How can responsible companies protect their legitimate legal, ethical and commercial interests, assets and integrity in emerging economies while maintaining the right to privacy of employees, business partners and customers, when such rights are less well protected or where domestic laws infringe on privacy, and where there is high risk of exposure to corruption and fraud?

Challenges in emerging markets

The right to privacy has seen restrictions triggered by events over the past decade including 9/11 and the threat of terrorism. Domestic legislation has extended the reach of governments into the private life of citizens on the grounds of security, law enforcement, and the fight against terrorism, illegal immigration, welfare fraud and even administrative efficiency. Privacy International states that technological advances and the globalisation of information among other things put pressure on the few remaining privacy safeguards.1

The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, also raises this concern. He highlights that an erosion of the right to privacy "takes place through the use of surveillance powers and new technologies, which are used without adequate legal safeguards. States have endangered the protection of the right to privacy by not extending pre-existing safeguards in their cooperation with third countries and private actors."

The Special Rapporteur notes that violations of the right to privacy also have an impact on due process rights, the freedom of movement, the freedom of association and the freedom of expression.2 The right to privacy underpins human dignity and is closely related to the freedom of speech. It is firmly enshrined in the International Bill of Human Rights and, in the view of the Human Rights Committee which monitors the implementation of the International Covenant on Civil and Political Rights (ICCPR), "this right is required to be guaranteed against all such interferences and attacks whether they emanate from State authorities or from natural or legal persons".3

The dilemma for responsible businesses is how companies can refrain from interfering with the right to privacy of employees and business partners when operating in or sourcing from emerging markets that present a high risk environment in terms of corruption, fraud, the liquidity of the business partner, or simply present national legal frameworks infringing upon the right to privacy of those individuals.

For example, authoritarian regimes are known to significantly impact on the privacy of individuals. Domestic laws may have discriminatory effects and may require multinational corporations (MNCs) to share personal information about employees. Governments may rely on security forces and the monitoring of communications in order to track activists.

Companies, particularly in (but not limited to) the IT sector, may be faced with government requests to supply stored personal information for the authorities to use or to provide government agencies with automatic access to stored information. Government monitoring and censuring may not necessarily be made known to the MNC and discovery could result in dilemmas regarding the MNC presence in the country. These requests not only impact the right to privacy, they also affect other human rights, e.g. when the detection of certain personal information leads to discriminatory consequences. These consequences may include arrests and detentions and other punitive action by the state. MNCs are at risk of complicity in such abuses of human rights, even if they were unaware of the illegal, or indeed legal, activity at the time that it was undertaken.

Furthermore, serious health risks may impact heavily on the workforce in certain regions – for example, with respect to HIV/AIDS in South Africa – and may warrant health assessments of employees. While companies have a legitimate interest in assessing those risks to ensure employee safety and productivity, they are faced with important restraints in the name of privacy protection.

While these risks persist in developed economies, there generally exist more protections and better security to prevent abuse of privacy in the business environment. The risks are more prevalent in emerging markets, which has prompted companies to apply a higher degree of scrutiny to business partners and employees in unfamiliar environments. Particularly in weak governance zones, companies are faced with a higher risk when forming relationships with employees, business partners and clients that may damage their reputations or implicate them in violations of law or human rights abuses.4

According to Privacy International's National Privacy Ranking5, emerging economies are among the worst offenders in terms of the protection of privacy. The lowest ranking countries include Malaysia, Russia and China. India and the Philippines both rank in the highest risk category, indicating "endemic surveillance".6 The level of risk to which companies are exposed, due to their relations with third parties, increases as supply chains are largely international and complex.7 As important opportunities to engage in business activity are now often in unfamiliar environments such as emerging markets, risks are higher as rules may be different or even unclear, fast evolving and contradictory.

These risks can be minimised and mitigated by conducting strict due diligence on business partners or employees, which does not infringe on privacy. These processes may include intensified screening of the individuals concerned, such as background checks offered by a myriad of service providers, as well as the collection and storing of personal information. However, if not undertaken to the highest standards of integrity and legality, these mechanisms of due diligence may impact the right to privacy as protected in a number of domestic laws and international human rights instruments, such as Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

Defining the right to privacy

When attempting to demarcate the reach of the right to privacy and define its limitations, businesses may encounter difficulties. Privacy International states that definitions of the right to privacy differ relative to the context and environment and that there is no single definition.8 According to General Comment No. 16 to Article 17 of the ICCPR9 the right to privacy extends to all persons, including state authorities and private entities or individuals.

The right to privacy has many components. While not always mentioned as a separate right, it often materialises in different contexts such as breach of confidence in common law, the right to liberty, freedom of expression and due process, or even as a religious value. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism states that the right to privacy supports other human rights "and forms the basis of any democratic society".10

In 2009, the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, presented his report to the Human Rights Council which addresses the right to privacy in the fight against terrorism.11 It states that the right to privacy has two dimensions which have been expressed in the various human rights instruments, at the universal as well as the regional and domestic levels.12 Accordingly, the right entails the negative dimension, prohibiting any arbitrary interference with a person's privacy, family, home or correspondence as enshrined in the International Bill of Human Rights. It also contains the positive dimension of everyone having the right to respect for his/her private and family life and his/her home and correspondence as provided for in, for example, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.13

The right to privacy is closely linked to human dignity and concerns the inviolability of personal information, the home and communications. Privacy International acknowledges that in many countries the right to privacy has been fused with data protection. Data protection is understood as the management of personal information. Privacy protection can be understood as drawing a line as to how far society can interfere with personal affairs.14

The right to privacy is not an absolute right

The right to privacy can be restricted when necessary to protect a legitimate public interest such as public order (e.g. to facilitate criminal investigations, or to protect national security from the threat of terrorism). These restrictions may be implemented only by governments, and not by businesses. Businesses are required to cooperate with the government to meet the requirements posed by state security or other concerns.

In his report on privacy and the fight against terrorism, the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism states that because the right to privacy is not an absolute right, there are situations where "states have the legitimate power to limit the right".15

For example, when an individual is investigated or screened by security agents and his/her personal information is shared among different security agencies in their effort to counter terrorism, the right to privacy is infringed upon. While countering terrorism is considered a legitimate public security goal justifying limitations to the right to privacy, interferences with the right need to be critically assessed.16

However, countries with weak or restrictive governance systems may unduly use those restrictive permissions to infringe on the right to privacy in the interest of the state. In relation to the human right to privacy, these restrictions may be regarded as illegitimate. Businesses should be aware that the government may go beyond the scope of permitted restrictions and will thus have to exercise heightened due diligence, so as to not become complicit in illegitimate government conduct, e.g. passing on employee information which puts the employee in danger of being unduly prosecuted in violation of international human rights standards.17

Unlawful and arbitrary interferences of the right to privacy

In General Comment No. 16 to Article 17 of the ICCPR, the prohibition of "unlawful interference" of the right to privacy means that "no interference can take place except in cases envisaged by the law" and the law itself must comply with all provisions of the ICCPR. "Arbitrary interference" also extends to interferences provided for under domestic law. This provision is to guarantee that all interferences with the right to privacy, as provided for by the law, shall be in accordance with the "provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the particular circumstances."

Further, the comment states in its paragraph 10 that "the gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies must be regulated by law". No private information should reach persons not authorised by law to receive those documents. Private information may not be used for purposes which are not in conformity with the ICCPR.

The comment further elaborates that to ensure the "most effective protection of his private life every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files and for what purposes." Individuals should also be able to "ascertain which public authorities or private individuals or bodies control or may control their files".

Permissible limitations

The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin, clarifies that limitations to the right to privacy as codified in Article 17 of the ICCPR should pass the permissible limitations test. This test should be applied to measure whether any limitations are legitimate as measured against the scope of the right to privacy. The test is to be applied as follows:

• Any restrictions on the right to privacy must be provided for by the law
• The essence of the right to privacy may not be subject to restrictions
• Restrictions must be necessary in a democratic society
• Any discretion exercised when implementing the restrictions must not be unfettered
• Permissible restrictions must serve the enumerated legitimate aims and must be necessary for reaching the legitimate aim
• Restrictive measures must conform to the principle of proportionality: they must be appropriate to achieve their protective function; they must be the least intrusive instrument amongst those which might achieve the desired result; and they must be proportionate to the interest to be protected
• Any restrictions must be consistent with the other rights guaranteed in the ICCPR18

Privacy and the protection of other human rights

While the right to privacy is a fundamental human right in itself, it also informs and supports other human rights. The principle of non-discrimination and the right to equality may be impacted by violations of the right to privacy. For example, this may occur where the sharing of personal information with governments triggers discrimination on the basis of discriminatory local laws and/or practice.

The right to privacy is closely linked to and may impact the freedom of expression. An example of this is where internet providers share information about dissidents with an authoritarian government and subsequent government action leads to human rights violations.19

Further, the freedom of association may be impacted for instance when personal information about trade union affiliation is shared with governments, particularly when the affected individual experiences state-sanctioned discrimination and other human rights violations.20

Other human rights which may be impacted include: freedom of thought, conscience and religion; freedom of assembly; the right to physical integrity; the right to liberty and security; the right to equality; and the right to health.21

Real-world examples

Nokia Siemens Network (NSN) divests monitoring centre in Iran after accusations of privacy infringements

In a high risk environment for privacy violations such as Iran, companies may face the risk of misuse of products designed to intercept communications or facilitate surveillance. In 2009, Nokia Siemens Network (NSN) sold telecom technology enabling "lawful interception" for the purpose of law enforcement to the Iranian government-owned telecom company Irantelecom.22

In 2010, detained Iranian journalist Isa Saharkhiz and his son filed a lawsuit in Virginia against NSN for damages suffered after their 2009 arrest. Saharkhiz argued that he was arrested and detained after Iranian authorities tracked him using the technology sold to Irantelecom.23 NSN responded with a statement condemning the human rights violations suffered by Saharkhiz and his son but denied its responsibility.24 The lawsuit was later dropped,25 but the action was widely publicised by media and activist groups.

While NSN only provided the "lawful intercept" technology to be used in accordance with Iranian laws for law enforcement purposes,26 those laws may enable governments to infringe on the right to privacy, creating the risk of corporate complicity in privacy violations. It is also alarming that in the aftermath of post-election protests in 2009, a company affiliated with the Islamic Revolutionary Guards has moved to acquire a majority share in Iran's telecommunications monopoly.27

NSN has divested from the monitoring centre in Iran and, according to its own statement, is no longer involved with it apart from some technical contractual links.28 In the meantime, the company has made notable efforts to address the accusations in a transparent manner.29

Yahoo sued by Chinese dissidents

The first lawsuit alleging breach of privacy rights was brought against Yahoo in a US federal court under the Alien Tort Claims Act (ATCA) by the World Organization for Human rights USA on behalf of several Chinese dissidents. It was alleged that Yahoo had shared information with the Chinese government which subsequently led to the arrest and detention of several Chinese journalists and dissidents, impacting not only the right to privacy but also the right to freedom of speech.

One of the detained journalists, Shi Tao, was convicted of disclosing "state secrets" – a term very broadly defined by the Chinese government – after posting online a Chinese government order forbidding the media to report on the Tiananmen Square massacre.30 Another journalist, Wang Xiaoning, was allegedly tortured while in detention after Yahoo supposedly provided Chinese police with information linking him to postings on Yahoo sites31 which then led to his prosecution on the grounds of "subversion of state power" and "sharing of state secrets".32

A congressional hearing required representatives of Cisco, Google, Microsoft and Yahoo to report on their collaboration with the Chinese government. Yahoo representatives apologized for misleading Congress about the company's role in the case.33 After initial attempts to have the case dismissed,34 Yahoo agreed to settle the lawsuit. While details were not made public, Yahoo agreed to cover the plaintiff's legal costs and set up a fund to support political dissidents.35 In 2008, Yahoo Chief Executive Jerry Yang appealed to Condoleeza Rice before she was set to meet with Chinese government officials to help get the detained dissident journalists out of prison.36 However, both men remain in prison.

A second lawsuit was filed in February 2008 alleging that information provided by Yahoo to the Chinese authorities led to the detention of a Chinese dissident and the prosecution by Chinese authorities of another. The claims based on international law included torture, prolonged detention, intentional infliction of emotional distress, false imprisonment and assault.37

Allegations of excessive worker surveillance by German supermarkets lead parliament to discuss new privacy law

In the case of Köpke v Germany (2010), the European Court of Human Rights (ECtHR) held that covert video surveillance of a supermarket cashier, resulting in her dismissal for theft, did not amount to a breach of Article 8 ECHR (right to privacy), because a fair balance had been struck between; (i) the employee's right to respect for her private life; (ii) her employer's interest in the protection of its property rights, and; (iii) the public interest in the proper administration of justice. The Court did observe, however, that the competing interests concerned might well be given a different weight in future, in regard to the extent to which intrusions into private life were made possible by new and more sophisticated technologies.

