Can a ban on the use of hyperlinks, leading to libelous content, violate freedom of expression?

By Lefteris Chelioudakis

On 4 November 2018, the European Court of Human Rights (ECHR) adjudged unanimously in its decision in the case Magyar Jeti Zrt v. Hungary that the prohibition to use hyperlinks leading to libelous content may violate the right of freedom of expression.

According to the facts of the case the applicant company (444.hu), which maintains a news website has been found guilty of disposal of libelous material by the national courts of Hungary. The main cause was that they had published an article that was hosting a hyperlink to an interview on Youtube, which was later found to contain libelous content.

Specifically, the bus that was transferring a group of hooligans, on its way to attend a football match, had parked in front of a school. The school had mostly Roma students, and the hooligans started shouting racist chants against them, throwing beer bottles, while one of the hooligans peed in front of the school. The children’s teacher called the police and the hooligans left only when the police arrived in point.

On the same day, the Head of the local Roma community gave an interview for the incident stating that the hooligans were members of the extremely right-wing Hungarian political party “Jobbik”.

The said interview has been made accessible on YouTube. The day after, 444.hu published an article on its website on the incident, attaching a hyperlink to the relevant interview.

In its decision, the ECHR underlined the importance of hyperlinks for the proper functioning of the Internet and made a distinction of hyperlinks from traditional publications, as the ones guide the users to available material and the others provide material.

The Court also found that the Hungarian law on strict liability for libelous material dissemination had excluded the possibility of any substantial assessment of the applicant company’s right on freedom of expression. Therefore, national courts should have examined the case more closely, as the relevant provisions could undermine the flow of information on the internet, preventing the use of hyperlinks by creators and issuers.

Moreover, the ECHR recalled that, for journalists, the protection of the right on freedom of expression of article 10 depends on the principle of good faith and the accuracy of factual elements, so that “reliable and precise” information are provided, according to journalistic ethics. Consequently, the protection provided from the specified right does not cover the possibility of spreading false news.

Lastly, the ECHR stressed that when third-party rights are at stake, it is necessary to achieve a fair balance between freedom of expression, as protected by Article 10 and the right to privacy as protected under Article 8 of the European Convention of Human Rights.

More information on the case can be found on the website The IPKat.


Protection of Personal Data and Sexual Exploitation

By Anastasia Karagianni

The murder of the 21-year old Eleni at Rhodes urged the Greek society to finally face the real “scale” that rape can reach. Rape is not only the sexual contact without the consent of the other person. It is the force to sexual intercourse, the physical violence or a serious and imminent threat, that are undertaken to commit this inadvertent sexual intercourse. Rape can result in death, as we have seen.

Nevertheless, sexual harassment exists also in the digital world. How? In recent times it takes place due to personal data breach. Specifically, studies show that 4% of the adolescents aged 12-17 admit that they have sent sexual messages, which depicted them naked or half-naked, to other users, and 15% of the adolescents confess that they have received such material. This is called “sexting”, namely, the exchange of photographs and messages with mainly sexual content using applications installed in smartphones or other electronic devices. However, sometimes the exchange of these messages is carried out without the consent of the depicted person. In this case, the right to privacy of the person depicted is violated.

What are these personal data? Personal data are information related to a person. They might contain “sensitive” or “non-sensitive” information. This information is becoming personal when connected, directly or indirectly, with the specific person. It therefore concerns different information, which, if gathered together, can lead to identification of an individual. This information, therefore, characterize the biological, physical and mental existence of the person as well as its social, political, financial and cultural existence. In this connection, because of the sexual content of the message, the naked/half-naked picture of the person is considered personal data, as it concerns the user’s sex life.

But how can the infringement of personal data lead to sexual exploitation? Since a picture appears in the internet, it is difficult to control its circulation. In most cases, these photographs are sent within the framework of a confidential relation between the sender and the recipient. So far, this does not create any problem. Problems arise when this relationship is harmed or based on false information. The circulation of this material in a secondary level without the consent of the person depicted, and several times without him/her knowing, to other users, constitutes an infringement of his/her priveacy and violation of his/her sexual integrity, when it takes place in view of leacher acts, and the trafficking of pornographic material.

About two years ago, Lina, 22-years old, committed suicide, falling from the ninth floor of her Student Residence in Thessaloniki. A prosecutor’s investigation has been ordered in order to make an online investigation for traces of possible criminal behaviour for observation, retention and processing of personal data, threats via the Internet for action or tolerance and committing felony association, as it seems that the girl regularly received threats that her personal pictures would be published on the Internet.

