Extraterritoriality and digital surveillance – time for the lawyers and the advocates to bring the dialogue together

This weekend, as an ex-bureaucrat, I felt for the folk at the State Department.  It must have been a ridiculously busy weekend for those preparing for this week’s Human Rights Committee Hearing in Geneva.  On Friday, the New York Times leaked Harold Koh’s legal advice acknowledging that the US obligations under the International Covenant on Civil and Political Rights do not stop at the border.  The NYT article would have meant that the briefing folders that had been merrily making their way up the clearance chain in time to be packed into the delegation’s suitcases would have been discarded (or at least the sections on extraterritoriality would have been yanked out) and all the talking points would have needed to be rewritten. This is not just an important moment for bureaucrats or international human rights law junkies; it is potentially powerful for digital rights activists pushing for reform of global surveillance practices.  Digital rights advocates have been calling for the US government to end global mass suspicionless surveillance and to adhere to their international human rights law obligations.  There may be a strong moral case to support them, but when it comes to the NSA’s overseas activities, the discourse has often lacked a strong legal underpinning.  In order to push governmental policy on this issue, the dialogue needs to mature to the point where it is built on solid legal underpinnings.  The next couple of months bring an unprecedented opportunity to do just that.

The current state of the digital rights dialogue

Up until now, civil society dialogue has pushed the idea that States owe an obligation to respect privacy online for both citizens and non-citizens.  In an open letter to the UN High Commissioner for Human Rights, the Global Network Initiative “has urged the United States to recognize the right to privacy of non-U.S. persons and to strengthen reforms to effectively protect this right”.  The NGO-led International Principles on the Application of Human Rights to Communications Surveillance state that “In order for States to actually meet their international human rights obligations in relation to communications surveillance, they must comply with the principles set out below. These principles apply to surveillance conducted within a State or extraterritorially.”

But it’s hard to find anything in the digital rights sphere that actually specifies the nature and source of an extraterritorial international obligation.  You can’t really blame them.  While you may have a gut instinct that the “right” thing to do is to extend the article 17 right to privacy beyond a country’s borders, it’s actually really tough to make out the technical legal argument supporting this.  The issue goes to heart of what “control” means and whether the scope of a right can be determined by the ability of a State to impact it.  Tricky stuff.

The emerging ideas for a legal basis

One of the few academic articles to specifically tackle the issue of extraterritorial application of article 17 of the ICCPR to digital surveillance is by Peter Margulies.  This argues that the “effective control” test of jurisdiction is inadequate for the online context.  Instead, he posits a test of “virtual control” under which the ICCPR is “applicable when a state can assert control over an individual’s communications, even though it lacks control over the territory in which the individual is located, or over the physical person of that individual”.  I’m not sure that this argument is nuanced enough yet to be able to adopt it in legal cases (and indeed, digital rights groups may be unhappy with Margulies’ conclusion that US surveillance abroad actually complies with article 17).  However, it does go some way towards breaking down the issues and applying international legal reasoning to the issue.

Marko Milanovic has an excellent series of blog posts on the international human rights law implications of surveillance.  He argues that the best way of understanding jurisdiction and international surveillance is to treat rights differently according to whether they are “negative” or “positive”.  Accordingly, “The reason why the Convention would apply is because it should apply to all potential violations of negative obligations, e.g. the one to refrain from interfering with my privacy”.  This argument has a lot of force and makes sense of some of the confusing jurisdictional cases in international human rights law jurisprudence.  However, it is still early days and it is yet to be seen whether a court (or treaty body) would adopt this approach.

The NYT article has prompted a stream of shorter blog posts over the last couple of days, including a great “mini-forum” on Just Security (see especially Jennifer Daskal, Martin Scheinin and Manfred Nowak.  This does not really go into the same depth as Margulies' and Milanovic's analyses, but does go some way towards bringing the legal issue of extraterritoriality and surveillance to a slightly broader audience.

There has been some high-quality legal thinking on this issue but it is still at a fairly early stage of development, and discussion remains confined to international human rights law circles.