The case came after a number of allegations that retailers, especially discount retailers, had been engaging in excessive surveillance techniques in order to spy on workers' movements and conversations.38 Pharmaceutical company Schlecker was alleged by Achim Neumann, of service sector union Ver.di, to have ordered store detectives and security staff to use spyholes in walls for hours at a time. Apart from claiming that the surveillance was being used for theft-detection, the company declined to comment on the accusations when approached by newspaper Bild am Sonntag.39

Discount supermarket giant Lidl also claimed that supervisors had simply been trying to detect employee misconduct when accused by weekly newspaper Stern. The newspaper claimed it had obtained hundred-page logs of worker activity. The chain later apologised to workers and customers, claiming that store managers had exploited its employee misconduct policy.40

In response to incidents such as these, on 25 August 2010, the German government approved a draft law concerning special rules for employee data protection, which covers nine key subject areas; employer internet searches; medical exams; automated data scanning; CCTV; tracking; biometric data, and; telephone, internet, and email monitoring. Having been reviewed by a number of parliamentary committees, the bill is currently awaiting final settlement.

Facebook sued in privacy class-action for ‘Sponsored Stories' feature

A California lawsuit filed last year against Facebook claims that the ‘Sponsored Stories' feature on the social networking website, by which a user's like of a brand's page is subsequently used as an advertisement for the company on the site, including their name and profile photo, is a violation of user privacy. The crux of the claim is that users were not able to opt-out of the feature.41

As part of a proposed deal to settle the case, Facebook planned to give users more control over their ‘likes', and pay $10 million to the plaintiffs, and the same amount again to pro-privacy organisations. However, the presiding US District Judge Richard Seeborg has rejected the settlement, claiming that the monetary amounts are arbitrary and do not address the damage to the 100 million users who have already been used in the feature.42

The company's lawyers believe, however, that the settlement is reasonable and that they can address the judge's concerns without having to adjust it significantly.43

• For in-depth analysis and case studies relating to freedom of speech, see:
  Dilemma and case study analysis on freedom of speech

Back to top

Businesses face a range of risks in different scenarios with respect to different relationships with employees, business partners and customers as outlined below.

Diverse business relationships pose risk to assets and interests of businesses in unfamiliar emerging markets

Employees: Companies bestow the highest degree of trust and responsibility upon their employees. In unfamiliar emerging markets, the collection and processing of employee information may be necessary to avoid corruption in operations and the supply chain. The lack of employee integrity presents a high risk for employers and principals as any act by employees will be attributed to the company via the principal/agent relationship. Any liability resulting from the action of an employee may thus – with limitations – result in principal/employer liability. This warrants control and monitoring of employees to avoid liability or reputational damage.

Domestic legal requirements may infringe upon the right to privacy and even pose the risk of discrimination or other human rights infringements against employees. It is therefore critical that employee screenings are carried out in compliance with privacy requirements and in ways that protect the business from risks of complicity in other human rights infringements, such as discrimination either by the company or the government.

Emerging markets present higher risks to the health and safety of employees than developed economies. Interruptions to production caused by accidents, together with declining workforce morale as a result of poor working conditions, may have a detrimental impact on productivity. Hence, workplace monitoring and other measures to ensure health and safety as well as productivity may be warranted.

For example, Rio Tinto was faced with employee corruption allegations in China in 2009 when four of its Chinese employees were arrested. According to a Rio Tinto media release, the grounds of arrest related to:

• "Allegations of obtaining Chinese steel industry commercial secrets in breach of the provisions of Article 219 of the Chinese Criminal Law pertaining to the crime of violating commercial secrets.
• Allegations of commercial bribery in breach of the provisions of Article 163 of the Chinese Criminal Law pertaining to receipt of bribes by non-State personnel."44

The company supported their employees until they were proven guilty. In January 2010, the four Chinese employees were convicted and sentenced to between seven and 14 years in prison and Rio Tinto fired the employees. All wrongdoings were said to have taken place outside the company system and evidence of corruption was convincing.

Controversies remain about a lack of transparency as part of the trial covering commercial secrets was held behind closed doors. Thus the actual legal framework and requirements pertaining to such secrets remain unclear. In its verdict, the court said the four Rio Tinto employees helped obtain information from confidential strategy meetings of the China Iron and Steel Association (CISA).45

Business partners and suppliers: MNCs have an inherent interest in working with local business partners who are familiar with the language, culture and local business environment. Sometimes, national laws require foreign MNCs to operate in partnership with local organisations or individuals.46

Relationships with business partners present an inherent risk: First, both the company and its business partners act in their own interests, so the company will need to take appropriate precautions to protect its interests and assets. As a prudent company often expects business partners to act in their own interest, this element is factored into the relationship and companies will apply increased awareness and caution. However, increased scrutiny in background checks and screenings (particularly in an environment perceived to be corrupt and with a high volatility with respect to business relations and viability) may impact the right to privacy of the business partner.

Joint venture partners: Joint venture partners are often chosen for their local knowledge and expertise regarding the common project. In some countries in the Middle East, MNCs are required to work with local joint venture partners.47 Joint venture partners risk that the local business partner acts in self-interest on behalf of the joint venture possibly involving corruption or nepotism. MNCs thus have an interest in protecting themselves from those threats by implementing background checks on sources of capital, ownership, political connections, and status of the company48 but have to ensure to protect the privacy of joint venture partners.

Customers, clients, users: The privacy of customers and users needs to be protected and, in an environment where privacy protection becomes increasingly important, businesses have to be aware of their responsibility to protect customers or users of their products, such as internet, telecom or email service users. Some governments in emerging markets may have been known to infringe on the privacy rights of individuals and domestic laws may require companies to provide personal information. Additionally, customers may misuse products, such as surveillance or interception technologies to infringe upon the right to privacy of individuals and the company may risk complicity.

Diverse dilemma scenarios

Privacy in corrupt business environments

Emerging markets often present a high risk environment for corruption. Corruption "impedes economic growth, distorts competition and represents serious legal and reputational risks"49. Particularly in corrupt environments, companies need to protect their legal, ethical and commercial business interests and assets in order to ensure sustainable business operations and the provision of products and services while preserving their competitiveness.

Emerging markets present a high risk that employees of the company or its suppliers become involved in corruption and nepotism. Corruption in the world's emerging economies, where judicial effectiveness is impaired, rule of law is poor, poverty is endemic and cost of living increases are volatile, is generally more pervasive than in established Western markets (although it has been shown by Transparency International in its Global Corruption Report 200950 to be a challenge everywhere).51

Companies operating in a corrupt business environment face a "double" dilemma: they have to ensure that they are not implicated in corruption by employees or business partners in accordance with the UN Global Compact (UNGC) Tenth Principle on Anti-Corruption by applying a high standard of due diligence, yet they have to guarantee respect for the human right to privacy in accordance with their responsibility, as set out in UNGC Principles 1 and 2.52

The dilemma outlines a classic crux for responsible businesses. On the one hand, they are answerable to shareholders in relation to their primary goal of acting in their best interest, thus maximising profits and making good business decisions, which is why business needs to protect its interests and assets, i.e. by exercising anti-corruption due diligence. On the other hand, shareholders and stakeholders alike require the business to act ethically and, of course, within the limits of law, and expect them to exercise appropriate due diligence with respect to privacy. Both strands fall under the companies' duties within their responsibility to respect human rights including the responsibility to conduct human rights due diligence but present conflicting goals deserving protection.

The far reaching international and domestic legal frameworks for anti-corruption measures expose them to significant legal risks and require businesses to apply adequate due diligence mechanisms including screening and background checks.53 Companies' and suppliers' due diligence mechanisms54 may involve monitoring employees and acquiring and storing confidential information.

However, companies face a myriad of challenges: while ensuring integrity may be easier with respect to the company's own operations, this may not be the case for modern international supply chains which are often complex, extensive and obscure in emerging markets. Different relationships with employees, suppliers, and business and joint venture partners warrant different approaches to ensure integrity.

Stringent pre-screening and ongoing monitoring of employees may thus be advisable for companies in their endeavour to fight corruption and nepotism in operations and supply chains. Responsible businesses will have to assure that their monitoring and screening techniques are warranted and do not infringe on the right to privacy of the employees.

Businesses are at a high risk of becoming complicit in corruption via their suppliers or business partners in emerging markets. Confidential investigations may enable the company to find out about associations of the business partner and reveal whether the agent is trustworthy and reliable.

Frequently, possible joint venture partners will have local government connections. Even though they are important, these connections present a risk where government corruption is endemic. Unknown criminal interests of joint venture partners directly pose a hazard.

Integrity Due Diligence aims to provide red flags so businesses can tackle the risk of corruption in their operations and supply chains. It seeks to identify as much information as possible about prospective business partners or any third party which the company intends to collaborate with. It covers the third party's interests, reputation, activities, associations, track record and motives and involves the acquisition of publicly accessible information as well as information gained through external consultancies or confidential field work.55

Additionally, companies implementing whistle-blowing mechanisms may be exposed to challenges when exchanging information across different jurisdictions as privacy laws vary significantly.56

Carrying out Integrity Due Diligence may protect companies against criticism should liability arise despite such investigations.57 However, companies have to be aware of the implications these mechanisms may have for the right to privacy in order to mitigate the risk of complicity.

• For in-depth analysis and case studies relating to corruption, see:
  Dilemma analysis and case studies on corruption

Privacy and employee personal data

Acquiring and storing personal employee data may impact on the right to privacy of employees in a number of situations, particularly in emerging economies where domestic laws are in conflict with the international law on the protection of privacy. For example, in emerging economies with authoritarian governance structures, the right to privacy may be infringed upon when companies share employee information with the government. In some economies, this can result in discrimination against the employee, maybe even involving punitive action and human rights violations. In this scenario, infringing on the right to privacy has repercussions which may affect other human rights and thus presents an especially sensitive issue.

According to Privacy International's National Privacy Ranking, emerging economies are among the countries with the worst records in terms of governments obtaining access to personal data. These include China, India, Russia, the Philippines and Thailand. Businesses have to be particularly vigilant when obtaining sensitive data from employees. The characterisation of data as sensitive may vary from country to country.58 Companies should be aware of the different degrees of sensitivity in different market environments.

According to the UN Guidelines for the Regulation of Computerized Personal Data Files, data which may give rise to unlawful or arbitrary discrimination should not be compiled. This includes information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs and membership of an association or trade union.59 Exceptions have to conform to the International Bill of Human Rights and other relevant instruments protecting human rights and the principle of non-discrimination.

The ILO practice code on the protection of workers' personal data allows the collection of employee information on sex life, political, religious or other beliefs and criminal convictions only in exceptional circumstances. Data on trade union affiliation should generally not be collected unless in accordance with law or a collective agreement. Medical data should be collected only if required by law and only in cases directly related to the employee's protection while working.60

Examples include:

• Information on family planning: For example, in China, the one-child policy prohibits citizens from having more than one child. The policy is enforced through forced abortions and sterilisation and increases the risk of affected individuals being exposed to human rights violations such as arbitrary detention. The policy also increases the risk of trafficking. When a company collects this information supplied by employees on the number of children, the company risks complicity in those violations once passing on such information to state authorities, even if required by domestic law.
• Information about political affiliation: Obtaining and storing personal information about an employee's political affiliation may also impact privacy. This may occur, for example, where the government requires the sharing of such information for the purposes of monitoring or other integrity due diligence to combat corruption in operations and supply chains. Often, in countries with weak governance, corruption is facilitated through relationships with the party in power. While companies need to protect themselves against the hazard of being implicated in corruption, they must also protect the privacy of the employee or business partner against wrongful government requests which may in turn disadvantage the employee or even violate his/her human rights.
• Information about religious affiliation: If domestic laws or actions discriminate against certain religions, the storage or transfer of this information to government officials may violate the right to privacy when none of the possible exceptions to the right to privacy justify the government request.

• For in-depth analysis and case studies relating to freedom of religion, see:
  Dilemma and case study analysis on the freedom of religion

• Information about trade union affiliation: Trade unionists experience harassment and discrimination not only by some governments due to their affiliated membership, but also by companies. The International Bill of Human Rights provides for the freedom of association and ILO standards and auditing standards require that a company provide for the protection of trade unions and their members. In case of conflicting domestic law, companies shall provide for alternative mechanisms to freely elect workers' representatives. Thus, companies have to ensure that workers are not subject to discrimination, harassment, intimidation, or retaliation when sharing personal employee information with others, including the government.

• Only recently, a trade unionist claimed to have been denied work on a construction site based on a blacklist detailing his union membership in the UK and sued Balfour Beatty.61 While the company won the case, lawyers representing a group of around 40 other workers have prepared a class action suit against a number of firms in the construction industry that may have been implicated in similar activities.62

Privacy and employee health

HIV/AIDS: Companies operating in or sourcing from emerging markets with high rates of HIV/AIDS or other serious diseases may face heightened risks with respect to health and safety, productivity and high employee turnover.

