Aditi Mohapatra, Associate Director, ICT, and Dunstan Allison-Hope, Managing Director, Advisory Services, BSR

In the past week, there has been much discussion about how the U.S. government undertakes surveillance and how it uses telephone and internet communications data for law enforcement. While others have explored the important details of how this all works—great articles are available here, here, and here—at BSR, we’ve been reflecting on some of the corporate responsibility and underlying ethics issues at stake, especially as they relate to privacy, security, and law enforcement relationships. And while current press coverage focuses on the impact of the NSA revelations on the internet and telecommunications sector, companies across all industries—including healthcare, financial services, retail, and transportation—should pay attention, as they all interact with law enforcement agencies in some shape or form.

A key reference point for understanding “what good looks like” for corporate responsibility is the Guiding Principles on Business and Human Rights. Two aspects are especially relevant: the important distinction between the “state duty to protect” and the “business responsibility to respect” human rights, and the notion that companies should “know and show” their human rights impacts.

A key question in this regard is how companies interface with law enforcement agencies, given that the result of such interactions can in many instances produce positive outcomes (i.e., protect human rights through effective law enforcement) while in other instances cause harm (i.e., violate human rights when governments abuse their laws). 

As neither extreme option is tenable (always collaborate with law enforcement agencies versus never collaborate), how can companies map out a middle ground that most effectively upholds their responsibility to respect human rights? 

Given the helpful framework provided by the Guiding Principles, we believe there are two key categories of responsibility—“know” and “show”—around which companies can formulate their approach.

“Know”: The Importance of a Principled Approach

Companies—not governments—develop technologies, products, and services, and manage operations. For this reason, it is important that companies undertake human rights assessments to understand their potential human rights impacts and develop strategies accordingly. In the area of law enforcement relationships, companies would be wise to develop approaches that respect both the duty to comply with legal requirements and the responsibility to respect the human rights of their users and customers.
In doing so, there are multiple issues to consider—many of them ethically complex—including:

• Whether there is a distinction between collaboration with different forms of law enforcement, such as national security matters or egregious human rights violations on the one hand, and “day-to-day” law enforcement on the other hand.
• Whether an approach should vary by geography based on factors such as how well a government upholds its duty to protect human rights. If a company assists in country X, what are the ethics of denying similar assistance in country Y? On what principled basis may assistance be withheld? 
• Whether it is right or wrong to proactively increase the efficiency and effectiveness of law enforcement, or to make their tasks more difficult. Is it the “right” thing for a company to make the job of law enforcement easier? If it is, how can this be achieved in ways that still respect the rights of the user/customer?
• Whether, when receiving demands for assistance, the requested data is overly broad or not sufficiently tailored. How much data is too much?

“Show”: The Importance of Transparency

Transparency serves two key purposes: It is an important tool to advance the public’s understanding of the issues at stake, and it demonstrates that companies are taking their responsibility to respect human rights seriously. Transparency is especially important in circumstances, like the PRISM case, where notions of right and wrong are ethically complex and still being formed.

Several companies have made real progress by issuing “transparency” reports, including Microsoft, Google, and Twitter, and are now asking the U.S. government for permission to expand the scope of what they can disclose to include items more directly related to national security issues. The latter step—of calling for the U.S. government to take action that would increase transparency on these issues—is in itself an important act of corporate responsibility. Collectively, however, the business and human rights community can make progress in other areas too.

• Companies in the internet industry and beyond—such as banking, retail, and transportation—can experiment with their own transparency and reporting on why, how, and to what extent they work with law enforcement. 
• Global reporting guidelines, such as those provided by the Global Reporting Initiative, can develop new advice on how companies can increase their transparency on these issues. It is striking that the newly released G4 guidelines still only contain one indicator on privacy, and it is not an indicator that would cover the issues at stake in this debate.
• Governments themselves—especially given their “duty to protect human rights”—should be encouraged to produce their own transparency reports on how they protect privacy during law enforcement and what they ask of companies.

The Guiding Principles tell us that it is the state, not the company, that has the “duty to protect” human rights—therefore it is incumbent on governments to put in place transparent and fair laws and regulations that uphold all human rights. However, to fulfill their “responsibility to respect,” companies would be wise to exercise a “know and show” approach to the issues above, provide the public with a greater understanding of how they navigate this challenging space, and encourage greater transparency by governments worldwide.

To read more about BSR's perspective on PRISM and transparency, please read our blog "Take That, Cynics! As Companies Detail PRISM Involvement, Transparency Proves Its Value."