The opportunities for change

The best way to effect change to international digital surveillance is through powerful advocacy that speaks to the public but is also supported by strong legal reasoning that speaks to the government and bureaucrats.  Now is the moment to bring these dialogues together.

The Human Rights Committee tends to listen very closely to NGO input (partly in recognition of their valuable contribution, but also because the committee just does not have the resources to conduct extensive research on all the issues covered by the ICCPR in each State).  This means that the NGO community needs to be in the Committee’s ear over the coming week with helpful, informed and well-reasoned views on extraterritoriality and surveillance.

Another key opportunity will be the UN High Commissioner for Human Rights’ forthcoming report.  At the end of last year, the UN General Assembly passed a resolution recognizing the right to privacy in the digital age.  It backed away from any reference to extraterritorial obligations in the text of the resolution.  However, the resolution:

Requests the United Nations High Commissioner for Human Rights to present a report on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale to the Human Rights Council, at its twenty-seventh session, and to the General Assembly at its sixty-ninth session, with views and recommendations, to be considered by Member States;

This means that there is now an opportunity for a UN report to directly tackle the issue of extraterritorial application of the right to privacy to online surveillance.  Again, it will be important for civil society to make submissions that are well-reasoned, pragmatic and legally-robust.

Much of the advocacy and legal groundwork has been done – the challenge is in making sure that the two dialogues come together.

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report: 4 June 2013 – “Freedom of expression cannot be ensured without respect to privacy in communications,” United Nations Special Rapporteur Frank La Rue said today, calling for more global attention to the widespread use of surveillance technologies by States in violation of the human rights to privacy and freedom of expression.

5 June 2013 - The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April.

6 June 2013 - The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants …. The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says. 

The right to privacy is a fundamental freedom in its own right (pardon the pun), but also as an important enabler for other rights such as the freedom of speech.  And yet, the right to privacy is a qualified right.  La Rue’s report notes that international human rights law is not sufficiently nuanced to provide clear guidance for countries and individuals when trying to understand what (if any) government intrusions into an individual’s electronic communications are acceptable.  In general terms, the right to privacy can be limited if the restrictions:

  1. are provided by the law;
  2. do not go to ‘the essence’ of the human right
  3. are necessary in a democratic society;
  4. are not subject to unfettered discretion;
  5. are necessary for reaching an enumerated legitimate aim; and
  6. are proportionate (ie the least intrusive instrument to achieve the desired result, and the restrictions are proportionate to the interest to be protected).

It may well be that the US government’s electronic surveillance activities are permissible restrictions on the right to privacy under international human rights law.  The answer is in the detail of whether the restrictions are ‘necessary’, ‘proportionate’ and sufficiently fettered.  To satisfy this test, the government would certainly need to make some pretty convincing arguments.  President Obama’s brief defence of the program focuses on the fact that the surveillance only looks at ‘meta-data’, in order to identify patterns. This type of pattern can be invaluable in identifying potential security threats, and national security is clearly a legitimate aim in a democratic society.  However, the intrusion on privacy is only acceptable if the level of discretion, oversight and proportionality are adequate, and this can by no means be assumed in the current circumstances.

La Rue’s report concludes by making 17 recommendations.  Many of these recommendations relate to transparency, accountability and public awareness.  For example, he states that laws governing electronic surveillance should meet ‘a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee their application’.  In essence, his recommendations capture a sense that reasonable citizens should not be alarmed to learn of the type of surveillance that occurs, should acknowledge that the surveillance is of value and should be reassured that there are adequate oversight mechanisms in place.  Once again, his report is right on the money; the level of outcry in the US media and around water coolers this morning indicates that the current surveillance policies are not meeting the public 'sniff test'.  Something smells decidedly off.

So often, UN reports end with a plea for increased public awareness and further discussion about the issues, but any resulting debate is limited to the international law nerds and human rights nuts amongst us.  However, the freakishly good timing of La Rue’s report may just mean that the issues that he has raised capture mainstream attention and generate some real public debate.


Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions. The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affects privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the fourth amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.

Going beyond the guidelines - legal and moral responsibilities on ICT companies

YouTube this week introduced a face-blurring tool to protect activists from being recognised by their online activities.  Human rights groups will no doubt welcome the initiative as it comes in response to calls from groups such as Witness.  Some web companies demonstrate a commitment to not only reducing the negative human rights impacts of their activities, but also to actively improving the positive impacts that they may have.  The uptake of some of the voluntary guidelines on corporate social responsibility and human rights demonstrates a willingness to go beyond the minimum requirements.  But what responsibilities do tech companies really owe to users in other countries?  Is this solely a question of moral responsibility and ethics, or is there a legal obligation?  And should moral responsibility be reflected in a legally-binding regime? Broadly speaking, international human rights law is only binding on States, not companies or individuals.  States have obligations to persons within their jurisdiction. In order to protect the rights of persons within their jurisdiction, States may need to regulate the conduct of companies operating there.  In this way, a State may use its domestic law to impose obligations on companies in an effort to implement its obligations under international law.  However, in many cases there will not be any relevant domestic law, particularly in States that do not have a robust approach to human rights protection or those that are actively abusing their residents’ human rights.  So, while international human rights law provides a useful benchmark for companies in understanding the scope and permissible limits on human rights, it does not actually impose any direct obligations on companies.

Even though international human rights law does not impose direct obligations on companies, there are still ways in which companies may be legally liable for actions that breach individual human rights.  Red Flags provides a great, very brief summary of some of the ‘liability risks for companies operating in high-risk zones’ and I will mention a few of the key legal areas in the following discussion.  It is also worth noting that actions that have an adverse human rights impact can be regulated by laws that are not specifically targeted at ‘human rights’ protection.  For example, many countries have criminal legislation that operates extraterritorially for companies that bribe foreign public officials (this is mandated under the UN Convention against Corruption and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions).

Human rights obligations under US law

The US is unusual in potentially imposing domestic liability on companies for actions not complying with international law standards even when they occur beyond US territory.  The Alien Tort Claims Statute (28 USC §1350) is the most (in)famous of these, with companies potentially having civil liability for actions that they commit ‘in violation of the law of nations or a treaty of the United States’.  Yahoo! previously settled a case that was brought under the ATS arising from the alleged provision of information by a Yahoo! subsidiary to the Chinese Government that enabled authorities to identify, arrest and subsequently torture political activists (Wang Xiaoning v Yahoo!).  Similarly, Cisco is in the middle of defending an action under the ATS as a result of their provision of software to the Chinese Government that is alleged to have been a part of the ‘Great Firewall of China’ that enabled the torture of political dissidents (Du v Cisco and Doe v Cisco).  The future of actions against companies under the ATS is currently in the balance.  This is because the Supreme Court is grappling with the question of whether companies (ie legal persons, as opposed to ‘real’ persons) can be liable under the ATS in the case of Kiobel v Royal Dutch Petroleum Co.  Depending on the decision in Kiobel, companies that commit major human rights violations may find themselves squarely in the cross hairs of ATS litigants in the US courts.

It had been argued that the Torture Victim Protection Act (18 USC §2340) creates liability for corporations as well as individuals who committed acts of torture outside of the United States.  After an inconsistent approach in various courts, in April of this year the Supreme Court held unanimously that the TVPA only applies to natural persons, not organisations (and, by corollary, not to corporations) (Mohamad v Palestinian Authority).

Two pieces of legislation are worth mentioning even though they do not create liability as such: The California Transparency in Supply Chains Act; and the Global Online Freedom Act.  Since entering into force at the start of this year, the Transparency in Supply Chains Act requires retailers or manufacturers doing business in California with annual worldwide gross receipts exceeding $100 million to disclose via a ‘conspicuous link’ on their main website their efforts to address risks related to slavery and human trafficking in their supply chains.

