I have argued elsewhere that the GPs recognize the essentially polycentric nature of governance of enterprise governance at the national, international and transnational levels (Backer, Larry Catá, From Institutional Misalignment to Socially Sustainable Governance: The Guiding Principles for the Implementation of the United Nation’s 'Protect, Respect and Remedy' and the Construction of Inter-Systemic Global Governance, Pacific McGeorge Global Business & Development Law Journal, 2011). When the substantive provisions of the three systems are consistent, operation within each of these autonomous systems is relatively seamless. But when one of more conflict, or are in tension, then the enterprise faces difficult choices. The Guiding Principles offers some guidance to enterprises in cases where their social norm governance systems and their obligations derived from international law and norm principles may be in tension with the law (or enforcement practices) of states in which enterprises operate. GP 23. Some enterprises have begun to operationalize this most difficult of the Guiding Principles.
In many cases, the governance regimes of the state (expressed through law), international organizations (expressed through law directed at states and norms directed at individuals and organizations), and non-state actors (expressed through governance systems sometimes evidenced through contract or other binding arrangements) either are relatively coherent and may be reasonably cobbled together. In other cases, one or another of these autonomous governance frameworks serve as a baseline above which the other systems may build (for example national minimum wages do not prevent multinational corporations from insisting on the payment of higher wages down the supply chain through their own governance mechanisms). But in some cases the systems are out of alignment. In those cases, especially where national security may be involved, or where there are differences in the approach to fundamental constitutional arrangements, multinational corporations retain both their responsibility to obey local law and their responsibility to respect human rights, the later responsibility existing autonomously of local and national obligation in places where enterprises may have operations. GP 11.
Where such misalignment exists, the GPs seek to provide a mechanism for enterprises to mediate the incoherence to the extent possible. Guiding Principle 23 provides:
In all contexts, business enterprises should:
(a) Comply with all applicable laws and respect internationally recognized human rights, wherever they operate;
(b) Seek ways to honour the principles of internationally recognized human rights when faced with conflicting requirements;
(c) Treat the risk of causing or contributing to gross human rights abuses as a legal compliance issue wherever they operate.
Although particular country and local contexts may affect the human rights risks of an enterprise’s activities and business relationships, all business enterprises have the same responsibility to respect human rights wherever they operate. Where the domestic context renders it impossible to meet this responsibility fully, business enterprises are expected to respect the principles of internationally recognized human rights to the greatest extent possible in the circumstances, and to be able to demonstrate their efforts in this regard. (Guiding Principle 23 Commentary).
Some operating environments, such as conflict-affected areas, may increase the risks of enterprises being complicit in gross human rights abuses committed by other actors (security forces, for example). Business enterprises should treat this risk as a legal compliance issue, given the expanding web of potential corporate legal liability arising from extraterritorial civil claims, and from the incorporation of the provisions of the Rome Statute of the International Criminal Court in jurisdictions that provide for corporatecriminal responsibility. In addition, corporate directors, officers and employees may be subject to individual liability for acts that amount togross human rights abuses.
In complex contexts such as these, business enterprises should ensure that they do not exacerbate the situation. In assessing how best to respond, they will often be well advised to draw on not only expertise and cross-functional consultation within the enterprise, but also to consult externally with credible, independent experts, including from Governments, civil society, national human rights institutions and relevant multi-stakeholder initiatives. (Guiding Principle 23 Commentary).
Beyond the balancing, in these cases enterprises face a human rights related risk. The first is direct--the consequences of compliance with national requirements that may produce detrimental human rights effects. The second is indirect, and focuses on the risk to the enterprise's employees, operations, and customers, where the enterprise seeks to change or interpret its way around human rights detrimental domestic legal regimens in ways that may produce conflict with national authorities.
