The United Nations' Evolving Privacy Discourse and Corporate Human Rights Obligations

Kinfe Micheal Yilma
May 17, 2019


Ramifications of the Snowden revelations that laid bare mass surveillance practices of the United States and its allies have been manifold. One has been the initiation of a discourse at the United Nations (UN) on the "right to privacy in the digital age" (UN privacy discourse). This developing discussion is principally made up of a series of resolutions adopted by the UN General Assembly (UNGA) and the Human Rights Council (the Council). Between 2013 and 2018, the UNGA adopted four resolutions, and the Council adopted three follow-up resolutions.[1] As part of this, the Council installed a new mandate for the Special Rapporteur on the Right to Privacy in 2015.[2] A number of thematic reports prepared by the UN Office of High Commissioner for Human Rights (OHCHR) and UN Special Rapporteurs also form part of this emerging discourse.[3] This Insight discusses this less noticed development and highlights its interplay with the existing UN framework on "business and human rights."

Resolutions adopted as part of the UN privacy discourse present a number of novel features.[4] One is that they envision the human rights responsibilities of (internet) corporations as part of the right to privacy. This is a significant development in at least two respects. First, corporations owe no direct obligations in current international human rights law.[5] In specifying the role of (internet) businesses under the right to privacy, the resolutions cast corporations as duty bearers. Second, the resolutions concern solely the "right to privacy," meaning that the envisaged approach to corporate human rights responsibilities is "right-specific." This stands in stark contrast with the current UN framework on "business and human rights"—mainly the Ruggie Principles—which fashions corporate human rights responsibilities through what can be called a "generic" approach.[6] It is generic because the Ruggie Principles apply—at least in theory—to "all" human rights, including the right to privacy, and cover corporations of all stripes, including (internet) corporations. In practical terms, this means that the current generic approach does not consider nuances of what corporations operating in different sectors must do, or not do, to discharge their responsibilities.      

But the pursuit of a right-specific approach in the privacy resolutions invites the question of whether corporate human rights obligations in the digital context must move beyond the hitherto generic approach. As the title of the UN privacy discourse readily indicates, it considers the right to privacy and hence the role of corporations in the "digital" context. What makes this development all the more noteworthy is that the Council, working on freedom of expression on the internet, takes the same approach.[7]

Emerging Corporate Responsibilities for Privacy 

The design of corporate human rights responsibilities for privacy took place incrementally. It began with a mostly hortatory resolution recognizing the advent of corporate practices of "surveillance, interception and data collection."[8] Subsequent resolutions became more substantive in addressing the role of corporations both as agents of rights protection and of violation. This progression occurred in three steps. 

First, the resolutions acknowledge the risks posed to the right to privacy by the growing capability of internet businesses in collecting, processing, and using personal data.[9] Second, unlike the initial resolution, which merely "recalls" the human rights responsibilities of businesses under the Ruggie Principles, the latest resolutions unequivocally state that the Principles apply to the human right to privacy.[10] In view of the little attention paid to the role of (internet) corporations in the business and human rights discourse thus far, such recognition and affirmation is a significant step. Third, the resolutions call for a set of corporate responsibilities vis-à-vis the right to privacy:   

  1. They "call upon" internet businesses to inform users about the collection, use, sharing, and retention of their personal data when there are possible risks to the right to privacy.[11] This provision mirrors many data protection instruments worldwide, but is couched in vague language. It is not clear, for instance, whether the requirement includes data breach notification to users. The provision also leaves wide latitude to corporations in determining when to inform users.
  2. They "encourage" internet businesses to adopt transparency policies on government requests for user data.[12] Part of this undertaking is to reveal the extent and nature of routine requests of personal data made by law enforcement and intelligence agencies. In that sense, it does not seem to involve disclosure at an individual level. Corollary to this proviso is the "call" for states to ensure that "gag orders"—i.e. statutory or judicial orders preventing disclosure—are not unduly imposed on corporations.[13]
  3. They "encourage" internet businesses to secure their communications and adopt technical solutions towards safeguarding the right to privacy of their customers.[14] This could include end-to-end encryption, which is increasingly being implemented by internet businesses. To reinforce this provision, the resolutions further call upon states to (i) offer digital literacy training on privacy enhancing technologies and (ii) to "refrain" from measures that oblige businesses to take steps that interfere with the right to privacy in an unlawful and arbitrary manner.[15] The latter appears to aim at circumstances where States require Internet corporations to install backdoors in their products, provide encryption key escrows, or even to decrypt data.  
  4. They "call upon" internet businesses to implement administrative, technical, and physical safeguards to ensure that their data processing endeavors comply with the data protection principles of "lawful and fair processing," "use limitation" and "data security."[16] In addition, internet businesses are called upon to incorporate international privacy standards into the design of automated decision-making and machine learning technologies.[17] The latter provision essentially imports the principle of "privacy by design" enunciated in European data protection law.  

Implications for the Business and Human Rights Regime

In casting corporations as duty-bearers, the UN privacy discourse challenges the conventional wisdom in international human rights law. Specifying corporate responsibilities under the right to privacy moves past, as noted above, the generic approach that epitomizes the UN business and human rights framework. Under the current generic approach, corporations are merely called upon to respect human rights, to exercise due diligence to avoid violating rights, and when violations occur, to remedy them.[18] Thus, it leaves open the specifics of how such general responsibilities are to be discharged. Applied to the digital context, it would mean that technology companies like Google would determine what constitutes respect, due diligence, and remedy in the course of their complex data collection and processing ventures. 