At the federal level, the Global Online Freedom Act is a Bill that aims to ‘prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, to fulfill the responsibility of the United States Government to promote freedom of expression on the Internet, to restore public confidence in the integrity of United States businesses’.  It has been floating around in various incarnations for several years, with the most recent version being passed by a House Committee on 27 March.  Similar to the Transparency in Supply Chains Act, the GOFA would create a reporting regime for internet communications services companies.  Companies would be required to detail their ‘human rights due diligence’ (drawing on the OECD Guidelines for Multinational Enterprises), privacy policies and policy on advising users when content has been filtered or blocked.  It would also establish export controls on certain telecommunications equipment.  The jury seems to be out on whether the latest incarnation of the GOFA could eventually become law, but in any case it does not seem likely that it will enter into force any time soon.

Moral obligations and duties beyond the law?

Anupam Chander wrote an interesting article setting out some of the philosophical arguments that could form the basis for a moral obligation owed by web companies to people in the ‘unfree’ world.  He argues that it is erroneous to apply the same ideas about corporate obligations (or lack thereof) in their interaction with citizens in a free society to corporate interactions with those living in repressive regimes.  As part of this, he argues that ‘given the special role of new media in empowering or oppressing individuals, it seems incumbent upon us to demand the inculcation of a professional ethic among new media companies to protect the freedom-enhancing aspects of cyberspace’.  He explains that ‘new media can either help give voice to dissidents or help perfect totalitarianism’.

Since the Arab Spring, there have certainly been some compelling arguments made about the power of web companies to affect the rights of users in repressive regimes and the moral responsibility that this creates.  However, it is not just the persuasiveness of the arguments about a moral responsibility that cause web companies to go above and beyond the low bar that is set by the international legal framework.  Instead, there seems to be something delightfully self-reinforcing about the freedom of the internet and web companies’ reliance on the trust of their users.

In other global businesses, it is often not the companies’ customers whose human rights are most likely to be affected by the companies’ actions.  For example, in the extractive industries, workers in Burma who may be subject to labour rights violations by a multinational company are not intended to be customers for the oil and gas that they are working to extract.  Instead, the customers are half a world away in developed countries in Europe and America.  This contrasts with a social networking business such as Twitter, where individuals in repressive regimes such as Egypt are able to be users of the product.  While perhaps not possessing the commercial clout of users in more wealthy markets, they are nonetheless part of the business structure.

Moreover, web companies’ branding and reputation is often tightly intertwined with notions of freedom of information and expression. Google’s mission is ‘to organize the world’s information and make it universally accessible and useful’.  In light of this mission statement, being implicated in censorship and suppression of freedom of expression would undermine their brand credibility.  The richness of information sharing and transparency on the internet also makes it more difficult for web companies to adopt sloppy human rights policies because their users are likely to catch them out.  Companies that rely on users’ willingness to share their personal information using their products cannot afford to be caught out too many times!

While there may not be a perfect alignment between the human rights policies that it is in a web company’s business interests to uphold and the human rights standards embodied in international law, there is at least some overlap.  It is this overlap that encourages companies to adopt voluntary guidelines and participate in industry initiatives.

Guide to the guidelines - human rights, business and the ICT sector

Complex and interesting areas of international legal policy can be difficult to navigate.  Once an issue gains a profile in policy circles, everyone with an interest in the topic rushes to develop guidelines to help others navigate the area.  While the issue of human rights and web companies is still comparatively new, there are guidelines from the field of corporate social responsibility that can be drawn upon.  ICT-specific guidelines are also mushrooming at the moment.  In light of this, I thought it timely to develop a quick guide to the guidelines. There is an abundance of material on corporate social responsibility, with some of it approaching human rights more broadly and some creating sector specific guidance.  I will outline a couple of the key general CSR guideline initiatives and the guidelines that are specific to the ICT sector.  Once you start delving into specific issues such as environmental sustainability, fair trade or bribery or markets with particular vulnerabilities such as conflict zones, you find a whole host of additional stakeholders and reference materials.  Some notable examples include the OECD Risk Awareness Tool for Weak Governance Zones, the ILO Tripartite Declaration of Principles concerning Multinational Enterprises and Social Policy and the Extractive Industries Transparency Initiative.