The global nature of the challenge means it is likely that most multi-national companies will be impacted by HIV/AIDS. Aside from the impact HIV/AIDS is having on local consumer bases and the communities in which companies operate, the most direct impact is upon the workforce and those young adults (19-35 years) who are most mobile – from new employees to senior managers.

According to the International Labour Organization (ILO), as many as 36 million of the 39 million people living with HIV are engaged in some form of productive activity.63 Particularly the countries in sub-Saharan Africa, such as South Africa, Swaziland, Botswana, Lesotho, Zambia and Zimbabwe, the prevalence of HIV/AIDS is extremely high.64 South Africa, a country which has just been invited to join the BRICS countries of emerging economies alongside Brazil, Russia, India and China, has the highest rate of HIV/AIDS infections worldwide.65

Examples of business sectors at high risk of being affected by the disease include logistics and transportation, mining, manufacturing, building and construction, as well as agribusiness. The workforce will be impacted by the disease in a number of emerging markets and it will be necessary for the company to tackle risks associated with the disease which impact on the workforce and productivity while ensuring that the privacy of employees is respected.

The ILO Recommendation concerning HIV and AIDS and the World of Work adopted by the International Labour Conference addresses HIV/AIDS in the workplace. It concerns all workers and all sectors of economic activity both public and private and formal and informal. According to Section III, "workers, their families and their dependants should enjoy protection of their privacy, including confidentiality related to HIV and AIDS, in particular with regard to their own HIV status."

• For in-depth analysis and case studies relating to HIV/AIDS, see:
  Dilemma and case study analysis on HIV/AIDS

General Health and Safety in the Workplace: Additionally, the monitoring of factories may also be warranted when aiming to retain sound health and safety protection for workers. For example, accidents in the workplace may be better assessed and investigated. Maintaining productivity may be another aim of monitoring employees. Additionally, if there appears to be a problem among the workforce related to alcohol or drug misuse, monitoring may be helpful to assess and prevent these incidents, as well as to support the employee and help rehabilitate.

In order to do that, companies or suppliers operating in emerging markets may install CCTV in the workplace in addition to monitoring correspondence. Additionally, private investigators may work for the company to ascertain these situations. However, the company needs to ensure that monitoring employees for the purpose of health and safety protection does not amount to infringing on the right to privacy.

Privacy and the risk of property theft

Businesses have a strong interest in protecting their assets, products, trademarks and copyrights. They may operate in an environment where the theft and illegal sale of property, including intellectual property, poses a risk. In this case, companies should protect their commercial assets by running background checks on their employees and clients. At the same time, however, they will have to ensure that the privacy rights of those individuals are protected.

• A high risk of employee theft exists for high value products such as diamonds. For example, Namgem, a cutting and polishing unit which is run by a joint venture between the Namibian government and De Beers in Namibia, reported that a large number of diamonds worth US$2.6 million had been stolen from the factory safe in September 2010.66 Several news outlets reported that the theft was believed to be an inside job and showed no signs of a break-in.67 One report states that thefts in this particular De Beers unit appeared to have happened on a number of occasions.68

According to Deloitte's Innovation in Emerging Markets report, one of the main threats for manufacturers operating in emerging markets is intellectual property theft.69 "Companies run the danger of having their trade secrets, or even entire products, copied by competitors." In the Axendia survey published by PwC Achieving Global Supply Chain Visibility, Control & Collaboration in Life Sciences: Business Imperative, Regulatory Necessity, a large number of industry executives cite manufacturing and sourcing from emerging markets such as China, India, Brazil and Mexico involved a high risk of counterfeiting (44% of industry executives) and illegal product diversion (35% of industry executives).70

Moreover, governments in emerging markets pose the risk of intellectual property theft. A recent New York Times article states that the US views intellectual property theft in China to be a major problem.71 The article states that "[t]echnology companies, for example, continue to notice Chinese government agenciesdownloading software updates for programs they have never bought, at least not legally."

• For example, Google has faced intellectual property theft according to a statement from 2010.72 Google reported that it detected a highly sophisticated cyber attack in December 2009 which resulted in intellectual property theft. Google's investigations showed that twenty additional companies including internet, finance, technology, media and chemical sectors had been targeted. The attack also included the attempt to access accounts of Chinese human rights activists. Google also reported that accounts of advocates for human rights in China had been routinely accessed by third parties.

Businesses have to apply a heightened standard of due diligence to protect their property through intensified screenings, background checks and monitoring of employees as well as business partners. Companies will thus face the dilemma of having to ensure the right to privacy of their employees and business partners while attempting to adequately and diligently scrutinise these individuals.

Privacy and the business partner's ability to fulfil contractual obligations

Emerging markets may present volatile business environments and business partners may face challenges fulfilling the obligations as set out in the contract with the MNC. The Center for International Private Enterprise (CIPE) highlights that companies should not only be aware of reputational damage caused by being implicated in corruption, but also of the costs of unreliability. Businesses "should be aware if their suppliers are near bankruptcy or whether they'll be in business long enough to complete the contract." The paper points out that ultimately, "companies are answerable to both shareholders and courts for their business and compliance decisions."73

While the financial viability of a business partner should be picked up by any due diligence process pertaining to the business partner, the risk of defaulting on a contract when engaging with a business partner in an environment prone to economic insecurities may be higher and harder to detect. Accordingly, this warrants a higher degree of scrutiny of business partners which may impact on the privacy of business partners. Companies have to ensure that integrity due diligence to mitigate the risk of business partners defaulting on a contract is carried out with the necessary respect for the right to privacy of the business partner.

Emerging market business environments often pose the risk of volatility with respect to the viability of local business. Often, MNCs are unfamiliar with local business partners and thus may desire to apply a higher threshold of scrutiny to protect their assets and be sure that the business partners will be able to fulfil contractual obligations and avoid the risk of bankruptcy of the business partner, particularly in markets with a volatile business environment, such as emerging markets.

Privacy and money laundering – "Know your customer" programs

"Know your customer" (KYC) programmes are employed by banks, financial institutions and regulated companies to monitor the identities and backgrounds of their customers. For example, the shift in investment banking toward developing countries and often unfamiliar emerging markets74 exposes them to a higher risk environment in terms of financial crime, money laundering and the financing of terrorist activities, particularly in countries or regions known to be exposed to a high level of corruption, trafficking, terrorism or other crimes. Many business sectors may be implicated. These include the legal profession, real estate, accounting, trusts, precious metals and stones, casinos, money services, and insurances.75

According to the KPMG 2007 Global Anti-Money Laundering Survey, an estimated US$1 trillion is being laundered every year by drug dealers, arms traffickers and other criminals.76 The report states that growing regulatory expectations and rapid changes in the financial services industry make combating money laundering a major challenge for the banking sector. The internationalisation of the banking sector has triggered an array of initiatives and regulation. For example, the IMF has intensified its efforts in the area and includes Offshore Financial Centres (OFCs) in their assessments. The US Patriot Act extraterritorially extends US standards to foreign economies in order to prevent money laundering and the financing of terrorist activities. The Basel II Standard put forward by the Basel Committee on Banking Supervision requires banks to collect and share large amounts of data which may include customer data protected by data protection legislation. The standards developed by the intergovernmental Financial Action Task Force (FATF)77, the financial services industry standards by the Wolfsberg Group78 and legislation at the national and supranational level, such as the International Convention for the Suppression of the Financing of Terrorism and the EU Third Money Laundering Directive, put pressure on banks to exercise rigid due diligence to avoid becoming implicated in money laundering.79

The KPMG 2007 Global Anti-Money Laundering Survey states that the regulatory pressure has increased testing and monitoring and the acceptance of a risk-based approach determines the level of due diligence already at the account opening stages. Costs for transaction monitoring are highest among the already high and increasing costs related to anti-money laundering efforts by banks.

Banks thus have to ensure that they are free of any money-laundering activity and have to engage in heightened scrutiny of customers. At the same time, they must observe their responsibility to respect human rights (including the right to privacy) and to comply with domestic privacy laws. Particularly with an increased regulatory and industry focus on so-called politically exposed persons (PEPs), the implementation of such programmes may result in infringements on privacy including domestic data protection laws.

• For example, Swiss banks were said to have broken privacy laws by letting the transaction company SWIFT (Society for Worldwide Interbank Financial Telecommunications) pass on customer information to US authorities without informing customers about the data transfer. SWIFT conducts transfers worth $6 trillion per day between 7,800 financial organisations. According to the report, the Belgian Data Privacy Commission stated that it "must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law. In this context SWIFT should from the beginning have been aware that, apart from the application of American law, also the fundamental principles under European law must be complied with, such as the principle of proportionality, the limited storage period, the principle of transparency, the requirement for independent control and the requirement for an appropriate level of protection."80

Privacy and product misuse

Products sold by a company may be misused by customers that engage in human rights abuses. In order to avoid the risk of complicity in such abuses, companies may wish to run checks so as to ensure that their products will not be used in this context.

Business operations in the field of surveillance technologies are particularly at risk that their products are misused by governments facilitating the identification and arrest of political, religious and human rights activists and impacting on the right to privacy of those affected.

Business sectors that may be prone to risk of complicity in product misuse include, for example, the health and technology sectors, the information communications technologies sector, as well as chemical and fertiliser companies and businesses in the transportation equipment sector.

In these scenarios, companies can be implicated in impacting on the right to privacy in two ways. On the one hand, they have to screen buyers, thus having to be cautious to not infringe on the right to privacy of the buyers. On the other hand, the buyer may negatively impact on the right to privacy of individuals by misuse of the products purchased from the company. An example of this is where companies sell surveillance equipment or telecommunications equipment enabling communication interception.

• For in-depth analysis and case studies relating to product misuse, see:
  Dilemma and case study analysis on product misuse

Privacy and the ICT sector

As part of domestic efforts to regulate the Internet, service providers are often asked to provide personal user information to governments. In some emerging markets, such as China and Iran, governments have a record of using this information to spy on citizens often resulting in punitive action against the citizen.81 Internet and communication companies operating in environments where freedom of speech is restricted usually find themselves in an exposed position, particularly in times of protest against the government. A heightened level of awareness is thus expected from such companies to avoid complicity in privacy violations which often lead to further human rights violations.

Telecom companies and internet providers are particularly at risk when operating in environments where monitoring and surveillance of citizens by state authorities is used to spy on the individuals with the aim to locate and subsequently silent dissidents. The abuse of the right to the privacy of communication will then lead to further rights violations, such as violations of the freedoms of speech, association and assembly. Privacy International reports that internet providers and telecommunications companies are often required by law to retain and store user information.82

Iranian cybercrime laws require companies to store all data sent or received by internet company customers.83 Egypt requires traffic from all internet providers to pass through the state-run Egypt Telecom and authorities regularly detain bloggers. Egypt thus ranks among the Committee to Protect Journalists' 10 Worst Countries to be a Blogger84 among Myanmar, Iran, Syria, Cuba, Saudi Arabia, Vietnam, Tunisia, China and Turkmenistan.

China extensively censors and monitors internet activity. The government expects internet service providers to filter searches and monitor email traffic. The Committee to Protect Journalist reports that 24 bloggers had been imprisoned in 2009. The internet is heavily censored and restricted in Myanmar and the Burmese government monitors emails and other communication methods.85 In Turkmenistan, the state-owned internet service provider monitors email accounts.86 In Saudi Arabia, online writers may face harsh punishments, including flogging and detention, when publishing texts deemed heretical according to a fatwa issued in September 2008.87

In addition, the violation of the right to privacy by government activities poses a risk to company sales. For example, according to the Open Net Initiative's (ONI) report "Access Controlled"88, the Syrian Interior Ministry and the Syrian Telecommunications Institution have banned the sale of cell phones that have GPS and have WAP services that are not being properly monitored by the service providers. Mobile phone stores were instructed not to sell certain models.89 Businesses face the dilemma of losing business when not abiding by domestic laws and regulation which is known to infringe on the privacy of citizens.

• For example, Google experienced a substantial cyber-attack aimed at accessing accounts of Chinese human rights activists and international advocates for human rights in China on a continuous basis, according to a statement made in 2010.90 Google reports that access to the accounts had not been made possible by a security breach on the part of Google, but probably via software placed on the users' computers. According to US government reports, the Chinese government is leading a number of such attacks in order to infringe on US interests.91

Acts of privacy intervention

The right to privacy may be abused in a situation where companies should or wish to apply a heightened standard of due diligence involving scrutinising employees, business partners or customers, or where there government requires the MNC to make available personal information about employees, business partners or customers.

