?fbclid=IwAR33AW9tqjPscwqCjJhfUgxCQ8YH4XrsDEW66fYF-PV7uZxsawqg92w4XrA
52
Despite the technical possibilities to avoid blocking, this practice is increasingly used in various countries. It meets difficulties and human rights community resistance. In Australia, attempts to block websites with misleading content led to blocking a large number of websites not implicated in it.79 The UK adopts restriction of access to pornographic content for children. According to the Digital Economy Act 80(2017), providers must block access to pornographic websites and allow access only for age-verified users.81 This rule implementation meets technical difficulties and was postponed several times since there are no methods developed for users’ age identification without violation of their right to privacy. However, many countries block access to websites allowing the exchange of content protected by intellectual property rights. Blocking skeptics underlined that the fight against foreign influences should be realized in other ways. They proposed to carry out some educational campaigns, "to introduce strategic communications, and to fund national public broadcasting service to damp the hostile prepackaged news stories." Blocking skeptics also stressed that malicious content dissemination is often caused by some real-life phenomenon that can not be overcome by blocking access to some content. In their opinion, it is not the content should be removed but the primal cause of its appearance and dissemination. The discussion participants also stressed that rapid technology development would not allow legislation to be static as over time it will be necessary to migrate to new technologies. Cost of Equipment and Who Should Pay for It While criticizing current initiatives for content restrictions, the ISP’s representatives raised an issue of the equipment installation costs, and also mentioned that such equipment specifications most probably indicate an attempt to give preferences to a specific market participant. Subscribers will share expenses for equipment installation costs since operators will compensate these expenditures by the price increase. In a market-oriented economy, business entities are an important part of society, they not only provide services but also pay taxes. The state has its profit from their existence and taxes, so in such cases, they are not put under pressure but offered various incentives, such as temporary tax exemption, subsidies, and other methods making compliance to law less burdensome or more attractive to business entities. However, this decision should be made after extensive discussion and introduction of some safety measures against possible misuse of the access to information collected with the help of the mentioned equipment.
79 www.computerworld.com.au/article/621872/government-releases-guidelines-website-blocking-power/ 80 Digital Economy Act 2017 // www.legislation.gov.uk/ukpga/2017/30/pdfs/ukpga_20170030_en.pdf 81 Burges M. The UK porn block, explained (July 11, 2019) // www.wired.co.uk/article/porn-block-uk-wiredexplains
53
Execution of Decisions Execution of decisions was mainly discussed in the context of providers being not obliged to comply with the NSDC decision on blocking since such decisions are only applied to the executive authorities. In case there is a decision on blocking legitimacy the execution issue should also be standardized. Appeal Procedures Appealing against the decisions on content distribution was not discussed during the meetings, but appealing is an important part of the mechanism for the infringed rights restoring. Distrust in State Actions Distrust in state actions in general and the Internet, in particular, was evident during discussions involving the social sector and the IT community representatives. This attitude, among other things, is caused by some authoritarian traditions in public administration, corruption scandals around the law enforcement agencies, traditions of decision-making motivated by political expediency rather than law, abuse of power. "All these laws are written to block resources quickly, if necessary," this opinion is quite common in the social sector. Distrust of the state is traditional for the technical community, whose representatives from the very beginning of the Internet development considered it a space of absolute freedom, free from the "territorial governments" interference.82 Any attempt of the state to interfere with the functioning of a network, based on a complex system of relationships between various Internet services providers, looks hostile. In Ukraine, this hostility is exacerbated by the repressive nature of the law enforcement bodies under insufficiently standardized regulation. The participants of the discussions with the government officials also acknowledged this distrust: "There is nothing wrong with blocking. This is a matter of trust in prohibiting institutions. We are always suspicious of the state and institutions.Âť This situation makes it difficult to find regulatory solutions to protect the public interests.
82 "A Declaration of the Independence of Cyberspace"by John Perry Barlow // www.eff.org/cyberspaceindependence
54
2.7 CYBERSECURITY џ
Problem statement
In Ukraine, cybersecurity did not become a subject of consensus between the state and the experts. The measures and legislative initiatives often offered by the public authorities in this area raise experts’ doubts in their effectiveness. On the other hand, experts often propose solutions that are unacceptable (or unrealistic) to the state. џ
General context
Cybersecurity is a process inevitably accompanying the information society development. The emergence of new information technologies (or greater adoption of the existing ones) raises questions about human and state security in the process. Each state tries to respond to these challenges, either alone or in coordination with other countries. In-between discussions resulted in the adoption of the Council of Europe created Convention on Cybercrime and the development in almost all developed countries of the strategic documents on cybersecurity (in some countries they got 2-3 modifications). Besides the general strategies, they increasingly frequently adopt special laws standardizing new, emerged from informatization, relations in society. In 2019, the European Parliament and the Council of the European Union also adopted a relevant law for the EU (The EU Cybersecurity Act), modeling the new EU cybersecurity architecture. Ukraine has a similar document valid since 2018.
