
The GNI Principles at Work

PUBLIC REPORT ON THE THIRD CYCLE OF INDEPENDENT ASSESSMENTS OF GNI COMPANY MEMBERS 2018/2019

Global Network Initiative


Table of Contents

Executive Summary

1) Introduction

2) 2018/2019 Assessments
   Assessor Findings
      Process Review
      Case Studies
   Company Determinations
      Facebook
      Google
      Microsoft
      Millicom
      Nokia
      Orange
      Telefónica
      Telenor Group
      Telia Company
      Verizon Media
      Vodafone Group

3) Improvement Over Time

4) Lessons & Opportunities

5) Looking Ahead

Appendices
   Appendix I: Acronyms and Abbreviations
   Appendix II: Assessment Review Recommendations

Executive Summary

This is the public report on the 2018/2019 independent assessments of 11 member companies of the Global Network Initiative (GNI): Facebook, Google, Microsoft, Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company, Verizon Media, and Vodafone Group. This assessment cycle covered a two-year period, from July 1, 2016, to July 1, 2018 (“the assessment period”). However, only for this assessment cycle, the relevant period of review for Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company, and Vodafone Group spanned from their accession to GNI on March 27, 2017, to July 1, 2018.

GNI was launched in 2008. Its mission is to protect and advance freedom of expression and privacy rights in the information and communications technology (ICT) sector by setting a global standard for responsible decision making and serving as a multistakeholder voice in the face of government restrictions and demands.

GNI brings together ICT companies, civil society (including human rights and press freedom groups), academics, academic institutions, and investors from around the world to provide a framework for responsible company decision making, foster accountability by member companies, offer a safe space for shared learning, and provide a forum for collective advocacy in support of laws and policies that promote and protect freedom of expression and privacy.

A unique feature of GNI is its independent assessment process that relies on a methodology designed to allow GNI’s civil society, academic, and investor board members (non-company board members) insight into member company efforts to implement the GNI Principles on Freedom of Expression and Privacy (“the GNI Principles”). This report marks the third cycle of GNI company assessments. Based on a detailed evaluation of confidential reports prepared by independent assessors, and the querying of the assessors and member companies, GNI’s multistakeholder Board of Directors reviewed the assessments and determined that each company is making good-faith efforts to implement the GNI Principles with improvement over time.

“The assessment process strives to increase company transparency while protecting users’ rights through ample access to information.”
GARE SMITH, Foley Hoag LLP

The independent assessments were conducted according to the GNI Assessment Toolkit by assessors accredited by the GNI Board as meeting independence and competency criteria established by GNI, who then participated in mandatory assessor training. Assessors received access to information, including relevant documents in secure settings. They also had access to key company personnel, from frontline teams to senior management, and conducted a total of 125 interviews. Assessments included an examination of 86 case studies, which looked at how the companies are dealing with government requests and demands in practice. The GNI Board met four times over the course of 2019 to review the 11 company reports and engage in detailed discussion with each company and assessor before making their determinations.

The GNI assessment process is confidential by design. It allows companies to share and discuss sensitive cases of government requests with GNI’s non-company board members. It also allows internal discussion of company systems and processes to implement the GNI Principles. This report primarily presents information in aggregate or anonymized form in order to show how the companies review and respond to government requests, without disclosing confidential or otherwise legally protected information. To increase transparency with the public, this report includes some examples of case studies and assessor recommendations specific to individual companies.

This report shares the findings from the 11 company assessments. Points of shared learning and areas for future progress identified in the report include further consideration of how companies integrate the GNI Principles into their business operations, ways to enhance and expand training efforts inside companies, and developing tools and guidance on topics such as human rights due diligence (HRDD) and impact assessment.

The assessments also provide insights into the external operating environment for companies. These include ongoing state challenges and impediments to transparency, challenges around responding to government-ordered network disruptions, and the need for greater collaboration with civil society and other stakeholders to engage governments to bring their laws and policies into alignment with international human rights norms.

This cycle of assessments provides a window into how a growing number of companies from across the ICT sector are exercising their responsibility to uphold the rule of law and respect the freedom of expression and privacy rights of billions of users and customers while dealing with increasingly sophisticated government measures to assert control over online content and digital communications.

No single company can face today’s freedom of expression and privacy challenges on its own. Pushing back on efforts to suppress freedom of expression and privacy rights or limit the operating environment for rights-respecting ICT companies requires dedicated efforts by governments, regulators, companies, and other key stakeholders, including investors, academics, and civil society organizations inside and outside of GNI.

The assessment process shows how companies from different segments of the ICT sector can commit to a common set of fundamental freedom of expression and privacy principles, grounded in international human rights law and commitments to accountability, collaboration, shared learning, and public policy.

After the publication of this report, each company will communicate to the public about the outcome of its assessment.

Going forward, GNI will work to integrate insights from this assessment cycle into our wider efforts to protect and promote freedom of expression and privacy in the ICT sector. Specific steps will include:

● A complete review of the assessment process to strengthen our standards and practices for the fourth GNI assessment cycle,
● The integration of findings from the assessments into shared learning across and within constituencies, and
● Using insights from the assessment to inform and enhance GNI’s collaborative engagement with governments on freedom of expression and privacy rights.

KEY NUMBERS OF THE THIRD ASSESSMENT CYCLE

● 11 ASSESSED COMPANIES: 4 Internet companies, 6 telecommunications network operators, 1 telecommunications equipment vendor
● 12 ACCREDITED ASSESSORS: 7 assessors selected to perform assessments
● 10 COMPANY and 9 NON-COMPANY BOARD MEMBERS.1
● 125 INTERVIEWS
● 86 CASE STUDIES: 33 case studies responded to suggestions by GNI non-company members (civil society organizations, investors, and academics)

1 The GNI Governance Charter describes the composition of the board. There can be up to 10 company representatives. In cases where there are open board seats in a constituency group, the voting authority for those open seats shall be evenly distributed among representatives of that constituency group on the board.

1) Introduction

About the Global Network Initiative

This is the public report on the third cycle of the Global Network Initiative (GNI) independent company assessment process.

GNI brings together companies, civil society organizations, investors, and academics to enhance freedom of expression and privacy in the information and communications technology (ICT) sector. By committing to the GNI Principles on Freedom of Expression and Privacy (“the GNI Principles”), our members work to actively promote and facilitate responsible company decision making and serve as a multistakeholder voice in the face of government restrictions and demands. Since it was launched in 2008, GNI has helped companies improve their policies and procedures, provided a forum for shared learning, and promoted collaborative policy engagement in support of freedom of expression and privacy rights. As of December 31, 2019, GNI had 64 members from 23 countries across Africa, Asia, Europe, Latin America, North America, and the Middle East, including the companies assessed during this cycle serving billions of users worldwide. Visit GNI’s website and watch this video to learn more.

GNI IN THE ICT SECTOR ACCOUNTABILITY ECOSYSTEM

The GNI Principles are rooted in the rule of law and internationally recognized laws and standards for human rights. GNI was founded to address the gap that can arise in this system, when governments use national laws to compel ICT companies to take actions that infringe upon the freedom of expression and privacy rights of users. As a multistakeholder initiative, GNI’s core commitments complement the national laws and regulations that affect ICT sector companies, including consumer privacy and data protection regulations. In this regard, GNI should be viewed as one component of a wider ecosystem of accountability for ICT companies around the world.

About the Assessment Process

Companies participating in GNI are independently assessed periodically on their progress in implementing the GNI Principles. The purpose of the assessment is to enable the GNI Board to determine whether each member company is “making good-faith efforts to implement the GNI Principles with improvement over time” during the period covered by the assessment.2

The GNI Principles are grounded in international human rights law and informed by the corporate responsibility to respect human rights articulated in the UN Guiding Principles on Business and Human Rights (UNGPs).3 The GNI Principles state the overarching commitment of members to collaborate in the advancement of user rights to freedom of expression and privacy in the context of government demands. The GNI Implementation Guidelines provide more detailed guidance to ICT companies on how to put the GNI Principles into practice, and also provide the framework for collaboration among companies, NGOs, investors, and academics.

Commitment to the GNI Principles has had a meaningful impact on ICT companies’ practices, as reported by the Ranking Digital Rights (RDR) Corporate Accountability Index:4

“As in previous iterations of the RDR Index, the top governance scores this year all went to companies that are members of GNI, a multistakeholder organization that focuses on upholding principles of freedom of expression and privacy, primarily in relation to government requests.”
2019 RDR Corporate Accountability Index, p. 25.

An independent company assessment includes both a company process review and a review of specific case studies:

● The process review examines a company’s systems, policies, and procedures to implement the GNI Principles.
● The case studies assess a number of specific cases for each company in order to show whether and how the company implemented the GNI Principles in practice.

The 2018/2019 independent company assessment cycle included 11 companies — the largest number thus far — including telecommunications network operators and an equipment vendor.5

GNI ASSESSMENT CYCLES AT A GLANCE

| ASSESSMENT CYCLE | NUMBER OF COMPANIES ASSESSED | NUMBER OF INTERNET SERVICES COMPANIES | NUMBER OF TELECOMMUNICATIONS COMPANIES | NUMBER OF EQUIPMENT VENDORS |
|---|---|---|---|---|
| 2013/2014 | 3 | 3 | 0 | 0 |
| 2015/2016 | 5 | 5 | 0 | 0 |
| 2018/2019 | 11 | 4 | 6 | 1 |

NUMBER OF ACCREDITED ASSESSORS: 12 in 2018/2019; 5 and 7 in the two earlier cycles.

2 For the four previously assessed companies, the assessment period was from July 1, 2016, to July 1, 2018. Only for this assessment cycle, the relevant period of review for Millicom, Nokia, Orange, Telefónica, Telenor Group, Telia Company, and Vodafone Group spanned from their accession to GNI from March 27, 2017 to July 1, 2018.

3 Specifically, the GNI Principles are based on internationally recognized laws and standards for human rights, including the Universal Declaration of Human Rights (“UDHR”), the International Covenant on Civil and Political Rights (“ICCPR”), and the International Covenant on Economic, Social and Cultural Rights (“ICESCR”). The application of these Principles is informed by the UN Guiding Principles on Business and Human Rights (“UN Guiding Principles”), the ‘Protect, Respect, and Remedy’ Framework, and the OECD Guidelines for Multinational Enterprises.

4 Not all GNI member companies are ranked by Ranking Digital Rights.

Prior to the assessments, GNI developed the Assessment Toolkit, a comprehensive overview of the assessment methodology. This effort to make the assessment process more transparent and efficient is the result of revising the Assessment Guidance and Reporting Framework documents,6 processing the lessons and recommendations from past assessment cycles and studying public reporting best practices from various standards.7

Only organizations accredited by the multistakeholder GNI Board are eligible to conduct independent assessments of member companies. Accredited assessors must meet the independence and competency criteria required by GNI, which include meeting the highest professional standards and maintaining independence from the companies they assess.

In September 2018, at the outset of this assessment cycle, GNI delivered a training to all 12 accredited assessors. The training reviewed the GNI Principles and Implementation Guidelines, discussed how GNI’s assessment relates to the process of sustainability reporting assurance of some companies, and introduced the Assessment Toolkit. See the Assessment Q&A and Step-by-Step Guide to learn more.

Accountability, Transparency, and Confidentiality

The GNI Principles state: “Participants will be held accountable through a system of (a) transparency with the public and (b) independent assessment and evaluation of the implementation of these Principles.”

GNI companies have continuously innovated and improved on their commitment to public transparency. The information presented in this report supplements other publicly available information about company conduct.

The assessment process is confidential by design, involving the details of sensitive cases of government requests and confidential company systems, policies, and procedures. Strict confidentiality allows GNI Board members from civil society, academia, investors, and other companies to gain insights and provide feedback that would not otherwise be possible in an open process.

“The process of implementing the GNI Principles has helped us to strengthen the governance and internal awareness around digital rights, thus contributing to our common goal of promoting privacy and freedom of expression.”
GEERT PAEMEN, Telefónica

“The confidentiality of the assessment process — and the mutual trust it is built on — supports a completely unique and collaborative environment within the GNI. During assessments, academics like myself as well as civil society organizations and socially responsible investors engage with the thorniest challenges that our company members face in protecting user free expression and privacy. The case study section of the Assessment Toolkit gives us opportunities to dig deep into particular situations, understand the competing pressures that tech and telco companies face, and provide input in line with the GNI Implementation Guidelines. It’s challenging, even exhausting, work, but over time I think this engagement has a real impact on the tech sector’s preparedness to defend its users’ human rights.”
JESSICA FJELD, Berkman Klein Center for Internet & Society at Harvard University

This report provides a summary of the independent assessments of all 11 companies. The majority of the case studies are anonymized, and data and recommendations are aggregated to provide key learning points without compromising security and confidentiality.8 Where appropriate, some examples and cases have been attributed to specific companies.

The report also aims to provide an overview and some reflections on key developments that are influencing or impacting the ICT sector as a whole in relation to freedom of expression and privacy rights, as illustrated by this cycle of company assessments.

6 The methodology for previous assessments is described in the Assessment Guidance and Reporting Framework documents.

7 The Toolkit draws from the Global Reporting Initiative (GRI) and the UN Guiding Principles Reporting Framework. See also GNI Assessment Toolkit, p. 3.

8 For example, the GNI Principles state: “Participating companies, when implementing these Principles, will always seek to ensure the safety and liberty of company personnel who may be placed at risk.”

2) 2018/2019 Assessments

ASSESSED COMPANIES

The following GNI member companies were independently assessed during the 2018/2019 assessment cycle:

| COMPANY | TYPE | ASSESSMENTS COMPLETED | CASES REVIEWED ‘18/’19 |
|---|---|---|---|
| Facebook | Internet | 2 | 8 |
| Google | Internet | 3 | 9 |
| Microsoft | Internet | 3 | 9 |
| Millicom | Telecommunications Operator | 1 | 6 |
| Nokia | Equipment Vendor | 1 | 7 |
| Orange | Telecommunications Operator | 1 | 8 |
| Telefónica | Telecommunications Operator | 1 | 8 |
| Telenor Group | Telecommunications Operator | 1 | 7 |
| Telia Company | Telecommunications Operator | 1 | 8 |
| Verizon Media9 | Internet | 3 | 8 |
| Vodafone Group | Telecommunications Operator | 1 | 8 |

ASSESSORS

From the pool of accredited assessors, the following organizations were selected by the 11 companies to conduct the assessments described in this report:

● Deloitte Denmark10
● DNV GL
● Foley Hoag LLP
● KPMG Asesores SL
● KPMG AG (Switzerland)
● Osborne Clarke
● SSP Blue

9 In June 2017, Yahoo, a founding member of GNI, was acquired by Verizon and joined with AOL to form Oath. In January 2019, Oath re-branded as Verizon Media.

10 Deloitte Denmark worked with teams from Deloitte Spain and Deloitte Sweden to conduct the assessments.

Assessor Access to Information

As required by the Assessment Toolkit, each assessor stated in their report whether they had sufficient access to information to conduct the assessment and provided details on the nature of the information to which they had access, including documents and interviews.

For all of the assessed companies, the assessors informed the GNI Board that they had sufficient access to information to effectively conduct the assessment. When they were unable to review specific documents or access certain information due to limits on disclosure, they were able to make use of alternative approaches that were necessary to acquire sufficient information. These approaches included interviews with senior management and other relevant employees, reviewing written responses to specific questions, reading secure documents on screens of company personnel, and examining documentation of incoming government requests and outgoing company responses.

“As an assessor, we were able to really dive into how a company analyzes and handles human rights issues in their risk management processes. This gave us a sound basis for assessing their progress in implementing the GNI Principles.”
HELENA BARTON, Deloitte

11 Per the Assessment Toolkit, “GNI recognizes that legal requirements may bar companies from disclosing information that is otherwise relevant to the assessment process. GNI further recognizes that companies may not be able to disclose other relevant information to protect attorney-client privilege, to maintain user privacy, to fulfill its contractual commitments, or for competitive reasons, including to comply with antitrust laws. Each company will be required to identify to the assessor limitations on access to information, if any, with as much specificity as is practicable.”

LIMITS ON DISCLOSURE

The GNI assessments are a review by independent third-party assessors of company responses to government requests implicating freedom of expression and privacy. Both external and internal company constraints limit the information available to assessors. In addition to the concerns noted above regarding the personal safety of company employees, there are additional limits on disclosure. These limits were recognized at the time of the formation of the GNI. Specific reasons for limits on disclosure include the following:

Legal Prohibitions
There are situations where companies are legally prohibited from disclosing information. For example, in the United States, some companies face non-disclosure obligations covering National Security Letters and United States Foreign Intelligence Surveillance Act (FISA) orders.

User Privacy
Companies have legal obligations to maintain the privacy of users’ personal information as set out in their privacy policies and Terms of Service. This can affect a company’s ability to disclose information about a case, even if that case is well known and has been the subject of public reporting.

Attorney-client Privilege
These are instances where internal company information is provided to an attorney in the course of seeking legal advice, and there are limits on disclosure for both this information and the legal advice received from such attorney.

Confidential Company Information / Trade Secrets
GNI assessment reports are reviewed by the GNI Board, which includes representatives from other GNI member companies. Companies may withhold confidential information from the assessment process, whether to protect trade secrets, or out of other concerns, such as compliance with applicable antitrust and competition laws. An antitrust review is completed on the assessment reports by a law firm prior to their distribution to the GNI Board.

Assessor Findings

This section presents key findings from across the company assessment reports, noting common aspects and approaches to implementing the GNI Principles. This section also includes a set of individual cases that have been anonymized by company, and in some cases also by country. It draws directly from assessment reports presented to the GNI Board. While there are elements common to many of those reports, the reports were of varying quality, length and detail, and the board considered each report independently.

THE ROLE OF THE ASSESSOR AND THE GNI BOARD

It is the role of the GNI Board — and not the role of the independent assessor — to determine whether a company is making good-faith efforts to implement the GNI Principles with improvement over time during the assessment period. The role of the independent assessor is to provide the board with the information it needs to make this determination. The board considers the company’s record during the assessment period on implementing the GNI Principles as it makes this determination.

12 According to the GNI Independence and Competency Criteria: “For independent assessment, an important role of the assessors is to provide information on the performance of the company in implementing GNI’s Principles to GNI’s Board. This will require the assessors to provide substantive commentary on the performance of the company against GNI’s Principles and Implementation Guidelines as set out in the GNI Assessment Toolkit. It is the role of the GNI Board to determine whether a company is making good-faith efforts to implement the GNI Principles with improvement over time during the period covered by the assessment. This determination will be heavily influenced by the results of the independent assessors’ work. This will require the assessors to commit to detailed reporting to GNI’s Board as in the reporting template, in a format which will provide adequate information, analysis, conclusions, and recommendations for the GNI Board to be able to make a determination.” More information on the role of the board is provided in Section 4 of the Assessment Toolkit.

Process Review

The process review consisted of a series of questions about the systems, policies, and procedures that companies use to implement the GNI Principles. Below we report on findings common to the 11 assessed companies from each of the categories covered in the process review. The individual company determinations provide more information about unique and noteworthy aspects of each company’s approach as detailed in the assessment reports.

It is important to note that the implementation of the GNI Principles is not a one-size-fits-all exercise, and that the policies and processes examined during the assessment process are applied in a wide range of contexts, from routine matters to highly complex and sensitive situations. The summary below of common elements from the process review should be read in conjunction with the case studies, which aim to provide a sense of this wide variation across different contexts.