According to Privacy International, privacy comprises four different aspects:

• Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records. It is also known as "data protection"
• Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches
• Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication, and
• Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks92

These aspects of privacy can be infringed in various ways:

• Information privacy and data protection: when companies supply personal employee or customer data to unauthorised persons, including authoritarian government regimes, this could amount to the abuse of the right to privacy
• Bodily privacy: administering health or drug tests, for example when operating in an environment where poor health and drug use is most prevalent, may impact the right to privacy of employees
• Privacy of communications: when monitoring employee communications in the workplace, the company will have to ensure that privacy requirements are met
• Territorial privacy: CCTV surveillance of the workplace may impact the right to privacy of employees; background and ID checks and screenings may impact the privacy rights of employees, business partners, and customers

Back to top

Examples of scenarios companies might face when operating in emerging economies include:

China: Privacy protection in China lacks a coherent legal framework according to privacy law firm Hunton & Williams. However, numerous new laws affecting personal information have been promulgated, including a consumer protection law, tort law, medical records regulation, social insurance law, credit reference regulation and an anti-money laundering banking regulation.93

The Chinese Law on Guarding State Secrets was revised in April 2010 to tighten controls on citizens who discuss "state secrets" on the phone or online. Telecom and internet companies are required to inform the Chinese government about those customers and any such activity.94 "State secrets" is a broadly defined term used by the Chinese government to restrict the freedom of speech and other human rights with respect to "information that concerns state security and interests and, if leaked, would damage state security and interests in the areas of politics, economy and national defence, among others" as formulated in the law. Officials decide on whether information is to be considered a state secret and such determinations cannot be challenged.95

Telecoms operators must preserve data on call and messaging charges and email service providers must record IP addresses, email addresses, and sending and receiving times of all emails and preserve this information for 60 days.96 Freedom House reports that censoring and filtering software, which is often produced by American companies, has been used to delete banned words and messages from bulletin boards or chat rooms and to examine the user's location, browsing patterns and email messages. Many companies censor themselves because they may face legal consequences when not cooperating.97

China: According to Human Rights Watch (HRW), the Chinese government's censorship and surveillance of the Internet is ‘the most advanced in the world.'98 A March 2011 report, "Internet Enemies" by Reporters Without Borders (RWB) classified China as an ‘internet enemy', along with such countries as Saudi Arabia, Burma, Cuba and North Korea. The report notes that "all of these countries mark themselves out not just for their capacity to censor news and information online but also for their almost systematic repression of internet users." RWB claims that China's Great Firewall system is ‘the world's most consummate censorship system' filtering any keywords that could be deemed sensitive. Following uprisings in the Middle East in the first quarter of 2011, search results linked to words, such as ‘Egypt", ‘Tunisia' and ‘democracy' were censored and blocked. The awarding of the Nobel Peace Prize to imprisoned dissident, Liu Xiaobo also resulted in stringent censorship of online searches.99

RWB claim that a number of private companies aid the Chinese government in monitoring and controlling internet use, citing Yahoo! and Microsoft's self-censored search engines in particular. According to HRW, foreign companies have, at some point, been willing to accommodate Beijing's censorship demands in order to operate in China's large market. HRW reports that these companies have censored their materials in response to pressure and instructions from the Chinese government. HRW also accuses the companies of allowing officials to access the email accounts of private citizens, noting that information provided to the government has been used to imprison dissidents. RWB cite the case of cyber-attacks against human rights activists via accounts on Google's email service Gmail in 2010 that led to Google's decision to put an end to its Chinese operations. Amendments to the State Secrets Law in April 2010 attempted to depict internet and telecom censorship as national security measures, ensuring that companies keep a close track of transmissions and report any conduct vaguely defined as a violation. Since February 2010 the Department of Propaganda has also attempted to remove anonymity for internet presence by "exploring an identity authentication system for users of online forums."100

The Chinese one-child policy prohibits citizens from having more than one child. The policy is enforced through forced abortions and sterilisation and increases the risk posed to affected individuals of being exposed to human rights violations, such as arbitrary detention. The policy also increases the risk of trafficking. When a company collects this information supplied by employees on the number of children, the company risks complicity in those violations once passing on such information to state authorities, even if required by domestic law.

According to the report "I Don't have a Choice over My Own Body", the Chinese government ties compliance with its one-child policy to the provision of employment and social services.101 In accordance with local laws and regulations, violators of the policy in government but also in private sector jobs may lose their jobs, party membership or end-year bonuses and may find themselves barred from promotions, being denied access to education, or be discriminated against in health care matters.102 The Lynyi City Population and Family Planning Bureau has publicised cases demonstrating violations of the one-child policy and their consequences. Cases demonstrate how workers have been expelled from the party and dismissed from work, in both the public and private sectors. In 2007, for example, a store assistant manager was expelled from the party and his wife was dismissed from working on a chemical plant when they had a second child in violation of the policy.103

The Chinese Population and Family Planning Law restricts the number of children per family to one for the majority of the population. Depending on which provincial family planning law is applicable, women may be required to use a certain birth control method or forced to undergo gynaecological testing, or abortion (including late abortions) or sterilisation procedures.104 Children born out of wedlock or exceeding the permitted number are often denied a residence permit leading to increased discrimination and hardship.

Provincial and local authorities have commenced the practice of requiring married persons to sign "Letters of Responsibility for Family Planning Goals". These are to be understood as contracts by which the signatory agrees to fully comply with the various aspects of the family planning laws, thus in effect also to testing, applications for birth permits, sterilisation or forced birth control. The 2010 Chinese Human Rights Defenders report "I Don't Have a Choice over My Own Body" highlights that some companies also require their employees to sign such agreements.105

The same report cites an online forum post by a Chinese woman about the involvement of companies in those practices: "In our work unit, if we do not get IUDs [intrauterine device] inserted, then the office cannot be rated an ‘excellent office' by the end of the year..."106 Indeed, state-owned companies as well as private companies are supporting the family planning offices in the enforcement of those rules and practices.

The report states: "In order to enforce the family planning policy, local governments tie compliance with the policy into the provision of social services and employment. Especially for those working for the government, in work units closely related to the government, or in some big private companies whose family planning matters are managed by the government, violators of the policy may be stripped of their jobs and/or their Party membership and their entire work unit and those responsible for the unit might not be given awards or bonuses at the end of the year. Violators might be barred from receiving promotions or obtaining government positions in the future, barred from the military, denied access to education, or discriminated against in health care matters."107

According to reports by Amnesty International and CHRD, for example, thousands of Chinese women are at risk of forced sterilisation when they already have at least one child. If the employer reveals this information upon the request of state officials, the company may be seen as complicit in the violation of the rights to privacy, family and physical integrity and in the violation of the principle of non-discrimination against women as protected in the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW). Amnesty reports that family members have been arrested over the course of 2010 in order to pressure women into the sterilisation procedure.

India: As of February 2011, Indian intelligence agencies want to prolong the period for phone and internet companies to store customer personal data from six to 12 months. The Ministry of Home Affairs has asked the Department of Telecom to make sure that mobile and internet service providers will store all data relating to email communications, including email addresses, names of recipients, subject of email and attachment name and type. The intelligence agency states that those measures are required to address challenges to security and the rapidly changing technologies.108

The move comes shortly after the Ministry of Communications and Information Technology published three draft rules concerning privacy, including rules on the Reasonable Security Practices and Procedures and Sensitive Personal Information, Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The rules prohibit the collection of broadly defined sensitive information unless to be used for lawful purposes. Affected service providers should have processes and measures in place to secure the acquired information from abuse which will have to be demonstrated to the authorities in case of a data breach.109

In September 2012, the government announced a plan to set up a web-monitoring agency to monitor the internet and social media networks for malicious content, with the power to pass any relevant information onto security agencies and state police for preventative action. The move follows recent violence in the state of Assam during which it is alleged that various websites were misused to spread inflammatory rumours and doctored videos of violence in order to spread panic. According to the government, the agency will only be established following the implementation of a legal regime for the sufficient protection of individual privacy and freedom of expression.110

Russia: The law prohibits arbitrary interference with privacy, including government monitoring of correspondence, telephone conversations and other means of communication without a warrant. However, according tothe US Department of State's 2011 Human Rights Report,there were allegations that government officials and others engaged in electronic surveillance without judicial permission. Considering the abovementioned misuse of law enforcement equipment to inflict torture and surveillance technology to intrude on rights to privacy, including the freedom of expression and correspondence, the sale of security enforcement products could pose a risk in Russia.

While the Ministry of Information and Communication maintains that no telecommunication or internet activity information will be obtained without a court order, it was reported on 2 May 2011 that the Yandex search engine company had provided personal data to the Federal Security Service (FSB) on anti-corruption bloggers, who later received anonymous enquiries about their connection to an online anti-corruption project.111

Indonesia: Indonesia has one of Asia's fastest growing HIV rates, with an adult prevalence rate of 0.2% (some 270,000 people), up from 0.1% (93,000 people) in 2001. In January 2008, it was reportedthat the Asian Development Bank (ADB) claimed that Indonesia's construction boom is driving an "exponential" rise in HIV/AIDS infections as migrant workers are more likely to engage in high-risk sex.

In 2004, the Ministry of Manpower and Transmigration issued a decree on HIV/AIDS prevention and control in the workplace, which requires companies to protect workers with HIV/AIDS from discriminatory action and treatment. Under the decree, employers are prohibited from conducting HIV tests as part of recruitment requirements or as compulsory regular medical check-ups. However, enforcement of these provisions has been weak. However, there remains no law in Indonesia which prohibits employment discrimination on the grounds of HIV status.

Iran: According to the US Department of State's Human Rights Report 2011 , the government severely restricts the right to privacy and civil liberties, including the freedom of expression, freedom of assembly, freedom of association, freedom of movement, as well as freedom of religion. For example, numerous trade union organisers were arrested. Security forces monitor the social activities of citizens and telephone conversations. The government also monitors internet communications, especially via social networking sites such as Facebook, Twitter and YouTube.

The 2011 report indicates numerous instances of security forces arresting journalists and human rights activists, along with members of their families, as well as searching the homes and offices of such persons, seizing private documents in the process, contrary to the constitutional right to privacy.

In the same year, there were also examples of both men and women being arrested, sometimes violently, for failure to adhere to an appropriately ‘Islamic' dress code.

In this high risk environment for privacy violations, companies may face misuse of products designed to intercept communications or facilitate surveillance. In 2009, Nokia Siemens Network sold telecom technology enabling "lawful interception" for the purpose of law enforcement to the Iranian government-owned telecom company Irantelecom.112 In October 2010, detained Iranian journalist Issa Saharkhiz and his son filed a lawsuit in Virginia against Nokia Siemens for damages suffered after their 2009 arrest. Saharkhiz argues that he was arrested and detained after Iranian authorities tracked him using the technology sold to Irantelecom.113

While Nokia Siemens only provided the "lawful intercept" technology to be used in accordance with Iranian laws for law enforcement purposes114, those laws may enable governments to infringe on the right to privacy, creating the risk of corporate complicity in privacy violations. It is also alarming to hear that, in the aftermath of post-election protests in 2009, a company affiliated with the Islamic Revolutionary Guards has moved to acquire a majority share in Iran's telecommunications monopoly.115

Back to top

Legal risks

Businesses are faced with a range of legal risks. The current international legal framework is complex and governed by many different regimes. While the International Bill of Human Rights embraces the protection of privacy as a fundamental human right, various other international instruments lay the groundwork for the implementation of the right to privacy and provide for specific privacy principles.

The majority of states protect privacy as a constitutional matter and have some form of privacy and data protection law in place. Hence, lawsuits to remedy violations and abuses of the right are likely. Additionally, some privacy protection laws have extraterritorial reach.

With privacy protection featuring prominently as an international concern in the age of globalised data-flows and business operations, together with intergovernmental and supranational cooperation on global security and other matters, a trend toward harmonising privacy protection on a universal level is visible.

Businesses are currently faced with a myriad of legal obligations on the domestic and international levels and have to master different legal risks to be able to fulfil their responsibility to respect human rights. Enhanced privacy protection regulation is to be expected on the international level in the near future, so businesses should be prepared to cope with heightened demands for privacy protection. Companies can face lawsuits or may be asked to participate in alternative dispute resolution to resolve privacy breaches.

The risk of complicity in other human rights violations is high when the right to privacy has been abused. The right to privacy is closely linked to human dignity and as such relates to many other human rights, including freedom of speech, freedom of conscience and religion, freedom of association, freedom of assembly, the right to physical integrity, the right to liberty and security, the right to equality, the principle of non-discrimination and the right to health.

International Instruments

International Bill of Human Rights and other UN instruments

The right to privacy as protected under the international legal framework in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights (ICCPR), stipulates that no one shall be subjected to arbitrary or unlawful interferences with his privacy, family, home or correspondence, or to unlawful attacks on his honour or reputation. Article 17 ICCPR additionally sets forth that everyone has the right to the protection of the law against such interference or attacks. Additionally, the International Convention on the Protection of the Right of All Migrant Workers and Members of Their Families reiterates the right to privacy for migrant workers and their families in its Article 14, and the UN Convention on the Rights of the Child protects the privacy of children in Article 16.

UN Guidelines for the Regulation of Computerized Personal Data Files

The UN Guidelines were adopted by a General Assembly resolution.116 As such, the Guidelines are non-binding on UN member states. However, the Guidelines can be seen as recording the minimum of privacy requirements consented to by the UN General Assembly comprising all 192 members of the UN. They require states to implement principles into domestic legislation to protect computerized personal data files.