55
At the same time, in Ukraine, the situation is in some part complicated with highly heterogeneous process of cybersecurity legislation development - a range of regulatory documents de facto belonging to this sphere (including the Laws of Ukraine "On Information Protection in Information and Telecommunication Systems", "On Telecommunications", "On State Secret" and others), as well as by-laws on requirements to information protection, were formed in the early 90's, and their functioning logic was based on the dominant idea of the state as the only real cyberspace entity that performs effective self-regulation, defines, and establishes rules. However, with the further ICT and market-oriented economy development, the situation changed radically - more and more non-state actors are applying for stakeholder positions: private organizations, specialized associations, individual IT experts, and volunteer activists. At the same time, cyberspace becomes more and more private - both in terms of IT infrastructure control and considering who are the main objects for protection - although state secrets or public information resources are still subjects of increased authorities’ attention, increasing attention is paid to purely private objects’ protection: banking, transport, energy, aviation, and other critical infrastructure elements. However, the state slowly responds to this change, almost with no change in cybersecurity approaches or transformation in the legal relations nature, and poorly adapting international practices to the present-day needs. The expert community and business representatives insist on a larger and faster transformation of approaches, accusing government agencies of slowness and unwillingness to change. Admittedly, this is largely due to the fact that cybersecurity actors and nongovernmental stakeholders stick to quite different imperatives and goals. For the former, the key is in comprehensive security of the resources they are directly responsible for, in addition, in forms and methods that they can control and confirm. For others, the key issues are in measures’ effectiveness, reduction of state interference in the private companies’ affairs, minimization of regulatory influence and objects of protection involvement in the safe approaches development. џ
Governmental and Non-Governmental Representatives’ Opinions
Despite unlike approaches, both the governmental and non-governmental sectors are mostly concerned with the same problems. Meanwhile, their approaches to finding solutions are either partially or completely different. One of the examples is the imperfection of cybercrime legislation, in particular, regarding subscriber connection data retention by the providers (as required by the Convention on Cybercrime). "There are no requirements in the law requiring these data to be stored. Also, we have not implemented the Convention on Cybercrime in full, just in terms of urgent data retention," the authorities’ representatives said, although, according to them, "The Law 'On Telecommunications' obliges the operator to keep information about the subscriber connection for a period of limitation.
56
But it is so poor exposed that operators save some payments, though there must be data on time on the network entry/exit." On the other hand, the private sector focuses on the lack of implementation of the Convention on Cybercrime, in particular, by pointing to a strategic problem - inaccurate Convention translation, largely distorting its content and purpose. Therefore, translation clarification and the documents further full implementation should be a basis for legal framework streamlining. The governmental entities, as well as the private ones, are concerned with providing secure access to the Internet to all clients (including state bodies) in Ukraine. "Ukraine ranks 4th in terms of the cheap Internet. On the other hand, we have the least number of secure Internet services. Secure services mean no spam pornography and negative content filtering. Just try to find if it is written somewhere ‘we provide non ad or virus Petya related services’. There are no such services - or just a few," the state officials say. But the solution they propose - maximum use of CSIS in all spheres - is unacceptable to the private sector, reasonably presuming that CSIS does not provide effective protection for systems. Instead, independent experts suggest focusing on generally recognized international standards (ISO 27001, NIST, and others). In the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine", the state mentioned a possibility of such standards applying, but the practical steps are extremely small. Not solving this problem also creates difficulties for the state itself when customers require operators to have reliable and secure access to meet their needs. The non-governmental sector representatives draw attention to the problems of the law enforcement officers’ and judges’ training quality, because often they are unable to understand the cybercrime nature, and therefore prove ineffective when citizens facing these types of crimes need real assistance. An investigator does not understand what to ask from an operator, what is an electronic proof, how to add it to a criminal case etc. Without training the prosecutor's office, the prosecutor will not understand how one can "steal through the Internet". Often we cannot prove a crime to the Cyberpolice. Prosecutors and courts do not understand cybercrime. At least one or two court staff have to undergo retraining," the non-governmental representatives say. The security sector representatives agree on the problem and believe that it should be solved not only by the state but also by attracting the scientific expert potential of the non-governmental sector. Further European integration will also lead to a problem of the Ukrainian legislation harmonization with European law. Already at this stage, it is important to raise a question of Ukraine's (legislative) ability to carry out approaches set out in the EU Cybersecurity Act. It can be expected that some approaches, outlined in this document, will spark a heated debate over attempts to implement them, as it currently happening in the EU countries. In particular, it is a rule about the gradual transition to certified IT products, which raises further questions on such certification nature and the certification centers’ ability to make their work qualitatively. It should be recognized that in Ukraine, where the level of trust in state structures remains consistently low, these issues will also be a subject of intense debate.
