This briefing analyses responses to a survey conducted by the Business & Human Rights Resource Centre (the Resource Centre) on corporate transparency and the human rights due diligence processes of 23 companies that allegedly produce or provide surveillance technologies to governments in the MENA region. Since we surveyed the same companies two years ago, the human rights risks of operating in the region have only grown. Government crackdowns on protestors and women in Iran; the outbreak of Israel’s war on Gaza; devastating natural disasters in Morocco, Türkiye and Syria; acute economic pressures across North Africa; and shrinking civic space for political and human rights activists throughout the region are but a few hallmarks of the increasing complexity of operating in or providing products and services to MENA, where transparency and heightened attention to identifying and mitigating human rights risks is essential to any responsible business practice.

Despite this reality, the intervening period between the surveys yielded no significant improvements in the number of companies demonstrating transparency. As in 2022, only five of the companies approached – Airbus, G4S, Indra, Leonardo and Sony – responded to our 2024 survey. Eighteen companies did not. This demonstrates a damaging opacity towards the public, governments and investors regarding a fundamental tenet of human rights compliance for any company, and should send alarm bells ringing. In contrast, the responses from four of these companies – Airbus, G4S, Indra and Leonardo – included specific, detailed answers in examples of better practice, although there is still progress to be made.

Other key findings include:

• All responding companies report having human rights policies in place, but allegations of abuse against some of these firms and others in the sector highlight an implementation gap that needs to be closed as a matter of urgency.
• Commitment to human rights due diligence appears to be increasing, with Airbus, Sony, Indra, Leonardo and G4S indicating some heightened due diligence processes in place, which are essential in high-risk zones, such as MENA.
• Over half of responding companies include stakeholder engagement in their human rights due diligence processes, with greater commitment to systematic and meaningful engagement needed.
• Grievance mechanisms are essential to ensuring effective human rights due diligence. Four out of the five respondent companies confirmed the ability of stakeholders to raise grievances, but only Airbus and G4S publicly commit to non-retaliation principles where the mechanisms are actually used by stakeholders.

The general lack of transparency by the surveillance sector obstructs detailed assessment of the industry’s actual engagement with its human rights responsibilities at any scale, including the critical need for heightened human rights due diligence. This is a growing material risk to business. Governments around the world increasingly recognise corporate human rights due diligence and transparency as requirements of doing business, rather than optional considerations. It appears at least 30% of the companies surveyed here, for example, will fall within the ambit of the EU’s Corporate Sustainability Reporting Directive, and the newly-passed EU Corporate Sustainably Due Diligence Directive, including its civil liability provisions, which should fundamentally change the calculus of risk in the boardrooms of those firms, as space for these transparency and due diligence gaps across supply chains is closing rapidly.

At the same time, human rights risks of surveillance technology are increasingly in the spotlight. Countries around the world are deliberating legislation to limit the reach of artificial intelligence (AI) and biometric surveillance, data protection authorities are settling into their enforcement powers, and governments are re-assessing the risks associated with the proliferation of targeted surveillance tools, such as spyware. The efforts to ban live facial recognition in public spaces also continues – with real progress evident in the crucial jurisdictions of the US and the EU.

Companies, investors and governments should understand this evolving landscape will have serious implications for their respective roles in providing, funding and procuring surveillance tech in the MENA region. The former UN Special Rapporteur on the Promotion and Protection of the Rights to Freedom of Opinion and Expression, David Kaye, has previously called for a moratorium on the global sale and transfer of private surveillance tools until robust safeguards are put in place to ensure states use these tools appropriately. These safeguards simply do not exist in the MENA region.

At a minimum, and in light of the rising risks in the region, this means:

• Companies choosing to operate in the region have a responsibility to regularly undertake robust heightened human rights due diligence in respect of their operations and value chains there, and make public their approaches for those countries, findings and risk-mitigation efforts, in line with international standards.
• Investors should engage with companies to insist on risk mitigation through human rights transparency, heightened human rights due diligence and access to remedy. Time-bound demands for rapid changes in business models should be set, followed by disinvestment if international standards are not met. Investors should be more seriously scrutinising the surveillance tech companies in their portfolios and encouraging companies domiciled in democratic countries to ensure they are not powering authoritarianism abroad.
• Governments in exporting countries should urgently put in place regulations which insist on corporate compliance with international human rights standards; with a moratorium on licensing and export of invasive surveillance technologies and services until these are in place and enforced.

