Maintaining privacy

This page presents all relevant good practice case studies that showcase how business have addressed the Privacy dilemma. Case studies have been developed in close collaboration with a range of multi-national companies and relevant government, inter-governmental and civil society stakeholders. We also draw on public domain sources, including the UN Global Compact's own published Communications on Progress through which signatories are required to report on their performance against the Ten Principles.

The case studies explore the specific dilemmas and challenges faced by each organisation, good practice actions they have taken to resolve them and the results of such action. We reference challenges as well as achievements and invite you to submit commentary and suggestions through the Forum.

IN-DEPTH (Print seperately) Yahoo! Inc: Internet user privacy issues - China *

Lenovo: Comprehensive privacy policy - India

As an example of a two-layered approach to notifying customers of its privacy policy, Lenovo outlines the key provisions of its privacy policy on an easily accessible webpage while providing the link to its full privacy policy. Key provisions include the scope of application, why personal information is collected, how it is used, what choices consumers have with respect to the collection of their information, as well as contact information and the link to the full privacy notice. Lenovo’s privacy policy applies to Lenovo websites globally and can be accessed through any of their websites. See, for example, Lenovo India:

Gap Inc.: Establishing workers' grievance processes - Lesotho

Gap Inc has established Workers’ Grievance Processes at the local level in Lesotho. While these processes are primarily intended to remedy breaches of the company’s Code of Vendor Conduct – which is being adjusted according to the base code of the Ethical Trading Initiative and the standards of Social Accountability International – complaints relating to issues outside the Code may also be brought against the company which could include privacy breaches. Any worker, group of workers or worker representative in the factories where the mechanism applies may initiate grievance procedures. Grievance processes involve investigation, conciliation, mediation and arbitration. After a factory level process involving supervisors, departmental managers and company managers, the complaint is brought before the Gap Social Responsibility Manager. If the complaint still holds, the Lesotho National Development Corporation functions to try and resolve the conflict before it is brought before the Directorate of Dispute Prevention and Resolution (DDPR). This final procedural step involves conciliation and arbitration.

Google: Tackling government surveillance - Global

In an effort to transparently tackle government surveillance of personal information, Google regularly updates its Transparency Report signalling to users where government requests have been made to Google to provide information about users and remove content. The Transparency Report is a publicly accessible online tool which shows 1) where government requests have been made, and 2) where online traffic has been disrupted the free flow of information. With this tool, Google hopes to “help in ongoing discussions about the appropriate scope and authority of government requests”.

Global Network Initiative: Protecting and advancing privacy in the ICT sector - Global

In response to increasing government pressure to comply with national laws and policies which may conflict with the right to privacy and freedom of expression, companies in the Information and Communications Technology (ICT) sector have partnered under the umbrella of the Global Network Initiative (GNI). GNI is a multi-stakeholder initiative comprising companies, civil society organisations, investors and academics. Current members include Google, Microsoft, Yahoo!, Human Rights Watch, Human Rights First, Committee to Protect Journalists, Electronic Frontier Foundation, Center for Democracy and Technology, Calvert Group, Domini Social Investments, F&C Asset Management and the Berkman Center for Internet and Society at Harvard University. Among other things, GNI aims to address dilemmas companies may be facing including how national security can be balanced with privacy and freedom of expression. GNI provides a framework to help ICT companies respect and protect privacy rights, integrate privacy policies and procedures into corporate culture and decision making and communicate privacy practices with users. The initiative's core principles include privacy, freedom of expression, responsible company decision making, multi-stakeholder collaboration and governance, accountability and transparency. Members commit to an independent assessment process about how GNI principles are integrated within their organisation. Moreover, GNI aims to engage governments and international institutions in policy dialogue and provides shared learning opportunities.

Nokia Siemens Network - Review of sales mechanism to prevent technology misuse - Iran, Global:

In 2009, Nokia Siemens Network (NSN) was exposed to allegations that it delivered "surveillance technology" to MCCI (Mobile Communication Company of Iran). A law suit brought by Isa and Mehdi Saharkhiz against Nokia Siemens Networks was initiated in August 2010 but voluntarily withdrawn by the plaintiffs in November 2010. In response to these allegations of complicity in violations of the right to privacy and for fear of product misuse, NSN divested the monitoring center it had provided to MCCI (Mobile Communication Company of Iran) to implement lawful interception capability. NSN has established a mechanism to review sales to countries without a track record of respecting human rights or with a legacy of corruption. NSN complies with international trade embargos and respects US export control regulation of ICT technology to certain countries. NSN currently refrains from selling its products to Myanmar, North Korea and government-linked customers in Sudan. NSN also refrains from expanding the scope of its business in Iran and will not accept new customers.

