News

Due Diligence and Why it Matters

 

On 31 July 2018, the CCWP-HR held a special meeting to explore the concept of “Due Diligence and Why it Matters.” Several subject experts joined the conversation to present on their areas of expertise. They were:

  • Michael Samway – President of the Business and Human Rights Group and veteran tech policy advisor
  • Michele Neylon – CEO of Blacknight, Chair of the I2 Coalition, and GNSO Councillor
  • Collin Kurre – CCWP-HR Co-chair and ARTICLE 19’s lead on developing impact assessments for internet providers
  • Raphaël Beauregard-Lacroix – NCSG member and author of a recent CCWP-HR guest post on ICANN, GDPR, and human rights

The meeting drew two dozen community members from a range of stakeholder groups: commercial and non-commercial actors, registrars, registries, and even the ICANN Ombud. Topics discussed included ICANN’s human rights policy commitment, and the broader application of due diligence to the ICT sector. Speakers also presented various methodological approaches, a sample workflow, and updates on progress toward developing DNS-specific due diligence tools.

Following the guest presentations, a discussion kicked off on the UNGP concept of using leverage to encourage partners and suppliers to uphold human rights principles. Participants highlighted the need for clear context, scope, and definitions in order to ensure that ICANN upholds its human rights commitment without going beyond its limited mission and mandate.

Read minutes from the meeting here or by clicking the image below. Recordings, chat log, and other meeting notes can be found on the NCSG Wiki.

ICANN CCWP-HR - Due Diligence and Why It Matters

- August 2018

ICANN at a Crossroads: GDPR and Human Rights

The European Data Protection Board certainly has been keeping its records straight. Its 27 May statement starts with the following:

“WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003.”

All internet users have dealings with the Internet Corporation for Assigned Names and Numbers, yet the vast majority have never heard of ICANN. Responsible for deciding how the Domain Name System (DNS) is run, ICANN may be a technical standard-setting body, but its policies and activities acquire political nuances more often than not. At its core, there is a distinction between ICANN the organisation, incorporated in California, and the ICANN community, a multistakeholder group of volunteers who develop the policies that are subsequently implemented by the organisation.

Fifteen years ago, and only a few years after ICANN was established, European data protection regulators had already spotted the flaws with ICANN’s WHOIS service, a public database of registrants’ contact details. At the end of 2017, mere months before the European General Data Protection Regulation (GDPR) came into effect, ICANN had yet to devise a plan to make its WHOIS registrant database compliant. However, this is no longer the era of paltry fines for violating data protection laws, when compliance was at best facultative.

Data protection as a human right

Here it’s important to recall the diverse origins of data protection law. At the EU level, the 1995 Data Protection Directive aimed to harmonize the regulation of automated data processing in order to fulfill the EU’s goal of free movement of goods and services (see recitals 7 and 8). In parallel, data protection began to be conceived as a human right, a notion that reached a more concrete form with the Treaty of Lisbon and the 2009 European Union Charter of Fundamental Rights. Today’s GDPR, which replaces the old directive, explicitly relies on the EU’s human rights framework for its rationale (see recital 1 and following).

Unlike traditional human rights legislation, the GDPR contains concrete provisions for direct enforcement. That is, it grants entitlements to individuals against other legal persons beyond the state, i.e. companies. In addition, it contemplates hefty fines for violation (up to 4% of global annual turnover for business entities), which is not an enforcement mechanism usually associated with human rights. This stick is what triggered the compliance rush witnessed over the past year, and the numerous subscription confirmation emails received from organisations long forgotten.

The GDPR is also interesting in that it creates an extremely specific and detailed bundle of rights to the benefit of EU citizens and residents against any data controller and processor, wherever they may be located. The EU thus acted according to a highly pragmatic conceptualisation of “online jurisdiction” similar to that of the Canadian courts in the 2017 Equustek case. In this high-profile copyright infringement case, the Canadian Supreme Court ruled that Google had to delist the incriminated website from its search results on a worldwide basis, not only under the google.ca subdomain. If a full de-listing meant applying Canadian law beyond its borders, so be it (it is worth noting the order failed at the enforcement level in the US). With the GDPR, the EU adopts a similar perspective: individuals must be protected, even if it means potentially reaching out to every single data controller and processor in the world.

Extraterritoriality in cyberspace?

The application of laws based on residency, citizenship, or other non-territorial bases isn’t new. Tax law, notably from the US, is often applied in a similar way. The internet makes such an application of law even more salient, as individuals create and manage legal relationships across territories at an unprecedented scale. This can be unsettling for the “territorial” states, hence the observed trend toward extraterritoriality. States seek to have their laws apply to individuals irrespective of their physical location, particularly when dealing with internet-related issues, as a means of obtaining immediate legal effectivity. Regardless of whether GDPR’s alleged extraterritoriality is good or bad, it can be said that states, the EU, and courts will most likely favour an interpretation of “online jurisdiction” which maximizes their power and their perceived efficiency at enforcing their own laws.

