Author: Isedua Oribhabor
This guide is meant to help ICT companies think through the impacts of their decisions in the context of conflict. The ad hoc approach many tech companies have repeatedly taken in response to conflict and crisis is not sustainable. Rather than embarking on a hodgepodge of voluntary measures, tech companies must take a measured, planned, and sustained approach to addressing their particular risk and exposure to human rights abuses in conflict. This guide provides framing questions for tech companies to consider in decision-making around market entry and escalating conflict. The guiding questions are meant to kick off the process for a robust and heightened human rights due diligence, and companies should work closely with civil society and impacted at-risk communities in navigating the harms and necessary mitigations these questions surface.
Framing business conduct
Russia’s 2022 invasion of Ukraine shone a spotlight on business conduct, with companies from across sectors making voluntary moves, without the pressure of sanctions, to withdraw from Russia and Belarus. While many companies still fell short of the ideal, the war in Ukraine has become a litmus test for how quickly companies can react in situations of conflict when put under international pressure. Other conflicts around the world, from the military junta crackdown in Myanmar, to the ongoing occupation of Palestine, have illustrated the sector’s persistent failure to reach for the highest standards of responsible conduct in all cases.
The UN Guiding Principles on Business and Human Rights (UNGPs) and OECD Guidelines for Multinational Enterprises (OECD Guidelines) have set the standard for responsible business conduct, stating that companies should seek to prevent or mitigate adverse human rights impacts, including by conducting human rights due diligence. The UNGPs in particular call for enhanced measures in conflict-affected areas, with the UN Working Group on Business and Human Rights clarifying that companies should undergo heightened human rights due diligence. As the Working Group notes, “Businesses are not neutral actors… Even if [they do] not take a side in the conflict, the impact of their operations will necessarily influence conflict dynamics.” Other international documents, such as the Legally Binding Instrument to Regulate, in International Human Rights Law, the Activities of Transnational Corporations and other Business Enterprises (Draft Treaty), include provisions on corporate due diligence, with the Draft Treaty requiring states to ensure that companies adopt and implement “enhanced human rights due diligence measures to prevent human rights abuses in occupied or conflict-affected areas, including situations of occupation.” At a minimum, a heightened human rights due diligence process should:
➡ evaluate the potential and actual impact of business operations on people and communities most at risk;
➡ consider the role a company’s presence plays in the conflict; and
➡ prioritize engagement with civil society to fully understand the context in which a company is operating.
In conflict situations, the tech sector can be particularly vulnerable to capture, misuse, and abuse as a means for exacerbating conflict or providing potential tools of war. For example, Russian aggressors targeted communications infrastructure was in Ukraine, forcing communications shutdowns, while also leveraging biometric surveillance systems to track dissidents and anti-war demonstrators at home; the Myanmar military reportedly pressured telecoms to hand over user data or install surveillance systems; and warring parties in Ethiopia’s civil conflict used social media platforms to spread propaganda and misinformation, escalating violence.
When conflict begins, companies must confront the decision of whether to leave or stay. For tech companies, whatever they decide carries great weight — whether it’s to leave and risk cutting people off from essential services and tools of communication entirely, or to stay and risk enabling state repression, censorship, and other human rights abuses. In navigating these difficult decisions, companies should prioritize the needs of the people and communities most at risk, and should work closely with civil society at every step. While companies are not expected to share confidential risk assessment information, they should be prepared to publicly answer for how they’ve considered human rights in their decision-making process.
Here, we address responsible business conduct in two phases: before market entry, and when companies are already operating in the midst of conflict.
The adage that prevention is the best medicine applies to the context of responsible business conduct in conflict. The ideal time for a company to address how to operate during conflict is not after a conflict has begun, but before the company enters the market. For tech companies, entry can include physically entering a new country or region, entering into business contracts and relationships with new governments, or extending services to customers and clients in new regions. Whatever the form of entry, companies should consider the human rights and humanitarian impacts of their presence. Responsible businesses conduct risk assessments considering legal and geopolitical issues such as corruption before they enter a market, recognizing their duty to put a plan in place should these risks materialize. Human rights risks should be treated with the same attention and included as part of standard risk management processes because these assessments can reveal early warning signs of impending crises. Consultation with civil society during the risk management process is essential to providing a full picture of the context into which a company is entering.
For tech companies, the salient human rights risks to consider during risk assessments will vary based on the type of product or service the company provides. However, regardless of where on the “stack” companies lie — that is, whether they are infrastructure providers, service platforms, or offer a combination of products and services — when they enter a market, they will need to address similar human rights risks to prepare for the possibility of operating in conflict.
When companies with stronger records of respect for human rights choose to enter markets where governments have a record of grave human rights violations, they often offer the explanation that if they don’t enter the market and provide those services, another company with lower or no respect for human rights will do so. However, companies operating on this basis should ask themselves whether they will be able to provide the same level of human rights protections to people in this new market as they do in other regions. This is particularly important for companies based in countries with a strong rule of law that enter into markets with weaker rule of law and human rights standards. Everyone who relies on a company’s services deserves the same level of human rights respect, regardless of where in the world they are located.
Companies, however, should be careful not to use these risk assessments as a blanket reason to avoid providing services in a region. That could further harm already marginalized or underserved communities by forcing them to rely on insecure services. Risk assessments upon entry must be nuanced – the objective is to determine how best companies can operate in a way that serves not only business interests but the human rights interests of the communities in the region.