ILO code of practice on the protection of workers' personal data

The 1997 ILO code of practice on the protection of workers' personal data provides guidance as to how best to protect employees' personal data in the form of a non-binding recommendation. It is specifically designed to guide not only legislation but also work rules and addresses the public and the private sector.117

ILO Recommendation concerning HIV/AIDS and the World of Work

The 2010 ILO Recommendation concerning HIV/AIDS and the World of Work118 further elaborates on the principles established in the 2001 ILO code of practice on HIV/AIDS and the world of work119, including the protection of the privacy of employees affected by HIV/AIDS. As a general principle, Title III of the ILO Recommendation requires that "workers, their families and their dependants should enjoy protection of their privacy, including confidentiality related to HIV and AIDS, in particular with regard to their own HIV status."120 Additionally, no workers should be required to undergo testing or disclose their HIV status.

A specialised section on testing121 explains in further detail that testing is to be voluntary and confidential and requires consent and counselling. No requirement should be made to test workers. Any test results should be confidential and workers should not be required to disclose any HIV status. The ILO Recommendation additionally requires that adequate procedures are in place to remedy any violations of these provisions.

The OECD Guidelines on the Protection of Privacy

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data address member countries of the OECD. The Guidelines are concerned with balancing the need for privacy protection and ensuring a free flow of information across borders. They are based on basic principles governing the application in national jurisdictions and on the international level. On the international level, OECD members should abide by principles assuring the free flow of information and adhere to legitimate restrictions.

In June 2007, member governments of the OECD adopted the Recommendation of the Council on Cross-border Cooperation in the Enforcement of Law Protecting Privacy. The recommendation asks member states to foster the establishment of an "informal network of Privacy Enforcement Authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement cooperation, share best practices in addressing cross-border challenges, work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns"122.

In 2009, the Global Privacy Enforcement Network (GPEN) was set up by 13 OECD member states' privacy enforcement agencies to facilitate cross-border privacy enforcement cooperation. The network aims to share information, trends and experiences about privacy enforcement, provide for training, and engage in dialogue with the private sector.

The APEC Privacy Framework

Similarly, adapting to the requirements of the OECD Guidelines, APEC member countries have adopted the APEC Privacy Framework setting out the APEC information privacy principles to ensure the free flow of information across borders while ensuring privacy protection. The principles apply to personal information controllers in the public and private sectors alike.123 The focus is on such aspects of privacy protection which are most important to international trade.

Similar to the OECD initiatives, the APEC Privacy Framework is implemented by a number of initiatives. The APEC Data Privacy Pathfinder commits states to work together to ensure the accountable cross-border flows of data.124 The Data Privacy Individual Action Plan provides information about the status of implementation of the APEC Privacy Framework in APEC economies. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to facilitate information sharing among the relevant authorities, ensure effective cross-border cooperation and encourage information sharing and cooperation on privacy investigation and enforcement with authorities outside APEC.

Regional instruments

The European Privacy Protection Framework

Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms protects the right to privacy in member states of the Council of Europe. It states that there should be no interference with the right to respect for private and family life, home and correspondence, "except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".

The 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first binding international instrument to protect individuals against abuses which may result from the collection and processing of personal data.125 The 1989 Council of Europe Recommendation on the protection of personal data used for employment purposes comprises all data principles as outlined below to be addressed by domestic legislation of Council of Europe member states. A proposal to modernise and amend the Recommendation takes into account changes in the world of work, including the international dimension of work generally with personal data being handled across continents.126

Similarly, the EU 1995 Data Protection Directive127 is currently under review by the European Commission with a view to modernising and improving the EU data protection system. It applies to data processed by automated means and traditional paper files aiming to protect the rights and freedoms of persons. The Directive asks member states to make their laws applicable to data controllers situated outside the European Union but uses equipment situated on the territory of a member state.

In the process of developing an updated privacy protection framework, the European Commission128 and the Article 29 Data Protection Working Party129 proposed that the responsibility of data controllers including private businesses should be enhanced by the requirement to conduct privacy impact assessments. The proposed comprehensive approach on personal data protection in the European Union specifically aims to tackle new challenges posed with respect to the privacy of individuals including the need to take into account data transfers outside the EU and calls for the promotion of universally applicable privacy principles.130

International cooperation

The US-EU and US-Swiss Safe Harbor Frameworks

Based on the abovementioned European Commission Directive on Data Protection and the application of the principle of "adequacy" in relation to personal data transfer between the EU and non-EU countries, the US Department of Commerce in consultation with the European Commission developed the "Safe Harbor" privacy protection framework. It serves to bridge the different privacy frameworks and to streamline compliance with the EU Directive for US organisations. A similar framework has been developed with Switzerland.131

US companies and other organisations under the jurisdiction of the Federal Trade Commission (FTC) can join the Safe Harbor Framework based on a self-certification scheme. Enforcement of the framework will be carried out in accordance with US laws. Companies participating in the framework are expected to have in place a dispute resolution system in addition to verification and remedy requirements. The persistent failure to comply with the Safe Harbor privacy principles may be considered deceptive and actionable under the Federal Trade Commission Act. Civil penalties in this case may amount to $12,000 daily. In 2009, the US Federal Trade Commission initiated proceedings against six organisations which falsely claimed membership of the EU-US Safe Harbor framework.132

Safe Harbor incorporates seven Safe Harbor Privacy Principles: notice, choice, and transfers to third parties, access, security, data integrity and enforcement. Transfers to third parties of personal information will have to be in conformity with those principles, i.e. the third party should ideally participate in the Safe Harbor framework or provide written confirmation that it has privacy protection in place which provides the same level of protection as the Safe Harbor principles.133 Many companies have joined the Safe Harbor framework and are listed on a government website.134

The Madrid Resolution on International Standards on the Protection of Personal Data and Privacy

The Madrid Resolution on International Standards on the Protection of Personal Data and Privacy was adopted by 50 representatives from domestic privacy protection agencies worldwide under the aegis of the Spanish Data Protection Agency.135 Representatives from five continents agreed on the text integrating a consensus on privacy protection derived from the different legislations. It addresses the public and the private sectors with regard to "any processing of personal date, wholly or partly by automatic means, or otherwise in a structured manner". It includes basic principles of lawfulness and fairness, purpose specification, the proportionality principle, the data equality principle, the openness principle and the accountability principle.

It also includes principles relating to the legitimacy of processing as well as rights of the data subject. The rights of the data subject include the right of access, the right to rectify and delete and the right to object. Additionally, the Resolution requires security measures to protect personal data and re-iterates the duty of confidentiality. Signatories are to take proactive measures to implement measures for better privacy protection compliance, they shall monitor the observance of the principles and cooperate and coordinate their efforts of international privacy protection.

National legal instruments with extraterritorial reach136

General privacy laws are provided for in most countries and compliance is usually ensured by an oversight body. Domestic privacy protection models also include industry rules enforced by the industry and overseen by an oversight body. In lieu of a general legal framework for privacy, countries may opt to protect and enforce privacy on a sector level, as, for example, in the US. Additionally, companies or industry bodies set up codes of practice aiming to self-regulate the protection of the right to privacy. Privacy International claims that self-regulation has not proven to adequately fulfil and enforce these policies.137

The US Global Online Freedom Act was enacted to prevent US companies from cooperating with repressive governments who censor and monitor the internet. The act prohibits US companies providing internet search engines, communications or hosting service in countries known to restrict and monitor internet activities from locating any personally identifiable information. To comply with the Act, US businesses have to report any disclosure requests from another government to the State Department Office of Global Internet Freedom and the Attorney General. The Attorney General has the authority to prohibit a business from complying with the government request.138 The extraterritorial nature of the act puts US businesses at risk of violating the law when they disclose information upon government requests in other countries.

• The US Federal Trade Commission is active in pursuing breaches of consumer privacy by companies. For example, in June 2010, Twitter agreed to settle charges brought by the Federal Trade Commission for failure to sufficiently safeguard consumer information. Hackers had been able to obtain unauthorised control over Twitter accounts of Barack Obama and Fox News.139

Other risks

In addition to legal risks posed by various international and domestic laws and treaty regimes sanctioning privacy abuses, businesses are exposed to scrutiny by auditors and stakeholders possibly translating into significant reputational risks.

Auditing standards

The application of standards, such as ISO 26000 and SA 8000, may pose a risk of the revelation of non-compliance in relation to privacy standards.

The ISO 26000 standard on social responsibility140 addresses privacy in its standards about workers and consumers. According to the standard, labour practices with respect to employment and employment relationships should include the protection of personal data and the privacy of workers.141 Additionally, with respect to consumer issues, organisations, particularly those collecting and handling personal information, have the responsibility to protect the security of such information and the privacy of consumers.142

Consumer issue 5 of the standard provides for consumer data protection and privacy. According to the standard, consumer privacy is to be protected by "limiting the types of information gathered and the ways in which such information is obtained, used and secured"143. So that personal data collection does not infringe on the privacy of consumers, an organisation should144 limit data collection, obtain the consent of the consumer, only employ lawful and fair means to obtain data, specify the purpose of data collection and only disclose information within this realm, secure personal data and disclose the identity of and hold accountable the data controller.

Further, the standard addresses privacy in the organisation's process of reviewing their actions and practices related to social responsibility. With respect to reporting progress and performance to governments, NGOs or other bodies, organisations should "confirm the reliability of systems for protecting the security and privacy of data".145 In this respect, ISO 26000 suggests that independent experts or groups examine data collection, storing and handling by the organisation. It particularly outlines that reviewing the social responsibility performance becomes necessary when there are concerns about the protection of private information, such as financial, medical or personal data.

Reputational risks and stakeholder expectations

In addition to the 2009 Madrid Privacy Resolution, the 2009 Madrid Privacy Declaration was signed by over 100 civil society organisations and privacy experts, reaffirming the necessity to protect the right to privacy and calling particularly on EU and OECD member states to fulfil their obligations to enforce the right to privacy based on the respective instruments. The Madrid Declaration also notes the concern of the signatories that corporations acquire personal data without independent oversight.

Civil society expectations are an important indicator to assess the risk of legal action against companies. Companies risk the publicising of privacy abuses which can significantly damage their reputation. The companies' stakeholders, including employees, business partners and customers, care about their privacy. Consumers, in particular, will pay attention to privacy concerns.

For example, the Ponemon Institute, a privacy research centre, published a survey about the "Most Trusted Companies for Privacy". While the interest of consumers in privacy can be doubted, for example when taking into account individuals' information sharing activities on social networking internet sites, users were very concerned about their privacy when privacy settings of those websites were changed and took the time to revise their account settings.146

Sensitive data (e.g. data about health, sexual orientation, race, etc.) is a particular concern for individuals. Disclosing such information to third parties, for example, raises fears of embarrassment, stigmatisation or the need to explain oneself.147 This fear may not only impact online consumer behaviour,148 but may also raise concerns among employees and business partners about engaging with a company.

Often, passing on personal customer information to authoritarian regimes means that the affected individual may face court proceedings and/or discriminatory or punitive action by state authorities, including arrests, imprisonment, torture, all of which have an impact on other human rights of the individual. In addition to the risk of complicity, the highly sensitised nature of those cases may implicate the company's reputation.

Various NGO's and blogs are focused on with privacy concerns and publicise privacy "breaches". For example, Privacy International is a UK-based NGO which has campaigned for and assessed privacy protection for over twenty years. According to the group, "privacy forms the bedrock of freedoms".149 The Privacy Foundation at the University of Denver's Sturm College of Law conducts research and provides privacy education to legal professionals and the general public.

Blogs include:

• Hunton Privacy Blog: Hunton & Williams is a top law firm for privacy; its privacy and information management practice contributes privacy protection information in this blog
• Pogowasright.org/Databreaches.net/http://www.phiprivacy.net/: pogowasright.org is an independent blog attempting to raise awareness of privacy news and issues; Databreaches.net is a spinoff from pogowasright.org and specifically aims to collect reports on privacy breaches; another spinoff is phiprivacy.net which compiles privacy issues surrounding health information

Commercial risks

Data breaches infringing on the privacy of individuals are very expensive. In April 2010, the Ponemon Institute, a privacy research centre, published a survey on the Global Cost of Data Breach which found that, in 2009, the average global data breach costs comprising organisations in the US, UK, Germany, France and Australia amounted to US$3,425,381 per data breach incident. This included an average global cost of US$1,642,878 of lost business per data breach incident. The global average cost per compromised customer record was US$142.150 The institute also found that costs of data breach continue to increase.151 Another study by the institute Benchmark Study on Patient Privacy and Data Security found that data breaches in US hospitals cost healthcare organisation US$6 billion annually.

