2. The 2019 RDR Index ranking: Company highlights and trends

Most companies covered by previous RDR Indexes have made tangible improvements since 2015. In the past year alone, 19 of the 22 companies that were evaluated in the 2018 RDR Index made some improvements. Yet all continue to fall short in disclosing basic information to users about the design, management, and governance of the digital platforms and services that affect human rights around the world.

The Ranking Digital Rights Corporate Accountability Index measures companies’ public commitments and disclosures against standards for disclosure, policy, and practice that companies should meet in order to demonstrate respect for users’ freedom of expression and privacy rights. RDR Index scores represent the extent to which companies are meeting minimum standards. Only eight of the 24 companies evaluated scored 50 percent or higher. The highest score was just 62 percent. There is much room for improvement, even when laws are not in alignment with human rights standards, and especially when regulatory requirements lag behind marketplace realities and actual harms to users.

Figure 1: The 2019 RDR Corporate Accountability Index ranking

The highest scoring companies demonstrated relatively strong governance and oversight of human rights. They not only made clearer commitments to users’ freedom of expression as well as privacy, they also disclosed mechanisms for governance and oversight of ways that their businesses might pose risks to users’ rights. Nor is it a coincidence that the top-ranking companies are members of the Global Network Initiative (GNI), a multi-stakeholder initiative focused on upholding principles of freedom of expression and privacy in relation to government requests. GNI member companies commit to a set of principles and guidelines for their implementation, which include due diligence processes as well as transparency and accountability mechanisms.23

The RDR Index evaluates group-level policies for relevant indicators and up to five services, depending on company type. For a breakdown of the individual services evaluated, see: rankingdigitalrights.org/index2019/companies.

For more about how companies are scored, see: rankingdigitalrights.org/index2019/report/index-methodology/#evaluation

2.1 Internet and mobile ecosystem highlights

Microsoft earned first place in this year’s ranking, un-seating Google, which previously held a diminishing lead since the first RDR Index was published in 2015. Microsoft’s overall score of 62 out of a possible 100 was primarily due to strong policies and disclosures in the Governance and Privacy categories, including a number of improvements. Microsoft’s policies and disclosures related to its governance and oversight of risks affecting users’ freedom of expression and privacy topped all other internet and mobile ecosystem companies, beating Google’s governance score by 14 percentage points. Consistent application of privacy policies across all evaluated services also earned Microsoft the highest privacy score among internet and mobile ecosystem companies, edging out Google and Apple.

Google and Verizon Media (formerly Oath and originally Yahoo) are now tied for second place among internet and mobile ecosystem companies, and in the RDR Index overall. This tie is primarily due to Verizon Media’s much stronger showing on governance oversight and risk assessment, even though Google disclosed more information overall about its policies and practices in the Freedom of Expression and Privacy categories of the RDR Index. Verizon Media also distinguished itself as the most improved U.S.-based company in the 2019 RDR Index (see Figure 2 “Year-on-year score changes” below). Most notably, it rose from sixth to third place in the Freedom of Expression category.

Facebook maintained fourth place among internet and mobile ecosystem companies. Its weak disclosure of governance and oversight mechanisms caused it to lag behind some of the other companies. Most notably, its oversight and risk assessment mechanisms demonstrated too narrow a focus on government demands, and showed no evidence that the company conducts risk assessments on how it enforces its terms of service or uses automated decision-making and targeted ads—all of which are key factors contributing to Facebook’s widely reported failure to rein in hate speech and failure to protect users from unwanted and unexpected privacy violations, among other issues.24 Facebook scored comparatively well on its transparency reporting, publishing data about content restrictions as well as government demands for user information, though its disclosure of content restriction requests declined due to lack of clarity around the report’s coverage of restrictions related to WhatsApp and Messenger. Laudably, in 2018, Facebook published its first ever Community Standards Enforcement Report with regularly updated data about the nature and volume of content it restricted due to rule violations.25 It also improved some disclosures about how it handles user information. Facebook slightly improved its disclosure of options for people to control their own user information —an area in which it disclosed less than all other internet and mobile ecosystem companies last year—by stating that users can delete some types of user information that it collects. However, overall it disclosed less choice for users to control the collection, retention, and use of their information than all of its peers other than Baidu and Mail.Ru.

2.2 Telecommunications company highlights

Telefónica shot ahead of all other telecommunications companies in 2019, disclosing significantly more than its peers about policies affecting freedom of expression and privacy. The Madrid-based multinational with operations across Latin America and Europe also made more improvements than all other companies in the RDR Index by a wide margin (see Figure 2 “Year-on-year score changes” below). Notably, Telefónica’s governance score was also the highest in the entire RDR Index. The company also disclosed more information about policies and practices affecting online expression than any other telecommunications company.

Vodafone dropped to second place after being the leading telecommunications company in 2018. It was the only other telecommunications company to score more than 50 percent overall (out of a total possible 100). AT&T dropped to third place among telecommunications companies, down from first in 2017, mainly due to lack of improvement (see Figure 2 below) and a relatively low governance score compared to most of its European peers.

