Going beyond the guidelines - legal and moral responsibilities on ICT companies

YouTube this week introduced a face-blurring tool to protect activists from being recognised by their online activities.  Human rights groups will no doubt welcome the initiative as it comes in response to calls from groups such as Witness.  Some web companies demonstrate a commitment to not only reducing the negative human rights impacts of their activities, but also to actively improving the positive impacts that they may have.  The uptake of some of the voluntary guidelines on corporate social responsibility and human rights demonstrates a willingness to go beyond the minimum requirements.  But what responsibilities do tech companies really owe to users in other countries?  Is this solely a question of moral responsibility and ethics, or is there a legal obligation?  And should moral responsibility be reflected in a legally-binding regime? Broadly speaking, international human rights law is only binding on States, not companies or individuals.  States have obligations to persons within their jurisdiction. In order to protect the rights of persons within their jurisdiction, States may need to regulate the conduct of companies operating there.  In this way, a State may use its domestic law to impose obligations on companies in an effort to implement its obligations under international law.  However, in many cases there will not be any relevant domestic law, particularly in States that do not have a robust approach to human rights protection or those that are actively abusing their residents’ human rights.  So, while international human rights law provides a useful benchmark for companies in understanding the scope and permissible limits on human rights, it does not actually impose any direct obligations on companies.

Even though international human rights law does not impose direct obligations on companies, there are still ways in which companies may be legally liable for actions that breach individual human rights.  Red Flags provides a great, very brief summary of some of the ‘liability risks for companies operating in high-risk zones’ and I will mention a few of the key legal areas in the following discussion.  It is also worth noting that actions that have an adverse human rights impact can be regulated by laws that are not specifically targeted at ‘human rights’ protection.  For example, many countries have criminal legislation that operates extraterritorially for companies that bribe foreign public officials (this is mandated under the UN Convention against Corruption and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions).

Human rights obligations under US law

The US is unusual in potentially imposing domestic liability on companies for actions not complying with international law standards even when they occur beyond US territory.  The Alien Tort Claims Statute (28 USC §1350) is the most (in)famous of these, with companies potentially having civil liability for actions that they commit ‘in violation of the law of nations or a treaty of the United States’.  Yahoo! previously settled a case that was brought under the ATS arising from the alleged provision of information by a Yahoo! subsidiary to the Chinese Government that enabled authorities to identify, arrest and subsequently torture political activists (Wang Xiaoning v Yahoo!).  Similarly, Cisco is in the middle of defending an action under the ATS as a result of their provision of software to the Chinese Government that is alleged to have been a part of the ‘Great Firewall of China’ that enabled the torture of political dissidents (Du v Cisco and Doe v Cisco).  The future of actions against companies under the ATS is currently in the balance.  This is because the Supreme Court is grappling with the question of whether companies (ie legal persons, as opposed to ‘real’ persons) can be liable under the ATS in the case of Kiobel v Royal Dutch Petroleum Co.  Depending on the decision in Kiobel, companies that commit major human rights violations may find themselves squarely in the cross hairs of ATS litigants in the US courts.

It had been argued that the Torture Victim Protection Act (18 USC §2340) creates liability for corporations as well as individuals who committed acts of torture outside of the United States.  After an inconsistent approach in various courts, in April of this year the Supreme Court held unanimously that the TVPA only applies to natural persons, not organisations (and, by corollary, not to corporations) (Mohamad v Palestinian Authority).

Two pieces of legislation are worth mentioning even though they do not create liability as such: The California Transparency in Supply Chains Act; and the Global Online Freedom Act.  Since entering into force at the start of this year, the Transparency in Supply Chains Act requires retailers or manufacturers doing business in California with annual worldwide gross receipts exceeding $100 million to disclose via a ‘conspicuous link’ on their main website their efforts to address risks related to slavery and human trafficking in their supply chains.