Regardless of the motive behind the right-specific approach (and whether it was a deliberate move), it may have its own merits. One is that it can spell out the obligations of corporations in respecting and protecting the right in question. The nature and scope of corporate obligations under the right to (digital) privacy and the right to freedom of expression online can be different. In that sense, a right-specific approach tailors corporate obligation based on nuances of the relevant right. As the highlight in the preceding section reveals, the privacy resolutions—to a degree—specify corporate responsibilities in securing the right to privacy in the digital context. This approach not only limits the discretion of corporations in discharging their responsibilities but also simplifies the task of monitoring compliance. Compliance can be better evaluated against a clear set of obligations, as opposed to generic and malleable requirements of due diligence.   

But, it might also present challenges. In particular, it would create a fragmented approach compared with the broader UN regime on business and human rights. If the privacy resolutions (and for that matter the free speech resolutions) ultimately culminate in a treaty, and assuming the right-specific approach is maintained, we would have two disparate regimes for corporate human rights obligations since the ongoing treaty process at the Council, which seeks to translate the Ruggie Principles into a binding treaty, appears to continue with the generic approach.[19] Whether having two parallel regimes is a desirable outcome remains an open question. Institutionally, we are also facing fragmentation. The current UN framework on business and human rights has its own institutional machinery that involves a working group[20] and a multi-stakeholder forum.[21] Thus, installing a separate framework for a set of (digital) rights—so far privacy and free speech—may involve some redundancy. 

It may be that the right-specific approach is a response to the realities of the digital space that warrants a special regime of corporate human rights obligations. If that is the case, such a sector-specific regime—in line with the precedent of the privacy and free speech discourses—would need to address a broad range of rights other than the right to privacy and free speech. This would create further fragmentation. Beyond regulatory fragmentation, the existence of competing regimes may result in varying and inconsistent levels of protection between various human rights.


As this Insight has highlighted, the privacy resolutions inaugurate a novel approach to corporate responsibility for human rights. This is an ongoing initiative open to further developments, and possibly leading to a privacy treaty. The latest UNGA resolution "encourages" the Council and the OHCHR to remain "seized" of the matter and even to consider further themes such as artificial intelligence, automation, and machine learning that obviously would engage the role of internet corporations.[22] At present, corporate human rights obligations in this field are merely soft law but present important normative implications for the broader UN discourse on business and human rights that deserve closer consideration. 

About the Author: Kinfe Micheal Yilma is a lecturer at Addis Ababa University Law School and is currently completing a PhD at The University of Melbourne Law School.

[1] G.A. Res. 73/179 (Dec. 17, 2018); H.R.C. Res. 34/7 (Mar. 23, 2017).  

[2] H.R.C. Res. 28/16, The Right to Privacy in the Digital Age, ¶ 4 (Mar. 26, 2015). 

[3] See, e.g., Report of U.N. High Commissioner for Human Rights, The Right to Privacy in the Digital Age, U.N. Doc. A/HRC/39/29 (Aug. 3, 2018).

[4] For more on the novelties of the privacy discourse, see Kinfe Micheal Yilma, The "Right to Privacy in the Digital Age": Boundaries of the "New" UN Discourse, 87 Nord. J. of Int. L. 485, 494–503 (2018).

[5] Human Rights Committee, General Comment No. 31: Nature of Legal Obligation Imposed on State Parties to the Covenant, U.N. Doc. CCPR/C/21/Rev.1/Add.13, ¶ 8 (May 26, 2004). 

[6] Guiding Principles on Business and Human Rights: Implementing the United Nations "Protect, Respect and Remedy" Framework, U.N. Doc. A/HRC/RES/17/4 (June 6, 2011). 

[7] See, e.g., H.R.C. Res 38/7 (July 5, 2018).   

[8] G.A. Res. 68/167, pmble. ¶ 4 (Jan. 21, 2014).

[9] G.A. Res. 71/199, pmble. ¶ 26 (Dec. 19, 2016).

[10] See, e.g., G.A. Res. 73/179, supra note 1, ¶ 7(a). 

[11] Id. ¶ 7(b).

[12] Id.

[13] Id. ¶ 6(m).

[14] Id. ¶ 8.

[15] Id. ¶ 6(k-l).

[16] Id. ¶ 7(c).

[17] Id. ¶ 7(d).

[18] Guiding Principles on Business and Human Rights, supra note 6, parts II-III. 

[19] Elements of the Draft Legally Binding Instrument on Transnational Corporations and Other Business Enterprises with Respect to Human Rights § 3.2 (Sept. 2017).

[20] See Working Group on the Issue of Human Rights and Transnational Corporations and Other Business Enterprises, Office of the High Commissioner on Human Rights (last visited May 14, 2019).

[21] See About the UN Forum on Business and Human Rights, Office of the High Commissioner on Human Rights (last visited May 14, 2019).

[22] G.A. Res. 73/179, supra note 1, ¶ 10.