Global Compact Self Assessment Tool

‘The United Nations Global Compact is a strategic policy initiative for businesses that are committed to aligning their operations and strategies with ten universally accepted principles in the areas of human rights, labour, environment and anti-corruption’.  Announced by the then UN Secretary-General Kofi Annan in 1999, the Global Compact catalysed a string of corporate social responsibility initiatives.  The UN Global Compact Checklist seeks to operationalise the Global Compact by expanding the principles of the Compact into a self-assessment checklist for companies. The Global Compact Self Assessment Tool was developed by a collection of Danish government, NGO and industry groups in consultation with the UN Global Compact Secretariat.  The Self Assessment Tool:

  • Is an interactive online tool
  • Is general and non-sector specific, as it reflects the UN Global Compact
  • Does not specifically address rights such as privacy and freedom of expression or the vexed issue of working in jurisdictions where domestic laws and practices infringe international human rights.

UN Guiding Principles on Business and Human Rights

Hot on the heels of the excitement generated by the Global Compact, John Ruggie was appointed as the Special Representative of the Secretary-General on the issue of human rights and transnational corporations and other business enterprises.  Ruggie’s six years of work culminated in the UN Guiding Principles on Business and Human Rights, which were endorsed by the Human Rights Council on 16 June 2011.  The Guiding Principles:

  • Cover the roles of States, State-owned companies and private companies in upholding human rights
  • Are based on the full range of civil, political, social, economic, cultural and labour rights found in the international bill of human rights
  • Require companies to have in place policies, due diligence and remediation practices for human rights compliance issues
  • Focus on situations where States may need to deal with companies that are having an adverse impact on human rights rather than the situation where companies are operating in jurisdictions with sub-standard human rights practices.

OECD Guidelines for Multinational Enterprises

The OECD proudly notes that these are the only ‘multilaterally agreed and comprehensive code of responsible business conduct that governments have committed to promoting’.  They have been endorsed by all OECD member countries, as well as 11 non-member countries (Argentina, Brazil, Egypt, Latvia, Lithuania, Morocco, Peru and Romania).  The guidelines:

  • Were originally developed in 1976, with the most recent update in 2011
  • Require member countries to establish a complaints procedure and point of contact
  • Contain 11 Chapters - concepts and principles, general policies, disclosure, human rights, employment and industrial relations, environment, combating bribery, consumer interests, science and technology, competition and taxation
  • Were updated in 2011 to include a new human rights chapter that is consistent with the UN Guiding Principles on Business and Human Rights.
  • Note that international human rights obligations are owed by States, but nonetheless require companies to respect human rights in accordance with the international legal obligations of the countries in which they operate and with domestic laws
  • Include an obligation to prevent or mitigate adverse human rights impacts that are directly linked to their business activities
  • Require companies to undertake due diligence in their supply chain
  • Include a chapter on science and technology, which aims to promote ‘the diffusion by multinational enterprises of the fruits of research and development activities among the countries where they operate, contributing thereby to the innovative capacities of host countries’.

The Global Network Initiative – ‘Principles’, ‘Implementation Guidelines’ and ‘Governance, Accountability and Learning Framework’

The GNI was launched in 2008 as a cooperative effort between ICT companies, academia and NGOs.  It seeks to create ‘a collaborative approach to protect and advance freedom of expression and privacy in the ICT sector’.  The Principles:

  • Are specific to the ICT sector
  • Directly address situations in which companies may be operating in jurisdictions in which the local government is not upholding its international human rights law obligations.
  • Are part of a broader membership system, which entails a commitment to implementing the principles and to undergoing monitoring and evaluation processes
  • Require companies to have human rights policies, due diligence procedures and mitigation strategies.
  • Give concrete guidance on issues such as how to handle requests for information from law enforcement agencies.

