The 2019 Ranking Digital Rights Corporate Accountability Index
The 2019 Ranking Digital Rights Corporate Accountability Index evaluated 24 of the world’s most powerful internet, mobile ecosystem, and telecommunications companies on their publicly disclosed commitments and policies affecting freedom of expression and privacy. These companies held a combined market capitalization of nearly USD 5 trillion. Their products and services are used by a majority of the world’s 4.3 billion internet users.
New leaders for 2019
Microsoft earned first place in this year’s ranking, mainly due to strong governance and consistent application of policies across all services. Google and Verizon Media (formerly Oath and originally Yahoo) are now tied for second place among internet and mobile ecosystem companies - as well as in the RDR Index overall.
Telefónica shot ahead of all other telecommunications companies in 2019, disclosing significantly more than its peers about policies affecting freedom of expression and privacy. The Madrid-based multinational with operations across Latin America and Europe also made more improvements than all other companies in the RDR Index by a wide margin. Vodafone, which led in 2018, is now in second place, ahead of AT&T, which fell to third.
People have a right to know. Companies have a responsibility to show. The 2019 RDR Index evaluated 24 companies on 35 indicators examining disclosed commitments, policies, and practices affecting freedom of expression and privacy, including corporate governance and accountability mechanisms. RDR Index scores represent the extent to which companies are meeting minimum standards. Yet few companies scored above 50 percent. While the results reveal some progress, many problems have persisted since the first RDR Index was launched in 2015.
Progress: Most companies have made meaningful efforts to improve. Of the 22 companies evaluated in the previous RDR Index, 19 companies disclosed more about their commitments, policies, and practices affecting users’ freedom of expression and privacy.
Many companies improved their privacy-related policies. New privacy regulations in the European Union and elsewhere drove many companies to improve disclosures about their handling of user information.
Some companies improved their governance and oversight of risks to users.More companies improved their public commitment to respect users’ human rights, and took steps to demonstrate oversight and accountability around risks to freedom of expression and privacy.
Persistent problems: People around the world still lack basic information about who controls their ability to connect, speak online, or access information, or who has the ability to access their personal information under what circumstances. Governments are responding to serious threats perpetrated through networked communications technologies. While some regulations have improved company disclosures, policies, and practices, other regulations have made it harder for companies to meet global human rights standards for transparency, responsible practice, and accountability in relation to freedom of expression and privacy. Even when faced with challenging regulatory environments in many countries, companies must take more affirmative steps to respect users’ rights.
PRIVACY: Most companies still fail to disclose important aspects of how they handle and secure personal data. Despite new regulations in the EU and elsewhere, most of the world’s internet users are still deprived of basic facts about who can access their personal information under what circumstances, and how to control its collection and use. Few companies were found to disclose more than required by law.
GOVERNANCE: Threats to users caused or exacerbated by companies’ business models and deployment of new technologies are not well understood or managed. Most companies are not prepared to identify and mitigate risks such as those associated with targeted advertising and automated decision-making. Nor do companies offer adequate grievance and remedy mechanisms to ensure that harms can be reported and rectified.
EXPRESSION: Transparency about the policing of online speech remains inadequate. As companies struggle to address the harms caused by hate speech and disinformation, they are not sufficiently transparent about who is able to restrict or manipulate content appearing on or transmitted through their platforms and services, how, and under what authority. Insufficient transparency makes it easier for private parties, governments, and companies themselves to abuse their power over online speech and avoid accountability.
GOVERNMENT DEMANDS: Transparency about demands that governments make of companies is also uneven and inadequate. Companies disclosed insufficient information about how they handle government demands for access to user data, and to restrict speech. As a result, in most countries, government censorship and surveillance powers are not subject to adequate oversight to prevent abuse or maintain public accountability.
If the internet is to be designed, operated, and governed in a way that protects and respects human rights, everyone must take responsibility: companies, governments, investors, civil society organizations, and individuals - as employees of companies, as citizens of nations, as consumers of products, and as users of a global communications network.
Below are our top-line recommendations for companies and governments. More detailed recommendations can be found at the end of Chapters 3, 4, and 5. Chapter 6 proposes questions for investors to ask companies.
Recommendations for companies
Regardless of the legal environment, companies are responsible for the impact of their products, services, and business operations on human rights. All companies evaluated in the RDR Index can make many improvements immediately, even in the absence of legal and policy reform.
1. Go beyond legal compliance: No legal regime covered by the RDR Index enables or requires the full range of actions companies should take to respect and protect users’ human rights. For companies that are committed to respecting freedom of expression and privacy as human rights, the RDR Index indicators offer clear standards to follow.
2. Be transparent: Companies should disclose comprehensive and systematic data and other information that enables users to have a clear understanding of how online speech can be restricted or manipulated, and how personal information can be accessed and used - by whom and under what authority.
3. Get serious about oversight and due diligence: Board oversight and comprehensive due diligence mechanisms are necessary to identify how freedom of expression and privacy may be affected by the company’s business, and to ensure that the company works to maximize the protection of users’ human rights.
4. Offer effective grievance and remedy mechanisms: Users need to be able to report harms and seek remediation when their freedom of expression or privacy rights are violated in connection with using the company’s platform, service, or device.
5. Innovate for better governance of data and speech: Work with civil society, investors, and governments to create new approaches for addressing threats to individuals and societies while also protecting users’ rights.
Recommendations for governments
Governments should uphold their duty to protect human rights if companies are to fully respect human rights, consistent with the U.N. Guiding Principles on Business and Human Rights. Citizens must be able to hold government accountable for how it exercises power over online speech and personal data.
1. Uphold human rights standards: Strong data protection law is essential for protecting privacy. Government also has a duty to protect people from violence and crime. At the same time, all laws affecting online speech, or the use and sharing of personal data by any entity, must uphold human rights standards. Governments should not enact laws that compel companies to violate, or facilitate the violation of, users’ rights to freedom of expression or privacy. Any restriction of the right to freedom of expression and opinion or the right to privacy must be prescribed by law, necessary to achieve a legitimate aim (consistent with human rights standards), and proportionate to the aim pursued.
2. Commit to robust oversight: Ensure that government power to restrict online speech or access personal data is subject to meaningful oversight against abuse of censorship and surveillance power. Without credible oversight, government measures to address harmful and malicious activities via private platforms and services, or to address other social, economic, and security challenges, will be plagued by public and industry mistrust.
3. Implement and require transparency: Publish regular and accessible data disclosing the volume, nature, and purpose of all government requests made to companies affecting users’ freedom of expression and privacy. Companies should also be required by law to disclose meaningful and comprehensive information about the full range of actions companies take that may affect users’ freedom of expression or privacy.
4. Require strong corporate governance: Companies should be required by law to implement board oversight, systematic internal and external reporting, and impact assessments to identify, evaluate, and mitigate potential human rights harms, including violations of users’ freedom of expression and privacy.
5. Ensure adequate access to remedy: People have a right to meaningful and effective remedy, including legal recourse, when their privacy or freedom of expression rights are violated. Companies should also be required by law to provide accessible and effective grievance and remedy mechanisms.