Re: Feedback on ICT Draft Sector Guidance for Public Consultation


February 13, 2013

Shift and The Institute for Human Rights and Business Project Team, European Commission Human Rights Sector Guidance Project
Submitted via to

Re: Feedback on ICT Draft Sector Guidance for Public Consultation

Human Rights Watch thanks the European Commission's Directorate-General for Enterprise and Industry for the opportunity to provide written comments on the ICT Draft Sector Guidance for Public Consultation ("Draft ICT Guidance"), as well as to participate in the recent roundtable held in Brussels to discuss this draft.

Human Rights Watch (HRW) is a leading international, independent non-governmental organization committed to monitoring and ending human rights abuses globally. Since its establishment in 1998, our Business and Human Rights Division has investigated situations where business and economic activity have a negative impact on human rights and advocated responsible business practices based on respect for rights. We press governments to hold corporations responsible for abuses accountable. And we work with governments, multilateral institutions, and corporations to set standards for responsible corporate conduct. HRW is also a founding member of the Global Network Initiative, a voluntary, multi-stakeholder initiative for the ICT sector that focuses on freedom of expression and privacy.

We appreciate that the European Commission (EC) wishes to provide concrete input for companies in this sector on how to fully implement the UN Guiding Principles on Business and Human Rights (the Guiding Principles). We are disappointed that the EC does not intend to make any aspect of the guidance binding on companies. To the contrary, the EC's CSR Policy Advisor, Tom Dodd, indicated at the January 31, 2013 Brussels Roundtable that guidance will not be adopted as a political document and instead may be issued with a disclaimer stating that it may not reflect the official view of the Commission.

This represents a missed opportunity: Human Rights Watch believes that the most effective way to ensure respect for human rights online is to include mandatory measures that require companies to act responsibly.

Nevertheless, we share the view that there is some value in further specifying the actions necessary to uphold the corporate responsibility to respect human rights. We note in particular that the project description calls for detailed guidance focused on the corporate responsibility to respect human rights that will also have added value to businesses from other sectors facing similar human rights related issues and that should serve as a reference for businesses for the development of their own human rights policies and processes. In our view, considerable work is needed to revise the Draft ICT Guidance to achieve these aims, notwithstanding the larger issue of whether the EU will require their implementation.

In particular, we wish to highlight three areas for improvement, each of which is briefly elaborated further below, as well as select section-specific comments.

1. Clearer delineation of the sector-specific context and organization by rights implicated
2. Incorporation of objective metrics and existing standards or good practice
3. Improvement of guidance regarding business relationships
4. Section-specific comments

1. Sector-specific context and organization

We recommend organizing the guidance around specific themes/rights impacted to maximize the usefulness of the guidance, an organizational scheme that should be carried out throughout the document, beyond the sector-specific context section. As the Draft ICT Guidance recognizes, the ICT sector is very diverse and each segment of the sector faces a slightly different, though interrelated, set of human rights risks. However, the Draft ICT Guidance does not map the most salient risks to the appropriate parts of the sector with enough specificity. By grouping together a wide range of possible human rights impacts or issues (e-waste, labor, conflict mineral sourcing, freedom of expression, and privacy), no one area receives adequate treatment, reducing the usefulness of the guidance in each section.

Annex B (Activity-Stakeholder Matrix) provides a good starting point for identifying the most salient themes and many of these examples should be brought into the main body of the Guidance as additional case studies.

Specific comments on definitional and terminology issues: A number of terms used in the Draft ICT Guidance are not defined or are not used consistently. For example:

a. "Over the top service providers" (pg. 7) is never defined and could potentially refer to a wide range of online services.

b. "Dual use" (pg. 22) is a term that has specific meaning in national and international regulation, and existing statutory definitions should be referenced or cited. There is also disagreement about what constitutes a legitimate dual use technology.
c. "End use operations" (pg. 7) seems to encompass a much broader set of companies than the other categories and this term does not seem to be used throughout the document.
d. "Network and service providers," a term used throughout the document, is also a very broad term that sweeps in many parts of the sector that may face slightly different risks and may be regulated in very different ways. The document becomes much less practical as guidance when these differences are not identified in the document and when the guidance is not tailored to address those differences.

2. Objective metrics and incorporation of existing standards or good practice

In each section, we recommend providing more objective benchmarks wherever possible, rather than merely posing questions to ask and issues to consider. If the goal is to provide useful and practical guidance to implementers within companies, we are concerned that the issues/questions format does not provide enough objective criteria for a company (or other stakeholder) to assess the company's progress in implementing a human rights policy or in tracking improvements over time.

In addition, we recommend more direct incorporation of existing standards that have already been developed in this sector like those developed by the Global Network Initiative, by reference or more fully in the text itself. However, in specifically recognizing voluntary initiatives in the ICT sector, the Draft ICT Guidance should distinguish tools and guidance developed through meaningful, multistakeholder processes (with multi-stakeholder governance structures) and that are accompanied by an accountability mechanism.

Finally, the Draft ICT Guidance lacks sufficient reference to accountability. The ICT sector is important because ICT companies increasingly provide the tools for public participation and human rights defense, essential enabling tools for the exercise of a wide range of rights. The draft does not acknowledge concepts of ensuring justice for victims or punishing those responsible for violations of rights.

