Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.

Our OECD complaint against Gamma International and Trovicor

On 1st February 2013 Privacy International, together with the European Centre for Constitutional and Human Rights (ECCHR), the Bahrain Center for Human Rights, Bahrain Watch and Reporters without Borders, filed complaints with the Organisation for Economic Cooperation and Development (OECD) against Gamma International, a company that exports “FinFisher” (or “FinSpy”) intrusive surveillance software, and Trovicor GmbH, a German company (formerly a business unit of Siemens) which also sells internet monitoring and mass surveillance products. The complaints ask the UK and German National Contact Points (NCPs) to ascertain whether the technology companies have breached the OECD Guidelines for Multinational Enterprises by exporting surveillance products to Bahrain, where the authorities use such products in human rights abuses.

The OECD Guidelines are a key international instrument for promoting corporate social responsibility. The Guidelines are addressed by governments of adhering countries to enterprises that operate from or in those countries, and contain broad, non-binding recommendations for responsible business conduct, covering a range of issues such as labour, human rights, bribery, corruption and the environment.

The Guidelines are supported by a well-defined implementation mechanism centred around National Contact Points, agencies established by the governments of adhering countries. The role of these NCPs is to promote and implement the Guidelines, and, accordingly, they investigate complaints and provide a mediation and conciliation platform for resolving issues concerning the implementation of the Guidelines. When dealing with a complaint against a company, the NCP will make an initial assessment of whether the issues raised merit further examination, and will then help the parties concerned to resolve the issues.

Privacy International and fellow complainants are arguing that Gamma and Trovicor have breached no fewer than 11 of the OECD Guidelines, all of which concern human rights. The complaints are founded on evidence that Gamma’s and Trovicor’s spyware is being used by Bahraini government authorities to target political activists and dissidents. The spyware works by being sent to target individuals disguised as an email or link (concerning a topic that is known to be of interest to the recipient) or software update, which then installs itself on the target’s computer or phone device and begins to relay information back to the sender, including the contents of all emails and Skype conversations, as well as other data stored on the devices. Such software is incredibly sophisticated and very difficult to detect, and thus an extremely potent weapon in the hands of oppressive regimes. Those targeted by the software have been subject to arbitrary arrest and torture, perhaps even execution.

The complaints contend that, if it is confirmed that the companies have supplied spyware to Bahrain, then they may be guilty of complicity in (“aiding and abetting”) human rights abuses perpetrated by Bahraini authorities. The right to privacy and freedom from torture and arbitrary arrest find recognition in several international human rights instruments, including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, all of which are ratified by Bahrain. In addition, these rights are recognised in the Constitution of Bahrain.

Specifically, it is argued that Gamma and Trovicor have

  • failed to respect the internationally recognised human rights of those affected by their activities;
  • caused and contributed to adverse human rights impacts in the course of their business activities;
  • failed to prevent and mitigate adverse human rights impacts linked to their activities and products, and failed to address such impacts where they have occurred;
  • failed to carry out adequate due diligence (including human rights due diligence); and
  • failed to implement a policy commitment to respect human rights.

The complaints also set out Privacy International and fellow complainants’ expectations towards the companies: these include expectations that Gamma and Trovicor should cease relations with Bahrain, implement a human rights policy and incorporate human rights due diligence into their operations, disclose contracts selling surveillance products to foreign governments, and disable products where there is reason to suspect they are being used to commit human rights violations.

Observance of the OECD Guidelines is voluntary and compliance cannot be enforced by law. This is an important feature of the system and essential for its practicability, including its acceptance and support by adhering countries. If the UK and German NCPs at the end of their investigations find that Gamma and Trovicor have failed to comply with the Guidelines, they do not have the power to fine the companies or sanction them in another way. Importantly, however, they will issue concluding statements that will be available to the public. A company’s reputation is one of its most valuable assets, and so a statement that denounces it for breaching human rights is in itself a strong sanction. Such an outcome is no replacement for having tighter export controls for surveillance equipment, which Privacy International regards as urgently needed, yet this is an important step in PI’s efforts to urge companies that export surveillance technologies to address the human rights consequences of their actions.