Prolegomena on the Right to the Internet
Daniel-Mihail Șandru, Prolegomene privind dreptul la internet / Preliminary Considerations on the Right to the Internet [integral versiunea în limba română]
Daniel-Mihail ȘANDRU
Abstract
The right to the Internet is analysed from the perspective of the fundamental rights of European citizens, as enshrined in treaties and the Charter of Fundamental Rights of the European Union. The Internet constitutes an integral part, even a condition, for access to institutions and rights. The perspective adopted is that of Europe’s digital transformation, driven by reforms initiated in recent years in several key areas: data protection, digital markets, electronic identification and trust services for electronic transactions, equitable access to data and its fair use (Data Act), digital security, access to documents, and the regulation of the single market for digital services. All these reforms prioritize the citizen, yet the relationship is mediated by a tool, a technology to which citizens must have non-discriminatory access: the Internet. Access to the Internet encompasses a complex set of rights, not limited to the use of the Internet or email as means of identification and correspondence, but extending to the protection and guarantee of citizens’ rights to information, expression, privacy, and data protection. This study examines the extent to which states might be obligated to ensure Internet access and how fundamental rights of citizens are guaranteed in this context.
The research methodology focuses on analysing European Union legislation centred on the Internet, platforms, and rights exercised by European citizens online, as well as pertinent national legislation. The jurisprudence of the Court of Justice of the European Union and the European Court of Human Rights, along with relevant national jurisprudence and administrative practices, are also explored to investigate the existence of a right to the Internet.
Keywords: Internet, fundamental rights, European Union, European citizenship.
- Context and Perspective. The Need for Research
The theme “The Influence of Fundamental Principles of European Law on Romanian Law”[1] provides an opportunity not only to describe classical principles but also to explore the emergence of new ones or question the consequences of technology on the daily lives of ordinary citizens. The right to the Internet is one such potential right. The term “right to the Internet” is used here, though it can be debated whether we are discussing merely a “right of access” to the Internet or the guarantee of a “clean” Internet, ensuring minimal conditions for non-intrusive use, specifically regarding websites or applications. Citizens and non-governmental organizations increasingly claim new rights, often brought to public attention through European strategies and policies. This study seeks to separate ideological and media consumption aspects from the legal side, focusing on the juridical consequences of recognizing a right to the Internet, its content, and its boundaries.
The perspective adopted is that of positive law applicable in Romania and Europe, particularly within the European Union. Examples and references to the legislation of other states, notably the United States, are included, but the core of the research remains grounded in European law as applied in Romania. A secondary perspective draws from international law, including soft law, declarations, and other documents promoted by non-governmental organizations addressing rights and principles for the digital society[2]. These developments are seen as driving changes in the constitutional ecosystem, which was designed for a traditional society. However, constitutional principles must also adapt to the digital environment. A third approach addresses the regulation of the Internet as a system, focusing on its administration, which involves not only legal rules but also models of opportunity in its organization and functioning[3]. A practical perspective, rooted in private international law, examines the Internet as a forum for disputes that require resolution through predictable procedures[4].
The relevance and necessity of research on the Internet arise from its increasing use, not just for recreation but also in interactions between citizens and administrations, for contract conclusion, and for utilizing banking products. Ignoring or underestimating the risks associated with Internet use, the legal consequences of online actions, and the limitations imposed by economic operators, platforms, or companies for business protection and consumer loyalty are practical issues public authorities and institutions must address to safeguard citizens. A concerted effort by states is needed, starting from European Union legislation and supplementing it to protect the rights of citizens and operators, particularly small operators, most of which qualify as small and medium-sized enterprises.
Regarding Internet use, most citizens are vulnerable. Merely using the Internet does not imply knowledge or understanding of its functioning or the consequences of default settings on websites, platforms, or social networks. Individual vulnerability is significant because many users are unaware of how their data is used, cybersecurity risks, hidden costs associated with “free” Internet products, or manipulation through advertising and website functionality. Protecting these citizens is challenging without awareness and measures, from using appropriate passwords to avoiding malicious links and reasonable use of social networks.
