Recommendation CM/Rec(2018)2 - Council of Europe

Recommendation of the Committee of Ministers to member States on the roles and responsibilities of internet intermediaries
Document type
Policy Document
Luiz Fernando
Marrey Moncau

The recommendation is divided in two items aimed at the protection and promotion of human rights and fundamental freedoms in the digital environment. While the first item deals with the "Obligations of States", the second item is focused on the "Responsibilities of Internet Intermediaries". 

1) Obligations of States

The Obligations of States chapter is focused on the aspects of legality, legal certainty and transparency, the establishment of adequate safeguards for freedom of expression and for privacy and data protection. Each of these points is summarized below.

Legality - any request or action should be prescribed by law, exercised within the limits conferred by law and constitute a necessary and proportionate measure in a democratic society. States should not exert any kind of pressure through non-legal means

Legal Certainty and transparency - "Any legislation applicable to internet intermediaries and to their relations with States and users should be accessible and foreseeable." Laws should be clear and sufficiently precise, and "legislation should clearly define the powers granted to public authorities as they relate to internet intermediaries." The recommendation also encourage states to be transparent about content takedowns and disclosures of personal data to authorities by making available comprehensive information on the requests addressed to intermediaries.

Safeguards for Freedom of Expression - The Recommendation reaffirms that any restriction of freedom of expression should respect the three-step test enshrined in international human rights documents (shall be prescribed by law, pursue a legitimate aim, and be necessary in a democratic society and be proportionate to the aim pursued). The document also states that: 

  • "State authorities should obtain an order by a judicial authority or other independent administrative authority, whose decisions are subject to judicial review"
  • "State authorities should ensure that effective redress mechanisms are made available and adhere to applicable procedural safeguards"
  • State authorities should not impose a general obligation to monitor content.
  • State authorities should not make intermediaries liable for "third-party content which they merely give access to or which they transmit or store". Intermediaries may be considered co-responsible "if they do not act expeditiously to restrict access to content or services as soon as they become aware of their illegal nature, including through notice-based procedures.""

The recommendation also states that State authorities should take into account that the use of automated means to identify illegal content have a limited ability to assess context, and therefore should not prevent "the legitimate use of identical or similar content in other contexts."

Safeguards for privacy and data protection - Following the same pattern, the Recommendation affirms that any restriction of privacy and data protection shall be prescribed by law, pursue a legitimate aim, and be used only when necessary and proportionate in a democratic society. The document also states that: 

  • legal frameworks and the ensuing policies and practices of intermediaries should "uphold the principles of data protection (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage time limitations and data security, including integrity and confidentiality)".
  • Surveillance measures undertaken by States "should be targeted, precisely defined, subject to effective external oversight".
  • "State authorities should ensure that appropriate complementary safeguards, such as explicit consent of the data subject, apply to the automatic processing of special categories of data".
  • States should ensure that intermediaries provide users with "prompt, transparent and effective reviews for their grievances and alleged terms of service violations, and provide for effective remedies, such as the restoration of content, apology, rectification or compensation for damages."

2) Responsibilities of internet intermediaries

This chapter of the document refers to the United Nations Guiding Principles on Business and Human Rights and states that intermediaries should respect human rights and freedoms "independently of the States’ ability or willingness to fulfill their own human rights obligations."

The chapter begins with statements indicating that any interference on the free flow of information and ideas should be based on clear and transparent policies. The Recommendation also notes that Internet intermediaries should carry regular due diligence assessments "of their compliance with the responsibility to respect human rights and fundamental freedoms and with their applicable duties", and should provide products and services without any discrimination.

The Responsibilities of internet intermediaries chapter is focused on the aspects of transparency and accountability, content moderation by intermediaries, use of personal data by intermediaries, and access to effective remedies by users. Each of these points is summarized below.

Transparency and accountability - Internet intermediaries should ensure that policies and guidelines specifying the rights of users are accessible and written in plain language. These documents and content moderation policies should be publicly available. The recommendation affirms that the process of drafting terms of service and policies should be inclusive, and encourages internet intermediaries to collaborate with human rights advocates, consumer organizations, and other groups representing users. Intermediaries are also encouraged to publish regular transparency reports.

Content moderation - Content moderation should be carried out using the "least restrictive technical means and should be limited in scope and duration to what is strictly necessary to avoid the collateral restriction or removal of legal content." Restrictions should be followed by information to the public explaining which content and restricted and on what legal basis. The recommendation affirms that staff members engaged in content moderation should receive a proper initial training, and restates that automated content moderation have limited ability to assess context, therefore requiring human review where appropriate and affirming that restrictions "should not prevent the legitimate use of such content in other contexts".

The Recommendation also affirms that if a content restriction based on intermediaries' policies is related to serious crimes, the "restriction should be accompanied by adequate measures to ensure that evidence is retained for effective criminal law investigations". Intermediaries that have specific knowledge of the restricted content "should report this to a law-enforcement authority without undue delay."

Use of personal data - The obligations to internet intermediaries related to the use of personal data include: not disclose personal data to third parties unless required by law or requested by a judicial authority or an administrative authority subject to judicial review; the processing of personal data should be limited to the necessary in relation to a specific purposes and should be subject to the "free, specific, informed and unambiguous consent of users"; "Users have the right to access their personal data and to obtain correction, deletion and blocking of it"; Tracking and profiling of users should be transparent and should not infringe the user's exercise of human rights.

Access to an effective remedy - "Internet intermediaries should make available – online and offline – effective remedies and dispute resolution systems that provide prompt and direct redress in cases of user, content provider and affected party grievances". The recommendation also affirms that intermediaries "should not include in their terms of service waivers of rights or hindrances to the effective access to remedies, such as mandatory jurisdiction outside of a user’s country of residence or nonderogable arbitration clauses."

Topic, claim, or defense
General or Non-Specified
Privacy or Data Protection
Freedom of Expression
Document type
Policy Document
Issuing entity
Transnational Organization (Includes Bilateral Agreement)
Type of service provider
General or Non-Specified
Issues addressed
Notice Formalities
Trigger for OSP obligations
Procedural Protections for Users and Publishers
Limitation on Scope of Compliance (Geographic, Temporal, etc.)
OSP obligation considered
Block or Remove
Monitor or Filter
Data Retention or Disclosure