“As an investor that has worked with the GNI independent assessment process since its inception, I have always been painfully aware of the tension between external stakeholders’ need to know and the confidentiality of our process. We’ve made real strides in opening up the process to the outside world, and we’ll continue to do so. But it is important to understand why the integrity of the process depends upon confidentiality. It is built on a foundation of good faith and trust. Companies spend substantial time and resources to undergo this voluntary process because they see value in it. They share the details of some very difficult decisions because they respect the process and want feedback and guidance from the GNI’s multistakeholder board. It would simply be impossible to maintain this degree of trust in an open environment. Any evaluation process that seeks to promote ‘improvement over time’ must provide a safe space to discuss the hardest challenges.”
ADAM KANZER, BNP Paribas Asset Management

Governance

Each of the assessment reports described the company’s governance structures for implementing the GNI Principles. These structures vary significantly, but all included:

● A senior-directed human rights function within the company.
● The board or one of its subcommittees receiving and evaluating reports from senior management on human rights issues, including freedom of expression and privacy.
● Personnel training on freedom of expression and privacy risks, with varying approaches (see the Lessons and Opportunities Section of this report).
● Processes to evaluate and, where appropriate, escalate freedom of expression and privacy issues to higher levels in the company. For example, see Telia Company’s escalation form and Millicom’s Law Enforcement Assistance and Major Events Policy.

Due Diligence and Risk Management

Each assessment report described company processes and mechanisms to identify potential risks to freedom of expression and privacy connected to their operations, including products, markets, acquisitions and partnerships, and other business relationships. Each company had mechanisms to assess human rights impacts when due diligence identifies circumstances when freedom of expression and privacy may be jeopardized or advanced. Specific processes are discussed in greater detail below in each company determination and vary from integrating the assessment of human rights risks into broader company due diligence processes to performing specific human rights impact assessments (HRIAs). For example, see Verizon Media’s approach to HRIAs. In addition, all of the companies had processes to prevent or mitigate risks identified by due diligence processes, with differing approaches when the company does not have operational control.

Freedom of Expression and Privacy in Practice

Each assessment report described the policies and procedures that set out how the company will assess and respond to government restrictions and demands for user information. According to the reports, these processes call for:13

● Governments to follow established domestic legal processes when they are seeking to restrict communications or access personal information.
● Clear, written communications from the government that explain the legal basis for government-mandated service restrictions and government demands for personal information.
● Narrow interpretation of government requests, including regarding the requesting government’s jurisdiction, to minimize impacts on users.

The processes also addressed how the company would respond when a government fails to provide a written directive or adhere to legal procedure.14

Each assessment report described the policies and procedures a company has in place to respond to government restrictions or demands that appear overbroad,15 unlawful, or otherwise inconsistent with domestic law or procedures or international human rights laws and standards on freedom of expression or privacy. In appropriate cases and circumstances, company policies and procedures enabled them to:

● Where possible and legally permitted, keeping detailed record of all incoming government requests substantiating the legal basis for a restriction or demand, including records of verbal demands, which, in certain jurisdictions, are permitted by law in emergency situations.
● Seek clarification or modification of government restrictions or demands that appear inconsistent with domestic or international law;
● Seek assistance from relevant government authorities, international human rights bodies, or non-governmental organizations when faced with such demands; and/or
● Challenge such demands in domestic courts.16

Each assessment report also described company processes to engage with governments to encourage laws, regulations and restrictions, and demands that are consistent with international law and standards. These processes varied from company to company, but include responsibilities for government relations, regulatory or public affairs, policy teams to interact with legislators, regulators, and government officials to encourage consistency with human rights norms and that the rights to freedom of expression and privacy are respected. Examples included:

● Microsoft’s advocacy for principles for international agreements to govern law enforcement access to data and government regulation of use of facial recognition.
● Nokia’s engagement with the Finnish Foreign Ministry with regards to human rights considerations around the export of certain products to certain countries, in some cases even regardless of whether these products are subject to formal export controls. Nokia has provided several briefings with Finnish government agencies regarding its implementation of the GNI Principles, its policies and procedures to carry out human rights due diligence prior to selling its products, and other business and human rights issues.
● Telia Company’s Law Enforcement Disclosure Reporting, as well as Telia Company’s series of articles on legislative initiatives and unconventional requests, aim to provide transparency to inform debates on freedom of expression and surveillance privacy.
● Telefónica’s advocacy work around its “Manifesto for a New Digital Deal” to promote a human-centric digitalization, which has been presented in various countries to high-ranking representatives from the government, private sector, and civil society.

The assessment reports also described company engagement through industry and multistakeholder initiatives. Examples of such initiatives, aside from GNI, include the Freedom Online Coalition Advisory Network, the GSM Association (GSMA), the European Telecommunications Network Operators (ETNO), and the Reform Government Surveillance (RGS) Coalition, among others.

13 One exception to this section is Nokia, which as a vendor company does not receive government orders to restrict content and turn over user data. See the Nokia Company Determination in this report for more about this issue.

14 Per application guidance in the GNI Implementation Guidelines: “Written demands are preferable, although it is recognized that there are certain circumstances, such as where the law permits verbal demands and in emergency situations, when communications will be oral rather than written.”

15 Per application guidance in the GNI Implementation Guidelines: “Overbroad could mean, for example, where more information is restricted than would reasonably be expected based on the asserted purpose of the request.”

16 Per application guidance in the GNI Implementation Guidelines: “It is recognized that it is neither practical nor desirable for participating companies to challenge in all cases. Rather, participating companies may select cases based on a range of criteria such as the potential beneficial impact on freedom of expression and privacy, the likelihood of success, the severity of the case, cost, the representativeness of the case and whether the case is part of a larger trend.”

“With our Digital Manifesto, we are advocating for a human-centric digitalization through a modernization of our policies and with the aim to better defend people’s rights and our shared values. Improving accountability through GNI´s assessment has helped us a lot in this process, it is key for our work.”

Transparency and Engagement

Each assessment report described how companies:

●

● Microsoft’s advocacy for principles for international agreements to govern law enforcement access to data and regulation of government use of facial recognition.
● Nokia’s engagement with the Finnish Foreign Ministry with regards to human rights considerations around the export of certain products to certain countries, in some cases even regardless of whether these products are subject to formal export controls. Nokia has provided briefings with several Finnish government agencies regarding its implementation of the GNI Principles, its policies and procedures to carry out human rights due diligence prior to selling its products, and other business and human rights issues.
● Telia Company’s Law Enforcement Disclosure Reporting, as well as Telia Company’s series of articles on legislative initiatives and unconventional requests, aim to provide transparency to inform debates on freedom of expression and surveillance privacy.
● Telefónica’s advocacy work around its “Manifesto for a New Digital Deal” to promote a human-centric digitalization, which has been presented in various countries to high-ranking representatives from the government, private sector, and civil society.

The assessment reports also described company engagement through industry and multistakeholder initiatives. Examples of such initiatives, aside from GNI, include the Freedom Online Coalition Advisory Network, the GSM Association (GSMA), the European Telecommunications Network Operators (ETNO), and the Reform Government Surveillance (RGS) Coalition, among others.

Transparency and Engagement

Each assessment report described how companies:

● Communicated their general approach to addressing human rights impacts in relation to freedom of expression and privacy to shareholders and stakeholders. See the Company Determinations Section of this report for links to publicly available reports, websites, and other ways in which companies disclose this information, including:
  ▶ The generally applicable laws and policies that require the company to restrict content or communications or provide personal information to government authorities.
  ▶ The company’s policies and procedures for responding to government restrictions and demands.
● Published reports about the requests and demands that the companies receive from governments.17
● Used a variety of means to communicate internally to their employees about their commitments to freedom of expression and privacy, including the GNI Principles.
● Engaged with government officials on reforms of laws, policies, and practices that infringe on freedom of expression and privacy through a variety of means, as shown in select case examples in this report.

“With our Digital Manifesto, we are advocating for a human-centric digitalization through a modernization of our policies and with the aim to better defend people’s rights and our shared values. Improving accountability through GNI’s assessment has helped us a lot in this process, it is key for our work.”
CHRISTOPH STECK, Telefónica

Follow Up and Improvement

The GNI Board’s standard of review is whether a company is making “good-faith efforts to implement the GNI Principles with improvement over time.” See the Improvement Over Time Section of this report for an anonymized overview of recommendations presented to companies to consider, as well as actions taken by companies after considering recommendations from previous assessment cycles.

17 One exception is Nokia, which as a vendor company does not receive government orders to restrict content and turn over user data. See the Nokia Company Determination in this report for more about this issue.

Case Studies

The review of Case Studies provides a window into whether and how the companies are implementing the GNI Principles in practice. This section presents findings from the case studies in aggregate, as well as examples of cases, anonymized by country and/or company as necessary.

Over the assessment period, an individual company may receive thousands of individual government requests relating to freedom of expression or privacy. The GNI Board and the independent assessor can only review a small sample of these cases. Assessors select cases from those proposed both by GNI non-company members and by the company being assessed, according to a process described in the Assessment Toolkit.18

These case studies are intended to illustrate various aspects of each company’s processes, in practice, and to highlight particular challenges faced. The case studies reviewed do not represent a statistically significant sample of all cases handled by a given company, and therefore no inferences can be drawn about the total population of requests received by any company during the reporting period.

18 See the GNI Case Selection Guidance Summary. For more on the role of the non-company constituencies in case selection, see Section 3.2 of the Assessment Toolkit.

“Throughout the assessment process, we examined case studies discussing how companies apply the GNI Principles to respond to requests from governments to censor content, restrict access to communications services, or provide access to user data. The cases also offered important learning opportunities about the application of GNI Principles in different jurisdictions, even when the laws in place may limit transparency.”
KYUNG SIN PARK, Korea University Law School

“While examining various cases, we were sure to include cases recommended by non-company participants as well as those selected by our assessed company, and those as assessors we thought worthy of analysis. The breadth of the cases and the depth of review inspired by the GNI assessment process helped us delve deeply into the multiple challenges a company may face when protecting the right to freedom of expression and privacy in the online environment. It also allowed us to identify successes and recommended areas of improvement.”
HEMANSHU NIGAM, SSP Blue

OVERVIEW OF CASES

A single case may cover multiple topics. For example, a particular government demand may impact both the free expression and privacy rights of a company’s users. Similarly, a case may consist of a single instance or multiple sets of similar incidents. A case could also represent how a company operates in a particular environment, rather than how it responded to a specific government request. See Assessment Toolkit, p.7

CASES BY TYPE

CASES INVOLVING A SPECIFIC GOVERNMENT REQUEST: 56
CASES RELATED TO THE BROADER CONTEXT OF COMPANY OPERATIONS:19 30

CASES BY OPERATING ENVIRONMENT

The Case Selection Guidance provided by GNI non-company members highlighted threats to freedom of expression and privacy across different operating environments. These are classified as highly restrictive, semi-restrictive, and generally permissive operating environments. The assessors and companies used this guidance as part of the case selection process.

19 Cases about the broader context of company operations are about implementing the GNI Principles but are not about specific government requests and demands. They may look at how due diligence processes work in practice, company interactions with governments outside of responding to specific requests and demands, grievance mechanisms, or other topics.

[Charts. TOTAL NUMBER OF CASES REVIEWED: 86. Cases by type: specific cases concerning freedom of expression; specific cases concerning privacy; specific cases concerning freedom of expression and privacy; broader context cases concerning freedom of expression; broader context cases concerning privacy; broader context cases concerning freedom of expression and privacy; broader context cases concerning due diligence in practice; broader context cases concerning interactions with governments outside responding to specific requests; other types of broader context cases.19 Cases by operating environment: highly restrictive operating environments; semi-restrictive operating environments; generally permissive operating environments; other cases (e.g., those that are global or regional in scope).]

Examples of other types of broader context cases:
• Grievance mechanisms
• Transparency reporting about government restrictions and demands
• Updating policies and procedures
• Human rights impact assessments
• Litigation related to freedom of expression and privacy

CASES BY GEOGRAPHY

REGION | COUNTRIES20 | NUMBER OF CASES
EAST ASIA & PACIFIC | China, Indonesia, Myanmar, Thailand, Vietnam | 10
EUROPE & CENTRAL ASIA | Belarus, Denmark, Finland, France, Germany, Italy, Kazakhstan, Russia, Spain, Sweden, Turkey, United Kingdom | 31
LATIN AMERICA & CARIBBEAN | Brazil, Colombia, El Salvador, Honduras, Paraguay, Venezuela | 13
MIDDLE EAST & NORTH AFRICA | Egypt, Palestine, Saudi Arabia, United Arab Emirates | 4
NORTH AMERICA | Canada, United States of America | 4
SOUTH ASIA | India, Pakistan | 8
SUB-SAHARAN AFRICA | Cameroon, Chad, Guinea, Niger | 6

20 Some countries that were addressed in case studies are not listed here due to concerns about the safety of company personnel. In three cases, the country involved in a case study was not disclosed to the GNI Board on account of such concerns, or because the company was under a legal obligation to refrain from making such disclosure.

Case Examples

This section provides a summary of selected anonymized and non-anonymized cases from the 11 company assessment reports.


Case Study 1)

A 4G/LTE Public Safety Network for Government Use in a High-risk Country

This case examined Nokia’s human rights due diligence (HRDD) processes surrounding the sale of an LTE-based communications system to a government entity in a high-risk country.

The origins of this case lie in ongoing business development activities, which led to an opportunity to provide a private 4G/LTE network for government use, including by public safety, law enforcement and intelligence agencies in a country that Nokia classifies as a high risk for human rights.

The HRDD investigation determined that while the procuring entity and some of the end users of the public safety network would be domestic intelligence agencies (potentially raising concerns given the human rights risk profile of the country), the scope of the project would not include any sensitive products or items that would provide any additional or enhanced surveillance capabilities with regard to existing commercial networks in the country. The network requested to be supplied would be closed, used exclusively by national security-related agencies and their units, and would not be connected to any communication networks open to the public.

Based on these considerations, Nokia’s internal HRDD process issued a “go with conditions” recommendation to move forward in the potential sale. As a condition for engaging on this project, a specific signed certification would be obtained from the procuring agency confirming the nature and purpose of the network.

This case showed the advantages and the limitations of undertaking HRDD at the very beginning of the sales process. It illustrated how the company may provide communication systems and networking capabilities to governmental customers for purposes such as public safety, standard communications, smart city and railway enablement.

Case Study 2)

Advocating Against Direct Access in Finland

This case is about advocating for and promoting the rule of law, transparency, and the principles of legality, necessity, and proportionality in relation to a legislative initiative in Finland to introduce government direct access for surveillance purposes.

Starting in 2015, the Finnish Government launched three legislative initiatives to draft intelligence laws for Finland: one for civilian intelligence, one for military intelligence, and one for an Expert Group to analyze the initiatives from a Constitution and human rights perspective. In January 2018, the legislative proposal was published.

Beginning with a statement on the legislative process in 2015, Telia Finland has advocated the company’s policy that “governments should not have direct access to a company’s networks and systems. The company should retain operational and technical control.” The company has advocated this point through meetings and interactions with the Ministry of the Interior and the Ministry of Defence. Telia Finland encouraged the lawmakers to be specific and transparent and to be consistent with international laws and standards on freedom of expression and surveillance privacy. Telia Finland has also presented this point in parliamentary hearings of the Committee of Transport and Communications and the Defence Committee in the spring of 2018 and worked through industry groups such as the Finnish Federation for Communications and Teleinformatics (FiCom) and the Confederation of Finnish Industries (EK).

Telia Finland has also encouraged the Finnish Government to be transparent about the legislative initiative, promoting the rule of law, through formal written positions since 2015.

For transparency, Telia Company reported on the legislative initiative and its position in May 2018 through an article on its company website. Telia Company has also actively engaged with other stakeholders regarding direct access to identify best practices in the field.

Case Study 3)

Authority Requests in Myanmar

This case looked at how Telenor Myanmar (TML) handles authority requests with respect to privacy and freedom of expression.

In 2012, prior to entering the Myanmar market, Telenor Group commissioned BSR to conduct sustainability due diligence, in which challenges related to authority requests, privacy and freedom of expression were highlighted. The Telenor Group Manual on Authority Requests applied to TML operations from day one.

Although Myanmar’s Telecom Law gives the government the right to request confidential information, while protecting the basic rights of citizens of Myanmar, it is not clear on whether the release of confidential information requires a court order. In order to address this issue, Telenor Myanmar built a relationship with the government in Myanmar. The company engaged with responsible authorities for security and police and was able to agree on a set of requirements that would need to be in place in order for the company to respond to a request for confidential information.

As an interim arrangement, pending clearer legislation on this area, Telenor established the following requirements: First, all requests to release confidential customer information shall be sent from the police to the telecom regulator for their consent and must include an explanation of Telenor’s obligations under the license together with supporting documentation. Second, independent of the approval from the regulator, Telenor performs its own assessment of each case before deciding to release the information requested or not. A key document as part of this assessment is the First Incident Report which demonstrates that the case has been registered with a Magistrate.

In addition, Telenor Myanmar has not turned on the Lawful Interception (LI) capacity in its network until an appropriate legal framework is in place.

Telenor has successfully established and maintained robust channels of communication with the authorities, enabling it to maintain its robust policy, which builds on the GNI Principles. These channels of communications also allow Telenor to communicate international best practices as the country further develops its legislative framework.

Case Study 4)

Blocking Websites in Eastern Europe

The company received a request from a police authority to block access to a number of websites that were allegedly illegal. The company refused to block the sites and requested a judicial order. The company also brought the matter to the attention of the Ministry of Internal Affairs. The government initially launched a case against the company for not complying with the request. The court declared as null the contravention document and sanctions against the company. The court, therefore, did not say anything about the request to block. The company, however, partially objected to the decision and asked the Court of Appeal to comment on the blocking request. As of the end of the assessment period, the case had been sent back to the court of first instance and was still pending.

Case Study 5)

Call Data Records Request in Africa

Orange received demands from the national telecommunication regulator of a country in West Africa. The request was to provide access to Orange’s roaming management platform, which contains important customer data on roaming calls.

The regulator asked the company to provide all Call Detail Records (CDRs) in an effort to review and control the tax declaration of all telecommunications network operators. The regulator sent the request in a single letter that it addressed to all four operators in the country. Orange’s first response was to lobby the request recipients to pursue a common response in order to resist or otherwise respond to the demand from the government more efficiently. The request recipients sent a joint letter to the regulator in response that noted the lack of legal grounds for the demand, and that the demand was in violation of privacy provisions in national and international human rights law.

The government responded by increasing the tax burden for the operators, adding penalties for their refusal to comply with the demand. At this point, Orange alerted civil society organizations about this issue. NGOs denounced the demand on social media and via a letter to the country’s Prime Minister. In the end, the Government withdrew the demand, while the regulator asked Orange to pay a large fine for not complying. Orange paid the fine to end the case. A positive outcome from the case was that the government made a public commitment to fundamental freedoms.

This case is an example of sectoral and multistakeholder collaboration to lobby a government to change a policy. The international assistance provided by NGOs and the decision to work with other operators to respond jointly to the government demand clearly contributed to the successful outcome.

Case Study 6)

Censorship in Malaysia

This case looked at government requests to censor online content in Malaysia. Requests to block illegal content are not uncommon, in particular regarding sexual abuse imagery of children and illegal gambling sites. The challenge arises when a request is in the legal grey area or is legal under national law but that the sites requested to be censored are, for example, credible news sites. These requests raise challenging questions around freedom of expression.

This was a particular challenge in Malaysia under the former Prime Minister, who was caught up in the “1MDB” scandal. The company’s assessments of the requests were that many of the requests related to news sites that covered the scandal or were critical of government’s policies. These requests were escalated with the following assessments undertaken:

● Legal assessment — the assessment was that the authorities had the necessary legal powers to make the request.
● Human rights assessment — identifying the challenge to free speech for some of the blocked sites.
● Security assessment — no significant risk.

The result of the assessments was that the government had the legal authority to make this request. To minimize the impact, the company took actions to be transparent about which sites were censored. This case demonstrates that in cases where it is legally obliged to comply with authority requests, a company can still work to minimize negative impacts by promoting transparency.

Case Study 7)

Challenging a Gag Order in the United States

This case explored a situation in which Facebook challenged gag orders prohibiting the company from disclosing the existence of three search warrants it received seeking information regarding accounts held by people who were suspected of involvement in alleged criminal activity arising from protests associated with the presidential inauguration on January 20, 2017.