In recent years, academic papers on “Internet law” have addressed various legal relationships within the Internet but have not emphasized or questioned the possibility of access to the Internet as a right in itself. The consequences of such recognition are significant. This paper begins with an overview of regulations affecting the rights and obligations of users but then moves to a central question: Are these disparate regulations sufficient? Can these various rules, organized as in the disciplines of Internet law studies, lead to the conclusion that there is a right to the Internet? Would this not be an unjustified bureaucratic exercise to reorganize existing Internet regulations? Can the sum of certain rights configure a new right? While analogies might provide examples, they do not always work. Examining the application of fundamental rights, such as the right to dignity and non-discrimination, reveals that the Internet is a specific domain where regulations and fundamental rights intersect to protect citizens, users, and equally, website and platform operators. Even so, at the European level, there is no recognized right to the Internet or access to the Internet; hence, there is no support in positive law. Therefore, the third part of this study attempts to explore the possibility of establishing a right to the Internet. This involves analysing the consequences of applying regulations and fundamental rights in the online context, particularly the obligations of states derived largely from European Union regulations. States should protect the Internet and ensure it is “clean” for safe legal and economic use. The final part of this section considers the Internet as a service of general interest, then moves on to examine Internet regulations themselves. The concluding discussion addresses whether the Internet could be the subject of a fundamental right.
- Elements Regarding the Configuration of the Right to Internet Access
The right to internet access can be analysed from four perspectives that could shape the current state of law and reality[5]:
- Fundamental Rights: Non-discrimination, Good administration, Freedom of expression, Freedom of association, Cultural rights, Right to information, Electoral rights.
- Legislative Interferences: Data protection, Digital markets; Electronic identification and trust services for electronic transactions, Equitable access to and fair use of data (Data Act), Cybersecurity, Access to documents, Single market for digital services, Artificial intelligence.
- Regulations and Practices of Internet Operators: Digital markets, Social networks, Search engines, Generative AI (ChatGPT), Behavioural advertising, Abusive practices (consumer protection and competition law).
- European Policies: Digital strategy, Internet neutrality, Service of general interest, 5G technology, “Clean” internet, Competition policy.
- Fundamental Rights
The interpretation of fundamental rights, as currently recognized, is essential for protecting both individuals and legal entities on the internet. Some fundamental rights need to be examined to identify elements connected to the internet. A nuanced analysis of the development of the fundamental right to the internet from existing rights, or the emergence of a new right, must also be undertaken.
In this section of the outlined typology, dedicated to rights, we highlight the right to information. The internet currently plays an essential role in providing information, being, for many individuals, the sole source of information. Printed newspapers have nearly disappeared, and online newspapers and other sources of information generally do not allow users to escape the zone of surveillance and monitoring of online behaviour. Cookies are usually set to favour the newspapers, and few offer the option to choose between payment or cookie consent.
Information regarding political parties, their candidates, and related topics, particularly during election periods but not exclusively, is available on the internet. To safeguard both the right to vote and to be informed, users should not be tracked or profiled. Unlike commercial marketing, political advertising affects elections, democracy, and the rule of law (see, for instance, the Cambridge Analytica scandal).
Freedom of expression has certain limitations[6]. Censorship on the internet may arise from decisions made by authorities but can also stem from private entities, such as social networks, citing non-compliance with community standards. The introduction of artificial intelligence could exacerbate issues in moderating content on websites or social networks.
Questions arise as to whether it constitutes discrimination when certain citizens have internet access to online-only stores. However, it becomes clear that discrimination exists when public institutions or authorities publish essential information solely online. Similarly, there is discrimination when citizens are required to have an email address to open a bank account, mandatory for certain operations. Citizens may be indirectly compelled to use the internet, as in the situations mentioned above. In such cases, the state should ensure that internet usage does not harm its citizens. At present, full protection for individuals accessing the internet is lacking. This includes the right to privacy and the right to personal data protection. Although several institutions are linked to the internet (e.g., the Authority for the Digitalization of Romania, the National Supervisory Authority for Personal Data Processing, and, at the European level, the European Commission and the European Data Protection Board), they have not yet managed to ensure a “clean” internet for citizens. Access to the internet for exercising contractual rights is another concern. For example, when an individual refuses the recording of a phone conversation, the alternative communication methods – email or online forms – may disadvantage the individual or fail to represent genuine alternatives. In certain cases, internet access is a prerequisite for employment.
- Legislative Interferences
The first issue that arises is whether legislation with a specific regulatory purpose can be used to construct a fundamental right that does not exist in international conventions. From the outset, we state that the purpose of this paper is not to cut and paste to create an artificial construct. We are merely in the stage of noting the effects and impact of positive legislation on the internet and individuals’ rights in the online environment.
