Human Rights Due Diligences and Impact Assessment for Tech Companies

The third article in our series on technology businesses and human rights explains human rights due diligences and impact assessments. Other articles can be read here and here.

As technology leaves its indelible marks on human lives, it impacts human rights as well. Therefore, it is not surprising that tech companies are realising the meaning of the popular phrase, “with great power comes great responsibility”. 

On the one hand, tech companies can play a crucial role in protecting human rights. For instance, identifying the need to protect human rights, Vodafone’s Human Rights Policy Statement adopts a “Human Rights by Design” approach to minimise risks to human rights from their products, traditional telecommunication services and emerging technologies like Artificial Intelligence (AI) and Internet of Things (IoT).[1] But on the other hand, technology can also pose risks to human rights. Facebook’s Human Rights Impact Assessment (HRIA) report of Sri Lanka notes rampant incidents of gender-based hate speech, cyber-bullying, and fake news on the platform. The HRIA investigation revealed that the incidents may have been fostered by Facebook’s former algorithms that were designed to drive engagement, without analysing veracity or intention.[2] In this way, human rights violations can pose business, financial, legal and reputational risks for tech companies.

Respecting human rights is an essential component of the OECD’s Responsible Business Conduct that enables building a healthy business environment.[3] The United Nations Guiding Principles on Business and Human Rights (UNGPs) are a good starting point for tech companies to assess and mitigate their human rights impact.[4] The UN Global Compact is another set of principles that call upon businesses to respect human rights.[5] A crucial component of realising respect for human rights requires conducting due diligence by companies and is recommended by both the UNGPs[6] and the UN Global Compact.[7]

Source: OECD Due Diligence Guidance for Responsible Business Conduct, 2018

What is Human Rights Due Diligence?

In general business parlance, a due diligence exercise is conducted by a company to assess the risks and liabilities of a project, transaction, or a general ongoing process. For instance, prior to a merger, a company will assess risks that may exist or prospectively arise upon the merger with the intent of identifying business risks as a preventive exercise. With a slight difference, Human Rights Due Diligences (HRDD) focuses on risks to people. The Danish Institute for Human Rights, Denmark’s human rights institution,[8] equates risk to human rights arising from business conduct as a risk to business.[9] Mitigation of a technology company’s adverse impact on human rights mitigates risks to its business.

UNGPs encourage businesses to identify, prevent, mitigate and communicate how they address human rights impacts. HRDDs identify and assess the impact of the company’s own activities or its business relationships on human rights.

Over the last decade, many tech companies have undertaken HRDDs to assess human rights impact and integrate human rights into their policies. Vodafone instituted human rights-oriented policies and conducted HRIAs as part of its due diligence.[10] A survey by S&P Global, a financial and business analytics company, found a steady rise in Information Technology (IT) companies undertaking HRDDs. From 54% IT companies in 2017, the survey reports 79% IT companies had HRDDs in place in 2020.[11]

By integrating HRDD into company policies, tech companies can go a long way in working towards having dynamic human rights frameworks.

What is an HRIA?

An HRIA is an evidence-based process that analyses how businesses affect the local community, workers and consumers. It can bring to light less obvious situations of human rights impact that a company may have had.[12] A prime example of this is Facebook’s recent HRIAs in Indonesia, Sri Lanka, Cambodia and Myanmar undertaken to better understand the platform’s influence and role in these societies.[13] The studies aimed to identify whether the company incentivized or facilitated any harm and failed to conduct human rights due diligence.[14] Similarly, Vodafone’s HRIA identified areas of human rights “hot spots” that the company should be vigilant about.[15] These “hot-spots” marked the risks and opportunities in various areas of human rights- such as labour rights, civil and political rights, cultural rights etc- that are relevant to Vodafone’s business.[16]

