ICANN: one year on from its first human rights impact assessment

ICANN: one year on from its first human rights impact assessment - Digital

On 10 July 2020, ARTICLE 19 received ICANN’s responses to two Documentary Information Disclosure Policy (DIDP) requests, which we filed in June. Specifically, we requested an update on ICANN’s progress toward implementation of the recommendations from its first internal human rights impact assessment (HRIA) report, which was published on 15 May 2019.

A HRIA is a process to identify and prioritize the human rights impacts of an organization, analyze how effectively these impacts are managed by the organization and develop actions for improvement.

ICANN’s HRIA, conducted externally by a consultancy firm, identified 13 intersection points at ICANN that could potentially raise human rights concerns. These include processes to foster equal and fair treatment of staff, internal grievance mechanisms to raise and investigate complaints, management of human rights risks in the supply chain and effective management of human rights considerations while running ICANN Public Meetings.

With about 60% of the world’s population being daily active users of the Internet, it’s of fundamental importance that ICANN, the custodian of the Domain Name System (DNS), prioritizes its adherence to strong human rights commitments and considerations in the management of this invaluable global resource. But to what extent has ICANN actually implemented the HRIA report recommendations over the past year?

Tracking Implementation

The 2019 HRIA report identified four major areas where ICANN should improve:

  1. Effective Human Rights Governance. ICANN was advised to identify a relevant department to oversee the implementation of human rights recommendations and further due diligence processes, supported by a cross functional human rights committee composed of members of other relevant departments.
  2. Continuous due diligence and expansion processes of the HRIA methodology. The report recommended regular HRIAs with a specific follow-up HRIA to this first assessment after one year of implementation, evaluating if impacts have been improved and risks have been mitigated. The report also recommended subsequent HRIAs to cover new areas and operational activities such as global stakeholder engagement, governmental engagement, and policy development support.
  3. Proactive management of potential human rights risks in the supply chain. The report recommended that ICANN should proactively manage potential human rights risks in the supply chain and procurement of goods and services by third party vendors by training and providing guidelines for ICANN staff involved in procurement practices, such as on the handling of personal information that could be subject to abuse.
  4. Data Privacy. The report found that there were no written terms on the right to privacy of employees when adopting physical security measures. For instance, there were no clear terms on when employees are monitored, what may be monitored or whether monitoring practices apply at any given time.

Prior to the DIDP requests filed by ARTICLE 19, ICANN did not have any publicly available information on the status of its implementation of the HRIA recommendations. Coincidentally, while responding to our requests, ICANN published a blogpost disclosing its progress. In it, ICANN states that it has implemented nearly half of all the HRIA recommendations, with a focus on improving relevant processes, practices and policies that may impact human rights concerns within the areas under review.

The relevance and impact of some of these efforts remains in question. ICANN claims that it has implemented the ISO 3100-based framework for managing risks at each meeting location; however, this standard provides for generic risk management and does not set out a rights-based approach or considerations. ICANN claims to have enhanced pre-meeting training for staff; however, the specific subject and purpose of this training are still unclear.

From the disclosures, it appears that ICANN has only reached for the low hanging fruit in its efforts so far. Most notably, the first recommendation of the HRIA report remains unmet. Without an effective human rights governance structure in place, it is unclear how ICANN intends to take a systematic, prioritised, and comprehensive approach to implementing these and other recommended changes. The absence of fundamental structural change calls into question whether ICANN’s existing efforts reflect a long-term commitment or function as a short-term Band-Aid. We do not even know the status of the first recommendation, as the ICANN blogpost and DIDP responses fail to clarify which of the outstanding recommendations are currently under consideration or in the process of being implemented.

Recommendations for next steps

While ICANN’s completion of a HRIA and progress towards implementing its recommendations are welcome first steps, the process and substance reflect certain limitations that should be addressed in the following ways:

  • Considering that it has been over a year since the May 2019 HRIA, ICANN should urgently undertake a second HRIA to evaluate whether the identified shortcomings have been remedied and risks have been mitigated.
  • ICANN should plan for the next HRIA to involve both the ICANN contracted parties and suppliers to ICANN to provide a more comprehensive view of ICANN’s human rights impacts, as the inaugural methodology and scope were limited in this way. This improvement in methodology will hopefully contribute to a more comprehensive second HRIA report.
  • ICANN should improve its transparency by having a publicly available information sharing tool that proactively discloses the implementation of all ICANN HRIA recommendations, including details of their consideration and progress.