The New Regulation for the Protection of Personal Data of the European Union safeguards the right to be forgotten , the right to information and access to data, the right to correction and to objection against their processing.

The Greek legislation and the case-law provides a high level of protection. It only remains to be understood from us.

*If you face problems on the Internet and you are under 18 years old, call 2106007686. Trust the helpline of the National Centre for Safe Internet.


Actions in national and european level regarding e-evidence

Today, Wednesday 5 December 2018, in view of the upcoming meeting of the Council of Justice and Home Affairs of the European Council (6-7 December), 18 organizations sent a letter to all the EU Member States, putting forward their vivid concerns regarding the approach suggested by the Austrian Presidency in the draft Regulation on European production and preservation orders for electronic evidence in criminal matters (“e-evidence”).

Among these organizations are EDRi, Electronic Frontier Foundation, the Council of Bars and Law Societies of Europe – CCBE, Access Now, Privacy International and many national digital rights organizations, including Homo Digitalis.

We believe that the solution proposed by the Austrian Presidency do not manage to adequately address important issues, which arise from the legislation in question. For example, the text:

– greatly reduces the possibility for enforcing authorities to refuse recognition and enforcement of an order on the basis of a violation of the Charter of Fundamental Rights;

– wrongly assumes non-content data is less sensitive than content data, contrary to case law of the Court of Justice of the European Union (CJEU) and the European Court of Human Rights (ECtHR) – notably the CJEU Tele 2 judgment (cf. para.99) and the ECtHR’s case Big Brother Watch and others v. UK (cf. para.355-356);

– contemplates the possibility to issue orders without court validation, disregarding what the CJEU has consistently ruled, including in its Tele 2 judgment (para. 120).

– does not provide legal certainty; and

– undermines the role of executing states, thereby undermining judicial cooperation.

Similar views have been expressed by the European Data Protection Board (EDPB), judges such as German Association of Judges, companies like Internet Service Providers, academia, Bar Associations, the Meijers Committee, among many others.

In the national level, Homo Digitalis submitted today its letter to the Greek Ministry of Justice (Protocol no. 4568/5.12.2018), expressing its concerns for these provisions.

You can find a copy of our letter in Greek here.

You can learn more on the action in the European level here.


8 digital rights organizations ask for transparency regarding the new Data Protection Commissioner of Serbia

Today, 4 December, EDRi, Access Now, APTI, EFN, Epicenter.works, Open Rights Group, Privacy International and Homo Digitalis sent a joint letter to the National Assembly of the Republic of Serbia, requesting a transparent procedure regarding the appointment of the new Data Protection Commissioner of the country.

This is the second action in the Balkans in which Homo Digitalis takes part in, aiming at the provision of adequate safeguards for human rights in the contemporary digital age.

The letter is available here.


The Norwegian Consumer Council files a complaint against Google

On November 27, 2018 the Norwegian Consumer Council filed a complaint against Google. Based on a new study, Google is accused of using deceptive design and misleading information to manipulate its users.

More particularly, Google is accused of tracking users through “Location History” and “Web & App Activity”, which are settings integrated into all Google accounts.

For the users with Android software, such as Samsung and Huawei smartphones users, it is extremely difficult to avoid this tracking.

According to the complaint, some of the techniques used by Google to push the users to share their location are:

Deceptive click-flow: The click-flow when setting up an Android device pushes users into enabling “Location History” without being aware of it. This contradicts legal obligations to ask for informed and freely given consent.

Hidden default settings: When setting up a Google account, the Web & App activity settings are hidden behind extra clicks and enabled by default..

Repeated nudging: Users are repeatedly asked to turn on “Location History” when using different Google services even if they decided against this feature when setting up their phone.

Google’s intention is to elicit users’ consent, so that users agree on being constantly tracked, thus revealing very important aspects of their personalities! Which are these aspects?

What does Google know exactly? Does Google know, for example, if you are in your living room, your bedroom or even your toilet? How many times per minute does it track you? When you take a cigarette break at work is Google there with you? Does Google know when you are on a date? Does it know your religious beliefs? Your health history? Learn more about all these in the official video by the Norwegian Consumer Council. More information can be found here.


Homo Digitalis sends a letter to the Greek Parliament regarding the draft law on PNR data

On November 15, 2018, the draft law on “Responsibilities of airline companies regarding PNR data – adaptation of the legislation with Directive (EU) 2016/681” was submitted to the Greek Parliament.