Introduction

The use of surveillance technologies by governments in the MENA region, often justified in the pursuit of national security and counter-terrorism measures, is not a new story. The staggering scale of their use to silence human rights defenders, journalists, activists and opposition leaders is well documented, calling into question any legitimate or legal reasons for states to use these technologies given their poor human rights records.

However, information on the role and responsibility of private tech companies – integral in facilitating the sale, transfer and use of invasive surveillance technologies by MENA governments – remains scarce due to the opacity of the surveillance industry itself. Findings from the Resource Centre’s 2022 briefing on tech companies’ provision of surveillance technology to aid in migration and border control across MENA, as well as its 2024 briefing on the role of tech companies in facilitating Israel’s war on Gaza, are testament to this lack of transparency. This is despite governments around the world increasingly recognising transparency and corporate human rights due diligence commitment are requirements for doing business, rather than optional considerations.

The Resource Centre has been anaylsing publicly available information related to allegations of human rights abuse and civil society reports related to the involvement of private tech companies in the expansion and intensification of surveillance measures in the MENA region to monitor and control their populations. These include the alleged extensive use of facial recognition and movement tracking of Palestinians in the West Bank and Gaza; the potential violations of the rights to privacy, freedom of expression and association, as a result of a cloud data centre in Saudi Arabia; the use of Deep Packet Inspection (DPI) technology in mass web-monitoring and censorship to block news as well as target political actors and human rights activists in Egypt; the use of CCTV cameras in Iran to crack down on women who remove their headscarves in public; and the use of drones and CCTV cameras armed with a facial recognition technology in the Qatar World Cup. These examples – merely the tip of the iceberg – demonstrate how big-name tech companies around the world reap profits from contributing to oppressive efforts by MENA states, at great cost to the human rights of many who live there.

In May 2024, the Resource Centre sought to highlight progress in corporate transparency commitments and accountability of these companies since our last assessment in 2022, which painted a bleak picture of the sector’s operations in the region despite these risks: a concerning lack of transparency, gaps in human rights policies and human rights due diligence efforts, limited evidence of stakeholder engagement, and under-performance on ensuring accessible grievance and remedy mechanisms. We re-invited the 23 companies profiled in our 2022 briefing (one company, Evron Systems Ltd, could not be contacted and is therefore excluded from the list) to respond to questions about their provision or deployment of surveillance technology in the MENA region, as well as their human rights due diligence processes to identify and mitigate related risks.

The 2024 survey also included specific focus on heightened human rights due diligence (hHRDD), in recognition of the growing risks of operating in the MENA region, as well as invitations to the companies to respond to specific allegations of human rights abuse taking place over the same period and associated with their services or operations.

Analysis of company responses

The 23 companies profiled in this analysis had three weeks to respond to the survey and allegations.

As in 2022, responses were received from just five companies: Airbus, G4S, Indra, Leonardo and Sony, two of which also responded to our 2022 survey (Airbus and G4S). Three companies provided specific responses to questions: Airbus, Indra and Leonardo. The responses submitted by Airbus and G4S contain similar information to their 2022 responses, but are helpfully supplemented with new detail on how their subcontractors and other entities in their supply chains comply with their human rights and other rights-related policies and procedures. Sony only provided information on its policies.

Two companies declined to engage with the survey. Cellebrite, which responded to our 2022 survey, stated “it is not a surveillance or offensive cyber-technology company; nor does it produce technology solutions that support surveillance or monitoring efforts. Completion of this survey would incorrectly categorise our business”. Our data points and Cellebrite’s website suggest otherwise, as the company develops the Universal Forensics Extraction Device (UFED) and Inseyets and facilitates extraction from digital devices. Nexa also responded, stating it “discontinued and stopped its activities in 2022”. On its website, it states “after more than 10 years serving the fight against crime in France and around the world, Nexa Technologies and its shareholders have decided to refocus the company's activity by devoting itself exclusively to cyber defense”.