HRIAs help businesses review their approach to human rights and refresh corporate governance systems.[17] For instance, following the Sri Lankan HRIA, Facebook implemented a slew of measures, such as appointing a policy manager in Sri Lanka, to improve its corporate accountability on human rights.[18] Vodafone’s HRIA prompted it to strengthen its HRDDs for entering new markets, whether by itself or through business partners.[19]

Isn’t an HRIA the same as an HRDD, you may ask. Notably, an HRIA is a subset of an HRDD. Only upon conducting an HRDD can a company identify the situations that warrant undertaking an HRIA. While an HRIA will touch upon all steps of an HRDD process, it remains a separate activity- from an HRDD- with a clearly defined scope. An HRDD is an ongoing activity that concerns all levels of business operations in a company.[20] A company can also choose to further investigate a specific issue as part of its due diligence. In 2018, following up on its 2016’s HRIA results, Intel conducted an AI and Autonomous Driving HRIA to assess product misuse, algorithmic bias, health and safety, among other things.[21]

Conducting Human Rights Impact Assessments

Changing circumstances in the lifecycle of a product, such as a new market, new features of a product, or new legal or regulatory compliances may require a fresh HRIA exercise. International human rights principles, embodied in the Universal Declaration of Human Rights or the International Covenant on Civil and Political Rights, guide HRIAs and HRDDs. The following ideas may help a tech company formulate its HRIA exercise.

1. When should one conduct an HRIA?

Ideally, an HRIA should be conducted early in the project cycle or development phase of a product or service.[22] However, changing socio-political scenarios, new laws or new features of a product may also require conducting an HRIA. Realising that prevailing policies may not be able to comprehensively assess the impact of innovations like 5G, Ericsson undertook an HRIA before their 5G rollout to identify risks of misuse and infringements on human rights and mitigate them.[23]Ericsson also shared that as an industry leader, one objective of the HRIA was to set global best practices in telecom industry through knowledge sharing.[24] Moreover, companies should conduct their HRIAs in the context of a country’s laws and policies for a more wholistic insight on their human rights impact. For instance, when China imposed a National Security Law that required companies to comply with data requests from the police in Hong Kong, Facebook, Google and Twitter suspended compliance temporarily to assess the human rights impact of compliance.[25]

To help identify relevant digital projects and situations for HRIAs, a company can develop an internal guidebook of circumstances. For instance, the introduction of a product that requires data collection in a country having limited or no data protection legislation, may require an HRIA.

2. What is the scale of conducting an HRIA?

 The Business for Social Responsibility, a network of organisations for sustainable businesses, recommends conducting assessments at company, country, site and product levels.[26] For instance, Ericsson conducted its HRIA with a broad scope examining the various echelons of the telecommunications ecosystem and relevant stakeholders at every level including the end user.[27] HRIA’s can also be topic specific. For instance, Vodafone conducted an HRIA to understand the impact on child rights, specifically child sexual abuse.[28]

Alternatively, companies can bring human rights risk under the umbrella of risk management systems. France based telecommunications company Orange S.A has included risk of breaching human rights and fundamental freedom under its risk management and internal control system.[29]

3. When is HRIA a priority?

A tech company can have a wide-ranging impact on human rights. Given the large scale of impact, a company can decide to focus on a particular impact or set of impacts. This can be decided based on severity and likelihood of impact.[30]For example, Facebook decided to focus its HRIA on a few “at risk” countries, given the situation in these countries.

4. How to make HRIAs a dynamic and responsive process

Reassessment of HRIAs is a critical component of ongoing HRDDs. Article One, a strategy and management consultancy, in its HRIA of Intel, emphasises the need for flexibility to assess other salient risks that are discovered during the assessment.[31] Thus, HRIAs must have feedback loops to ensure regular reassessment of methodologies.[32] This promotes progressive improvement in company systems and processes.

