The legislative initiative to amend certain regulations aimed at ensuring the security of information space (draft to the Parliament of Republic of Moldova 123/2022) raises numerous questions in terms of maintaining a balance between freedom and security issues, as well as the use of formulations that can be interpreted ambiguously, which carries the risk of abuse in the implementation of the law in practice. The draft provides the adjustment of the existing framework by amending a number of acts, including laws on the Security and Intelligence Service (SIS), on freedom of expression and on electronic communications.
In May 2022, the bill was split into two parts and public discussions on new powers to the SIS continue. The Association “Comunitatea Internet” has addressed a number of expert recommendations to legislators to improve the proposed framework for legal regulation of information space.
Among the regulations proposed by the draft, it is worth mentioning the completion of the law on SIS, by establishing a new task of developing and implementing a system of measures aimed at detecting, preventing and counteracting actions which, according to the Information Security Concept of the Republic of Moldova, represent threats to information security.
As a new element in the tasks of the Security and Intelligence Service, there are enforceable indications to remove the causes and conditions that contribute to threats to the national security system, including threats to information security. The draft does not provide any further details on the limits of these enforceable indications (whether technical, financial, human or physical). The procedure is less clear in cases where the application of the guidelines mentioned requires financial expenditure by natural persons and/or legal entities or could lead to damages as a result of failure to fulfil obligations towards beneficiaries.
An example may be the need to stop maintenance, reservation/restoration services, which are processed exactly when the indications are received. It is impossible to postpone or pause the services provided without affecting some processes of legal entities and/or natural persons. In the event of service interruption, users of the resource may not have access to post, modify or delete managed data in order to carry out the indications. In particular it is worth mentioning the provisions of the national law expressly states that “damages, including lost profit, incurred by the enterprise as a result of the fulfilment of indications given by the authorities … shall be compensated… “. The associated risks are usually part of the final price that the beneficiaries of the product or service will pay. In this context guaranteed access to information will cost society more, which may lead to unfavorable conditions for free expression through the virtual environment. In particular, it is worth mentioning the authors’ statement that the draft does not contain aspects aimed at regulating entrepreneurial activity, respectively, it is not necessary to prepare a Regulatory Impact Analysis (RIA). That is, the authors considered that by approving this initiative, electronic service providers will not have an impact on their activity.
Other new provisions require online content hosting service providers and online content providers on the territory of Moldova to immediately stop the transmission or storage of content promoting disinformation and false information affecting information security when instructed to do so by the SIS. In this case, the difference between the ICT infrastructure of an Internet operator and that of a media resource or web information system has not been taken into account. A perfect example is related to a blog platform or web information system. In the case of a post or repost the online content hosting service provider may come up with a response that the resource is only hosted by them and the technical team does not have access to the content. The resource being only directly assigned to a natural person or a legal entity. That person can still post the information by himself or rent the resource and posting operations are carried out by another legal entity or natural person or by online content provider.
Project does not include qualifications that have to be proceeding in that case. Will the online content hosting service provider have to block the resource together with all subsystems of other persons? At the moment some web information systems use elements that ensure automatic reposting (according to some algorithms), respectively the owner of the system does not have possibilities of manual content management. If so, will the online content hosting service providers and/or online content providers still be obliged to close this resource? But if we imagine that the resource is part of a state system critical to the population, is it still to be blocked immediately?
Another element, which has not been taken into account, is the need for a procedure for authorizing these blockades, established by law. Such as carried out on the basis of a reasoned order of the authorized body and only with the authorization of the investigating judge or prosecutor with subsequent information to the judge. As well as informing the authorizing body (as an element of control and system of checks and balances) as a result of interruptions carried out (for cases when blocking is considered urgently necessary to ensure immediate prevention of major threats). That is, it can be performed on the basis of the motivated ordinance of the prosecutor, without the authorization of the investigating judge, and will be presented to him immediately, but not later than 24 hours from the end of the interruption, indicating the reasons for its execution. The investigating judge shall verify the legality of this procedural step. It should be noted that the state had described the authorization procedures in the withdrawn projects “BIG Brother” (draft to the Parliament of Republic of Moldova No.161/2016) and “security mandate” (draft to the Parliament of Republic of Moldova No.281/2014), but they are not part of the respective initiative. Respectively we can note the absence of a very important element.
