Our methodology places heavy emphasis on Human Rights Impact Assessments. Because HRIA’s are a relatively new concept for many companies in the ICT sector, we thought it would be helpful to share an excerpt from a book chapter about HRIAs written by one of our advisors, Michael Samway, former Vice President and Deputy General Counsel of Yahoo!, now a visiting fellow at NYU’s Stern Center for Business and Human Rights and visiting scholar at Georgetown University.
The following is reproduced with the author’s permission from:
Michael A. Samway, “Business, Human Rights and the Internet: A Framework for Implementation” in Human Dignity and the Future of Global Institutions (eds. Arend and Lagon, Georgetown University Press, 2014)
Companies must be committed to exploring human rights risks that arise based on corporate products, services and actions, especially in challenging markets where the rule of law is weak. Companies should conduct extensive research on the human rights landscape in these markets, much as they might do research on a country’s tax code or on the backgrounds of the officers of a company they plan to acquire. The idea is not to create from scratch a report that looks like a U.S. Department of State country report or an international NGO report on human rights. Those reports, prepared by experts, are available to the public. Companies must consult those sources, as well as numerous others, and members of a company’s human rights program should also call on individual, academic, NGO, policy, government and other experts for input and analysis. Forming institutional partnerships and developing relationships of trust in those stakeholder communities allows for confidential consultations and input invaluable to companies in mitigating risk and in creating value.
Using those, among many other, sources is a starting point for the research, or due diligence, a company should conduct in the field of human rights as it relates to the ICT sector. From its research, a company should prepare a human rights impact assessment (HRIA). HRIAs are particularly useful when entering new markets or launching new products or services. HRIAs should not be static and should be updated as market circumstances or business plans change. Ultimately, the HRIA informs and guides the evolving corporate strategies to protect ICT company customers’ rights to freedom of expression and privacy. As part of a company’s executive commitment to human rights, employees should be aware of, and engaged in, the human rights due diligence process.
Companies should also publicly commit to this process to demonstrate to the public the company is committed to making responsible decisions where its business may intersect human rights. An HRIA should be in writing and should help form a library of reports inside a company.
The detailed report may have significant sensitive and proprietary information and may need to remain confidential in part and redacted if disclosed. The company should also treat the information about local circumstances in a careful manner. For example, publicly criticizing local officials can poison key relationships and undermine business entry into a market. Certain disclosures might present risks of retaliation by state officials against local employees. Local employees should also be made aware of potential risks so they know the parent company’s actions may be seen as unfriendly toward the local government and that the repercussions may be felt by the local employees.
One way to route a completed HRIA internally is to send it to corporate executives and for review, signature and assurance they will share the relevant messages or instructions with their own business teams. That may be a message of emphasis and acknowledgement, with the human rights team communicating the detailed operational points to the involved employees and to the executive team members.
An HRIA in the ICT sector should include at least the following topic areas:
- The international legal and moral foundations for the rights to freedom of expression and privacy. This section should review the UDHR and covenants later adopted by U.N. member states plus the state of customary international law on the subject. The review should also cover the conclusions reached in the U.N. Framework on Business and Human Rights, including the principles of the state duty to protect, corporate responsibility to respect and both actors’ obligation to provide reasonable avenues for remedy.
- The general human rights landscape in the relevant country or region, with a particular focus on rule of law, freedom of expression and privacy. This is the research that gives a company and its employees in-depth background on the issues that relate to the operations or business of the company. Companies perform due diligence on a local market’s economy, business conditions and regulatory climate. Companies must consider the human rights implications in a manner just as in-depth and detailed. Much of this information is already in the public domain and produced by various international human rights organizations, the United Nations and national governments themselves.
- Local laws regarding free expression and privacy. Companies should have a clear sense of what the law in a local jurisdiction requires of local businesses. This review would include not only the corporate aspects such as registration and filing requirements but also the laws that apply to the area of the business where human rights may be implicated. A company should become familiar with the laws, regulations, court decisions or administrative practices regarding the protections of free speech and privacy.
- Business and product plans for entry into the market. In order to map the company’s products and services to the potential risk areas, the team leading the HRIA should outline the projected business plans for the particular market. Support for the HRIA process must come from across disciplines in the business. The operations and strategy teams, for example, must provide input on current plans for product development and distribution in certain markets. This ensures the core team conducting the HRIA knows what the business teams (whether sales, product, engineering, operations or other) are planning and can develop strategies to limit human rights risks.
- The potential to promote human rights. To the extent an ICT company’s products have the potential to promote social good and human rights – whether through access to information or communications tools or both – the company should reiterate this objective in the HRIA. It is, after all, part of the decision calculus on entry into a challenging market.
- Risk scenarios based on the company’s products and operations. In this section, the team leading the HRIA process should explain the possible intersection points between the business and human rights issues. This should be based on experience at the company and also based on what industry counterparts, NGOs, academic experts, media, diplomats and others might say about likely risk scenarios. One example of a risk area may be where the laws as written provide protections of certain rights but the laws as enforced in practice do not provide that protection.
- Proposed strategies for mitigating those risks and protecting human rights. This section may offer technical detail about system architecture and jurisdictional choices. For example, an ICT company may establish business operations in a local market but limit local employees’ editorial decision-making, where feasible, in order to limit exposure to content take-down requests by governments. Similarly, a company may limit local employee access to user information. If feasible from a business and engineering perspective, for example, a company may locate computer servers with sensitive information in markets where access can be more effectively limited in a jurisdiction with stronger rule of law. This concluding section of the HRIA should also explain the company’s overall commitment to high-level principles and ongoing engagement with internal and external stakeholders.