People in Saudi Arabia have the right to protect their personal data and information from the prying eyes of the government. Against a backdrop of Saudi Arabia’s ongoing human rights abuses, citizens are now facing further human rights risks with Google’s plans of establishing a Cloud region in the country. In December 2020, Google announced it will be expanding and opening a cloud center in the Kingdom. Access Now, along with 38 organizations & individuals are urging Google to immediately halt these plans until it outlines clear steps for how it intends to mitigate adverse human rights impacts.
“Establishing a Google Cloud in Saudi Arabia — a state with an atrocious track record of human rights abuses — is a dangerous plan,” said Marwa Fatafta, MENA Policy Manager at Access Now. “Ripe for exploitation, Google is handing over personal data directly into the palms of a brutal regime who has spared no effort to oppress and spy on its citizens.”
On January 26, 2021, Access Now and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) raised the alarm, and requested information from Google on the due diligence process it has carried out. In its reply, Google reiterated its commitment to human rights, stating that “an independent human rights assessment was conducted for the Google Cloud Region in Saudi Arabia,” taking all necessary steps to address matters that the groups raised. Google did not, however, specify what those steps were or whether consultations were held with potentially affected users.
With Saudi Arabia’s human rights track record, Google should uphold its human rights commitments by:
- Conducting a robust, thorough human rights due diligence process, and publishing a summary of findings, including steps it is taking to mitigate risks of adverse human rights impacts;
- Drawing red lines around what types of government requests concerning Cloud regions it will not comply with because they are inconsistent with human rights norms;
- Insulating staff from extra-legal pressure to exceed their authorized access procedures and policies;
- Preventing or mitigating risks of adverse human rights impacts and clearly communicating steps it is taking to this end before implementing plans to build cloud regions in other countries; and
- Developing baseline standards for where to host cloud services that take into account Google’s human rights responsibilities to guide expansion into new countries.
The government of Saudi Arabia has a long history of silencing activists, human and women’s rights defenders, and journalists, and violating the basic rights of its citizens through extrajudicial killings, detention and torture, and the use of spyware to track and censor. This disturbing new step by Google raises more concerns with fears that this cloud center could leverage more power to the government of Saudi Arabia in further facilitating human rights abuses.
Google and other cloud service providers — including Microsoft, who has operated in Saudi Arabian cloud centers since 2018, and Amazon Web Services (AWS), who opened its first cloud center in the region in Bahrain in 2019 — have a responsibility to protect people’s data as they expand their global cloud footprints, especially in countries where they are already at risk. It is crucial that these companies consult with human rights organizations and potentially impacted communities in order to develop baseline standards that elevate their human rights responsibilities. When expanding into new countries, Big Tech must implement the highest standards of security around user data, draw red lines around what types of government requests they will not comply with, and be prepared to push back against those that are inconsistent with human rights norms.
Read the full statement.