In line with the GNI Principles and Implementation Guidelines, and as disclosed in Facebook’s Information for Law Enforcement Authorities, Facebook provides notice to people who use its service of requests for their information prior to disclosure unless Facebook is prohibited by law from doing so or in exceptional circumstances, such as child exploitation cases, emergencies, or when notice would be counterproductive.

Facebook challenged the gag orders as violating its right to free speech under the First Amendment to the U.S. Constitution. Facebook challenged the gag orders before the lower court, and, when that court denied Facebook’s request, Facebook appealed the case at the District of Columbia Court of Appeals. In response to Facebook’s legal challenge to the gag orders, the government withdrew them and agreed to let the company notify the affected account holders. As part of this process, Facebook also solicited amicus curiae briefs from interested external stakeholders, including GNI company and non-company members.

This case illustrates several issues relevant to Facebook’s implementation of the GNI Principles, including the company’s efforts to challenge demands it believes to be overly broad in domestic courts and its approach to engaging with external stakeholders, including GNI members.

Case Study 8)

Content Removal Request from Russia

In 2017, the Russian government authority “Roskomnadzor,” the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, issued three requests to a company to remove content related to the same piece of content posted by a single user. All three requests explained that Roskomnadzor had determined that the content at issue contained what they alleged was child sexual abuse content. Each time, Roskomnadzor requested the removal of the specific image within 24 hours, warning that access to the company’s service would be limited if action was not taken.

Taking account of the potential that its services might be blocked, the company assessed each request against its relevant policies. Since the content at issue was an artistic image and did not depict child sexual abuse material or violate the company’s policies, no action was taken. The company sent a standard response to the requesting agency stating that it had investigated the case and taken any appropriate action consistent with its policies, and it received no further requests after it sent its reply.

This case demonstrates that even when faced with pressure to its operations, a company can take steps to follow established policies and to attempt to minimize impacts to free expression for its users.

Case Study 9)

Content Request from Europol’s EU Internet Referral Unit (“EU IRU”)

In May 2018, a company received a request from the European Internet Referral Unit (“Europol”) stating that it had detected specific pieces of terrorist content on the company’s platform that could potentially violate the company’s terms and conditions. The request included a list of specific uniform resource locators (URLs). The request was escalated given the nature of the content at issue and reviewed by appropriate personnel within the company. It was determined that the publicly available content unambiguously violated the company’s policies because it depicted content that was supporting or celebrating a terrorist organization, Islamic State of Iraq and Syria (ISIS). The company took action on the content consistent with its policies. The company then informed Europol that appropriate action was taken consistent with the company’s policies.

This case demonstrates how escalation procedures work in practice inside a company.

Case Study 10)

Data Retention in Sweden

On December 21, 2016, the European Court of Justice (ECJ) ruled that the EU Data Retention Directive did not meet human rights requirements and that requiring general data retention is not proportionate. Telia Company informed the Swedish National Regulatory Authority that it had therefore stopped retaining data according to national Swedish legislation based on the Directive. In response, a government minister, as well as prosecutors and representatives of the police, publicly demanded operators to retain data on a voluntary basis. A follow-up meeting was held with the Minister of Internal Affairs and another specific meeting with relevant authorities. In these meetings, Telia Company voiced its position not to retain data in relation to Sweden’s data retention provisions.

On December 30, 2016, Telia Sweden published a statement that said the company could not continue to retain data according to the provisions in the Swedish law implementing the EU Data Retention Directive. The statement also noted that Telia Sweden does, however, retain data according to general but limited provisions in the telecommunications legislation, so that such data is available to law enforcement according to rule of law, due process, necessity, and proportionality.

As of the end of the assessment period, the Swedish legislature was preparing changes in national law following the ECJ ruling. On January 30, 2019, Telia Sweden provided comments on the new legislative proposal, arguing that there should be no broadening of data retention; the need for transparency; the need for proportionality and necessity, including a distinction between data retention for law enforcement and data retention for commercial use; that costs for law enforcement data retention should be transparent; and, finally, the clear risk that the proposed new law will, again, be overruled. Telia consequently asked for the proposal to be reworked. This legislative proposal was logged in Telia Company’s list of unconventional requests with potentially serious impacts on the surveillance privacy of the company’s users.

Case Study 11)

Digital Fingerprint Bill in Paraguay

This case examined Millicom’s efforts as part of a multistakeholder coalition to defeat the enactment of a law that would have required telecommunications network operators in Paraguay to collect fingerprints from new and existing customers as a condition of providing them with mobile phone service.

In November 2015, a bill was introduced in the lower house of the Paraguayan Congress to “regulate the activation of mobile telephony services.” The bill would require mobile network operators to collect a full set of fingerprints from their new and existing customers. Should an operator fail for any reason to collect fingerprints from an existing customer within a year of the bill’s enactment, that operator would be required to cut off service to the customer. Other provisions of the bill would place personal liability on company officials for any failure to comply with the law.

Millicom’s in-country team met with representatives to highlight the company’s significant concerns with the proposed legislation. Millicom also worked through the local Chamber of Mobile Operators to coordinate an industry-wide effort to oppose the bill. Representatives were apparently unmoved by these efforts and continued to champion the bill in Congress.

In August 2016, the Bill rapidly advanced through both chambers of Congress and was transmitted to the President for his signature. A multi-pronged strategy was deployed to try and secure a presidential veto on this legislation, including the following actions:

● Tigo (Millicom) and the other member-companies in the Chamber of Mobile Operators mounted a publicity campaign to alert the public to the dangers of this ill-considered legislation.
● Millicom’s in-country Corporate Affairs team began an effort to brief and explain concerns regarding the proposed Bill to different government stakeholders, including the Office of the President and members of both Houses of Congress.
● Members of Millicom’s global corporate responsibility team reached out to representatives of TEDIC, Paraguay’s leading digital rights NGO, to explore how they could work together to convince the President to veto the bill.
● Millicom’s global external affairs team leveraged their relationships with key members of the international human rights community to focus the spotlight of global attention on this proposed Paraguayan measure.

The numerous efforts of Millicom and its partners to oppose the “fingerprint law” met with success on September 25, 2017, when the President vetoed the Bill. As Congress did not seek a veto override within the six-month timeframe provided by the Constitution, there is now no possibility of the Bill becoming law unless it is reintroduced.

This case demonstrated Millicom’s ongoing efforts in countries such as Paraguay to engage and dissuade legislators from advancing laws that might sound good on paper yet are flawed in practice. The case showed how Millicom leveraged the different relationships and skillsets of its in-country and corporate-level personnel in responding to the challenge posed by the Paraguayan legislation.

Case Study 12)

Emergency Request for User Data from a Western European Country

This case examined a company’s handling of an emergency government request for information of an email user in a western European country. This was part of an effort to locate and arrest an individual suspected of planning an imminent terrorist attack.

In 2018, the company received an emergency request from a law enforcement agency that has jurisdiction over major crimes in a city in western Europe. The request sought information pertaining to a specific account in order to locate and arrest an individual believed to be planning an imminent terrorist attack in that country. The request was in writing on the law enforcement agency’s official letterhead and signed by an appropriate official. It was transmitted in its original local language accompanied by an English translation. The request sought basic subscriber information for a particular account as well as additional contact information and IP logs. The request was reviewed pursuant to the company’s procedures. Finding that the request pertained to a bona fide emergency involving the potential significant loss of life, the company responded by disclosing the basic subscriber information it possessed regarding the account specified by the law enforcement agency.

This case illustrates a company’s policies and procedures for responding to emergency requests from governments. It shows the functioning of a company policy of responding to such requests with the least amount of data required to respond to the emergency. There is always a concern that governments may misuse emergency requests to obtain data from companies in situations that do not meet the stringent criteria for such emergencies. Providing the minimal amount of responsive data that is reasonably connected to the government’s objective provides an appropriate safeguard against the possibility of misuse.

Case Study 13)

Grievance Mechanism at Global and Local Level (example: Colombia)

This case illustrated how Telefónica has set up mechanisms at the global and local level to respond to human rights grievances reported by stakeholders, including those regarding privacy and freedom of expression.

Telefónica created its Responsible Business Channel in 2016, an external grievance and remedy mechanism in line with the UN Guiding Principles on Business and Human Rights. The Responsible Business Channel was complemented with a grievance and remedy mechanism at the country level to better capture local realities—implemented first as a pilot in Colombia. The objective of complementing the global with a local mechanism was to identify, manage, and remedy local human rights queries and complaints reported through any company channels.

The global Responsible Business Channel was designed as a one-stop-shop for stakeholders to consult or make complaints on human rights issues. Special attention was paid to design the Channel in accordance with requirements laid down in the UN Guiding Principles on Business and Human Rights. In 2016, the Responsible Business Channel was officially launched. Ever since, Telefónica has publicly reported the number and types of complaints it receives in its Consolidated Management Reports. In 2019, a Group Regulation about Management of the Responsible Business Channel was updated to reinforce a uniform handling of complaints across all markets.

A local level grievance and remedy mechanism was also set up by Telefónica Colombia to facilitate the filing of complaints by local stakeholders about the environment, respect to human rights, and reputation. An initial stocktaking was carried out to identify all the touch-points/communication channels the company had with customers in order to find out how human rights-related complaints could potentially be made and what procedures were followed in each case. On this basis, in 2017, a streamlined procedure was designed for receiving, processing, and resolving the complaints coming from these various channels with a view to giving a rapid and diligent response to any complaint made.


In sum:

● The Customer Service Area, which receives all types of queries and complaints, sends the complete base of all non-service-related queries and complaints to the Sustainability Department, which in turn identifies relevant grievances and classifies them accordingly in a database.
● In case the corresponding department resolves the complaint, the solution is communicated to the interested party and concluded with a negotiated resolution and remedy agreement, thus closing the case.
● In case direct negotiation with the interested party fails, the parties may use a mechanism provided for in Colombian law: a prejudicial conciliation, before considering recourse to the judiciary.

While 182 complaints on human rights issues were received in 2017 (of which 29 had high priority), 215 complaints on human rights issues were received in 2018 (of which 30 had high priority). However, in neither year was there a complaint in matters relating to privacy or freedom of expression.

Case Study 14)

Human Rights by Design

This case showed how Telefónica incorporated the evaluation of any potential human rights impact, including freedom of expression and privacy, at the outset of designing and/or marketing products and services.

In its 2017/2018 human rights impact assessment the company noted a need to consider human rights aspects when designing or developing products and services. In response, the company reviewed the different processes for the design and marketing of products and services to identify how and at what stages human rights considerations could be incorporated in these processes, as well as the types of rights that might be affected.

Following the completion of a stocktaking exercise, the company developed a “self-assessment process” that included questions related to the rights to privacy and freedom of expression, as well as the ethical use of artificial intelligence and the impact of the product or service on the environment. Several pilots were conducted with business areas of the company and finally a self-assessment tool was made available via the intranet to all employees of the company but aimed specifically at product managers.

After these pilots, the final questionnaire includes three types of impacts on:

1. The customer: With respect to simplicity, transparency and integrity of products/services offered.
2. The environment: Aspects of eco-design, waste, recycling, energy saving, and positive environmental impacts are considered.
3. Society: Assessing aspects of human rights, privacy, diversity, impact on vulnerable groups, freedom of expression and other issues that may have a negative impact when the product and/or service incorporates artificial intelligence.

Case Study 15)

Implementing Germany’s Network Enforcement Act

This case concerns Google’s implementation of Germany’s Network Enforcement Act (Netzwerkdurchsetzungsgesetz or NetzDG), which requires online companies to remove certain content within 24 hours of notification, and other content within 7 days.

NetzDG went into effect on January 1, 2018. It is arguably the most ambitious attempt by a Western state to mandate specific actions by social media platforms to remove online speech deemed illegal under domestic law. While NetzDG has encouraged accountability and transparency from large social media platforms, it also raises critical questions about freedom of expression and the potential chilling effects of legislation.

When the law was proposed, Google responded with a multi-pronged approach. Google’s internal working group included personnel from the policy, removals, law enforcement and information security, government affairs and public policy, and legal counsel teams (including outside counsel). Google publicly advocated extensively against the legislation, citing risk to freedom of expression from overblocking, due to the potential penalties for failure to meet timelines. The company engaged with key external stakeholders to make clear the impact on freedom of expression the proposed law could have. Together, human rights stakeholders succeeded in turning back a requirement of proactive filtering, as well as some other requirements.

After the law was enacted and went into effect, Google built an implementation program that was designed to address the risk of overblocking by clarifying content policy and providing additional interpretive guidelines to the removals teams. Google hired numerous reviewers and provided internal reviews around the clock, to support a meaningful assessment of whether the content reported for removal was in fact illegal.

Content removal complaints were examined the way Google analyzes removal requests from governments. Google considers whether the content violates Google’s community guidelines, whether it clearly violates a local law, and whether the content is related to a matter of public interest, such as political speech. If the content is marked for takedown, Google removes the content only in the local jurisdiction, unless it clearly violates its own community guidelines.

Google then built a mechanism to encourage reports that were more on point with the actual conduct and connected to possible violations of the law or guidelines. Google also devoted substantial training and resources so that individual removal requests could be reviewed appropriately to address freedom of expression concerns. Creating a clearly defined intake process, coupled with a specifically trained team to handle complaints, allowed Google to more efficiently identify complaints that did not involve speech that was illegal or against its guidelines.

All removals are reflected in Google’s transparency reports.

Case Study 16)

Implementing the GNI Principles within Verizon Media

This case explores how the GNI Principles were adopted within Verizon Media after Yahoo’s acquisition.

In spring 2008, Yahoo launched the first dedicated team within the industry focused on examining business impact on human rights. The Business & Human Rights Program (“BHRP”) was created to lead the company’s efforts to make responsible business decisions in the area of human rights, including free expression and privacy. Nearly a decade later in 2017, after Yahoo’s acquisition, Yahoo was joined with AOL to form Verizon Media (formerly Oath). Yahoo’s BHRP was immediately tasked with building out its Program across Verizon Media’s house of media and technology brands. The strategic approach that Yahoo established to managing human rights risk was adopted by Verizon Media and the BHRP was empowered to lead the company’s efforts to protect privacy and freedom of expression. The build-out of the BHRP across all of Verizon Media’s brands was a key priority for senior leaders within the company, with whom the Global Head of Business & Human Rights consulted on how to ensure a successful transition.

Certain early priorities were identified, including:

1. Governance and Oversight: Establishment of governance and oversight for human rights issues at Verizon Media;
2. GNI Commitments: The transfer of Yahoo’s GNI membership to Oath (now Verizon Media) and the integration of the GNI Principles across Verizon Media, including within AOL, which had not previously been a GNI member;
3. Education and Awareness: Internal education about the BHRP and its issues and also about the GNI; and
4. Internal Decision-Making: Attention to integrating the BHRP and its practice of conducting human rights due diligence and impact assessments into decision making processes within Verizon Media, including related to the integration and alignment of policies, processes, and systems.
5. Transparency Reporting: Within months of its acquisition, Verizon Media produced a new Transparency Reporting Hub containing reports on government requests for user data and content removal, as well as Tumblr’s new Copyright & Trademark report. The BHRP was enlisted to advise on ways to standardize the reports of Verizon Media’s brands Yahoo, AOL, and Tumblr and to ensure the combined reports tracked to the highest level of transparency across the different disclosures that existed previously. In addition, the BHRP published its new webpage.

After the assessment period ended, Verizon announced that the BHRP team would be further expanded to support the entire Verizon business, while also continuing to support the Verizon Media business. The decision taken by Verizon to establish the BHRP across the whole parent company demonstrates the continued and growing strategic priority given to its work.

Case Study 17)

21 Although written prior to the reporting period for this assessment, the study provides important background for understanding how TP handles shutdown requests.

Network Shutdowns in Pakistan

Some mobile network operators receive requests to shut down parts of the network or the entire network. This case illustrates how this is handled in Pakistan, where it happens fairly regularly.

In Pakistan, shutdowns have occurred fairly regularly for many years. Telenor Pakistan (TP) has worked over the years to engage with the relevant authorities to put in place processes for receiving such requests in line with local law and Telenor’s requirements (to not impose risk of significant non-proportionate limitations to human rights). Topics like the scope and duration of a request have been discussed, with a view to get requests to cover smaller areas and last for shorter periods of time. There are legitimate security concerns in the company’s dialogue with the authorities, and it has been important to acknowledge this, whilst also seeking to prevent or mitigate any adverse human rights impacts. Over the years, TP has experienced that the requests have become more targeted and surgical, covering smaller areas, shorter time periods, etc. This is believed to be in part due to the ongoing dialogue that TP has with the authorities. However, the challenge of shutdowns continues to exist.

The Institute for Human Rights and Business (IHRB) Digital Dangers Study outlines the efforts made by Telenor Pakistan to address the challenges and sets out the socio-economic impacts of shutdowns.21 This study was also included as part of the petition to the Islamabad High Court, which ruled in February 2018 that shutting down networks is illegal. The order has since been appealed against in the Supreme Court, which has suspended the order until the final disposal of the Appeal. It is not yet known when the case will be heard by the Supreme Court.

With regards to lessons learned, Telenor sees a need for continued engagement with Pakistani authorities over time. This challenge will not go away any time soon. Also, it is important that dialogue is constructive and collaborative, and not confrontational, as this may hinder progress. In the case of Pakistan, Telenor has demonstrated that the protection of employee safety is paramount, necessitating compliance with shutdown requests. Nevertheless, Telenor has successfully engaged with the relevant authorities to ensure a narrower interpretation of such requests, reducing the potential impact.

Case Study 18)

Prison “Signal Blocking” Laws in Latin America

Organized crime is a serious concern in several Latin American countries. In some cases, leaders of gangs have continued operating criminal empires from within jail cells. In recent years, governments have passed laws mandating mobile network operators to take all necessary steps to prevent their services from being accessed within prisons, imposing severe penalties for operators that fail to comply. In such cases, companies strive to ensure that the application of the law would minimize any adverse effect on the wider population.

Following initial measures to comply with these laws, the company reported that it took the following measures to minimize their impact:

● Engagement with different ministries to explain the physical impossibility of strictly complying with the laws without some adverse effect on the nearby population; and measures that could be taken to effectuate the laws’ aims while minimizing the impact on the overall population.
● Work with regulators to fine-tune its approach to implementing the signal blocking mandate. These measures reduced the affected areas to a radius of between 200 and 500 meters around the prison. The company bore the full cost of implementing these measures, including construction of new base stations.
● Collaboration with civil society organizations and affected community members to identify ways to mitigate the disruptions. These measures included installing lower-powered base stations to serve certain communities and adjusting antennas to transmit in certain directions.
● Partnerships with industry associations to engage legislators and regulators, including the development of a policy statement on the issue.

Given the significant on-the-ground presence required to provide services in a given area, companies face pressures to comply with local law in view of risks to safety of equipment and personnel. The company’s initial measures to comply with the law were a reasonable short-term means of promoting its long-term objective of providing telecommunications services in these countries in a rights-respecting manner. The materials reviewed and the interviews conducted by the assessor suggest the company did all it could to minimize the short-term disruptions in service caused by the laws. More importantly, the company almost immediately began to take measures to mitigate the unintended impact of its initial disruptive actions to comply with the law. These measures, which have required significant expenditures in equipment and personnel, speak to the depth of the company’s commitment to maximize the access to its services and minimize adverse impacts on its customers.

Case Study 19)

Request to Remove LGBT Applications in Asia

This case concerns an Asian government’s request to a company to remove 65 lesbian, gay, bisexual, and transgender (LGBT)-related applications, including dating services, from its application platform.

The company’s review identified that the request to remove the LGBT apps came with a threat of police actions and potential blocks on the company from operating in the country. The company sought a way to navigate this without putting local employees at risk and avoiding a situation where its app platform would be blocked.

The company broke its review into categories of response before making an individual decision on each app that the government had complained about. They first considered individually whether any of the apps violated any developer content policies or terms of use. Second, the company examined whether any content in any of the apps that the government was concerned about, directly violated the local laws. Third, the company considered whether any identified issues, such as obscenity, were correctable by the app developer. Fourth, the company considered what impact the removal could have on human rights. Since these apps were focused on connecting the LGBT community, the company identified freedom of expression and association as key issues at stake.