In addition, the violation of the right to privacy by government activities poses a risk to company sales. For example, according to the Open Net Initiative's (ONI) report "Access Controlled"152, the Syrian Interior Ministry and the Syrian Telecommunications Institution have banned the sale of cell phones that have GPS and WAP services that are not being properly monitored by the service providers. Mobile phone stores were instructed not to sell certain models.153 Businesses face the dilemma of losing business when not abiding by domestic laws and regulation which will most probably infringe on the privacy of citizens.

Operational risks

Companies implicated in privacy infringements may face problems relating to workforce retention. When employees fear that their employer passes on personal information which may in turn undermine the worker's ability to work or lead to discriminatory or punitive action by state authorities, workers may choose different employers. In addition, customers may turn away from companies which pass on personal information to governments. This problem is likely to be particularly pronounced where the governments concerned have authoritarian governance structures and may use personal information passed on by companies to enforce domestic laws which are in conflict with the international human rights law principle of non-discrimination.

Back to top

The business and human rights framework as a guideline

According to the UN "Protect, Respect and Remedy" policy framework154 as recently updated and elaborated in the Guiding Principles for the Implementation of the UN "Protect, Respect and Remedy" Framework155 business has a responsibility to respect all human rights. To meet the requirements of the responsibility to respect human rights, the "Protect, Respect and Remedy" framework notes that a responsible company should avoid the infringement of the rights of others and address adverse impacts that may occur. This includes that businesses engage in human rights due diligence156to the level commensurate with the risk of infringements posed by the country context in which a company operates, its own business activities and the relationships associated with those activities.157

The Guiding Principles for the Implementation of the UN "Protect, Respect and Remedy" Framework aim to provide "concrete and practical recommendations" about how businesses can operationalise their responsibility to respect human rights. The Guiding Principles have been formally submitted to the Human Rights Council which will decide on the endorsement of the principles in June 2011.

According to the Guiding Principles, the responsibility to respect human rights requires responsible companies to

• Implement a human rights policy
• Apply human rights due diligence
• Provide for remediation.158

The framework, as clarified by the draft Guiding Principles document specifies the main components of human rights due diligence:

A statement of policy articulating the company's commitment to respect human rights and providing guidance as to the specific actions to be taken to give this commitment meaning:This policy should be informed by appropriate internal and external expertise and identify what the company expects of its personnel and business partners. The policy should be approved at the most senior level and communicated internally and externally to all personnel, business partners and relevant stakeholders. In addition, it should be reflected in appropriate operational policies and procedures

Periodic assessment of actual and potential human rights impacts of company activities and relationships:Human rights due diligence will vary in scope and complexity according to the size of a company, the severity of its human rights risks and the context of its operations. Impact assessment must be continuous, recognising that human rights risks may change over time as companies' operations and operating contexts evolve. The process should draw on internal and external human rights experts and resources. Furthermore, it should involve meaningful engagement with potentially affected individuals and groups, as well as other relevant stakeholders

Integration of these commitments into internal control and oversight systems: Effective integration requires responsibility for addressing such impacts to be assigned to the appropriate level and function. It also requires appropriate internal decision-making mechanisms, budget allocation and oversight processes

Tracking of performance:Tracking of performance should be based on appropriate qualitative and quantitative metrics and should draw on feedback from both internal and external stakeholders. In addition, it should inform and support continuous improvement

Public and regular reporting on performance:When reporting, companies should take into account the risks the communication of certain information may pose to stakeholders themselves, or to company personnel. In addition the content of the reports should be subject to the legitimate requirements of commercial confidentiality

Remediation:Where business enterprises identify responsibility for adverse impacts, they should provide for or cooperate in their remediation through legitimate processes

The following suggestions have been adapted from the business and human rights framework as laid out in the draft Guiding Principles for the Implementation of the UN "Protect, Respect and Remedy" Framework to facilitate the protection of the right to privacy for businesses operating in, sourcing from or distributing to emerging markets.

They are based on the international privacy protection frameworks and recommendations outlined above, i.e. the UN Guidelines on the regulation of computerized personal data files (UN Guidelines), the ILO practice code on the protection of workers' personal data159 (ILO Code), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines), the APEC Privacy Framework160 (APEC Framework), the EU framework for privacy protection161 (EU Framework), the Madrid Resolution,162 the US-EU Safe Harbor Framework,163and the ISO 26000 standard on social responsibility (ISO 26000).

Companies can seek specific guidance on this and other issues relating to international labour standards from the ILO Helpdesk.164 This aims to help company managers and workers understand the ILO approach to socially responsible labour practices and to assist in the development of good industrial relations. The ILO Helpdesk website also contains detailed factsheets and links to information, resources and frequently asked questions on labour issues, using the ILO Declaration of Principles concerning Multinational Enterprises and Social Policy as the framework.

Specific actions that responsible business might take include: 165

1. Policy statement

A statement of policy shall articulate the company's commitment to respect human rights and provide guidance as to the specific actions to be taken to give this commitment meaning. This policy should be informed by appropriate internal and external expertise and identify what the company expects of its personnel and business partners. The policy should be approved at the most senior level and communicated internally and externally to all personnel, business partners and relevant stakeholders. In addition, it should be reflected in appropriate operational policies and procedures.166

Companies should be aware how their activities impact on the right to privacy and implement a human rights policy addressing privacy. This policy statement should ensure that information and data collected about employees, business partners or customers is treated with respect for the human right to privacy. Prior to developing a human rights policy the "Guide for Business: How to Develop a Human Rights Policy"167 suggests to assign senior management responsibility, to involve all business operations, to conduct a policy gap analysis and policy mapping and to consult with internal and external stakeholders.

Firstly, companies can pledge to abide by human rights standards and international frameworks as outlined above. Secondly, privacy policies should include a commitment to adhere to the basic principles of privacy protection as provided for in the abovementioned instruments. Businesses should pledge to adhere to the following principles168:

• Preventing harm
• Lawfulness and fairness
• Non-discrimination
• Notice provision
• Collection limitation
• Purpose specification
• Accuracy and integrity
• Security and confidentiality
• Interested person access
• Accountability

Ensure clarity

According to a survey cited in the 2010 US Federal Trade Commission (FTC) report "Protecting Consumer Privacy in an Era of Rapid Change", consumers often think that the term "privacy policy" means that a company will not share any personal information.169 Additionally, in practice, privacy policies are often long and incomprehensible, making it difficult for consumers to read and understand. In turn, this may undermine the applicability of further privacy principles as outlined below. An Internet Privacy Policy Study170 published on the FTC website which surveyed Fortune 500 companies found that "only 1% of the privacy policies met the guidelines for a clear and conspicuous privacy policy written in plain and simple language".171 The study found that approximately 30% of the privacy policies required the equivalent of a postgraduate education to understand them.

Companies should thus adjust their privacy policies to be transparent, easily accessible and understandable.

Companies should avoid lengthy and too detailed privacy policies and simplify their policies

Companies may choose to opt for an easily understandable, standardised privacy policy

Additionally, companies should aim to increase consumer education efforts172

To make privacy policies more transparent and efficient, companies increasingly opt to implement multilayered privacy policies to inform customers.173 The OECD Privacy Statement Generator EU Article 29 Data Protection Working Party has endorsed the concept of multilayered notices in Opinion 10/2004.174

Multilayered notices comprise at least a condensed notice highlighting all key factors and a complete notice including all legal requirements. Multilayered notices make it easier for customers to understand and compare different privacy notices.175 Currently, such layered notices may comprise three steps176:

Short notice: provides minimum information such as the identity of the data controller, contact details and purpose of processing personal information

Condensed notice: easily accessible document including information on the scope of application, what personal information is collected, how this information is used and shared, consumer choices and access options

Full notice

• For an example of a two-layered approach to notifying customers of its privacy policy, see Lenovo case study

2. Human rights due diligence

The aims of implementing human rights due diligence processes are to identify, prevent and mitigate adverse impacts companies may have on human rights and to account for their performance on an ongoing basis.177 Human rights due diligence entails a risk assessment to the level commensurate with the risk of infringements posed by the country context in which a company operates, its own business activities and the relationships associated with those activities.178 Depending on the risks involved, the size of the company and the context of business operations, scale and complexity of the risk assessment may vary. It includes a human rights impact assessment, the integration of commitments into internal control and oversight systems, performance tracking and public and regular reporting.

The Global Network Initiative (GNI) provides more specific guidance for companies to integrate privacy and freedom of expression into business operations. It is a collaborative multi-stakeholder initiative which aims to protect privacy and freedom of expression in the ICT sector. GNI participants include companies, civil society organizations, investors and academics. Participants pledge to implement core principles on responsible company decision making, freedom of expression, privacy, multi-stakeholder collaboration and governance, accountability and transparency.179 Those principles and their implementation guidelines provide ICT companies and their stakeholders with guidance on how to protect and advance privacy and freedom of expression.

The GNI implementation guidelines provide ICT companies with guidance on human rights impact assessments and how to integrate privacy and freedom of expression into business operations. Company boards are to review company operations and their impact on privacy and freedom of expression through regular management reports and in risk management processes. Board members shall also participate in privacy risk training.180

Human rights impact assessment

Human rights impact assessments181 serve to identify and assess the actual or potential human rights impacts of companies' activities and associated relationships prior to and during business activities. The assessment involves:

• Identification of impacted people
• Identification of human rights issues and standards
• Projection of adverse impact on human rights
• Consultations with potentially affected groups

Businesses can mitigate human rights risk, including the risk to the right to privacy, when they are fully aware of the potential and actual impacts of their activities on human rights, particularly where governance is weak, or a culture or legal environment is known to infringe on the right to privacy, as is often the case in emerging markets. The human rights impact assessment as proposed by the UN Special Representative serves to understand the impact business activities may have on the human rights of those individuals affected by the company's business activities and to assess how the legal, economic and cultural environment impacts human rights. The company can then make an informed decision about how to mitigate those impacts by developing mechanisms, procedures and systems integrating human rights into internal strategies and procedures, hence "operationalising" human rights.

The Guide to Human Rights Impact Assessment and Management (HRIAM) is a tool businesses can use to conduct such assessments.182 The Guide also provides information on management processes and systems. For example, where a business knows that a heightened standard of scrutiny needs to be applied in corrupt business environments, or with respect to health issues impacting severely on the workforce, then the company should be aware that this may infringe on the right to privacy.

According to the GNI implementation guidelines, ICT companies should identify how privacy (and freedom of expression) may be jeopardised or advanced by company operations. Appropriate risk mitigation strategies should be developed when:

• Reviewing of procedures about how to respond to government demands for data
• Entering new markets, especially when those markets are known to restrict privacy and freedom of expression
• Reviewing policies, procedures and activities of business partners and suppliers
• Designing and introducing new products and services183

Additionally, when a company knows that laws in a certain country impact the right to privacy, the company can take precautions so as to avoid complicity in privacy violations by the government. If laws discriminate against certain individuals or groups of individuals, then companies should be aware that they may be asked, particularly by authoritarian regimes, to supply information on their workers or customers which may infringe on the right to privacy.

Integration of human rights commitments into internal control and oversight systems

Effective integration184 requires responsibility for addressing such impacts to be assigned to the appropriate level and function. It also requires appropriate internal decision-making mechanisms, budget allocation and oversight processes. The Guide to Human Rights Impact Assessment and Management may help companies to manage and control their human rights impacts.

In addition, GNI provides guidance on how ICT companies can integrate privacy into business operations. According to the GNI implementation guidelines, this should inform

• Structure, including a senior-directed human rights team
• Procedures, including written procedures, documentation of policies and compliance, means of remediation, assurance processes to ensure compliance with privacy requirements, record keeping of demands for government restrictions
• Employee communications
• Complaints and assistance procedures, including escalation procedures and whistle-blowing mechanisms

The actual and potential impacts on privacy for businesses operating in, sourcing from or distributing to emerging markets have been outlined above.185 The suggestions below address those issues based on the International Bill of Rights and the different international legal frameworks and policies on privacy, such as the UN Guidelines on the regulation of computerized personal data files186, the ILO practice code on the protection of workers' personal data187, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,188 the APEC Privacy Framework189, the EU framework for privacy protection190, the Madrid Resolution,191 the US-EU Safe Harbor Framework192 and the ISO 26000 standard on social responsibility. While these frameworks address different contexts and issues, the principles of privacy protection can be found in all of them and should inform the implementation of privacy policies and management systems for business activities in emerging markets.

The following suggestions aim to help businesses to internalise privacy protection and operationalise the more general principles of preventing harm, collecting and processing personal information lawfully and fairly, as well as applying the principle of non-discrimination.

General principles:

- Prevent harm

This basic principle to prevent harm193 to individuals requires companies to protect against the misuse of information collected about business partners, employees or customers. While the right to privacy is not an absolute right and may thus be balanced against public interests such as security, workers may not waive their right to privacy as stated in the ILO Code.

