The corporations’ dilemma: navigating government access to information
Technology can help to prevent conflict, but it can also facilitate human rights abuses, and companies that collect user data are in the middle of the debate.
In conflict situations and in countries under authoritarian rule, government access to data poses multiple human rights challenges for corporations.
Technology can be instrumental in realizing human rights in conflict and post conflict countries by enabling freedom of expression or helping to prevent violent conflict through democratic mobilization and exchange. Two such examples are the Tunisian Jasmine Revolution in 2011—where social media played a large role in protests against government misconduct—and the pro-democracy protests in the Hong Kong Umbrella Movement of 2014. At the same time, technology has a record of facilitating human rights abuses, such as government surveillance of opposition members in Ethiopia or silencing dissidents in the UAE.
Companies are increasingly collecting data that allow in-depth insights into their users’ private and professional circles, political opinions, patterns of consumption, and geographic location. Data profiling of individuals has become easier, cheaper, and widespread, as the Cambridge Analytica case has shown. Also governments can—and do—monitor their citizens’ behavior based on data facilitated by new technologies. State actors show growing interest in obtaining data collected by corporations. According to corporate transparency reports, information by AccessNow, data from complaint mechanisms and the Ranking Digital Rights’ Corporate Accountability Index, government requests for user data from companies are growing.
Activists wanting to protect human rights related to data access must recognize the complexities of threats to corporate personnel or infrastructure".
In conflict situations and in countries under authoritarian rule, government access to data poses multiple human rights challenges for corporations. Once disclosed, data might be used by governments to infringe on people’s rights. Yet, if companies do not comply with requests, drastic retaliatory measures might follow, such as threats and violence to the local workforce or seizure of telecommunications infrastructure. As many companies want to adhere to the UN Guiding Principles on Business and Human Rights and protect freedom of expression and privacy, or at least face public pressure to do so, corporate actors must weigh their data decisions carefully.
Government requests for data disclosure are not limited to authoritarian states or conflict areas. These requests are also widespread in Western/OECD-states, especially under the rhetoric of preventing terrorism. However, the potential consequences in authoritarian states and conflict zones can have more severe consequences, such as detentions of opposition members, silencing of minorities, escalation of conflict or, in extreme cases, violent attacks against human rights defenders.
Since introducing its bi-annual transparency reporting in 2010, Google has documented steadily rising figures of third-party user data requests. In 2010, Hong Kong authorities issued about 140 requests for user data. Leading up to the Umbrella Movement in 2014, this figure rose to 726 requests. Google handed data to authorities in respectively 48% (January-July) and 43% (August-December) of the cases in 2014. Yet, how Google determines when to hand over data is described under legal processes for user data requests in rather opaque ways: inside the US, the written request must be “signed by an authorized official of the requesting agency and issued under an appropriate law”. Outside the US, the standard procedure would be via Mutual Legal Assistance Treaties, and other diplomatic or cooperative arrangements. User data can also be disclosed in response to valid legal process from non-US government agencies, in consistency with international norms, US law, Google's policies and the law of the requesting country.
In other instances, companies have pushed back against government data disclosure requests and have been recognized by civil society for good practices dealing with data-related human rights challenges. Telefonica, for example, has received praise from civil society for its increasingly transparent reporting practices. Also, in January 2016, Guinea’s post and telecommunications regulator demanded cooperation from telecommunications companies to set up a central control centre for all voice and data traffic. The regulator requested that companies to hand over all call detail records and subscriber data from the previous month. Three of Guinea’s largest operators, Orange, MTN, and Cellcom, denied the request, stating that it lacked a “total absence of legal basis,” and would violate privacy protections. Whereas Human Rights Watch did receive information indicating that two of the companies ultimately agreed to comply, Orange allegedly stood with its decision.
These cases illustrate that government requests for data disclosure, and user data specifically, put corporations in a dilemma. Companies that operate social media and technology platforms are often able to decline government requests; however, telecommunications companies usually make considerable infrastructure and/or personnel investments on the ground and rely on a cooperative relationship with governmental actors to keep their operating licenses. Orange, as one example, has highlighted the challenges of operating in countries when governments pressured the company to disclose user information during social uprisings, such as in Egypt and Tunisia.
In response to these dilemmas, the telecommunications industry established the Telecommunications Industry Dialogue, which published its Guiding Principles on Freedom of Expression and Privacy in 2013. In the last year, the Telecommunications Industry Dialogue merged with the Global Network Initiative (GNI), a multi-stakeholder platform set up in 2008 to uphold human rights both in the telecommunications and the internet sector. The GNI is increasingly working on complicated cases of government requests, under tension between the protection of privacy, freedom of expression, and personal security.
Understanding the key factors for corporate decision-making is critical. Activists wanting to protect human rights related to data access must recognize the complexities of threats to corporate personnel or infrastructure. Often, the situation is not clear-cut. Companies have started to identify ways to work jointly on these challenges, but much more remains to be done.
Transparency about how companies deal with government data disclosure requests has to be increased by providing higher quality insights on the basis of more granular and case-specific information. This would entail analysing complex cases based on actual results, to enable learning in the industry, which would then allow practice-oriented guidance about the corporate scope of action in a dilemma situation to be formulated.
Many tech giants are members of progressive networks, such as the GNI, and have sufficient organizational capacity to raise the level playing field. By introducing a credible system for evaluating human rights impacts of data handovers to governments, these actors can exert their market power to improve corporate conduct world-wide. The industry has to move beyond reporting to mitigate the negative impacts that their technological services can have on their users.
Isabel Laura Ebert is a research associate at Institute for Business Ethics, University of St. Gallen, Switzerland. Her PhD research explores how companies can ethically deal with government data disclosure requests, and her new findings with Dr. Melanie Coni-Zimmer (PRIF) will be presented at the 2018 Amsterdam Privacy Conference.