The draft provides the existence of a list of online content sources promoting disinformation/false information affecting information security with an indication of the reasons why the source has been included in that list. Based on the provisions of the law on freedom of expression, here it has been omitted how to proceed in case of single or multiple reposts (with indication of the original resource) that are made by individuals through blogs, social network pages or other personalized information posting resources (such as Telegram, TikTok, Facebook, Instagram, LinkedIn, Twitter). It should be noted that the media is protected in this context by article 28 of the law on freedom of expression, while individuals are deprived of this protection. Respective reposts (with indication to the original resource) of individuals may potentially be considered disinformation and will be a subject for blocking.
As regards the reasons why the online content source was included in the list and the false information affecting information security, it should be noted that this mandatory reason must be proven not only by electronic evidence proving the posting, but also by arguments of belonging to the information according to the exact criteria stipulated by the national framework. Otherwise, it will leave room for subjective or erroneous expressions. In the absence of clear regulations indicating the criteria and methodology for attributing information to disinformation and the resource to the resource promoting disinformation, the authors risk reaching the presumption of tacit guilt for the entire national virtual environment. This is contrary not only to national legislation, including some provisions of the law on freedom of expression, but also to international treaties on human rights and fundamental freedoms, to which the Republic of Moldova is a party.
It would be appropriate to discuss another obligation of the network and/or electronic communications service provider, which is incomplete or erroneous in the draft of the law – to immediately block the access of users in the Republic of Moldova to sources with illegal content. Nowadays, a slightly more advanced user can “raise the flag of another state”, using services such as virtual private network (VPN) or proxy server not only for the browser, but also for the whole range of applications on the smart phone, computer, IoT equipment. Respectively, technologically providers have no instruments to execute this indication without changes to the existing ICT infrastructure. Similarly, these changes are based on obligations to tacitly provide more details about the user (individual or equipment). This seems to be an abusive processing of personal data and is in contradiction with the provisions of the law on protection of personal data and the General Data Protection Regulation.
Adding an element to the law on freedom of expression, which provides the qualification of information as disinformation/information … by assessing it as a result of monitoring using appropriate methodologies, will still remain dubious in the absence of an exact stipulated procedure.
The adjustment of the law on electronic communications makes it compulsory to place contact information that would allow the identification of natural persons. In the absence of this information and the impossibility of identifying the owner of the website in order to contact him/her to remedy the deficiencies, access to resources should be blocked by Internet service providers until the violations and reasons for blocking decisions are remedied. The authors have mentioned the procedure providing for unblocking of the web page after placing the information as provided for in the draft of the law, as well as introducing an element of attempt to inform the owner before blocking. However, the provisions are incomplete and do not contain terms, obligations of state bodies and rights of civil society. For example, following examination of the draft remains unclear with some dubious moments, such as: Will it be considered the examination of the page to some contacts as a complete verification or will the officials try to find the person including by addressing the online content hosting service provider? What would be the procedure for trying to inform the owner of the website? If the phone number is called only once, will this be considered a sufficient attempt to inform?
In relation to the significant risks that the draft of the new law will bring, a number of recommendations have been addressed to legislators, including:
- Stipulation of a notion that exactly establishes “enforceable indications on the removal of causes and conditions”, elaboration of the procedure for filing enforceable indications with exact determination of these, as well as the limits (being technical, financial, human or physical) for enforceable indications;
- Clarification of the moments when the fulfillment of the respective indications will be able or will lead (directly or indirectly) to affect/stop the activity of the electronic service providers and other entities;
- Consultation with technical experts, online content hosting service providers, online content providers and web developers on technical situations that might affect the momentary execution of the enforcement indications;
- Introduction in the law of the procedure for authorizing the blocking of resources;
- Introducing a notion of “promoting disinformation”;
- Introduction of an obligation for the state to draw up technical norms and a procedure for examining and attributing publications to disinformation and false information;
- To enforce article 26 of the law on freedom of expression for individuals who are not journalists, but are bloggers or digital influencers;
- To clarify the timing of the need to accurately identify users using VPNs or proxies, in the context of the obligation of network and/or electronic communications service provider to immediately block access of users from the Republic of Moldova to certain sources. That is, the identification will be based only on IP address or other methods.
- Reviewing of the procedure for informing the owner of the website to remedy deficiencies (related to disinformation and/or lack of contact details) detected by state institutions, indicating deadlines and mandatory steps, as well as the procedure for unlocking web pages indicating deadlines and mandatory steps.
For procedures that will not be a part of the law, and will be reflected in the subordinate documents, this fact should be mentioned in the draft with the indication of the term and obligation of the state institutions, designated responsible for drafting these regulations.