- Honour the principle of lawfulness and fairness

In accordance with the UN, the ILO, the ISO standard and the EU directive, data collection and processing should be fair and lawful and honour internationally recognised human rights principles. According to the UN Guidelines, the principle requires that information should be used in conformity with the purposes and principles of the Charter of the United Nations referencing the respect for human rights. While many privacy protecting instruments honour the principle to abide by domestic privacy laws, in some countries there are few legal constraints (e.g. on workplace surveillance).194 Thus, in emerging markets, companies will often be faced with a lack of privacy protection and even encounter privacy infringing laws and practices further impacting other human rights and the principle of non-discrimination. For example, with respect to the privacy rights of employees, countries in sub-Saharan Africa as well as Thailand and China have come under scrutiny for a lack of privacy protection.195

- Respect the principle of non-discrimination

Both the UN and the ILO require adherence to the principle of non-discrimination. The UN Guidelines prescribe that data should not be collected which may lead to unlawful or arbitrary discrimination, e.g. information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union. While exceptions to this rule may be allowed to protect national security, public order, public health or morality, as well as the rights and freedoms of others, those exceptions have to be consistent with the International Bill of Human Rights and the other relevant instruments protecting human rights and preventing discrimination.196

According to the ILO practice code on the protection of workers' personal data general principles, the processing of personal data should not have the effect of unlawfully discriminating in employment or occupation.

Which information and data to collect and how:

- Know what information you can collect

Generally, "sensitive" data needs special justifications to be collected, stored and processed. Such data is often likely to give rise to unlawful or arbitrary discrimination and should therefore not be collected. However, businesses operating in emerging markets may have a heightened need to collect such data in order to protect their assets and interests.

The UN Guidelines consider data about racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union to be sensitive data which should not be collected. The Madrid Declaration and the ILO practice code add data about criminal convictions or health to the list of personal data which should principally not be collected.

The ILO practice code allows the collection of such data only in exceptional circumstances "if the data are directly relevant to an employment decision and in conformity with national legislation".197 Data on the worker's trade union membership or activities should only be collected in accordance with a law or collective agreement. The ILO practice code limits the collection of personal health data to determine a worker's fitness for a particular type of employment, in accordance with occupational health and safety requirements and to determine entitlement to, and to grant, social benefits. Medical testing may not be compulsory.198

Compliance with domestic laws in emerging markets poses challenges to businesses when aiming to comply with the requirements set out as part of their responsibility to respect the human right to privacy as described above. Companies should thus have in place measures and processes to avoid the collection of sensitive data. First, any collection should be proportional to the needs and balancing tests may help companies to determine their need. Second, if the collection of such data is proportional to the purpose, i.e. when the impact on privacy weighs less than the need for the collection of the data, companies should aim to keep the information confidential. Confidentiality agreements between the employer and business partners, employees or customers may shield the company from having to comply with government requests for personal data which would violate the right to privacy.199

- Provide proper notice to concerned individuals

The instruments mentioned above require that individuals are informed of any data collection processes, the rules that govern the process and their rights. The APEC Privacy Framework's Notice Principle requires information controllers to "provide clear and easily accessible statements about their practices and policies".200 A privacy policy notice should include information such as:

• A statement that personal information is being collected
• The purposes of such information collection
• To whom this information will be disclosed
• Who controls the personal information
• Choices and means offered to employees, customers or business partners to limit disclosure and to access and correct their information

The ILO practice code recommends that workers and their representatives should be kept informed of any data collection process, the rules that govern the process and their rights.

In accordance with the OECD Guideline, "openness" with respect to data collection, storage or use of personal data may involve, for example, publicised information from the data controller about data collection and processing.201

In any case of personal information collection and processing, the company must inform the person whose data is being collected and processed. Notification, however, will not exempt companies from having to obtain consent and abide by other privacy standards as outlined below.

A company's privacy policy should serve to inform employees, customers and business partners about what they are to expect. In addition to being aware of the privacy policy, business partners may have to be informed separately in the respective contract agreement with the company.

The notice principle provides the basis for privacy protection and often goes hand in hand with the Choice principle as provided for in the APEC Frivacy Framework and outlined below.

When having to provide personal information to governments, the Global Network Initiative proposes ICT companies disclose to users the applicable domestic legal framework and the company's policies to respond to government requests; which information about users the company collects. Additionally, companies are required to assess their measures to support transparency about the collection, storage and retention of personal user data.202

- Obtain the consent of the individual to collect personal information

Where necessary and appropriate, the individual whose data is being collected should have the right to be asked for his/her consent. This will specifically apply in the case of the collection of sensitive data.203

For example, when applying a heightened standard of integrity due diligence204 as part of a corruption risk assessment in an emerging market environment prone to corruption, the company will have to inform the respective persons and obtain their consent to screening processes implemented to ensure the integrity of the agent, consultant, or joint venture partners, contractors or in public procurement.

- Limit the collection of personal data to information that is relevant to the purposes of data collection

The ILO, ISO 26000, the OECD and APEC endorsed the principle of limiting the collection of personal data. The ILO practice code asks employers to reduce as far as possible the amount and kind of information collected. The APEC Privacy Framework states that "the collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or the consent of, the individual concerned."205

Similarly, the OECD's collection limitation principle requires lawful and fair means of collection and the consent of the data subject and comprises limits on the collection of particularly sensitive data. ISO 26000 recommends limiting the collection of personal data to such information that is essential for product and services provision, or requires the informed and voluntary consent of the consumer.206

- Specify the purpose of collecting and processing personal information

The UN, the ILO, ISO, the OECD and APEC require that data is collected and used only for the purposes initially specified. The UN Guidelines require that all data collected relates to the specified purpose and that consent of the individual concerned is necessary to use or disclose data for purposes incompatible with those specified. According to the ILO practice code, data should be collected only for the purposes for which they were originally collected. If data is to be processed for purposes other than those used, the controller has to make sure that the new purpose is not incompatible with the original purpose. The ILO practice code additionally prohibits using data to control the behaviour of workers.

How to process and store personal information:

- Provide individuals with choice in relation to data collected about them

In accordance with the APEC Privacy Framework Choice principle, "individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation of the collection, use and disclosure of their personal information."207 This principle shall ensure that individuals are notified of their choice with respect to the collection, use, transfer and disclosure of personal information. The mechanisms for exercising choice should be accessible and affordable. Additionally, ease of access and convenience when exercising choice should be taken into account.

The US-EU Safe Harbor Framework provides that affirmative or explicit (opt-in) choice must be available for sensitive information, when it shall be disclosed to a third party or used for a purpose other than originally intended or subsequently authorised by the individual.208Accordingly, the affected individual needs to consent to such data transfers or use of his data.209 In its recent report Protecting Consumer Privacy in an Era of Rapid Change, the US Federal Trade Commission (FTC) recommends protecting sensitive information through an enhanced consent mechanism in the form of affirmative express consent.210 Under FTC case law, companies must provide disclosures and opt-in consent when they wish to use personal information for a purpose which is materially different from the original purpose of information collection and processing.211

When collecting publicly available information, the provision of choice may not be necessary or may be impracticable. Additionally, providing choice may be unnecessary in a business context when business contact information is being passed on. In employment relationships, it may be impracticable to abide by the choice requirement when personal employee information is used for employment purposes (e.g. when employee information is centralised in the human resources department).

Both the notice and the choice principles are foundational principles of privacy protection. However, the FTC criticises that the principles as currently applied only have a limited force of protecting individuals. A major concern was the consumers' lack of understanding, which undermines the application of the two principles and the principle of informed consent as outlined below.

The FTC also outlines situations in which "commonly accepted practices" may not warrant the application of the choice principle. This includes, for example, information collection and processing for the purposes of product and service fulfilment, customer satisfaction surveys, and fraud prevention.

- Ensure accuracy and integrity of personal information

The UN, the ILO, the OECD, APEC and the EU data directive adhere to the principle of accuracy of the data collected. This comprises the accuracy of data when collected and the maintenance of the integrity of the data throughout the storage and use of the data. The principle also involves the right of the person concerned to have incorrect data held about him corrected. The ILO practice code asks employers to verify on a continuous basis that the data is accurate, up-to-date and complete. In the case of incorrect or incomplete data, workers shall have the right to demand deletion or rectification.

- Protect and secure gathered information

UN, ILO, ISO, OECD, APEC and EU privacy protection instruments all contain the principle of security and confidentiality. The UN Guidelines require appropriate measures to secure and protect personal information against accidental loss or destruction and against unauthorised access, or fraudulent misuse of data. Similarly the ILO practice code requires employers to ensure that personal data are protected against loss, unauthorised access, use, modification or disclosure. The APEC Framework states that safeguards should be proportional to the severity of the harm threatened and take into account the sensitivity of the information and its context.

- Ensure confidentiality

Information collected, stored and processed should be treated confidentially, particularly when sensitive information is concerned. The Madrid Resolution and the ILO practice code require that anyone involved in the process of collection and processing of personal information shall be bound by the duty of confidentiality. This obligation shall remain valid even after the relationship with the concerned person has ended.212

The ILO practice code requires confidentiality when handling medical information in line with the ILO Occupational Health Services Recommendation No. 171.213

Particular issues arise with respect to information which can be relevant for the company to protect against corruption, i.e. asking the business partner/employee about his/her political affiliation. This may be necessary because individuals with close ties to the ruling party are more likely to be implicated in corruption or nepotism, particularly in emerging markets, where local structures are traditionally based on the leadership of certain families or groups.

While the company may decide to demand this information, or may be required to do so in accordance with domestic laws, it may decide to keep this information confidential or follow processes to attempt to minimise the risk of human rights abuses. Confidentiality agreements between the employer and the employee may protect the company against having to pass on the information.

- Ensure access of concerned persons to information gathered about them

All instruments guarantee the access of individuals to the information held about them. The concerned person has the right to know if any of his/her personal information is being processed and to examine and obtain this information. The concerned person also has the right to erase or rectify unlawful, unnecessary or inaccurate data.

According to the APEC Privacy Framework, this does not apply when the burden of access provision is disproportionally high, when confidential commercial information is at issue, or where the privacy of others would be violated. Confidential commercial information is information which the company has protected from disclosure, where the disclosure would facilitate the exploitation of such information by a competitor and which would cause significant financial loss.214

If possible, requested information should be separated from confidential commercial information to enable access by the individual. Where this is not possible, businesses may deny access to such information but should provide the individual with a detailed explanation and information as to how to challenge the denial of access.

- Apply the proportionality principle and balancing tests

The Madrid Resolution advocates that "the processing of personal data should be limited to such processing as is adequate, relevant and not excessive in relation to the purposes" of collecting and processing personal data. The processing of personal data should be limited to the minimum that is necessary.

Balancing tests will help to assess whether information is required within the framework of employment or other business relationships. The need to collect and process personal data should be weighed against the consequential privacy infringement. This is particularly necessary with respect to sensitive data, including data about ethnicity, political and religious affiliation or opinions, health, and sex life.215 The impact on privacy in these cases is more intrusive and a greater margin of justifying data collection and processing will have to be applied.

- Avoid long retention periods

Data retention should be limited to a reasonable and appropriate period. Long retention periods bear the risk that the data is used for purposes other than originally intended and increase the risk of the theft of such data. The US Federal Trade Commission thus recommends to swiftly and securely dispose of data for which companies no longer have any specific business need.216

Accountability

Many of the instruments mentioned require that the person controlling personal data should be held accountable for complying with the principles of privacy protection. ISO 26000 and the APEC framework require the disclosure of the identity of the data controller. The Madrid Resolution sets forth that the person responsible for data collection shall "have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers".217 According to the ILO practice code, the data controller should be regularly trained so as to ensure the privacy implications of collecting personal data.218

EXAMPLE 1: Government requests for the transfer of private data

Ensure adequate management systems are in place: According to the guide Human Rights Translated, companies should develop management criteria "for deciding the precise circumstances under which the company may be prepared to comply with government requests for the transfer of private data" particularly when local authorities are known to improperly limit the freedom of expression and to prosecute dissidents.

Comply with international law where possible: In this classic conflict of laws situation, companies are stuck in the middle – between their responsibility to respect human rights and their obligation to abide by domestic laws. Emerging economies often have weak laws in place. In this case companies should, in accordance with Guiding Principle 21 proposed by the UN Special Representative of the Secretary General on Business and Human Rights, ensure compliance with international law to the largest extent possible.

Avoid unnecessary collection and processing of information: When domestic laws are in direct conflict with international human rights standards, companies face an outright dilemma. Laws can infringe on the privacy of individuals but have to be implemented by the company. For example, an employee may lose his job, welfare benefits, residence permits, may experience societal discrimination, his access to public services may be restricted, his/her citizenship rights (such as the right to vote) may be infringed, or he/she may face punitive action, such as detention, torture, or other punishment enforced as a result of the application of the discriminatory law. In this case, information requested by the government from the company may put an individual in a situation where he will be a victim of discriminatory laws and government enforcement.

The UN Guidelines adopted by the UN General Assembly ask governments to stay within the limits provided for in the UN Charter when allowing exceptions to the right to privacy based on justifications such as national security, order, morality, etc. However, this limitation does not help businesses to withstand the pressure from governments to provide the information requested.