An overly cynical (and factually wrong) conclusion would be that ICANN, as a non-profit California corporation, is not subject to human rights law, as it only creates legal relations between governments and individuals. This would stem from an understanding of human rights law as a solely vertical arrangement between states and individuals, which disregards how an entity like ICANN can interfere with “horizontal” human rights entitlements, like those put into place by the GDPR. Recent events show that enforcing corporate respect for human rights is not some civil society pipe dream: a German court already ruled that ICANN’s last-minute GDPR compliance plan is not quite compliant.

Human rights at ICANN, beyond the Bylaw

ICANN has found itself in a double bind: on one side, an expansive understanding of jurisdiction is gaining ground around the world; on the other, a set of human rights norms, previously constrained to treaties and the often staid world of public international law, is finding a new horizontality. The standard for personal data protection has been decidedly raised, prompting us to rethink what human rights compliance means. ICANN’s global mission is tied to the functioning of the internet, but its operations can severely interfere with individuals’ exercise of human rights, as well as the commitments of governments to uphold these rights.

Developing a high-level commitment, as ICANN did with its 2017 Human Rights Bylaw, is a first step. However, viable solutions must, at the same time, go deeper. Indeed, the operationalisation of ICANN’s human rights bylaw must pass through a refocusing of the lens, away from international treaties and into the low-level application of human rights norms at the transnational and national level. Rather than biding time before fines mandate action, the ICANN community should carry out sustained research and documentation of ICANN’s concrete interference with human rights, both existent and potential. The multistakeholder community should also put in place the necessary efforts to go beyond the mere human rights bylaw and into real compliance assessment, an ever-evolving activity that requires constant attention and monitoring.

In a 17 May letter, European commissioners asked ICANN, through its CEO, to “show leadership and demonstrate that the multi-stakeholder model actually delivers.” Be it taunting or encouraging, this challenge underscores the current need for intentional, proactive leadership from both the ICANN organisation and its community. Beyond enhancing its accountability, proactively identifying and preventing human rights violations might just prevent further debacles the next time a human rights law (not so) suddenly becomes applicable to ICANN. As California adopts its own improved data protection law, that time may come sooner than expected.

 

This guest post, contributed by NCSG Member Raphaël Beauregard-Lacroix, originally appeared on CircleID.
If you are interested in contributing a guest post to the CCWP-HR website, please contact us.

- July 2018

HRIAs in ICANN: Constructive Innovation to Benefit Society

Operationalizing ICANN’s human rights bylaw is an opportunity for the ICANN community to continue its leadership in multistakeholder innovation. Perhaps more importantly, work carried out to develop and refine tools like human rights impact assessments has the potential to generate benefits beyond the ICANN community, the DNS, and even the ICT sector. It would be myopic for the ICANN community to squander this unique opportunity for innovation.

Building on Existing Best Practices

Human rights impact assessments (HRIAs) are a systematic process to investigate, measure, and address potential and actual human rights impacts. They are increasingly used by companies and civil society alike to pinpoint issues of highest risk and concern in general, within subsidiaries, before acquisitions, or across partnerships. HRIAs are also a systematic, holistic way to mitigate risk and reputational harms by pre-emptively identifying and addressing human rights impacts of policies, products, and operations. HRIAs differ from other types of assessments, such as environmental impact assessments, in that they are rooted in international human rights frameworks.

Developing New Tools

Multistakeholder HRIAs are premised on meaningful inclusion and stakeholder engagement throughout the process, with representatives from companies and communities coming together to jointly develop and undertake impact assessments. Such a collaborative approach has the potential to achieve a more accountable process, while generating trust among participants. Multistakeholder impact assessments also overcome the perceived biases of strictly company-led HRIAs, which are often conducted internally with little consultation from civil society or affected communities, and community-led assessments, which may lack crucial information about decision-making processes.

In impact assessments, the term “communities” generally refers to groups of people living in the same locality. When applied in the ICANN context, however, the term “community” expands exponentially to encompass the entirety of Internet users, as well as other companies, academia, technical operators, and even governments. Multistakeholder HRIAs in ICANN have the potential to benefit from the differing perspectives and skill sets of these stakeholder groups, thereby resulting in an impact assessment that is potentially more comprehensive, actionable, and technically sound.

Acting on Commitments

In 2016, ICANN added the Core Value of “respecting internationally recognized human rights as required by applicable law” to its bylaws. The provision was made at the time, however, that the new human rights bylaw would remain dormant unless and until a framework of interpretation (FoI) was developed and approved by the ICANN Board. With the FoI successfully developed, the implementation of ICANN’s Human Rights Bylaw is imminent and each Supporting Organization and Advisory Committee is now responsible for “developing their own policies and frameworks to fulfill the Core Value.”

Leaders in the ICANN community should consider how tools such as multistakeholder HRIAs can be incorporated into their respective decision-making processes, lest this opportunity for proactive innovation to benefit the global public interest go to waste. The CCWP-HR remains available as a forum for related discussions moving forward.


- June 2018