These are the issues that faced Vodafone in recent yesrs. Vodafone published tits Law Enforcement Disclosure Report to explain "the nature and extent of government powers to order our assistance, together with information about agency and authority demands in countries where statistical data can lawfully be disclosed." The Report suggests both the complexities and costs to enterprises of human rights polycentricity where issues of national security are involved. This complexity is deepened where the operationalization of human rights (in this case of privacy) are also fluid and impact areas of civil and political rights, the basis of which are still subject to great controversy among states.
But the Report also suggests the importance of disclosure as a means of engaging with states where the rules of domestic legal orders are inconsistent with or threaten internationally recognized norms of human rights behaviors and behavioral expectations of states. Iit is sometimes difficult for enterprises to undertake direct negotiation with states over contentious local rules, and where it might not be possible to invoke the local judicial system to attain a sounder interpretation of an ambiguous local law with potentially human rights detrimental impacts. However, it is sometimes possible to use disclosure as a means of provoking global discussion of issues and to induce states to reconsider the value of their internal positions, just as the process works for disciplining corporate behaviors (Larry Catá Backer, From Moral Obligation to International Law: Disclosure Systems, Markets and the Regulation of Multinational Corporations, 39 Georgetown Journal of International Law 591-653 (2008)). This can be done in a way that furthers the intent and gives effect to GP 23 without violating local law.
These insights are well in evidence with the Vodafone disclosure decision. "By publishing its report, and highlighting its efforts to seek explanations form governments, Vodafone is entering the international debate about balancing the rights of privacy against security. Rather than being stuck with responsibility and backlash when citizens realize their data has been scooped up without their permission, Vodafone is pushing for a debate." (Peter Svensson, Vodafone Report Sparks Surveillance Debate, AP June 9, 2014). Indeed some analysts are already using the language of the GP to structure the terms of the debate: "Cynthia Wong, a senior researcher at Human Rights Watch, said Vodafone experienced "a hard lesson" in Egypt. "Even if the government is the ultimate problem, they realized they needed to take steps to mitigate harm to their users," she said." (Id).
Agency and authority powers: The legal contextVodafone is headquartered in the UK; however, in legal terms, our business consists largely of separate subsidiary companies, each of which operates under the terms of a licence or authorisation issued by the government of the country in which that subsidiary is located. Whilst there are some laws which apply across some or all of our businesses (for example, our European operating companies are subject to EU law as well as local laws, and laws such as the UK Bribery Act apply to all our operations), it is important to note that each subsidiary is established in, and operated from, the local market it serves and is subject to the same domestic laws as any other local operator in that country.All countries have a wide range of domestic laws which govern how electronic communications networks must operate and which determine the extent to which law enforcement agencies and government authorities can intrude into or curtail privacy or freedom of expressionIn some countries those powers are contained within specialist statutes. In others, they may be set out in the terms of a communications company’s operating licence. They may also be distributed across a wide range of legislative orders, directives and other measures governing how agencies and authorities carry out their functions.However enacted, these powers are often complex, opaque and convoluted. A comprehensive catalogue of all applicable laws across all of our countries of operation would be so vast as to be inaccessible to all but the most determined of legal academics: for that reason, in our country-by-country law enforcement disclosure section we have focused on the most salient legislation only. Even with a focus on the most relevant legislative elements alone, the laws can be difficult for anyone other than a specialist lawyer to understand – and sometimes even the specialists can struggle. A summary of the relevant legislation, country by country, can be found in the Annexe (pdf, 1.76 MB).Despite this complexity, there are a number of areas which are common to many of the legislative frameworks in our countries of operation, the most significant of which we summarise below.
