SaaS Provider Two: A government entity may use a software development tool to develop spyware that is used for the surveillance of activists, journalists, and political opponents.

SaaS Provider Three: Companies may use plant operations management software to collect data on worker performance, which may then be used to discriminate against certain groups of employees or violate employees’ rights to free association.

Cumulative Impacts

• The general increase in the use of SaaS services and the digitization of business processes may lead companies and government entities to collect more data than they otherwise would. The increased collection of data may lead to heightened privacy and cybersecurity risks, both for SaaS providers and their customers.

Relevant Human Rights Instruments

Relevant human rights for this impact area include, but are not limited to:

• Right to privacy: Article 12 of the UDHR states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” As privacy is an enabling right, the violation of privacy may have secondary impacts on other rights, including the right to life, liberty, and security, and freedom from arbitrary arrest.
• Right to non-discrimination: Article 2 of the UDHR states that “Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”

• Right to freedom of expression and to seek information: Article 19 of the UDHR states that “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

• Right to life, liberty, and security: Article 3 of the UDHR states that “Everyone has the right to life, liberty and security of person.”

• Right to freedom of association: Article 20 of the UDHR states that “Everyone has the right to freedom of peaceful assembly and association.”

Assessment of Severity and Management Factors

Severity: Privacy and data governance is an impact area relevant to all SaaS providers. Therefore, the scope of impact includes all SaaS end-users, and the scale of impact can be very high, depending on how data is handled. A potential violation of privacy may lead to secondary impacts that might not be remediable.

Likelihood and Management Factors: The likelihood of impacts related to privacy and data governance, and their management may change based on different characteristics, such as:

• Volume and sensitivity of data processed: The likelihood of human rights harm related to privacy and data governance rises as the volume and sensitivity of the data processed by

Human Rights Assessment of the Software-as-a-Service Sector