Homo Digitalis submitted an open letter on November 27, addressed to all the Members of the Greek Parliament; this letter was meant to call their attention to this draft law, which does not provide for adequate protection, according to the requirements set by the Court of Justice of the European Union (CJEU) with its Opinion 1/15, dated 26 July 2017, on the EU-Canada agreement regarding PNR data.

It must be noted that this data may reveal the movement pattern of a person, such as travel time, departure location and destination, his/her email address and postal address, as well as the persons travelling with him/her, but also other relevant data, such as hotel reservations; all these reveal information for work or personal transportation, but also the social interactions of a person, including friends or partners.

Homo Digitalis underlined that:

    1. The national “PNR data Unit” must be an authority responsible for the prevention and prosecution of terrorist and serious crimes or part of such an authority.
    2. There is no provision for a system, which will record access to the PNR data
    3. There is no provision for judicial control prior to the grant of access to investigation and other authorities
    4. The time for which PNR data is maintained exceeds the absolutely necessary timeframe
    5. The PNR data of underage persons, which are transmitted, must be described in a clear and precise manner
    6. The PNR data transmitted must not reveal religious beliefs or health information of the passenger

You can read the whole letter in Greek here.


What are cookies?

By Ιason Chontzopoulos* and Konstantinos Kakavoulis

When we visit a website for the first time, the following message appears “this website uses cookies to ensure you get the best experience”.

But what are these famous cookies? Do they really improve our experience on the internet? And if so, do they do so with no cost?

What are cookies?

They are small files with information, created by websites while we visit them. They are equivalent to short text files, in which the information is usually codified, or has an ids form, so it does not appear to be coherent, when a human reads them. These files and the information they contain, are created by the computer, in which the server operates. Each website uses only the cookies that it has created itself.

How are cookies used?

They serve to add functionality to the websites we visit. For example, they are used for a website to recognise us. Since they are created by the website, they do not include personal information.

They usually recognise the browser we have used during our previous entry. The principle on which the websites are based is that each of our clicks is independent from the previous one. Cookies were created to denote the continuous relation between the two clicks (on the same site).

Are there different types of cookies?

Yes! We can distinguish cookies according to their functionality, in simple cookies, session cookies and tracking cookies.

1) Simple cookies serve as information storage. Online retailers use such cookies just to remember the products that we have already chosen to buy. Other information could be the technical characteristics, statistics related to how many times we have visited the website, which language we choose, which page layout we prefer etc.

2) Session Cookies: the most common are the authentication cookies, that help to identify our profile, as we previously mentioned. According to their application, they can have a limited duration (temporary cookies). Usually we can find temporary cookies in the website of banks, which expire for safety reasons after a fixed period and we have to re-insert our particulars.

In other cases, the option “Remember Me” or “Keep me Logged in”, sets them active until we explicitly choose to disconnect (permanent cookies).

It is noteworthy that authentication cookies constitute an essential privacy element on the internet and they are always dispatched codified. There are also technologies that can increase the certification’s safety and reliability and operate at the same time with cookies.

3) Lastly, there are tracking cookies. The third-party tracking cookies constitute the most frequently disputed tracking cookies category, as they focus on the service’s improvement apart from those, which are offered from the website. Advertising is included in these services. Cooperating websites obtain the right to use cookies, so as to collect information related to our Internet surfing behaviour. The fact that third services, besides the website itself, can install cookies extend their use beyond the prime reason for which cookies have been created; this is obviously the improvement of the services of the initial website and is served by the simple cookies and the authentication cookies.

There are tools that help us check the information flow we share through cookies. We can see below one of these tools, where the shared information is recorded in cooperating undertakings.

Does this seem complicated? You should try this tool to find out live with whom you share each click at any time!

So, do cookies target me?

As we mentioned above, usually cookies aim at recognising the browser we use and our IP address. Cookies rarely contain personalised characteristics, which indicate the user’s identity. The combination of these specific elements with other sources may be used for the identification of natural persons; for this reason the functioning of cookies is regulated by legislation.

What does the legislation provide for cookies?

The EU General Data Protection Regulation (GDPR) includes a provision concerning cookies.

Specifically, Recital 30 of the Regulation, provides:

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In simple terms, if cookies can identify a natural person, they are subject to GDPR. Of course not all cookies can identify a person, but most of them -if combined with third sources- can.

For websites to be compatible with the GDPR and not be at risk of being fined under its provisions, they must either stop collecting cookies, which can identify a natural person, or establish an adequate and lawful reason for the collection and the processing of such information.