At the federal level, the Global Online Freedom Act is a Bill that aims to ‘prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, to fulfill the responsibility of the United States Government to promote freedom of expression on the Internet, to restore public confidence in the integrity of United States businesses’.  It has been floating around in various incarnations for several years, with the most recent version being passed by a House Committee on 27 March.  Similar to the Transparency in Supply Chains Act, the GOFA would create a reporting regime for internet communications services companies.  Companies would be required to detail their ‘human rights due diligence’ (drawing on the OECD Guidelines for Multinational Enterprises), privacy policies and policy on advising users when content has been filtered or blocked.  It would also establish export controls on certain telecommunications equipment.  The jury seems to be out on whether the latest incarnation of the GOFA could eventually become law, but in any case it does not seem likely that it will enter into force any time soon.

Moral obligations and duties beyond the law?

Anupam Chander wrote an interesting article setting out some of the philosophical arguments that could form the basis for a moral obligation owed by web companies to people in the ‘unfree’ world.  He argues that it is erroneous to apply the same ideas about corporate obligations (or lack thereof) in their interaction with citizens in a free society to corporate interactions with those living in repressive regimes.  As part of this, he argues that ‘given the special role of new media in empowering or oppressing individuals, it seems incumbent upon us to demand the inculcation of a professional ethic among new media companies to protect the freedom-enhancing aspects of cyberspace’.  He explains that ‘new media can either help give voice to dissidents or help perfect totalitarianism’.

Since the Arab Spring, there have certainly been some compelling arguments made about the power of web companies to affect the rights of users in repressive regimes and the moral responsibility that this creates.  However, it is not just the persuasiveness of the arguments about a moral responsibility that cause web companies to go above and beyond the low bar that is set by the international legal framework.  Instead, there seems to be something delightfully self-reinforcing about the freedom of the internet and web companies’ reliance on the trust of their users.

In other global businesses, it is often not the companies’ customers whose human rights are most likely to be affected by the companies’ actions.  For example, in the extractive industries, workers in Burma who may be subject to labour rights violations by a multinational company are not intended to be customers for the oil and gas that they are working to extract.  Instead, the customers are half a world away in developed countries in Europe and America.  This contrasts with a social networking business such as Twitter, where individuals in repressive regimes such as Egypt are able to be users of the product.  While perhaps not possessing the commercial clout of users in more wealthy markets, they are nonetheless part of the business structure.

Moreover, web companies’ branding and reputation is often tightly intertwined with notions of freedom of information and expression. Google’s mission is ‘to organize the world’s information and make it universally accessible and useful’.  In light of this mission statement, being implicated in censorship and suppression of freedom of expression would undermine their brand credibility.  The richness of information sharing and transparency on the internet also makes it more difficult for web companies to adopt sloppy human rights policies because their users are likely to catch them out.  Companies that rely on users’ willingness to share their personal information using their products cannot afford to be caught out too many times!

While there may not be a perfect alignment between the human rights policies that it is in a web company’s business interests to uphold and the human rights standards embodied in international law, there is at least some overlap.  It is this overlap that encourages companies to adopt voluntary guidelines and participate in industry initiatives.

Guide to the guidelines - human rights, business and the ICT sector

Complex and interesting areas of international legal policy can be difficult to navigate.  Once an issue gains a profile in policy circles, everyone with an interest in the topic rushes to develop guidelines to help others navigate the area.  While the issue of human rights and web companies is still comparatively new, there are guidelines from the field of corporate social responsibility that can be drawn upon.  ICT-specific guidelines are also mushrooming at the moment.  In light of this, I thought it timely to develop a quick guide to the guidelines. There is an abundance of material on corporate social responsibility, with some of it approaching human rights more broadly and some creating sector specific guidance.  I will outline a couple of the key general CSR guideline initiatives and the guidelines that are specific to the ICT sector.  Once you start delving into specific issues such as environmental sustainability, fair trade or bribery or markets with particular vulnerabilities such as conflict zones, you find a whole host of additional stakeholders and reference materials.  Some notable examples include the OECD Risk Awareness Tool for Weak Governance Zones, the ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy and the Extractive Industries Transparency Initiative.

