What’s the harm in sharing company data with the government? Three recent news stories demonstrate the significant human rights risks that arise when companies share data with law enforcement agencies: Motel 6 was fined over US$7 million for sharing guest lists with U.S. immigration authorities. Bloomberg News reported that 7-Eleven Inc. had shared information with U.S. immigration that led to raids in over 100 of the company’s franchises. And in China, the Associated Press revealed that more than 200 automotive manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, and Mitsubishi, are sharing location information and other important data to government-backed monitoring centers.
There are many good reasons why companies share data with law enforcement agencies. This can include transport and logistics companies addressing human trafficking and smuggling, travel and tourism companies seeking to prevent child sexual abuse, and financial services companies tackling money laundering and the illegal funding of terrorist organizations. There are also many ways in which companies are called upon to assist with criminal investigations or with matters of public safety and national security.
However, these scenarios come with two common challenges: The first is providing appropriate assistance to law enforcement efforts that have the protection of human rights as a core purpose, while at the same time protecting the privacy rights of customers and users. Second, companies must work out how to constrain assistance to law enforcement efforts that may not have the protection of human rights as a core purpose, as can be the case in governments that don’t respect the rule of law, or that regularly violate the human rights of their citizens.
This leads me to my central theme: the public currently lacks sufficient insight into how companies are navigating these two challenges, the strategies companies and governments can deploy to enhance human rights protections, and the transparency necessary to scrutinize whether these human rights protections are being implemented.
The public currently lacks sufficient insight into ... the strategies companies and governments can deploy to enhance human rights protections and the transparency necessary to scrutinize whether these human rights protections are being implemented.
Encouragingly, the technology industry has developed practices that indicate a path forward. In 2010, Google published the world’s first law enforcement relationship report (which the company called a “transparency report”) listing the number of requests the company received from governments to restrict content or hand over user data. The report explained how relevant legal processes worked and described when and how Google chose to challenge these requests to protect their users’ rights to freedom of expression and privacy. Since then, more than 70 internet and telecommunications companies have started publishing regular law enforcement relationship reports.
While much remains to be done to ensure that data are managed appropriately, this transparency has brought three essential benefits:
- Awareness: The reports have substantially raised awareness about the complex data sharing relationships between governments and companies, resulting in higher quality public policy proposals on key human rights issues.
- Advocacy: The reports have enabled civil society organizations and human rights defenders to advocate for improved privacy protections. More strikingly, companies have used the reports to expose privacy violations committed by governments and advocate for greater human rights protections on behalf of their users.
- Accountability: The reports have provided a place for companies to explain the processes and procedures in place to respect and protect the human rights of their users, allowing them to be held accountable for their approach by civil society organizations and users. The reports have also enabled civil society organizations around the world to better understand the nature and volume of data requests made by their home governments, advocate for improved rule of law and data protections, and hold governments to account.
However, as the three cases of Motel 6, 7-Eleven Inc., and automakers in China illustrate, technology companies are not the only ones receiving requests for data and assistance from law enforcement agencies. These requests extend to companies in the transport and logistics, travel and tourism, retail, healthcare, financial services, and other sectors as well.
Indeed, with the emergence of the internet of things, facial recognition, and artificial intelligence, the amount of data collected, processed, and shared by non-technology companies is exploding. And there is no doubt that law enforcement agencies will increasingly demand access to this information. In a world of increasingly ubiquitous data, it is essential that all companies incorporate data sharing considerations into their human rights due diligence and strategies.
There is an urgent need to enhance disclosure practices across all industries that receive requests for data and assistance from law enforcement agencies.
For this reason, I believe there is an urgent need to enhance disclosure practices across all industries that receive requests for data and assistance from law enforcement agencies. By establishing the norm that all companies, regardless of sector, issue thorough, transparent, and informative law enforcement relationship reports, we increase the likelihood that personal data will be better managed by the private sector and that civil society, business, and governments are more able to hold each other accountable.