DNV GL has been commissioned by Telenor to carry out a claims check of Telenor’s status on alignment with the Industry Dialogue Guiding Principles for 2014. The engagement has been undertaken in accordance with a procedure based on DNV GL’s general method for assessments of sustainability reporting, which has been tailored to specific Telenor requirements.
1. Create relevant policies, with Board oversight or equivalent, outlining commitment to prevent, assess, and mitigate to the best of their ability the risks to freedom of expression and privacy associated with designing, selling, and operating telecommunications technology and telecommunications services.
Respect for the rights to privacy and freedom of expression is important for how we run our business. While telecommunications generally contributes to freedom of expression, on some occasions authorities may have a legitimate need to require telecommunications companies to comply with requests that limit privacy or free communication. Strict policies govern Telenor’s approach in responding to such requests, whereby we seek to limit the risk of illegitimate restrictions on privacy or freedom of expression imposed by way of our networks.
Telenor is committed to respecting human rights. This is reflected in our Code of Conduct, approved by the Board of Directors, and our Supplier Conduct Principles. More detailed requirements are set out in policies approved by the Group CEO and manuals approved at CxO-level. These governing documents are adopted and implemented in all subsidiaries where Telenor has operational control.
Privacy and freedom of expression are covered in Group policies and manuals. They outline requirements to respect human rights, conduct regular human rights due diligence, ensure privacy of customer data and appropriate handling of authority requests for access to data.
In 2015 we revised and strengthened our Group-wide requirements related to authority requests. The requirements cover authority requests for access to personal data, network shutdowns, distribution of authority information, and censorship, as our previous manuals. However, requirements have been strengthened to improve:
- Process for evaluation of requests – clearer requirements for assessing legality and human rights aspects of requests
- Organisational responsibility – overall responsibility clearly identified at CxO-level
- More efficient and timely escalation
These and other updates to our requirements were based on the extensive engagement and consultation with BUs during 2014, experiences with challenging requests, and informed by conversations with stakeholders e.g. through the Industry Dialogue (ID). The requirements are mandatory across Telenor Group, and the relevant manual is approved at CxO-level and part of our portfolio of Group governance documents.
Throughout 2015 we have continued this engagement with the BUs, conducted workshops an training sessions. This work will continue in 2016.
2. Conduct regular human rights impact assessments and use due diligence processes, as appropriate to the company, to identify, mitigate and manage risks to freedom of expression and privacy – whether in relation to particular technologies, products, services, or countries – in accordance with the Guiding Principles for the Implementation of the UN ‘Protect, Respect and Remedy’ framework.
Requirements for regular human rights due diligence, based on the UN Guiding Principles on Business and Human Rights, are included in our sustainability policy. This policy also includes privacy & freedom of expression.
We have worked with all our BUs to implement human rights due diligence. During 2015 the final BUs completed their first round and we worked with them to discuss findings and lessons learnt. With respect to authority requests we strengthened, as mentioned in our response to Principle 1, the requirements to assess the potential human rights impacts. Such assessments typically happen when a request is received, and if a particular request is found to be challenging or ‘uncommon’ we integrate human rights considerations throughout the process of handling the request.
During 2015 we experienced several challenging requests where human rights assessments were done.
Case example – service restrictions:
Grameenphone, a majority-owned subsidiary of Telenor Group, on November 18, 2015, received a written and verbal instruction from the Government of Bangladesh through the Bangladesh Telecommunication Regulatory Commission (BTRC) to restrict access to the following messaging and social media services: Viber, WhatsApp, Facebook, Line, Tango, Hangout, Comoyo and ustream.tv. BTRC’s correspondence asked for the services restriction to start immediately and did not specify a timeline. Grameenphone executed the order in accordance with internal procedures, including a legal review and human rights impact assessment. Grameenphone also informed Telenor Groupthe same day. Furthermore, Grameenphone engaged in industry dialogue before executing on the instruction.
Immediate steps were taken to limit the overall impact of the restrictions. As a key measure, Grameenphone sought to establish the duration of the restriction through engagement with relevant authorities. Grameenphone was also transparent about the instruction by providing information through the company’s website.
The restriction on Facebook was finally lifted by the authorities on December 10, 2015, and the rest of the services were restored on December 14.
