The below is an overview of Telenor Group’s activities during 2017 seeking to implement the ten Guiding Principles of the Telecommunication Industry Dialogue on Freedom of Expression and Privacy (ID). For further information on our approach to authority requests, our 2017 Authority Request Access Report and an updated Legal Overview please see here.
Note that as of March 28, 2017 Telenor Group joined peers in the ID and became a member of the Global Network Initiative (GNI). You can read more about the two initiatives joining forces here. As company members of GNI are independently assessed every two years, and Telenor Group has not yet undergone the first round of GNI assessments, this report will use the ID principles as the basis for the disclosure below.
As set out in the ID Guiding Principles, telecommunications companies should, to the fullest extent that does not place them in violation of domestic laws and regulations, including license requirements and legal restrictions on disclosure:
1. Create relevant policies, with Board oversight or equivalent, outlining commitment to prevent, assess, and mitigate to the best of their ability the risks to freedom of expression and privacy associated with designing, selling, and operating telecommunications technology and telecommunications services.
Respect for the rights to privacy and freedom of expression is important for how we run our business. While telecommunications generally contributes to freedom of expression, on some occasions authorities may have a legitimate need to require telecommunications companies to comply with requests that limit privacy or free communication. Strict policies govern Telenor’s approach in responding to such requests, whereby we seek to limit the risk of illegitimate restrictions on privacy or freedom of expression imposed by way of our networks.
Telenor is committed to respecting human rights. This is reflected in our Code of Conduct, approved by the Telenor ASA Board of Directors, and our Supplier Conduct Principles. More detailed requirements are set out in policies approved by the Group CEO and manuals approved at CxO-level. These governing documents are adopted and implemented in all subsidiaries where Telenor has operational control.
Privacy and freedom of expression are covered in Group policies and manuals, which outline e.g. requirements to respect human rights, conduct regular human rights due diligence, ensure privacy of customer data and appropriate handling of authority requests for access to data.
In our Group Manual Authority Requests we outline our requirements for handling and escalating requests from authorities for access to personal data, network shutdowns, distribution of authority information, and censorship, as in our previous manuals. In late 2016 and early 2017 we updated our Group-wide requirements. The update included the strengthening of escalation processes, and the addition of a new category to cover ‘other requests’ from authorities not neatly fitting into the four categories described above.
As in previous years the update was based on experiences with challenging requests, and informed by conversations with stakeholders e.g. through the ID and the GNI.
2. Conduct regular human rights impact assessments and use due diligence processes, as appropriate to the company, to identify, mitigate and manage risks to freedom of expression and privacy – whether in relation to particular technologies, products, services, or countries – in accordance with the Guiding Principles for the Implementation of the UN ‘Protect, Respect and Remedy’ framework.
As reported previously, we have worked with all our BUs to implement human rights due diligence. Since the completion of the first round of BU-level due diligence, we have drawn on the experiences and challenges faced. Based on this, we initiated in 2016 an update of the Group-level due diligence, and in 2017 started updating our tools for conducting human rights due diligence. A pilot was initiated with four BUs, and based on experiences from this work we will roll out updated tools to all BUs in 2018.
Privacy impact assessments are regularly conducted on any activities that may present high risks to the privacy of our customers, at both BU and Group Level. With the introduction of the General Data Protection Regulation Data Protection Impact Assessment requirement, we are also working on the process to strengthen the understanding of the threshold for ‘high risk processing’ for conducting a privacy risk assessment.
As mentioned in our response to Principle 1, the Group Manual Authority Requests outlines our requirements to assess incoming requests. Such assessments typically happen when a request is received, and if a particular request is found to be challenging or ‘uncommon’ we integrate human rights considerations throughout the process of handling the request. Such requests are sometimes referred to as ‘non-regular events’, or in the ID context as ‘major events’.
