Lieber Studies Big Data Volume – Corporate Data Responsibility

Editors’ note: This post is based on the authors’ chapter in Big Data and Armed Conflict (Laura Dickinson and Ed Berg eds. 2024), the ninth volume of the Lieber Studies series published with Oxford University Press.

Big data is playing an important role in the global economy, with corporations commonly using data analytics to forecast customer preferences, identify trends, innovate new business models, boost productivity, minimize risks, and improve decision making. The term commonly refers to new technologies and software tools used to create, aggregate, and analyze large datasets. While big data is used in areas regulated by a variety of legal regimes, its application to armed conflict and international human rights law is relatively new. Data analytics tools are being mobilized to filter large amounts of data to identify signals of potential atrocities and provide humanitarian aid. Such data includes data exhaust (e.g., cell phone records), online activity (e.g., social media), sensing technologies (e.g., satellite data), and crowdsourced information.

Current Uses of Big Data in Humanitarian Crises

The predictive power of big data can potentially facilitate early warning systems and provide real-time awareness of human rights violations and emerging humanitarian crises that arise out of armed conflicts. One noteworthy project is Syria Tracker, a crisis-mapping system that has used crowdsourced text, photo and video reports, and data-mining techniques to form a live map of the Syrian conflict since March 2011. Syria Tracker is able to collate data and illustrate trends in violence, which helps relief teams and citizens address human rights abuses and emerging humanitarian crises. It shows where human rights abuses are happening in Syria, including exactly when and where violence such as murders, rapes, and chemical attacks have taken place, as well as instances where food and water supplies have been tampered with. The crisis map also provides the rest of the world with otherwise non-existent, accurate, and up-to-date information.

Big data is particularly useful for addressing refugee crises related to armed conflict.  International organizations use analytical tools in different phases of these crises: identifying potential refugee/migration exoduses; tracking refugee/migrant movements; and resettling or integrating refugees/migrants. For instance, the International Organization for Migration has developed the Displacement Tracking Matrix, which uses big data to track and monitor population mobility and displacement to target assistance. Many of the locations of interest, such as Libya and the Democratic Republic of Congo, have experienced armed conflict.  Most recently, the Displacement Tracking Matrix has been used in Ukraine to gain insights into internal displacement and mobility flows. Several nongovernmental organizations are also focused on the harnessing of analytic technologies to address data gaps in the migration aid context. For example, the Humanitarian OpenStreetMap Team has used crowdsourced data mined from mobile phones to map the expanding refugee influx in East Africa as well as improve aid delivery in South Sudan and Syria.

The Role of the Private Sector

Yet a major risk in “digital humanitarianism” (the mobilization of data in pursuit of humanitarian goals) is the extent to which the global community is reliant on the cooperation of companies. While the use of big data is facilitating the mapping of conflict and the delivery of humanitarian aid, it is also transforming the corporation into a primary gatekeeper of rights protection. The private sector is playing a critical role as the mediator of information by exerting control over access to and analysis of big data. Large companies are providing data donations and leading the way in the Data for Good movement. Big data projects that rely on such data as cell phone logs, online content, and satellite images would not be possible without the participation of companies who voluntarily share the data for the public good—thus engaging in “data philanthropy.” However, some companies may be reluctant to share data even in situations of mass atrocities and humanitarian crises, whether inside or outside armed conflict. Furthermore, they may be complicit in human rights abuses committed by authoritarian regimes when they engage in digital surveillance and other forms of data manipulation.

Due to the central role the private sector plays in global data governance and digital humanitarianism that arises out of situations of armed conflict, it is critical to ensure corporate data responsibility and provide accountability to vulnerable populations. Corporate data responsibility arises out of the corporate responsibility to respect human rights, enshrined in the UN Guiding Principles on Business and Human Rights, the internationally-accepted framework for preventing and addressing the risk of adverse impacts on human rights linked to business activity. The UN Human Rights Council unanimously endorsed the Guiding Principles on Business and Human Rights in 2011. The Guiding Principles include the “Protect, Respect, and Remedy Framework,” which is grounded on three pillars:

(1) States’ existing obligations to respect, protect, and fulfil human rights and fundamental freedoms; (2) The role of business enterprises as specialized organs of society performing specialized functions, required to comply with all applicable laws and to respect human rights; and (3) The need for human rights and obligations to be matched to appropriate and effective remedies when breached.

The Guiding Principles are not limited to peacetime operations, and govern corporate conduct within, or linked to, armed conflict.

The second pillar of the Guiding Principles is the global standard for expected conduct for all business enterprises wherever they operate. It includes principles relevant to the private sector’s responsible use of data. It is thus applicable to companies in the communications and information technology sector that provide metadata or supply the technology and equipment that make digital communications possible. It also applies to companies that supply data to authoritarian regimes and armed groups, which they use to commit gross human rights abuses, war crimes, and other atrocities.

