This is the first in a series of blog posts where we and a BSR member company review how business respects individual articles in the Universal Declaration of Human Rights (UDHR), 70 years after its adoption in 1948. This series has the support of the Office of the High Commissioner on Human Rights (OHCHR), but any views expressed here should not be attributed to OHCHR. This particular post, co-authored with Telenor, explores what the right to privacy means for business.
Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
When the Universal Declaration of Human Rights (UDHR) was adopted in 1948, there were around 10 million telephone lines in the world. At the time of writing this blog, there are more than 8.3 billion mobile connections (including “machine to machine” connections) and almost 5.1 billion unique mobile users. The emerging Internet of Things is expected to connect around 30 billion objects by 2020, while research group IDC estimates that the world creates 16 zettabytes (that’s 16 trillion gigabytes) of data a year today, and that this will increase ten-fold by 2025.
By any measure, the nature, scale, and complexity of the challenges companies face to respect the human right to privacy are growing substantially. They are also impacting all industries—there is not a single company in the world today untouched by the privacy challenge.
We believe there are five key elements to a business response to this challenge: distinguishing between different elements of the privacy agenda; appreciating the link between privacy and other human rights; understanding the severity of impact; adopting a privacy by design approach; and collaborating with a range of stakeholders.
First, it is important to distinguish between three related but different parts of the privacy agenda.
- Data security means having the right protections in place to protect against increasingly frequent, sophisticated, and malicious cyber-attacks, as well as guard against data breaches. This is primarily about defense.
- Consumer privacy relates to the desire to create value with the personal data shared with companies by users (such as tailored products and services), while being open and transparent about how personal data is collected and used, and providing user choice. This is primarily about policy choice, and increasingly about legal compliance as governments introduce new privacy regulations.
- Law enforcement relationships are primarily about company-to-government interactions. The interface between the business responsibility to respect human rights and the government duty to protect human rights informs how companies respond to government demands for personal data. While usually made to ensure the protection of human rights by governments, these demands in certain contexts can threaten the privacy rights of users or be made in a manner inconsistent with internationally recognized laws and standards.
Second, it is important to appreciate the link between privacy and other human rights—privacy is a gateway right in that it enables the realization of other rights. For example, if a human rights defender working in a high-risk country is a victim of hacking or has personal data wrongly shared with law enforcement agencies, then in turn this human rights defender faces far greater risks to life, liberty, and security of person (Article 3), the right to freedom of opinion and expression (Article 19), and the right to freedom of peaceful assembly and association (Article 20), among others.
Third, while privacy rights are held by everyone, some privacy violations have a more severe impact on human rights than others. For example, the privacy violation of the human rights defender in a high-risk country could have a far greater impact on human rights than, for example, a consumer receiving targeted adverts without their consent. Similarly, vulnerable populations, such as refugees, migrant labor, and children, could face far more severe consequences. While all privacy rights should be respected, a company’s human rights strategy should, in accordance with the UN Guiding Principles on Business and Human Rights, prioritize the most severe cases, and pay special attention to vulnerable populations.
Fourth, privacy by design should form an essential part of every company’s strategy to respect the human right to privacy. With privacy impacts arising through the use phase of products and services, it is essential that legal and privacy teams, research and design teams, and sales and marketing teams collaborate to fully integrate privacy during the design phase.
Fifth, multicompany and multistakeholder collaboration can substantially increase company leverage to protect the right to privacy. For example, in the information and communications technology (ICT) sector, the Global Network Initiative (GNI) brings together companies, investors, civil society organizations, and academics in a united effort to protect privacy when confronted with government demands, laws, or regulations that compromise privacy. Through shared principles, policy dialogue, and advocacy, the GNI has become an essential part of the private sector’s effort to respect the right to privacy in the ICT sector.
The nature, scale, and complexity of privacy risks have expanded greatly since 1948, and private-sector strategies for implementing respect for the human right to privacy have evolved during this time. We would like to leave readers with two key messages: first, that upheaval in a wide range of disruptive technologies—such as artificial intelligence, big data analytics, and the Internet of Things—is only going to accelerate, which means it is essential that companies adapt their business and human rights strategies to cope with this change; and second, that companies from all industries would be well served by both learning from the experience of the ICT sector so far, and by engaging proactively in a shared exploration of what is coming next.
You can read more about Telenor’s approach to privacy in its Sustainability Report and its Authority Requests Disclosure Report. Telenor’s approach is notable for the manner in which it covers both developed markets (such as Norway, Denmark, and Sweden) and emerging markets (such as Myanmar, Pakistan, and Bangladesh), as well as both the company’s own actions (such as privacy and security by design) and collaboration with other companies and stakeholders (such as the GNI).