First, we highlight the role of personal data protection in safeguarding the individuals concerned, particularly minor users and other vulnerable persons. The operation of websites and platforms is favourable to businesses when a wide range of data is processed. On the other hand, profiling individuals can affect their decision-making capacity through manipulation. A true balance between the two competing interests is difficult to achieve, and there are still steps to be taken for the internet to become “clean”. The General Data Protection Regulation (GDPR)[7] contains direct references to the internet[8], but the essence of the legislation is that its application is particularly relevant in the online environment. This can be inferred from the application of GDPR principles, as most practical issues are related to websites, search engines, platforms, or social networks. Violations of the rights of data subjects on the internet are significantly more numerous, with cumulative risks stemming from processed data and where fines are the highest[9].
The regulation on digital markets[10] is recent and produces effects in relationships between large operators and SMEs, with a strong impact on citizens. It is an example of public regulation interference in this area. The regulation indirectly influences individuals’ rights on the internet, such as access to data, the right to deletion, or data portability[11]. Individuals’ rights acquire new dimensions due to processing by multiple operators and the interoperability of digital platforms with their commercial users. A Wired analysis shows that the regulation on digital markets will rewrite the way the internet is used; over time, applied analyses will be possible regarding the impact of this regulation on the internet[12].
Electronic identification is essential for the functioning of operators on the internet, for state administrations, and for trust among users[13]. As observed in a 2012 study, digital identity was introduced mainly in the state-citizen relationship, but it is increasingly required between individuals and/or legal entities[14]. However, numerous problems arise. The most important relate to data security, practices of social networks and platforms[15]. According to recital 12 of the Preamble to the Regulation, “one of the objectives (…) of the regulation is to remove existing barriers to the cross-border use of electronic identification means used in Member States for authentication, at least for public services”. The need for interconnected databases at the European Union level, for example in the issue of migration, is a relevant example[16]. Interconnection in the field of health is underway, driven by the recent medical crisis.
In 2023, the European Union regulated fair access to data and its proper use (Data Act)[17]. The regulation emphasizes the need to remove barriers to data sharing that hinder the optimal allocation of data for the benefit of society. Recital 2 of the Preamble lists the obstacles to data sharing: “Among these barriers are the fact that data holders are not incentivized to voluntarily enter into data-sharing agreements, uncertainties regarding data-related rights and obligations, the costs of contracting and implementing technical interfaces, the high level of information fragmentation in data silos, poor metadata management, the absence of semantic and technical interoperability standards, bottlenecks that impede access to data, the lack of common data-sharing practices, and the abusive use of contractual imbalances concerning data access and use”. This regulation is essential for development and innovation. However, practical problems related to data transfer and compliance with privacy and data protection rights are foreseeable.
Cybersecurity in the European Union and worldwide is a major concern. Economic activities, especially critical infrastructure such as transport or health, as well as people’s everyday activities, depend on digital technologies, particularly the internet. Cyberattacks and cybercrime affect individuals, corporations, states, and international organizations. The European Union has legislation[18] that is constantly improving, but the field itself is evolving due to technological developments. The cybersecurity regulation recognizes vulnerabilities for children, but the ways in which they access the internet remain under parental control, who are often outpaced by technology. Social networks have not implemented measures to protect children, and fines for violations of GDPR are sporadic and without systemic consequences[19]. Online stores store a wide range of data, exposing them to cyber risks. Authorities and public institutions have implemented weak technical and organizational measures, allowing attackers to penetrate and sell data. Cybersecurity is very costly for internet operators, but it is part of their economic activity and must be planned as such in their overall expenditure.
- Regulations and Practices of Internet Operators
Although this typology of regulations and practices of internet operators may partially overlap with the section on legislation, it must be noted that some practices of internet operators may escape the scope of regulation. Self-regulation and the establishment of proprietary standards by platforms or social networks are legally and ethically questionable. Behavioural advertising, which is the foundation of the operator-user relationship, involves practices such as cookies, tracking, monitoring, recording, etc.
- European Union Policies
The policies of the European Union address the internet both as a technology – through the regulation of internet neutrality and 5G technology – and as a functional framework, particularly for protecting citizens in various aspects (e.g., data protection, electronic payments, social networks, artificial intelligence) or even smaller operators (protected, for example, by the Digital Markets Regulation[20]). Shaping the digital future of Europe[21] is the focus of documents from the Commission and the Council since 2020, which outline the EU’s strategies in the digital field. Internet neutrality is a topic closely linked to privacy and data protection, as per Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. The European Data Protection Supervisor has issued an opinion on this matter[22].
