GNI Publishes Assessment Report of Member Companies, Proposes Measures to Strengthen Free Expression, Privacy in ICT Sector

Mark Stephens, GNI, Chair
Mark Stephens, GNI, Chair

The Global Network Initiative (GNI) has published a public report from an independent assessment of 11 of its member companies with recommendations on how the companies can contribute to protecting and advancing freedom of expression and privacy rights in the information, communications and technology (ICT) sector globally.

The 115-page report, which covers four Internet companies, six telecommunications network operators and one telecommunications equipment vendor, is published in English, Arabic, Chinese, French, Hindi, Russian, Spanish and Turkish.

The companies assessed in the report are Facebook, Google, Microsoft, Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company, Verizon Media, and Vodafone Group.

The assessment cycle covered a two-year period, from July 1, 2016, to July 1, 2018 (“the assessment period”). However, for some of the companies, namely Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company, and Vodafone Group, their review covered the period from their joining GNI on March 27, 2017, to July 1, 2018.

The recommendations made by the independent assessors for companies to consider, based on findings from the current assessment cycle, cover broad areas such as Context of the Assessment, Governance, Due Diligence and Risk Management, Freedom of Expression and Privacy in Practice, as well as Transparency and Engagement. 

On the Context of Assessment, several recommendations touched on suggested changes to company practices to better prepare for and enable future assessments. 

On the issue of Governance, the recommendations included preparing and facilitating dedicated briefing sessions or reports for new Chief Executive Officers and/or other senior management on company efforts related to implementing the GNI Principles; ensuring that policies and procedures relating to the GNI Principles are consistently applied across all company products or business units, including recently acquired companies; formalizing reporting processes on issues relating to freedom of expression and privacy, to avoid confusion over who reports to whom, as well as formalizing processes for monitoring and follow up. This could include systems to share information with other internal company teams who may encounter similar issues and thereby facilitate learning within the company.

They also recommended creating a centralized human rights programme within the company to enhance current activity to implement the GNI Principles and ensure that structures are in place to improve implementation during periods of growth or change; integrating commitments to GNI into the hiring and onboarding of staff, such as including human rights as a company value within the hiring process, with considerations for those roles that directly engage with freedom of expression and privacy rights.

The companies were also advised to consider developing or enhancing onboarding programmes for new employees, including those directly responsible for government requests and making processes for escalation of freedom of expression and privacy issues to higher levels of the company sufficiently resilient in the face of increasing interest from employees as well as the public. 

On the issue of Due Diligence and Risk Management, it was recommended that the companies should periodically reassess company human rights policies and guidelines, which could include risk assessments and determinations about the most salient or material risks that the company faces with regard to freedom of expression 95 and privacy.

It was also suggested that they should be implementing processes with dedicated resources to perform due diligence around business relationships other than suppliers, which could include taking extra steps to address safeguards for freedom of expression and privacy with third-party relationships. Such third-party relationships range from network operator site leases, agents, and partners to Internet company developer communities.

Other recommendations on the topic include enhancing efforts to mitigate freedom of expression and privacy risks from suppliers by mapping out how different functions within the company, such as security, supply chain, legal, to engage with suppliers, which would help determine how to further strengthen oversight of supplier performance; developing and implementing appropriate processes to conduct human rights due diligence and/or impact assessments when digesting and integrating the results of human rights due diligence (HRDD) and HRIAs into overall company risk reporting, which could entail providing guidance on the use of company risk tools and ensuring they are being used for freedom of expression and privacy issues. 

Recommendations under Freedom of Expression and Privacy in Practice, include developing country-specific policies and procedures to assist local personnel in operationalizing company-wide policies to implement the GNI Principles, in view of the challenges that arise in implementing the Principles in different countries; and considering a centralized system to track implementation of policies and procedures relevant to the GNI Principles across company business units.

Companies were also advised to consider conducting periodic internal audits of company law enforcement response functions to help ensure the consistent application of policies and procedures; and strengthening efforts to seek the assistance, as needed, of relevant government authorities, international human rights bodies or non-governmental organizations when faced with a government restriction or demand that appears overly broad, unlawful, or otherwise inconsistent with international human rights laws and standards on freedom of expression or privacy. 

On the issue of Transparency and Engagement, the recommendations include increasing transparency to users, when permitted by law, about how long government requests, including personal information provided by governments in the request, are retained by the company; and promoting curiosity within the company on freedom of expression and privacy, to raise awareness and enhance consideration of these rights in the company’s activities.

Other recommendations were working with multi-stakeholder coalitions comprising companies, civil society organizations, and others,to engage with governments to encourage legal reforms that would enable the company to disclose to its customers that they have been the subject of a government request, provided such disclosures do not interfere with an ongoing government investigation or national security interests; and encouraging more frequent multi-stakeholder gatherings and work with GNI to facilitate engagement at the local level to better understand the impact of company 96 operations in specific geographic areas.

Launched in 2008, GNI brings together companies in the information and communications technology (ICT) sector; civil society organizations, including human rights and press freedom groups; investors, academics and academic institutions as well as investors from around the world to enhance freedom of expression and privacy in the ICT sector.

Its mission is to protect and advance freedom of expression and privacy rights in the ICT sector by setting a global standard for responsible decision making and serving as a multi-stakeholder voice in the face of government restrictions and demands.

It seeks to provide a framework for responsible company decision making, foster accountability by member companies, offer a safe space for shared learning, and provide a forum for collective advocacy in support of laws and policies that promote and protect freedom of expression and privacy.

A major feature of GNI is its independent assessment process that relies on a methodology designed to allow GNI’s civil society, academic, and investor board members insight into the efforts of member companies to implement the GNI Principles on Freedom of Expression and Privacy.

The recently published 115-page report marks the third cycle of GNI company assessments, which is based on a detailed evaluation of confidential reports prepared by independent assessors, and the querying of the assessors and member companies, by which GNI’s multi-stakeholder Board of Directors is able to determine whether each company is making good-faith efforts to implement the GNI Principles with improvement over time.

The independent assessments were conducted according to the GNI Assessment Toolkit by assessors accredited by the GNI Board as meeting the independence and competency criteria established by GNI.  The assessors then participated in mandatory assessor training and received access to information, including relevant documents in secure settings.

They also had access to key company personnel, from frontline teams to senior management, and conducted a total of 125 interviews.

The assessments included an examination of 86 case studies, which looked at how the companies are dealing with government requests and demands in practice, after which the GNI Board met four times over the course of 2019 to review the 11 company reports

The GNI Principles are grounded in international human rights law and informed by the corporate responsibility to respect human rights, as articulated in the United Nations Guiding Principles on Business and Human Rights (UNGPs).

The GNI Principles state the overarching commitment of members to collaborate in the advancement of user rights to freedom of expression and privacy in the context of government demands while the GNI Implementation Guidelines provide more detailed guidance to ICT companies on how to put the GNI Principles into practice, all as providing the framework for collaboration among companies, NGOs, investors, and academics.

GNI says commitment to the GNI Principles has had a meaningful impact on ICT companies’ practices, as reported by the Ranking Digital Rights and the Corporate Accountability Index.

As at December 31, 2019, GNI had 64 members from 23 countries across Africa, Asia, Europe, Latin America, North America, and the Middle East, including the companies assessed during the latest cycle, which are estimated to be serving billions of users worldwide.