Hunton & Williams LLP - Centre for Information Policy Leadership - Global:

In 2001, the law firm Hunton & Williams and leading companies founded the Centre for Information Policy Leadership (CIPL) to develop and encourage responsible information governance. CIPL collaborates with industry leaders, consumer organizations and government representatives in policy development to ensure privacy. CIPL content and research is available to the public and research addresses, among other topics, conflicting legal requirements and government use of private sector data.

Facebook: Improving user privacy – EU

Following a December 2011 report by the Data Protection Commission in Ireland, where Facebook’s non-US business is headquartered, the social network website decided to review a number of its features in the name of heightened user privacy. The company has discontinued its facial-recognition technology for new users in the European Union (EU), with existing users in the region set to receive the same protection by next month, until it can be brought into line with EU guidance. According to the report, Facebook has also made encouraging steps to improve transparency for users by granting them greater control over settings, and easier access to personal data. The company has proven prone to allegations of privacy violations in the past, including having to settle an American class-action lawsuit for US$9.5m after its now defunct ‘Beacon’ feature failed to require user consent for the dissemination of their internet activity.

Amazon: Protecting customer purchase records from government surveillance – US

On 25 October 2010, won a federal lawsuit preventing the North Carolina Department of Revenue (NCDOR) from collecting personally identifiable records detailing purchases from the site of individual customers in the state, for the purpose of a tax audit of the company. According to US District Judge Marsha J. Pechman, the fulfilment of the Department’s request would have amounted to a violation of the First Amendment of the US Constitution, which acts to protect individuals from having the expressive content of the books, music, and audio-visual materials they have purchased, disclosed to the government.

DuckDuckGo: Maintaining a clear and absolute search engine privacy policy – Global

On 8 July 2010, internet search engine DuckDuckGo posted its privacy policy, which, unlike the 4000 and 1800 word documents on the websites of Microsoft and Google respectively, is just 10 words long: “By default, DuckDuckGo does not collect or share personal information”. The majority of the site’s privacy policy page highlights why users should value this approach, pointing out that search engines which do garner such information, use it to deliver more spam and advertisement-filled results, compromising the privacy of its users in the process. The philosophy behind DuckDuckGo’s policy is that transparency helps build user trust, which subsequently attracts more business.

Twitter: Taking extra steps to inform users of government requests for account information – US

In January 2011, following an initially sealed US Department of Justice court order to reveal account information of individuals associated with secret information publisher WikiLeaks, Twitter successfully pushed for the order to be unsealed. This allowed the micro-blogging site to inform the relevant users of the court order’s existence. Had Twitter not taken such action, it would have been obliged to hand over user information to the government without informing the account holders. Twitter stated after event that these actions followed its general policy of user notification in such instances, where legally possible, in order to help protect user rights.

ICT sector: Lobbying governments to reform surveillance practices - US

In December 2013, eight American ICT companies (AOL, Apple, Facebook, Google, LinkedIn, Twitter, Yahoo and Microsoft) urged governments to assess and reform their surveillance laws and practices. The US government has been encouraged to lead this initiative. Internet companies have been targeted by journalists after it was revealed by US National Security Agency (NSA) contractor, Edward Snowden,that the agency was accessing and monitoring the content of the servers of some ICT companies (and the data centres of Yahoo and Google in particular). The ICT companies have asked permission from the US Foreign Intelligence Surveillance Court to disclose some of the government’s requests for user data under the Foreign Intelligence Surveillance Act – an act that will throw transparency on the demands made on them by the US government. In particular, Facebook, AOL, Apple, Google, Microsoft and Yahoo addressed members of the US Committee on the Judiciary, demanding that US surveillance laws and practices be assessed in terms of accountability and oversight. All of these companies have also pledged to challenge court decisions prohibiting or restricting the sharing of such information with their customers. Furthermore, both Google and Yahoo promised to strengthen data encryption from 2014 to offer greater protection of their customers’ data.


Microsoft: Transparent reporting of requests for customer data from law enforcement bodies – US/Global

In March 2014, Microsoft published legal demands for customer data from law enforcement officials around the world. The company published the requests in a dedicated Law Enforcement Requests Report (Report).  The Report – which is updated every six months – sets out:

  • How many requests the company has received
  • How many “accounts or identifies” might be affected
  • How many requests the company complied with
  • Whether the company provided content or non-content data

At this stage, the Report does not include data with respect to national security requests – all though permission has been given to start publishing data around the number of such requests. Microsoft is publishing this data to help “customers understand the clear principles Microsoft follows in responding to legal demands for customer data” and to help “advocates and policymakers better arrive at an appropriate balance between public safety and customer privacy”.