Provision of lawful interception assistanceIn most countries, governments have powers to order communications operators to allow the interception of customers’ communications. This is known as ‘lawful interception’ and was previously known as ‘wiretapping’ from a past era when agents would connect their recording equipment to a suspect’s telephone line. Lawful interception requires operators to implement capabilities in their networks to ensure they can deliver, in real time, the actual content of the communications (for example, what is being said in a phone call, or the text and attachments within an email) plus any associated data to the monitoring centre operated by an agency or authority.Lawful interception is one of the most intrusive forms of law enforcement assistance, and in a number of countries agencies and authorities must obtain a specific lawful interception warrant in order to demand assistance from an operator. In some countries and under specific circumstances, agencies and authorities may also invoke broader powers when seeking to intercept communications received from or sent to a destination outside the country in question. A number of governments have legal powers to order an operator to enable lawful interception of communications that leave or enter a country without targeting a specific individual or set of premises.
Technical implementation of lawful interception capabilitiesIn many countries, it is a condition of an operator’s licence that they implement a number of technical and operational measures to enable lawful interception access to their network and services quickly and effectively on receipt of a lawful demand from an agency or authority with the appropriate legal mandate.Wherever legally permitted to do so, we follow the lawful interception technical standards set down by the European Telecommunications Standards Institute (ETSI), which define the separation required between the agency or authority monitoring centre and the operator’s network. The ETSI standards are globally applicable across fixed-line, mobile, broadcast and internet technologies, and include a formal handover interface to ensure that agencies and authorities do not have direct or uncontrolled access to the operators’ networks as a whole. We continuously encourage agencies and authorities in our countries of operation to allow operators to conform to ETSI technical standards when mandating the implementation of lawful interception functionality within operators’ networks.In most countries, Vodafone maintains full operational control over the technical infrastructure used to enable lawful interception upon receipt of an agency or authority demand. However, in a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator. In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link. We describe above our views on those arrangements and explain the restrictions imposed on internal discussion of the technical and operational requirements here.Vodafone’s networks are designed and configured to ensure that agencies and authorities can only access customer communications within the boundaries of the country in question. They cannot access customer communications on other Vodafone networks in other countries.
Disclosure of communications-related data (‘metadata’)Whenever a device accesses a communications network, small packets of data related to that device’s activities are logged on the systems of the operator responsible for the network. This ‘metadata’ is necessary for the network to function effectively; for example, in order to route a call to a mobile phone, the network needs to know the mobile network cell site that the device is connected to. Operators also need to store metadata – such as information about call duration, location and destination – to ensure customers are billed correctly. This metadata can be thought of as the address on the outside of an envelope; the communications content (which can be accessed via a lawful interception demand, as explained above) can be thought of as the letter inside the envelope.It is possible to learn a great deal about an individual’s movements, interests and relationships from an analysis of metadata and other data associated with their use of a communications network, which we refer to in this report generally as ‘communications data’ – and without ever accessing the actual content of any communications. In many countries, agencies and authorities therefore have legal powers to order operators to disclose large volumes of this kind of communications data.Lawful demands for access to communications data can take many forms. For example, police investigating a murder could require the disclosure of all subscriber details for mobile phone numbers logged as having connected to a particular mobile network cell site over a particular time period, or an intelligence agency could demand details of all users visiting a particular website. Similarly, police dealing with a life-at-risk scenario, such as rescue missions or attempts to prevent suicide, require the ability to demand access to this real-time location information.In a small number of countries, agencies and authorities have direct access to communications data stored within an operator’s network. In those countries, Vodafone will not receive any form of demand for communications data access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.
Retention of communications dataCommunications operators need to retain certain communications data for operational reasons, as described above. Subject to any applicable privacy or data protection laws, operators may also use communications data for marketing and other business purposes, for example, to promote certain products or services likely to appeal to a particular customer based on their previous activity. Vodafone has developed strict rules governing the use of communications data for marketing purposes which we explain in detail in the Privacy and security section of our sustainability report.In some countries, operators are required by law to retain communications data for a specific period of time solely in order to fulfil the lawful demands of agencies and authorities who require access to this data for investigation purposes. For example, since 2006, EU legislation (the Data Retention Directive 2006/24/EC) has required Member States to implement laws that mandate the retention of certain communications data. However, a recent European Court of Justice ruling has found that the Data Retention Directive is incompatible with the Charter of Fundamental Rights of the European Union. The full implications of this ruling for Member States with data retention laws derived from the Directive are still being considered by governments at the time of the publication of this report.In addition, in many countries mobile operators are obliged to collect information to verify customers’ identities. This is primarily to counter the use of anonymous pre-paid mobile phone services where no identity information is otherwise needed to bill for the service.
