The Transparency Reporting Landscape

During the event, panelists discussed a range of issues that companies and entities across different industries are currently reporting on through their transparency reports. While this report focuses on the types of transparency reporting discussed during the panel event, it should not be considered a comprehensive overview of all existing forms of transparency reporting. This section of the report offers a high-level, background overview of these types of transparency reports, and highlights some of the types of organizations that have issued these reports. The following section will feature substantive comments from the panelists themselves.

Today, companies across several industries are increasingly collecting, storing, and managing their customers’ personal data. Numerous countries and governments, often through intelligence and law enforcement agencies have long sought data directly from companies. As data collection and storage practices have expanded, the number of requests for this data from these agencies has increased.¹ Although law enforcement and intelligence agencies must meet applicable legal standards before seeking electronic communications and other user data, it is now common investigatory practice for these entities to request data from the companies and services that a target may have used.

Transparency reporting on government requests for user data first emerged in the internet industry. In April 2010, Google became the first internet company to publish a transparency report covering government requests for user data. The company stated that it published the report in order to uphold its obligations to the Global Network Initiative’s Principles of Freedom of Expression and Privacy.²

Then, in 2013, the Snowden disclosures revealed the names of companies who were aiding government surveillance efforts in response to government demands, sparking a crisis in consumer confidence around how companies were handling user data. Thereafter, many internet and telecommunications companies pushed for legislative change so that they could report data on requests from intelligence agencies. In 2015, Congress enacted the USA FREEDOM Act, which included authorization for such reporting. After this, almost all of the major online service providers, as well as some phone and cable companies, began voluntarily publishing transparency reports on government requests for user data.³ Now, these reports also often include information on how the company processes incoming requests, and if and how they notify impacted users.⁴ OTI has been a longstanding advocate for companies to provide greater transparency and accountability around how they are safeguarding user data. In 2016, OTI published its first transparency reporting toolkit which surveys how U.S. technology and telecommunications companies are reporting on government requests for user data. The toolkit also offers best practices for future reporting.⁵ OTI published a second transparency reporting toolkit focused on content takedowns in 2018.

Today, transparency reporting on government requests for user data is considered an industry wide best practice for demonstrating accountability around the management of user data in the U.S. internet and telecommunications industries. Over 50 companies in the United States now issue such reports.⁶ The reports help the public understand the scope of government surveillance practices and hold the government accountable. Over the past few years, some international companies started reporting on such requests, and U.S.-based companies that operate globally have also started publishing data on government requests they receive in their other countries of operation, such as Germany, India, South Korea, and Brazil.

This practice has also expanded into other industries. For example, in 2015, the University of California, Berkeley became the first higher education institution to publish a transparency report on government requests for data regarding its personnel. The university’s transparency report, known as the Electronic Communications Transparency Report, provides data disclosures around government requests for access to student, faculty, and staff electronic communications (including email, calendar, and online document collaboration and storage, as well as individual computing devices).⁷ The university also later began issuing a separate transparency report that covers government requests for access to student, faculty, and staff bConnected data. bConnected is a series of online services such as G Suite for Education, Box, and CalShare that the university provides to its students, faculty, and staff members.⁸

In addition, government watchdog initiatives such as the Journalism and Media Studies Centre at the University of Hong Kong have also begun publishing transparency reports that are focused on other organizations. In 2014, the centre first published its Hong Kong Transparency Report, in order to track the extent to which the Hong Kong government submits requests for user data to Internet Service Providers (ISPs).⁹ The centre has also expanded its efforts to include data on the extent to which the Hong Kong government has been submitting requests for content removal to internet platforms and ISPs.¹⁰ Further, the centre has developed a corporate transparency report, which highlights when major internet and telecommunications companies begin reporting on Hong Kong-based government requests for user data in their own transparency reports.¹¹

The internet is an increasingly important tool for free expression around the world, as it has significantly lowered the costs and barriers to communicating, thus democratizing speech online. However, in enabling user-content production and dissemination, online platforms have also opened themselves up to unwanted forms of content, including hate speech, terror propaganda, harassment, and graphic violence. As a result, these platforms have had to create and implement content policies and content-moderation processes that aim to remove these forms of content, as well as accounts responsible for sharing this content, from their products and services. However, platforms also face increasing pressure to safeguard user expression and speech on their services. Today, platforms and networks that carry user expression have assumed the role of speech gatekeepers, often removing or blocking users’ content for various legal or policy reasons.¹² This is especially true in the United States, as the First Amendment limits the extent to which the government can direct platforms to moderate and remove speech.

As these content moderation efforts expand, companies are facing greater pressure to demonstrate transparency and accountability around how they are managing user expression. Today, over 60 global internet and telecommunications companies issue transparency reports on this subject. Such transparency reports cover a wide variety of requests and incidents, including government and other legal requests for content removal, requests for content removal based on copyright claims, requests for content removal based on trademark claims, requests for URL delisting based on the right to be forgotten, content removals based on the platform's own content policies, and instances of network shutdowns and service interruptions.¹³

Many internet platforms have also begun publishing detailed information regarding their content policies and content-moderation guidelines. Furthermore, following significant pressure from civil society and free expression advocates, a number of internet platforms have begun introducing notice and appeals procedures, so that users impacted by content moderation efforts are aware they have been impacted, and have a method of redress available to them.¹⁴

One of the most basic expectations that consumers have for organizations, institutions, and services they engage with is that they will protect consumers’ safety. When companies fail to protect safety, the harm suffered by particular consumers isn’t the only outcome. The failure often undermines trust among the general public. Given the very real implications of safety incidents online and offline, there has been a strong push for entities to demonstrate greater transparency and accountability around the companies’ safety incidents and prevention efforts. Today, a number of organizations such as universities and cruise ship lines are required by law to publish safety transparency reports. More recently, however, several companies have begun to voluntarily publish safety data.

