I ended my previous post with a breakdown of steps to start putting human rights compliance into practice. In this article, I will guide you through the basic human rights responsibilities of businesses developing and using AI — we already know why you need to make human rights a serious concern for your business, but what are you actually required to do?
I will first explain the legal position of businesses under international human rights law and then focus on what businesses are responsible for. TLDR: You need to respect human rights.
Under international human rights law, businesses do not have legally binding obligations. Although we are moving towards them within the European Union, businesses cannot currently have a legal human rights complaint brought against them at one of the international or regional human rights supervisory bodies or courts, for example, the European Court of Human Rights.
However, over the years significant legal developments have occurred, with a range of non-legally binding initiatives being adopted internationally. Although flawed, the most impactful of these initiatives is arguably the United Nations Guiding Principles on Business and Human Rights (UNGPs). The UNGPs were drafted by the UN special representative on business and human rights, John Ruggie, with input from a lot of different stakeholders. They were endorsed by the UN Human Rights Council in 2011. The UNGPs articulate the human rights responsibilities of all businesses (and the duties of states vis-à-vis businesses), including those working with AI. They have received support at all levels, including from businesses, and recently even formed the core of the District Court in the Hague’s reasoning in a landmark human rights and climate change case against Royal Dutch Shell. Therefore, while the UNGPs may not be legally binding, they have had a significant influence on the development of law that is binding, especially at the national and EU level.
The main tenet of the UNGPs applicable to businesses is a responsibility to respect human rights, or in other words, to refrain from negatively interfering with the enjoyment of human rights. Depending to some extent on the specific system developed/used by an AI business, this would mean, for instance, avoiding the use of discriminatory data and using data in a way that violates privacy, but would also require a business to use its leverage so that clients in B2B relationships do not use the system in a way that harms human rights.
The UNGPs follow a ‘know and show’ approach that requires businesses to know internally and show externally how well they are addressing risks to people. They emphasise that the responsibility to respect human rights applies throughout a business’ own operations and its business relationships throughout its value chain. The responsibility must be embedded throughout all business functions, essentially becoming “part of the DNA of doing business”.
Before going further, let’s look at the difference between corporate responsibility for human rights and corporate social responsibility (CSR). CSR is broader, encompassing issues relating to the environment, philanthropy, etc., and it allows businesses to decide what issues to address, to cherry-pick what ‘good’ they would like to do. On the other hand, corporate human rights responsibility is grounded in the core human rights standards found in international human rights law and places more emphasis on corporate accountability. Businesses cannot pick and choose which issues to address and cannot offset human rights interference by ‘doing good’ elsewhere.
The bottom line? Businesses have to respect human rights at all times and in all of their activities and relationships.
The UNGPs break down the responsibility to respect human rights into three components:
1. A policy commitment to respect human rights;
2. Due diligence processes to identify, prevent, mitigate and account for how they address their human rights impacts; and
3. The adoption of processes to enable the remediation of any adverse impacts they cause or to which they contribute.
1. Policy commitment
A policy commitment is essentially a ‘high level and public statement by an enterprise setting out its commitment to respect human rights’. This is typically relatively general or vague and often comprises a broad commitment to respect human rights, with some companies choosing to make specific reference to particularly salient human rights issues for them.
Once a policy commitment has been adopted, a business then needs to develop internal policies and processes to put the policy into practice. These will be much more detailed than the policy commitment itself and should include measures to remedy harm that they cause or to which they contribute.
Crucially, the policy commitment must be genuine and put into practice — it is not enough to use it as lip service to enhance the reputation of a business that does not go on to implement the commitment in reality.
2. Due diligence processes
Put simply, due diligence allows businesses to proactively manage potential and actual adverse human rights impacts with which they are involved, through the adoption of a series of ongoing processes. This includes, but is not limited to, human rights impact assessments. Due diligence lies at the heart of the responsibility to respect. It has been the subject of much discussion and in recent years has been increasingly incorporated into national legislation. Due diligence also forms the focus of the draft EU legislation on business and human rights. Because of this focus, due diligence (especially of AI businesses) will be the topic of my next post.
3. Remediation processes
Under the UNGPs, businesses should adopt processes to enable the remediation of any adverse impacts they cause or to which they contribute. The United Nations’ Interpretive Guide to the UNGPs explains that this relates to situations in which a business itself recognises that it has caused or contributed to harm, which could have come to light via its operational level grievance mechanism, impact assessment, or information provided by a third party, for example.
In such situations, the business should play a direct role in providing remediation, which could include, for example, an apology, compensation, cessation of activity or a relationship causing the harm, etc. Whatever is chosen it should be done after engagement with the affected persons, to make sure that it is also a remedy that they consider to be effective, not just the company. In some situations, for example, where a crime has been alleged, it may be more appropriate for remediation to be provided by an external entity, such as a court. For this reason, it is important that those affected understand their options and the best route for them to take.
In case this is quite a new topic for you, here is the Reader’s Digest version:
At the moment, the responsibility to respect human rights is not binding on businesses internationally, although elements of the responsibility are being incorporated into binding national law in several countries.
The responsibility to respect human rights requires businesses to adopt a policy commitment, human rights due diligence processes, and measures for the remediation of harm they cause or contribute to. This requires positive action from businesses and therefore various resources, but as I discussed in my last post, there are many important reasons for doing this.
You may be wondering what all this means for an AI business and how it can be operationalized. For now, I will leave you with these three tips from the Global Business Initiative on how to approach the drafting of a human rights commitment:
The next step will be to put this policy into practice. This will require a deeper understanding of the potential human rights risks posed by your technology — be sure to check out my next article where I will address human rights due diligence and what it means for businesses working with AI.
To learn more about Slimmer AI’s approach to ethical and responsible AI development please read here: https://www.slimmer.ai/innovation