FREEDOM AND SAFETY
The 2019 Ranking Digital Rights Corporate Accountability Index evaluated 24 of the world’s most powerful internet, mobile ecosystem, and telecommunications companies on their publicly disclosed commitments and policies affecting freedom of expression and privacy. These companies held a combined market capitalization of nearly USD 5 trillion. Their products and services are used by a majority of the world’s 4.3 billion internet users.
People have a right to know. Companies have a responsibility to show. The 2019 RDR Index evaluated 24 companies on 35 indicators examining disclosed commitments, policies, and practices affecting freedom of expression and privacy, including corporate governance and accountability mechanisms. RDR Index scores represent the extent to which companies are meeting minimum standards. Yet few companies scored above 50 percent. While the results reveal some progress, many problems have persisted since the first RDR Index was launched in 2015.
Progress: Most companies have made meaningful efforts to improve. Of the 22 companies evaluated in the previous RDR Index, 19 companies disclosed more about their commitments, policies, and practices affecting users’ freedom of expression and privacy.
Persistent problems: People around the world still lack basic information about who controls their ability to connect, speak online, or access information, or who has the ability to access their personal information under what circumstances. Governments are responding to serious threats perpetrated through networked communications technologies. While some regulations have improved company disclosures, policies, and practices, other regulations have made it harder for companies to meet global human rights standards for transparency, responsible practice, and accountability in relation to freedom of expression and privacy. Even when faced with challenging regulatory environments in many countries, companies must take more affirmative steps to respect users’ rights.
If the internet is to be designed, operated, and governed in a way that protects and respects human rights, everyone must take responsibility: companies, governments, investors, civil society organizations, and individuals - as employees of companies, as citizens of nations, as consumers of products, and as users of a global communications network.
Below are our top-line recommendations for companies and governments. More detailed recommendations can be found at the end of Chapters 3, 4, and 5. Chapter 6 proposes questions for investors to ask companies.
Regardless of the legal environment, companies are responsible for the impact of their products, services, and business operations on human rights. All companies evaluated in the RDR Index can make many improvements immediately, even in the absence of legal and policy reform.
1. Go beyond legal compliance: No legal regime covered by the RDR Index enables or requires the full range of actions companies should take to respect and protect users’ human rights. For companies that are committed to respecting freedom of expression and privacy as human rights, the RDR Index indicators offer clear standards to follow.
2. Be transparent: Companies should disclose comprehensive and systematic data and other information that enables users to have a clear understanding of how online speech can be restricted or manipulated, and how personal information can be accessed and used - by whom and under what authority.
3. Get serious about oversight and due diligence: Board oversight and comprehensive due diligence mechanisms are necessary to identify how freedom of expression and privacy may be affected by the company’s business, and to ensure that the company works to maximize the protection of users’ human rights.
4. Offer effective grievance and remedy mechanisms: Users need to be able to report harms and seek remediation when their freedom of expression or privacy rights are violated in connection with using the company’s platform, service, or device.
5. Innovate for better governance of data and speech: Work with civil society, investors, and governments to create new approaches for addressing threats to individuals and societies while also protecting users’ rights.
Governments should uphold their duty to protect human rights if companies are to fully respect human rights, consistent with the U.N. Guiding Principles on Business and Human Rights. Citizens must be able to hold government accountable for how it exercises power over online speech and personal data.
1. Uphold human rights standards: Strong data protection law is essential for protecting privacy. Government also has a duty to protect people from violence and crime. At the same time, all laws affecting online speech, or the use and sharing of personal data by any entity, must uphold human rights standards. Governments should not enact laws that compel companies to violate, or facilitate the violation of, users’ rights to freedom of expression or privacy. Any restriction of the right to freedom of expression and opinion or the right to privacy must be prescribed by law, necessary to achieve a legitimate aim (consistent with human rights standards), and proportionate to the aim pursued.
2. Commit to robust oversight: Ensure that government power to restrict online speech or access personal data is subject to meaningful oversight against abuse of censorship and surveillance power. Without credible oversight, government measures to address harmful and malicious activities via private platforms and services, or to address other social, economic, and security challenges, will be plagued by public and industry mistrust.
3. Implement and require transparency: Publish regular and accessible data disclosing the volume, nature, and purpose of all government requests made to companies affecting users’ freedom of expression and privacy. Companies should also be required by law to disclose meaningful and comprehensive information about the full range of actions companies take that may affect users’ freedom of expression or privacy.
4. Require strong corporate governance: Companies should be required by law to implement board oversight, systematic internal and external reporting, and impact assessments to identify, evaluate, and mitigate potential human rights harms, including violations of users’ freedom of expression and privacy.
5. Ensure adequate access to remedy: People have a right to meaningful and effective remedy, including legal recourse, when their privacy or freedom of expression rights are violated. Companies should also be required by law to provide accessible and effective grievance and remedy mechanisms.