The principles Microsoft applies in responding to legal requests include:

  • The need for a “valid subpoena or legal equivalent” before the company considers releasing a customer’s non-content data
  • The need for a court order or warrant before the company considers releasing a customer’s content data

Vodafone: Publication of a Law Enforcement Disclosure report to support transparency – Global

Vodafone was one of the first telecommunications companies to publish a Law Enforcement Disclosure report, which:

  • Explains Vodafone’s approach to responding to official demands for customer information
  • Analyses the legal rights governments have with respect to customer information
  • Provides statistics (where it is legal to do so and numbers are not already published by the host government) on how many demands the company has received for customer information from law enforcement agencies – on a country-by-country basis

The report covers all 29 of Vodafone’s directly controlled businesses – including joint ventures in Australia, Kenya and Fiji. In a demonstration of transparency, Vodafone has committed to providing this information in its annual Sustainability Report on an ongoing basis. Full details are available at the link below.


Microsoft: Supporting Student Privacy though common set of principles– Global

In October 2014, Microsoft was one of the first 14 companies to support the Student Privacy Pledge developed by the Future of Privacy Forum and the Software & Information Industry Association. The Pledge outlines a common set of principles to protect the privacy of student information. By February 2015, over 100 companies were reported to have signed up.

In 2015, as part of its ongoing efforts to consolidate robust privacy protections, Microsoft became the first major cloud provider to comply with ISO/IEC 27018, the new international standard on cloud privacy published by the International Organization for Standardization (ISO). ISO/IEC 27018 establishes standards for processing personally identifiable information (PII) in a cloud computing environment. For example, new controls prohibit the use of customer data for advertising and marketing purposes without the customer’s express consent.

Cisco: Managing security and privacy risk through Trust and Transparency Center – Global

In 2015, Cisco launched the Trust and Transparency Center online, which is dedicated to providing information, resources and answers to cybersecurity questions and to helping manage security and privacy risk.The Centre includes Cisco’s Trust Principles, which describe their commitment to protect customer, product and company information, and it provides information about security policies and data protection programs. Cisco’s twice yearly transparency report is also published through the Center, providing public information about the requests for customer data Cisco has received from law enforcement agencies around the world. The Center also clarifies Cisco’s principled approach to responding to personal data requests from national and foreign law enforcement or intelligence agencies, which includes, for example requiring a legal warrant and notifying the customer of the request, unless prohibited by law. The launch of the Center illustrates the company’s effort to build trust-based relations regarding cybersecurity with customers, partners, shareholders and employees.



Telecommunications Industry: Dialogue on Freedom of Expression and Privacy - Global

In March 2013, a group of operators and vendors in the telecommunications industry issued a set of guiding principles on freedom of expression and privacy. The companies currently participating in the industry dialogue include Alcatel-Lucent, At&t and Millicom Nokia, Orange, Telefonica, TeliaSonera, Telenor Group and Vodafone. Taking as its baseline the UN Guiding Principles, the Telecommunications Industry Dialogue on Freedom of Expression and Privacy (TID) sets out ten due diligence principles to guide and inform participating companies as they engage with external stakeholders. The TID also provides a mechanism by which telecommunications companies can collaborate to promote and implement their guiding principles. For example, in February 2016, the organisation announced that seven of its members companies would join with the Global Network Initiative (GNI) to promote and advance freedom of expression and privacy around the world. These companies include Millicom, Nokia, Orange, Telefonica, Telenor Group, TeliaSonera and Vodafone. As observers in the first year and then full members, the companies will participate in GNI committees and policy work to share best practice on human rights due diligence and review guidelines that cover the ICT sector.


The Electronic Industry Citizenship Coalition (EICC): Comprehensive Code of Conduct - Global

The Electronic Industry Citizenship Coalition (EICC) includes privacy within its Code of Conduct which went into effect on 1 April 2015. Article 4 on Intellectual Property states, “intellectual property rights are to be respected; transfer of technology and knowhow is to be done in a manner that protects intellectual property rights; and, customer information is to be safeguarded.” Article 8 of the Code’s section on Ethics, states that, “Participants are to commit to protecting the reasonable privacy expectations of personal information of everyone they do business with, including suppliers, customers, consumers and employees. Participants are to comply with privacy and information security laws and regulatory requirements when personal information is collected, stored, processed, transmitted, and shared.” The EICC was founded in 2004 by eight electronics companies, including major electronics brands and large Tier 1 suppliers, for the purpose of creating an industry-wide standard on social, environmental and ethical issues in the electronics supply chain. EICC’s board now includes representatives from Cisco, Hewlett Packard, Celestica Inc., Intel, Philips, Western Digital, Molex, Best Buy, Apple Inc., and EMC. The Senior Executive Advisory Council includes the following companies: AMD, Celestica, Dell, EMC, Hewlett Packard, Intel, Jabil, Logitech, Microsoft, ON Semiconductor, Seagate and Xerox. Now the Coalition has over 100 member companies, employing over 5.5 million people worldwide. Member companies, as well as their Tier 1 suppliers, are required to implement the EICC Code of Conduct and benefit from extensive training opportunities to support this process.

* Taken from: UN Global Compact et al, Human Rights Translated: A Business Reference Guide