3. Create operational processes and routines to evaluate and handle government requests that may have an impact on freedom of expression and privacy.
As outlined in the response to Principles 1 & 2 above, the key requirements for professional handling of authority requests are included in manuals. The BUs develop local operational processes and routines to fulfil the Group requirements.
During 2015 we developed a comprehensive set of guidance materials and tools. In connection with the implementation of the new manual, described under Principle 1, we ran pilot projects to see how the requirements could best be implemented in practice. Further, we developed a local implementation ‘blueprint’. This guidance was applied by all BUs during 2015 to implement effective operational processes and routines for handling authority requests. For more on the training and awareness activities conducted, see our response to Principle 6.
To monitor the implementation of these routines we have also developed tools for reviewing BU performance against the manual requirements. This has been a helpful way of identifying areas for further improvement, and to engage with and train the BUs.
Case example – implementation and follow-up of requirements:
In early 2015 work started to update Telenor Group’s requirements for handling authority requests. Experiences and lessons learned from the various Business Units (BUs) in the previous year were integrated. The team updating the requirements ran pilots in a European and an Asian BU, allowing for further insight to be integrated in the final requirements. This resulted in two guidance documents, one on the handling of requests when received, and one on the technical aspects of responsible handling of requests. In the spring 2015 the updated requirements were shared with all BUs, together with the guidance materials, and implementation began.
The team worked closely with one BU on implementation, and the practical know-how and expertise gained was used to develop even more detailed guidance resulting in a ‘blueprint’ for local implementation that all BUs can use. It contains tools and suggestions for e.g. effective organisation, whom to involve when, and escalation to Group. During the fall workshops were held with all BUs to share experiences.
Throughout the second half of the year the Group team also visited every BU using a monitoring and assessment tool to take stock and identify areas for further improvement.
4. Adopt, where feasible, strategies to anticipate, respond and minimise the potential impact on freedom of expression and privacy in the event that a government demand or request is received that is unlawful or where governments are believed to be mis-using products or technology for illegitimate purposes.
Ref. our responses to principles 1, 2 & 3 above our Group-wide requirements outline some measures to anticipate, respond and minimise potential impact on freedom of expression and privacy. While the Group-wide manual requirements specify how to respond to a specific request, the context in which a request is made may significantly affect our ability to utilise the full range of tools to anticipate, respond and minimise potential impact.
We typically seek to be transparent when possible, and we communicate with customers and stakeholders e.g. through our customer service, notices on our website, and public statements. Transparency is not always easy, and in some instances may have unintended and negative effects on our efforts to minimise the impact on privacy and freedom of expression. However, our stance is to be transparent and this is communicated to relevant authorities. We also engage actively with relevant authorities, seeking clarification e.g. on legal basis and timelines. Further, we discuss with peers (both locally and within the Industry Dialogue), and have conversations with other stakeholders (locally and internationally). When needed, we also engage diplomatic channels and international organisations.
We recognise that we will not always succeed using these tools, and we may not be able to effectively impact the situation. There is a clear need to engage in longer-term dialogue, and not only when an incident occurs. We have seen that awareness, interest and understanding for the challenges arising from authority requests needs to be built amongst authorities, other companies, organisations and stakeholders. We believe the stakeholder conversations of the Industry Dialogue and GNI are important in this regard.
For an example of how a longer-term perspective may be constructive, please see the case study described under Principle 8.
Situations relating to national security concerns, political instability, and martial law or similar may be challenging to navigate. This may significantly reduce the range of strategies available. New laws may also be passed which further extend authority access and limit company leverage. In such situations principle 5 also comes into play and personnel risk may influence strategies adopted by the company.
5. Always seek to ensure the safety and liberty of company personnel who may be placed at risk.
Health, safety and employee security are fundamental principles included in our Code of Conduct. The safety of our staff is vital and may come into play when handling authority requests of various kinds. We have a fundamental responsibility for the safety of our staff.
Unfortunately, we have during 2015, experienced situations where we have had to carefully consider the security of our personnel. We conduct both internal and external personnel safety and security assessments when required, to ensure we have all relevant information and can apply appropriate mitigation measures.
