8. Recommendations for governments

Even in the absence of policy and regulatory reform, all companies in the Index can take immediate steps to improve their respect for users’ rights. Yet the 2018 Index results also highlight the extent to which government, law, and politics shape companies’ ability to respect users’ freedom of expression and privacy. The rights of internet users around the world will be better protected and respected if governments take the following measures:

Privacy: Enact and enforce comprehensive data protection laws in consultation with industry and civil society, with impact assessments to ensure that the laws can avoid unintended consequences for freedom of expression.

Such laws should:

  • Require companies to clearly disclose to users the full lifecycle of their information, from collection, to use, to sharing, to retention and deletion.

  • Require companies to give users more control over the collection and sharing of their information, and to clearly disclose how users can exercise such control.

  • Require companies to implement and disclose appropriate policies and procedures for handling data breaches, and to notify users when their data has been compromised.

Security: Support appropriate incentives for companies to adopt industry standard security practices and require appropriate disclosure to users.

Research and Development: Support development of technologies and business models that maximize individual control over personal data as well as the information and content that people create. Most immediately, support development of a viable system for users to indicate they do not want to be tracked across the internet, and establish incentives for companies to make a clear commitment to respect these preferences.

Corporate accountability: Ensure that laws and regulations maximize companies’ ability to be transparent and accountable with users about how they receive and handle government and other third-party requests to restrict speech or information flows, or to share user information. Laws that prevent transparency and cannot be justified on public security grounds, in line with international human rights standards, should be reformed.

Government accountability: Publish government transparency reports that disclose the volume, nature, and legal basis for requests made to companies to share user information or restrict speech. This should be a fundamental component of any nation’s commitment to open government.[101]

Judicial remedy: Ensure that adequate judicial remedies are in place for internet users whose freedom of expression and privacy rights are violated.

Corporate remedy: Require companies to provide and implement effective mechanisms for grievance and remedy that are accessible to users who believe that their freedom of expression and privacy rights have been violated in connection with the use of a company’s products and services.

Legislative accountability: Carry out human rights due diligence to ensure that laws and regulations governing ICT sector companies do not have a negative impact on internet users’ freedom of expression and privacy as defined by the Universal Declaration of Human Rights[102] and international human rights instruments, such as the International Covenant on Civil and Political Rights.[103] Where laws are not compatible with human rights standards, reform should include:

  • Surveillance reform: Reform surveillance-related laws and practices to comply with the thirteen “Necessary and Proportionate” principles,[104] 
a framework for assessing whether current or proposed surveillance laws and practices are compatible with international human rights norms.

  • Limit legal liability imposed on companies for their users’ speech and other activities, consistent with the Manila Principles on Intermediary Liability, a framework of baseline practices and standards to ensure that regulation of ICT sector companies does not result in the violation of users’ rights.[105]

  • Protect the right to anonymous online activity as central to freedom of expression, privacy, and human rights. Refrain from requiring companies to document users’ identities when it is not essential to provision of service.

  • Do not enact laws or policies that undermine encryption. Strong encryption is vital not only for human rights, but also for economic and political security.

Footnotes

[101] “Working Group 3- Privacy and Transparency” (Freedom Online Coalition, November 2015), https://www.freedomonlinecoalition.com/wp-content/uploads/2015/10/FOC-WG3-Privacy-and-Transparency-Online-Report-November-2015.pdf.

[102] “Universal Declaration of Human Rights” (United Nations, December 10, 1948), http://www.un.org/en/universal-declaration-human-rights/.

[103] “International Covenant on Civil and Political Rights” (United Nations, December 16, 1966), http://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx/.

[104] “International Principles on the Application of Human Rights to Communications Surveillance,” Necessary and Proportionate, accessed March 22, 2018, https://necessaryandproportionate.org/principles/.

[105] “Manila Principles on Intermediary Liability,” Manila Principles, accessed March 22, 2018, https://www.manilaprinciples.org/.

[106] Global Commission on Internet Governance, “One Internet,” Centre for International Governance Innovation, June 21, 2016, https://www.cigionline.org/publications/one-internet.