To ensure accountability to vulnerable populations, I argue for the promotion of corporate data responsibility in the name of the corporate responsibility to respect human rights. Corporate data responsibility includes two components. The first is a negative responsibility to do no harm by not assisting States that use data to commit human rights violations or atrocities within armed conflict. The second is a positive responsibility to respect human rights by making available data that could prevent gross human rights abuses or humanitarian crises.

Mitigating Corporate Complicity

As part of the principle of corporate data responsibility and consistent with the UN Guiding Principles, companies should avoid infringing on the human rights of others and ensure that they address adverse potential human rights impacts associated with their business operations. In many ongoing humanitarian and conflict situations, the State has a notable role to play in managing who, how, and when the public can access data (e.g., States can hinder access to the Internet). Companies may be complicit when States manipulate data in ways that violate civilians’ human rights. States can use technology managed by data companies as tools of harassment and surveillance that can infringe on the freedoms and privacy rights of citizens.

Yet complicity in surveillance-based repression by States is but one risk facing the information and communications technology sector. There is also a risk that big data can be used to target specific individuals in armed conflict. Authoritarian regimes and armed groups can weaponize big data by building databases of potential opponents’ militaries that includes profiles of individual members identified through facial recognition software. Companies can also be complicit in States’ human rights abuses when big data is used in the migration context, including migration spawned by armed conflict. Authoritarian regimes may use personal data gathered from technology companies to track civilians’ locations when they are fleeing conflict.  When doing so, they may misuse migrants’ data by usurping their right to privacy and data protection.

Given the risk of corporate complicity in States’ human rights abuses involving big data, including in situations linked to armed conflict, companies must ensure that they identify and address potential adverse human rights impacts associated with their business operations. The responsibility to do no harm means that companies should conduct human rights due diligence to assess whether their data policies or terms of service may adversely impact users’ human rights. Impact assessments must occur before new technology is deployed to limit the risks of harm to vulnerable populations. Meaningful consultation with affected stakeholders would ensure transparency to potentially affected individuals and communities about how their data is being gathered, stored, used, and potentially shared with others. Consultation should be conducted with a view to enabling potential data subjects to make informed decisions about the collection and use of data pertaining to them.

Beyond Data Philanthropy

Corporate data responsibility means that corporations have a proactive responsibility to provide access to data when there is an impending humanitarian crisis. While the responsibility to respect human rights under the UN Guiding Principles is primarily focused on the negative responsibility to avoid contributing to adverse human rights impacts, there is also a positive ethical duty on corporations to facilitate the fulfillment of human rights through their own activities. Positive corporate duties are especially triggered when the primary duty-bearers (i.e., States) fail to protect the rights of citizens and yield political power to the companies that operate within those States. As quasi-governmental institutions, corporations have an ethical duty to protect, promote, and fulfill human rights. In the context of big data and development, this means that companies should make available data that could prevent humanitarian crises, gross human rights abuses, war crimes, and other atrocities. They should take active steps to increase the amount and detail of the data they collect, and to seek ways to render the data they collect more amenable to preventing human rights abuses.

Currently, select corporations are engaging in data philanthropy by voluntarily sharing data for the public good (e.g., to prevent human rights abuses and war crimes) rather than keeping data “locked up” as proprietary information. While data philanthropy is becoming more of a priority for the private sector, it is still limited in scope. I argue that companies should go beyond data philanthropy and provide access to data. There is a positive responsibility to share data when there is a threat of mass atrocities, whether inside or outside armed conflict, and a need for assistance in providing humanitarian aid.

In promoting corporate data responsibility, it is of course important to protect the privacy of the individual emitters of the data and balance those concerns against the benefits of using the data for the public good. States and international agencies should develop specific criteria for evaluating the benefits and risks to determine how and in which specific circumstances data should be shared to decrease the risks of inappropriate use of the data. For companies, this may mean obtaining prior informed consent from individuals or providing an opt-in or opt-out decision regarding the use of data. At the same time, there might also be a risk that such data might be misappropriated by those who seek to commit war crimes or atrocities. It is essential that companies conduct due diligence to ensure that their data is not misused and weaponized for digital surveillance and targeting operations during armed conflicts.

Conclusion

As big data is mobilized to pursue development goals, corporations are playing a key role in the mapping of conflict, the identification of potential atrocities, and the delivery of humanitarian aid. Private actors operate in the shadows of digital infrastructures yet nevertheless wield significant control over access to and analysis of big data and have become a primary gatekeeper of rights protection. It is therefore critical to promote corporate data responsibility, including a negative responsibility to do no harm by not assisting States that use data to commit human rights violations, and a positive responsibility to respect human rights by making available data that could prevent gross human rights abuses or humanitarian crises. Moreover, big data should supplement, but not replace, existing tools and approaches to human rights and needs to be analyzed in the context of other data sources such as field-based research and qualitative knowledge. By doing so, we can maximize the benefits and minimize the risks of adopting a data-driven approach to humanitarianism.

***

Galit Sarfaty is an Associate Professor of Law with tenure at the University of Toronto.

Photo credit: Unsplash