Decryption of protected dataElectronic communications may be encrypted in some form. This can prevent agencies and authorities from reading the data disclosed to them under applicable legal powers. Encryption can be applied by the operator of the communications network, or it can be applied by the many devices, services and applications used by customers to encrypt data that is transmitted and stored. Several countries empower agencies and authorities to require the disclosure of the encryption ‘keys’ needed to decrypt data. Non-compliance is a criminal offence. It is important to note that an operator typically does not hold the key for data that has been encrypted by devices, services and applications which the operator does not control: furthermore there is no legal basis under which the operator could seek to gain access to those keys.
Search and seizure powersIn most countries, the courts have the power to issue a variety of search and seizure orders in the context of legal proceedings or investigations. Those orders can extend to various forms of customer data, including a company’s business records. The relevant legal powers may be available to members of the public in the course of civil or criminal legal proceedings as well as to a wide range of agencies and authorities.
National security ordersThe protection of national security is a priority for all governments. This is reflected in legislative frameworks which grant additional powers to agencies and authorities engaged in national security matters which typically exceed those powers available for domestic law enforcement activities.For example, in many countries, domestic law enforcement legislation seeks to achieve some form of balance between the individual’s right to privacy and society’s need to prevent and investigate crime. Those considerations have much less weight in the context of threats to the state as a whole, particularly when those threats are linked to foreign nationals in foreign jurisdictions.
Powers to block or restrict access to communicationsIP/URL content blocking and filteringSome forms of internet content may infringe a country’s laws or social norms. Consequently, many countries have laws which enable agencies and authorities to mandate a block on access to content on certain sites (identified by their IP address ranges or URLs), typically by ordering communications providers to apply a filter on their networks. Child abuse content is widely blocked – including on a voluntary basis under the system administered by the Internet Watch Foundation – but other content may be filtered according to a ‘block list’ maintained by the relevant agencies or authorities.Take-down of particular servicesMany countries empower agencies and authorities to order the take-down of specific electronic communications services for reasons such as a government’s desire to restrict access to information it considers harmful to social order. Messaging services and social networks are familiar targets for these take-down actions, although short of a complete network shutdown (addressed below) these measures rarely prove effective over the long-term given the ease with which internet traffic can be re-routed dynamically.A number of countries also retain legal powers requiring mobile operators to prioritise communications from designated SIMs in mobile phones used by the emergency services at the scene of a major incident where networks can become congested. Whilst such powers are relatively commonplace, in reality they are rarely used and are only effective if the emergency services have supplied operators with an up-to-date list of the SIMs to be prioritised.
Emergency or crisis powersMany countries have special legal powers that can be invoked at a time of national crisis or emergency, such as a major natural disaster or outbreak of violent civil unrest. The use of those powers typically requires formal approval from the country’s parliament (or legislative equivalent). Once invoked, agencies and authorities are empowered to take direct control of a wide range of activities in order to respond to the crisis or emergency.Whilst emergency or crisis powers are intended to be used for a limited period of time, their effects can be significant. These laws can be used to restrict or block all forms of electronic communication, either in a specific location or across the country as a whole. In January 2011, the Egyptian government ordered all operators – including Vodafone – to shut down their networks entirely. An overview of these events and Vodafone’s response can be found here.Further details about the legal powers available to agencies and authorities in each of our countries of operation are set out in our country-by-country law enforcement disclosure section, together with statistical information about the number of demands received.