A little over a month ago, the Polish parliament passed a law on organizational issues related to the Conference of Parties (COP24) of the UN Framework Convention on Climate Change (UNFCCC), which will meet next in December in Katowice, Poland. While the law has not received much international media attention, it has caused quite a stir amongst environmental non-governmental organizations and human rights activists, mainly due to two articles of the bill: article 22 prohibits participation in any spontaneous assembly between November 26 and December 16, 2018, in the city of Katowice, thus spanning the entire COP24 meeting; and article 17 authorizes the Polish government to collect participants’ personal data for reasons of public safety. As far as I understand the provision (thanks to unofficial translations by colleagues), article 17 permits, amongst others, that personal data of all COP24-participants be stored, without a need for concrete indications of a threat to public security and without the need to inform affected persons. In reaction, the Women and Gender Constituency at the UNFCCC has called upon Poland to repeal the bill and appealed to the European Commission and the Office for the High Commissioner of Human Rights to take measure to that end. In addition, a group of civil society organizations has called upon the Bureau of the Aarhus Convention to remind Poland of its obligations under the Aarhus Convention to ensure meaningful civil society participation in the upcoming environmental negotiations at COP24. But what are the specific human rights concerns caused by the bill?
Public safety I: spontaneous gatherings and the right to peaceful assembly
A civil and political rights classic, the right to freedom of peaceful assembly is enshrined in article 21 of the International Covenant on Civil and Political Rights (ICCPR) and article 11 of the European Convention on Human Rights (ECHR), both ratified by Poland. While the exercise of the right can be subject to legal regulation, a complete ban of spontaneous assemblies is consistently considered to be an unlawful restriction. Thus, the UN Special Rapporteur on the rights to freedom of peaceful assembly and of association recommended that “spontaneous assemblies should be recognized in law, and exempted from prior notification” (at 91). The Human Rights Committee, the ICCPR’s treaty-monitoring body, even spoke of a “right of spontaneous assembly” in a country report (at para 49). And the European Court for Human Rights has emphasized that disbanding a peaceful assembly solely because it was not notified to the authorities constitutes a disproportionate restriction on freedom of peaceful assembly when “an immediate response, in the form of a demonstration, to a political event might be justified” (at para 36).
Of course, public safety reasons might be invoked in order to justify a restriction on the right to freedom of assembly. Some might think of the French authorities deciding to ban the climate march at COP21 in Paris three years ago. While there was controversy at the time regarding the use of the French state of emergency to repress environmental activists, there are considerable differences to the situation today: Paris had suffered a severe terrorist attack at the Bataclan club mere weeks before hosting the COP. Intensive discussion with civil society organizations and the UNFCCC Secretariat had preceded the cancelling of the climate march. There was no preventive and absolute ban of all spontaneous gatherings put into place months in advance. Without indication of a threat to public safety, a blanket ban of spontaneous assemblies cannot be reconciled with Poland’s European and international human rights obligations.
Public safety II: storing personal registration data and data protection
Storing personal data is subject to restrictions flowing from the right to privacy enshrined in article 17 ICCPR and article 8 ECHR; in addition, article 8 of the Charter of Fundamental Rights of the European Union explicitly provides a right to protection of personal data (which the ECJ would probably consider applicable, given its broad interpretation of the Charter’s field of application and the EU data protection directive). Given the increasing complexity and constant shifts in multi-level data protection law, it is not my ambition to address in detail all legal questions arising from the constellation under review. But looking at some underlying principles of data protection law will illustrate the problem with the current bill: as emphasized by the UN Special Rapporteur on the right to privacy (in annex II), data collection is subject to the purpose-specification and the use limitation principle. This means that personal data can only be collected for a specified purpose and cannot be used for other purposes without consent of the affected individual, and it needs to be deleted permanently once the time required for the specified purpose runs out. These principles find expression in article 8 para 2 of the Charter of Fundamental Rights as well as in article 9 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
As far as I can see, the purpose of storing the data of all participants of COP24 is to ensure security and public order during the COP. These purposes, next to crime prevention, are explicitly listed in the chapeau of article 17 of the Polish bill. One might ask to what extent storing the data of all participants of the COP24 by the Polish government serves the end of ensuring public safety in the first place. But even if answered in the affirmative, the storage would need to be proportionate. In this context, it is important to consider that the data collection foreseen in the bill is possible without the consent and information of affected persons. Regarding telecommunications surveillance, the ECHR has emphasized that secrecy contains an especially high risk of arbitrary exercise of an executive power. In article 18, the Polish bill clarifies that the data collection is subject to Polish data protection law (and thus, I assume, on an implementation of the EU Data Protection Directive) and international conventions ratified by Poland. This implies that secret data retention without concrete indication of a threat to public safety for all participants of the COP cannot readily be put into practice. Again, it is the blanket nature of the provision that is problematic from a rights perspective.