6. Raise awareness and train relevant employees in related policies and processes.
We have general awareness activities connected with our Code of Conduct, and all employees have to sign this document.
In 2015, Telenor conducted extensive training and reviews of the privacy practices throughout Telenor Group. Training has focused on implementing the new and stronger processes for handling of requests from authorities, which includes clear escalation criteria. as described under Principles 1,2,3.
Awareness and training has been both at executive and operational levels. We have engaged directly with the BUs and conducted regional workshops and training sessions. Significant time has been spent on creating an understanding of the challenges and how to address them. We see a need to continue this in 2016.
7. Share knowledge and insights, where relevant, with all relevant and interested stakeholders to improve understanding of the applicable legal framework and the effectiveness of these principles in practice, and to provide support for the implementation and further development of the principles.
Telenor believes in increasing transparency and introducing safeguards against potential abuse and will continue to take an active part in the industry dialogue with the authorities on surveillance and access to our customers’ data.
In 2015, Telenor decided to contribute to transparency in the space of authority requests and the rights to privacy and freedom of expression. We published the ‘Authority Requests for Access to Electronic Communication – Legal Overview’ and the ‘Authority Requests for Access to Electronic Communication – Country Data’. These reports aim to give our stakeholders an overview of the laws which compel us to give government authorities access to customer communications, and where possible to disclose, the role we play in managing these requests. The legal overview complements the work already undertaken by Vodafone in 2014 and built on by the ID in 2015 to compile a database available for stakeholders. The reports are available here: https://www.telenor.com/wp-content/uploads/2015/05/Authority-requests-for-access-to-electronic-communication_04.pdf , https://www.telenor.com/wp-content/uploads/2015/05/GOVERNMENT-ACCESS-REPORT_05.pdf
Case example – transparency:
Telenor Groupcollaborated with the Institute for Business & Human Rights to publish a case study on mobile network shutdowns. The study examines the impact of shutdowns on human rights in Pakistan, focuses on the efforts of Telenor Pakistan to use dialogue as a tool for reducing shutdown frequency and scope, and presents recommendations for both operators and governments. For details and the full case study see http://www.ihrb.org/publications/reports/digital-dangers-case-study-pakistan.html
In 2015, periodic disclosure went hand in hand with stakeholder engagement initiatives. On May 12th, an Investor Relations Sustainability Seminar was organized in London where Telenor Group updated the audience on how sustainability guides its business practices across all markets. Investors and analysts as well as representatives from various organizations, such as NGOs, media, industry organizations and governmental bodies, attended the seminar. An interactive Q&A session followed presentations on Telenor’s operations in Myanmar and Bulgaria, new transparency reporting, and a special session on human rights, privacy and freedom of expression. The session webinar has been viewed many times since May. https://www.telenor.com/investors/presentations/2015/telenor-group-sustainability-seminar/
Throughout the year we have also been able to share experiences through our work in the Industry Dialogue (ID). Regular stakeholder events have been conducted in connection with our quarterly face-to-face meetings, and we have had good stakeholder conversations as part of the ID’s collaboration with Global Network Initiative (GNI).
We also seek to provide information on our website and through our annual sustainability reporting.
8. Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.
Telenor’s report on progress implementing the principles is included in this table.
With respect to major events we seek to be transparent, as explained under principle 4, and when we can we share information with customers, post notes on our website or issue public statements.
9. Help to inform the development of policy and regulations to support freedom of expression and privacy including, alone or in cooperation with other entities, using its leverage to seek to mitigate potential negative impacts from policies or regulations.
Telenor Group engages with a range of stakeholders, including government and civil society, on a bilateral basis as well as through the Industry Dialogue and the IDs collaboration with the GNI.
In our markets we seek to engage with the relevant authorities when a challenging request comes in, as well as in a longer-term dialogue when possible.
We also provide input to relevant legislative processes in our markets.
10. Examine, as a group, options for implementing relevant grievance mechanisms, as outlined in Principle 31 of the UN Guiding Principles for Business and Human Rights.
During 2015 grievance mechanisms have been discussed as part of the Industry Dialogue meetings, we have shared good practices and discussions will continue.
Telenor Group has a hotline to compliance, where breaches of our Code of Conduct can be reported.