57
Most of the problems arising in this area can and should be solved within the framework of an effective public-private partnership. Also, such mechanisms implementation is a requirement of both the Cyber Security Strategy of Ukraine (adopted in 2016) and the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine" (2017). At the same time, the current Law of Ukraine "On Public-Private Partnership" is completely unsuitable for this task, and the mutual distrust of governmental structures and the non-state sector only complicates the situation. Therefore, there is a need for confidence-building measures and clear and comprehensible tools for public-private partnerships in the cybersecurity area. The social sector also raises questions about the institutional capacity of the current cybersecurity model in Ukraine, considering it largely redundant and inefficient (by powers and number of structures involved, by their largely restrictive approaches). The governmental structures assess the current model as generally positive, pointing out that state structure powers, in general, are clearly divided and legally defined, and capacity problems exist mainly due to financial or personnel difficulties. џ
Trends
A key solution to the most problematic issues is to build a sustainable and effective public-private partnership system to address not only separate challenges but also the whole complex of problems inherent to the cybersecurity sector. Therefore, the basic directions for further regulatory development should include: џ
џ
џ
џ
Build-up of the appropriate regulatory and legal support for public-private partnerships in cybersecurity area. The Law of Ukraine "On Public-Private Partnership" requires clarification, and the provisions on forms and instruments of public-private partnership in the Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity of Ukraine" should be specified more precisely too. Public-private partnerships should become an integral part of the Ukraine's overall cybersecurity policy process. The task is to provide all necessary conditions for such a partnership, allowing participants to choose the speed of its establishment. Clarification of the Convention on Cybercrime translation, and taking actions for its full implementation into national law. The clarification process should be a part of a dialogue process between the governmental and non-governmental structures and can take place through the parliamentary structures intermediary. Drafting requirements to law enforcement officers, prosecutors' offices, and judges for their digital competences within their powers’ limits and necessary for the effective citizens' rights protection in the digital world. Clarification of the legal requirements for the protection of information on the international standards basis, gradually becoming the main criterion for the protection of the governmental and private telecommunications systems and a condition for providing services to the governmental agencies.
58
џ
џ
џ
Start of the activities on early and gradual harmonization of the Ukrainian legislation on cybersecurity with relevant European regulatory acts and directives. Gradual approximation of the Ukrainian regulatory documents with the provisions of the European documents requires an intensive dialogue at the level of the parliamentary structures, which can not only serve as discussion mediators but also add drafted decisions into legislation. Critical infrastructure's protection against cyber attacks remains one of the key vectors for the state cybersecurity policy. At the same time, the state should not stick to purely voluntary regulation methods but instead actively follow consultation and co-regulation principles, relying on international approaches and practices. Building trust in cyberspace requires not only informal activities but also the introduction of some well-defined venues permanently responsible for this task. Western countries’ experience demonstrates feasibility of even confidencebuilding instruments defining in the legislature. An important element of such activities is the implementation of some joint projects by the governmental and non-governmental structures, exchange of information on cyber incidents, and measures to improve digital education for the general audience. Therefore, draft regulatory activities should be aimed at simplifying such projects’ implementation, in particular, budget legislation improving (simplifying projects’ co-financing), introducing digital skills (and not only them) into the educational process, and creating legislative prerequisites for the Cyber Incident Information Centers. At the same time, these measures should only simplify such activities without forcing governmental or non-governmental structures into them.
59
CONCLUSION Subjects of Legal Relations and Digital Rights Rapid technological development, the need to protect human rights in the digital age, as well as the challenges to the democratic countries in the 21st century, and the security situation require Ukraine to search for the solutions in the online legal relations sphere. џ
These solutions are available through the active stakeholders' involvement in the search for a balance between freedom of expression and the need for protection. In this regard, it is important to change the stakeholders' mutual distrust (state vs civil society and business) to their interaction
џ
The legal relations subjects’ rights and responsibilities on the Internet require a dialogue based on the multiculturalism approach and making appropriate proposals on every group functions.
џ
Online human rights, or digital rights, became an indispensable part of the general catalog of human rights in the 21st century. Digital rights regulatory support has two key points: 1) everything related to human rights, first of all, must be reflected in the Constitution of Ukraine; 2) the details of the regulation must comply with the requirements of the Council of Europe, in particular, the Recommendation of the Committee of Ministers of the Council of Europe to member states on a Guide to human rights for Internet users.
џ
The mechanisms of interaction between the state and the technological giants (Google, Facebook, and others) need to be institutionalized, as well as the legal support behind such interaction.
