Dunstan Allison-Hope, Managing Director, Advisory Services
I’ve been an advocate of corporate transparency on non-financial issues since the mid-1990s when, as a student activist, I struggled to solicit answers from companies about their climate change impacts.
Climate reporting is mainstream these days of course, thanks to investor pressure, the excellent Carbon Disclosure Project, and company experimentation with transparency.
So you can imagine my enthusiasm in more recent years when Google, Microsoft, and Twitter published law-enforcement reports, which set out the volume of demands for user data received from governments worldwide, the percentage complied with, and a narrative explaining the company’s approach.
However, these reports—which were totally voluntary and weren’t required by any global reporting standard—were sometimes met with criticism for what they didn’t show. Cynics pointed out that it was impossible to know what happened as a result of sharing user data, that we didn’t know what types of laws were being enforced, and that comparisons between companies were difficult owing to the wide variety of services offered and the vastly different markets served.
Then along comes PRISM and the furor over the big brother state. This is a huge story, covering critical issues of national security, surveillance, and privacy. Highly sensitive issues are at stake, and speculation runs wild about who may be sharing what with whom. Quite understandably and quite reasonably, we got whipped up into a collective frenzy.
Sitting quietly in the background during this time, but with an importance, credibility, and influence that would slowly emerge during the news cycle, are the company law enforcement reports. The companies diligently pointed out that the all-important FISA requests were not in fact included in the reports for legal reasons but asked the U.S. government for permission to change that. Then on Friday, the U.S. government provided approval (with some important limits), and Microsoft, Facebook, Apple, and most recently, Yahoo, immediately disclosed numbers, while Google is waiting in an attempt to secure approval for even more detailed disclosure.
For sure, there are all sorts of important issues of law, policy, and corporate responsibility still to be discussed and debated. But I’d like to take this moment to celebrate the fact that the cynics were wrong about the law-enforcement reports: In fact, the reports have come to play an absolutely critical role in shaping and informing the debate and have helped push for further disclosure from the government.
It is thanks to these voluntary disclosures by companies that we now know the true scale of PRISM (answer: much less than we feared) and that, owing to the various narratives and explanations accompanying the reports, we can have a much more informed debate about the law-enforcement process in the digital age. These insights didn’t come from government; they came from business.
There is a lesson here, too, for the future of corporate responsibility. Despite the cynics, public reporting and transparency are critical for sustainability and for the protection of human rights. Reporting has come a long way since the mid-1990s. Some of it is great and some of it is truly awful, and we still have a lot of work to do to make our reporting frameworks (GRI, SASB, and IIRC, and so on) effective. But let’s take this moment to appreciate that the value of reporting vastly outweighs the methodological shortcomings seized upon by cynics and recognize the efforts of companies like Google, Microsoft, and Twitter that have gone well beyond legal requirements to make this moment possible.
For BSR's position on companies' responsibility to balance law-enforcement requests and human rights issues, see our blog "In the Era of PRISM, ‘Knowing and Showing’ on Human Rights."