Governance, Oversight and Leadership
2.1 The Board of Directors of a participating company is responsible for the strategic oversight of the company’s human rights practices, including with respect to all company activities and operations affecting freedom of expression and privacy.
Application Guidance: A standing committee of the Board or subset of the entire Board may help the full Board of Directors in fulfilling its board responsibilities of strategic oversight. Where companies are subject to a two-tier board structure, the definition of the Board of Directors includes the “Executive Board”, sometimes also called “Management Board”.
2.2 The Board will receive and evaluate regular human rights reporting from management including on how the commitments laid out in the Principles are being implemented.
Application Guidance: The Board may assign responsibility for addressing freedom of expression and privacy risks to senior-level management with appropriate functions within the company.
2.3 The Board or Senior Management will:
a. Review freedom of expression and privacy risks related to the company’s operations in a manner consistent with the company’s overall approach to risk management.
Application Guidance: Freedom of expression and privacy risks refer to risks to individuals, including in unparticularized groups or communities, throughout this document.
b. Carry out the company’s implementation of the Principles in a manner consistent with the safety and liberty of company personnel, including both employees and other persons working for a participating company.
c. Participate in appropriate freedom of expression and privacy risk training.
Application Guidance: To ensure that training is meaningful and relevant, participating companies should take into account the role and responsibilities of the Board member and / or senior management recipients when designing and implementing the training.
d. Establish clear instructions for when and how issues or problems affecting freedom of expression and privacy must be escalated to higher levels of the company.
Risk Management, Human Rights Impact Assessments and other Human Rights Due Diligence processes related to Freedom of Expression and Privacy
2.4 Consistent with the UN Guiding Principles on Business and Human Rights, and considering international human rights standards, participating companies will carry out human rights due diligence to identify, prevent, evaluate, mitigate and account for risks to the freedom of expression and privacy rights that are implicated by the company’s products, services, activities and operations. The process includes assessing actual and potential human rights impacts on individuals, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed as set forth in this section 2 of the Implementation Guidelines. In assessing actual and potential human rights impacts, companies should draw on a range of sources, including voices from inside relevant countries, human rights groups, government bodies, and international organizations. Companies should also evaluate whether relevant local laws and practices are consistent with rule of law requirements and international and regional human rights norms.
2.5 Human rights impact assessments and other due diligence processes should be ongoing, recognizing that the nature of the issues concerning freedom of expression and privacy may change over time as the company’s operations and operating context evolve and as the human rights landscape changes in any particular jurisdiction.
2.6 If human rights due diligence as described in Section 2.4 above identifies circumstances when freedom of expression and privacy may be jeopardized or advanced, participating companies will employ human rights impact assessments and develop effective risk mitigation strategies as appropriate. The following are situations where human rights due diligence has revealed the need for human rights impact assessments:
a. Reviewing and revising internal procedures for responding to government demands for user data or content restrictions in existing markets.
b. Entering new markets, particularly those where freedom of expression and privacy are not well protected.
c. Leaving markets, particularly those where freedom of expression and privacy are not well protected.
d. Reviewing the policies, procedures, and activities of potential partners, investments, suppliers and other relevant related parties for protecting freedom of expression and privacy as part of its corporate due diligence process.
e. Designing and introducing new technologies, products and services, and their use.
f. Acquiring other companies or forming operational partnerships (e.g., joint ventures).
2.7 The human rights impact assessments should be initiated early enough to inform the development of a new activity or relationship. They will be undertaken to different levels of detail and scope depending on the purpose of the impact assessment. However, participating companies should:
a. Prioritize the use of human rights impact assessments for markets, business partners and other relationships, technologies (products / services) where the risk of adverse human rights impacts to freedom of expression and privacy is most salient or where the potential to advance human rights is at its greatest.
b. Draw upon inputs from a variety of sources, including, for example, voices from inside the geography in question, human rights groups, government bodies, international organizations and materials developed as part of this multi-stakeholder process.
c. Review the human rights risks and effects of not having operational control before entering or exiting joint ventures.
d. Include a review of relevant domestic laws, legal systems, and practices in each market and evaluate their conformity to rule of law requirements and international and regional human rights norms, especially articles 19 and 12 of the Universal Declaration of Human Rights and articles 19 and 17 of the International Covenant on Civil and Political Rights.