Internet governance џ
Absent precise concepts and definitions related to "Internet Governance", in particular, in the Ukrainian legislation, remain a significant obstacle to the adoption of its effective model in Ukraine. This situation is directly linked with uncertainty in other important concepts, including the term "Internet". Most of these problems can be solved through the approximation of the Ukrainian legislation to European law;
џ
Given the ongoing discussions about the governance model, most subjects of legal relations agree on multistateholderism to be the basis for consensusbuilding. At the same time, it is only now that the state is approaching to assigning of a government institution responsible for "Internet Governance", and the broader government involvement in IGF-UA should become a priority;
60
џ
Public-private partnership is a key element in the development not only of a proper Internet Governance model but also of generally adequate legislation, as well as in preventing the imperfect laws enactment and defining debating points (e. g. Internet anonymity).
Personal data џ
Security of the users' personal data is one of the key challenges of the 21st century worldwide, but in Ukraine this issue remains mainly on the margins of the governmental management discourse;
џ
GDPR and the prospect of its implementation in Ukraine remain one of the important issues in the discussions between the governmental and nongovernmental sectors. The key problems are the lack of the institutional capacity (in particular, the absence of a supervisory body) that will emerge in case of GDPR implementation, as well as a lack of communication between the Ukrainian government and online platforms;
џ
Safety and security of the citizens' personal data (including processing and disposal of personal data) remain a key challenge for the state in this area; however, the state institutions’ attention (especially against the background of the announced plans for large-scale digitization) is insufficient.
Cybersecurity џ
Despite the Ukrainian cybersecurity legislation renewal, when it comes to requirements for cyber defense standardization the state still uses outdated approaches.
џ
Cyber defense approaches renewal (including the expansion of the international standards ISO 27001 and NIST usage) should become a dominant factor in public policymaking in this area, and the process of such requirements updating should be a subject of the broad public-private dialogue;
џ
The speed of the Council of Europe Convention on Cybercrime implementation is also unsatisfactory, and this process is fraught with many debating issues (between government and business), in particular on the subscribers’ connection data storage by providers. This issue is fused with another broader problem - the inaccuracy in the Convention translation itself in no small part distorts its content and purpose;
џ
The "technical" competence level of cybersecurity judges and law enforcement officials dealing with cybersecurity and online legal relations remains unsatisfactory, and this leads to a low level of crime investigations in this area. Large-scale educational initiatives for judges and law enforcement agencies are one of the solutions for improving their understanding in this area;
61
џ
Ukraine's European integration aspirations any time soon will spotlight an issue of the state's ability to align the Ukrainian legislation with the best European legislative practices. This reconciliation process should start now.
Internet Content Regulation The legal norms making in the field of state Internet content regulation is tangled with the need to have often contradictory stakeholders positions on fundamental issues agreed, including the subject of protection; the limits of state intervention in the information sphere in general and in the Internet in particular; the state intervention in the information sphere during a hybrid interstate conflict; the distrust to the state and, thus, a reluctance in allowing the law enforcement agencies to use the means of restricting freedom of expression on the Internet. Without the stakeholders’ rapprochement and the confidence-building measures between them, the efforts to regulate the legal relations in this area will remain ineffective and will also result in a confrontation between the civil society, the technical community and the state. To bring together the stakeholders, the civil society, and the public authorities, we propose the following activities: џ
Discussions and proposals generation on legislative changes to finally determine the fundamental state approach to protecting the citizens from the illegal and destructive content delivery, and other methods of influence on civic consciousness and choices;
џ
For various stakeholders groups representatives - a joint study of the theoretical and practical principles of the Internet legal relations regulation in the democratic countries, as well as joint expert seminars on this topic;
џ
Sharing knowledge about the international human rights law provisions, the latest threats in the information field, available technical tools, benefits and risks of their usage for restricting the freedom of speech on the Internet;
џ
Discussions on possible measures to control the state restraints on the Internet;
џ
Educational activities and discussions for raising public awareness for a wider audience.
We propose to involve the state and non-governmental analytical institutions representatives, media organizations, MPs and their assistants, representatives of the content producers’ organizations in such events.
62
List of authors Anastasia Barovska (section 2, subsections 2.1, 2.3, 2.5); Dmitry Dubov (section 2, subsections 2.2, 2.4, 2.7); Vitaliy Moroz (section 1); Julia Kazdobina (section 2, subsection 2.6).
The photos are licensed for non-commercial use. Sources and Copyrights: Depositphotos.com: AllaSerebrina (обкладинка), EdZbarzhyvetsky (обкладинка). Pixabay.com: Gerd Altmann (1), (2), MabelAmber (4), (5). Flickr.com: EU Civil Protection and Humanitarian Aid (3), Ministry of Defense of Ukraine (6), HCC Public Information Office (7). Unsplash.com: Jez Timms (8).