93.The UN Guiding Principles on Business and Human Rights were endorsed by the UN Human Rights Council in 2011. They are a set of guidelines for States and companies to prevent, address and remedy human rights abuses committed in business operations. A report by the UN High Commissioner for Human Rights, published in 2014, set out how these Principles apply to digital communication and the use of personal data. The Commissioner states:
“Enterprises that provide content or Internet services, or supply the technology and equipment that make digital communications possible, for example, should adopt an explicit policy statement outlining their commitment to respect human rights throughout the company’s activities. They should also have in place appropriate due diligence policies to identify, assess, prevent and mitigate any adverse impact. Companies should assess whether and how their terms of service, or their policies for gathering and sharing customer data, may result in an adverse impact on the human rights of their users.”
94.The Commissioner also states:
“In the context of information and communications technology companies, this [due diligence] also includes ensuring that users have meaningful transparency about how their data are being gathered, stored, used and potentially shared with others, so that they are able to raise concerns and make informed decisions. The Guiding Principles clarify that, where enterprises identify that they have caused or contributed to an adverse human rights impact, they have a responsibility to ensure remediation by providing [a] remedy directly or cooperating with legitimate remedy processes.”
95.The Northumbria Internet and Society Research Group explained how the Principles had the potential to help address privacy concerns in relation to how private companies use our data. They told us that adhering to the Principles “requires that a corporation knows the risks that big data and algorithmic decision making pose to privacy and is able to show that the collection, storage and processing of data is compliant with human rights.” But Dr Nora Ni Loidean and Dr Rachel Adams from the Information Law and Policy Centre at the Institute for Advanced Legal Studies told us that “the Principles have not been widely implemented in practice.” They explained that the Principles “constitute a soft law mechanism in international law” and said that the Principles “are not binding on state parties or private companies.”
96.Horizon, a Research Institute at the University of Nottingham, suggested that the requirement for human rights impact assessments advocated by the Principles should be translated “into national requirements that are more specific and enforceable”, including integrating them “into existing impact assessment schemes, such as the data protection impact assessment (DPIA), which are mandated by the GDPR.” The Northumbria Internet and Society Research Group were also keen to see “further initiatives for the promotion and the implementation of the Guiding Principles”, along with an “effective enforcement mechanism.”
97.We looked in detail at the Guiding Principles as part of our 2017 inquiry into human rights and business. In our report, we noted that the UK was the first state to implement the Principles, by publishing a National Action Plan in 2013, but concluded that we shared “the disappointment of many of our witnesses over its [the National Action Plan’s] modest scope and lack of new commitments.” We also recommended that the Government bring forward legislative proposals to make reporting on due diligence in relation to human rights compulsory for large businesses.
98.The UN Guiding Principles on Business and Human Rights, if fully implemented, would address many of the concerns raised in this report by requiring companies to both make users aware of how their data is used and proactively identify and mitigate any adverse impact their activities may have on people’s human rights.
99.The Government should consider how it could mandate internet companies to adhere to the Guiding Principles, and how it could effectively enforce such a requirement. We restate the recommendation from our 2017 report on business and human rights that reporting on due diligence in human rights should be compulsory for large businesses.
100.The Government should also update its National Action Plan for implementing the Guiding Principles to include specific consideration of the impact of internet and social media companies on human rights.
101.Some of our witnesses argued that the current risks arising from the mass processing of personal data by private companies were not due to the lack of protection within existing legislation but rather due to the lack of enforcement of the law. The Law Society of Scotland told us: “we consider that the existing legislation offers a good level of protection in principle but in practical terms, enforcement is the deciding factor as to whether it proves effective.” Similarly, Ailidh Callander from Privacy International said: “We really need implementation and enforcement. That is where the gap is at the moment and where the effort should be: on proactive implementation and enforcement where there is blatant noncompliance.”
102.The GDPR does, on paper, appear to offer many of the protections that this inquiry has found to be necessary. It “requires organisations to be clear about what they do with individuals’ personal data, how they do it, on what basis they do it, what data they hold, how long they will hold it for and who they will share it with.” And yet the evidence to this inquiry strongly suggests that internet companies are not adequately complying with these requirements.
103.The Law Society of Scotland raised concerns about the remit and the resources of the ICO:
“We understand that the ICO will investigate breaches or concerns but this does not mean it is actively policing the conduct of companies where no such concerns have been raised. Furthermore, enforcement may increasingly require the regulator to be able to develop their own technology and have teams able to understand technological developments if abuses are to be identified and effectively prosecuted.”
104.The resources of the ICO are dwarfed by those of the companies it is expected to regulate. In 2018, the ICO had a budget of just over £40 million. In comparison, Google UK’s 2018 revenue totalled £1.4 billion.
105.The GDPR should offer a substantial level of protection for people’s personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and DPA in relation to how internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator.
106.The Government’s Online Harms White Paper, published in April 2019, outlined plans for a new system of oversight for internet companies, with a new regulatory framework and an independent regulator. While the Government does not consider the protection of personal data to be in scope of the White Paper (indeed, they explicitly rule it out, stating that the UK “already enjoys high standards of data protection law”), their proposals have the potential to help mitigate some of the concerns raised in this inquiry. The proposals include:
107.On 14 October, as part of the Queen’s Speech, the Government announced its intention to analyse the responses it received to its consultation on the White Paper, and then publish draft legislation for pre-legislative scrutiny.
108.While we welcome the publication of the Government’s Online Harms White Paper, it was disappointing that violations of people’s right to privacy and of their freedom from discrimination were not included in the list of harmful online activity that the Government considers to be in scope of the White Paper. We do not agree with the Government that the existing legal framework provides adequate protection against the misuse of people’s data by internet companies and would urge them to reconsider the scope of their proposals.
109.The Government’s proposals to create a new statutory duty of care to make companies take more responsibility for the safety of their users, enforced by an independent regulator, could provide a valuable framework for ensuring that internet companies uphold people’s human rights. We urge the Government to include in its proposed “duty of care” a requirement for companies to adhere to robust standards on how people’s data is processed.
73 United Nations Human Rights. Office of the High Commissioner, , 2011
74 Human Rights Council, , 30 June 2014
75 Human Rights Council, , 30 June 2014
76 Human Rights Council, , 30 June 2014
78 Information Law and Policy Centre, Institute of Advanced Legal Studies ()
79 Information Law and Policy Centre, Institute of Advanced Legal Studies ()
80 Horizon Digital Economy Research, University of Nottingham ()
81 NINSO Northumbria Internet & Society Research Group ()
82 Joint Committee on Human Rights, Sixth Report of Session 2016–17, , HC 443 / HL Paper 153
83 Joint Committee on Human Rights, Sixth Report of Session 2016–17, , HC 443 / HL Paper 153
84 Joint Committee on Human Rights, Sixth Report of Session 2016–17, , HC 443 / HL Paper 153
85 The Law Society of Scotland ()
86 [Ailidh Callander]
87 Written evidence from the Information Commissioner’s Office provided to the House of Lords’ Select Committee on Communications ()
88 The Law Society of Scotland ()
89 Information Commissioner’s Office, , September 2018
90 , The Register, 3 April 2019
91 Department for Digital, Culture, Media and Sport, and Home Office, , Updated June 2019
92 Department for Digital, Culture, Media and Sport, and Home Office, , Updated June 2019
93 Department for Digital, Culture, Media and Sport, and Home Office, , Updated June 2019
94 Prime Minister’s Office,
Published: 3 November 2019