Several apps contained content that was in violation of the company’s own policies, or the non-discriminatory application of the local obscenity laws. The company asked for the removal of such content. Where the apps as a whole were clearly in violation of local obscenity laws and could not be corrected, they were removed from the app platform. The company sought clarification from the government on the request for the remainder of the apps.

In responding to what could have been a mass blockage of apps that allowed members of the LGBT community to connect and associate, the company took a balanced and restrictive response approach, where most decisions favored keeping the apps available. In this case, despite raid and shut down pressures from the government, the company identified a balanced process that removed those apps that were in fact violating the company’s own policies, while leaving up the rest, pending further information from the government that would warrant removal.

Case Study 20)

Responding to Blocking Orders in Eastern Europe

In 2017, Orange’s local CEO received a request from the police to block access to a defined list of websites that were allegedly used to sell drugs.

This request was received by the local CEO in late 2017, who notified the CSR manager for Europe and local and Group legal departments. Their examination concluded that local law did not expressly state the obligation of an operator to block access to web resources based on inquiries from law enforcement agencies. This case involved several local laws which provided some legal grounds for the request but blocking was open to interpretation by the company.

Orange based its evaluation of the request on the GNI Principle that “restrictions should be consistent with international human rights laws or standards, the rule of law, and be necessary and proportionate for the relevant purpose.” In this case, the company found the purpose of fighting the drug sales to be relevant and partly proportionate. Orange complied with the request. Visitors to the blocked sites, categorized as “harmful”, were informed that access to them was restricted. This provides notice and transparency to users.

Case Study 21)

Standard Location Tracking in an Extreme Risk Country

This case evaluated Nokia’s handling of a potential sale of 3rd Generation Partnership Project (3GPP) standards-compliant equipment to geolocate cell phone users to a nongovernmental private entity in an extreme risk country.

This case arose out of a request for proposals (RFP) issued by a nongovernmental private entity operating in a country Nokia considers to be an extreme risk for human rights. Under 3GPP standards, such a solution may be used to very precisely locate a user in case of emergencies, either when the user calls out the local emergency access number, or for purposes of sending an emergency alert to all mobile subscribers in a certain geography.

The 3GPP compliant use case is related to emergency services, such as disaster alerts, or targeted advertising, with no real-time user information storage. The authority request was to integrate this solution with a surveillance system provided by a third party, and to provide a historical database on user information for authority use. The investigation focused on the nonstandard request on the development & implementation of a LI authority application with access to the historical database.

The creation of a historical database with an integrated interface to authorities would have enabled unlimited access to subscriber data with an undefined scope of governmental agencies in the target country, thus negating the principles of necessity, proportionality, or legality on end-user use of data. Furthermore, no standard LI authority solutions would have been used, only standard database creation with normal systems integration and interface creation — making this case an excellent example of the “dual use” dilemma, highlighting the importance to focus on the intended use of technology, instead of monitoring single product items.

In view of these findings, and especially given the scope of the human rights risks associated with the indefinite storage of cell phone geolocation information, Nokia’s internal HRDD process unilaterally concluded a “NO GO” recommendation with regard to this potential transaction. Nokia notified the potential customer for this transaction that Nokia concluded it could not provide it with this particular set of solutions at this time.

This case illustrated how Nokia’s HRDD processes focused on examining the risks to human rights by the particular use to which standards-compliant communications technologies with important public safety functions are to be used, rather than focusing on the nature of the technology itself. It also shows how Nokia assessed whether the legal regime in a given country was consistent with international human rights standards and norms in determining the level of human rights risk that a particular proposed transaction poses.

Case Study 22)

Whether to Provide a Standard Platform Switch in an Extreme Risk Country

This case showed how Nokia’s human rights due diligence process evaluated a request from a non-governmental private entity in a country Nokia considers to be an extreme risk for human rights. The case illustrated the company’s HRDD approach in the “dual use” context — evaluating the human rights risks from products that are not specifically designed for interception purposes, but whose communications capacities are nonetheless susceptible to being misused by governments to engage in unlawful surveillance.

The case arose out of a request from a non-governmental private entity to purchase a standard high-speed, high-capacity local access network (LAN) platform switch. This is a piece of networking equipment of the sort that Nokia routinely sells to its telecommunications customers around the world. Due diligence revealed that the switch would function as a data aggregator to push all aggregated Internet traffic data onto the local lawful interception server.

Given the request for unlimited and undefined authority access to subscriber data, it would not have been possible at all to ensure the principles of necessity, proportionality or legality, nor ensure any transparency on the use of intercepted data. Furthermore, no standard LI authority solutions would have been used, but only standard broadband products, again highlighting the importance to focus on the intended use of technology, instead of monitoring single product items. Through Nokia’s HRDD process, Nokia unilaterally concluded this was a “NO GO” and the company declined to proceed.

This case illustrated the functioning of Nokia’s internal HRDD processes, particularly regarding the emphasis the company places on determining the uses to which a particular product will be put in evaluating the level of potential human rights risk posed by the sale.

Company Determinations

After a detailed review of the confidential assessment reports and discussions with the companies and assessors, the multistakeholder GNI Board made its determination for each company. A finding of compliance indicates that the GNI Board determined that during the assessment period, the company made good-faith efforts to implement the GNI Principles with improvement over time.

UNDERSTANDING THE GNI BOARD REVIEW AND DETERMINATION

In preparation for the review of 11 company assessments, more than twice as many as in any previous assessment cycle, the GNI Board aimed to ensure that the review process was both as manageable and as meaningful as possible. Highlights include:

Multiple Assessment Review Meetings: Rather than attempting to review all of the company assessments during one meeting, the GNI Board dedicated three board meetings for assessment review, a full day at each in March, June, and October 2019, as well as a portion of a day in November.

Presentation and Q&A: For each review, assessor and company presentations to the GNI Board were followed by Q&A for a minimum of one hour. This was followed by separate Q&A and additional discussion between the GNI Board and the company.

Study Groups and Questions: The non-company constituencies of the GNI Board formed study groups to focus their review of each company assessment. Study groups met in advance of the review meeting and prepared questions that were shared with the company, assessor, and the rest of the GNI Board shortly before each assessment review meeting. Many of these questions were addressed during the question and answer period at the board meeting.

Voting Process: The board’s determination is subject to a super-majority vote, which is defined as two-thirds of the full board and at least 50 percent of each constituent group. As few as two negative votes in the NGO constituency, or three negative votes in the investor or academic constituency, results in a finding of non-compliance. This did not occur during this assessment cycle. The company undergoing assessment is recused from the vote.

“The non-company members of the GNI play a critical role in ensuring the integrity of the regular company assessment process. Working with our global network of member organizations, the non-company board members identify specific cases for review that highlight key challenges and illuminate company progress in implementing GNI commitments. Prior to our formal board session, the non-company board members meet in study sessions to review company assessment reports, which help to focus and frame our engagement with companies and their assessors during the formal board review session. During the formal board session, the non-company board members surface recommendations for improvement, as well as priorities for the GNI Learning and Policy committees, which form an important part of GNI’s agendas moving forward.”
MEG ROGGENSACK, Georgetown University Law Center

The following section provides the determination for each company as well as a summary of information that can be made public from the company’s assessment report. For each company, the description of its operations, products, and services under “The Company” is provided by the assessed company. As described in the Assessment Toolkit, each company decided whether they or the assessor would draft the initial response to the questions, with certain exceptions.22

[Figure: Framework and Methodology documents: GNI Principles; Implementation Guidelines; Assessment Toolkit; Process Review Questions; Case Study Template; Relevant Excerpts from Governance Charter and Accountability, Policy and Learning Framework; Mapping the GNI Principles to Implementation Guidelines; 2015/2016 Public Assessment Report; Assessment Q&A]

22 For the Process Review, Section 1 (Context of Assessment) and Section 6 (Follow Up and Improvement) must be drafted by the assessor. For the case studies, Section 4 (Assessor Comments) should be drafted by the assessor. When companies drafted the initial responses, the role of the assessor was to review and verify these answers, for example by asking additional questions and requesting additional verifications.

Facebook

The GNI Board conducted its second assessment review of Facebook and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Facebook, incorporated in 2004, is a global technology company with a mission to give people the power to build community and bring the world closer together. Building on the social network platform of the same name, Facebook has acquired other companies in the past and now also offers web and mobile-based messaging services and a dedicated image/video-sharing platform. Total revenues amounted to $55.838 billion for the financial year ending in December 2018 (“FY 2018”).

As described in Facebook’s annual report, Facebook currently offers services to users through five brands with relevance to the scope of this assessment: Facebook, the company’s namesake social media platform; Messenger, a messaging platform fully integrated with the Facebook graph; WhatsApp, an end-to-end encrypted messaging service; Instagram, a photo and video-centric social media platform; and Oculus, a virtual reality company.

Facebook’s products are generally available worldwide unless a government actively blocks the service.

Governance

On a day-to-day basis, implementation of the GNI Principles at Facebook is primarily the responsibility of a dedicated Human Rights team. Since Facebook’s last GNI assessment cycle in 2015/2016, Facebook’s corporate structure has fully integrated Instagram and WhatsApp, with the same structure exercising primary oversight of the Facebook implementation of the GNI Principles across the company’s products.

Due Diligence and Risk Management

All new or substantial changes to product features or proposed uses of user data must go through a systematic review for potential privacy impacts. Similarly, the Content Policy team evaluates changes to policies that may implicate freedom of expression. The Human Rights team is involved in both of these processes, which serve as formal mechanisms for conducting human rights due diligence in line with the GNI Principles and Implementation Guidelines and the UN Guiding Principles on Business and Human Rights.

Where this initial due diligence raises significant new human rights concerns, Facebook’s Human Rights team may conduct a more in-depth human rights impact assessment (HRIA). The company noted that this most often occurs in the case of creating a physical presence in a new country, launching a major new product or service, substantially modifying policies or practices related to freedom of expression or privacy, or when it becomes aware of information suggesting that Facebook’s platform is posing novel human rights impacts in a specific country.

Facebook conducted a number of HRIAs during the assessment period, including an independent HRIA on its impacts in Myanmar, which it published in full.

Freedom of Expression and Privacy in Practice

Facebook has detailed policies and procedures — informed by the GNI Principles — for responding to government requests related to both disclosure of user data and content restrictions.

The company publishes key elements of their process for responding to government requests for user data in the Information for Law Enforcement page on its website. Instagram and WhatsApp offer similar information with differences arising from the characteristics of each product and the types of information they collect, use, and store.

Transparency and Engagement Facebook informs its community of stakeholders of its approach to human rights issues, via a dedicated Stakeholder Engagement team, regular updates on the Facebook Newsroom covering relevant freedom of expression and privacy issues, publicly available policy documents such as the Community Standards, and a biannual Transparency Report, detailing its process for responding to government requests to remove or restrict content. Additional information on applicable policies, procedures, and legal obligations related to freedom of expression and privacy is disclosed in the Community Standards and Instagram Community Guidelines; in the Information for Law Enforcement Authorities for Facebook, Instagram, and WhatsApp; and in the information accompanying Facebook’s biannual Transparency Report.

As specified in the company’s Law Enforcement Guidelines, Facebook’s policy is to “notify people who use Facebook’s service of requests for their information prior to disclosure, unless Facebook is prohibited by law from doing so or in exceptional circumstances, such as child exploitation cases, emergencies or when notice would be counterproductive.” Facebook will also provide delayed notice upon expiration of a specific non-disclosure period in a court order and where they have a good-faith belief that exceptional circumstances no longer exist, and the company is not otherwise prohibited by law from doing so.

As stated in the company’s Transparency Report, Facebook also provides notice to users whose content is restricted on the basis of local law in response to government requests, as well as to users who attempt to view such content, except where such notice is legally prohibited or where technical constraints prevent it from doing so.

For general privacy-related grievances, privacy policies for Facebook, Instagram, and WhatsApp provide information on how to directly contact Facebook’s Global Privacy Team, and, if applicable in a user’s jurisdiction, Facebook’s designated Data Protection Officer and the relevant Data Protection Authority.

For decisions made to remove content under Facebook’s Community Standards, including actions that are taken on the basis of reports made by governments, Facebook offers an in-product appeals process.23

Follow Up and Improvement The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. Since the last assessment, the assessor reported that Facebook has strengthened its systematic review of both privacy and freedom of expression.

During the previous assessment, the assessor made recommendations in nine areas for Facebook to consider. The assessor noted that actions taken by the company have fully addressed three of these areas. In the case of five recommendations, Facebook has taken actions to address the recommendation and the assessor has recommended additional follow up in specific areas. In one recommendation, Facebook has made a number of changes based on the recommendation but has chosen not to implement one aspect due to a difference of views regarding the impact that adopting the recommendation could have on user rights.

23 At the time of writing Facebook was in the process of launching an Oversight Board to provide for further independent review and serve as a remedy mechanism for user grievances related to content removal.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. One example of an assessor recommendation to Facebook is to take additional steps to specifically address the way safeguards for privacy and are implemented with regards to third party relationships.

Google

The GNI Board conducted its third assessment of Google and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company Google’s mission is to organize the world’s information and make it universally accessible and useful. Google’s goal to “develop services that significantly improve the lives of as many people as possible,” is guided by internationally recognized human rights standards.

Google’s core products and platforms such as Android, Chrome, Gmail, Google Drive, Google Maps, Google Play, Search, and YouTube each have over one billion monthly active users. In addition to consumer software products and platforms, Google has an enterprise-oriented cloud business, and a hardware devices business. As of September 30, 2019, Google had 114,096 employees. A global company, Google’s headquarters is located in Mountain View, California, and it has 70 offices around the world, including in Africa, Asia, Europe, North America, and South America.

Google is a subsidiary of Alphabet Inc.

Governance Senior management oversees the implementation of the GNI Principles at Google and provides quarterly updates to the Board of Directors on relevant issues. The company has implemented an intricate network of personnel designed around product, jurisdiction, and functional areas who are responsible for the day-to-day operations of protecting user rights of freedom of expression and privacy. This network is best described as a matrix that has direct oversight by senior personnel and is supported by a global human rights policy lead. The matrix includes: dedicated teams, to review and process government requests for user data and content removal or restrictions; counsel, who are assigned to specific products and regions and provide support on legal and policy issues; and policy experts, assigned to products, countries, and functional areas, who identify and address implications and risks to freedom of expression and privacy of Google operations.

Due Diligence and Risk Management Google has product-specific counsel embedded with product teams who are part of the development of any new products or features. These product counsel serve as the initial eyes and ears for raising potential risks to freedom of expression or privacy. Product and regional counsel, in coordination with subject-matter and regional experts among the policy staff, assess jurisdiction-based risks to freedom of expression and privacy. This includes review with local outside counsel who are experts in the applicable law in a jurisdiction, including the strength of the domestic legal system with regard to addressing user privacy and freedom of expression.

Google takes a multi-pronged approach to mitigate risks that are identified during any due diligence on an ongoing basis, for example balancing jurisdiction-specific restrictions and global availability. Google uses multiple teams from policy, law enforcement, content removal, government affairs, public policy, outside counsel, and centers of excellence when making mitigation decisions on matters impacting privacy and freedom of expression.

Freedom of Expression and Privacy in Practice At Google, a dedicated team designs, implements, oversees, and revises the policies for responding to government requests for user information. Other dedicated teams have the same role for removals from YouTube, and products other than YouTube.

Governments are required to follow established legal processes in their home jurisdictions. Google assesses the legal validity of the request, both in terms of the authority of the issuing entity, and the application of the relevant local law. It is Google’s policy to object or return the request if these requirements are not met.

Google evaluates requests against human rights standards, and takes several measures to narrow requests, consistent with the GNI Principles. First, it carefully examines the domestic law cited to assess its specific requirements and application to the particular data access or removal requested. If the law is ambiguous, Google may interpret it in a narrow manner to avoid or restrict the government request. Next, its practice is to apply domestic law only to content and data within the scope of the issuing jurisdiction.

At the granular level, when provided unclear government removal requests, where possible, Google reaches out to the relevant government entity to seek clarification on how the content is violating local laws, where the content is exactly located (i.e., specific URLs), and exactly which portion of the content in question is alleged to be infringing the relevant regulations/restrictions. Similarly, for data access requests, Google may reach out to a government submitter to see if an overbroad or vague request can be cured by narrowing and focusing the request to enable compliance under Google standards.

The company assesses the risks of individual jurisdictions in determining where data is physically collected, stored, and retained. Related to this, Google considers similar risks in determining the jurisdictional footprint of particular products. The company may vary the nature of data collected or processed in particular jurisdictions based on these risks. The company also uses encryption, and limits on internal access, to mitigate risks to data that is collected and stored.

Transparency and Engagement The Google Transparency Report outlines the company’s approach to government removal and user data requests and discloses the company’s response to requests. The report covers numerous areas where government conduct may impact freedom of expression or privacy that contain significant amounts of information deserving of a careful review by the public, policy makers, and civil society. In addition, company executives and staff issue public blog posts and testify on freedom of expression and privacy issues globally. Individual products provide their own statements of values (e.g., YouTube four freedoms; Blogger content policy). The company has a page dedicated to its human rights commitment as part of its “About” page. Finally, company representatives also meet regularly with regulators and NGOs on these issues, and conduct ESG investor calls.

Google’s Privacy Policy clearly delineates what information is collected and how it is used, shared, or disclosed. The Privacy Policy covers all products and where specific changes exist, the policies make note of that for the user. In addition, the Data Transparency project provides detailed information on data collected.

Google provides information on laws and policies that may require the company to restrict or disclose content or communications through multiple channels such as the Google Transparency Report, Community Guidelines, Privacy Policy, Terms of Service and legal removals page.

Google makes its Privacy Policy, Community Guidelines, and Data Transparency pages publicly available. In addition, the Google Transparency Report provides further information on its policies and procedures.

Google’s practice is to notify users when content is removed due to a government request by emailing the user and by placing a notice where the content used to be, informing any visitors of the same. Google will send these removal notices to Lumen, a content removal transparency project of the Berkman Klein Center at Harvard University.

Where data is disclosed to a government agency pursuant to legal process, Google will notify the user whose data was disclosed, unless it is specifically and clearly restricted by law from doing so. For requests from governments outside the U.S., this is generally limited to civil/administrative requests, due to secrecy laws.

Users are provided the ability to appeal removal of their content; see, e.g. Blogger removals, YouTube removals. Google keeps internal records of each appeal and the decision made. These notes are also used to better inform future decisions and retrain removal teams where needed.

Follow Up and Improvement The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles as well as recommended areas of improvement. A strength for Google is that the company has a creative and fluid approach to promoting the protection of freedom of expression and privacy, with multi-disciplinary, cross-functional teams considering human rights from local and global perspectives.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement.

Microsoft

The GNI Board conducted its third assessment review of Microsoft and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company Microsoft is a global company that provides software, hardware, and cloud products and services to both enterprise and consumer customers. Its mission is to empower every person and organization on the planet to achieve more. The company employs some 135,000 personnel worldwide and operates subsidiaries in 131 countries. Its products and services range from the Windows operating system to the Azure cloud computing platform to the Surface line of tablet, laptop, and desktop computers.

This assessment focuses primarily on the impacts of Microsoft’s consumer cloud services on the rights to freedom of expression and privacy. Examples of such services include Microsoft’s Bing search engine, its LinkedIn professional social networking service, its Skype VOIP communications platform, its free Outlook.com webmail service, and its Windows Store, among others.

Governance Microsoft’s Board of Directors provides strategic oversight of the company’s commitments, including to respect human rights, and the Regulatory and Public Policy Committee has primary oversight over GNI implementation. Day-to-day oversight of implementation of the GNI Principles is the responsibility of the VP and Deputy General Counsel who leads the human rights team within the Corporate, External and Legal Affairs (CELA) Department.