As tech companies consider entering new markets, we urge them to put processes in place to address potential conflict by thinking through the applicable legal frameworks of the market they are considering, the human rights record of the government and any other parties to the conflict if it is already ongoing, and the risk and mitigation options for the tech sector in the region. Further, they should consider the cost associated with implementing the mechanisms necessary to ensure a company’s infrastructure or services remain rights-respecting part of the essential startup costs for entering a new market.
Guiding questions for tech market entry
- What concerns does the export control regulator have regarding the country?
- Does the country have an existing clear regulatory framework which is grounded on international human rights standards and norms?
- Is there a regulatory framework on privacy and freedom of expression?
- Is there a regulatory framework governing law enforcement agency (LEA) requests to companies? Does it contain requirements for necessity and proportionality?
- Is there legislation limiting the rights of certain groups or communities?
- What is the perceived judicial effectiveness in the country?
- Are the judges and the courts independent and free to rule based on the law? Have there been recent threats to judicial independence?
- Do individuals in the country have the right to effective and equal access to justice and remedy in case of violations of international human rights law or international humanitarian law, including the rights to non-discrimination, participation, and inclusion?
- What is the overall human rights situation/record in that country?
- How stable are the existing administration and public institutions?
- Are there any reported issues regarding corruption of public officials and authorities?
- Are there any reports of persecution of minority or vulnerable groups and communities?
- Are there any reports of unnecessary or unlawful use of force by any government authorities or any parties to an existing conflict?
- Are there restrictions to civic space, including threats to civil society organizations?
- Have you consulted with civil society in the region to understand potential human rights risks?
- What technology are you seeking to deploy? What is its intended use as well as intended users? What are the impacts of potential misuse of the technology?
- What activities or services may be directly or indirectly linked to the armed conflict?
- How could this direct or indirect use linked to conflict potentially impact vulnerable communities?
- What is the overall state of the existing ICT infrastructure?
- Do you have a plan in place to safeguard against unwarranted and illegal law enforcement access to your customer data?
Responsible conduct during conflict
By the time conflict arises, responsible companies should already have a plan in place, informed by thorough human rights due diligence and consultation with civil society, of how to operate in a rights-respecting manner. Lack of proper preparation for conflict leads to the hodgepodge and inconsistent approach we now see in the tech sector. For example, while some online platforms responded promptly to the 2022 escalation of Russia’s invasion of Ukraine, they failed to take swift action in response to conflicts in Syria and in Myanmar.
While there is no simple answer as to whether a company should continue to operate in a particular region when conflict arises, all companies in this situation should conduct heightened human rights due diligence, evaluating the human rights and humanitarian impacts that arise from their continued presence or potential withdrawal.
Unlike the questions surrounding market entry, for tech companies, the decision to withdraw from conflict regions or continue operating relies heavily on where in the stack the company lies. An infrastructure provider withdrawing from a country could mean that people in the country are cut off from essential and secure means of communicating, whereas a social media platform continuing to operate without strengthened human rights processes may run the risk of exacerbating conflict through the spread of mis- and disinformation.
Furthermore, responsible business conduct around exit also depends on the level of exit considered. Companies contemplating a full market exit and complete wind down of their operations in a country have different human rights risks to consider than companies that may demonetize their provision of services or partially disengage in other ways.
Companies may also face regulatory pressure to exit when conflict arises. When considering whether to exit due to sanctions or other regulatory pressure, consultation with civil society is key. In some cases, this collaboration has led to civil society successfully advocating for exemptions to sanctions that allow companies to continue providing services to people and communities at risk.
In all these scenarios, how companies choose to leave or stay matters and they should be prepared to publicly communicate the steps around their decision, to the extent possible, and to demonstrate to those who rely on their services how they will ensure continued respect for human rights.
As companies make decisions about their continued operations in the midst of conflict, we urge them to consider how they may contribute to the conflict either by their continued presence or withdrawal and what safeguards they can put in place.
Guiding questions during conflict
- Do you have a plan in place on how to respond to crisis or conflict situations? Was this plan developed in consultation with civil society and affected communities?
- Have you performed a heightened human rights due diligence?
- Where in the stack do you lie? Do you provide critical infrastructure? Are there alternatives to the services you provide that are not owned or controlled by state actors or other parties to the conflict?
- What impact would your continued presence have on the conflict situation? Would your services be used to support the actors perpetrating the conflict?
- Have you taken steps to strengthen your infrastructure and services against unlawful access?
- Are you providing clear communications to your customers and users describing any limitations, restrictions, or changes in service they may experience?
- Are you able to preserve documentation of human rights abuses that can be used to hold perpetrators accountable?
- Are you publicly communicating the steps you’re taking to ensure continued respect for human rights as conflict escalates?
- Is exit the only option?
- What level of exit are you considering? Is it a temporary halt of operations or a permanent departure? Is it a full wind down of operations or limitation of services?
- What human rights impact will leaving have on your customers, employees, and others in your supply chain?
- Are there other companies that are not owned or controlled by state actors or other parties to the conflict that can provide services to your customers?
- Do you have physical infrastructure to leave behind? What is your plan for any infrastructure you leave behind?
- What are your plans for customer data?
- If you sell or transfer operations to a new service provider:
- Are there human rights clauses embedded in the relevant contracts to prevent abuse or misuse by your product?
- How will the terms of the contract be monitored for compliance and enforced?
- Have you published the results of your human rights impact assessment for wider scrutiny? And consulted your external stakeholders who may be impacted?
Resources on responsible business conduct and conflict
The following non-exhaustive resources provide a deeper dive into different facets of responsible business conduct and heightened human rights due diligence during conflict.
Navigating the surveillance technology ecosystem: A human rights due diligence guide for investors – Surveillance Tech Accountability Project