5. What happens after an HRIA?

An HRIA is not an isolated event. It must translate into systemic changes in the company’s human rights policies through the implementation of the HRIA’s recommendations. Facebook HRIA reports in the Indonesia[33] and Sri Lanka[34] found and called out the rampant dissemination of misinformation, fake news and hate-speech on the platform. In response to this, Facebook adopted a policy to remove verified misinformation that carries the risk of imminent physical harm, including unverifiable rumours.[35] It also updated its policies to protect vulnerable groups such as women and LGBTQ+ individuals from doxing.[36]

An HRIA can also improve functioning for a firm’s own employees and value chains. When Deutsche Telecom conducted their HRIA in India, they identified concerns related to working conditions, discriminatory wage practices, and data leaks in the local supply chain. After the assessment, they formulated an action plan that specifically improved time management, and cooperation between central offices and local supply chains.[37] 

Understanding human rights implications of technology helps reimagine technology and foster innovation to, in turn, serve human rights. For instance, Facebook developed machine learning capabilities in the Sinhala and Bahasa languages, and engaged technology to detect hate speech, after its HRIA.[38]

The primary goal of UNGPs is to embed human rights into the body and soul of a company. To avoid making HRIA a box-ticking exercise, the Danish Institute of Human Rights recommends close engagement with key stakeholders.[39] Intel engaged a third party to conduct an HRIA that confirmed its most salient human rights impact and the risks of emerging technologies like autonomous driving and drones. To address these risks, Intel formed an internal AI Ethics and Human Rights team and collaborated with other tech companies to improve their operations.[40] [41]

Stakeholder engagement extends to remedying human rights implications. The UNGPs envisage access to remedies as an important limb of respecting human rights. Constructing grievance redressal mechanisms will not only provide remedies to aggrieved parties but also keep the doors open for critical feedback and learnings for tech companies. Additionally, the State can also institute access to remedy structures. The Zero Draft of India’s National Action Plan, formulated to bring UNGPs into effect, also addresses access to remedy structures. In the next piece we shall examine the different types of grievance redressal mechanisms, both State and non-State based, available to those impacted by human rights at the intersection of tech businesses.

This piece has been authored by Megha Katheria, Consultant, Ikigai Law with inputs and editorial assistance from Rutuja Pol, Senior Associate, and Nehaa Chaudhari, Partner.

Image credits: Shutterstock


[1] “Vodafone Group Human Rights Policy Statement.” Accessed September 30, 2021. https://www.vodafone.com/content/dam/vodcom/sustainability/pdfs/vodafone-group-human-rights-policy-statement-december-2019.pdf.

[2] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Sri Lanka” (2018) https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97cbe9f56f9201f233649/1589214398996/Sri+Lanka+HRIA_+Executive+Summary_FINAL.pdf

[3] OECD, “Due Diligence Guidance for Responsible Business Conduct” (2018)  http://mneguidelines.oecd.org/OECD-Due-Diligence-Guidance-for-Responsible-Business-Conduct.pdf

[4] United National Guiding Principles on Business and Human Rights  https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf  

[5] UN Global Compact, “Principle One: Human Rights”  https://www.unglobalcompact.org/what-is-gc/mission/principles/principle-1

[6] Principle 17, United National Guiding Principles on Business and Human Rights  https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf 

[7] UN Global Compact, “Principle One: Human Rights”  https://www.unglobalcompact.org/what-is-gc/mission/principles/principle-1>

[8] The Danish Institute for Human Rights, “About Us” < https://www.humanrights.dk/about-us>

[9] The Danish Institute for Human Rights, “Guidance on Human Rights Impact Assessment of Digital Activities: Introduction” (2020, p.18) https://www.humanrights.dk/sites/humanrights.dk/files/media/document/A%20HRIA%20of%20Digital%20Activities%20-%20Introduction_ENG_accessible.pdf

[10] Vodafone, “Assessing our Impact”  https://www.vodafone.com/sustainable-business/operating-responsibly/human-rights/managing-human-rights#Assessing-our-impact