Global Compact Self Assessment Tool

‘The United Nations Global Compact is a strategic policy initiative for businesses that are committed to aligning their operations and strategies with ten universally accepted principles in the areas of human rights, labour, environment and anti-corruption’.  Announced by the then UN Secretary-General Kofi Annan in 1999, the Global Compact catalysed a string of corporate social responsibility initiatives.  The UN Global Compact Checklist seeks to operationalise the Global Compact by expanding the principles of the Compact into a self-assessment checklist for companies. The Global Compact Self Assessment Tool was developed by a collection of Danish government, NGO and industry groups in consultation with the UN Global Compact Secretariat.  The Self Assessment Tool:

  • Is an interactive online tool
  • Is general and non-sector specific, as it reflects the UN Global Compact
  • Does not specifically address rights such as privacy and freedom of expression or the vexed issue of working in jurisdictions where domestic laws and practices infringe international human rights.

UN Guiding Principles on Business and Human Rights

Hot on the heels of the excitement generated by the Global Compact, John Ruggie was appointed as the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises.  Ruggie’s six years of work culminated in the UN Guiding Principles on Business and Human Rights, which were endorsed by the Human Rights Council on 16 June 2011.  The Guiding Principles:

  • Cover the roles of States, State-owned companies and private companies in upholding human rights
  • Are based on the full range of civil, political, social, economic, cultural and labour rights found in the international bill of human rights
  • Require companies to have in place policies, due diligence and remediation practices for human rights compliance issues
  • Focus on situations where States may need to deal with companies that are having an adverse impact on human rights rather than the situation where companies are operating in jurisdictions with sub-standard human rights practices.

OECD Guidelines for Multinational Enterprises

The OECD proudly notes that these are the only ‘multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting’.  They have been endorsed by all OECD member countries, as well as 11 non-member countries (Argentina, Brazil, Egypt, Latvia, Lithuania, Morocco, Peru and Romania).  The guidelines:

  • Were originally developed in 1976, with the most recent update in 2011
  • Require member countries to establish a complaints procedure and point of contact
  • Contain 11 Chapters - concepts and principles, general policies, disclosure, human rights, employment and industrial relations, environment, combating bribery, consumer interests, science and technology, competition and taxation
  • Were updated in 2011 to include a new human rights chapter that is consistent with the UN Guiding Principles on Business and Human Rights.
  • Note that international human rights obligations are owed by States, but nonetheless require companies to respect human rights in accordance with the international legal obligations of the countries in which they operate and with domestic laws
  • Include an obligation to prevent or mitigate adverse human rights impacts that are directly linked to their business activities
  • Require companies to undertake due diligence in their supply chain
  • Include a chapter on science and technology, which aims to promote ‘the diffusion by multinational enterprises of the fruits of research and development activities among the countries where they operate, contributing thereby to the innovative capacities of host countries’.

The Global Network Initiative – ‘Principles’, ‘Implementation Guidelines’ and ‘Governance, Accountability and Learning Framework’

The GNI was launched in 2008 as a cooperative effort between ICT companies, academia and NGOs.  It seeks to create ‘a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector’.  The Principles:

  • Are specific to the ICT sector
  • Directly address situations in which companies may be operating in jurisdictions in which the local government is not upholding its international human rights law obligations.
  • Are part of a broader membership system, which entails a commitment to implementing the principles and to undergoing monitoring and evaluation processes
  • Require companies to have human rights policies, due diligence procedures and mitigation strategies.
  • Give concrete guidance on issues such as how to handle requests for information from law enforcement agencies.

