What policies, processes, and procedures do companies need to have in place in order to protect the fundamental human rights of freedom of expression and privacy?

This question was central to the first independent assessments of corporate implementation of the Global Network Initiative ("GNI") Principles, conducted this past year and announced on April 18 with the release of GNI's second annual report.

Foley Hoag is very pleased to have been selected as one of the three assessors for this first round of independent assessments, which focused on the three founding GNI companies - Google, Microsoft, and Yahoo!.

At the time of the GNI report's release, Arvind Ganesan, GNI Board Member and Director of Business and Human Rights at Human Rights Watch, observed,

Balancing rights to free expression and privacy with government requests is no easy task for ICT companies. These assessments are an important milestone demonstrating the value of a collaborative, but rigorous approach.

The independent assessments focused on each company's policies, processes, and procedures to protect freedom of expression and privacy rights, with specific focus on the following issues:

Responsible Company Decision-Making

  • Board review, oversight, and leadership - To what extent does the Board of Directors review the impact of the company's operations on freedom of expression and privacy?
  • Human rights impact assessments - How does the company utilize human rights impact assessments to identify circumstances in which freedom of expression and/or privacy rights might be jeopardized?
  • Partners, suppliers, distributors - How does the company seek to ensure that its partners, suppliers, and distributors operate in a manner consistent with the Principles?

Integration into Business Operations

  • Structure - What internal structures help ensure that the company's commitments are integrated into its decision-making and operations?
  • Procedures - What procedures help ensure consistent implementation of corporate policies intended to protect freedom of expression and privacy?
  • Employees - How does the company communicate its commitments to employees?
  • Complaints and assistance - Does the company have grievance procedures to response to employees and other stakeholders can raise concerns about the company's implementation of the GNI Principles?

Freedom of Expression

  • Government demands, laws, and regulations - What policies and procedures guide the company's response to government demands, laws, and regulations that might infringe on users' freedom of expression rights?
  • Communication with users - How does the company communicate with users regarding its policies and procedures for responding to government demands to remove or limit access to content or to restrict communications? How does the company disclose to users when content has been restricted or blocked by the company in response to government restrictions?

Privacy

  • Data collection - How does the company assess the human rights risks associated with the collection, storage, and retention of users' personal information in the jurisdictions in which it operates?
  • Government demands, laws, and regulations - What policies and procedures guide the company's response to government demands, laws, and regulations that might infringe on users' privacy rights?
  • Communication with users - How does the company communicate to users what personal information it collects? How does the company communicate to users its procedures for responding to government demands for users' personal information?

These questions, central to the GNI's implementation guidelines, reflect the fundamental importance of supporting a company's external commitments with strong internal management systems.

Ultimately, there is no "one size fits all" approach to managing these issues responsibly. Each company must assess the specific risks associated with its activities and determine how best to avoid, mitigate, and manage those risks in the context of its own internal structures, its external relationships, and the nature and location of its operations.

The GNI Principles allow for this flexibility. As Susan Morgan, Executive Director of GNI, observed in conjunction with the report's release, "[e]ach company is taking its own approach to implementation and we're starting to see some different examples of how the companies are meeting their commitments."

Through our own involvement in the assessment process, it was clear that each of the three companies involved faced different challenges and that addressing these challenges effectively required approaches that were both specific to each company's internal management systems and guided by commitments to internationally-recognized human rights.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.