[11] Rodriguez &Wild, “Business and Human Rights: Towards a Decade of Global Implementation”, (S&P Global, 2021)  https://www.spglobal.com/esg/csa/insights/sp-global-february-2021-submission-ungps10-.pdf

[12] B-Tech, “The UN Guiding Principles in the Age of Technology” (Foundational Paper, September 2020) https://www.ohchr.org/Documents/Issues/Business/B-Tech/introduction-ungp-age-technology.pdf

[13] Sissons and Warofka, “An Update on Facebook’s Human Rights Work in Asia and Around the World” (12 May 2020) < https://about.fb.com/news/2020/05/human-rights-work-in-asia/>

[14] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Sri Lanka” (2018) < https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97cbe9f56f9201f233649/1589214398996/Sri+Lanka+HRIA_+Executive+Summary_FINAL.pdf>

[15] BSR, “Vodafone: Respecting Human Rights in the Digital World” (July 2013) < https://www.bsr.org/en/our-insights/case-study-view/vodafone-respecting-human-rights-in-the-digital-world>

[16]  BSR, “Vodafone: Respecting Human Rights in the Digital World” (July 2013) < https://www.bsr.org/en/our-insights/case-study-view/vodafone-respecting-human-rights-in-the-digital-world>

[17] The Danish Institute for Human Rights, “Human rights Impact Assessment and Legal Advisory: Frequently Asked Questions”, (2017, p 16) https://www.humanrights.dk/sites/humanrights.dk/files/media/migrated/dihr_dla_piper_note_2017.pdf  

[18] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Sri Lanka” (2018) < https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97cbe9f56f9201f233649/1589214398996/Sri+Lanka+HRIA_+Executive+Summary_FINAL.pdf>

[19] BSR, “Vodafone: Respecting Human Rights in the Digital World” (July 2013) < https://www.bsr.org/en/our-insights/case-study-view/vodafone-respecting-human-rights-in-the-digital-world>

[20] The Danish Institute for Human Rights, “Guidance on Human Rights Impact Assessment of Digital Activities: Introduction” (2020, p.18) https://www.humanrights.dk/sites/humanrights.dk/files/media/document/A%20HRIA%20of%20Digital%20Activities%20-%20Introduction_ENG_accessible.pdf

[21] Article One, “Challenge: Intel is committed to maintaining and improving systems and processes to avoid complicity in human rights violations related to its own operations, supply chain, and products. In 2016, intel decided to undertake a Human Rights Impact Assessment (HRIA) to refresh its risk profile, identify potential gaps and strengthen its strategy” (2016) < https://www.articleoneadvisors.com/intel-hria>

[22] The Danish Institute for Human Rights, “Guidance on Human Rights Impact Assessment of Digital Activities: Introduction” (2020, p.21) https://www.humanrights.dk/sites/humanrights.dk/files/media/document/A%20HRIA%20of%20Digital%20Activities%20-%20Introduction_ENG_accessible.pdf

[23] “5G User Perspective and IMPLEMENTATION – WS 15 2021.” 5G User perspective and implementation – WS 15 2021 – EuroDIG Wiki. https://eurodigwiki.org/wiki/5G_User_perspective_and_implementation_%E2%80%93_WS_15_2021.

[24] “5G User Perspective and IMPLEMENTATION – WS 15 2021.” 5G User perspective and implementation – WS 15 2021 – EuroDIG Wiki. https://eurodigwiki.org/wiki/5G_User_perspective_and_implementation_%E2%80%93_WS_15_2021.

[25] Tue, Christopher Baugh –, and Christopher Baugh. “Apple ‘Assessing’ Human RIGHTS Impact of Hong Kong Security Law Imposed by Beijing.” iPhone in Canada Blog, July 7, 2020. https://www.iphoneincanada.ca/news/apple-hong-kong-law/.

