Recommendations for governments and policymakers

Tech companies will not—and in fact cannot—fully respect human rights unless governments uphold their own duty to protect human rights. Citizens must be able to hold governments accountable for how they exercise power over online speech and personal data.

Below is a summary of recommendations for governments informed by the findings of the RDR Corporate Accountability Index. These recommendations are intended for policymakers as well as policy advocates working to ensure that laws and government regulations support and sustain human rights online.

1. PROTECT HUMAN RIGHTS: Ensure that domestic laws and their implementation are consistent with international human rights standards. Law is essential to protect people from abuse, violence, and crime. At the same time, all laws affecting online speech or the use and sharing of personal data must adhere to human rights standards. Governments should avoid enacting laws that compel companies to violate, or facilitate the violation of, users’ rights to freedom of expression or privacy. Government agencies that enforce and implement laws must be subject to robust and effective oversight.
   1. Assess human rights risks and impact of laws: Laws that may affect freedom of expression and privacy should be subject to human rights impact assessments. Consistent with human rights standards, any restriction of the right to freedom of expression and opinion or the right to privacy must be prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
   2. Limit platform liability for third-party content: Any liability imposed on companies for third-party content should be consistent with international human rights instruments and other international frameworks, as outlined by the Manila Principles on Intermediary Liability (manilaprinciples.org).
   3. Enact and enforce comprehensive data protection laws in consultation with industry and civil society, with impact assessments to ensure that the laws can avoid unintended consequences for freedom of expression. Such laws should:
      • Require companies to clearly disclose to users the full lifecycle of their information, from collection, to use, to sharing, to retention and deletion.
      • Require companies to give users more control over the collection and sharing of their information, and to clearly disclose how users can exercise such control.
      • Require companies to implement and disclose appropriate policies and procedures for handling data breaches, and to notify users when their data has been compromised.
   4. Reform surveillance laws: Surveillance-related laws and practices should be assessed for their compliance with international human rights norms and reformed accordingly. Mass or “blanket” surveillance of entire populations or groups of people does not meet the “necessary and proportionate” test of human rights law.
   5. Support encryption: Governments should not weaken or undermine encryption standards, ban or limit users’ access to encryption, or enact legislation requiring companies to provide “backdoors” or vulnerabilities that allow for third-party access to unencrypted data, or to hand over encryption keys.
   6. Implement a system of robust oversight: Government power to restrict online speech or to access personal data is subject to credible oversight against abuse of censorship and surveillance powers. Without credible independent oversight, government measures to address criminal activities via private platforms and services, or to address other social, economic, and security challenges posed by new technologies, will be plagued by public and industry mistrust.
2. CORPORATE ACCOUNTABILITY: Companies should be required by law to implement board oversight, systematic internal and external reporting, and impact assessments to identify, evaluate, and mitigate potential human rights harms, including violations of users’ freedom of expression and privacy.
   • Require human rights due diligence: Companies should be compelled to conduct risk assessments to identify potential human rights impacts and harms that could occur in relation to the use of the company’s platform, service, or device. Governments should require companies to carry out credible due diligence, assessing the impact and risks of their operations and policies on users’ freedom of expression and privacy. Companies should also be required to provide meaningful grievance and remedy mechanisms, and to ensure that the law enables meaningful legal recourse and remedy for violations of these rights.
   • Require company disclosure of human rights risks: Disclosures should include risks associated with their business as well as steps companies are taking to mitigate those risks. Specifically, laws should require companies to publish information about potential human rights impacts or harms, including those related to freedom of expression and privacy; implement proactive and comprehensive impact assessments; and establish effective grievance and remedy mechanisms.
3. TRANSPARENCY: Governments should publish regular and accessible data disclosing the volume, nature, and purpose of all government requests made to companies affecting users’ freedom of expression and privacy. Companies should also be required by law to disclose meaningful and comprehensive information about the actions they take that may affect users’ freedom of expression or privacy.
   • Be transparent about demands made of companies: Governments should publish accessible information and relevant data about all requirements and demands made by government entities (national, regional, and local) that result in the restriction of speech, access to information, or access to service, or that require companies to share or provide access to user data.
   • Require corporate transparency: Companies should be required to include information about policies for enforcing rules or shaping speech, as well as data about the volume and nature of content that is restricted or removed, or accounts deactivated. Privacy laws and data protection regulations should include strong transparency and disclosure requirements so that users can make informed decisions about whether and how to use a product or service, and exercise meaningful control over how a company can use their information.
4. REMEDY: People have a right to meaningful and effective remedy, including legal recourse, when their privacy or freedom of expression rights are violated. Governments should ensure that individuals have a clear right to legal recourse when these rights are violated by any government authority or corporate entity, including when the violation occurs as the result of a government demand. Companies should be required by law to provide accessible and effective grievance and remedy mechanisms.
5. GLOBAL COLLABORATION AND ENGAGEMENT: Governments committed to advancing an internet that supports and sustains human rights should work proactively and collaboratively with one another, as well as with civil society and the private sector, to establish a positive roadmap for addressing public security threats without causing collateral violations of human rights.