Adequate Procurement

States ought to adhere to certain formal processes for procuring and assessing the services of private companies for delivery of public duties. Through such processes, both the state and the company ought to perform due diligence on each other to ensure they comply with their respective human rights obligations, at every stage of a partnership's lifecycle.

States ought to adhere to certain formal processes for procuring and assessing the services of private companies for delivery of public duties. This is a fundamental principle of public procurement, essential for preserving the integrity of public spending and delivery of public functions. Through such procurement processes, both the state and the company ought to perform due diligence on each other to ensure they comply with their respective human rights obligations. Under the UN Guiding Principles on Business and Human Rights, companies are required to “avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved”, and to “know and show” that they do not infringe on human rights through their operations or business relationships.

In the context of PPPs for the deployment of technologies with potential impact on the enjoyment of human rights, procurement processes ought to be enhanced with certain safeguards and principles. These should ensure that proper assessments of impact have been performed, and that a certain technology isn’t being deployed for reasons other than its ability to fulfil the publicly approved and stated purpose (to prevent practices such as corruption, abusive lobbying, nepotism…). By requiring companies to adhere to human rights due diligence (‘HRDD’) obligations, states can also ensure that a technology has been properly assessed at its design and development stages, rather than solely at deployment stage. As to the post-deployment stage, the increasingly co-dependent, ongoing relationships between states and companies in the surveillance technology sphere call for similarly ongoing, accrued assessments and scrutiny throughout the partnership’s lifecycle.

Safeguard 6 - Adherence to public procurement processes

When awarding a contract to a company, public authorities must demonstrate adherence to formal public procurement processes, and must put in place formal documentation governing the partnership. Any exceptions to these formal processes (for national security or other reasons) should be strictly circumscribed, and should not be used to introduce a new technology to then repurpose it for non-excepted purposes without the required approval processes or documentation. The level of scrutiny required in a procurement process should not depend on the cost of the contract, but rather on the risks raised by the intended technology deployment.

Issue addressed

Lack of, or lack of adherence to, formal approval process; and/or exceptions from such formal processes for national security issues

Example(s) of abuse

Peru En Tus Manos: in Peru, a Covid-19 tracking app, was encouraged for use by the Peruvian government despite no formal approval process having been gone through.
Palantir and the NHS: Palantir’s original £1 contract with the NHS for the Covid datastore was struck without proper scrutiny and adherence to procurement processes.

Safeguard 7 - Human rights due diligence ('HRDD')

States, and contracting companies, should ensure that robust human rights due diligence processes are in place, that include into their scope the early stages of the design and development of a technology, as well as stages of deployment and use. Details of the processes in place should be made public and available for review. When a PPP is considered, HRIAs should be performed for any general or specific deployment of a technology. DPIAs should be performed for the deployment of any technology involving the processing of personal data, whether the processing is considered to be likely to result in a high risk to individuals or not. Where algorithms will be used to make automated decisions, AIAs ought to be performed as well.

Issue addressed

Lack of HRIAs or DPIAs, or those assessments not being conducted diligently

Example(s) of abuse

Facial recognition in Argentina: the UN SR on Privacy expressed concerns that two cities deployed facial recognition and other surveillance software without carrying out any PIAs, and no one was able to explain their necessity proportionality.
Huawei in Como: the DPIA performed by the municipality didn’t cover impact of facial recognition technology (‘FRT’) and didn’t assess the accuracy of FRT algorithms.

Safeguard 8 - Ex ante DPIAs

Individual DPIAs should be conducted during the procurement process when evaluating different technologies and companies’ ongoing services, and the results from those DPIAs should be taken into account in the decision to award a contract. Public authorities should award a PPP contract only after a DPIA has been conducted, published and made available for review by independent oversight bodies and the public for a specified amount of time.

Issue addressed

DPIAs conducted as post-award compliance checkbox rather than pre-award decision tools

Example(s) of abuse

Huawei in Como: DPIA conducted only after tender awarded to A2A Smart City.

Safeguard 9 - Commitments against assisting human rights abuses

Authorities should assess companies’ human rights policies and records, and should only grant PPP contracts to companies who, as part of their human rights policies or other codes of ethics, commit to refusing any requests by states to assist in unlawful surveillance efforts against specific groups or when there are salient human rights risks. Previous involvement of a tendering company in human rights abuses in other countries should be a factor leading to rejection of a bid.

Issue addressed

Companies might be contributing to a state’s mass surveillance and authoritarian practices, in exchange for the deployment of the company’s technology in the country

Example(s) of abuse

Huawei in Uganda: Huawei has reportedly delivered surveillance training to intelligence officials, which was later used to spy on the government’s opponents.
Gamma International was found by the UK NCP to have insufficient CSR policies and human rights due diligence practices.

Safeguard 10 - No general use of private surveillance systems

As a principle, public authorities should not systematically use surveillance and mass data processing systems deployed in private spaces and/or data derived from these systems. Any use of such systems should be on an ad hoc, strict necessity basis following the appropriate legal framework, and accompanied by the same transparency and due process standards required for any PPP. This means, for example, that authorities should not be granted general access to such systems or data, but should rather request specific information when they need it – following the appropriate legal framework and a prescribed procedure.

Issue addressed

Technologies deployed for private purposes are sometimes co-opted by public authorities for policing purposes, without required public procurement processes and safeguards

Example(s) of abuse

Amazon Ring has agreements with law enforcement agencies around the world granting them access to private surveillance networks
Facewatch systems deployed for retail surveillance offered for use by police forces
Facial recognition in London King’s Cross station – FRT installed for private security purposes, later used for policing