[26] BSR, “Conducting an Effective Human Rights Impact Assessment”, (March 2013, p 18) https://www.bsr.org/reports/BSR_Human_Rights_Impact_Assessments.pdf

[27] 5G User Perspective and IMPLEMENTATION – WS 15 2021.” 5G User perspective and implementation – WS 15 2021 – EuroDIG Wiki. https://eurodigwiki.org/wiki/5G_User_perspective_and_implementation_%E2%80%93_WS_15_2021.

[28] Vodafone, “Assessing our Impact” < https://www.vodafone.com/sustainable-business/operating-responsibly/human-rights/managing-human-rights#Assessing-our-impact

[29] Global Network Initiative, “The GNI Principles at Work” (2018/2019, p 71) < https://globalnetworkinitiative.org/wp-content/uploads/2020/04/2018-2019-PAR.pdf

[30] The Danish Institute for Human Rights, “Human rights Impact Assessment and Legal Advisory: Frequently Asked Questions”, (2017, p 28) https://www.humanrights.dk/sites/humanrights.dk/files/media/migrated/dihr_dla_piper_note_2017.pdf   

[31] Article One, “Challenge: Intel is committed to maintaining and improving systems and processes to avoid complicity in human rights violations related to its own operations, supply chain, and products. In 2016, intel decided to undertake a Human Rights Impact Assessment (HRIA) to refresh its risk profile, identify potential gaps and strengthen its strategy” (2016) < https://www.articleoneadvisors.com/intel-hria

[32] Article One, “Challenge: Intel is committed to maintaining and improving systems and processes to avoid complicity in human rights violations related to its own operations, supply chain, and products. In 2016, intel decided to undertake a Human Rights Impact Assessment (HRIA) to refresh its risk profile, identify potential gaps and strengthen its strategy” (2016) < https://www.articleoneadvisors.com/intel-hria

[33] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Indonesia” (2018) < https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97ca9b2acbe6aa40cbf62/1589214377636/Indonesia+HRIA_+Executive+Summary_FINAL.pdf

[34] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Sri Lanka” (2018) < https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97cbe9f56f9201f233649/1589214398996/Sri+Lanka+HRIA_+Executive+Summary_FINAL.pdf

[35] Sissons and Warofka, “An Update on Facebook’s Human Rights Work in Asia and Around the World” (12 May 2020) < https://about.fb.com/news/2020/05/human-rights-work-in-asia.

[36] Sissons and Warofka, “An Update on Facebook’s Human Rights Work in Asia and Around the World” (12 May 2020) < https://about.fb.com/news/2020/05/human-rights-work-in-asia

[37] AG, Deutsche Telekom. “Human Rights Risk Analysis Conducted at t-Systems in India.” Deutsche Telekom, May 29, 2020. https://www.telekom.com/en/corporate-responsibility/assume-responsibility/assume-responsibility/human-rights-risk-analysis-conducted-at-t-systems-in-india-600944.

[38] Sissons and Warofka, “An Update on Facebook’s Human Rights Work in Asia and Around the World” (12 May 2020)  https://about.fb.com/news/2020/05/human-rights-work-in-asia/

[39] The Danish Institute for Human Rights, “Guidance on Human Rights Impact Assessment of Digital Activities: Introduction” (2020, p.19)  https://www.humanrights.dk/sites/humanrights.dk/files/media/document/A%20HRIA%20of%20Digital%20Activities%20-%20Introduction_ENG_accessible.pdf

[40] “Intel HRIA.” Article One. https://www.articleoneadvisors.com/intel-hria

[41] Article One, “Assessing the Human Rights Impact of Facebook’s Platform in Sri Lanka” (2018) https://static1.squarespace.com/static/53bdabe6e4b0b43ac59a9b44/t/5eb97cbe9f56f9201f233649/1589214398996/Sri+Lanka+HRIA_+Executive+Summary_FINAL.pdf

Challenge
the status quo

Bringing what's next...