Specific recommendations:

a. While Box 7 on pg provides a good start in providing guidance for how companies should respond to government requests for user data or content restrictions, Box 7 should more directly incorporate guidelines already developed by the Global Network Initiative, including 1) narrowly interpreting and implementing requests; 2) seeking modification where requests are overbroad; 3) challenge requests where possible; and 4) developing clear criteria for when decisions should be escalated within a company. [1]
b. While design, integration, and implementation of human rights policies is key, the Draft ICT Guidance should also emphasize the need to focus on desired outcomes, that is, respect for human rights of those affected. That desired outcome should be a critical indicator in assessing and improving performance of company practices and policies over time.
c. In both the Policy Commitment/Embedding Respect and Due Diligence sections, the Draft ICT Guidance could incorporate concepts of privacy by design, where companies embed privacy considerations in all stages of a product's life cycle (design to disposal). [2] Privacy by design principles have relevance for device and network equipment manufacturers and a wide range of online service providers. For example, the GNI Implementation Guidelines direct participating companies to assess and address the human rights risks associated with the collection, storage, and retention of personal information. [3]
d. In the key point box on pg. 33, guidance on testing the extent of the conflict is vague and could be interpreted as incorporating only the bare minimum of what companies should do to mitigate the possible human rights impact where national law conflicts with international standards. For laws that implicate freedom of expression and privacy, this is a very common scenario and far more specific guidance should be provided, building particularly on guidance provided in Box 7.
In addition, engagement with stakeholders should be considered necessary (not merely "well-advised") in legal environments where conflicts are likely or during periods of heightened risk, for example, during times of unrest, during politically sensitive events like elections, or when there have been significant changes in the political or legal operating environment.

3. Improvement of guidance on business relationships

We recommend more detailed treatment of the risks related to business relationships throughout the Draft ICT Guidance, but especially in the assessing impacts, integrating and acting, and tracking and communications sections. Risks related to business relationships will be more acute for certain parts of the sector, including telecommunications service providers, certain software makers, and device/network equipment manufacturers. The Draft Guidance would benefit from specific case studies or boxes, for example, providing more specific guidance on how to address risks of laws that impose local partnership requirements or where potential partners are partially (or wholly) state owned.

Specific recommendations:

a. The Draft ICT Guidance should be more specific in providing examples of how companies should be exercising due diligence and leverage with their business partnerships and relationships. In section (e) on pg. 15, the guidance states that a policy commitment is critical to communicating a company's expectations of its business partners, but the Guidance never clearly states that companies should be directly exercising their leverage to ensure partners, suppliers, and distributors (and other business relationships) also incorporate and implement the company's human rights policy.
b. In the last bullet point in section C (pg. 16), the Draft ICT Guidance suggests that companies ask whether they have discussed their policy commitment with partners in an appropriate manner. This language articulates a much lower expectation than the rest of the document in its treatment of leverage and due diligence. Additional specific criteria could include, for example, regular assessments of the impact of business relationships in an ongoing way, assessing and seeking modification of contracts over time, and independent monitoring for implementation of human rights policies by partners.
c. In section (e) on pg. 15, the section should also address relationships with distributors and third party vendors, with particular relevance to software, device, and equipment manufacturers.
d. The discussion of complicity throughout the document is unclear and can lead to misunderstandings, such as language on pg. 26 and 47 that suggests that companies have no responsibility with regard to remedies for human rights violations that are directly linked to them through business relationships.

4. Other section-specific comments

a. Policy Commitment and Embedding Respect:
   i. Under Key Considerations on pg. 11, the guidance should emphasize the importance of establishing internal accountability and oversight mechanisms to embedding respect throughout an organization.
   ii. Under section C.3.a. (top of pg. 12), the list of human rights issues for manufacturing companies should also include the rights of privacy and freedom of expression. It is also unclear what is meant by "services companies" in the first bullet point.
b. Integrating and Acting:
   i. On pg. 27, the guidance recognizes that there may be legitimate, legal reasons for government requests. The guidance should be more specific about whether "legitimate and legal" means consistent with international human rights standards on freedom of expression and privacy. A government request may be legal under local law, but inconsistent with human rights standards.
   ii. In Box 7, companies should also establish criteria for when escalation of government requests up the company's decision-making chain should be mandatory.
   iii. Box 9 on intermediary liability does not reflect clear guidance provided by the UN Special Rapporteur on freedom of opinion and expression Frank La Rue in his 2011 report on the Internet: "The Special Rapporteur believes that censorship measures should never be delegated to a private entity, and that no one should be held liable for content on the Internet of which they are not the author. Indeed, no State should use or force intermediaries to undertake censorship on its behalf." [4]
c. Tracking: On pg. 35, the guidance should be more definitive about the importance of stakeholder engagement processes and operational-level grievance mechanisms: these mechanisms do perform important roles, rather than "can" perform.
d. Communicating:
   i. Box 15 should also cover communications with users about when their user data has been or will be disclosed at the request of a government, to the maximum extent allowable under the law.
   ii. Reporting should also include reporting of human rights impact assessments to the maximum extent

e. Grievance mechanisms: In Box 19, the last bullet point should also emphasize the need for communicating to users the outcome of their appeal, as well as the justification for the decision.

##

For more information, please contact Cynthia M. Wong, Senior Researcher on Internet & Human Rights, Human Rights Watch,