Microsoft’s policy commitment to GNI is embodied in its public facing Global Human Rights Statement. Each business group is supported by a dedicated CELA team that provides frontline support on the full range of legal and public policy issues encountered in the development and delivery of products and services.

Due Diligence and Risk Management Microsoft has due diligence processes to identify potential risks to the rights to privacy and freedom of expression that might arise from its business activities. The relationship between the company’s business groups and the frontline CELA team that provides legal and public policy support is key to this process. Frontline personnel within each of its business groups who are most likely to encounter such issues identify and promptly report them to the CELA frontline team supporting them. Microsoft prioritizes among freedom of expression and privacy issues identified via due diligence based on salience, or in the case of positive impacts, its evaluation of where the potential to advance human rights is at its greatest.

Microsoft decides whether an HRIA is required based on the nature of the identified risks. These include the nature of the product or service under development, categories and quantities of data the service would require or generate, as well as the legal frameworks and human rights practices of the jurisdiction in question. Microsoft conducts HRIAs in-house, and also engages external experts to assist as warranted by the nature of the exercise.

Microsoft mitigates freedom of expression and privacy risks through a variety of means. This could involve design or other mitigation measures in the features or capabilities of a product, or in other cases adjusting or adapting the services or features offered in a given geography.

Freedom of Expression and Privacy in Practice For government demands to restrict content, Microsoft requires a lawfully authorized legal order in writing (unless the applicable law allows oral orders) that is legally binding on Microsoft and complies with the rule of law. Microsoft attempts to comply with orders in a way that minimizes the impact on freedom of expression and provides information to users regarding generally applicable laws or legal demands requiring restrictions on content, and on Microsoft policies for responding to such demands. The CELA law enforcement and national security team, and an analogous team at LinkedIn, is responsible for government requests for user data. Under the policy for handling such requests, Microsoft does not provide governments with direct and unfettered access to customers’ data. Microsoft only pulls and then provides the specific data mandated by the relevant legal demand. Requests are reviewed to ensure they are valid, to reject those that are not, and to ensure only the data specified is provided.

Microsoft engages extensively with governments to advocate for the rule of law and the appropriate protection of all human rights.

To minimize and mitigate the risks associated with the collection, storage, and retention of personal information in the jurisdictions where it operates, Microsoft considers the nature of the services, the types of user data or content required to provide them, and the laws and human rights practices of each jurisdiction. Microsoft may adjust, adapt, limit, or avoid the operation of some types of services or features in certain jurisdictions. Microsoft requires third parties with whom it partners to provide its services to comply with the company’s policies when it has operational control over them. This includes compliance with the company’s policies and procedures to implement the GNI Principles.

Transparency and Engagement Microsoft conveys its overall commitment to respect human rights through its Global Human Rights Statement and communicates its approach to emerging privacy and freedom of expression challenges through the “Microsoft on the Issues” blog. Microsoft communicates its GNI commitments to employees via internal policies, systems and procedures, and the provision of appropriate training.

Transparency reports, listed below, provide an overview of the company’s policies and generally applicable laws and policies:

• Law Enforcement Requests Report
• U.S. National Security Orders Report
• Content Removal Requests Report
• LinkedIn’s Transparency Report

The company’s general practice is to provide users with notice if specific content has been blocked or removed in response to a government order unless prohibited by law.

Regarding government orders for content removal or user data, Microsoft is of the view that it is the role and responsibility of governments via judicial or other independent authorities to provide processes for appeals or other grievance mechanisms. Microsoft does provide its users with mechanisms to ask the company to reconsider content removal decisions pursuant to its Terms of Service. Microsoft also announced in May 2018 it would extend certain GDPR data subject rights to all customers worldwide.

Follow Up and Improvement The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. The main strengths include the degree of commitment at the highest levels of the company to implement the GNI Principles and the manner in which the company has integrated the GNI Principles into its operations, including the due diligence supported by frontline CELA teams.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement.

Millicom

The GNI Board conducted its first assessment review of Millicom and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company Millicom International Cellular S.A. (“Millicom”) is a provider of cable, fixed and mobile communications services that, during the assessment period, operated under the Tigo, Tigo Business, AirtelTigo, and Zantel brands in 11 countries across Africa and Latin America. The company is incorporated in Luxembourg, but the majority of its executive team is based in its U.S. office outside Miami, Florida. The company’s shares are listed on the Nasdaq and Nasdaq Stockholm exchanges. Millicom offers a wide range of mobile and fixed services including mobile voice, data, and SMS; mobile financial services; high-speed wired Internet and cable TV; and an array of business solutions.

Governance Ultimate responsibility for Millicom’s implementation of the GNI Principles rests with the company’s General Counsel and its Chief External Affairs Officer. Operational responsibility for the development, implementation, and execution of policies and procedures rests with the company’s legal team for the right to privacy, and with the Corporate Responsibility function of its External Affairs team for the right to freedom of expression. Millicom's Board of Directors receives updates on the company’s implementation of the GNI Principles and its management of risks relating to the privacy and freedom of expression rights of its users at its quarterly meetings.

Due Diligence and Risk Management Millicom incorporates human rights due diligence into its corporate due diligence and enterprise risk management processes. Millicom’s Law Enforcement Response and Major Events Policy (LEA-MEP) is the company’s key mechanism for empowering frontline personnel to escalate potential issues for due diligence, and ultimately, resolution. According to the policy, changes in a country’s operating environment that materially increase the risks posed by Millicom’s operations to the freedom of expression and privacy rights of its users are Major Events (see more below) that must immediately be reported to senior staff members. Under Millicom’s LEA-MEP, members of its in-country Legal and Corporate Affairs teams are required to escalate to the company’s senior-level executives proposed or actual changes in a country’s surveillance as “Major Events.”

Millicom prioritizes the human rights risks identified by its due diligence processes based on the severity and likelihood of impacts and its ability to mitigate those impacts, having due regard for the safety of its on-the-ground employees and the integrity and reliability of its operations. In 2017, Millicom engaged an external consultant to conduct an HRIA of Millicom’s global operations (see “human rights impact and risk” in the 2017 LED Report). This exercise identified Millicom’s most salient risks and laid out measures that the company could take across its operations to mitigate its potential adverse human rights impacts. Furthermore, the HRIA evaluated the legal and regulatory environment in each of the 11 countries in which Millicom operated at the time and identified future risk scenarios in those countries in the coming years.

The results of Millicom’s HRIAs are incorporated into the company’s business processes primarily through the work of its in-house Corporate Responsibility team. This team incorporates the learnings from HRIAs into the company’s operations. The most important way in which Millicom mitigates the human rights risks its diligence processes identify is by creating robust systems to help its frontline, in-country personnel respond to government requests and demands.

Freedom of Expression and Privacy in Practice Millicom’s assessment of and response to government restrictions and demands that impact the privacy and freedom of expression rights of its users is directed by its LEA-MEP. Millicom draws a distinction between two categories of requests. The first is government requests for user data, which are issued in writing by an entity authorized under local law to do so and appear on their face to be consistent with local law and international human rights standards. Such requests are logged in a database maintained by Millicom’s in-country, in-house legal team that is audited by Millicom’s corporate team on an annual basis. Millicom’s in-country lawyers scrutinize such requests to ensure that they comply with all applicable local legal requirements. If they do, Millicom will grant the request on the narrowest possible basis. If not, Millicom will reject the request and explain its reasons for doing so to the requesting government entity.

The second category comprises all government requests and demands that are not in writing, obviously inconsistent with local law and/or international human rights norms or the terms of Millicom’s operating license in that country or appear on their face to be politically motivated. These are considered “Major Events” that must be escalated to the company’s executive-level personnel for review and decision. Once a Major Event is escalated to Millicom’s senior personnel for their review and decision, the company evaluates the full range of available options before formulating a response. In so doing, the company attempts to balance its responsibility to respect international human rights norms with the practical reality of having to follow the local law in the countries where it operates.

Millicom limits access to the personal information it collects and retains regarding its customers and employees to those members of its staff who have a legitimate business reason to access such information. The company has devised information security measures and internal controls to prevent unauthorized access to such data, including the maintenance of logs that catalog all attempts to access such data, combined with periodic audits of these logs to ensure compliance.

Transparency and Engagement Privacy and freedom of expression are together listed as Millicom’s most important Corporate Responsibility topic in its most recent annual report, which also provides an overview of the company’s approach and activities on these issues. More significantly, Millicom’s extensive annual Law Enforcement Disclosure Report (LED Report) details the company’s policies and procedures to protect the rights of its users in the face of specific government demands. In addition, a public version of the LEA-MEP was published in 2019.

In connection with the implementation of its Global Privacy Policy, Millicom is currently revamping its methods to notify customers regarding the personal information it collects, and how it processes customers’ personal information, and to obtain their consent to such collection when necessary. As things stand, Millicom’s local operations primarily inform their customers of their information collection practices through the contracts that are signed when they establish service. The websites of Millicom’s local operations also include applicable Privacy Notices that detail the type of information the local operation collects from its customers and how such information is processed.

Millicom’s LED Report also provides brief summaries of the legal frameworks of many of the countries under which it operates. The LED Report acknowledges that in several of these countries, “significant challenges exist with regards to the overall clarity of laws, legal oversight and separation of powers when it comes to laws around surveillance...” Millicom highlights the availability of the GNI’s Country Legal Frameworks Resource on its website and in its annual reporting, and commissioned the development of such reports for several of the countries where it operates.

Millicom has contracted an independent ethics hotline that is available to employees, customers, investors, and the public to report violations of the law or company policies, or to raise concerns about other forms of misconduct. Callers are afforded the opportunity to characterize their concerns as relating to “Data Privacy and Protection” or “Compliance with Laws and Regulations,” among other areas.

Follow Up and Improvement The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. In particular, a main strength is that the LEA-MEP provides both specific and illustrative guidance as to the kinds of issues that local personnel must escalate to senior management, and provides a 24-hour “on call” system so that frontline employees know precisely to whom they should escalate a particular issue.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement.

Nokia

The GNI Board conducted its first assessment review of Nokia and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company Nokia Corporation is one of the world’s leading providers of mobile, fixed, optical, and IP-routing network infrastructure, which includes software, services, and technology hardware. The company employs over 100,000 people around the world and serves telecommunication network operators and vertical enterprise customers in 130 countries. Nokia supports a single network for digital services, converging mobile and fixed broadband, IP routing, and optical networks.

In addition to its communications network equipment business, Nokia also operates a successful patent and licensing business and conducts research and development through its Nokia Bell Labs organization. As of January 2019, the company comprises seven business groups: Mobile Networks, Fixed Networks, IP & Optical Networks, Global Services, Nokia Software, Nokia Enterprise, and Nokia Technologies.

Nokia was previously known for its mobile phone business. This business was sold in 2014. Nokia-branded phones and tablets available on the market today are created, marketed, sold, and supported by HMD Global Oy (HMD) — an independent company that is the exclusive global licensee of the Nokia brand for these purposes.

Governance Nokia’s Board of Directors is responsible for overseeing the company’s performance across a range of environmental, social, and governance topics. This includes Nokia’s performance with regard to human rights issues — most notably in connection with the company’s implementation of the GNI Principles.

Nokia’s Group Human Rights Policy and its Code of Conduct form the basic structure through which the company implements the GNI Principles into its operations. The company has developed detailed internal Implementation Guidance to help operationalize the high-level commitments contained in the Group Human Rights Policy in specific circumstances. The Code of Conduct, meanwhile, summarizes the company’s key human rights commitments and requires all employees to be on the lookout with regard to conducting business in high-risk countries, where the rule of law is weak. At an operational level, the most important way in which Nokia implements the GNI Principles is through its sales approval process. This is the process by which the company reviews all potential sales of its products and services against a wide range of considerations, including human rights risks.

Due Diligence and Risk Management Nokia employs distinct mechanisms to identify the risks to the rights to freedom of expression and privacy associated with the sales of its products and services, the most significant of which is the company’s sales approval process. This process includes a standard set of triggers to evaluate a potential transaction and various risk dimensions.

The main way in which Nokia mitigates risks related to freedom of expression or privacy identified by its due diligence processes is by unilaterally declining to sell certain of its products to customers located in countries where Nokia individually determines that its products are likely to be misused to interfere with these rights. Nokia uses an external risk rating company to assess country risks as one part of the input into this risk identification process. Given that for the most part Nokia does not sell individual pieces of equipment to its customers, but rather large packages of equipment required to enable a communications network, Nokia also considers whether it may supply its high-risk customers with certain network elements that pose a low risk of misuse, while withholding the sale of other network elements.

In other cases, Nokia considers whether its solutions can be customized to minimize the risk that its products will be misused to cause adverse human rights impacts. Minimization mechanisms that could be considered include limiting the personal information generated by or captured during the operation of a product and licensing the use of a software product as a separate item, as opposed to including it as a default feature.

Freedom of Expression and Privacy in Practice

Nokia is an equipment vendor to providers of telecommunications services, rather than a service provider in its own right. Correspondingly, Nokia itself does not receive government requests to restrict content and turn over user data. Were Nokia to receive such requests from governments, it would be unable to fulfill them, as the company has neither the technical nor the legal ability to do so in view of the nature of its business.

At the time of the assessment, Nokia did not offer products or services for sale directly to individual end users. Correspondingly, Nokia does not collect or retain data about individuals in the manner that other companies must do in order to offer their products and services. Nonetheless, Nokia’s Group Privacy Principles and its Privacy Management Policy commit the company to incorporate privacy by design into its products, and to minimize the collection and use of personal data.

Transparency and Engagement

Nokia communicates its general approach to addressing its human rights impacts in relation to freedom of expression and privacy by making its Group Human Rights Policy and Code of Conduct available online. In addition, the company publishes a People and Planet report every year that includes a section that details its approach to managing the privacy and freedom of expression-related risks of its business. Since 2017, the People and Planet report has included anonymized summaries of human rights due diligence cases reviewed by the company in the previous year. Nokia also reports on human rights issues in its annual Form 20F filed with the U.S. Securities and Exchange Commission. In addition, Nokia uses a variety of communication channels to communicate its approach to human rights to external and internal stakeholders — including blog posts, internal and external social media channels, and company participation in regional and global human rights gatherings and events.

Nokia does not have any “users” in the sense that this word is typically used in the GNI assessment context, as the company’s customers are overwhelmingly other businesses. That said, Nokia’s Privacy Statement governs the company’s collection, storage, and use of personal information for its business purposes (including employee-related information).

Nokia employees and external stakeholders alike can report violations of the Company’s Code of Conduct and related Group-level policies using Nokia’s dedicated 24-hour ethics hotline. Such reports can be filed anonymously. In addition, Nokia employees can report any concerns they may have to the company’s global Ombuds program.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. Nokia is the first vendor whose compliance with the GNI Principles has been assessed. Because vendors typically do not have in their possession the type of content sought by law enforcement or government agencies, nor do they control the networks censored by governments, many of the mechanisms called for in the GNI Implementation Guidelines are simply inapplicable to Nokia’s operations. Nokia, its assessor, and the GNI Board all recognized this. For Nokia, it was particularly important that human rights triggers were built into its sales approval process. The incorporation of human rights due diligence into this core business process provides assurance that transactions which may pose significant human rights impacts are not escaping the attention of Nokia’s human rights team.

“Nokia sets great store by our commitment to human rights — throughout our entire operations, from supply chain and workplace, to ways in which our technology is used. So, we are proud to be the first communications equipment vendor to have joined GNI as a board member and to be assessed under its rigorous standards. We are pleased with the positive outcome and look forward to our continued engagement with the GNI community.”

FIONA CURA-PITRE, Nokia

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. For Nokia, one example of an assessor recommendation is to consider developing a formal business process for evaluating the human rights risks and opportunities presented by the innovative technologies it is developing, such as 5G and artificial intelligence, with a view of better informing the due diligence it will conduct prior to the sale of such technologies in the future.

Orange

The GNI Board conducted its first assessment review of Orange and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Orange is one of the world’s leading telecommunications operators with revenue of 41 billion euros and 151,000 employees worldwide, including 92,000 in France, by the end of 2018. The Group served 264 million customers in 2018 (204 million mobile customers and 20 million fixed broadband customers). With presence in 27 countries, Orange is also a leading provider of telecommunication services to multinational companies, under the brand Orange Business Services. Orange SA is the parent company of the Orange group and carries the bulk of the Group’s activities in France. Orange has been listed since 1997 on Euronext Paris and on the New York Stock Exchange (NYSE).

Governance

In 2017, France passed legislation regarding “Le Devoir de Vigilance” or “Duty of Vigilance” for corporate actors to guard against negative human rights impacts of their business decisions. Orange Group was required by this law to develop and implement a vigilance plan, which includes reasonable oversight mechanisms to identify risks and prevent serious abuses of human rights and fundamental freedoms derived from the company’s activities. It includes a risk map, procedures for evaluating the position of subsidiaries, subcontractors and suppliers, actions adapted to mitigating risks or the prevention of serious abuses, an alert mechanism (whistleblowing system), and a mechanism for the collection of reports, as well as a system for monitoring the measures taken.

“The GNI assessment has strengthened our Vigilance Plan to follow up on government demands.”

YVES NISSIM, Orange

The GNI Principles have been integrated into the Group policies via the Vigilance Plan, which compiles several processes that meet the requirements of a number of GNI Principles. The specific Human Rights and Fundamental Freedom risk as well as Health and Safety risk and Environmental risk have been raised to the highest level of Board oversight. Risk of breaching human rights and fundamental freedoms has thus been identified by Orange as a Group non-financial risk under its risk management and internal control system, which consists of an organizational structure, procedures, and control systems implemented by senior management and all employees under the responsibility of the Board of Directors.

Due Diligence and Risk Management

In addition to the Vigilance Plan described above, the Group’s management teams identify and assess, at least once a year, the risks falling within their remit. Risk mapping also includes a description of action plans designed to address these risks by strengthening internal control. The list of significant events, the changes to risk mapping, and the monitoring of action plans are scrutinized during internal control reviews. At Group level, risks are monitored by the Group Executive Committee’s Risk Committee. The overall Risk Management Report is reviewed at least once a year by the Risk Committee and presented to the Directors at a Joint Committee of Board Committees, during which major risks are discussed in the presence of the directors concerned. Orange has recognized at Group level that the company is exposed to risks of disclosure or inappropriate modification of personal data, in particular customer data, affecting privacy. Orange has identified the risk to privacy as a core risk, incorporating privacy in its Time to Market process linked to the development of new products or upgraded products. Moreover, Orange has defined the risk to freedom of expression and privacy in its risk assessment matrix as part of its Vigilance plan.

Risk analysis is the major tool used to determine if a human rights impact assessment is necessary. Orange uses Verisk Maplecroft, a specialist external firm using a methodology based on UN and OECD standards, to carry out a customized assessment of the risks incurred in terms of compliance with human rights in each country where Orange operates, to assess and target its actions. On top of the Verisk Maplecroft analysis, Orange tracks governmental requests or demands with potentially serious impacts on freedom of expression, and tracks them against an electoral calendar to anticipate possible concerns.

Freedom of Expression and Privacy in Practice

Orange’s policies and procedures for responding to government restrictions and demands are captured in the document “Process to be followed in advent of a major infringement on freedom of expression,” which covers the specific components of the GNI Implementation Guidelines.

Monitoring the management of the Personal Data Protection governance program is undertaken by both the Group Security Department and the Personal Data and Security Department of the Group’s Legal Department. The approach taken by the Group Security Department is audited by a yearly assessment to check compliance with the Group’s Security Standard.