Case example – ‘other requests’:
In our work to continuously improve how we handle requests from authorities with a potential impact on privacy and freedom of expression, we saw in 2017 a need to ensure our requirements also cover requests which do not neatly fit the traditional types of requests. We therefore included a new category, called ‘other requests’.
For example, in one of our markets we received a request from the authorities for the telecoms industry to send a joint appeal to a social media platform to remove illegal content from their site. A court order had been issued to the social media platform to remove the content; however, it was not removed. The request was assessed along the same criteria as for other authority requests, including a human rights assessment. This kind of request represents new challenges and demonstrates the importance of having company requirements also covering previously unforeseen scenarios.
3. Create operational processes and routines to evaluate and handle government requests that may have an impact on freedom of expression and privacy.
As outlined in the response to Principles 1 & 2 above, the key requirements for professional handling of authority requests are included in manuals. The BUs develop local operational processes and routines to fulfil the Group requirements. This practice has been adopted based on learning that due to local regulation, a common operational process and routine is unsuitable for authority requests. However, at Group Level, potential best practice use cases and tools have been aggregated in the form of a ‘blueprint’ to be leveraged and modified as per local requirements. During 2017, we further strengthened our guidance material, implementing escalation. An authority request community has also been established, encompassing relevant personnel from all BUs to identify centre of excellence and share operational good practices. In 2017 the Local Privacy Officers became primarily responsible at BU level for implementing our authority request requirements. For more on the training and awareness activities conducted, see our response to Principle 6.
To monitor the implementation of these routines we have also developed tools for reviewing BU performance against the manual requirements. This has been a helpful way of identifying areas for further improvement, and to engage with and train the BUs.
4. Adopt, where feasible, strategies to anticipate, respond and minimise the potential impact on freedom of expression and privacy in the event that a government demand or request is received that is unlawful or where governments are believed to be mis-using products or technology for illegitimate purposes.
As described in our responses to Principles 1, 2 & 3 above, our Group-wide requirements outline some measures to anticipate, respond and minimise potential impact on freedom of expression and privacy. While the Group-wide manual requirements specify how to respond to a specific request, the context in which a request is made may significantly affect our ability to utilise the full range of tools to anticipate, respond and minimise potential impact.
We typically seek to be transparent when possible, and we communicate with customers and stakeholders e.g. through our customer service, notices on our website, and public statements. Transparency is not always easy, and in some instances may have unintended and negative effects on our efforts to minimise the impact on privacy and freedom of expression. However, our stance is to be transparent and this is communicated to relevant authorities. We also engage actively with relevant authorities, seeking clarification e.g. on legal basis and timelines. Further, we discuss with peers (both locally and within the ID and GNI), and have conversations with other stakeholders (locally and internationally). When needed, we also engage diplomatic channels and international organisations.
We recognise that we will not always succeed using these tools, and we may not be able to effectively impact the situation. There is a clear need to engage in longer-term dialogue, and not only when an incident occurs. We have seen that awareness of, interest in and understanding of the challenges arising from authority requests need to be built amongst authorities, other companies, organisations and stakeholders.
Situations relating to national security concerns, political instability, and martial law or similar may be challenging to navigate. This may significantly reduce the range of strategies available. New laws may also be passed which further extend authority access and limit company leverage. In such situations principle 5 also comes into play and personnel risk may influence strategies adopted by the company.
5. Always seek to ensure the safety and liberty of company personnel who may be placed at risk.
As communicated in our previous reports, health, safety and employee security are fundamental principles included in our Code of Conduct. The safety of our staff is vital and may come into play when handling authority requests of various kinds. We have a fundamental responsibility for the safety of our staff. Also in 2017, we have experienced situations where we have had to carefully consider the security of our personnel. We conduct both internal and external personnel safety and security assessments when required, to ensure we have all relevant information and can apply appropriate mitigation measures.
Recognising this responsibility, the safety of our personnel has been included as one of the assessment criteria when conducting the human rights due diligence assessment for authority requests. This inclusion makes the safety of our staff members one of the key factors in the process.