The Council of Europe Human rights guidelines for Internet service providers

As keeper of both the European Convention on Human Rights and the European Convention on Cybercrime, it is no surprise that the Council of Europe has prepared guidelines on human rights and cybercrime issues.  In 2008, the Council of Europe endorsed the Human Rights Guidelines for Internet Service Providers, which were developed in cooperation with the European Internet Services Providers Association (EuroISPA).  The Guidelines:

  • Emphasise the need for ISPs to provide information to customers about their rights and obligations regarding privacy, unlawful content and circumstances in which they may need to disclose customers’ private information
  • Caution ISPs to ensure that any removal or filtering of content is strictly in accordance with the law
  • Cross-reference existing CoE standards relevant to ISPs such as those on freedom of communication on the internet, protection of personal data, promoting the freedom of expression, etc.
  • Do not address circumstances in which the local government is contributing to the human rights abuses but rather focus on private threats to internet users’ rights.

The Council of Europe Guidelines for the Cooperation between law enforcement and internet service providers against cybercrime

2008 was a busy year for the Council of Europe in this space, because not only did it endorse guidelines on human rights and ISPs, but also guidelines on law enforcement and ISPs.  The Guidelines:

  • Provide practical tips on how law enforcement and ISPs can work to improve their working relationships.
  • Encourage law enforcement and ISPs to uphold human rights in their dealings and to ensure that due legal process is adhered to, but do not provide specific guidance on human rights issues.

European Commission

The European Commission’s Directorate-General for Enterprise and Industry selected the ICT sector as one of three business sectors that will be the focus of a new, year-long project to develop sector-specific guidance on the corporate responsibility to respect human rights.  The guidelines will be based on the UN Principles and are due to be completed by the end of 2012.  The Commission promises ‘extensive consultations with enterprises and all concerned stakeholder groups’.

GRI Telecommunications Sector Supplement

The Global Reporting Initiative is a non-profit organisation that aims to promote economic, environmental and social sustainability by developing a comprehensive sustainability reporting framework.  The GRI's Telecommunications Sector Supplement is intended to be used in conjunction with the general reporting guidelines.  Although it has not progressed beyond the ‘pilot’ stage, is available upon request from GRI.  Key features include:

  • applies to service providers and equipment manufacturers
  • provides guidance on reporting procedures, not on substantive policies
  • principles are general enough that they can be adapted to current technology issues (this is particularly important because the supplement was developed in 2002-2003 - before Twitter even existed!)
  • PR3 requires reporting on respect for privacy and PA7 on access to content.  PA7 notes that this includes policies on freedom of expression, censorship and interaction with government on issues such as surveillance.

Electronic Industry Citizenship Coalition Code of Conduct 

'The EICC is a coalition of the world’s leading electronics companies working together to improve efficiency and social, ethical, and environmental responsibility in the global supply chain.'  The EICC certainly has some big name members in the ICT sector, including Adobe, Apple, Foxconn, Cisco, Microsoft and HTC (not all of whom necessarily have a squeaky-clean human rights record!).  Any company is open to adopt the code of conduct, but membership of the EICC indicates a commitment to its implementation and compliance with the organisation’s by-laws.  The Code of Conduct:

  • Outline standards for labour, health and safety, the environment and business ethics; also outlines the elements of an acceptable system to manage compliance with the Code
  • Businesses firstly must comply with local laws, but are encouraged then to go beyond
  • Provides no ICT specific guidance or direction relating to privacy or freedom of expression.

Guide to Human Rights Impact Assessment and Management

This is a collaboration between the International Business Leaders Forum (IBLF) and International Finance Corporation (IFC), in association with the United Nations Global Compact.  Full details are only available to registered users on the website.  The Guide:

  • Started life as an interactive online tool but is now also available in pdf format
  • Focuses on procedures to assess and respond to human rights risks, rather than suggesting the human rights policy content
  • Establishes an online forum aimed at encouraging businesses to share their experiences and learn from each other
  • Provides guidance on the four elements of human rights due diligence, as advanced in the UN 'Protect, Respect and Remedy' Framework.