This page presents an introduction to and analysis of the dilemma. It does so through the integration of real-world scenarios and case studies, examination of emerging economy contexts and exploration of the specific business risks posed by the dilemma. It also suggests a range of actions that responsible companies can take in order to manage and mitigate those risks.
Challenges in emerging markets
The right to privacy has been increasingly subject to restriction due to government responses to international and domestic terrorist threats. Domestic legislation has extended the reach of governments into the private life of citizens on the grounds of security, law enforcement, and the fight against terrorism, illegal immigration, welfare fraud and even administrative efficiency. Privacy International states that technological advances and the globalisation of information among other things put pressure on the few remaining privacy safeguards.
The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, also raises this concern. He highlights that an erosion of the right to privacy "takes place through the use of surveillance powers and new technologies, which are used without adequate legal safeguards. States have endangered the protection of the right to privacy by not extending pre-existing safeguards in their cooperation with third countries and private actors."
The Special Rapporteur also notes that violations of the right to privacy have an impact on due process rights, the freedom of movement, the freedom of association and the freedom of expression. The right to privacy underpins human dignity and is closely related to the freedom of speech. It is firmly enshrined in the International Bill of Human Rights and, in the view of the Human Rights Committee which monitors the implementation of the International Covenant on Civil and Political Rights (ICCPR), "this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons".
The dilemma for responsible businesses is how companies can refrain from interfering with the right to privacy of employees and business partners when operating in or sourcing from emerging markets that present a high risk environment in terms of corruption, fraud, the liquidity of the business partner, or simply present national legal frameworks infringing upon the right to privacy of those individuals.
Authoritarian regimes are likely to expose companies to adverse impacts on the privacy of individuals. Domestic laws may be discriminatory and may require multinational corporations (MNCs) to share personal information about employees. Governments may rely on security forces and the monitoring of communications in order to track activists.
Companies, particularly in (but not limited to) the IT sector, may be faced with government requests to supply stored personal information for the authorities to use or to provide government agencies with automatic access to stored information. Government monitoring and censorship may not necessarily be made known to the MNC and discovery could result in dilemmas regarding the MNC presence in the country. These requests not only impact the right to privacy, they also affect other human rights, such as when the detection of certain personal information leads to discriminatory consequences. These consequences may include arrests and detentions and other punitive action by the state. MNCs are at risk of complicity in such abuses of human rights, even if they were unaware of the illegal, or indeed legal, activity at the time that it was undertaken.
Furthermore, serious health risks may impact heavily on the workforce in certain regions – for example, with respect to HIV/AIDS in South Africa. While companies have a legitimate interest in assessing health risks to ensure employee safety and productivity, they are faced with important restraints in the name of privacy protection and non-discrimination. For example, the ILO requires that companies do not stigmatise job candidates on the grounds of real or perceived HIV-status and it prohibits the involuntary testing or screening of candidates for HIV.
While these risks persist in developed economies, there generally exist more protections and better security to prevent abuse of privacy in the business environment. The risks are more prevalent in emerging markets, which has prompted companies to apply a higher degree of scrutiny to business partners and employees in unfamiliar environments. Particularly in weak governance zones, companies are faced with a higher risk when forming relationships with employees, business partners and clients that may damage their reputations or implicate them in violations of law or human rights abuses.
According to Privacy International's National Privacy Ranking (2007, the last available data), emerging economies are among the worst offenders in terms of the protection of privacy. Malaysia, Russia, the Philippines and China all ranked in the highest risk category, indicating "endemic surveillance". The level of risk to which companies are exposed through their relations with third parties increases as supply chains are largely international and complex. As important opportunities to engage in business activity are now often in unfamiliar environments such as emerging markets, risks are higher because rules may be different or even unclear, fast evolving and contradictory.
These risks can be minimised and mitigated by conducting strict due diligence on business partners or employees in a way that does not infringe on privacy. These processes may include intensified screening of the individuals concerned, such as background checks offered by a myriad of service providers, as well as the collection and storage of personal information. However, if not undertaken to the highest standards of integrity and legality, these mechanisms of due diligence may impact the right to privacy as protected in a number of domestic laws and international human rights instruments, such as Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights (ICCPR).
Defining the right to privacy
When attempting to demarcate the reach of the right to privacy and define its limitations, businesses may encounter difficulties. Privacy International states that definitions of the right to privacy differ relative to the context and environment and that there is no single definition. According to General Comment No. 16 to Article 17 of the ICCPR, the right to privacy extends to all persons and is to be protected against interferences by state authorities as well as by private entities or individuals.
The right to privacy has many components. While not always mentioned as a separate right, it often materialises in different contexts such as breach of confidence in common law, the right to liberty, freedom of expression and due process, or even as a religious value. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism states that the right to privacy supports other human rights "and forms the basis of any democratic society".
In 2009, the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, presented his report to the Human Rights Council which addresses the right to privacy in the fight against terrorism. It states that the right to privacy has two dimensions which have been expressed in the various human rights instruments, at the universal as well as the regional and domestic levels. Accordingly, the right entails the negative dimension, prohibiting any arbitrary interference with a person's privacy, family, home or correspondence as enshrined in the International Bill of Human Rights. It also contains the positive dimension of everyone having the right to respect for his/her private and family life and his/her home and correspondence as provided for in, for example, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.
The right to privacy is closely linked to human dignity and concerns the inviolability of personal information, the home and communications. Privacy International acknowledges that in many countries the right to privacy has been fused with data protection. Data protection is understood as the management of personal information. Privacy protection can be understood as drawing a line as to how far society can interfere with personal affairs.
The right to privacy is not an absolute right
The right to privacy can be restricted when necessary to protect a legitimate public interest such as public order (e.g. to facilitate criminal investigations, or to protect national security from the threat of terrorism). These restrictions may be implemented only by governments, and not by businesses. Businesses are required to cooperate with the government to meet the requirements posed by state security or other concerns.
In his report on privacy and the fight against terrorism, the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism states that because the right to privacy is not an absolute right, there are situations where "states have the legitimate power to limit the right".
For example, when an individual is investigated or screened by security agents and his/her personal information is shared among different security agencies in their effort to counter terrorism, the right to privacy is infringed upon. While countering terrorism is considered a legitimate public security goal justifying limitations to the right to privacy, interferences with the right need to be critically assessed.
However, countries with weak or restrictive governance systems may unduly use those restrictive permissions to infringe on the right to privacy in the interest of the state. In relation to the human right to privacy, these restrictions may be regarded as illegitimate. Businesses should be aware that the government may go beyond the scope of permitted restrictions and will thus have to exercise heightened due diligence, so as to not become complicit in illegitimate government conduct, e.g. passing on employee information which puts the employee in danger of being unduly prosecuted in violation of international human rights standards.
Unlawful and arbitrary interferences with the right to privacy
In General Comment No. 16 to Article 17 of the ICCPR, the prohibition of "unlawful interference" of the right to privacy means that "no interference can take place except in cases envisaged by the law" and the law itself must comply with all provisions of the ICCPR. "Arbitrary interference" also extends to interferences provided for under domestic law. This provision is to guarantee that all interferences with the right to privacy, as provided for by the law, shall be in accordance with the "provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances."
Further, the comment states in paragraph 10 that "the gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies must be regulated by law". No private information should reach persons not authorised by law to receive those documents. Private information may not be used for purposes which are not in conformity with the ICCPR.
The comment further elaborates that to ensure the "most effective protection of his private life every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files and for what purposes." Individuals should also be able to "ascertain which public authorities or private individuals or bodies control or may control their files".
Permissible limitations
The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, clarifies that limitations to the right to privacy as codified in Article 17 of the ICCPR should pass the permissible limitations test. This test should be applied to measure whether any limitations are legitimate as measured against the scope of the right to privacy. The test is to be applied as follows:
While the right to privacy is a fundamental human right in itself, it also informs and supports other human rights. The principle of non-discrimination and the right to equality may be impacted by violations of the right to privacy. For example, this may occur where the sharing of personal information with governments triggers discrimination on the basis of discriminatory local laws and/or practice.
The right to privacy is closely linked to and may impact the freedom of expression. An example of this is where internet providers share information about dissidents with an authoritarian government and subsequent government action leads to human rights violations.
Further, the freedom of association may be impacted for instance when personal information about trade union affiliation is shared with governments, particularly when the affected individual experiences state-sanctioned discrimination and other human rights violations.
Other human rights which may be impacted include: freedom of thought, conscience and religion; freedom of assembly; the right to physical integrity; the right to liberty and security; the right to equality; and the right to health.
In the case of Köpke v Germany (2010), the European Court of Human Rights (ECtHR) held that covert video surveillance of a supermarket cashier, resulting in her dismissal for theft, did not amount to a breach of Article 8 ECHR (right to privacy), because a fair balance had been struck between (i) the employee's right to respect for her private life, (ii) her employer's interest in the protection of its property rights, and (iii) the public interest in the proper administration of justice. The Court did observe, however, that the competing interests concerned might well be given a different weight in future, in regard to the extent to which intrusions into private life were made possible by new and more sophisticated technologies.
The case came after a number of allegations that retailers, especially discount retailers, had been engaging in excessive surveillance techniques in order to spy on workers' movements and conversations. Pharmaceutical company Schlecker was alleged by Achim Neumann, of service sector union Ver.di, to have ordered store detectives and security staff to use spyholes in walls for hours at a time. Apart from claiming that the surveillance was being used for theft-detection, the company declined to comment on the accusations when approached by newspaper Bild am Sonntag.
Discount supermarket giant Lidl also claimed that supervisors had simply been trying to detect employee misconduct when accused by weekly newspaper Stern. The newspaper claimed it had obtained hundred-page logs of worker activity. The chain later apologised to workers and customers, claiming that store managers had exploited its employee misconduct policy.
In response to incidents such as these, on 25 August 2010, the German government approved a draft law concerning special rules for employee data protection, which covers nine key subject areas: employer internet searches; medical exams; automated data scanning; CCTV; tracking; biometric data; and telephone, internet and email monitoring. Having been reviewed by a number of parliamentary committees, the bill is currently awaiting final settlement. The government is currently reforming this law.
A California lawsuit filed last year against Facebook claims that the 'Sponsored Stories' feature on the social networking website, by which a user's like of a brand's page is subsequently used as an advertisement for the company on the site, including their name and profile photo, is a violation of user privacy. The crux of the claim is that users were not able to opt out of the feature.
As part of a proposed deal to settle the case, Facebook planned to give users more control over their 'likes', and pay $10 million to the plaintiffs, and the same amount again to pro-privacy organisations. However, the presiding US District Judge Richard Seeborg rejected the settlement in August 2012, claiming that the monetary amounts were arbitrary and did not address the damage to the 100 million users who had already been used in the feature.
In August 2013, a US judge of the Northern District of California court approved a settlement of US$15 per Facebook user who submitted a valid claim, in addition to the reimbursement of expenses such as lawyers' fees. In total, the settlement amounts to US$20 million. The case sets a firm precedent for the protection of the right to privacy for users of online social media and networking sites.
Businesses face a range of risks in different scenarios with respect to different relationships with employees, business partners and customers as outlined below.
Employees: Companies bestow the highest degree of trust and responsibility upon their employees. In unfamiliar emerging markets, the collection and processing of employee information may be necessary to avoid corruption in operations and the supply chain. The lack of employee integrity presents a high risk for employers and principals as any act by employees will be attributed to the company via the principal/agent relationship. Any liability resulting from the action of an employee may thus – with limitations – result in principal/employer liability. This warrants control and monitoring of employees to avoid liability or reputational damage.
Domestic legal requirements may infringe upon the right to privacy and even pose the risk of discrimination or other human rights infringements against employees. It is therefore critical that employee screenings are carried out in compliance with privacy requirements and in ways that protect the business from risks of complicity in other human rights infringements, such as discrimination either by the company or the government.
Emerging markets present higher risks to the health and safety of employees than developed economies. Interruptions to production caused by accidents, together with declining workforce morale as a result of poor working conditions, may have a detrimental impact on productivity. Hence, workplace monitoring and other measures to ensure health and safety as well as productivity may be warranted.
For example, Rio Tinto was faced with employee corruption allegations in China in 2009 when four of its Chinese employees were arrested. According to a Rio Tinto media release, the grounds of arrest related to:
The company supported its employees until they were proven guilty. In January 2010, the four Chinese employees were convicted and sentenced to between seven and 14 years in prison, and Rio Tinto fired the employees. All wrongdoings were said to have taken place outside the company system and the evidence of corruption was convincing.
Controversies remain about a lack of transparency, as the part of the trial covering commercial secrets was held behind closed doors. Thus the actual legal framework and requirements pertaining to such secrets remain unclear. In its verdict, the court said the four Rio Tinto employees helped obtain information from confidential strategy meetings of the China Iron and Steel Association (CISA).
Business partners and suppliers: MNCs have an inherent interest in working with local business partners who are familiar with the language, culture and local business environment. Sometimes, national laws require foreign MNCs to operate in partnership with local organisations or individuals.
Relationships with business partners present an inherent risk. Both the company and its business partners act in their own interests, so the company will need to take appropriate precautions to protect its interests and assets. As a prudent company expects business partners to act in their own interest, this element is factored into the relationship and companies will apply increased awareness and caution. However, increased scrutiny in background checks and screenings (particularly in an environment perceived to be corrupt and with high volatility with respect to business relations and viability) may impact the right to privacy of the business partner.
Joint venture partners: Joint venture partners are often chosen for their local knowledge and expertise regarding the common project. In some countries in the Middle East, MNCs are required to work with local joint venture partners. The risk in a joint venture is that the local business partner acts in self-interest on behalf of the joint venture, possibly involving corruption or nepotism. MNCs thus have an interest in protecting themselves from those threats by implementing background checks on sources of capital, ownership, political connections and the status of the company, but they have to ensure that the privacy of joint venture partners is protected.
Customers, clients, users: The privacy of customers and users needs to be protected and, in an environment where privacy protection becomes increasingly important, businesses have to be aware of their responsibility to protect customers or users of their products, such as internet, telecom or email service users. Some governments in emerging markets have been known to infringe on the privacy rights of individuals, and domestic laws may require companies to provide personal information. Additionally, customers may misuse products, such as surveillance or interception technologies, to infringe upon the right to privacy of individuals, and the company may risk complicity.
Emerging markets often present a high risk environment for corruption. Corruption "impedes economic growth, distorts competition and represents serious legal and reputational risks". Particularly in corrupt environments, companies need to protect their legal, ethical and commercial business interests and assets in order to ensure sustainable business operations and the provision of products and services while preserving their competitiveness.
Emerging markets present a high risk that employees of the company or its suppliers become involved in corruption and nepotism. Corruption in the world's emerging economies, where judicial effectiveness is impaired, rule of law is poor, poverty is endemic and cost of living increases are volatile, is generally more pervasive than in established Western markets (although it has been shown by Transparency International in its Global Corruption Barometer 2013 to be a challenge everywhere).
Companies operating in a corrupt business environment face a "double" dilemma: they have to ensure that they are not implicated in corruption by employees or business partners in accordance with the UN Global Compact (UNGC) Tenth Principle on Anti-Corruption by applying a high standard of due diligence, yet they have to guarantee respect for the human right to privacy in accordance with their responsibility, as set out in UNGC Principles 1 and 2.
The dilemma outlines a classic crux for responsible businesses. On the one hand, they are answerable to shareholders in relation to their primary goal of acting in their best interest, thus maximising profits and making good business decisions, which is why business needs to protect its interests and assets, i.e. by exercising anti-corruption due diligence. On the other hand, shareholders and stakeholders alike require the business to act ethically and, of course, within the limits of law, and expect them to exercise appropriate due diligence with respect to privacy. Both strands fall under the companies' duties within their responsibility to respect human rights including the responsibility to conduct human rights due diligence but present conflicting goals deserving protection.
The far-reaching international and domestic legal frameworks for anti-corruption measures expose businesses to significant legal risks and require them to apply adequate due diligence mechanisms, including screening and background checks. Company and supplier due diligence mechanisms may involve monitoring employees and acquiring and storing confidential information.
However, companies face a myriad of challenges: while ensuring integrity may be easier with respect to the company's own operations, this may not be the case for modern international supply chains which are often complex, extensive and obscure in emerging markets. Different relationships with employees, suppliers, and business and joint venture partners warrant different approaches to ensure integrity.
Stringent pre-screening and ongoing monitoring of employees may thus be advisable for companies in their endeavour to fight corruption and nepotism in operations and supply chains. Responsible businesses will have to assure that their monitoring and screening techniques are warranted and do not infringe on the right to privacy of the employees.
Businesses are at a high risk of becoming complicit in corruption via their suppliers or business partners in emerging markets. Confidential investigations may enable the company to find out about associations of the business partner and reveal whether the agent is trustworthy and reliable.
Frequently, possible joint venture partners will have local government connections. Even though they are important, these connections present a risk where government corruption is endemic. Unknown criminal interests of joint venture partners directly pose a hazard.
Integrity Due Diligence aims to provide red flags so businesses can tackle the risk of corruption in their operations and supply chains. It seeks to identify as much information as possible about prospective business partners or any third party which the company intends to collaborate with. It covers the third party's interests, reputation, activities, associations, track record and motives and involves the acquisition of publicly accessible information as well as information gained through external consultancies or confidential field work.
Additionally, companies implementing whistle-blowing mechanisms may be exposed to challenges when exchanging information across different jurisdictions as privacy laws vary significantly.
Carrying out Integrity Due Diligence may protect companies against criticism should liability arise despite such investigations. However, companies have to be aware of the implications these mechanisms may have for the right to privacy in order to mitigate the risk of complicity.
Acquiring and storing personal employee data may impact on the right to privacy of employees in a number of situations, particularly in emerging economies where domestic laws are in conflict with the international law on the protection of privacy. For example, in emerging economies with authoritarian governance structures, the right to privacy may be infringed upon when companies share employee information with the government. In some economies, this can result in discrimination against the employee, maybe even involving punitive action and human rights violations. In this scenario, infringing on the right to privacy has repercussions which may affect other human rights and thus presents an especially sensitive issue.
According to Privacy International's National Privacy Ranking, emerging economies are among the countries with the worst records in terms of governments obtaining access to personal data. These include China, India, Russia, the Philippines and Thailand. Businesses have to be particularly vigilant when obtaining sensitive data from employees. The characterisation of data as sensitive may vary from country to country. Companies should be aware of the different degrees of sensitivity in different market environments.
According to the UN Guidelines for the Regulation of Computerized Personal Data Files, data which may give rise to unlawful or arbitrary discrimination should not be compiled. This includes information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs and membership of an association or trade union. Exceptions have to conform to the International Bill of Human Rights and other relevant instruments protecting human rights and the principle of non-discrimination.
The ILO practice code on the protection of workers' personal data allows the collection of employee information on sex life, political, religious or other beliefs and criminal convictions only in exceptional circumstances. Data on trade union affiliation should generally not be collected unless in accordance with law or a collective agreement. Medical data should be collected only if required by law and only in cases directly related to the employee's protection while working.
Examples include:
Information on family planning: For example, in China, the one-child policy prohibits citizens from having more than one child. The policy is enforced through forced abortions and sterilisation and increases the risk of affected individuals being exposed to human rights violations such as arbitrary detention. The policy also increases the risk of trafficking. When a company collects this information supplied by employees on the number of children, the company risks complicity in those violations once passing on such information to state authorities, even if required by domestic law.
Only recently, a trade unionist claimed to have been denied work on a construction site based on a blacklist detailing his union membership in the UK and sued Balfour Beatty. While the company won the case, lawyers representing a group of around 40 other workers have prepared a class action suit against a number of firms in the construction industry that may have been implicated in similar activities.
HIV/AIDS: Companies operating in or sourcing from emerging markets with high rates of HIV/AIDS or other serious diseases may face heightened risks with respect to health and safety, productivity and high employee turnover.
The global nature of the challenge means it is likely that most multi-national companies will be impacted by HIV/AIDS. Aside from the impact HIV/AIDS is having on local consumer bases and the communities in which companies operate, the most direct impact is upon the workforce and those young adults (19-35 years) who are most mobile – from new employees to senior managers.
According to the International Labour Organization (ILO), as many as 36 million of the 39 million people living with HIV are engaged in some form of productive activity. Particularly in the countries of sub-Saharan Africa, such as South Africa, Swaziland, Botswana, Lesotho, Zambia and Zimbabwe, the prevalence of HIV/AIDS is extremely high.
Examples of business sectors at high risk of being affected by the disease include logistics and transportation, mining, manufacturing, building and construction, as well as agribusiness. The workforce will be impacted by the disease in a number of emerging markets and it will be necessary for the company to tackle risks associated with the disease which impact on the workforce and productivity while ensuring that the privacy of employees is respected.
The ILO Recommendation concerning HIV and AIDS and the World of Work adopted by the International Labour Conference addresses HIV/AIDS in the workplace. It concerns all workers and all sectors of economic activity both public and private and formal and informal. According to Section III, "workers, their families and their dependants should enjoy protection of their privacy, including confidentiality related to HIV and AIDS, in particular with regard to their own HIV status." The Recommendation specifically prohibits the involuntary testing or screening of job candidates for HIV and also the stigmatisation of workers, job seekers and applicants on the grounds of real or perceived HIV-status.
General Health and Safety in the Workplace: The monitoring of factories may also be warranted in order to maintain sound health and safety protection for workers. For example, accidents in the workplace may be better assessed and investigated. Maintaining productivity may be another aim of monitoring employees. If there appears to be a problem among the workforce related to alcohol or drug misuse, monitoring may help to assess and prevent such incidents, as well as to support the employee and assist with rehabilitation.
To these ends, companies or suppliers operating in emerging markets may install CCTV in the workplace in addition to monitoring correspondence, and private investigators may be engaged by the company to look into such situations. However, the company needs to ensure that monitoring employees for the purpose of health and safety protection does not amount to an infringement of the right to privacy.
Businesses have a strong interest in protecting their assets, products, trademarks and copyrights. They may operate in an environment where the theft and illegal sale of property, including intellectual property, poses a risk. In this case, companies should protect their commercial assets by running background checks on their employees and clients. At the same time, however, they will have to ensure that the privacy rights of those individuals are protected.
A high risk of employee theft exists for high value products such as diamonds. For example, Namgem, a cutting and polishing unit run by a joint venture between the Namibian government and De Beers in Namibia, reported that a large number of diamonds worth US$2.6 million had been stolen from the factory safe in September 2010. Several news outlets reported that the theft was believed to be an inside job, as there were no signs of a break-in. One report states that thefts in this particular De Beers unit appeared to have happened on a number of occasions.
According to Deloitte's Innovation in Emerging Markets report, one of the main threats for manufacturers operating in emerging markets is intellectual property theft: "Companies run the danger of having their trade secrets, or even entire products, copied by competitors." In the Axendia survey published by PwC, Achieving Global Supply Chain Visibility, Control & Collaboration in Life Sciences: Business Imperative, Regulatory Necessity, a large number of industry executives stated that manufacturing and sourcing from emerging markets such as China, India, Brazil and Mexico involved a high risk of counterfeiting (44% of industry executives) and illegal product diversion (35% of industry executives).
Moreover, governments in emerging markets pose a risk of intellectual property theft. A Financial Times article states that the US Secretary of Commerce warned that China's weak intellectual property protections and selective application of the law hinder foreign investment in the country, despite efforts to reassure investors that their technology is safe. The article highlights the case of UK-based petrochemical producer Ineos, which is pursuing a lawsuit against its joint venture partner, Sinopec, China's largest oil refiner. According to the report, Ineos alleges that "Sinopec replicated its process in a new petrochemical complex without paying license fees."
Google claims to have faced intellectual property theft, according to a statement from 2010. Google reported that it detected a highly sophisticated cyber attack in December 2009 which resulted in intellectual property theft. Google's investigations showed that twenty additional companies, spanning the internet, finance, technology, media and chemical sectors, had been targeted. The attack also included attempts to access the accounts of Chinese human rights activists. Google also reported that accounts of advocates for human rights in China had been routinely accessed by third parties.
Businesses have to apply a heightened standard of due diligence to protect their property through intensified screenings, background checks and monitoring of employees as well as business partners. Companies will thus face the dilemma of having to ensure the right to privacy of their employees and business partners while attempting to adequately and diligently scrutinise these individuals.
Emerging markets may present volatile business environments and business partners may face challenges fulfilling the obligations as set out in the contract with the MNC. The Center for International Private Enterprise (CIPE) highlights that companies should not only be aware of reputational damage caused by being implicated in corruption, but also of the costs of unreliability. Businesses "should be aware if their suppliers are near bankruptcy or whether they'll be in business long enough to complete the contract." The paper points out that ultimately, "companies are answerable to both shareholders and courts for their business and compliance decisions."
While the financial viability of a business partner should be picked up by any due diligence process pertaining to the business partner, the risk of defaulting on a contract when engaging with a business partner in an environment prone to economic insecurities may be higher and harder to detect. Accordingly, this warrants a higher degree of scrutiny of business partners which may impact on the privacy of business partners. Companies have to ensure that integrity due diligence to mitigate the risk of business partners defaulting on a contract is carried out with the necessary respect for the right to privacy of the business partner.
Emerging market business environments often pose a risk of volatility with respect to the viability of local businesses. MNCs are often unfamiliar with local business partners and may therefore wish to apply a higher threshold of scrutiny in order to protect their assets and to be sure that business partners will be able to fulfil their contractual obligations and avoid bankruptcy.
"Know your customer" (KYC) programmes are employed by banks, financial institutions and regulated companies to monitor the identities and backgrounds of their customers. For example, the shift in investment banking toward developing countries and often unfamiliar emerging markets exposes banks to a higher risk environment in terms of financial crime, money laundering and the financing of terrorist activities, particularly in countries or regions known to be exposed to a high level of corruption, trafficking, terrorism or other crimes. Many business sectors may be implicated, including the legal profession, real estate, accounting, trusts, precious metals and stones, casinos, money services and insurance.
The UN Office on Drugs and Crime estimates that US$2 trillion is laundered every year by drug dealers, arms traffickers and other criminals. The report states that growing regulatory expectations and rapid changes in the financial services industry make combating money laundering a major challenge for the banking sector. The internationalisation of the banking sector has triggered an array of initiatives and regulation. For example, the IMF has intensified its efforts in the area and includes Offshore Financial Centres (OFCs) in its assessments. The US Patriot Act extraterritorially extends US standards to foreign economies in order to prevent money laundering and the financing of terrorist activities. The Basel II Standard put forward by the Basel Committee on Banking Supervision requires banks to collect and share large amounts of data, which may include customer data protected by data protection legislation. The standards developed by the intergovernmental Financial Action Task Force (FATF), the financial services industry standards of the Wolfsberg Group and legislation at the national and supranational level, such as the International Convention for the Suppression of the Financing of Terrorism and the EU Third Money Laundering Directive, put pressure on banks to exercise rigorous due diligence to avoid becoming implicated in money laundering.
The KPMG 2014 Global Anti-Money Laundering Survey notes that an increasing trend toward regulation has transformed anti-money laundering compliance into a complex issue cutting across legal, risk, operations and tax. KPMG notes that minimum compliance with due diligence is no longer sufficient to protect companies.
Banks have to ensure that they are free of any money-laundering activity and have to engage in heightened scrutiny of customers. At the same time, they must observe their responsibility to respect human rights (including the right to privacy) and to comply with domestic privacy laws. Particularly with an increased regulatory and industry focus on so-called politically exposed persons (PEPs), the implementation of such programmes may result in infringements on privacy including domestic data protection laws.
For example, Swiss banks were said to have broken privacy laws by letting the transaction company SWIFT (Society for Worldwide Interbank Financial Telecommunications) pass on customer information to US authorities without informing customers about the data transfer. SWIFT conducts transfers worth $6 trillion per day between 7,800 financial organisations. According to the report, the Belgian Data Privacy Commission stated that it "must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law. In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection."
Products sold by a company may be misused by customers that engage in human rights abuses. In order to avoid the risk of complicity in such abuses, companies may wish to run checks so as to ensure that their products will not be used in this context.
Businesses operating in the field of surveillance technologies face a particular risk that their products will be misused by governments to facilitate the identification and arrest of political, religious and human rights activists, impacting on the right to privacy of those affected.
Business sectors that may be prone to risk of complicity in product misuse include, for example, the health and technology sectors, the information communications technologies sector, as well as chemical and fertiliser companies and businesses in the transportation equipment sector.
In these scenarios, companies can be implicated in impacting on the right to privacy in two ways. On the one hand, they have to screen buyers, thus having to be cautious to not infringe on the right to privacy of the buyers. On the other hand, the buyer may negatively impact on the right to privacy of individuals by misuse of the products purchased from the company. An example of this is where companies sell surveillance equipment or telecommunications equipment enabling communication interception.
As part of domestic efforts to regulate the Internet, service providers are often asked to provide personal user information to governments. In some emerging markets, such as China and Iran, governments have a record of using this information to spy on citizens often resulting in punitive action against the citizen. Internet and communication companies operating in environments where freedom of speech is restricted usually find themselves in an exposed position, particularly in times of protest against the government. A heightened level of awareness is thus expected from such companies to avoid complicity in privacy violations which often lead to further human rights violations.
Telecom companies and internet providers are particularly at risk when operating in environments where monitoring and surveillance of citizens by state authorities is used to locate and subsequently silence dissidents. The abuse of the right to privacy of communication then leads to further rights violations, such as violations of the freedoms of speech, association and assembly. Privacy International reports that internet providers and telecommunications companies are often required by law to retain and store user information.
Iranian cybercrime laws require companies to store all data sent or received by internet company customers. According to the Freedom on the Net report issued by Freedom House, Iran is currently investing in building the national information network, called SHOMA. While this investment will increase the efficiency of internet services, Freedom House also notes that it will enable the authorities to better control the flow of internet traffic within Iran.
India is currently revising its encryption policy, following criticism by civil society that the existing draft would increase user and business vulnerability to data breaches and cyber-crime. In September 2015, the Indian government withdrew the draft policy on encryption because it required users and businesses to store encrypted data as plain text for 90 days and to make it available to security agencies if necessary. The policy would have included social media messaging services within its scope.
Egypt requires traffic from all internet providers to pass through the state-run Egypt Telecom, and the authorities regularly detain bloggers. Egypt thus ranks among the Committee to Protect Journalists' 10 Worst Countries to be a Blogger, alongside Myanmar, Iran, Syria, Cuba, Saudi Arabia, Vietnam, Tunisia, China and Turkmenistan. Egypt's government has developed a sophisticated system for monitoring internet and mobile phone usage, which it has used to curb opposition and dissent. Voice over internet protocol (VoIP) providers such as Skype, and social media sites such as Twitter and Facebook, are regularly interfered with or disabled.
China extensively censors and monitors internet activity. The government expects internet service providers to filter searches and monitor email traffic. The Committee to Protect Journalists reports that 44 journalists and bloggers were in jail in China in 2014, which constitutes 19% of all journalists in prison in the world. A November 2015 amendment to the country's criminal code may increase the risk of association with violations of freedom of expression, as it permits the arrest of journalists and bloggers on grounds of spreading false news about disasters or epidemics, or causing serious social disorder.
The internet is heavily censored and restricted in Myanmar and the Burmese government monitors emails and other communication methods. The October 2013 Telecommunications Law, which established a foundation for the privatisation of the industry, also reduced, but did not abolish, prison terms for online activity. Although state censorship of media was officially lifted in 2012, the authorities continue to exert pressure on media outlets or journalists publishing content deemed sensitive, for example, content referencing human rights or corruption allegations. According to the Committee to Protect Journalists, Myanmar remains in the top-ten most censored countries in the world and there are currently 10 journalists and bloggers in prison on charges of anti-state activities.
In Turkmenistan, the state-owned internet service provider monitors email accounts.
In Saudi Arabia, online writers may face harsh punishments, including flogging and detention, when publishing texts deemed heretical according to a fatwa issued in September 2008. Social media is heavily monitored and non-violent liberal dissidents are prosecuted for statements made online. In 2015, the Ministry of Culture and Information issued new regulations for online news media, which included strict criteria for the qualifications of editors and licensing requirements. The country was deemed one of the top ten most censored countries in the world in 2014, according to the Committee to Protect Journalists.
In addition, the violation of the right to privacy by government activities poses a risk to company sales. For example, according to the Open Net Initiative's (ONI) report "Access Controlled", the Syrian Interior Ministry and the Syrian Telecommunications Institution have banned the sale of cell phones that have GPS and have WAP services that are not being properly monitored by the service providers. Mobile phone stores were instructed not to sell certain models. Businesses face the dilemma of losing business when not abiding by domestic laws and regulation which is known to infringe on the privacy of citizens.
For example, Google experienced a substantial cyber-attack aimed at accessing accounts of Chinese human rights activists and international advocates for human rights in China on a continuous basis, according to a statement made in 2010. Google reports that access to the accounts had not been made possible by a security breach on the part of Google, but probably via software placed on the users' computers. According to US government reports, the Chinese government is leading a number of such attacks in order to infringe on US interests.
The right to privacy may be abused in situations where companies should or wish to apply a heightened standard of due diligence involving the scrutiny of employees, business partners or customers, or where the government requires the MNC to make available personal information about employees, business partners or customers.
According to Privacy International, privacy comprises four different aspects:
These aspects of privacy can be infringed in various ways:
In October 2015, the European Court of Justice ruled that the European Commission's transatlantic Safe Harbour agreement is invalid and cannot replace the supervisory powers of national authorities. The Safe Harbour Agreement permitted US companies to use a single standard for consumer privacy and data storage in the US as well as in the EU. However, differing regulations in the US and the EU meant that European data stored in the US might be subject to a degree of surveillance which is considered illegal in the EU. The Court's ruling followed an appeal associated with the case brought by privacy advocate Max Schrems against Facebook. Schrems had alleged that Facebook violated his privacy by transferring his data to the US, where it may have been subject to surveillance.
In 2014, Microsoft was required by the Thai authorities to assist in the investigation of an email account alleged to have been used to distribute false information that negatively impacted Thailand's stock exchange. The user information and IP address supplied to the authorities were used in the trial of Katha Pachachirayapong in March 2014, who was accused of spreading rumours about the ill-health of Thailand's King. Katha was charged under the Computer Crime Act – a law that bans internet users from posting any false information online – and he was sentenced to two years and eight months in prison. Microsoft stated that they conducted due diligence of the information request, when originally received in 2009, but were not informed that it was part of a lese majeste case (a case involving an offence against the monarch). The case illustrates the risks companies encounter when operating in countries where national laws require the sharing of user information with authorities conducting prosecutions in an undemocratic context.
In a high risk environment for privacy violations such as Iran, companies may face the risk of misuse of products designed to intercept communications or facilitate surveillance. In 2009, Nokia Siemens Network (NSN) sold telecom technology enabling "lawful interception" for the purpose of law enforcement to the Iranian government-owned telecom company Irantelecom.
In 2010, detained Iranian journalist Isa Saharkhiz and his son filed a lawsuit in Virginia against NSN for damages suffered after their 2009 arrest. Saharkhiz argued that he was arrested and detained after Iranian authorities tracked him using the technology sold to Irantelecom. NSN responded with a statement condemning the human rights violations suffered by Saharkhiz and his son but denied its responsibility. The lawsuit was later dropped, but the action was widely publicised by media and activist groups.
While NSN only provided the "lawful intercept" technology to be used in accordance with Iranian laws for law enforcement purposes, those laws may enable governments to infringe on the right to privacy, creating the risk of corporate complicity in privacy violations. It is also alarming that in the aftermath of post-election protests in 2009, a company affiliated with the Islamic Revolutionary Guards has moved to acquire a majority share in Iran's telecommunications monopoly.
NSN has divested from the monitoring centre in Iran and, according to its own statement, is no longer involved with it apart from some technical contractual links. In the meantime, the company has made notable efforts to address the accusations in a transparent manner.
The first lawsuit alleging breach of privacy rights was brought against Yahoo in a US federal court under the Alien Tort Claims Act (ATCA) by the World Organization for Human Rights USA on behalf of several Chinese dissidents. It was alleged that Yahoo had shared information with the Chinese government which subsequently led to the arrest and detention of several Chinese journalists and dissidents, impacting not only the right to privacy but also the right to freedom of speech.
One of the detained journalists, Shi Tao, was convicted of disclosing "state secrets" – a term very broadly defined by the Chinese government – after posting online a Chinese government order forbidding the media to report on the Tiananmen Square massacre. Another journalist, Wang Xiaoning, was allegedly tortured while in detention after Yahoo supposedly provided Chinese police with information linking him to postings on Yahoo sites which then led to his prosecution on the grounds of "subversion of state power" and "sharing of state secrets".
A congressional hearing required representatives of Cisco, Google, Microsoft and Yahoo to report on their collaboration with the Chinese government. Yahoo representatives apologised for misleading Congress about the company's role in the case. After initial attempts to have the case dismissed, Yahoo agreed to settle the lawsuit. While details were not made public, Yahoo agreed to cover the plaintiffs' legal costs and to set up a fund to support political dissidents. In 2008, Yahoo Chief Executive Jerry Yang appealed to Condoleezza Rice, before she was set to meet with Chinese government officials, to help get the detained dissident journalists out of prison. Wang Xiaoning was freed in August 2012 and Shi Tao a year later.
A second lawsuit was filed in February 2008 alleging that information provided by Yahoo to the Chinese authorities led to the detention of a Chinese dissident and the prosecution by Chinese authorities of another. The claims based on international law included torture, prolonged detention, intentional infliction of emotional distress, false imprisonment and assault.
Businesses are faced with a range of legal risks. The current international legal framework is complex and governed by many different regimes. While the International Bill of Human Rights embraces the protection of privacy as a fundamental human right, various other international instruments lay the groundwork for the implementation of the right to privacy and provide for specific privacy principles.
The majority of states protect privacy as a constitutional matter and have some form of privacy and data protection law in place. Hence, lawsuits to remedy violations and abuses of the right are likely. Additionally, some privacy protection laws have extraterritorial reach.
With privacy protection featuring prominently as an international concern in the age of globalised data-flows and business operations, together with intergovernmental and supranational cooperation on global security and other matters, a trend toward harmonising privacy protection on a universal level is visible.
Businesses are currently faced with a myriad of legal obligations on the domestic and international levels and have to master different legal risks to be able to fulfil their responsibility to respect human rights. Enhanced privacy protection regulation is to be expected on the international level in the near future, so businesses should be prepared to cope with heightened demands for privacy protection. Companies can face lawsuits or may be asked to participate in alternative dispute resolution to resolve privacy breaches.
The risk of complicity in other human rights violations is high when the right to privacy has been abused. The right to privacy is closely linked to human dignity and as such relates to many other human rights, including freedom of speech, freedom of conscience and religion, freedom of association, freedom of assembly, the right to physical integrity, the right to liberty and security, the right to equality, the principle of non-discrimination and the right to health.
International Bill of Human Rights and other UN instruments
The right to privacy, as protected under the international legal framework in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights (ICCPR), stipulates that no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, or to unlawful attacks on his honour or reputation. Article 17 ICCPR additionally sets forth that everyone has the right to the protection of the law against such interference or attacks. Furthermore, the International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families reiterates the right to privacy for migrant workers and their families in its Article 14, and the UN Convention on the Rights of the Child protects the privacy of children in Article 16.
UN Guidelines for the Regulation of Computerized Personal Data Files
The UN Guidelines were adopted by a General Assembly resolution. As such, the Guidelines are non-binding on UN member states. However, the Guidelines can be seen as recording the minimum of privacy requirements consented to by the UN General Assembly comprising all 192 members of the UN. They require states to implement principles into domestic legislation to protect computerized personal data files.
ILO code of practice on the protection of workers' personal data
The 1997 ILO code of practice on the protection of workers' personal data provides guidance as to how best to protect employees' personal data in the form of a non-binding recommendation. It is specifically designed to guide not only legislation but also work rules and addresses the public and the private sector.
ILO Recommendation concerning HIV/AIDS and the World of Work
The 2010 ILO Recommendation concerning HIV/AIDS and the World of Work further elaborates on the principles established in the 2001 ILO code of practice on HIV/AIDS and the world of work, including the protection of the privacy of employees affected by HIV/AIDS. As a general principle, Title III of the ILO Recommendation requires that "workers, their families and their dependants should enjoy protection of their privacy, including confidentiality related to HIV and AIDS, in particular with regard to their own HIV status." Additionally, no workers should be required to undergo testing or disclose their HIV status.
A specialised section on testing explains in further detail that testing is to be voluntary and confidential and requires consent and counselling. No requirement should be made to test workers. Any test results should be confidential and workers should not be required to disclose any HIV status. The ILO Recommendation additionally requires that adequate procedures are in place to remedy any violations of these provisions.
The OECD Guidelines on the Protection of Privacy
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data address member countries of the OECD. The Guidelines are concerned with balancing the need for privacy protection and ensuring a free flow of information across borders. They are based on basic principles governing the application in national jurisdictions and on the international level. On the international level, OECD members should abide by principles assuring the free flow of information and adhere to legitimate restrictions.
In June 2007, member governments of the OECD adopted the Recommendation of the Council on Cross-border Cooperation in the Enforcement of Law Protecting Privacy. The recommendation asks member states to foster the establishment of an "informal network of Privacy Enforcement Authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement cooperation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns".
In 2009, the Global Privacy Enforcement Network (GPEN) was set up by 13 OECD member states' privacy enforcement agencies to facilitate cross-border privacy enforcement cooperation. The network aims to share information, trends and experiences about privacy enforcement, provide for training, and engage in dialogue with the private sector.
The APEC Privacy Framework
Similarly, adapting to the requirements of the OECD Guidelines, APEC member countries have adopted the APEC Privacy Framework setting out the APEC information privacy principles to ensure the free flow of information across borders while ensuring privacy protection. The principles apply to personal information controllers in the public and private sectors alike. The focus is on such aspects of privacy protection which are most important to international trade.
Similar to the OECD initiatives, the APEC Privacy Framework is implemented by a number of initiatives. The APEC Data Privacy Pathfinder commits states to work together to ensure the accountable cross-border flows of data. The Data Privacy Individual Action Plan provides information about the status of implementation of the APEC Privacy Framework in APEC economies. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to facilitate information sharing among the relevant authorities, ensure effective cross-border cooperation and encourage information sharing and cooperation on privacy investigation and enforcement with authorities outside APEC.
The European Privacy Protection Framework
Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms protects the right to privacy in member states of the Council of Europe. It states that there should be no interference with the right to respect for private and family life, home and correspondence, "except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".
The 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first binding international instrument to protect individuals against abuses which may result from the collection and processing of personal data. The 1989 Council of Europe Recommendation on the protection of personal data used for employment purposes comprises all data principles as outlined below to be addressed by domestic legislation of Council of Europe member states. A proposal to modernise and amend the Recommendation takes into account changes in the world of work, including the international dimension of work generally with personal data being handled across continents.
Similarly, the EU 1995 Data Protection Directive is currently under review by the European Commission with a view to modernising and improving the EU data protection system. It applies to data processed by automated means and to traditional paper files, with the aim of protecting the rights and freedoms of persons. The Directive asks member states to make their laws applicable to data controllers situated outside the European Union that use equipment situated on the territory of a member state.
In the process of developing an updated privacy protection framework, the European Commission and the Article 29 Data Protection Working Party proposed that the responsibility of data controllers including private businesses should be enhanced by the requirement to conduct privacy impact assessments. The proposed comprehensive approach on personal data protection in the European Union specifically aims to tackle new challenges posed with respect to the privacy of individuals including the need to take into account data transfers outside the EU and calls for the promotion of universally applicable privacy principles.
The US-EU and US-Swiss Safe Harbor Frameworks
Based on the abovementioned European Commission Directive on Data Protection and the application of the principle of "adequacy" in relation to personal data transfer between the EU and non-EU countries, the US Department of Commerce in consultation with the European Commission developed the "Safe Harbor" privacy protection framework. It serves to bridge the different privacy frameworks and to streamline compliance with the EU Directive for US organisations. A similar framework has been developed with Switzerland.
US companies and other organisations under the jurisdiction of the Federal Trade Commission (FTC) can join the Safe Harbor Framework based on a self-certification scheme. Enforcement of the framework will be carried out in accordance with US laws. Companies participating in the framework are expected to have in place a dispute resolution system in addition to verification and remedy requirements. The persistent failure to comply with the Safe Harbor privacy principles may be considered deceptive and actionable under the Federal Trade Commission Act. Civil penalties in this case may amount to $12,000 daily. In 2009, the US Federal Trade Commission initiated proceedings against six organisations which falsely claimed membership of the EU-US Safe Harbor framework.
Safe Harbor incorporates seven Safe Harbor Privacy Principles: notice, choice, transfers to third parties, access, security, data integrity and enforcement. Transfers of personal information to third parties will have to be in conformity with those principles, i.e. the third party should ideally participate in the Safe Harbor framework or provide written confirmation that it has privacy protection in place which provides the same level of protection as the Safe Harbor principles. Many companies have joined the Safe Harbor framework and are listed on a government website.
The Madrid Resolution on International Standards on the Protection of Personal Data and Privacy
The Madrid Resolution on International Standards on the Protection of Personal Data and Privacy was adopted by 50 representatives from domestic privacy protection agencies worldwide under the aegis of the Spanish Data Protection Agency. Representatives from five continents agreed on the text, integrating a consensus on privacy protection derived from the different legislations. It addresses the public and the private sectors with regard to "any processing of personal data, wholly or partly by automatic means, or otherwise in a structured manner". It includes basic principles of lawfulness and fairness, purpose specification, the proportionality principle, the data quality principle, the openness principle and the accountability principle.
It also includes principles relating to the legitimacy of processing as well as rights of the data subject. The rights of the data subject include the right of access, the right to rectify and delete and the right to object. Additionally, the Resolution requires security measures to protect personal data and re-iterates the duty of confidentiality. Signatories are to take proactive measures to improve compliance with privacy protection; they shall monitor the observance of the principles and cooperate and coordinate their international privacy protection efforts.
General privacy laws are provided for in most countries and compliance is usually ensured by an oversight body. Domestic privacy protection models also include industry rules enforced by the industry and overseen by an oversight body. In lieu of a general legal framework for privacy, countries may opt to protect and enforce privacy on a sector level, as, for example, in the US. Additionally, companies or industry bodies set up codes of practice aiming to self-regulate the protection of the right to privacy. Privacy International claims that self-regulation has not proven to adequately fulfil and enforce these policies.
The US Global Online Freedom Act was enacted to prevent US companies from cooperating with repressive governments that censor and monitor the internet. The act prohibits US companies providing internet search engines, communications or hosting services in countries known to restrict and monitor internet activities from locating any personally identifiable information there. To comply with the Act, US businesses have to report any disclosure requests from another government to the State Department Office of Global Internet Freedom and the Attorney General. The Attorney General has the authority to prohibit a business from complying with the government request. The extraterritorial nature of the act puts US businesses at risk of violating the law when they disclose information upon government requests in other countries.
The US Federal Trade Commission is active in pursuing breaches of consumer privacy by companies. For example, in June 2010, Twitter agreed to settle charges brought by the Federal Trade Commission for failure to sufficiently safeguard consumer information. Hackers had been able to obtain unauthorised control over Twitter accounts of Barack Obama and Fox News.
In November 2015, the UK government published a Bill on Investigatory Powers. According to the Home Office, the Bill will "better equip law enforcement and intelligence agencies to meet their key operational requirements, and address the gap in these agencies' ability to build intelligence and evidence where subjects of interest, suspects and vulnerable people have communicated online." The Bill will address issues raised by David Anderson QC, the official reviewer of counter-terrorism legislation, who was tasked with assessing bulk surveillance powers used by the police and security services under the Regulation of Investigatory Powers Act 2000. Anderson's report considered privacy safeguards, transparency and oversight in relation to changing technology.
Other risks
In addition to legal risks posed by various international and domestic laws and treaty regimes penalising privacy abuses, businesses are exposed to scrutiny by auditors and stakeholders, which may translate into significant reputational risks.
In March 2013, a group of operators and vendors in the telecommunications industry issued a set of guiding principles on freedom of expression and privacy. Taking as its baseline the UN Guiding Principles, the Telecommunications Industry Dialogue on Freedom of Expression and Privacy sets out ten due diligence principles to guide and inform participating companies as they engage with external stakeholders. The telecommunications guiding principles include: having policies; conducting regular human rights impact assessments; establishing procedures to evaluate government data requests and strategies to address these requests while minimising adverse impacts; prioritising the safety of personnel; training employees; sharing knowledge with stakeholders; public reporting on implementing the principles; establishing grievance mechanisms; and informing the development of regulations and policies that support freedom of expression. The companies currently participating in the industry dialogue include Alcatel-Lucent, AT&T, Millicom, Nokia, Orange, Telefonica, TeliaSonera, Telenor Group and Vodafone.
The Electronic Industry Citizenship Coalition (EICC) also includes privacy within its Code of Conduct, which came into effect on 1 April 2015. Article 4 on Intellectual Property states, "intellectual property rights are to be respected; transfer of technology and knowhow is to be done in a manner that protects intellectual property rights; and, customer information is to be safeguarded." Article 8 of the Code's section on Ethics states that, "Participants are to commit to protecting the reasonable privacy expectations of personal information of everyone they do business with, including suppliers, customers, consumers and employees. Participants are to comply with privacy and information security laws and regulatory requirements when personal information is collected, stored, processed, transmitted, and shared."
The application of standards such as ISO 26000 and SA 8000 may reveal non-compliance with privacy standards, which is itself a risk for the company.
The ISO 26000 standard on social responsibility addresses privacy in its standards about workers and consumers. According to the standard, labour practices with respect to employment and employment relationships should include the protection of personal data and the privacy of workers. Additionally, with respect to consumer issues, organisations, particularly those collecting and handling personal information, have the responsibility to protect the security of such information and the privacy of consumers.
Consumer issue 5 of the standard provides for consumer data protection and privacy. According to the standard, consumer privacy is to be protected by "limiting the types of information gathered and the ways in which such information is obtained, used and secured". So that personal data collection does not infringe on the privacy of consumers, an organisation should limit data collection, obtain the consent of the consumer, only employ lawful and fair means to obtain data, specify the purpose of data collection and only disclose information within this realm, secure personal data and disclose the identity of and hold accountable the data controller.
Further, the standard addresses privacy in the organisation's process of reviewing its actions and practices related to social responsibility. With respect to reporting progress and performance to governments, NGOs or other bodies, organisations should "confirm the reliability of systems for protecting the security and privacy of data". In this respect, ISO 26000 suggests that independent experts or groups examine data collection, storage and handling by the organisation. It particularly outlines that reviewing social responsibility performance becomes necessary when there are concerns about the protection of private information, such as financial, medical or personal data.
In July 2014, the International Organization for Standardization (ISO) published ISO/IEC 27018, the first international standard on cloud privacy. ISO/IEC 27018 establishes standards for processing personally identifiable information (PII) in a cloud computing environment. For example, new controls prohibit the use of customer data for advertising and marketing purposes without the customer's express consent.
In addition to the 2009 Madrid Privacy Resolution, the 2009 Madrid Privacy Declaration was signed by over 100 civil society organisations and privacy experts, reaffirming the necessity to protect the right to privacy and calling particularly on EU and OECD member states to fulfil their obligations to enforce the right to privacy based on the respective instruments. The Madrid Declaration also notes the concern of the signatories that corporations acquire personal data without independent oversight.
Civil society expectations are an important indicator to assess the risk of legal action against companies. Companies risk the publicising of privacy abuses which can significantly damage their reputation. The companies' stakeholders, including employees, business partners and customers, care about their privacy. Consumers, in particular, will pay attention to privacy concerns.
For example, in 2012 the Ponemon Institute, a privacy research centre, published a survey about the "Most Trusted Companies for Privacy". While the interest of consumers in privacy can be doubted, for example when taking into account individuals' information sharing activities on social networking internet sites, users were very concerned that their privacy rights are being diminished or undermined by these technologies. Respondents considered that substantial security protections, no data sharing without consent, and the ability to be forgotten are the top three privacy features that businesses and government organisations should have in place.
Sensitive data (e.g. data about health, sexual orientation, race, etc.) is a particular concern for individuals. Disclosing such information to third parties, for example, raises fears of embarrassment, stigmatisation or the need to explain oneself. This fear may not only impact online consumer behaviour, but may also raise concerns among employees and business partners about engaging with a company.
Often, passing on personal customer information to authoritarian regimes means that the affected individual may face court proceedings and/or discriminatory or punitive action by state authorities, including arrest, imprisonment and torture, all of which have an impact on other human rights of the individual. In addition to the risk of complicity, the highly sensitised nature of those cases may implicate the company's reputation.
Various NGOs and blogs focus on privacy concerns and publicise privacy "breaches". For example, Privacy International is a UK-based NGO which has campaigned for and assessed privacy protection for over twenty years. According to the group, privacy is "the foundation upon which other human rights are built". The Privacy Foundation at the University of Denver's Sturm College of Law conducts research and provides privacy education to legal professionals and the general public.
Blogs include:
Data breaches infringing on the privacy of individuals are very expensive. In April 2010, the Ponemon Institute, a privacy research centre, published a survey on the Global Cost of Data Breach which found that, in 2009, the average global data breach cost across organisations in the US, UK, Germany, France and Australia amounted to US$3,425,381 per data breach incident. This included an average global cost of US$1,642,878 of lost business per data breach incident. The global average cost per compromised customer record was US$142. The institute also found that the costs of data breaches continue to increase. The latest version of the report, published in 2013, found that the healthcare industry experienced the highest cost per lost record ($233), followed by the financial industry ($215) and pharmaceuticals ($207). Another study by the institute, the Benchmark Study on Patient Privacy and Data Security, published in 2012, found that data breaches in healthcare organisations cost up to US$7 billion annually. There is an increasing trend in data breaches costing more than $500,000.
In addition, the violation of the right to privacy by government activities poses a risk to company sales. For example, according to the Open Net Initiative's (ONI) report "Access Controlled", the Syrian Interior Ministry and the Syrian Telecommunications Institution have banned the sale of cell phones that have GPS and WAP services that are not being properly monitored by the service providers. Mobile phone stores were instructed not to sell certain models. Businesses face the dilemma of losing business when not abiding by domestic laws and regulation which will most probably infringe on the privacy of citizens.
Companies implicated in privacy infringements may face problems relating to workforce retention. When employees fear that their employer passes on personal information which may in turn undermine the worker's ability to work or lead to discriminatory or punitive action by state authorities, workers may choose different employers. In addition, customers may turn away from companies which pass on personal information to governments. This problem is likely to be particularly pronounced where the governments concerned have authoritarian governance structures and may use personal information passed on by companies to enforce domestic laws which are in conflict with the international human rights law principle of non-discrimination.
The UN "Protect, Respect and Remedy" Framework for Business and Human Rights provides guidance on how to protect individuals and communities from corporate-related human rights harm.
The framework comprises three key principles:
The framework states that in addition to complying with national laws businesses have a responsibility, in the context of the countries where they operate, to respect human rights through their own business activities and through their relationships with third parties – such as business partners and entities in their supply chains. To meet this responsibility, the framework notes that businesses should engage in human rights due diligence and specifies the main components of the process:
Policies: Including a human rights policy containing broad commitments, supported by more detailed guidance in specific functional areas
Impact assessment: Including assessments that explicitly reference internationally recognised human rights and are used by companies to avoid potential negative human rights impacts on an ongoing basis
Integration: Including the embedding of respect for human rights throughout a company
Tracking performance: Including regular updates of human rights impact and performance
The Guiding Principles for the Implementation of the UN "Protect, Respect and Remedy" Framework aim to provide "concrete and practical recommendations" about how businesses can operationalise their responsibility to respect human rights. According to the Guiding Principles, the responsibility to respect human rights requires responsible companies to:
The UNGPs apply to all States and to all business enterprises, both transnational and others, regardless of their size, sector, location, ownership and structure.
The UNGPs have experienced widespread uptake and support from both the public and private sectors, and numerous companies have publicly stated their commitment to the Guiding Principles. The UN Guiding Principles Reporting Framework is also used by companies to report on how they respect human rights.
Companies can seek specific guidance on this and other issues relating to international labour standards from the ILO Helpdesk. This aims to help company managers and workers understand the ILO approach to socially responsible labour practices and to assist in the development of good industrial relations.
Specific actions that responsible business might take include:
A statement of policy shall articulate the company's commitment to respect human rights and provide guidance as to the specific actions to be taken to give this commitment meaning. This policy should be informed by appropriate internal and external expertise and identify what the company expects of its personnel and business partners. The policy should be approved at the most senior level and communicated internally and externally to all personnel, business partners and relevant stakeholders. In addition, it should be reflected in appropriate operational policies and procedures.
Companies should be aware of how their activities impact on the right to privacy and implement a human rights policy addressing privacy. This policy statement should ensure that information and data collected about employees, business partners or customers is treated with respect for the human right to privacy. Prior to developing a human rights policy, the "Guide for Business: How to Develop a Human Rights Policy" suggests assigning senior management responsibility, involving all business operations, conducting a policy gap analysis and policy mapping, and consulting with internal and external stakeholders.
Firstly, companies can pledge to abide by human rights standards and international frameworks as outlined above. Secondly, privacy policies should include a commitment to adhere to the basic principles of privacy protection as provided for in the abovementioned instruments. Businesses should pledge to adhere to the following principles:
Ensure clarity
According to a survey cited in the 2010 US Federal Trade Commission (FTC) report "Protecting Consumer Privacy in an Era of Rapid Change", consumers often think that the term "privacy policy" means that a company will not share any personal information. Additionally, in practice, privacy policies are often long and incomprehensible, making it difficult for consumers to read and understand. In turn, this may undermine the applicability of further privacy principles as outlined below. An Internet Privacy Policy Study published on the FTC website which surveyed Fortune 500 companies found that "only 1% of the privacy policies met the guidelines for a clear and conspicuous privacy policy written in plain and simple language". The study found that approximately 30% of the privacy policies required the equivalent of a postgraduate education to understand them.
Companies should thus adjust their privacy policies to be transparent, easily accessible and understandable.
Companies should avoid lengthy and too detailed privacy policies and simplify their policies
Companies may choose to opt for an easily understandable, standardised privacy policy
Additionally, companies should aim to increase consumer education efforts
To make privacy policies more transparent and efficient, companies increasingly opt to implement multi-layered privacy policies to inform customers. Tools such as the OECD Privacy Statement Generator can assist in drafting such policies. The EU Article 29 Data Protection Working Party has endorsed the concept of multi-layered notices in Opinion 10/2004.
Multi-layered notices comprise at least a condensed notice highlighting all key factors and a complete notice including all legal requirements. Multi-layered notices make it easier for customers to understand and compare different privacy notices. Currently, such layered notices may comprise three steps:
Short notice: provides minimum information such as the identity of the data controller, contact details and purpose of processing personal information
Condensed notice: easily accessible document including information on the scope of application, what personal information is collected, how this information is used and shared, consumer choices and access options
Full notice
The aims of implementing human rights due diligence processes are to identify, prevent and mitigate adverse impacts companies may have on human rights and to account for their performance on an ongoing basis. Human rights due diligence entails a risk assessment at a level commensurate with the risk of infringements posed by the country context in which a company operates, its own business activities and the relationships associated with those activities. Depending on the risks involved, the size of the company and the context of business operations, the scale and complexity of the risk assessment may vary. It includes a human rights impact assessment, the integration of commitments into internal control and oversight systems, performance tracking and regular public reporting.
The Global Network Initiative (GNI) provides more specific guidance for companies to integrate privacy and freedom of expression into business operations. It is a collaborative multi-stakeholder initiative which aims to protect privacy and freedom of expression in the ICT sector. GNI participants include companies, civil society organizations, investors and academics. Participants pledge to implement core principles on responsible company decision making, freedom of expression, privacy, multi-stakeholder collaboration and governance, accountability and transparency. Those principles and their implementation guidelines provide ICT companies and their stakeholders with guidance on how to protect and advance privacy and freedom of expression.
The GNI implementation guidelines provide ICT companies with guidance on human rights impact assessments and how to integrate privacy and freedom of expression into business operations. Company boards are to review company operations and their impact on privacy and freedom of expression through regular management reports and in risk management processes. Board members shall also participate in privacy risk training.
Human rights impact assessment
Human rights impact assessments serve to identify and assess the actual or potential human rights impacts of companies' activities and associated relationships prior to and during business activities. The assessment involves:
Businesses can mitigate human rights risk, including the risk to the right to privacy, when they are fully aware of the potential and actual impacts of their activities on human rights, particularly where governance is weak, or a culture or legal environment is known to infringe on the right to privacy, as is often the case in emerging markets. The human rights impact assessment as proposed by the UN Special Representative serves to understand the impact business activities may have on the human rights of those individuals affected by the company's business activities and to assess how the legal, economic and cultural environment impacts human rights. The company can then make an informed decision about how to mitigate those impacts by developing mechanisms, procedures and systems integrating human rights into internal strategies and procedures, hence "operationalising" human rights.
The Guide to Human Rights Impact Assessment and Management (HRIAM) is a tool businesses can use to conduct such assessments. The Guide also provides information on management processes and systems. For example, where a business knows that a heightened standard of scrutiny needs to be applied in corrupt business environments, or with respect to health issues impacting severely on the workforce, then the company should be aware that this may infringe on the right to privacy.
According to the GNI implementation guidelines, ICT companies should identify how privacy (and freedom of expression) may be jeopardised or advanced by company operations. Appropriate risk mitigation strategies should be developed when:
Additionally, when a company knows that laws in a certain country impact the right to privacy, the company can take precautions so as to avoid complicity in privacy violations by the government. If laws discriminate against certain individuals or groups of individuals, then companies should be aware that they may be asked, particularly by authoritarian regimes, to supply information on their workers or customers which may infringe on the right to privacy.
Integration of human rights commitments into internal control and oversight systems
Effective integration requires responsibility for addressing such impacts to be assigned to the appropriate level and function. It also requires appropriate internal decision-making mechanisms, budget allocation and oversight processes. The Guide to Human Rights Impact Assessment and Management may help companies to manage and control their human rights impacts.
In addition, GNI provides guidance on how ICT companies can integrate privacy into business operations. According to the GNI implementation guidelines, this should inform
The actual and potential impacts on privacy for businesses operating in, sourcing from or distributing to emerging markets have been outlined above. The suggestions below address those issues based on the International Bill of Rights and the different international legal frameworks and policies on privacy, such as the UN Guidelines on the regulation of computerized personal data files, the ILO practice code on the protection of workers' personal data, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the APEC Privacy Framework, the EU framework for privacy protection, the Madrid Resolution, the US-EU Safe Harbor Framework and the ISO 26000 standard on social responsibility. While these frameworks address different contexts and issues, the principles of privacy protection can be found in all of them and should inform the implementation of privacy policies and management systems for business activities in emerging markets.
The following suggestions aim to help businesses to internalise privacy protection and operationalise the more general principles of preventing harm, collecting and processing personal information lawfully and fairly, as well as applying the principle of non-discrimination.
General principles:
- Prevent harm
This basic principle to prevent harm to individuals requires companies to protect against the misuse of information collected about business partners, employees or customers. While the right to privacy is not an absolute right and may thus be balanced against public interests such as security, workers may not waive their right to privacy as stated in the ILO Code.
- Honour the principle of lawfulness and fairness
In accordance with the UN, the ILO, the ISO standard and the EU directive, data collection and processing should be fair and lawful and honour internationally recognised human rights principles. According to the UN Guidelines, the principle requires that information should be used in conformity with the purposes and principles of the Charter of the United Nations referencing the respect for human rights. While many privacy protecting instruments honour the principle to abide by domestic privacy laws, in some countries there are few legal constraints (e.g. on workplace surveillance). Thus, in emerging markets, companies will often be faced with a lack of privacy protection and even encounter privacy infringing laws and practices further impacting other human rights and the principle of non-discrimination. For example, with respect to the privacy rights of employees, countries in sub-Saharan Africa as well as Thailand and China have come under scrutiny for a lack of privacy protection.
- Respect the principle of non-discrimination
Both the UN and the ILO require adherence to the principle of non-discrimination. The UN Guidelines prescribe that data should not be collected which may lead to unlawful or arbitrary discrimination, e.g. information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union. While exceptions to this rule may be allowed to protect national security, public order, public health or morality, as well as the rights and freedoms of others, those exceptions have to be consistent with the International Bill of Human Rights and the other relevant instruments protecting human rights and preventing discrimination.
According to the ILO practice code on the protection of workers' personal data general principles, the processing of personal data should not have the effect of unlawfully discriminating in employment or occupation.
Which information and data to collect and how:
- Know what information you can collect
Generally, "sensitive" data needs special justifications to be collected, stored and processed. Such data is often likely to give rise to unlawful or arbitrary discrimination and should therefore not be collected. However, businesses operating in emerging markets may have a heightened need to collect such data in order to protect their assets and interests.
The UN Guidelines consider data about racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union to be sensitive data which should not be collected. The Madrid Declaration and the ILO practice code add data about criminal convictions or health to the list of personal data which should in principle not be collected.
The ILO practice code allows the collection of such data only in exceptional circumstances "if the data are directly relevant to an employment decision and in conformity with national legislation". Data on the worker's trade union membership or activities should only be collected in accordance with a law or collective agreement. The ILO practice code limits the collection of personal health data to determining a worker's fitness for a particular type of employment, to meeting occupational health and safety requirements, and to determining entitlement to, and granting, social benefits. Medical testing may not be compulsory.
Compliance with domestic laws in emerging markets poses challenges to businesses when aiming to comply with the requirements set out as part of their responsibility to respect the human right to privacy as described above. Companies should thus have in place measures and processes to avoid the collection of sensitive data. First, any collection should be proportional to the needs and balancing tests may help companies to determine their need. Second, if the collection of such data is proportional to the purpose, i.e. when the impact on privacy weighs less than the need for the collection of the data, companies should aim to keep the information confidential. Confidentiality agreements between the employer and business partners, employees or customers may shield the company from having to comply with government requests for personal data which would violate the right to privacy.
- Provide proper notice to concerned individuals
The instruments mentioned above require that individuals are informed of any data collection processes, the rules that govern the process and their rights. The APEC Privacy Framework's Notice Principle requires information controllers to "provide clear and easily accessible statements about their practices and policies". A privacy policy notice should include information such as:
The ILO practice code recommends that workers and their representatives should be kept informed of any data collection process, the rules that govern the process and their rights.
In accordance with the OECD Guidelines, "openness" with respect to the collection, storage or use of personal data may involve, for example, publicised information from the data controller about data collection and processing.
In any case of personal information collection and processing, the company must inform the person whose data is being collected and processed. Notification, however, will not exempt companies from having to obtain consent and abide by other privacy standards as outlined below.
A company's privacy policy should serve to inform employees, customers and business partners about what they are to expect. In addition to being aware of the privacy policy, business partners may have to be informed separately in the respective contract agreement with the company.
The notice principle provides the basis for privacy protection and often goes hand in hand with the Choice principle as provided for in the APEC Privacy Framework and outlined below.
When having to provide personal information to governments, the Global Network Initiative proposes that ICT companies disclose to users the applicable domestic legal framework, the company's policies for responding to government requests, and which information about users the company collects. Additionally, companies are required to assess their measures to support transparency about the collection, storage and retention of personal user data.
- Obtain the consent of the individual to collect personal information
Where necessary and appropriate, the individual whose data is being collected should have the right to be asked for his/her consent. This will specifically apply in the case of the collection of sensitive data.
For example, when applying a heightened standard of integrity due diligence as part of a corruption risk assessment in an emerging market environment prone to corruption, the company will have to inform the respective persons and obtain their consent to the screening processes implemented to verify the integrity of agents, consultants, joint venture partners and contractors, or of counterparts in public procurement.
- Limit the collection of personal data to information that is relevant to the purposes of data collection
The ILO, ISO 26000, the OECD and APEC endorsed the principle of limiting the collection of personal data. The ILO practice code asks employers to reduce as far as possible the amount and kind of information collected. The APEC Privacy Framework states that "the collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or the consent of, the individual concerned."
Similarly, the OECD's collection limitation principle requires lawful and fair means of collection and the consent of the data subject and comprises limits on the collection of particularly sensitive data. ISO 26000 recommends limiting the collection of personal data to such information that is essential for product and services provision, or requires the informed and voluntary consent of the consumer.
- Specify the purpose of collecting and processing personal information
The UN, the ILO, ISO, the OECD and APEC require that data is collected and used only for the purposes initially specified. The UN Guidelines require that all data collected relates to the specified purpose and that consent of the individual concerned is necessary to use or disclose data for purposes incompatible with those specified. According to the ILO practice code, data should be used only for the purposes for which they were originally collected. If data is to be processed for purposes other than those originally specified, the controller has to make sure that the new purpose is not incompatible with the original purpose. The ILO practice code additionally prohibits using data to control the behaviour of workers.
How to process and store personal information:
- Provide individuals with choice in relation to data collected about them
In accordance with the APEC Privacy Framework Choice principle, "individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information." This principle is meant to ensure that individuals are notified of their choice with respect to the collection, use, transfer and disclosure of personal information. The mechanisms for exercising choice should be accessible and affordable. Additionally, ease of access and convenience when exercising choice should be taken into account.
The US-EU Safe Harbor Framework provides that affirmative or explicit (opt-in) choice must be available for sensitive information, when it shall be disclosed to a third party or used for a purpose other than originally intended or subsequently authorised by the individual. Accordingly, the affected individual needs to consent to such data transfers or use of his data. In its recent report Protecting Consumer Privacy in an Era of Rapid Change, the US Federal Trade Commission (FTC) recommends protecting sensitive information through an enhanced consent mechanism in the form of affirmative express consent. Under FTC case law, companies must provide disclosures and opt-in consent when they wish to use personal information for a purpose which is materially different from the original purpose of information collection and processing.
When collecting publicly available information, the provision of choice may not be necessary or may be impracticable. Additionally, providing choice may be unnecessary in a business context when business contact information is being passed on. In employment relationships, it may be impracticable to abide by the choice requirement when personal employee information is used for employment purposes (e.g. when employee information is centralised in the human resources department).
Both the notice and the choice principles are foundational principles of privacy protection. However, the FTC criticises that the principles, as currently applied, offer individuals only limited protection. A major concern was the consumers' lack of understanding, which undermines the application of the two principles and the principle of informed consent as outlined below.
The FTC also outlines situations in which "commonly accepted practices" may not warrant the application of the choice principle. This includes, for example, information collection and processing for the purposes of product and service fulfilment, customer satisfaction surveys, and fraud prevention.
- Ensure accuracy and integrity of personal information
The UN, the ILO, the OECD, APEC and the EU data directive adhere to the principle of accuracy of the data collected. This comprises the accuracy of data when collected and the maintenance of the integrity of the data throughout the storage and use of the data. The principle also involves the right of the person concerned to have incorrect data held about him corrected. The ILO practice code asks employers to verify on a continuous basis that the data is accurate, up-to-date and complete. In the case of incorrect or incomplete data, workers shall have the right to demand deletion or rectification.
- Protect and secure gathered information
UN, ILO, ISO, OECD, APEC and EU privacy protection instruments all contain the principle of security and confidentiality. The UN Guidelines require appropriate measures to secure and protect personal information against accidental loss or destruction and against unauthorised access, or fraudulent misuse of data. Similarly the ILO practice code requires employers to ensure that personal data are protected against loss, unauthorised access, use, modification or disclosure. The APEC Framework states that safeguards should be proportional to the severity of the harm threatened and take into account the sensitivity of the information and its context.
- Ensure confidentiality
Information collected, stored and processed should be treated confidentially, particularly when sensitive information is concerned. The Madrid Resolution and the ILO practice code require that anyone involved in the process of collection and processing of personal information shall be bound by the duty of confidentiality. This obligation shall remain valid even after the relationship with the concerned person has ended.
The ILO practice code requires confidentiality when handling medical information in line with the ILO Occupational Health Services Recommendation No. 171.
Particular issues arise with respect to information which can be relevant for the company to protect against corruption, e.g. asking the business partner/employee about his/her political affiliation. This may be necessary because individuals with close ties to the ruling party are more likely to be implicated in corruption or nepotism, particularly in emerging markets, where local structures are traditionally based on the leadership of certain families or groups.
While the company may decide to demand this information, or may be required to do so in accordance with domestic laws, it may decide to keep this information confidential or follow processes to attempt to minimise the risk of human rights abuses. Confidentiality agreements between the employer and the employee may protect the company against having to pass on the information.
- Ensure access of concerned persons to information gathered about them
All instruments guarantee the access of individuals to the information held about them. The concerned person has the right to know if any of his/her personal information is being processed and to examine and obtain this information. The concerned person also has the right to erase or rectify unlawful, unnecessary or inaccurate data.
According to the APEC Privacy Framework, this does not apply when the burden of providing access is disproportionately high, when confidential commercial information is at issue, or where the privacy of others would be violated. Confidential commercial information is information which the company has protected from disclosure, where the disclosure would facilitate the exploitation of such information by a competitor and would cause significant financial loss.
If possible, requested information should be separated from confidential commercial information to enable access by the individual. Where this is not possible, businesses may deny access to such information but should provide the individual with a detailed explanation and information as to how to challenge the denial of access.
- Apply the proportionality principle and balancing tests
The Madrid Resolution advocates that "the processing of personal data should be limited to such processing as is adequate, relevant and not excessive in relation to the purposes" of collecting and processing personal data. The processing of personal data should be limited to the minimum that is necessary.
Balancing tests will help to assess whether information is required within the framework of employment or other business relationships. The need to collect and process personal data should be weighed against the consequential privacy infringement. This is particularly necessary with respect to sensitive data, including data about ethnicity, political and religious affiliation or opinions, health, and sex life. The impact on privacy in these cases is more intrusive, and a higher threshold of justification for collecting and processing the data will apply.
- Avoid long retention periods
Data retention should be limited to a reasonable and appropriate period. Long retention periods bear the risk that the data is used for purposes other than originally intended and increase the risk of the theft of such data. The US Federal Trade Commission thus recommends that companies swiftly and securely dispose of data for which they no longer have any specific business need.
Many of the instruments mentioned require that the person controlling personal data should be held accountable for complying with the principles of privacy protection. ISO 26000 and the APEC framework require the disclosure of the identity of the data controller. The Madrid Resolution sets forth that the person responsible for data collection shall "have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers". According to the ILO practice code, the data controller should be regularly trained so as to be aware of the privacy implications of collecting personal data.
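The principles listed above (collection limitation, notice, opt-in consent for sensitive data, the ILO rules on union and health data, the balancing test, purpose specification and retention limits) can be encoded as a pre-collection check that a privacy or security team runs before a new data flow is approved. The following is an added example, not code from the page or from any of the instruments it cites; the sensitive categories follow the UN Guidelines plus the Madrid/ILO additions, while the purpose catalogue, compatibility table, scoring scale and retention ceiling are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Set

# Categories the UN Guidelines list as sensitive, plus the two the Madrid
# Declaration and the ILO practice code add (criminal convictions, health).
SENSITIVE_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "colour", "sex_life", "political_opinions",
    "religious_or_philosophical_beliefs", "association_or_union_membership",
    "criminal_convictions", "health",
})

# Constructed catalogue of specified purposes and the fields relevant to each
# (purpose specification / collection limitation). A real deployment keeps
# this in its records of processing, not in code.
PURPOSE_FIELDS = {
    "payroll": {"name", "bank_account", "tax_id"},
    "payroll_audit": {"name", "bank_account", "tax_id"},
    "occupational_health_fitness": {"name", "health"},
    "integrity_due_diligence": {"name", "criminal_convictions"},
}

# Constructed compatibility table for secondary use: reuse for a purpose not
# listed as compatible with the original one requires fresh consent.
COMPATIBLE_PURPOSES = {"payroll": {"payroll", "payroll_audit"}}

MAX_RETENTION = timedelta(days=730)  # hypothetical company retention ceiling


@dataclass
class CollectionRequest:
    purpose: str
    fields: Set[str]
    notice_given: bool = False          # notice principle
    opt_in_consent: bool = False        # affirmative (opt-in) choice
    legal_basis: Optional[str] = None   # "national_law" or "collective_agreement"
    business_need: int = 0              # balancing-test inputs, 1 (low) to 5 (high)
    privacy_impact: int = 0
    retention: timedelta = timedelta(days=365)


def evaluate(req: CollectionRequest) -> List[str]:
    """Return the principle violations found; an empty list means the request
    passes every check encoded here."""
    findings: List[str] = []
    if req.purpose not in PURPOSE_FIELDS:
        return [f"purpose '{req.purpose}' has not been specified"]
    # Collection limitation: only fields relevant to the stated purpose.
    irrelevant = req.fields - PURPOSE_FIELDS[req.purpose]
    if irrelevant:
        findings.append("fields not relevant to purpose: " + ", ".join(sorted(irrelevant)))
    # Notice: the individual must be told what is collected and why.
    if not req.notice_given:
        findings.append("no notice given to the data subject")
    sensitive = req.fields & SENSITIVE_CATEGORIES
    if sensitive:
        # Proportionality: the need must outweigh the privacy impact.
        if req.business_need <= req.privacy_impact:
            findings.append("balancing test failed: need does not outweigh privacy impact")
        # Sensitive data requires affirmative, explicit (opt-in) consent.
        if not req.opt_in_consent:
            findings.append("sensitive data collected without opt-in consent")
        # ILO practice code: union data only under a law or collective agreement.
        if ("association_or_union_membership" in sensitive
                and req.legal_basis not in ("national_law", "collective_agreement")):
            findings.append("union membership data needs a legal or collective-agreement basis")
        # ILO practice code: health data only for fitness / OHS / benefit purposes.
        if "health" in sensitive and req.purpose != "occupational_health_fitness":
            findings.append("health data collected outside an occupational-health purpose")
    # Retention limitation.
    if req.retention > MAX_RETENTION:
        findings.append(
            f"retention of {req.retention.days} days exceeds the {MAX_RETENTION.days}-day ceiling")
    return findings


def may_reuse(original_purpose: str, new_purpose: str, fresh_consent: bool) -> bool:
    """Purpose specification: data may serve a new purpose only if it is
    compatible with the original one or the individual has consented."""
    compatible = COMPATIBLE_PURPOSES.get(original_purpose, {original_purpose})
    return new_purpose in compatible or fresh_consent
```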
EXAMPLE 1: Government requests for the transfer of private data
Ensure adequate management systems are in place: According to the guide Human Rights Translated, companies should develop management criteria "for deciding the precise circumstances under which the company may be prepared to comply with government requests for the transfer of private data" particularly when local authorities are known to improperly limit the freedom of expression and to prosecute dissidents.
Comply with international law where possible: In this classic conflict of laws situation, companies are stuck in the middle – between their responsibility to respect human rights and their obligation to abide by domestic laws. Emerging economies often have weak laws in place. In this case companies should, in accordance with Guiding Principle 21 proposed by the UN Special Representative of the Secretary General on Business and Human Rights, ensure compliance with international law to the largest extent possible.
Avoid unnecessary collection and processing of information: When domestic laws are in direct conflict with international human rights standards, companies face an outright dilemma. Laws can infringe on the privacy of individuals but have to be implemented by the company. For example, an employee may lose his job, welfare benefits, residence permits, may experience societal discrimination, his access to public services may be restricted, his/her citizenship rights (such as the right to vote) may be infringed, or he/she may face punitive action, such as detention, torture, or other punishment enforced as a result of the application of the discriminatory law. In this case, information requested by the government from the company may put an individual in a situation where he will be a victim of discriminatory laws and government enforcement.
The UN Guidelines adopted by the UN General Assembly ask governments to stay within the limits provided for in the UN Charter when allowing exceptions to the right to privacy based on justifications such as national security, order, morality, etc. However, this limitation does not help businesses to withstand the pressure from governments to provide the information requested.
Companies should always ensure that only information which is relevant to employment is collected, provide proper notification of the effects of collecting certain information, and ensure that the data subject has the choice to give this information. When in doubt, the collection of sensitive information such as trade union or political information and information about family members should be avoided.
Support individuals against government requests: The company, having ensured that its assets are not in danger, may opt to protect the employee, particularly by continuing to provide employment, health services and benefits to the concerned individual, or by advocating on the individual's behalf or supporting organisations or individuals in doing so. This may ensure that the company has made every effort to ensure respect for human rights.
EXAMPLE 2: Employee drug and alcohol testing
According to the 1993 ILO Guiding principles on drug and alcohol testing in the workplace, workers should have the right to make informed decisions as to whether to undergo medical testing. Employers should honour the workers' right to choose a doctor, the right to representation if needed, the right to notification that testing will be carried out as part of a pre-employment screening programme, and the right to information on test results.
Ensure knowledge of domestic privacy laws: Laws with respect to obtaining and storing medical information differ from country to country and range from prohibiting the collection of such information to sanctioning the failure to collect it. For example, while Kenyan and Tanzanian laws ban HIV screening, Nigeria and Cameroon have adopted policies addressing the threat of HIV while honouring the principle of non-discrimination against workers living with HIV/AIDS. General health tests, particularly drug tests, may be required by law, as in the UK where the failure to comply with the requirement of drug testing as part of the employment agreement may result in disciplinary action.
Ensure non-discrimination: An independent medical review of the test results should be available for employees. Employees showing positive alcohol or drugs tests results should not be discriminated against and rehabilitation and re-integration into the workforce should be made possible. The employer should encourage and support the employee to participate in counselling or treatment programmes.
Balancing tests should be applied by employers to weigh the need for such testing, taking into account the nature of the jobs involved. In some situations, the right to privacy may outweigh the need to administer tests. In accordance with the principle of proportionality, the company should determine whether or not the interest in collecting and processing personal data outweighs the impact on the right to privacy of the individual.
Strengthen the role of the occupational physician: Companies should aim to honour the privacy principles with regard to health and drug testing to the largest extent possible. When companies have an interest in collecting, or are required to collect, this information and have obtained the consent of the individual, confidentiality of medical information pertaining to drug or health tests can be ensured by strengthening the role of the occupational physician. For example, in countries such as Finland, France, Belgium, Germany and Austria, drug test results are communicated to the occupational doctor instead of the employer. The doctor will then only inform the employer of whether or not the person is fit to work, without revealing the specifics of the drug test results.
Ensure accuracy of test results: Companies will also have to bear in mind that the results of health or drug tests may be false or misleading due to human error or previous positive testing. Certain legal substances such as poppy seeds, Vicks inhalers or ibuprofen may also produce positive results. Decisions taken on the basis of misleading or false medical testing may expose the employer to legal action by the employee.
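The occupational-physician arrangement described under "Strengthen the role of the occupational physician", combined with the confirmatory review that "Ensure accuracy of test results" calls for, amounts to a data-minimisation gateway: the raw screening record stays with the physician, and the employer receives only a fitness verdict, which is withheld until a positive screen has been confirmed. The code below is an added example, not from the page or any cited programme; the record layout, the interference list and the worker identifier are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional

# Legal substances the text names as causes of misleading positives
# (constructed lookup; a real programme follows the laboratory's guidance).
KNOWN_INTERFERENCES: FrozenSet[str] = frozenset({"poppy_seed", "vicks_inhaler", "ibuprofen"})


@dataclass(frozen=True)
class ScreeningResult:
    """Raw test record: stays with the occupational physician, never the employer."""
    worker_id: str                    # constructed identifier, e.g. "w-001"
    substance: str                    # what the screening test reported
    screen_positive: bool
    declared_intake: FrozenSet[str]   # legal substances the worker reported taking
    confirmed_positive: Optional[bool] = None  # None until the physician reviews


def possible_interference(result: ScreeningResult) -> bool:
    """True if a declared legal substance could explain a positive screen."""
    return result.screen_positive and bool(result.declared_intake & KNOWN_INTERFERENCES)


def physician_review(result: ScreeningResult, confirmatory_positive: bool) -> ScreeningResult:
    """The physician records the outcome of a confirmatory test; a positive
    screen is never acted on without this step."""
    return replace(result, confirmed_positive=confirmatory_positive)


def employer_report(result: ScreeningResult) -> Dict[str, object]:
    """The only record that leaves the physician: worker id and fitness verdict.
    fit_for_work stays None while a positive screen awaits confirmation."""
    fit: Optional[bool]
    if not result.screen_positive:
        fit = True
    elif result.confirmed_positive is None:
        fit = None
    else:
        fit = not result.confirmed_positive
    return {"worker_id": result.worker_id, "fit_for_work": fit}
```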
Performance tracking
Monitoring and tracking a company's human rights performance drives continuous improvement and will also enable companies to receive critical feedback from their stakeholders. In accordance with the Guiding Principles on Business and Human Rights, namely Principle 20, performance tracking should be based on appropriate qualitative and quantitative indicators and draw on feedback from internal and external sources including affected stakeholders.
Performance tracking should be integrated into internal reporting processes involving performance contracts, reviews, surveys and audits. As part of the evaluation of human rights performance, the Guide to Human Rights Impact Assessment and Management suggests companies should have monitoring assessments in place, as well as reporting processes and evaluations.
In accordance with the Guide, privacy performance tracking and monitoring should aim to assess:
Monitoring mechanisms may include:
Evaluation mechanisms should measure performance against the key indicators (as outlined above) of privacy protection. They should include the assessment of the relevance, impact, efficiency, sustainability and flexibility of the mechanisms put in place to ensure privacy protection.
Public and regular reporting on performance
When reporting, companies should take into account the risks the communication of certain information may pose to stakeholders themselves, or to company personnel. In addition, the content of the reports should be subject to the legitimate requirements of commercial confidentiality. In accordance with the Guide to Human Rights Impact Assessment and Management, public reports to stakeholders on human rights performance, including privacy, should contain:
Integrated reporting
While this can be communicated in sustainability reports separate from financial reports, companies may consider opting for an integrated reporting approach marrying both financial and sustainability reporting in one report. This will help companies to perform more sustainably and to better understand how human rights risks impact on overall company performance. It also ensures that human rights are efficiently operationalised. The Global Compact supports integrated reporting for the Communications on Progress submitted by their participants and there is a business school movement for the integration of reports.
Where business enterprises identify responsibility for adverse impacts, they should provide for or cooperate in their remediation and offer routes to judicial or non-judicial grievance mechanisms. Businesses can provide for operational-level grievance mechanisms as recommended in the Draft Guiding Principles. Operational level grievance mechanisms are administered by companies alone or in collaboration with relevant stakeholders and are accessible directly to "individuals and communities who may be adversely impacted by a business enterprise". Operational-level grievance mechanisms may help companies to identify human rights impacts and grievances and make it possible to address such grievances and remediate human rights impacts at an early stage. The online platform BASESwiki provides a vast array of information and the opportunity to share information about a number of dispute resolution mechanisms between business and society at the global and local levels.
Companies should consult with relevant stakeholders to get their advice and comments on their privacy protection practices and mechanisms and to find solutions to privacy dilemmas. Guidance from the UN Global Compact, the IFC Guide to Human Rights Impact Assessment and the IFC Good Practice Handbook on Stakeholder Engagement help companies to identify and engage with the relevant stakeholders.
Particularly in situations where government requests may compromise a company's human rights policy, consultation with stakeholders will shed light on what is expected of the company. The guide Human Rights Translated suggests that companies "consult with human rights experts and key stakeholders on acceptable solutions in situations where the company is at risk of violating its stakeholders' right to privacy including in circumstances where the company is required to comply with lawful government requests to hand over data to aid criminal investigations".
Relevant stakeholders at the local and global levels can include workers, trade unions, local communities, NGOs and other civil society and advocacy groups, academia and governments. Stakeholder panels may be an effective mechanism for companies to receive advice and commentary on company practices relating to privacy. Stakeholder panels are considered good company practice and can help companies, among other things, to assess human rights impacts, build trust among stakeholders, mitigate risks and prevent disputes.
With respect to privacy, relevant stakeholders include:
The Global Network Initiative (GNI) is a collaborative multi-stakeholder initiative which aims to protect privacy and freedom of expression in the ICT sector. It includes companies, civil society organizations, investors and academics. Participants pledge to implement core principles on responsible company decision making, freedom of expression, privacy, multi-stakeholder collaboration and governance, accountability and transparency. Those principles and their implementation guidelines provide ICT companies and their stakeholders with guidance on how to protect and advance privacy and freedom of expression.
GNI requires participating companies to engage in multi-stakeholder collaboration to promote public policies in line with the core GNI principles protecting privacy and freedom of expression. Additionally, GNI advises companies to have in place a confidential internal advisory forum to provide guidance as to how to advance freedom of expression and privacy. GNI participants pledge to create a learning, collaboration and communication program and promote global dialogue about GNI principles and their implementation involving interested companies, industry associations, advocacy NGOs and other civil society organisations, universities, governments and international institutions.
In accordance with the Guide to Human Rights Impact Assessment, training key managers in the company, particularly those directly processing personal information, is required as part of an adequate privacy management system. Additionally, training of employees throughout the company may be advised to minimise the risk of privacy infringements.
Standard 22 of the Madrid Resolution encourages organisations involved in the processing of personal information to regularly implement training, education and awareness programmes to ensure the full understanding and compliance of those involved in these processes with appropriate laws and the organisation's privacy policy and management systems.
The US-EU Safe Harbor Framework requires companies seeking certification under the framework to demonstrate that employee training is implemented to ensure compliance with the Safe Harbor principles.
In its recent Privacy Report, the US Federal Trade Commission recommends that companies designate personnel to conduct employee training on privacy as part of a comprehensive privacy programme. These programmes should be proportionate to the risks faced by companies when dealing with personal data. A company which collects and processes large amounts of data and sensitive data has to apply a heightened standard of care.
Human rights impact of privacy infringements
The right to privacy is related to and impacts on many other human rights including the overarching fundamental principle of non-discrimination. When the right to privacy is impacted, businesses risk complicity in other human rights abuses. Other human rights impacted by infringements on the right to privacy include:
Equality and non-discrimination, Articles 2, 3, 14, 26 ICCPR: The principle of non-discrimination and the right to equality may be impacted by violations of the right to privacy, for example when a prospective employee is not hired on the basis of personal information shared which concerns race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Equality and the principle of non-discrimination may also be impacted where the sharing of personal information with governments triggers discrimination on the basis of discriminatory local laws and/or practice. In emerging markets, authoritarian governance structures often go hand in hand with a discriminatory legal environment. In these situations, information shared about employees and their political or trade union affiliation, medical conditions, family circumstances, sexual orientation, etc. may lead to the enforcement of discriminatory laws or practices against the concerned individual, thus violating the principle of non-discrimination.
Freedom of expression, Article 19 (2) ICCPR: The right to privacy is closely linked to and may impact the freedom of expression, for example, when internet providers share information about dissidents with an authoritarian government and subsequent government action leads to human rights violations.
Freedom of association (Article 22 ICCPR, Article 8 ICESCR): Further, the freedom of association may be impacted, e.g. when personal information about trade union affiliation is shared with governments, particularly when the affected individual experiences state-sanctioned discrimination and other human rights violations.
Freedom of thought, conscience and religion (Article 18 ICCPR): If personal information is shared about the religious background of an individual, those individuals may be discriminated against either by government enforcement of discriminatory laws or societal discrimination.
Freedom of assembly (Article 21 ICCPR): The exercise of the right requires private communications and meetings, for example of dissidents organising protests against authoritarian regimes. Sharing such information with a third party may hinder the exercise of the right while impacting on the right to privacy. For example, if a company sells surveillance technologies to governments, it has to be aware that such technology may be used to spy on protestors.
Right to physical integrity (Articles 6 and 7 ICCPR): The right to physical integrity may be impacted when, for example, personal information shared about regime dissidents leads to torture or other harm inflicted. This was alleged by one Chinese dissident having been detained after Yahoo had shared his personal information with the Chinese government.
Further, as Chinese law does not allow more than one child, sharing information about an individual having more than one child may result in forced sterilisations thus impacting on the right to physical integrity. This also impacts the right to found a family as recognised in Article 23 ICCPR, Article 10 ICESCR.
Right to liberty and security (Article 9 ICCPR): For example, unlawful or arbitrary detentions resulting from the sharing of personal information about dissidents in an authoritarian regime violate the right to liberty and security.
International privacy protection frameworks
Universal Declaration of Human Rights, Article 12
International Covenant on Civil and Political Rights, Article 17
International Convention on the Protection of the Right of All Migrant Workers and Members of Their Families, Article 14
UN Convention on the Rights of the Child, Article 16
UN Guidelines for the Regulation of Computerized Personal Data Files
ILO code of practice on the protection of workers' personal data
ILO Recommendation concerning HIV/AIDS and the World of Work
ILO code of practice on HIV/AIDS and the world of work
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Regional privacy protection frameworks
Council of Europe
European Convention for the Protection of Human Rights and Fundamental Freedoms
European Union
EU Directive 2009/136/EC (amending, among others, Directive 2002/58/EC on privacy and electronic communications)
EU Directive 2006/24/EC on the retention of data (amending Directive 2002/58/EC on privacy and electronic communications)
"Safe Harbor" privacy protection framework
Madrid Resolution on International Standards on the Protection of Personal Data and Privacy
Website: By Verisk Maplecroft in partnership with the United Nations Global Compact