Internet access must be understood in all its complexity[23]. In the UPC Telekabel Wien case, the Court held that it is consistent with EU law for a national court to impose an injunction on an internet access provider (IAP) requiring it to block its customers’ access to certain copyright-protected content hosted abroad. A remarkable element of this decision is that a court can issue an injunction specifying only the desired outcome for the IAP, such as effectively reducing access to copyright-protected content while respecting authorized access to other content. The choice of means is left to the IAP.
This decision has been criticized for allowing vague outcome-based specifications that rely on the assumption that there is an effective and acceptable measure to achieve the result, an assumption that is far from evident[24].
- Can We Discuss a Fundamental Right to the Internet?
In this third section, the question of whether a fundamental right to the internet exists remains open. Doctrine can develop arguments and justify the need for a constitutional-level guarantee or inclusion in European treaties on fundamental rights; however, its recognition must be established in positive law. Initially, we consider that the jurisprudence of European courts – the Court of Justice of the European Union and the European Court of Human Rights – may eventually recognize this as a distinct right.
Far from completing an extensive study on internet access, we have taken a first step in this research by developing a typology of sources that could lead us toward recognizing a right to the internet – a right to access the internet – not merely a right to the technology itself. We have not provided or focused on examples of countries with pioneering legislation on the fundamental right to the internet, as these are currently singular cases or stem from the concept of providing a service of general interest, which is not the same as a human right.
The internet is essential in citizens’ lives, particularly in their relationships with institutions and public authorities. The need to strengthen the interest in access to the internet – or at least to a “clean” internet – must be supported by states and, possibly, the European Union. The examples provided in this article indicate that the internet is not merely a means of leisure but is closely tied to citizens’ obligations in a democratic society.
Internet access must be equal and non-discriminatory, obligating states to assist vulnerable individuals and address current issues related to location tracking, voice monitoring, profiling, and the large-scale collection and sale of certain types of data.
Conclusions
The subject of the right to internet access is neither simple nor without vested interests from major internet operators or even states. A right to internet access implies expenses for effective citizen protection. The internet is evolving and may become more expensive and more restrictive in terms of access, particularly concerning user identification. Currently, both the dissimulation of identity by users/citizens and unfair practices by operators remain constant elements. Order in internet usage is necessary, ensuring the protection of both citizens and operators.
Vinton Cerf, often considered one of the founding fathers of the internet, published an article in 2012 in The New York Times titled “Internet Access is not a Human Right”, from which we quote a fragment: “Technology is an enabler of rights, not a right itself. There is a high bar for something to be considered a human right. In short, it must be among the things we need as humans to lead healthy, meaningful lives, such as freedom from torture or freedom of conscience. It is a mistake to place any particular technology in this exalted category because over time, we will come to value the wrong things. For example, at one time, if you didn’t have a horse, it was hard to earn a living. But the important right in that case was the right to earn a living, not the right to a horse. Today, if I were granted the right to have a horse, I’m not sure where I would put it.” Just over ten years have passed since this article was written. Has anything changed in the nature of the internet to elevate it to the category of fundamental rights?
[1] Daniel-Mihail ȘANDRU is a Senior Researcher (Grade I) and the Coordinator of the European Law Studies Center at the “Acad. Andrei Rădulescu” Institute of Legal Research of the Romanian Academy. He can be contacted at mihai.sandru@csde.ro. Website: www.mihaisandru.ro. This material was prepared for the annual scientific communications session, “Fundamental Constitutional Principles and Their Reflection in the Branches of the Legal System”, organized by the “Acad. Andrei Rădulescu” Legal Research Institute of the Romanian Academy. Internet links were last checked on April 1, 2024. Details: csde.ro. An improved version of the study was published in the volume of the mentioned conference. This article is the English version of the one published in the journal Studii și cercetări jurdice (Studies and Legal Research), No. 2/2024. Special thanks go to Mr. Marius Mitrea for translating the text.
[2] Edoardo Celeste, Digital Constitutionalism: The Role of Internet Bills of Rights, Routledge, 2022.
[3] Roxana Radu, Negotiating Internet Governance, Oxford University Press, 2019. At other times, internet law is viewed from a cultural perspective, focusing on legal culture: Kathy Bowrey, Law and Internet Cultures, Cambridge University Press, 2005.
[4] Pedro de Miguel Asensio, Conflict of Laws and the Internet, Edward Elgar, 2020.
[5] A fifth element is the case law of national and European courts. Jurisprudence is considered more a consequence of the current state of law and fact. However, the first recognition of the right to internet access could come from European jurisdictions.
