Visiting Fellow, Global Governance Center
Graduate Institute of International and Development Studies
Synopsis: Sustainable investing cannot be treated as a static checklist or a corporate merit badge. The ever-evolving way of doing business and the adoption of data-driven technologies call for a shift of focus to human rights and specifically to the fundamental right to privacy. Given the magnitude of the task and the stakes involved, shouldn’t institutional investors be held liable for their internal operations and investment decisions?
Keywords: privacy; data protection; sustainable investing; environmental social and corporate governance (ESG); human rights
Last month, the Principles on Responsible Investing (PRI) published a milestone framework, which brings into focus the duty of institutional investors to act upon human rights: “Why and how investors should act on human rights”. PRI, a United Nations (UN) backed organization with a mandate to promote environmental, social and corporate governance (ESG) standards for businesses and investors, has more than 3,000 signatories committed to sustainable investment.
The ESG investing framework is interlinked with the achievement of the Sustainable Development Goals (SDGs). Reaching the SDGs cannot solely depend on governments. As the principal wealth stakeholder, the private sector is equally responsible for determining how financial resources convert into business activities and holds an added responsibility for promoting sectors, businesses, and practices that advance the 2030 sustainability agenda.
The “S” in ESG investing
In the wake of the coronavirus pandemic, companies and investors have started paying more attention to the social “S” factors of their ESG operation and investment decisions. Yet, due to limited corporate reporting and non-quantitative reporting methods, defining and framing social factors is often challenging. In 2019, BNP Paribas published a Global ESG Survey, which showed that 46% of investors surveyed (including 347 institutions) said that “S” is the most difficult factor to analyze and include in investment strategies.
Among social issues, privacy has lately been in the spotlight. As in the Facebook-Cambridge Analytica or Target data breaches, companies with inadequate privacy safeguards have suffered significant financial and reputational damage. Naturally, as tech and retail companies become more reliant on data collection and processing, they are faced with increased scrutiny by consumers and with an escalation of their regulatory and litigation risks. Under the ESG framework, privacy is considered an indicator of a business’ ethical and social behavior. It is also a fundamental human right, based on international norms established by the United Nations, European Union (EU) charters, and national constitutions.
The latest PRI report reintroduces human rights in the ESG discussion by placing the focus on institutional investors. Multilateral Development Banks (MDBs) and International Financial Institutions (IFIs) are key institutional investors whose authority and mandates are defined in an international treaty, to which all their member states are parties. As international law subjects, MDBs and IFIs are bound by customary international law and general principles of law which address fundamental human rights issues.
Privacy and data protection: a crucial concern for MDBs and IFIs
Especially now, MDBs and IFIs collect and process an enormous volume of data and personal information, such as personal and corporate account details, research results, and staff information, compiled and transferred through various sources. This information is crucial for driving business decisions and forming accurate financial projections. Large datasets, directly or indirectly collected, place on institutions the responsibility to ensure that their processing respects personal data.
The risk for privacy also lies in the type of data collected: as many MDBs expand their traditional financing role to consulting and research activities, they often collect and analyze sensitive personal information relating to health, education, gender and culture. The processing of this information needs to be based on the informed consent of the “data subject”, and the information stored only for as long as it is necessary to fulfill a specific purpose. Thus, it is essential that institutions balance the protection of the right to privacy with their interest in preserving “institutional memory” and facilitating future activities.
The increasing concern around data protection drove the EU to create the General Data Protection Regulation (GDPR). Countries including Canada, Argentina and Brazil have enacted legislation, or enhanced existing legislation, based on the model of the GDPR. Whether the GDPR’s scope covers MDBs and IFIs remains debatable. Nonetheless, the reputational and financial damage of a data breach would be equivalent to that of a corporation. In light of the above, MDBs have adopted policies and initiated efforts to address privacy in project planning, based on the principle “protection by design”. The EBRD and the ECB have been at the forefront of this trend, followed by the World Bank Group, the IMF, and others. Other international organizations and NGOs have also been following
With institutions broadening their work scope and adopting digital technologies at an increasing pace, the right to privacy has become more vulnerable and relevant than ever. More than an ethical barometer, data protection is a fundamental human right that allows institutions to adopt future-oriented policies without compromising social sustainability.