Parties affected by a public-private partnership's technology must have avenues for redress. Redress mechanisms must assign responsibility between the state and the company involved in a partnership, and provide both non-judicial and judicial avenues to raise and resolve adverse human rights impacts.
Many things can go wrong with the deployment of a private technology for performing state functions, potentially leading to severe impacts on individuals’ human rights. If such things happen, international human rights law provides that states have an obligation to ensure an “effective remedy” for individuals whose rights they have violated. States have a legal obligation to provide effective remedies for “business-related human rights harms, including human rights harms associated with the development and use of digital technologies by companies” (B-Tech Foundational Paper).
In the context of surveillance or processing of personal data, the secrecy around technologies used renders such redress particularly difficult to obtain. While recognising that “advance or concurrent notification might jeopardize the effectiveness of the surveillance”, the UN Special Rapporteur on Freedom of Expression has emphasized that “individuals should nevertheless be notified once surveillance has been completed and have the possibility to seek redress in respect of the use of communications surveillance measures in their aftermath”.
In the context of PPPs, the common lack of information due to confidentiality restrictions can affect redress. Redress needs to be justified, designed and assigned in a way that corresponds to the way a technology functions and is used – hence the need for other principles to have been properly upheld, in particular transparency, accountability and oversight.
Equally, states ought to have recourse against companies that violate any conditions of their agreement with the state or that ought to be held responsible for facilitating abuses of human rights. This is essential for states to be able to uphold their obligations towards citizens when fault is attributable in whole or in part to the company they contract with.
Safeguard 22 - Redress provisions
Having recourse to courts or other senior judicial systems is often not a viable option for individuals affected by isolated uses of a technology, especially considering that abuse can be difficult to establish through traditional justice mechanisms.
The technology use policy recommended by safeguard 13 should include redress provisions by pointing to existing, or establishing new, mechanisms and entities for complaints handling and enforcement of sanctions for violations of the policy (including pointing to an appropriate independent oversight body able to investigate and provide redress). These redress mechanisms and responsible entities should be suited to the nature of the technology, its intended purpose and identified impacts. They should assign responsibilities and redress obligations to both the state and the company involved, and ought to adhere to the eight “effectiveness criteria” set out in UN Guiding Principle 31.
The state should also ensure that the company it contracts with has a grievance mechanism in place, through which potential adverse human rights impacts can be flagged and remedied early.
Lack of avenues for redress when a technology is abused
Example(s) of abuse
NSO malware used to target lawyers of victims in Mexico – once discovered, NSO did not cooperate with efforts to obtain accountability and redress.
Safeguard 23 - Termination, interoperability and transfer clauses
PPP contracts should include termination clauses allowing (1) the company to terminate the contract should it become aware that its technology has been used or is intended to be used for activities which do not comply with the governing human rights framework, and (2) the state to terminate the contract should it become aware that any of the company’s products has been used for human rights abuses by other states (regardless of whether the product in question is the one contracted for), or if it becomes apparent that certain terms of the contract prevent the state from acting in the public interest.
PPP contracts should also include strict interoperability and transferability clauses. Interoperability and transferability are essential in the realm of public procurement, as a state is bound to procure services that comply with certain requirements and to do so in a prescribed way. If a company the state has contracted with changes the way its service(s) work, or its policies, making them incompatible with the state’s obligations, the state should be entirely free to exit this partnership and enter another, without any hoarding of data or information by the company or any “punitive” or otherwise undue switching costs, which put pressure on public funds.
PPP contracts tend to lock public authorities and companies in the partnership through onerous switching or termination clauses
Example(s) of abuse
- UK Border Agency sued by Raytheon Systems Limited for wrongful termination of immigration computer system provision contract.
- Palantir and the NYPD: at the end of the contract, Palantir refused to produce the analysis generated by Palantir’s software for it to be transferred to a new non-Palantir system.