One of the most notable categories in safety transparency reports is the incidence of sexual violence and sexual assault. In the United States, the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (also known as the Clery Act) requires all college and university campuses that receive federal funding to publish an annual security report (ASR) that provides statistics on campus crime and highlights efforts the institution has taken to improve campus safety.¹⁵ ASRs must include statistics on crimes such as murder, sex offenses (e.g. domestic violence, dating violence, stalking, etc.), robbery, motor vehicle theft, arson, liquor law violations, drug-related violations, weapons possession, and crimes or bodily harm related to or caused by hate crimes.¹⁶ Today, hundreds of colleges in the United States publish such reports.¹⁷

In addition, under the U.S. Campus Fire Safety Right-to-Know Act, which became law with the passage of the Higher Education Opportunity Act of 2008, U.S. universities with on-campus housing are required to publish an annual fire safety report. The reports are intended to help campus fire officials understand how fire affects campuses across the country.¹⁸

Other entities are also required to issue similar reports. For example, the Cruise Vessel Security and Safety Act of 2010 outlines security and safety requirements for most cruise lines that have ships embarking and disembarking in the United States. The act requires these cruise lines to report criminal activity to the Federal Bureau of Investigation.¹⁹ The U.S. Department of Transportation compiles these statistics and releases an annual Cruise Line Incident Report.²⁰ The most recent report features statistics on crimes such as homicide, kidnapping, and sexual assault on 12 cruise lines.²¹

In addition, U.S. legislation requires the Department of Defense (DoD) to issue an annual report on sexual assaults involving members of the U.S. Armed Forces.²² Currently the DoD’s Sexual Assault Prevention and Response Program issues reports on incidents of sexual assault in the military, the DoD, and the military services.²³

Over the past few years, the issue of personal safety has also become a prominent topic for technology companies, as platforms, especially those that facilitate offline interactions for their users, are being pushed to demonstrate greater transparency and accountability around safety incidents. In May 2018, ride-hailing service Uber publicly committed to publishing a safety transparency report that would include data on sexual assaults and other safety incidents that have taken place on, or related to use of, the Uber platform.²⁴ The commitment came following criticism around how the company handled instances of sexual violence.²⁵ In December 2019, Uber released its report, making it the first internet platform to publish a safety transparency report. The report covers three categories of critical safety incidents—motor vehicle fatalities, fatal physical assaults, and sexual assaults—that took place during an active Uber-facilitated trip, or between parties who were paired by the Uber app within 48 hours of a completed ride in the United States. The report also highlights the various safety investments the company has made in order to prevent future safety incidents, such as instituting thorough background checks and screenings and introducing new safety technology.²⁶

Along with concerns regarding safety, consumers have increasingly demonstrated concerns regarding the quality and impact of the services and products they are using. One industry in which transparency around quality is a primary concern is healthcare. Currently, the Centre for Medicare and Medicaid Systems (CMS) requires some hospitals to submit data on process and outcome measures related to topics such as heart attack care, pneumonia care, and overall patient experience. In addition, there is a strong push and desire for hospitals to publicly report data on the number of mistakes they make, as well as the subsequent outcomes. John Hopkins Medicine is an example of an institution that is pushing for greater transparency in this regard. Such data can help consumers understand the quality of the institutions and services they are using, and thus make more informed decisions regarding their medical care.²⁷ In addition, publishing such data has been found to enable and create strong incentives for institutions to learn from their mistakes and improve quality in the future.

Sustainability reporting is another key form of reporting that has emerged based on concerns regarding quality and impact. Today, companies across dozens of industries including retail, telecommunications, consumer goods, financial services, technology, and natural resources publish sustainability reports. Although the content of these reports varies based on the company, many provide qualitative and quantitative information on how the company has impacted the environment through its operations and what strategic steps they are taking to mitigate harm going forward. Reports often include data on issues such as greenhouse gas emissions,²⁸ water stewardship, chemicals management, and waste management.²⁹ Some of these reports, such as Gap Inc.’s sustainability report, also touch on safety- and labor-related concerns such as gender-based discrimination and harassment incidents, and child and forced labor.³⁰ In addition, some companies issue broader reports that outline the company’s general social impact efforts. For example, Starbucks publishes a Global Social Impact Report that includes data on how the company invests in communities they work with and promotes sustainable development efforts.³¹ Verizon publishes a Corporate Responsibility Report that touches on issues including disaster response, accessibility, and anti-corruption efforts, in addition to sustainability-related issues. ³²

Pharmaceutical companies such as Janssen have also begun publishing pharmaceutical transparency reports that provide qualitative and quantitative information related to the company’s investment into research & development, patient and pricing costs, and requests for clinical trial data. The company’s most recent report outlines how the company publicly discloses information about its clinical trials, publishes the results of company-sponsored trials and studies, and shares pharmaceutical, device, and consumer product clinical data through the Yale Open Data Access (YODA) Project. The YODA Project serves as an independent review panel that evaluates researcher requests for access to participant-level trial data.