The Council of Europe Human rights guidelines for Internet service providers

As keeper of both the European Convention on Human Rights and the European Convention on Cybercrime, it is no surprise that the Council of Europe has prepared guidelines on human rights and cybercrime issues.  In 2008, the Council of Europe endorsed the Human Rights Guidelines for Internet Service Providers, which were developed in cooperation with the European Internet Services Providers Association (EuroISPA).  The Guidelines:

  • Emphasise the need for ISPs to provide information to customers about their rights and obligations regarding privacy, unlawful content and circumstances in which they may need to disclose customers’ private information
  • Caution ISPs to ensure that any removal or filtering of content is strictly in accordance with the law
  • Cross-reference existing CoE standards relevant to ISPs such as those on freedom of communication on the internet, protection of personal data, promoting the freedom of expression, etc.
  • Do not address circumstances in which the local government is contributing to the human rights abuses but rather focus on private threats to internet users’ rights.

The Council of Europe Guidelines for the Cooperation between law enforcement and internet service providers against cybercrime

2008 was a busy year for the Council of Europe in this space, because not only did it endorse guidelines on human rights and ISPs, but also guidelines on law enforcement and ISPs.  The Guidelines:

  • Provide practical tips on how law enforcement and ISPs can work to improve their working relationships.
  • Encourage law enforcement and ISPs to uphold human rights in their dealings and to ensure that due legal process is adhered to, but do not provide specific guidance on human rights issues.

European Commission

The European Commission’s Directorate-General for Enterprise and Industry selected the ICT sector as one of three business sectors that will be the focus of a new, year-long project to develop sector-specific guidance on the corporate responsibility to respect human rights.  The guidelines will be based on the UN Principles and are due to be completed by the end of 2012.  The Commission promises ‘extensive consultations with enterprises and all concerned stakeholder groups’.

GRI Telecommunications Sector Supplement

The Global Reporting Initiative is a non-profit organisation that aims to promote economic, environmental and social sustainability by developing a comprehensive sustainability reporting framework.  The GRI's Telecommunications Sector Supplement is intended to be used in conjunction with the general reporting guidelines.  Although it has not progressed beyond the ‘pilot’ stage, is available upon request from GRI.  Key features include:

  • applies to service providers and equipment manufacturers
  • provides guidance on reporting procedures, not on substantive policies
  • principles are general enough that they can be adapted to current technology issues (this is particularly important because the supplement was developed in 2002-2003 - before Twitter even existed!)
  • PR3 requires reporting on respect for privacy and PA7 on access to content.  PA7 notes that this includes policies on freedom of expression, censorship and interaction with government on issues such as surveillance.

Electronic Industry Citizenship Coalition Code of Conduct 

'The EICC is a coalition of the world’s leading electronics companies working together to improve efficiency and social, ethical, and environmental responsibility in the global supply chain.'  The EICC certainly has some big name members in the ICT sector, including Adobe, Apple, Foxconn, Cisco, Microsoft and HTC (not all of whom necessarily have a squeaky-clean human rights record!).  Any company is open to adopt the code of conduct, but membership of the EICC indicates a commitment to its implementation and compliance with the organisation’s by-laws.  The Code of Conduct:

  • Outline standards for labour, health and safety, the environment and business ethics; also outlines the elements of an acceptable system to manage compliance with the Code
  • Businesses firstly must comply with local laws, but are encouraged then to go beyond
  • Provides no ICT specific guidance or direction relating to privacy or freedom of expression.

Guide to Human Rights Impact Assessment and Management

This is a collaboration between the International Business Leaders Forum (IBLF) and International Finance Corporation (IFC), in association with the United Nations Global Compact.  Full details are only available to registered users on the website.  The Guide:

  • Started life as an interactive online tool but is now also available in pdf format
  • Focuses on procedures to assess and respond to human rights risks, rather than suggesting the human rights policy content
  • Establishes an online forum aimed at encouraging businesses to share their experiences and learn from each other
  • Provides guidance on the four elements of human rights due diligence, as advanced in the UN 'Protect, Respect and Remedy' Framework.