What obligation for the UNFCCC Secretariat?
This entails a further thought: In order to store participants’ personal data, the Polish government needs to rely on the UNFCCC Secretariat, which retains registration data of all participants, who register through their Web site. Data is stored for future registration purposes and, according to a UNFCCC Secretariat speaker, data is shared with host countries upon their request, and especially in order to ensure processing visa applications for participants. To what extent is data sharing by the UNFCCC Secretariat subject to international human rights obligations? While not a party to international human rights treaties, it is generally acknowledged (even if the justification is hotly debated) that international organizations are in principle subject to the international human rights obligations that they are called upon to promote. While data sharing for the purpose of visa processing does not raise any human rights concerns, one might consider to what extent the blanket nature of the bill requires the UNFCCC Secretariat to request some form of assurance from host government to not secretly retain data of all COP-participants without concrete cause.
NGOs are in part worried about the secret storage of personal data because it leads at least subjectively to a large insecurity as to what will happen with the personal data and whether this might lead to reprisals in their countries of origin. In his last report, the UN Special Rapporteur on Human Rights Defenders concluded that the situation of environmental human rights defenders was deteriorating and that they were increasingly the subjects of reprisals ranging from significant restrictions of their work to physical violence and even documented cases of killings. Announcing to store participants’ data without cause might have the realistic potential of decreasing civil society participation at the upcoming COP. The UNFCCC Secretariat could work against this by not sharing data or at least requiring assurances that data will not be stored as a general rule and only when indications of a threat to public safety exists.
Between legal and political action
The law was signed by President Duda on January 29, 2018, and is currently in force. Of course, the Polish legislator is free to repeal the act or modify the provisions discussed in this post. I do not know under which conditions bills are subject to legal review under Polish constitutional law and what role the Polish ombudsperson might play in this regard. If the prohibition of spontaneous gatherings stays in place until the COP, activists could choose to ignore it – if a gathering was dissolved for the sole reason of contravening article 22 of the bill, legal action in front of the ECHR against such an act of dissolution would look promising, given past case law. This would of course require exhaustion of local remedies, including, in the case of interim measures, the exhaustion of domestic interim measures, which makes it uncertain whether legal relief could be achieved in a timely fashion. And an ex post affirmation of the legality of a spontaneous gathering and the illegality of its dissolution would be but a small consolation for civil society movements.
Exhaustion of domestic remedies would also be required regarding the data protection issue; in addition to the ECHR, one might consider the possibility of a preliminary ruling procedure in front of the ECJ (but it is not clear whether, even if legally conceivable, this is likely under current political circumstances). There are no legal means to assert a possible obligation of the UNFCCC Secretariat to ensure safe data use – here, affected NGOs will have to resort to political lobby work, as has been done e.g. through the letter to the Bureau of the Aarhus Convention. Next to the UNFCCC Secretariat, awareness could be raised with the UN Special Rapporteurs on the right to privacy, on human rights defenders, and on the rights to freedom of peaceful assembly and of association, all of whom receive individual communications. But this case also shows once more: individual legal redress is largely powerless where laws are intended to exercise political pressure (at least this is how a spokesperson of Greenpeace Poland views the bill and much could be and is said about the current state of the rule of law in Poland in light of the ongoing Article 7 procedure). Thus, it is perhaps not so surprising that the reaction to the bill has thus far been largely a political debate – but one in which legal arguments have a role to play.
A German version of this article has been posted on the Juwiss Blog.