Significant changes that the GDPR brought in cookies use

1) Tacit consent in cookies use is no longer sufficient. The website user must explicitly provide his/her consent to cookies installation from the website. This is the reason why the messages we mentioned at the beginning of the article, are displayed each time we visit a new website. These messages may seem merely embarrassing, at first sight, but having read this article, you should have a second thought before you click “I accept” next time.

2) The message “By using this website, you agree in the use of cookies” is not sufficient. User’s granted consent must be genuine and consistent with his free will; the user should really have the choice not to accept the cookies installation.

3) The user must have the possibility to withdraw his/her consent as easily as he/she provided it. Therefore, websites must give users the possibility to change their mind and change their original choice at any time, by offering them easy and rapid access in the relevant menu – equally easy and rapid with the one they had when they first visited the website.

What can I do if a website does not comply with the above obligations relating to cookies?

Take a look at the guide that Homo Digitalis has prepared on what you can do and to whom you can address if you face problems with the processing of your personal data. You have to follow the same steps in case a website infringes the legislation on cookies.

Can a website function without cookies?

Cookies obviously multiplied the possibilities of websites and in many cases increased their safety.

Their use is clearly a design choice for each website, but the use of certain cookies has purely technical nature. An example is the online shops we previously mentioned.

Cookies with technical nature are necessary. Websites are accessible through various devices and browsers. The various devices and browsers require particular treatment for technical reasons; therefore, the use of simple cookies with technical data is considered necessary. In this way, the website’s layout changes so as to fit in requisite needs, as for example the adaptation of the website to mobile phones and small screens.

This does not apply to tracking cookies. The use of tracking cookies has attracted world-wide interest in recent years, in particular related to the purpose for which the collected data is exploited. For this reason, the legislation aims to help cookies’ use come into open, giving rights and an option for users to choose. At the same time, it requires transparency in the use of cookies by companies and provides for large fines, in order for companies to comply with their obligations.

Homo Digitalis, faithful to the values it represents, does not place cookies at its website visitors’ devices, in order to analyse the effectiveness of the design and the presentation of our website or identity its visitors (tracking cookies).

We don’t, therefore, make notes of your activity in our website. The only cookie that our website uses is called PHPHSESSID.

This specific cookie cannot identify any natural person and does not note user’s personal data. It is only of technical nature, serving the server’s function.

*Ιason Chontzopoulos is a data scientist based in Zurich. He is an electrical and computer engineer, having studied in National Polytechnic School of Athens and ETH Zurich.

*Source of the main photo: https://www.howtogeek.com/327268/why-do-some-websites-have-pop-up-warnings-about-cookies/


Letter to the European Data Protection Board for the ceasement of GDPR abuse

Today, Monday 21 November 2018, ApTI, Privacy International, EDRi and 15 more digital rights organizations, including Homo Digitalis, sent a letter to the European Data Protection Board, notifying also the Romanian Data Protection Authority and the European Commission.

The reason for this letter is the abuse of the data protection law provisions, in order to unveil the journalistic sources behind the RISE Project in Romania. This project aims at shedding light into corruption and money laundering cases. With this letter the organizations request that the abuse of the GDPR provisions comes to an end, since it puts into risk the freedom of the press in Romania.

Learn more here and read the letter here.


Letter to Mark Zuckerberg

“Dear Mark Zuckerberg:

What do the Philadelphia Museum of Art, a Danish member of parliament, and a news anchor from the Philippines have in common? They have all been subject to a misapplication of Facebook’s Community Standards. But unlike the average user, each of these individuals and entities received media attention, were able to reach Facebook staff and, in some cases, receive an apology and have their content restored. For most users, content that Facebook removes is rarely restored and some users may be banned from the platform even in the event of an error.”

This is how the open letter to Facebook’s CEO from the part of 80 organizations worldwide begins. Among them are the most prominent digital rights organizations. From the part of Greece, the letter was signed by Homo Digitalis.

With this letter, we asked Facebook:

– To create and implement a mechanism through which the users of the platform will be able to appeal against content moderation decisions,

– to re-review the content, which has been removed, by a human, rather than an algorithm, when an appeal is launched against such removal,

– to give clear, detailed and personalized justifications to each user regarding the reasons why his/her content was removed,

– to inform the user on his/her right to appeal such a decision, 

– to publish regularly transparency reports regarding the implementation of its Community Standards.

With more than 2 billion users, Facebook is the biggest communication platform worldwide. It is normal for some of the decisions regarding content moderation taken either by Artificial Intelligence systems or by the human personnel, to be wrong.

The users must be safeguarded from such potential faults and must have the right to request re-review when their content has been removed.

The full letter can be found here.