6. Raise awareness and train relevant employees in related policies and processes.
We have general awareness activities connected with our Code of Conduct, and all employees have to sign this document.
In 2017 we continued our practice of active engagement with BUs and using meetings and workshops as venues for training and awareness. A key focus was to train Local Privacy Officers, and we also conducted training for specialists handling requests. Typically, we have focused on the experiences of implementing our requirements, drawing lessons from challenges faced, and discussing suggested updates to our requirements.
We have also focused on awareness at executive levels. Continuous focus on the issue is important as we go forward.
Case example – human rights training for staff handling authority requests:
In one of our BUs we ran in-depth sessions on human rights for staff handling requests from authorities. The sessions included an introduction to human rights in general, and the specific requirements related to human rights, as well as in-depth discussions of potential dilemmas and real-life cases. The sessions highlighted the challenge faced by staff handling requests given that they often have very little information to make a human rights assessment on. The training focused on discussing ways to address challenging requests, ranging from engaging with the requesting authority, to escalation of unusual requests.
7. Share knowledge and insights, where relevant, with all relevant and interested stakeholders to improve understanding of the applicable legal framework and the effectiveness of these principles in practice, and to provide support for the implementation and further development of the principles.
Telenor believes in increasing transparency and introducing safeguards against potential abuse and will continue to take an active part in the industry dialogue with the authorities on surveillance and access to our customers’ data.
In 2015, Telenor decided to contribute to transparency in the space of authority requests and the rights to privacy and freedom of expression, publishing our first transparency report, complemented by a legal overview. With these reports we aim to give our stakeholders an overview of the laws which compel us to give government authorities access to customer communications, and, where possible to disclose, the role we play in managing these requests.
The legal overview complements the work already undertaken by Vodafone and built on by the ID to compile a legal frameworks resource available for stakeholders.
In March 2017 we published our third transparency report. We also published an updated legal overview, and have included information on cybersecurity and cybercrime laws where relevant. The GNI has also made available the legal frameworks here.
Case example – share knowledge and insights:
In March 2018 Telenor Group along with peers from the Telecommunications Industry Dialogue (ID) joined the Global Network Initiative (GNI). As a multi-stakeholder platform, the GNI offers an opportunity to share and learn with civil society, academics, investors and other ICT companies. The GNI also hosts annual learning forums which are open to the public, and Telenor Group joined the 2017 event in Washington DC, sharing our experiences working with authority requests.
Another example of transparency is how Telenor Myanmar has annual stakeholder updates, including information on how they handle authority requests.
Throughout the year we have also been able to share experiences through our work in the ID and GNI. Regular stakeholder events have been conducted with face-to-face meetings. For more information please see the ID annual report for 2016-17 and GNI website.
8. Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.
Telenor’s report on progress implementing the principles is included in this table.
With respect to major events we seek to be transparent, as explained under principle 4, and when we can we share information with customers, post notes on our website or issue public statements.
9. Help to inform the development of policy and regulations to support freedom of expression and privacy including, alone or in cooperation with other entities, using its leverage to seek to mitigate potential negative impacts from policies or regulations.
Telenor Group engages with a range of stakeholders, including government and civil society, on a bilateral basis as well as through the ID and the GNI.
In our markets we seek to engage with the relevant authorities when a challenging request comes in, as well as in a longer-term dialogue when possible.
We also seek to provide input to relevant legislative processes in our markets.
10. Examine, as a group, options for implementing relevant grievance mechanisms, as outlined in Principle 31 of the UN Guiding Principles for Business and Human Rights.
In 2017 we have continued sharing good practices and discussing grievance mechanisms as part of the ID and GNI meetings.
Telenor Group has a hotline to compliance, where questions can be asked and concerns raised about potential breaches of the Telenor Code of Conduct. We are also looking at how to approach grievances from an authority request point of view.