Application Guidance: Regional human rights norms refer to the norms included in the African Charter on Human and Peoples’ Rights, the American Convention on Human Rights, and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Since there may be inconsistencies and gaps between the protections afforded by various human rights instruments, the individual should be entitled to the most protective provisions of applicable law.
e. Utilize learning from real-life cases and precedents.
f. Update human rights impact assessments over time, such as when there are material changes to laws, regulations, markets, products, technologies, or services.
g. Take appropriate action to avoid, mitigate or in other ways address potential negative human rights impacts on an ongoing basis. For example, in order to prevent and mitigate adverse human rights impacts, participating companies will incorporate the findings from human rights impact assessments into other company processes and practices for risk review and risk management, including those carried out in connection with a merger or acquisition.
h. Develop internal processes and mechanisms for using the results of impact assessments to inform company policy and practice.
i. Demonstrate to external stakeholders consulted in the course of risk assessments that the findings are considered by senior management.
Partners, Suppliers and Distributors
2.8 Participating companies will follow these Principles and Implementation Guidelines in all circumstances when they have operational control.
Application Guidance: “Operational control” means the power, directly or indirectly, to direct or cause the direction of the management and policies of the entity. This may be by contract, ownership of voting stock or representation on the Board of Directors or similar governing body.
2.9 When the participating company does not have operational control, it will use Best Efforts to ensure that business partners, investments, suppliers, distributors, and other relevant related parties follow the Principles.
Application Guidance: It is recognized that the influence of participating companies will vary across different relationships and contractual arrangements. “Best Efforts” means that the participating company will, in good faith, undertake reasonable steps to achieve the best result in the circumstances and carry the process to its logical conclusion.
2.10 With regard to third-party relationships, participating companies should focus their efforts on those business partners, investments, suppliers, distributors and other relevant related parties that are involved in the participating company’s business in a manner that materially affects the company’s role in respecting and protecting freedom of expression and privacy. In doing so, the participating company should prioritize efforts on circumstances where the risks to freedom of expression and privacy are most salient.
2.11 Where participating companies may initially lack influence to prevent or mitigate adverse impact of business relationships, they should assess how they could increase their ability to address such adverse impacts over time.
Application Guidance: It is assumed that this approach will be taken in all relevant contracts signed after committing to the Principles and to all relevant pre-existing contracts.
Integration into Business Operations
2.12 Participating companies will develop appropriate internal structures and take steps throughout their business operations to ensure that the commitments laid out in the Principles are incorporated into company analysis, decision making and operations.
2.13 Over time this will include:
Structure
a. The creation of a senior-directed, human rights function, including the active participation of senior management, to design, coordinate and lead the implementation of the Principles.
Application Guidance: This function may be organized differently within companies; it may consist of a dedicated human rights team or the function may build on new or existing internal corporate structures, such as sustainability / corporate social responsibility, policy, privacy or compliance / business ethics roles or (virtual and / or cross-functional) teams.
b. Ensuring that the procedures related to government demands implicating users’ freedom of expression or privacy rights are overseen and signed-off by an appropriate and sufficiently senior member of the company’s management and are appropriately documented.
Procedures
c. Establishing written procedures that ensure consistent implementation of policies that protect freedom of expression and privacy and documenting implementation of these policies. Documentation of policies and their implementation should be sufficiently detailed as to enable later internal and external review.
d. Incorporating freedom of expression and privacy review into assurance processes to ensure implementation of the procedures laid out in the Principles.
e. Maintaining a record of requests and demands for government restrictions to freedom of expression and access to personal information.
Remedy / Grievance
f. Establishing grievance mechanisms for users to make it possible for grievances about issues related to freedom of expression and privacy to be communicated to the company for consideration and, if appropriate, direct remediation. If a participating company determines its business practices are inconsistent with the Principles or have caused or contributed to adverse impacts, it will establish by itself or in cooperation with other actors, a means of remediation, including meaningful steps to prevent recurrence of such inconsistency or impact.
Application Guidance: To ensure their effectiveness, the grievance mechanisms should be designed in accordance with the effectiveness criteria set out in principle 31 of the UN Guiding Principles on Business and Human Rights.
g. Providing whistleblowing mechanisms or other secure channels through which employees can confidentially or anonymously report violations of the Principles without fear of associated punishment or retribution.
Application Guidance: For example, each company might appoint or designate an internal ombudsman, auditor or compliance officer to monitor the company’s business practices which includes issues relating to freedom of expression and privacy.
Employees
h. Communicating the Principles and / or company policies that implement the Principles to all relevant employees through internal channels, such as through the company intranet, and integrating the company’s commitment to the Principles through employee training or orientation programs.
i. Providing more detailed training for those corporate employees who are most likely to face freedom of expression and privacy challenges, based on human rights impact assessments. This may include staff in audit, compliance, legal, marketing, sales, and business development areas. Where appropriate and feasible, the orientation and training programs should also be provided to employees of relevant related parties such as partners, suppliers, and distributors.
j. Developing escalation procedures for employees seeking guidance in implementing the Principles.