OECD complaint against Gamma International accepted for further investigation

In an encouraging first response to our complaint against surveillance company Gamma International (Gamma), the UK National Contact Point (NCP) of the Organisation for Economic Cooperation and Development (OECD) announced that it will further investigate our claim against Gamma, as the evidence submitted appears to substantiate our allegations.

In February 2013, Privacy International, together with the European Center for Constitutional and Human Rights, Bahrain Watch, the Bahrain Center for Human Rights and Reporters without Borders filed a complaint against Gamma for breaching no less than eleven of the OECD guidelines by exporting its surveillance technology to Bahrain, where this technology was allegedly used to target human rights activists. The OECD guidelines promote responsible business conduct, and cover a range of issues including the impact a company's business in a certain country has on human rights. They apply to all multinationals including those whose products, business partners or countries carry a higher risk of abuse.

The NCP stated that the evidence that we submitted supports our allegations about human rights risks in Bahrain, that these risks are likely to have been known to Gamma, and that Gamma's product may have been used to target Bahraini activists. According to the NCP, this substantiates the issues in respect of the company’s obligations to do appropriate due diligence and to address adverse impacts to human rights.

What Gamma said

The initial response of the NCP gives an interesting insight in the way Gamma conducts its business, for instance how it selects its customers.

The NCP confirmed Gamma only supplies its spyware to police and security forces of sovereign states. However, sovereign states can still have dismal human rights records, and use Gamma's spyware to target activists, journalists and political opposition. The OECD guidelines require a company to carry out human rights due diligence, and to prevent and mitigate adverse human rights impacts linked to their activities and products.

The OECD guidelines also prescribe companies to have a policy commitment to respect human rights.  The NCP stated in its Initial Assessment that Gamma says that it is has been considering publishing a civil rights policy, but that is not yet certain that it could successfully implement such a policy. Gamma also considers that a wider policy preventing sales to any country whose human rights record has been criticised would not be practicable. Practicable in view of sales results or not, the OECD guidelines explicitly require multinational companies to have a human rights policy in place.

Gamma further announced that, although it did not have a human rights policy in place at the time the malware was allegedly sold to Bahrain, it would not supply its product in a situation where it believed it would be used for the purpose of repressing civil rights. This is an interesting choice of words, because a situation in which its product would be used for the purpose of repressing civil rights - for instance a civil war - is obviously a much narrower concept than a country where it is likely to be used for repressing civil rights. According to the OECD guidelines, enterprises should carry out human rights due diligence, and prevent and mitigate actual and potential adverse impacts of their business on human rights, which relates to all countries in which they conduct business.

As far as addressing adverse impacts of its products on human rights are concerned, Gamma indicated towards the NCP that it would not be practical to enable a surveillance system to be remotely and unilaterally closed down by the supplier should human rights concerns arise, as no customer would purchase a system so enabled.

Next steps

The next step will most likely be a mediation process, in which the NCP has formally asked Gamma and Privacy International to take part. If a mutually acceptable solution is reached, the NCP will reflect the outcome of the mediation in a Final Statement without making a determination as to whether the company acted inconsistently with the Guidelines. If mediation fails, the NCP will make an assessment of the alleged violations of the Guidelines and will reflect its findings in a Final Statement as well.

This procedure is separate from a complaint that was simultaneously filed against German company Trovicor GmbH, which also sells internet monitoring and mass surveillance products. This complaint is still under review of the German NCP of the OECD.

This procedure is also separate from Privacy International's filing for judicial review of the HM Revenue and Customs decision not to disclose information on a possible investigation into the potential unlawful export by Gamma of surveillance technology to Bahrain. The UK NCP noted that it does not consider that these parallel proceedings affect its ability to make its Initial Assessment or its decision to accept the complaint for further examination.