Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.
Vietnam parliament approves restrictive cybersecurity measures
Parliament House in Hanoi. Photo by user Hieucd via Wikimedia Commons (CC BY-SA 4.0)
Lawmakers in Vietnam have passed a cybersecurity law limiting freedom of expression online and requiring tech companies to store data locally and to operate offices in the country.
Set to take effect on January 1, 2019 the law includes vague and broad provisions banning speech and posts deemed offensive to the ‘’nation, the national flag, the national anthem, great people, leaders, notable people and national heroes.’’ The law further prohibits the dissemination of ‘’incorrect information.’’ At the request of the Information and Communications Ministry or the Public Security Ministry, companies will have 24 hours to remove content in violation of the new law.
The law raises privacy concerns since it requires tech companies to store data on servers in Vietnam, making it easier for authorities to force companies to hand over user data.
Speaking to lawmakers before the vote, Vo Trong Viet, chairperson of the National Assembly’s Committee on Defense and Security defended the bill on security grounds. However, the bill’s adoption is part of a wider crackdown targeting government critics online, human rights activists, independent journalists and bloggers.
It remains unclear how tech companies will respond to these measures. In a brief statement the Asia Internet Coalition (AIC), an industry group that represents tech and internet companies in Asia including Facebook, Twitter, Google and Line, said that it was ‘’disappointed’ that the law was passed. ‘’The provisions for data localisation, controls on content that affect free speech, and local office requirements will undoubtedly hinder the nation’s 4th Industrial Revolution ambitions to achieve GDP and job growth,’’ according to the group’s statement.
Companies should conduct regular, comprehensive human rights risk assessments evaluating how laws affect freedom of expression and privacy in the jurisdictions in which they operate, and assess freedom of expression and privacy risks when entering new markets or launching new products. Companies should also seek ways to mitigate risks posed by those impacts. The 2018 Corporate Accountability Index found that while Facebook, Google, Microsoft and Oath disclose strong commitments to conduct human rights impact assessments, other major tech players lag behind. Both Apple and Samsung fail to disclose whether or not they regularly assess risks to freedom of expression associated with the laws of the jurisdictions where they operate or a new activity such as the launch of a new service or entry into a new market.
Net neutrality repeal goes into effect
The Federal Communications Commission’s (FCC) decision to repeal net neutrality protections went into effect on June 11. The 2015 rules, which required ISPs to treat all internet traffic equally, were repealed by the FCC last December, drawing criticism from digital rights groups.
The fight for net neutrality in the U.S. is, however, far from over. At the state level, a number of states started processes to protect net neutrality. Last month, the California Senate approved a bill to protect net neutrality.
After the Senate voted to repeal the FCC decision on May 16, digital rights groups and activists are now calling on the House of Representatives to follow suit. According to Wired, 170 lawmakers have already signed a petition to force a vote. For that to happen, a majority of representatives need to sign it.
A lawsuit filed by 23 state-attorneys to preserve net neutrality is also pending.
A free and open internet depends on the ability for all users to have equal access to content and services, which is not possible if ISPs block or delay certain types of content or apps. Telecommunications companies should therefore commit to not prioritize or block certain types of network traffic. As the 2018 Corporate Accountability Index research showed, most of the world’s leading telecommunications companies fall short of making such a public commitment. Of the ten telecommunications companies evaluated, Vodafone was the only company to clearly disclose that it does not prioritize, block, or delay certain types of traffic, applications, protocols, or content for reasons beyond assuring quality of service and reliability of the network.
UK fines Yahoo over data breach
UK data protection regulators have fined Yahoo £250,000 (around $334,000) over a massive data breach that dates back to 2014. The company only revealed the breach in 2016, blaming it on a state-sponsored attacker. Data of 500 million users, including 515,000 UK accounts, were affected. The stolen information included people’s names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers.
The investigation identified a number of ‘’failings’’ from the part of Yahoo including failing to ‘’take appropriate technical and organisational measures’’ to protect user data from unauthorised access and to comply with ‘’appropriate data protection standards.’’
Yahoo, which has since been acquired by Verizon and merged with AOL to form Oath, ia also facing lawsuits in the U.S. over a series of data breaches that occurred between 2013 and 2016 that affected all of the company’s 3 billion users.
Internet, mobile, and telecommunications companies should clearly disclose their processes for responding to data breaches. Oath was among 18 out of 22 companies evaluated by the 2018 Corporate Accountability Index that failed to reveal any information on how they respond to data breaches, including whether or not they commit to notify relevant authorities without undue delay and their process for notifying data subjects affected by the breach.
