Access welcomes today’s report by the Global Network Initiative on its assessments of the three founding GNI members: Google, Microsoft, and Yahoo!. The Public Report on the Independent Assessment Process addresses how the companies in question respond to government requests “implicating freedom of expression or privacy rights” and describes the assessment of these processes against the GNI Principles. According to the report, all three companies were found to be in compliance with the Principles, as per a case review by independent assessors.
We recognize the GNI’s sector-leading efforts and note their progress in working to advance freedom of expression, privacy, and other human rights. Today’s report is another step forward for the founding companies, and towards realizing the promise of the GNI. However, we believe that significant information is still missing, and that improvements must be made before the next round of assessments.
The assessments detailed in the report represent the culmination of the GNI’s three-phase process: The first is a self-reporting stage, while the second looks at policies and procedures. This process is intended as an innovative way for diverse stakeholders to monitor corporate efforts to respect the privacy and free expression rights of users.
The Phase III assessments look at case studies of human rights risk scenarios involving government requests that the companies have received, and the implementation of the GNI Guiding Principles in those instances. The case studies are a window into some of the pressing human rights issues faced by companies on a regular basis. However, the fact that the case studies to be reviewed were proposed by the companies themselves, from a set of relevant instances known only by the companies, raises some questions about the rigor of the assessment process.
Moreover, the report notes that the assessors — KPMG, PricewaterhouseCoopers, and Foley Hoag — struggled to obtain all of the necessary information about the companies’ policies and practices. Externally, the assessors faced constraints such as legal limits on disclosure of national security related requests and user privacy considerations. Internally, the companies chose to withhold certain information by asserting attorney-client privileges and claims of protection of trade secrets (the full assessments are presented to the GNI Board, which is made up of representatives of other, competing companies).
While the legal limits on what the companies can say about national security-related requests they receive are well documented, the absence of substantial discussion on this issue in this report is a particularly critical omission, even as the GNI and its member companies have been outspoken on the issue of mass surveillance.
The GNI has made a commitment to reviewing its assessment process now that its three founding members have gone through a full cycle (and before new members begin the process). This review is an opportunity to institute a more robust process in the future. Specifically, we recommend:
- The assessors need full and unfettered access to company data and personnel, to the extent legally permitted;
- Assessor recommendations should be made public for each GNI member. The lack of detailed recommendations broken down by company makes it difficult for groups outside the GNI to hold the companies accountable;
- Non-company members of GNI should be more fully involved in the assessment process. In particular, the assessors must give greater consideration to the case studies proposed by academics, investors, and civil society stakeholders. These stakeholders should also be more fully involved in the case study selection process; and
- The companies must transparently and publicly communicate on their progress implementing the recommendations, based on a public timeline, with appropriate consequences for non-compliance.
On the final point about transparency and public timelines: The reports’ recommendations include calls for greater human rights due diligence, more granular transparency reporting, and improving stakeholder and user engagement, and promise a six month timeline for doing so. This is a welcome step. However, unless the companies publicly report the actions they are taking to address these gaps, they can’t be effectively held accountable to the recommendations. It’s also not clear what sanctions, if any, the companies may face if they fail to deliver.
Overall, we see this public report as an innovative advance toward a more transparent and accountable tech sector, and congratulate those who were involved. We look forward to working alongside the GNI and its member companies to further extend and defend the digital rights of users around the world. Access will soon release a deeper analysis of the report’s substantive recommendations to the companies.