Companies should always ensure that only information which is relevant to employment is collected, provide proper notification of the effects of collecting certain information, and ensure that the data subject has the choice to give this information. When in doubt, the collection of sensitive information such as trade union or political information and information about family members should be avoided.

Support individual against government requests: The company, having ensured that its assets are not in danger, may opt to protect the employee, particularly by further providing employment, health service, and benefits to the concerned individual or advocate on the individual's behalf or support organisations or individuals in doing so. This may ensure that the company has made every effort to ensure respect for human rights.

• For an example about how to transparently tackle government surveillance of personal information, see Google case study.

EXAMPLE 2: Employee drug and alcohol testing

According to the 1993 ILO Guiding principles on drug and alcohol testing in the workplace[219] workers should have the right to make informed decisions as to whether to undergo medical testing. Employers should honour the workers' right to choose a doctor, the right to representation if needed, the right to notification that testing will be carried out as part of a pre-employment screening programme, and the right to information on test results.

Ensure knowledge of domestic privacy laws: Laws with respect to obtaining and storing medical information differ from country to country and range from prohibiting the collection of such information to the sanctioning of failing to collect such information. For example, while Kenya and Tanzania laws ban HIV screening, Nigeria and Cameroon have adopted policies addressing the threat of HIV while honouring the principle of non-discrimination against workers living with HIV/AIDS. General health tests, particularly drug tests, may be required by law, as in the UK where the failure to comply with the requirement of drug testing as part of the employment agreement may result in disciplinary action.220

Ensure non-discrimination: An independent medical review of the test results should be available for employees. Employees showing positive alcohol or drugs tests results should not be discriminated against and rehabilitation and re-integration into the workforce should be made possible. The employer should encourage and support the employee to participate in counselling or treatment programmes.

Balancing tests should be applied by employers to weigh the need for such testing, taking into account the nature of the jobs involved. In some situations, the right to privacy may outweigh the need to administer tests. In accordance with the principle of proportionality, the company should determine whether or not the interest in collecting and processing personal data outweighs the impact on the right to privacy of the individual.

Strengthen the role of the occupational physician: Companies should aim to honour the privacy principles with regard to health and drug testing to the largest extend possible. When companies have an interest in collecting, or are required to collect, this information and have obtained the consent of the individual, confidentiality of medical information pertaining to drug or health tests can be ensured by strengthening the role of the occupational physician. For example, in countries such as Finland, France, Belgium, Germany and Austria, drug test results are communicated to the occupational doctor instead of the employer. The doctor will then only inform the employer of whether or not the person is fit to work, without revealing the specifics of the drug test results.221

Ensure accuracy of test results: Companies will also have to bear in mind that the results of health or drug tests may be false or misleading due to human errors or previous positive testing. Certain legal substances such as poppy seed, Vicks inhalers, Ibuprofen may also result in positive results. Decisions taken based on misleading or false medical testing may expose the employer to legal action by the employee.222

Performance tracking

Monitoring and tracking223 a company's human rights performance drives continuous improvement and will also enable companies to receive critical feedback from their stakeholders. In accordance with the Guiding Principles on Business and Human Rights, namely Principle 20, performance tracking should be based on appropriate qualitative and quantitative indicators and draw on feedback from internal and external sources including affected stakeholders.224

Performance tracking should be integrated into internal reporting processes involving performance contracts, reviews, surveys and audits. As part of the evaluation of human rights performance, the Guide to Human Rights Impact Assessment suggests companies should have monitoring assessments in place, as well as reporting processes and evaluations.225

In accordance with the Guide, privacy performance tracking and monitoring should aim to assess:

• Privacy risks and impacts, taking into account different stakeholders
• The adequacy and efficacy of privacy implementation and enforcement systems
• The occurrence of grievances relating to privacy
• The achievement of conformity with external commitments and legal requirements

Monitoring mechanisms may include:

• Timely reports from project managers assigned to implement privacy protection mechanisms and resolution processes to address any performance shortages
• Supervisory site visits
• Independent human rights audits, i.e. through external consultants

Evaluation mechanisms should measure performance against the key indicators (as outlined above) of privacy protection. They should include the assessment of the relevance, impact, efficiency, sustainability and flexibility of the mechanisms put in place to ensure privacy protection.226

Public and regular reporting on performance

When reporting, companies should take into account the risks the communication of certain information may pose to stakeholders themselves, or to company personnel. In addition, the content of the reports should be subject to the legitimate requirements of commercial confidentiality. In accordance with the Guide to Human Rights Impact Assessment, public reports to stakeholders on human rights performance, including privacy should contain:

• Information on how human rights risks and impacts, including those relevant to privacy, have been addressed by the company
• Information on grievance mechanisms and procedures in places
• Information on stakeholder engagement processes
• Lessons learned and action plans to address shortcomings relevant to the respect for human rights, including the right to privacy
• Information on how the company measures human rights impacts227

Integrated reporting

While this can be communicated in sustainability reports separate from financial reports, companies may consider opting for an integrated reporting approach marrying both financial and sustainability reporting in one report. This will help companies to perform more sustainably and to better understand how human rights risks impact on overall company performance. It also ensures that human rights are efficiently operationalised. The Global Compact supports integrated reporting for the Communications on Progress submitted by their participants228 and there is a business school movement for the integration of reports.229

3. Remediation

Where business enterprises identify responsibility for adverse impacts, they should provide for or cooperate in their remediation and offer routes to judicial or non-judicial grievance mechanisms. Businesses can provide for operational-level grievance mechanisms as recommended in the Draft Guiding Principles.230 Operational level grievance mechanisms are administered by companies alone or in collaboration with relevant stakeholders and are accessible directly to "individuals and communities who may be adversely impacted by a business enterprise".231 Operational-level grievance mechanisms may help companies to identify human rights impacts and grievances and make it possible to address such grievances and remediate human rights impacts at an early stage. The online platform BASESwiki232 provides a vast array of information and the opportunity to share information about a number of dispute resolution mechanisms between business and society at the global and local levels.

• For example of grievance mechanisms at the local level, see Gap Inc case study

4. Consult with relevant stakeholders

Companies should consult with relevant stakeholders to get their advice and comments on their privacy protection practices and mechanisms and to find solutions to privacy dilemmas. Guidance from the UN Global Compact, the Guide to Human Rights Impact Assessment and the IFC Good Practice Handbook on Stakeholder Engagement help companies to identify and engage with the relevant stakeholders.

Particularly in situations where government requests may compromise a company's human rights policy, the consultation with stakeholders will shed light on the expectations of the company. The guide Human Rights Translated suggests to "consult with human rights experts and key stakeholders on acceptable solutions in situations where the company is at risk of violating its stakeholders' right to privacy including in circumstances where the company is required to comply with lawful governments requests to hand over data to aid criminal investigations".

Relevant stakeholders at the local and global levels can include workers, trade unions, local communities, NGOs and other civil society and advocacy groups, academia and governments. Stakeholder panels may be an effective mechanism for companies to receive advice and commentary on company practices relating to privacy. Stakeholder panels are considered good company practice and can help companies, among other things, to assess human rights impacts, build trust among stakeholders, mitigate risks and prevent disputes.233

With respect to privacy, relevant stakeholders include:

• Workers, groups of workers and workers' representatives
• Trade unions
• Local groups aimed at protecting human rights in general and privacy in particular
• Global advocacy groups, such as Privacy International
• Government agencies protecting privacy such as, for example, the Telecom Regulatory Authority of India which regulates privacy in telecommunications
• Consumer protection groups and agencies

The Global Network Initiative (GNI) is a collaborative multi-stakeholder initiative which aims to protect privacy and freedom of expression in the ICT sector. It includes companies, civil society organizations, investors and academics. Participants pledge to implement core principles on responsible company decision making, freedom of expression, privacy, multi-stakeholder collaboration and governance, accountability and transparency.234 Those principles and their implementation guidelines provide ICT companies and their stakeholders with guidance on how to protect and advance privacy and freedom of expression.

GNI requires participating companies to engage in multi-stakeholder collaboration to promote public policies in line with the core GNI principles protecting privacy and freedom of expression. Additionally, GNI advises companies to have in place a confidential internal advisory forum to provide guidance as to how to advance freedom of expression and privacy. GNI participants pledge to create a learning, collaboration and communication program and promote global dialogue about GNI principles and their implementation involving interested companies, industry associations, advocacy NGOs and other civil society organisations, universities, governments and international institutions.235

5. Provide for proper privacy training

In accordance with the Guide to Human Rights Impact Assessment, training key managers in the company, particularly those directly processing personal information, is required as part of an adequate privacy management system. Additionally, training of employees throughout the company may be advised to minimise the risk of privacy infringements.

Standard 22 of the Madrid Resolution encourages organisations involved in the processing of personal information to regularly implement training, education and awareness programmes to ensure the full understanding and compliance of those involved in these processes with appropriate laws and the organisation's privacy policy and management systems.

The US-EU Safe Harbor Framework requires companies seeking certification of the framework to demonstrate that employee training is implemented to ensure compliance with the Safe Harbor principles.

In its recent Privacy Report, the US Federal Trade Commission recommends that companies designate personnel to conduct employee trainings on privacy as part of a comprehensive privacy programme. These programmes should be proportionate to the risks faced by companies when dealing with personal data. A company which collects and processes large amounts of data and sensitive data has to apply a heightened standard of care.236

Back to top

Human rights impact of privacy infringements

The right to privacy is related to and impacts on many other human rights including the overarching fundamental principle of non-discrimination. When the right to privacy is impacted, businesses risk complicity in other human rights abuses. Other human rights impacted by infringements on the right to privacy include:

Equality and non-discrimination, Articles 2, 3, 14, 26 ICCPR: The principle of non-discrimination and the right to equality may be impacted by violations of the right to privacy, for example when a prospective employee is not hired on the basis of personal information shared which concerns race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.

Equality and the principle of non-discrimination may also be impacted where the sharing of personal information with governments triggers discrimination on the basis of discriminatory local laws and/or practice. In emerging markets, authoritarian governance structures often go hand in hand with a discriminatory legal environment. In these situations, information shared about employees and their political or trade union affiliation, medical conditions, family circumstances, sexual orientation, etc. may lead to the enforcement of discriminatory laws or practices against the concerned individual, thus violating the principle of non-discrimination.

Freedom of expression, Article 19 (2) ICCPR: The right to privacy is closely linked to and may impact the freedom of expression, for example, when internet providers share information about dissidents with an authoritarian government and subsequent government action leads to human rights violations.237

Freedom of association (Article 22 ICCPR, Article 8 IESCR): Further, the freedom of association may be impacted, i.e. when personal information about trade union affiliation is shared with governments, particularly when the affected individual experiences state-sanctioned discrimination and other human rights violations.238

Freedom of thought, conscience and religion (Article 18 ICCPR): If personal information is shared about the religious background of an individual, those individuals may be discriminated against either by government enforcement of discriminatory laws or societal discrimination.

Freedom of assembly (Article 21 ICCPR): The exercise of the right requires private communications and meetings, for example of dissidents organising protests against authoritarian regimes. Sharing such information with a third party may hinder the exercise of the right while impacting on the right to privacy. For example, if a company sells surveillance technologies to governments, it has to be aware that such technology may be used to spy on protestors.239

Right to physical integrity (Articles 6 and 7 ICCPR): The right to physical integrity may be impacted when, for example, personal information shared about regime dissidents leads to torture or other harm inflicted. This was alleged by one Chinese dissident having been detained after Yahoo had shared his personal information with the Chinese government.240

Further, as Chinese law does not allow more than one child, sharing information about an individual having more than one child may result in forced sterilisations thus impacting on the right to physical integrity.241 This also impacts the right to found a family as recognised in Article 23 ICCPR, Article 10 ICESCR.

Right to liberty and security (Article 9 ICCPR): For example, unlawful or arbitrary detentions resulting from the sharing of personal information about dissidents in an authoritarian regime violate the right to liberty and security.

International privacy protection frameworks

Universal Declaration of Human Rights, Article 12

International Covenant on Civil and Political Rights, Article 17

International Convention on the Protection of the Right of All Migrant Workers and Members of Their Families, Article 14

UN Convention on the Rights of the Child, Article 16

UN Guidelines for the Regulation of Computerized Personal Data Files

ILO code of practice on the protection of workers' personal data

ILO Recommendation concerning HIV/AIDS and the World of Work

ILO code of practice on HIV/AIDS and the world of work

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

APEC Privacy Framework

Regional privacy protection frameworks

Council of Europe

European Convention for the Protection of Human Rights and Fundamental Freedoms

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

1989 Council of Europe Recommendation on the protection of personal data used for employment purposes

European Union

EU 1995 Data Protection Directive

EU 2002 Directive on Privacy and Electronic Communications

International cooperation

"Safe Harbor" privacy protection framework

Madrid Resolution on International Standards on the Protection of Personal Data and Privacy

Back to top