Transparency and Engagement

Orange communicates its human rights impacts in relation to freedom of expression and privacy via various channels to shareholders and stakeholders:

• Annual report on freedom of expression
• Orange vigilance plan
• Document on implementation of the GNI Principles
• A booklet on Orange’s policies regarding human rights
• A dedicated website on personal data protection

Orange offers grievance mechanisms to its customers. For example, in France, there is a link to a postal address and a link to a downloadable form for enterprise customers, a postal address and an Internet access path for residential customers, and an external appeal to the authorities CNIL (French National Commission of Computing and Freedoms) at Group level. Orange also offers a whistleblowing mechanism for grievances, including related to personal data, via an email address.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. One strength is the integration of freedom of expression and privacy into the company’s overall Vigilance Plan, with well-defined roles within the company and an internal structure for risk management that involves local subsidiaries while requiring internal guidelines to be followed.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. For Orange, an example of an assessor recommendation is to publish in its integrated annual report information on its fight for freedom of expression and the protection of personal data. Successful cases could illustrate this commitment, as long as employee safety is not put at risk.

Telefónica

The GNI Board conducted its first assessment review of Telefónica and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Telefónica’s business model is based on four platforms:

1. Physical assets from networks and base stations to stores or customer equipment.

2. IT & Systems that contain support and commercial systems.

3. Product and services such as video, cloud, big data and security as well as aggregate third party services.

4. Cognitive power that aims to help create better experiences for customers using artificial intelligence tools.

The company is organized across the following segments: Telefónica Spain, Telefónica United Kingdom, Telefónica Germany, Telefónica Brazil, Telefónica Hispam Norte (Central America, Colombia, Ecuador, Mexico, and Venezuela) and Telefónica Hispam Sur (Argentina, Chile, Peru, and Uruguay). Telefónica also has Telxius, a telecommunications infrastructure company that manages more than 16,550 towers of high-capacity optic fiber cable network.

Governance

The GNI Principles are implemented at Telefónica via the Responsible Business Plan, which is approved by the Board of Directors and defines the company’s sustainability objectives, including commitments to privacy and freedom of expression. The senior-directed human rights function is held by the Global Director of Corporate Ethics and Sustainability, who designs, coordinates and leads the implementation of the GNI Principles. The Responsible Business Plan helps ensure that the commitments laid out in the GNI Principles are incorporated into routine business operations. The involvement of the department heads in the Responsible Business Office ensures that topics such as privacy and freedom of expression are adequately communicated to employees working in the respective areas.

Due Diligence and Risk Management

Telefónica has a human rights due diligence process in place to identify, prevent, mitigate and account for human rights risks in general and risks to privacy rights and freedom of expression in particular. An integral part of this process are human rights impact assessments, which are conducted every four years. The latest human rights impact assessment in 2017/2018 identified privacy and freedom of expression as one potential area of human rights impact. Telefónica also conducts more specialized human rights impact assessments, both on a product and market-level.

Telefónica evaluates possible human rights impacts of new products and services via a “human rights by-design-approach,” which the company is currently implementing. In this approach, product managers conduct a self-assessment via an online tool in the design phase of new products and services with a view to identifying and addressing potential adverse effects already at this stage.

Once (actual or potential) risks to the freedom of expression and privacy rights are identified in the due diligence processes elaborated on above, Telefónica acts upon these findings and adapts internal policies and processes accordingly. For example, human rights were integrated as a specific risk in Enterprise Risk Management so that risks arising out of substantial changes in existing products and services are also raised and addressed.

Freedom of Expression and Privacy in Practice

In 2016, Telefónica adopted a “Global Rule on Requests made by Competent Authorities” (hereafter “Global Rule”), which sets out how all companies within the Group are to assess and respond to requests made by competent authorities in relation to:

1. the lawful interception of communications,
2. the provision of metadata associated with communications,
3. blocking of websites, and/or restriction of certain content, and
4. suspension of networks or services.

This Global Rule ensures compliance with legal obligations vis-à-vis the competent authorities in the respective countries, while protecting at the same time the fundamental rights of the people affected. It was elaborated in accordance with the principles of the former Telecommunications Industry Dialogue and updated based on the GNI Principles and learnings within the GNI community.

The Global Privacy Policy of Telefónica, which was updated in 2018, establishes a set of mandatory rules that all companies within the Group are to follow to minimize and mitigate the risks associated with the collection, storage, and retention of personal information in the jurisdictions where they operate.

Transparency and Engagement

Telefónica communicates its human rights impacts in relation to freedom of expression and privacy via various channels to shareholders and stakeholders:

• The annual management report of Telefónica integrates relevant non-financial information. It contains a separate chapter on human rights and repeatedly stresses the company’s commitment to privacy rights and freedom of expression in general and the GNI Principles in particular.
• The Consolidated Management Report is meant to reach not only the company’s shareholders, but also its stakeholders in their entirety. For this purpose, the sections on human rights, privacy, freedom of expression, and the GNI Principles, respectively, are elaborated on in even greater detail.
• Telefónica publishes a yearly Transparency Report related to requests from competent authorities regarding legal interceptions, access to metadata, blocking and filtering of contents as well as suspension for services.
• The Telefónica website provides further information on the company’s approach to sustainability, in general, and human rights/privacy and freedom of expression, in particular, with a view to making this information publicly available to all interested stakeholders. Instrumental in this respect are Privacy Centers that serve as a one-stop-shop for stakeholders (particularly customers) interested in knowing more about Telefónica’s approach to privacy and freedom of expression.
• Telefónica has an institutionalized dialogue with its stakeholders via the Telefónica Stakeholder Panel and proactively engages with investors/analysts on environmental, social and governance (ESG) topics.
• Telefónica discloses what personal information it collects, via its Global Privacy Policy. Telefónica also has a Privacy and Security Centre, where customers can find relevant information on privacy and security matters.
• The company’s policies and procedures for responding to restrictions and demands by competent authorities are explained in Telefónica’s Transparency Report. The relevant procedure in this respect is in the “Global Rule,” a summary of which is also publicly available.

With its Responsible Business Channel, Telefónica has a mechanism in place that allows stakeholders, in general, and users, in particular, to make grievances about issues related to freedom of expression and privacy and, if appropriate, receive remediation. To be more precise, grievances can be made in relation to various categories, two of them being freedom of expression and privacy. The concrete procedure and the principles governing the processing of said grievances are explained in detail in the publicly available Group Regulation about the Management of the Business Principles Channel.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. A main strength is that the company had adopted policies and procedures, which outline how they shall assess and respond to government demands in relation to restriction to communications, protect privacy, and allow freedom of expression.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. For Telefónica, one example of an assessor recommendation is that the company consider providing specific training for those corporate employees who are most likely to have to address freedom of expression matters and providing a specific training for senior management and the board that facilitates deeper reflection on future challenges in the application of the GNI Principles.

Telenor Group

The GNI Board conducted its first assessment review of Telenor and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Telenor Group is an international provider of tele, data, and media communication services. In the assessment period, Telenor had mobile operations in the following markets:

WHOLLY OWNED SUBSIDIARY: Norway, Denmark, Sweden, Pakistan, Myanmar, Hungary, Bulgaria, Montenegro, Serbia

SHAREHOLDER: dtac, Thailand (minority); DiGi, Malaysia (minority); Grameenphone, Bangladesh (majority)

Governance

The assessment explored how Telenor’s Board of Directors approves the company’s human rights policies and exercises oversight with the support of its Sustainability and Compliance Committee. The GNI Principles are implemented through the Authority Requests Manual, which provides mandatory requirements for handling government requests across Telenor’s business units. At the business unit level, experts from privacy, legal, sustainability, security, communications, and public and regulatory affairs will assess challenging cases and escalate if needed to the business unit CEO. A point of contact at the Group level (Group Single Point of Contact — SPOC), responsible for privacy, engages with the business units on these issues, receives the escalations, and will summon a Group level team representing the same functions as the local escalation team as required.24 For any cases that are particularly challenging or of high risk, this team will escalate the request to a high-level steering committee to make a decision, in collaboration with the business unit CEO. If the request cannot be resolved at this level, Group CEO will decide on necessary actions. In addition, business units undergo periodic assessments of the authority request manual implementation.

Due Diligence and Risk Management

Telenor employs an ongoing process of human rights due diligence to identify, prevent, mitigate, and account for human rights impacts, in alignment with the UNGPs. This is set out in the Group Sustainability Policy and is mandatory at Group and business unit level. Privacy and freedom of expression were identified as salient issues in a 2017 Group-level mapping exercise, and a Human Rights Due Diligence Toolkit provides guidance for implementation.

Due diligence is conducted regularly; the frequency is determined by the market and level of risk. When authority requests require rapid response, Telenor has developed a Rapid HRDD Template which was piloted in 2018/2019. Telenor has specific due diligence actions for different activities:

• Products: Telenor takes a risk-based approach in any kind of data processing.
• Markets: Prior to entering Myanmar, the company conducted a HRIA as part of due diligence and reports progress on key findings in annual sustainability briefings.
• Acquisitions and partnerships: Due diligence is exercised before engaging with third parties, as outlined through a Group policy on third party risk.
• Other business relationships: Respect for human rights and privacy is included in Supplier Conduct Principles.

Telenor’s human rights prioritization is based on the analysis of the severity of the risk to define group-wide salient issues. Such risks are also considered as part of a holistic assessment that includes legal and security risks.

24 To ensure Group involvement at an earlier stage of the escalation process, Telenor has since revised its AR Manual to require escalation to business unit CEO and Group SPOC simultaneously.

Freedom of Expression and Privacy in Practice

Telenor’s Authority Requests Manual was updated in the reporting period based on learnings, best practices identified from other companies, and the formulations found in the GNI Principles. Per the Authority Requests Manual, business units implement routines for checking that authority requests meet procedural and material requirements for a valid legal basis under local law. When requests lack a clear legal basis or pose a significant risk of serious human rights impact, business units shall inform the authority accordingly and refrain from executing the request, to the extent reasonably possible without risking disproportionate reprisals. The updated manual, which came into effect in August 2018, specifies that requests and legal basis shall be interpreted as narrowly as possible.

Business units are expected to engage with the authorities in accordance with guidelines and on a regular basis. In the Spring of 2018, a Checklist for Authority Request and Business Environment Management was developed to help business units execute on these responsibilities.25 The Public and Regulatory Affairs unit, at both Group and business unit levels, engages authorities regularly. Telenor may also submit input to proposed legislation, encourage legal frameworks that meet international standards, and engage in international policy discussions.

The company-wide Privacy Policy and Manual includes the following key principles:

• Personal data should solely be used for the purposes for which it was collected, with a valid legal basis for processing
• Each business unit has a designated Data Protection Officer
• Each business unit is required to conduct Data Protection Impact Assessment (DPIA), and other measures to keep data secure

In addition, Telenor has a data breach manual.

Transparency and Engagement

Telenor publishes an Annual Sustainability Report as well as information on its website including transparency reports, a legal frameworks overview, and historic reports on the Telecommunications Industry Dialogue. Group and business units engage with shareholders and stakeholders through regular meetings and events. For example, Telenor Myanmar hosts an annual Sustainability Forum, a multistakeholder gathering where they report on the progress related to a number of risks including freedom of expression and right to privacy. The Group CEO has also spoken publicly on these issues. GNI commitments are communicated to employees through an intranet site.

25 This is now called the BU Authority Request Action Plan.

Telenor discloses to users what personal information the company collects through the privacy notice for each company. For example, see Telenor Pakistan Privacy Notice. A dedicated “Handling Access Requests from Authorities” page and legal overviews of laws related to freedom of expression/privacy for all operating markets disclose both the generally applicable laws and policies, which require the company to restrict content or communications or provide personal information to government authorities, and the company’s policies and procedures for responding to government restrictions and demands.

The main mechanism for reporting grievances is the Integrity Hotline, which is available to anyone with the option to anonymously report suspected breaches of the company Code of Conduct, which includes grievances related to freedom of expression and privacy. In practice, more day-to-day questions about these issues come through customer service channels. During the reporting period, no grievances were reported that related to the GNI Principles.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. The assessment showed that Telenor is evaluating and improving its efforts to implement the Principles. For example, Telenor has developed a set of continuously updated manuals for those engaged with authority requests, as well as tools for HRIA and HRDD.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. For Telenor, an example of a recommendation to further optimize its systems is to consider centralizing its systems to track its policy implementation and understand the number of government requests it receives that fall outside acceptable standards.

Telia Company

The GNI Board conducted its first assessment review of Telia Company and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Telia Company provides:

• Mobile voice and data
• IP capacity
• Fixed voice and data
• TV and media

Telia Company’s operations also include the following lines of business: Carrier, ‘Division X’, Analytics, and Cygate, which is a leading provider of integrated solutions to business customers in the Nordics.26

Telia Company has its roots in Finland and Sweden. Home markets today are the Nordic and Baltic countries. During 2015, Telia Company announced the decision to exit Eurasia, enabling it to fully focus on the core markets and strategy as New Generation Telco. As of June 2018, Telia Company still owned operations in Kazakhstan (Kcell), Moldova (Moldcell), and Uzbekistan (Ucell), as well as a minority share in Turkcell (Turkey). Telia Company had divested its operations in Nepal (December 2015), Tajikistan (April 2017), Georgia (January 2018) and Azerbaijan (March 2018) as well as its minority ownership in MegaFon (Russia) (October 2017). Within Telia Company, each country organization is responsible for running the operations. Telia Company’s backbone fiber, Telia Carrier, runs around the world and is the second largest in the world, with wholesale customers in more than 110 countries.

26 Since December 2019 Telia Company owns Bonnier Broadcasting and thus includes a Broadcasting unit.

Governance

At Telia Company, implementation of the GNI Principles primarily occurs via the company’s policy on freedom of expression & surveillance privacy. This policy is owned by a group function, with dedicated roles for other members of senior management, and is reapproved annually by Telia Company’s Board of Directors after a preparatory review by the relevant board committee.27 Freedom of expression and surveillance privacy risks related to Telia Company’s operations are reviewed in a manner consistent with Telia Company’s overall approach to risk management through the Governance, Risk, Ethics, and Compliance (GREC) forum. GREC meetings are held at both the group and country levels. In addition, a Group Level Human Rights Virtual Team facilitates policy coordination, shared learning, analysis, business integration, and alignment on human rights.

Due Diligence and Risk Management

Telia Company follows several processes to identify risks to freedom of expression and privacy. These include GREC, the company’s seven responsible business focus areas, its risk management process, and the HRIAs conducted for eight markets and performed by BSR, an independent nonprofit organization. The company is also committed to undertaking some form of HRIA, including on freedom of expression and surveillance privacy, as appropriate.

Where Telia Company does have operational control, the Policy and Instruction on Freedom of Expression & Surveillance Privacy applies fully. Where Telia Company does not have operational control, the policy states: “Telia Company works toward promoting and adopting this Policy’s principles and objectives in other associated companies where Telia Company does not have control but has significant influence.”

Telia Company’s responsible business focus areas, including the one on freedom of expression and surveillance privacy, provide a structure and governance for ongoing due diligence. The respective responsible business focus area owner provides group-level advice and support, based on the company’s policy and instruction.

The Telia Company Group Policy on Freedom of Expression & Surveillance Privacy establishes how local companies and other units assess and escalate unconventional government requests or demands. The policy, adhering Instruction, and guidance in the Form for assessments and escalation provide the process for prevention and mitigation of freedom of expression and surveillance privacy risks in relation to unconventional requests. In this context, the definition of “requests” includes significant or proposed changes in the law, or significant imposed or proposed operational changes.

Freedom of Expression and Privacy in Practice

The Telia Company Group Policy on Freedom of Expression & Surveillance Privacy describes how the company will assess and respond to government requests and demands. In addition to the publicly available policy, an instruction sets out how the policy is implemented, including steps requiring governments to follow established domestic legal processes, requesting clear written communications, and soliciting the narrow interpretation of government requests.

27 Due to changes since the completion of the assessment this policy is now owned by Group People & Brand Group Sustainability.

Telia Company has, in connection with the implementation of the privacy legislation GDPR in May 2018, thoroughly assessed all collection, storage, and retention of personal information in Telia Company’s markets within the EU, adding also operations in Norway. Telia Company has reviewed internal processes, privacy policies, and security measures, trained staff, and made necessary changes in IT-systems to enable customers to exercise their right to access data deriving from GDPR.

Transparency and Engagement

Telia Company communicates its commitment to the GNI Principles through formal public reporting (including law enforcement disclosure reporting and annual and sustainability reporting), public communications (including statements, policies, and articles), and informal engagement through regulatory and public affairs activities.

Telia Company has drafted Privacy Policies for its different companies, products, and services that contain information about what personal data the company processes. The Privacy Policies are provided to customers at the time of onboarding and are publicly available on Telia Company websites. Surveillance laws are disclosed to users mainly through the Telia Company Law Enforcement Disclosure Reports (full reports are issued every March and statistics updates every October). The reports include context about surveillance legislation, a list and statistics on conventional as well as unconventional requests, and links to laws on direct access and on data retention. Regarding direct access, Telia Company also explicitly highlights that it does not know the amount of surveillance and cannot provide statistics. Telia Company has published its Policy and has a public version of the Form for assessments and escalation.

Telia Company has set up a whistle-blowing tool, the Speak-Up+ Line, which allows for human rights issues to be raised, including freedom of expression and surveillance privacy. The system is also available for external stakeholders.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. Within the senior management team of Telia Company, the assessor observed that careful attention was paid to unconventional requests and demands from authorities in the countries where Telia Company operates.

See Section 3 for an overview of recommendations made by assessors to one or more companies for improvement. An example of an assessor recommendation for improvement was that Telia Company consider implementing a formalized process to identify potential risks related to freedom of expression and privacy that may be connected to its products. This may be usefully incorporated into the existing risk assessment processes for when new products are developed.

Verizon Media

The GNI Board conducted its assessment review of Verizon Media and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time. This is the third GNI assessment of Verizon Media, previously Yahoo, a founding member of GNI.

The Company

Verizon Media houses a dynamic set of global media and technology brands, including two of the Internet’s most recognized brands: Yahoo and AOL. Yahoo, a founding member and Board member of the GNI, was acquired by Verizon, Inc. (“Verizon”) and joined with AOL, Inc. (“AOL”) to form Verizon Media (formerly Oath) in 2017. Verizon Media provides consumers with owned and operated search properties and finance, news, sports and entertainment offerings; and provides digital advertising platforms.

Governance

The Business and Human Rights Program (BHRP) is a team of senior human rights professionals within the company responsible for leading efforts to make responsible decisions with respect to human rights, particularly freedom of expression and privacy. The BHRP, under the remit of the General Counsel, has primary responsibility for driving Verizon Media’s implementation of the GNI Principles. The BHRP works with a global virtual, cross-functional team consisting of senior employees and experts from across the company to integrate human rights considerations in business decision-making processes within Verizon Media. The Corporate Governance and Policy Committee of the Verizon Board of Directors receives periodic updates about global human rights risks and opportunities related to Verizon Media.

Due Diligence and Risk Management

The BHRP designs and implements ongoing human rights due diligence policies and procedures to identify human rights risks and opportunities related to Verizon Media’s business decisions. This includes the preparation of human rights impact assessments (HRIAs) of decisions related to the company’s operations, products, or services. The BHRP has published information about its process for human rights due diligence on its website.

Freedom of Expression and Privacy in Practice

Verizon Media has published Global Principles for Responding to Government Requests for content removal and for user data — informed by the GNI Principles. The cases reviewed by the assessors and considered by the GNI Board provided evidence that these Principles are followed in practice in Verizon Media’s process for responding to government requests. This includes showing that the company requires clarification of requests, demonstrates willingness to challenge requests when necessary, and has developed escalation procedures for appropriate circumstances. In addition, Verizon Media considers risks associated with the collection, storage, and retention of personal information as part of assessing the human rights impacts of its business decisions.

Verizon Media’s Global Public Policy team, working in collaboration with the BHRP, leads engagement with governments around the world to advocate for the rule of law and respect for privacy and freedom of expression.

Transparency and Engagement

The BHRP website is part of Verizon Media’s main corporate website and articulates the company’s approach to business and human rights, which builds on Yahoo’s pioneering programmatic work. The BHRP maintains a public-facing blog on this website.

