This week the European Commission’s Directorate-General for Enterprise and Industry announced that the ICT sector would be one of three business sectors that would be the focus of a year-long project to develop sector-specific guidance on corporate responsibility and human rights. In case anyone is curious the other two are employment and recruitment, and oil and gas.

The selection of the ICT sector comes as no surprise given the events of the last few years. Technology and its capacity to be a tool of democratisation and repression, and the role and responsibility of businesses to take a stand (or not), have dominated the news and policy debates. To me as the CSR/HR/ICT person, this is all fascinating and more than anything, welcome attention to an issue I was yammering on about five years ago to a sea of largely uninterested faces. It is also a natural extension of the European Commission’s recent commitment to develop sector-specific guidance in its communication on corporate social responsibility.

The project seeks to take the former UN Special Representative John Ruggie’s Protect, Respect and Remedy Framework and his Guiding Principles on its implementation and figure out how it should work in the ICT sector. For more on these documents see here. What, for example, should Vodafone have done when the Egyptian Government ordered it to turn off mobile phone networks? Resist the order? Immediately cease work in Egypt? Comply? In the end Vodafone did comply. For more on this see Salil Tripathi’s excellent commentary. But the next question is whether a corporate governance framework would have helped Vodafone navigate these issues. Vodafone had been one of the key drafters of the Global Network Initiative, one of the leading CSR frameworks for technology companies concerning human rights, but it pulled out at the last minute. Would being a member of the GNI have made a difference? As we go forward with this project to provide guidance to the ICT sector, we should remember this scenario and ask – what guidance would help a company in the position of Vodafone? If it has not provided any, then this will have all been a theoretical exercise. More fundamentally, we need to ask: when is guidance not enough? When do we need the rule of law?

Over the next year I suspect I will talk quite a bit about this project, but let me offer some preliminary thoughts. We need to be clear about what we are asking of this guidance. One of the most difficult issues here is teasing out what the difference is between what I call pure-CSR, or voluntary responsibilities undertaken by businesses, and legal obligation, and when the two overlap. The waters are far from clear here. For example, when a business voluntarily commits to human rights responsibility (in whatever form), this can eventually take the form of legal obligation by actions for breach of contract (i.e. employment situation) or tort (i.e. falling below a standard of care undertaken by the company). Further, voluntary principles can sometimes inform legislation (in Canada a voluntary code on hockey helmets later became the basis of legislation on same). Putting all of that aside, much work is needed to determine what we are asking of the ICT sector – voluntary commitment, regulation, legal obligation.

The second issue is: whose responsibility is this? This is a critical issue to human rights law, which is only binding on states. Where the line between voluntariness and the law is so hazy, we must be even more mindful on whom we are imposing obligations. Are we asking the ICT sector to commit to human rights codes (not necessarily as a matter of law)? If not, and we want something more, which I suspect is the case, then this is a government responsibility. It might be that the rules are developed and debated in a multi-stakeholder form, but in the end this is a duty of the state to ensure that the human rights of its citizens are protected. The role of businesses here is as the institutions through which the state’s human rights duties are realised, and since businesses are private, profit-making institutions it is no small matter to go this route. Businesses are not supposed to be moral arbiters of the world’s problems, but in the ICT sector the fact is they are forced to make moral decisions every day. This does not necessitate top-down laws (though it might). It can also take quasi-regulatory form aka OFCOM (but let’s not go down that road of discussion for now shall we…). The important thing to take away, for the moment, is that on whom the responsibility lies matters because that determines the enforceability of the rules.