Despite nearly two years between them, the 2024 survey process revealed similar findings to that of 2022 – highlighting a concerning lack of material progress in respect of human rights due diligence efforts by surveillance companies in the MENA region over time, despite rising risks of operating there.

TRANSPARENCY

The sector continues to demonstrate limited commitment to transparency, despite rising human rights risks in the region

HUMAN RIGHTS POLICY COMMITMENTS

Human rights policies exist for all responding companies, but persistent allegations of abuse highlight an implementation gap

The UNGPs set out a principled approach to human rights due diligence for all companies, requiring in the first instance the adoption and publication of a human rights policy. A paper published by the UN B-Tech Project, as well as reports prepared by the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism and the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression explain and clarify the implications of the UNGPs and its policy recommendations for tech companies, in particular.

Reflecting important progress in respect of this cornerstone of responsible business operations, all responding companies (Airbus, G4S, Indra, Leonardo and Sony) reported having a publicly available human rights policy in place that includes reference to ongoing human rights due diligence. Importantly, Leonardo in particular listed violations of international humanitarian law as an indicator in its Human Rights Impact Assessment (HRIA) at the “country-risk” level.

All responding companies also extend human rights due diligence to the rest of their value chains, affecting suppliers, contractors, and other business partners – another strong indicator of policy commitment to respect for human rights. In 2023, Indra performed human rights risk evaluations for 80% of its critical suppliers, requesting additional action in cases where inconsistencies were detected.

Despite this important progress, however, the existence of human rights policies alone does not necessarily mean these companies are not implicated in human rights violations perpetrated by state authorities. Allegations of human rights abuse linked to some of the profiled companies have been documented:

The existence of these allegations highlights that implementation of policy commitments is critical, particularly in more complex operational jurisdictions. More is required of surveillance companies operating or supplying to MENA - a high-risk sector for human rights violations, in a high-risk region where situations of armed conflict, violent extremism, shrinking civic space and repression of civil society are common challenges.

PROPORTIONAL HUMAN RIGHTS DUE DILIGENCE 

Commitment to basic human rights diligence exists, but there is critical need to ensure heightened due diligence efforts in the MENA region

Human rights due diligence is integral to responsible business operations the world over, involving identifying, preventing, mitigating and accounting for adverse human rights impacts caused by business activities. Such efforts are built on a concept of proportionality: the higher the risk and complexity of the operational jurisdiction, the more detailed the due diligence processes that are required to mitigate the scale and severity of the human rights risks to people. In other words, the corporate responsibility is augmented to conduct a heightened form of due diligence in these contexts, defined in the OECD Due Diligence Guidance, the European Commission recommendations on the identification of conflict-affected and high-risk areas, and the UN Working Group on Business and Human Rights report on business in conflict. These include situations of armed conflict or fragile post-conflict as well as areas of political instability or repression, institutional weakness, insecurity, collapse of civil infrastructure and widespread violence, weak or non-existing governance and security, such as failed states, and widespread and systematic violations of international law, including human rights abuses.

STAKEHOLDER ENGAGEMENT

Over half of responding companies include stakeholder engagement in their HRDD process, with more commitment to meaningful engagement needed

Meaningful stakeholder engagement is critical to achieving accurate assessments of human rights risks and effective safeguards, particularly in high-risk sectors such as surveillance. This is crucial because human rights risks must be understood from the perspective of those who are or may be affected.

Indra, Leonardo and Sony confirmed they engage stakeholders in their human rights due diligence process. Referring to its human rights policy, Sony commits to being “actively informed by relevant internal and/or external expertise and will engage in dialogue with relevant stakeholders”. Indra and Leonardo engage with government bodies and the UN, but do not include vulnerable or at-risk communities and groups that are recognised as legitimate representatives of affected stakeholders in their stakeholder engagement.

GRIEVANCE MECHANISMS

Grievance mechanisms are essential to ensuring effective human rights due diligence; the surveillance sector must commit to non-retaliation principles where these are used

*27/06/24 Minor updates made to the grievance mechanism section following contact from G4S