Verizon Media has also published a Transparency Reporting Hub that contains information about how the company puts its commitment to its users into action. It discusses the BHRP and Verizon Media’s membership in GNI, as well as Verizon Media’s Global Principles for Responding to Government Requests. It also contains a FAQ section that provides information on Verizon Media’s approach to responding to government demands.

Importantly, the Hub houses Verizon Media’s Government Requests Transparency Reports with information on government requests for user data, including national security requests for user information in the United States, to the extent allowed by U.S. law. The report also contains information on government requests for content removal. Verizon Media provides illustrative examples of the type of requests it receives and how it responds to those requests. This includes all requests it identifies as coming from a government agency, including government requests to remove content based on Verizon Media’s Terms of Service or Community Guidelines.

Verizon Media further communicates with users through its Terms of Service and Privacy Policy. The company has also developed a microsite that explains how and when user data is collected and used and provides users with a personalized privacy dashboard.

Verizon Media may notify users via email when user-generated content is removed or blocked. Verizon Media notifies users about third party requests for their information prior to disclosure. This provides users with an opportunity to challenge the request. There may be instances where notice would not be provided to a user, for instance where the company is prohibited by law from providing such notice, or where there is an imminent threat of physical harm to a person in an emergency situation. Steps are taken to provide delayed notice to the affected user when possible.

Information about Verizon Media’s whistleblower channel, including a link to make reports via “The Network,” a third-party compliance reporting website, is provided in the company’s Standards of Business Conduct, which states that the company considers human rights in its business actions and decisions. The BHRP also makes its email address publicly available so that anyone can contact the BHRP about issues related to Verizon Media’s global human rights commitments.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. Following Yahoo’s acquisition and the formation of Verizon Media encompassing Yahoo and AOL, the BHRP was charged with leading efforts to inform responsible decision-making on important human rights issues of freedom of expression and privacy across the entire company. This demonstrated the importance that Verizon Media’s leadership attaches to human rights issues. The assessor reported on Verizon Media’s progress against recommendations made from the prior 2015/2016 assessment and noted that significant progress was made.

See Section 3 for an overview of recommendations made in the 2018/2019 assessment cycle by assessors to one or more companies.

Vodafone Group

The GNI Board conducted its first assessment review of Vodafone Group and determined the company is making good-faith efforts to implement the GNI Principles with improvement over time.

The Company

Vodafone Group is one of the world’s leading telecoms and technology service providers. Vodafone Group has extensive experience in connectivity, convergence and the Internet of Things, as well as championing mobile financial services and digital transformation in emerging markets.

Vodafone Group has mobile operations in 24 countries, partners with mobile networks in 41 more, and fixed broadband operations in 19 markets. As of September 30th, 2019, Vodafone Group had approximately 625 million mobile customers, 27 million fixed broadband customers and 22 million TV customers, including all of the customers in Vodafone Group’s joint ventures and associates.

Vodafone Group offers a wide range of products and services and aims to provide a unified experience to its customers combining mobile, fixed voice, broadband, TV and other services. Vodafone Group also offers mobile, fixed and a suite of converged communication services to support the needs of its Enterprise customers, who range from small businesses to large multinational companies.

Governance

The Vodafone Group External Affairs Director is the most senior representative with responsibility for the GNI Principles and is a member of the Vodafone Group Executive Committee.28 The Executive Committee exercises oversight of the implementation of the GNI Principles through sponsorship of policies, receiving reports, the use of subcommittees as part of overall company due diligence and governance activities, and consultation and sign off on external stakeholder engagement and GNI engagement on human rights issues. Within senior management, the sustainable business team has lead responsibility for implementation of the GNI Principles with other teams, including, but not limited to, security, privacy, and policy. These teams work closely with their local market counterparts. The GNI Principles are integrated into routine business operations, through Group policies and implementation guidelines, risk mitigation processes, governance, ongoing monitoring, and reporting and transparency.

Due Diligence and Risk Management

Vodafone Group’s approach is to embed a human rights risk assessment into the due diligence investigation for new and upcoming products and markets. This is achieved by ensuring each step of the risk assessment process is contained within the due diligence investigation.

Freedom of Expression and Privacy in Practice

Vodafone Group has a law enforcement assistance policy, which outlines the governance and safeguards the company has in place to ensure it balances respect for its customers’ rights to privacy and freedom of expression with its legal obligations to support a free and secure society.

Vodafone’s Customer Privacy Portal and Report explains how the company’s privacy policies and a framework govern the collection, use, and management of customer information. Protection of personal data is central to the Vodafone Code of Conduct. In some instances, Vodafone has taken steps beyond what is required for legal compliance, to minimize and mitigate the risks associated with the collection, storage, and retention of personal information wherever it operates.

Transparency and Engagement

Vodafone Group publicly reports its freedom of expression and privacy impacts through several means, including the Digital Rights and Freedoms Portal, the Annual Sustainable Business Report, and the Vodafone Group Annual Report.

The Digital Rights and Freedoms Portal includes the Law Enforcement Assistance Disclosure Statement and the Legal Annex (with overviews of powers in each market). The company also publishes a country-by-country disclosure of demands made on the company.

28 Vodafone Group’s operational leadership team is referred to as an “Executive Committee” instead of “Board.”

Freedom of expression and privacy complaints can be made via Vodafone Group’s normal customer service channels, from where they are then routed to the responsible organizations and teams. Privacy queries can be submitted to a dedicated site for specific local markets. General enquiries from external stakeholders on freedom of expression and privacy are made through media lines or directly to the sustainability team. Customers can use Vodafone Group’s customer service channels.

Follow Up and Improvement

The GNI Board took note of the assessors’ views on the company’s main strengths and successes in implementing the GNI Principles, as well as recommended areas of improvement. For Vodafone Group, the assessor noted that the GNI Principles are also well understood and embraced by senior leaders in a number of key areas of the business and that the company uses technology and existing compliance systems to embed human rights into everyday company procedures and processes.

See Section 3 for an overview of recommendations made in the 2018/2019 assessment cycle by assessors to one or more companies.

3) Improvement Over Time

Continuous improvement is a critical component of GNI’s approach to freedom of expression and privacy. As the GNI Principles state, “while infringement on freedom of expression and privacy are not new concerns, the violation of these rights in the context of the growing use of ICT is new, global, complex and constantly evolving.” This is why the GNI Board focuses on whether a company is making good-faith efforts to implement the GNI Principles with improvement over time. Each company’s assessment report, including the process review and case studies, is designed to show how companies have evolved their policies and procedures and their approach to freedom of expression and privacy rights during the assessment period.

Assessor recommendations to companies are also an avenue for improvement over time. Companies are not required to adopt the assessor’s recommendations. Rather, each recommendation provides the company an opportunity to review the issues or questions underlying the recommendation and determine what actions or changes (if any) to undertake (which may be different from the assessor’s recommendations). In each subsequent assessment, the GNI Board reviews recommendations made during the prior assessment of each company and the actions or changes undertaken (if any) by the company. Assessors are asked to explain whether a company has implemented a recommendation, is in the process of implementing it, or has decided not to implement the recommendation as suggested, but has chosen to address the specific issue in another way.29 The GNI Board considers these explanations in the context of its good-faith determination.30

Based on a review of the assessment materials, the GNI Board may make recommendations to a company regarding alternative approaches to the implementation of the GNI Principles. If the company modifies (i.e., takes steps to address the concern that prompted the recommendation that differ from the actions the board recommended) or rejects a recommendation, it will explain its decision to the GNI Board in its next assessment. Board recommendations are approved by a majority vote of the board other than board members representing the company being assessed. Recommendations from individual board members constitute “informal feedback” to the company and do not trigger a mandatory response from the company.31

During this assessment cycle, the GNI Board made a total of five recommendations to four companies.

29 See Question 6.4 in the Process Review Questions in Appendix I of the Assessment Toolkit.

30 According to Appendix V of the Assessment Toolkit, Process Description for Board Review Meeting: “Engagement with recommended steps in a prior assessment shall be considered as an important factor by the Board in concluding whether the GNI member company is making good-faith efforts to implement the Principles with improvement over time.”

31 The focus of the board review is to assess company members’ processes. The GNI Board does not comment on or make recommendations regarding a company’s business decisions, its specific business criteria, or its business terms of dealing. Companies always remain free to conduct business unilaterally, as they determine what is in their individual best interest. The focus of the board’s formal and informal recommendations, and other engagement, is on the assessed company members’ processes and do not comment on or intend to comment on members’ business decisions or terms of dealing.

Assessors Recommendations to Companies

Assessors made 70 recommendations for improvement to the 11 assessed companies, according to the categories from the Assessment Toolkit:

ASPECT OF ASSESSMENT | NUMBER OF RECOMMENDATIONS
Assessment of Context | 3
Governance | 29
- Board Oversight | 1
- Escalation | 1
- Internal Structures | 10
- Training | 13
- Senior Management | 4
Due Diligence and Risk Management | 17
- Divestment | 2
- Due Diligence | 5
- Human Rights Impact Assessments | 4
- Other Business Relationships | 2
- Suppliers | 1
- Risk management | 3
Freedom of Expression and Privacy in Practice | 8
- Policies and Procedures | 4
- Seeking Assistance | 1
- User Data Requests | 3
Transparency and Engagement | 13
- Transparency Reporting | 2
- Communication with Users | 1
- Engagement with Governments | 4
- Engagement with Rightsholders | 1
- Grievance Mechanisms | 1
- Internal Communications | 4

The following are examples of recommendations made by the independent assessors for companies to consider, based on findings from the current assessment cycle. Some recommendations are generalized.

“GNI assessments provide a unique mechanism for human rights groups to examine the policies and procedures companies have to government censorship and surveillance demands to assess whether companies are putting GNI Principles into practice and improving their performance over time.”
ARVIND GANESAN, Human Rights Watch

Assessment of Context

● Several recommendations concerned suggested changes to company practices to better prepare for and enable future assessments.

Governance

Recommendations to consider under governance, include:

● Preparing reports and/or facilitating dedicated briefing sessions for new Chief Executive Officers and/or other senior management on company efforts related to implementing the GNI Principles.
● Ensuring policies and procedures relating to the GNI Principles are applied consistently across all company products or business units, including recently acquired companies.
● Creating a centralized human rights program within the company to enhance current activity to implement the GNI Principles and ensure that structures are in place to improve implementation during periods of growth or change.
● Integrating commitments to the GNI into hiring and onboarding of staff, such as including human rights as a company value within the hiring process, for those roles that engage directly with freedom of expression and privacy rights considerations. Consider developing or enhancing onboarding programs for new employees, including those directly responsible for government requests.
● Making processes for escalation of freedom of expression and privacy issues to higher levels of the company sufficiently resilient in the face of increasing interest from employees as well as the public.
● Periodically reassessing company human rights policies and guidelines. This could include risk assessments and determinations about the most salient or material risks the company faces with regard to freedom of expression and privacy.
● Formalizing reporting processes relating to issues of freedom of expression and privacy, to avoid confusion over who reports to whom, as well as formalizing processes for monitoring and follow up. This could include systems to share information with other internal company teams who may encounter similar issues and facilitate learning within the company.

Due Diligence and Risk Management

Recommendations to consider under due diligence and risk management, include:

● Implementing a process, with dedicated resources, to perform due diligence around business relationships other than suppliers. This could include taking extra steps to address safeguards for freedom of expression and privacy with third-party relationships. Such third-party relationships range from network operator site leases, company agents, and partners to Internet developer communities.
● Enhancing efforts to mitigate freedom of expression and privacy risks from suppliers by mapping out how different functions within the company — security, supply chain, legal — engage with suppliers. This would help determine how to further strengthen oversight of supplier performance.
● Developing and implementing appropriate processes to conduct human rights due diligence and/or impact assessments when divesting.
● Integrating the results of human rights due diligence (HRDD) and HRIAs into overall company risk reporting. This could entail providing guidance on the use of company risk tools and ensuring they are being used for freedom of expression and privacy issues.

Freedom of Expression and Privacy in Practice

Recommendations to consider under freedom of expression and privacy in practice, include:

● Developing country-specific policies and procedures to assist local personnel in operationalizing company-wide policies to implement the GNI Principles, in view of the challenges that arise in implementing the Principles in different countries.
● Considering a centralized system to track implementation of policies and procedures relevant to the GNI Principles across company business units.
● Conducting periodic audits of the company law enforcement response functions to help ensure consistent application of internal policies and procedures.
● Strengthening efforts to seek assistance, as needed, of relevant government authorities, international human rights bodies or non-governmental organizations when faced with a government restriction or demand that appears overly broad, unlawful, or otherwise inconsistent with international human rights laws and standards on freedom of expression or privacy.

Transparency and Engagement

Recommendations to consider under transparency and engagement, include:

● Increasing transparency to users, when permitted by law, about government requests, including how long personal information provided by governments in the request is retained by the company.
● Promoting curiosity within the company on freedom of expression and privacy, to raise awareness and enhance consideration of these rights in the company’s activities.
● Working with multistakeholder coalitions comprising companies, civil society organizations, and others, to engage with governments to encourage legal reforms that would enable the company to disclose to its customers that they have been the subject of a government request, provided such disclosures do not interfere with an ongoing government investigation or national security interests.
● Encouraging more frequent multistakeholder gatherings and work with GNI to facilitate engagement at the local level to better understand the impact of company operations in specific geographic areas.

Recommendation to Companies During the 2015/2016 Assessment Cycle

In the 2015/16 assessments, assessors presented recommendations to the four previously assessed companies. The recommendations are for the company to consider. Below are some examples of recommendations made to one or more companies being assessed in 2015/2016 as well as some examples to illustrate how they have chosen to act upon them.

EXAMPLES OF RECOMMENDATIONS MADE TO ONE OR MORE COMPANIES IN 2015/2016

Implementation of the GNI Principles in regard to business partners and newly acquired companies.

● When integrating an acquired company into a company’s operations, ensure that terms of use, privacy policies, and other relevant policies that are communicated to users are updated and that users are clearly informed which policies are now applicable.
● When the operations of an acquired company are not integrated, the acquired company’s policies and procedures for handling government requests for user data and content restriction should be reviewed for consistency with the GNI Principles and be updated as necessary.

Implementing Human Rights Impact Assessments

● Identify ways to educate and inform employees on the varying scopes of HRIAs to avoid potential confusion for internal company processes (HRIAs conducted by companies can differ significantly in scope, focus and duration, and sometimes are not referred to by this name).
● Consider whether to formalize or further formalize HRIA processes undertaken when acquiring new companies that offer services or products that are new to the acquiring company, as well as when selecting new business partners.

Improve Communications with users

● Provide more detail to users (with more consistency across different communications channels) on how companies handle requests for their data or government requests to restrict access to content. This includes how government requests for content takedowns are responded to.
● Examine options, where relevant, for notifying users of online services when the company will provide a government with data (content or non-content) pursuant to a lawful request, unless notification is prohibited by law.
● Provide more information on laws and regulations that impact freedom of expression outside the U.S., by country.

EXAMPLES OF FOLLOW UP AND IMPROVEMENTS, NOTED BY THE ASSESSORS, BY ONE OR MORE COMPANIES THAT RECEIVED THIS RECOMMENDATION

● Aligned policies and procedures and brought acquired companies under existing human rights frameworks and teams.
● Established formal due diligence guidelines for mergers and acquisitions to establish when additional human rights due diligence is necessary to ensure consistency with the GNI Principles.
● More effective integration of findings from human rights due diligence back into business processes.
● Evolution of the use of the terms HRDD and HRIA to conform with the broader business and human rights conversation and the GNI Principles and Implementation Guidelines.
● Increased formal use of HRIAs, particularly for new technologies.
● Creation of reporting hubs and help centers that house transparency reports and other public documents about responding to government requests for user data and content removal.
● Unification of policies across different services offered by the same company.
● Improved notification to users who wish to access or have posted content restricted as a result of government requests. The notification to users when content is blocked within a particular country as a result of a government request includes a link to learn more about legal complaints. Such complaints are also shared with the Lumen project.

32 Process Review Question 6.4 asks the assessor to “Please evaluate whether and how the company has implemented the assessor and board recommendations that were made in the previous assessment process. Please explain whether the company has implemented a recommendation, is in the process of implementing it, or has decided not to implement the recommendation as suggested but has chosen to address the specific issue in another way.” Also, as previously noted, Appendix V of the Assessment Toolkit states: “Engagement with recommended steps in a prior assessment shall be considered as an important factor by the GNI board in concluding whether the Company is making good-faith efforts to implement the GNI Principles with improvement over time.”

33 The GNI Principles and Implementation Guidelines originally referred only to HRIAs. Updates to these documents published in 2017 fully aligned them with the UNGPs and referred to HRDD as well.

Recommendations to GNI to Improve the Assessment Process

GNI, like its members, is committed to improvement over time. This assessment cycle is the culmination of a process of review that began shortly after the completion of the 2015/2016 assessment cycle (see Appendix II). This section first presents assessor recommendations from the previous cycle of assessments and actions taken by GNI in response to them. It then summarizes assessor recommendations to GNI from the current cycle.

Assessor Recommendations to GNI from the 2015/2016 Assessment Cycle

RECOMMENDATION: Clarification and alignment of new Assessment Guidance and Reporting Framework to reduce inconsistencies and align the content of the main themes: Governance, Risk Management, Implementation, Follow up and Improvement, and Transparency.

STEPS TAKEN BY GNI: GNI developed and published the Assessment Toolkit in order to streamline the assessment methodology in a comprehensive one-stop document.
• Appendix I of the Assessment Toolkit offers the process review questions organized in the five main themes providing guidance on what to include in each area with reference to the applicable guidelines.
• Appendix IV of the Assessment Toolkit maps the GNI Principles to the Implementation Guidelines, providing clarification to assessors.

RECOMMENDATION: Further streamline the assessment process to make it more efficient, especially for the assessment of new and smaller-sized companies in the future and to manage the determination of a larger number of assessments.

STEPS TAKEN BY GNI:
• Timing of GNI assessment is aligned with member companies’ sustainability assessment and reporting cycle.
• Use of templates, including Appendix I and II of the Assessment Toolkit, to make reports more consistent.
• Suggested word counts to make reports manageable and comparable in the review process.
• Assessment review meetings held on a staggered basis throughout the year.

RECOMMENDATION: Improving the Case Selection Guidance provided by the GNI non-company members as part of the case selection process and further aligning this document with the assessment methodology.

STEPS TAKEN BY GNI:
• Section 3.2 of the Assessment Toolkit further refines the case selection process and criteria, including with respect to the number, types and topics of cases as well as their prioritization.
• The Case Selection Guidance document provided by the GNI non-company members includes background information, specific focus topics, and case selection criteria in line with Section 3.2 of the Assessment Toolkit.
• Cases proposed by GNI non-company members (civil society, academics, and investor representatives) are aligned with Section 3.2. of the Assessment Toolkit.

34 The Assessment Guidance and Reporting Framework were the guidance documents used in the previous assessment cycle. These have been replaced with the Assessment Toolkit.