[6] For the case law of the European Court of Human Rights: Access to the Internet and Freedom to Receive or Impart Information and Ideas, 2022, available at https://www.echr.coe.int/documents/d/echr/FS_Access_Internet_RON.
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [2016] OJ L119/1.
[8] Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) [2016] OJ L119/1, Recital 24 (regarding profiling): “To ascertain whether a processing activity can be considered as ‘monitoring the behaviour’ of data subjects, it should be determined whether individuals are tracked on the internet, including the potential subsequent use of personal data processing techniques that involve profiling a natural person, particularly for making decisions concerning them or analysing or predicting their personal preferences, behaviours, and attitudes”.
Recital 65 (regarding the right to rectification and the right to erasure): “This right is particularly relevant where the data subject gave their consent as a child without fully realizing the risks involved in the processing and later wishes to remove such personal data, especially from the internet”.
[9] Data Protection Commission, Conclusion of Inquiry into Meta Ireland (22 May 2023) https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland accessed 1 April 2024, regarding a €1.2 billion fine imposed on Meta (Facebook). Luxembourg National Commission for Data Protection (CNPD), Decision regarding Amazon Europe Core S.à r.l. (30 July 2021) https://cnpd.public.lu/en/actualites/international/2021/08/decision-amazon-2.html accessed 1 April 2024, concerning a €746 million fine imposed on Amazon. Data Protection Commission, Decision in Instagram Inquiry (5 September 2022) https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry accessed 1 April 2024, relating to a €405 million fine imposed on Meta (Instagram).
[10] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Regulation) [2022] OJ L265/1.
[11] Bárbara da Rosa Lazarotto, “The Right to Data Portability: A Holistic Analysis of GDPR, DMA and the Data Act” (2024) 15(1) European Journal of Law and Technology.
[12] Khari Johnson, ‘Europe Prepares to Rewrite the Rules of the Internet’ Wired (28 October 2022) https://www.wired.com/story/europe-dma-prepares-to-rewrite-the-rules-of-the-internet/ accessed 1 April 2024.
[13] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [2014] OJ L257/73.
[14] Clare Sullivan, “Digital Identity and Mistake” (2012) 20(3) International Journal of Law and Information Technology 223–224.
[15] Bridgette Wessels, ‘Identification and the Practices of Identity and Privacy in Everyday Digital Communication’ (2012) 14(8).
[16] Shirin Madon and Emrys Schoemaker, ‘Digital Identity as a Platform for Improving Refugee Management’ (2021) 31(6) Public Administration and Development 929–953.
[17] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules for fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) [2023] OJ L2854, 22.12.2023.
[18] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification for information and communications technology and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) [2019] OJ L151/15.
[19] European Data Protection Board, ‘Dutch DPA: TikTok Fined for Violating Children’s Privacy’ (22 July 2021) https://www.edpb.europa.eu/news/national-news/2021/dutch-dpa-tiktok-fined-violating-childrens-privacy_en accessed 1 April 2024.
[20] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) [2022] OJ L265/1.
[21] European Commission, Shaping Europe’s Digital Future (19 February 2020) https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/shaping-europes-digital-future_ro accessed 1 April 2024.
Council of the European Union, Shaping Europe’s Digital Future (9 June 2020) https://data.consilium.europa.eu/doc/document/ST-8711-2020-INIT/ro/pdf accessed 1 April 2024.
[22] European Commission, Communication to the European Parliament, the Council, the Economic and Social Committee, and the Committee of the Regions: The Open Internet and Net Neutrality in Europe (Brussels, 19 April 2011) COM (2011) 222 final.
European Data Protection Supervisor, Opinion on Net Neutrality, Traffic Management, and the Protection of Privacy and Personal Data (2012/C 34/01).
See para 4: “Net neutrality refers to an ongoing debate about whether internet service providers (ISPs) should be allowed to limit, filter, or block access to the internet or otherwise affect its performance. The concept of net neutrality is based on the impartial transmission of information over the internet, regardless of content, destination, or source, as well as the principle that users should be able to decide what applications, services, and hardware they want to use. This means that ISPs cannot, on their own initiative, prioritize or reduce access speeds for certain applications or services”.
[23] Case C-314/12 UPC Telekabel Wien [2014] ECLI:EU:C:2014:192, Judgment of 27 March 2014.
[24] Maurice Schellekens, “The Internet Access Provider: Unwilling or Unable?” (2015) 23(3) International Journal of Law and Information Technology 310–321.