Two new telecommunications companies were added to the RDR Index in 2019: Telenor of Norway and Deutsche Telekom of Germany, which ranked fourth and fifth, respectively, among their peers. Deutsche Telekom scored highest in the entire RDR Index on privacy due to the strong policies and practices of its home operating company, while Telenor ranked fourth among telecommunications companies in both governance and freedom of expression. Notably, Telenor scored higher than Orange, the French telecommunications company and fellow GNI member by nine points. Orange’s strong governance at the global group level did not make up for its much weaker disclosures related to freedom of expression and privacy at the service level in its home operating market.

To read or download a company’s individual report card, see: rankingdigitalrights.org/index2019/companies

2.3 Notable changes

After Telefónica’s dramatic 16 percentage point increase, next in line for most improved were Baidu of China, followed by Yandex of Russia, and Tencent, another Chinese company.

The Chinese companies’ sharp improvements—mainly on some of the Privacy category indicators related to their security practices and handling of user information—appear to have been influenced by new data protection measures issued in China in May 2018.26 Still, these companies remained near the bottom of the RDR Index: in 2019 Tencent ranked tenth out of 12 internet and mobile ecosystem companies, while Baidu moved up to eleventh from last place, trading places for the lowest score with Russia’s Mail.Ru.

Yandex’s improvements appeared unrelated to any Russian regulatory changes, reflecting the company’s own initiative to improve. Its overall score jumped by five points, due mainly to significant improvements in the Governance category: it published a formal commitment to protect users’ human rights and disclosed employee training on privacy issues. Mail.Ru, the other Russian company, made no notable improvements.

For details of year-on-year score changes for each company, see: rankingdigitalrights.org/index2019/compare

Fig 2 – Year-on-year score changes (2018-2019)

While Apple distinguished itself in the 2018 RDR Index as the most improved company by a wide margin, in 2019 it made limited changes, primarily focusing on improving the accessibility of data about government requests to restrict accounts or hand over user information, as well as improved disclosure about encryption practices.27 In the Privacy category, Apple tied with Google for second place behind Microsoft among internet and mobile ecosystem companies. Most notably, Apple remains the only company in the entire RDR Index that clearly disclosed that it does not track users across the internet. As discussed in Chapters 3 and 4, Apple’s policies and disclosures related to freedom of expression continued to lag behind all other U.S.-based companies in the RDR Index.

América Móvil of Mexico and Bharti Airtel of India both made notable improvements in the past year, primarily in the Governance category, as will be further discussed in the next section.

The scores of the two companies from the Middle East and North Africa (MENA) region—Etisalat and Ooredoo—declined slightly. Ooredoo of Qatar, already ranked at the bottom of the RDR Index, did not publish any privacy policy, and received no credit in the Governance category. In second to last place Etisalat of the United Arab Emirates, which also did not publish a privacy policy, scored in the low single digits in the same two categories. Both disclosed little related to online expression other than details about what activities and types of speech are not allowed.

The other company whose score declined between 2018 and 2019 was Samsung, the South Korea-based mobile ecosystem company that uses Google’s Android operating system. This decline was largely due to a decrease in transparency and clarity about its security policies and practices.

Samsung’s relatively low ranking in the RDR Index stands in marked contrast with Kakao, the South Korea-based internet company which outscored Samsung by 21 percentage points in the overall RDR Index, and which earned high scores on five indicators in the Privacy category. Kakao’s competitive showing in the RDR Index overall and strong disclosures and policies in key areas show that corporate accountability for users’ human rights can occur in any culture or region where rule of law, freedom of the press, and civil and political rights are highly valued and well defended.

Research for the 2019 RDR Index was based on company policies that were active between January 13, 2018 and February 8, 2019. New information published by companies after February 8, 2019 was not evaluated in this year’s Index. Note that some of the 2018 RDR Index scores were adjusted to align with the 2019 RDR Index evaluation.

For more about our methodology, see: rankingdigitalrights.org/index2019/report/index-methodology/#evaluation

Footnotes

[23] “The GNI Principles,” Global Network Initiative, accessed April 22, 2019, globalnetworkinitiative.org/gni-principles/ 

[24] “Facebook says it was ‘too slow’ to fight hate speech in Myanmar,” Reuters, August 16, 2018, www.cnbc.com/2018/08/16/facebook-says-it-was-too-slow-to-fight-hate-speech-in-myanmar.html; Ariana Tobin, Madeleine Varner, and Julia Angwin, “Facebook’s Uneven Enforcement of Hate Speech Rules Allows Vile Posts to Stay Up,” ProPublica, December 28, 2017, www.propublica.org/article/facebook-enforcement-hate-speech-rules-mistakes; Michelle Castillo, “Facebook’s Mark Zuckerberg: ‘I’m responsible for what happened’ with data privacy issues,” CNBC, April 4, 2018, www.cnbc.com/2018/04/04/mark-zuckerberg-facebook-user-privacy-issues-my-mistake.html

[25] “Community Standards Enforcement Report,” Facebook, accessed April 22, 2019, transparency.facebook.com/community-standards-enforcement 

[26] “National Standards on Information Security Technology – Personal Information Security Specification GB/T 35273-2017 (“PI Specification”),” (Standardization Administration of China, May 2018), www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE

[27] “Year-on-year Comparison,” 2018 Ranking Digital Rights Corporate Accountability Index, rankingdigitalrights.org/index2018/compare