Grievance and Remedy: Assessors suggested that GNI clarify the scope and application of the guideline on grievance mechanisms in light of the specific challenges around the provision of grievance and remedy by ICT companies in the context of government demands and requests.

for more on this topic).
Section the Learning (see scenarios andOpportunities inspecific the HRIAs use of for practices orgood expectations to of consideration inaddition the nature articulation to the such sometimes-fluid of assessments, This from includegiving additional focus. could noted that benefit adjustments could to GNI’s approach to Assessors HRIAs HRIAs: identified. andtargeted inrelation questions to the case forthe objective to specific case andrespond inclusion; state anumber of the objective that includearationalerecommended the non-companies forcase inclusion, with anexplanation as to why acase was suggested; the to see which made difficult rationale case it behind the and to severalremain sub-cases, covered within They the set wordcount. GNI’sImprovements by non-company constituencies noted that proposed the cases someof to the Case Assessors Studies: insomesections. responses of adjustments to improve the quality andsuggested other forpotential andredundancies questionnaire reviewed repetitions be review thatrecommended the process engagement They with governments. concerning acompany’s those particularly related forassessment, topics orclosely same similar wording the noted that andaddressed very Improvements contained somequestions to Assessors the Process Review: RecommendationsAssessor to GNIfrom Assessment Cycle the 2018/2019 4) Lessons & 4 Opportunities 4) Lessons and Opportunities

“The GNI multistakeholder model provides a unique platform for civil society, academia, companies, and investors to come together and weigh out their respective priorities toward a consensus. This process is full of critical learning for all stakeholders; something that the world can do with more of! Ultimately, none of the stakeholders have their agenda agreed upon completely, but there is a lot more understanding, empathy, and impact on future course of policy for all.”
USAMA KHILJI, Bolo Bhi

The assessment reports, as well as discussions between the GNI Board and each company and its assessors, illustrated important points of progress as well as new and ongoing challenges and opportunities for companies across a variety of operating environments. There is no one-size-fits-all approach to implementing the GNI Principles, and the assessments show how different types of companies adopt policies and practices appropriate to their business models and global presence. They also show that companies’ responsibilities for freedom of expression and privacy rights do not exist in a vacuum, but depend upon the actions of external actors, from the governments that determine legal frameworks and make requests and demands, to other actors in industry, as well as civil society, academia, and other experts and affected groups.

This section summarizes key lessons from across all 11 company assessments from which good practices may be developed and identified and which may benefit from a collaborative approach. GNI and its membership will consider ways to integrate these issues into its private and public learning agenda, developing tools and guidance to improve knowledge sharing and our overall framework.

Internal Challenges and Opportunities

Integrating Freedom of Expression and Privacy into Business Operations

The GNI Principles and Implementation Guidelines provide a flexible approach to integrating freedom of expression and privacy into company operations. The assessments illustrate the different approaches taken by companies, with varying advantages and constraints. For example, companies may choose to centralize GNI functions within a dedicated human rights team, which empowers highly trained internal champions within the company. This is considered good practice, and when companies take this approach, they should ensure attention is paid to integrating human rights awareness and responsibilities across the entire company’s culture. Companies may also learn from each other about how to manage geographical as well as functional teams, to ensure that frontline teams based in different parts of the world can learn from each other, with appropriate support from headquarters.

The different types of companies participating in GNI — Internet companies, telecommunications operators, and network equipment vendors — face distinct challenges which will also have an impact on how they structure their implementation of the GNI Principles. Future GNI learning activities may further consider the tradeoffs and opportunities for improvement that arise from different operating structures and consider how GNI can address freedom of expression and privacy rights across the full ICT value chain.

Escalation

Ensuring that frontline staff who receive government requests and demands are able to efficiently and effectively escalate requests to appropriate senior management is a key component of the GNI Principles. The GNI Board noted several instances of good company practice in this area across the assessments. For example, one company had a system whereby headquarters staff are on call to deal with serious requests. Another practice that can complement such procedures is the provision of granular guidance for local staff on how to implement company policies in response to local laws.

Training

A key challenge identified during these assessments is how to effectively train appropriate parts of often vast, growing, and globally distributed company workforces. The majority of assessments noted training as an area where improvements could be made to company implementation. In particular, several assessments recommended enhancements to the monitoring and evaluation of training initiatives to be able to better evaluate their efficacy. Another potential good practice is to combine top-down and bottom-up approaches to training, to generate awareness and a broader culture of human rights within a company. A possible topic for future learning within GNI is whether the development of GNI-specific training materials, or the integration of collaboratively developed material through GNI into existing trainings, could add value to existing company training programs.

HRDD and HRIA

The relationship between human rights due diligence (HRDD) and human rights impact assessments (HRIAs) is an area of focus not just within GNI but across the wider ecosystem of business and human rights. However, the way in which these two sets of complementary processes function and interact can be distinct in the context of the ICT sector. Given the dynamic nature of the ICT sector — both in terms of the underlying technologies and uses, as well as the regulatory environment — HRDD and HRIAs must be designed to account for constant change. The assessments show that companies are evolving their approaches by integrating impact assessment into wider due diligence systems, which vary from company to company, and even within companies, with regard to products, markets, and other topics and types of risks.

Several assessments noted the importance of standalone HRIAs at varying levels, from global company HRIAs to those focused on specific issues, countries, or business decisions. Relatedly, some assessments illustrated the importance of having procedures that are designed and fit-for-purpose for rapid and efficient deployment. Other areas for future learning within GNI include the identification of good practices for HRDD on research and development and product design, as well as collective work by GNI members to inform HRDD on emerging issues.

User Notification

The GNI Board noted that the practice of providing notification to users when their data is requested by governments varies depending on the legal frameworks under which companies operate.

External Challenges and Opportunities

Multistakeholder Engagement

Several cases, including the Paraguay case summarized in this report, showcase the role of companies in engaging with multistakeholder coalitions to support freedom of expression and privacy rights and to advocate jointly with governments on specific laws and regulations. Such efforts can and should vary depending on the local context, but there is an opportunity within GNI to develop good practices to improve collaboration between companies and local civil society and other key stakeholders. Possible elements of good practice could include the formation of advisory networks and developing criteria for when an issue could warrant outreach to higher level external experts (such as relevant national, regional, or global human rights institutions). In addition, considerations around how companies may engage with actors who may often have opposing viewpoints but could be aligned on a particular issue should be further explored. Looking ahead, GNI will collaborate with its membership in different parts of the globe to explore opportunities to support multistakeholder coalitions at the national or regional level.

Ongoing Challenges Around State Surveillance, Including Direct Access Regimes

Legal prohibitions on the disclosure of information related to national security requests and concerns for safety of local personnel continue to be a legitimate obstacle to companies’ ability to be transparent about these requests. The assessments, including several case studies, addressed steps companies have taken to increase transparency notwithstanding these challenges. These include enhancements to company transparency reporting, challenging gag orders in court, and advocating against laws that would make it more difficult for companies to be transparent. A particularly challenging issue is direct access regimes, where national laws require companies to facilitate unmediated technical access by authorities to company networks, so that government actors can obtain user data without having to make individualized requests to the companies. Many of these laws and their implementing regulations and/or orders are confidential, posing particular challenges with regard to transparency and user notification. In more permissive operating environments, companies and other stakeholders may have greater opportunities to advocate against such practices and provide some degree of transparency around them. In more restrictive environments, room for maneuver is limited.

Network Disruption Orders

Instances of government-ordered network disruptions increased during the assessment period. Six case studies examined specific instances of network disruptions and service restrictions covering seven countries around the world. These case studies showed that national legal frameworks and license obligations fail to provide appropriate levels of legal clarity and restrict the ability of network operators to challenge government demands for network disruptions. In many cases, the requests that operators receive provide reference to the law that the government asserts authorizes the disruption, but do not include judicial authorization, set out the government’s legal theory, or explain the rationale for the requests. Instead, the orders simply state the location and duration of the required disruption, at times also stipulating the projected penalties for non-compliance. In addition, the cases showed that credible security risks to company personnel often necessitated compliance with requests. Despite these constraints, the case studies did show that companies were able to mitigate some negative impacts of network disruptions:

Documentation and Escalation: In some cases, network disruptions were primarily conveyed via verbal requests. By engaging in dialogue with government authorities, several companies succeeded in securing written orders from these governments that are dated, signed, and state the specific legal provisions that authorize them. Company requirements that such requests be escalated to senior management at the headquarters level contributed to securing such written orders. These measures also help prevent situations where local companies accede to a disruption order without the awareness of headquarters.

Narrow Interpretation and Application: Although protection of employee safety may require compliance with overbroad disruption orders, companies may nonetheless be able to engage with authorities or identify other means of achieving a narrow interpretation of a disruption order that could minimize the negative impact. For example, an order might specify specific websites or services rather than mandating wholesale disruptions. Companies can engage with authorities to clarify the specific geographic scope of an order and implement the order as specifically as feasible to limit its geographic impact. Or technical measures might be able to exempt key infrastructure, such as hospitals, from a disruption.

Transparency: Companies may be limited in their ability to notify users about a disruption. In some cases, companies have taken advantage of the lack of any affirmative prohibition to notify users, or resisted government requests to issue public statements that provide a false reason for a government-ordered disruption, such as a technical problem.

Content Challenges

Multiple cases examined as part of this assessment cycle explored the increasingly complex issues at play in government requests for content removal. The previous assessment cycle identified “extremist” or “terrorist” content as a key challenge, and it continues to present new difficulties for companies, as law enforcement and security agencies push for faster removals. The cases show that companies have robust and mature systems to direct governments to follow their own legal procedures as well as company policies, to better enable them to scrutinize and respond appropriately to such demands.

New issues have risen to the forefront of global content concerns, including the live streaming, targeting, and amplification of “abhorrent” acts, as well as other content issues that pose challenges, from hate speech to disinformation. In addition to the increasing number of reasons why content should be removed, companies are also dealing with government requests requesting new and complicated types of removal of content. Although websites, URLs, and search results continue to be subjects of removal requests, companies are also receiving requests to block or restrict access to applications and services, particularly messaging applications. In several such cases, requests were for companies to remove these services from digital distribution services or app stores. The cases illustrate that the same policies and procedures that companies have been using to implement the GNI Principles are also applied in these instances.

5) Looking Ahead

This cycle of assessments shows the different ways that a growing number of companies from across the ICT sector are exercising their responsibility to respect the freedom of expression and privacy rights of users and customers in different jurisdictions around the world. They also show the increasingly sophisticated measures that governments are employing to assert control over online content and digital communications.

The 86 case studies reviewed by the GNI Board make clear the stark challenges for freedom of expression and privacy rights now and in the near future. Whether it is governments who are genuinely committed to human rights but facing vexing challenges around disinformation, cybercrime, hate crimes, or terrorism, or governments who are actively seeking to suppress their citizens’ rights, the operating environment for rights-respecting ICT companies is getting more complex.

No single company or constituency can turn this tide on their own. Creating an enabling environment for freedom of expression and privacy rights will require the efforts of governments, companies, and other key actors including investors, academics, and civil society organizations inside and outside GNI.

First, states committed to human rights must lead by example to craft clear laws and regulations to confront contemporary ICT sector challenges while protecting freedom of expression and privacy. Democratic, rule-of-law abiding states can demonstrate good practice both by implementing transparent, multistakeholder consultative, empirically informed processes to develop new laws and regulations, and by finding clear, creative means to address legitimate challenges with narrowly tailored, appropriate, and accountable measures. GNI urges the members of the Freedom Online Coalition to recall their commitment as part of the 2014 Tallinn Agenda for Freedom Online to “Call upon governments worldwide to promote transparency and independent, effective domestic oversight related to electronic surveillance, use of content take-down notices, limitations or restrictions on online content or user access and other similar measures, while committing ourselves to do the same.”

Second, companies across the ICT sector should embrace their responsibilities under the UN Guiding Principles on Business and Human Rights and use the GNI Principles and Implementation Guidelines to integrate freedom of expression and privacy rights into their operations. The experiences and insights presented in this report offer guidance to companies on how to apply these standards in a flexible manner across different segments of the ICT sector, from Internet platforms to telecommunications operators and equipment vendors. GNI will continue to reach out to companies across the industry and around the globe to share more about the forum it offers. Moreover, the challenges GNI seeks to address are not limited to tech and telecommunications companies, as a wider range of industries employ ICT innovations and collect personal data of interest to governments. GNI encourages companies in industries ranging from automotive to finance to explore and consider committing to implement the GNI Principles. GNI welcomes interest from these companies and should be considered a resource for those interested in developing their strategies for operating in a manner consistent with freedom of expression and privacy rights.

Third, companies and states should not address these threats and challenges on their own. In fact, when governments confront companies behind closed doors, risks to freedom of expression and privacy increase. The involvement of investors, academics, and civil society organizations brings much-needed expertise, transparency, and legitimacy to decision-making about the dilemmas in the ICT sector. This does not mean that all stakeholders need to agree about everything. GNI shows that human rights organizations and companies that take starkly different positions on various issues can nonetheless advance principles of freedom of expression and privacy. The assessments this report describes have helped contribute to the trust between participants that undergirds GNI’s wider efforts.

It is imperative that all actors work to put the users of ICT products and services, and the protection of their freedom of expression and privacy rights, at the forefront of their efforts to develop, deploy, and regulate new technologies. It is also vital that users themselves demand such protection from governments and companies. At the same time, users and those who advocate for them must continue to protect themselves from violations of their rights.

“Trust is core from the user perspective. Transparency and accountability help ensure that government access to data is more consistent with human rights principles. The GNI assessment, a multistakeholder process, provides a robust model also for companies outside the ICT sector now increasingly receiving government requests for user data.”
PATRIK HISELIUS, Telia Company

“The active participation of civil society organizations is crucial in assessing whether companies are living up to their commitment to the principles of freedom of expression and privacy online that lie at the heart of the Global Network Initiative. The process of assessing independently whether companies are making ‘good-faith efforts over time’ to implement the principles is a work in progress. We realize that it can sometimes be perceived as ‘a black box’ by external stakeholders. But GNI’s assessment process is evolving in the right direction thanks to the hard work and commitment of civil society and the companies themselves, and the trust that GNI has promoted over the last 10 years.”
ROBERT MAHONEY, Committee to Protect Journalists

Next Steps

Looking ahead, GNI will work to integrate insights from this assessment cycle into our wider efforts to protect and promote freedom of expression and privacy in the ICT sector. Assessments build trust within GNI’s membership that supports shared learning and collaborative policy engagement. After the publication of this report, the following activities will provide additional opportunities for transparency, accountability, and multistakeholder collaboration.

Company Reporting: Within six months of the publication of this report, each of the 11 companies included in this assessment cycle will communicate to the public about the outcome of their assessment.

GNI Review: Consistent with our efforts to enhance the assessment process, GNI will conduct the third review of the process. In order to strengthen our standards and practices, this review will draw from the assessor recommendations to GNI and the insights of its company and non-company members in response to the cases evaluated and the lessons learned from the process review of each company. The review will allow GNI to scale its learning and develop best practices of internal and external-facing policy advocacy and stakeholder outreach.

Shared Learning: GNI together with its membership will implement a process to integrate key insights from the assessments into its learning agenda. This will include confidential learning opportunities for members, as well as public activities including the Annual Learning Forum and the development of tools and guidance for companies on issues such as human rights due diligence.

Public Policy: Insights from assessment will inform GNI’s policy priorities and activities on surveillance, network disruptions, intermediary liability and content regulation, and jurisdictional assertions and limits.

35 Following the first assessment cycle, GNI undertook a review of the process as part of the broader 2014 Strategic Review. Later in 2016 GNI completed a similar exercise after its second assessment cycle.

Appendices

Appendix I: Acronyms and Abbreviations

AI: artificial intelligence
AOL: America Online, Inc.
APAC: Asia Pacific region
BHRP: Business and Human Rights Program
BSR: Business for Social Responsibility
CELA: Corporate and Legal Affairs
CEO: chief executive officer
CNIL: Commission nationale de l’informatique et des libertés (National Commission of Computing and Freedoms)
CDRs: Call Detail Records
DPIA: Data Protection Impact Assessment
ECJ: European Court of Justice
EK: Confederation of Finnish Industries
EMEA: Europe, Middle East and Africa region
ESG: environmental, social, and governance
ETNO: European Telecommunications Network Operators
EU: European Union
FAQ: frequently asked questions
5G: fifth generation of cellular communications
FiCom: Finnish Federation for Communications and Teleinformatics
4G: fourth generation of cellular communications
FY: fiscal year
GDPR: General Data Protection Regulation
GSMA: GSM Association or Global System for Mobile Communications Association
GNI: Global Network Initiative
GREC: Governance, Risk, Ethics, and Compliance
GRI: Global Reporting Initiative
HMD: Hello Mobile Devices
HRDD: Human Rights Due Diligence
HRIA: Human Rights Impact Assessment
IHRB: Institute for Human Rights and Business
ICCPR: International Covenant on Civil and Political Rights
ICT: Information and Communications Technology
ICESCR: International Covenant on Economic, Social and Cultural Rights
IoT: Internet of things
IP: Internet Protocol
ISIS: Islamic State of Iraq and Syria
ISP: Internet service provider
LED: Law Enforcement Disclosure
LEA-MEP: Law Enforcement Response and Major Events Policy
LGBT: lesbian, gay, bisexual, and transgender
LI: Lawful Intercept
LLP: Limited Liability Partnership
NetzDG: Netzwerkdurchsetzungsgesetz (Germany’s Network Enforcement Act)
NGO: non-governmental organization
NYSE: New York Stock Exchange
OECD: Organization for Economic Co-operation and Development
1MDB: 1Malaysia Development Berhad
Q&A: questions and answers
RDR: Ranking Digital Rights
RFP: request for proposal
SL: sociedad limitada (limited society)
SPOC: single point of contact
3GPP: 3rd Generation Partnership Project
TML: Telenor Myanmar
TP: Telenor Pakistan
UDHR: Universal Declaration of Human Rights
UN: United Nations
UNGPs: United Nations Guiding Principles on Business and Human Rights
U.S.: United States
URL: universal resource locator
VOIP: voice over Internet protocol
VR: virtual reality

Appendix II: Assessment Review Recommendations and Responses

In 2016, the GNI Board appointed independent consultant and former GNI Board member Michael Samway to conduct a comprehensive review of issues raised during the second cycle of assessments. After consulting extensively with the assessors and across our membership, Professor Samway presented recommendations designed to enhance the efficiency of the assessment process, and to ensure resources are targeted at producing the most meaningful evaluations. All but one of the recommendations were adopted by the GNI Board, who took a number of decisions to improve the process in preparation for the 2018/2019 assessment cycle. Examples of actions taken in response to these recommendations include the following:

EXAMPLES OF RECOMMENDATIONS / STEPS TAKEN BY GNI

Recommendation: Increase the pool of accredited assessors and revise the assessor training to focus on the scope and methodology of the assessment.

Steps taken by GNI: GNI extended its pool of five assessors to a total of 12 through the accreditation process, which verifies that individuals and organizations conducting assessments comply with the independence and competency criteria to carry out this work. In September 2018, GNI delivered a training to all the accredited assessors. The training included an introduction to the Assessment Toolkit, a review of the GNI Principles and Implementation Guidelines, and a discussion about how GNI’s assessment process relates to the assurance process of sustainability reporting of some companies. The assessor training also covered issues around access to information and limitations on disclosure, including attorney-client privilege.

Recommendation: Increase transparency through publishing additional documentation and information on the GNI website:
• Publish updated assessment documentation
• Publish thorough Q&A on the assessment process

Steps taken by GNI: The Company Assessments page on the GNI website has all relevant information about the current and past assessments. The Assessment Q&A offers useful explanations to key aspects of the assessment.

Recommendation: Enhance existing efforts to systematically capture and collect learning points across each assessment.

Steps taken by GNI: GNI continues to distill lessons and identify best practices and topics for its learning and policy advocacy agendas throughout the assessment process. Non-company members formed study groups for each company to identify themes to discuss during the board review meetings. A process of reporting to the board on the learning points from the assessments has been developed to build upon previous learning efforts. As part of this process, GNI will explore opportunities to use insights from assessment to inform its wider learning among members and with the public on issues such as HRDD and HRIAs.

Recommendation: Clarify the role of recommendations in the board determination of whether a company is making good-faith efforts to implement the GNI Principles with improvement over time.

Steps taken by GNI: Board recommendations are approved by the (majority vote of the) board, including company board members. Recommendations from individual board members are informal feedback, and not board recommendations. Engagement with recommended steps in a prior assessment shall be considered as an important factor by the board in concluding whether the GNI member company is making good-faith efforts to implement the GNI Principles with improvement over time. The board decided that companies must consider all assessor and board recommendations and may reject, modify or accept and begin to implement recommendations. If the company modifies or rejects a recommendation, it will provide an explanation to the GNI Board.

36 For the avoidance of doubt, GNI is mindful of the antitrust/competition laws. GNI does not dictate the business decisions that its members must take or encourage its members to reach any agreements with respect to a member’s business terms, customers, territories, or other competitively sensitive issues.