For this study, we identified and selected the most popular digital platforms in Kazakhstan. We considered not only the companies themselves, but also their individual products and services, including in the sphere of mobile ecosystems.
A digital platform is an integrated software and hardware solution that provides digital infrastructure and functionality for the interaction of various actors, applications and data in a digital ecosystem.
To investigate public standpoints and policies of the companies on human rights compliance, we used their official websites as well as web resources of parent companies/corporate groups.
The issues under research were grouped according to three indicators.
Corporate Governance
The indicators in this category are intended to demonstrate that the company has governance processes in place that honor human rights to freedom of expression and privacy. For a company to perform well in this category, its business disclosures should, as a minimum, reflect and preferably exceed the UN Guiding Principles on Business and Human Rights and other human rights standards on freedom of expression and privacy adopted by the Global Network Initiative.
G-indicators
F. Freedom of Expression and Information
Indicators in this category help in determining if the company has demonstrated respect for the rights
to freedom of expression and information in accordance with international human rights standards. The company's published policies and practices clearly demonstrate what actions are taken to address human
rights abuses, unless such actions are lawful, proportionate and for a justifiable purpose. Companies that perform well on this indicator show their commitment to the principle of openness not only in how they respond to demands from the government and other stakeholders, but also in how they establish, explain and comply with their own business rules and principles that affect users' fundamental right to freedom of expression and information.
F-indicators
P. Privacy
Indicators in this category reflect that companies strive to communicate their commitment to users' right
to privacy in an accessible way, through examples of their policies and practices, in line with international
human rights standards. Open corporate policies and practices demonstrate how companies are careful
not to facilitate actions that may violate users' privacy, unless such actions are lawful, proportionate and for
a justifiable purpose. They also demonstrate their strong dedication to protecting and safeguarding users'
digital security. Companies that perform well on these indicators demonstrate their steadfast commitment
to transparency not only in how they respond to the needs of the state authorities and other players, but
also in how they define, communicate, and enforce their own policies and industry practices that affect
user privacy.
P-indicators
The research process consisted of the following stages:
1. Compiling an inventory of publicly available documents of each service by the first expert;
2. Scoring each indicator by the first expert;
3. Validating obtained results by the second and third experts;
4. The process of interaction with the companies under consideration and their digital platforms, called “Company Engagement”;
5. Performing the "horizontal verification": comparing the companies' results with each other in order to maintain a unified and objective approach and coordinating the final scores with the Ranking Digital Rights team.
Each indicator has a list of parameters, and companies receive a score (full, partial or zero) for each parameter met. The score takes into account the degree of disclosure for each indicator parameter based on one of the following possible answers:
"Yes" (full disclosure): the information disclosure complies with the indicator requirements.
"Partial": the company has disclosed some but not all aspects of the indicator, or the disclosure is not complete enough to meet all the requirements of the indicator.
"No data on disclosure": researchers could not find information on the company's website that answers the element's question.
"No": information exists, but it does not specifically disclose the subject matter of the query on the parameter. This option is different from "No disclosure found," although both do not score favorably.
"Not Applicable": the element is not relevant to the company or service. Items marked as "Not Applicable" will not be counted in the scoring for or against the parameter.
Points
Yes/full disclosure = 100
• Partial disclosure = 50
• No disclosure = 0
• No data on the disclosure = 0
• Not applicable - data are not included in scoring and averaging.
Detailed disclosure of research indicators:
G1. Policy Commitment
Elements:
- Does the company make an explicit, clearly articulated policy commitment to human rights, including to freedom of expression and information?
- Does the company make an explicit, clearly articulated policy commitment to human rights, including to privacy?
- Does the company disclose an explicit, clearly articulated policy commitment to human rights in its development and use of algorithmic systems?
G2. Governance and management oversight
Elements:
- Does the company clearly disclose that the board of directors exercises formal oversight over how company practices affect freedom of expression and information?
- Does the company clearly disclose that the board of directors exercises formal oversight over how company practices affect privacy?
- Does the company clearly disclose that an executive-level committee, team, program or officer oversees how company practices affect freedom of expression and information?
- Does the company clearly disclose that an executive-level committee, team, program or officer oversees how company practices affect privacy?
- Does the company clearly disclose that a management-level committee, team, program or officer oversees how company practices affect freedom of expression and information?
- Does the company clearly disclose that a management-level committee, team, program or officer oversees how company practices affect privacy?
G3. Internal implementation
Elements:
- Does the company clearly disclose that it provides employee training on freedom of expression and information issues?
- Does the company clearly disclose that it provides employee training on privacy issues?
- Does the company clearly disclose that it maintains an employee whistleblower program through which employees can report concerns related to how the company treats its users’ freedom of expression and information rights?
- Does the company clearly disclose that it maintains an employee whistleblower program through which employees can report concerns related to how the company treats its users’ privacy rights?
G4(b). Impact assessment: Processes for policy enforcement
Elements:
- Does the company assess freedom of expression and information risks of enforcing its terms of service?
- Does the company conduct risk assessments of its enforcement of its privacy policies?
- Does the company assess discrimination risks associated with its processes for enforcing its terms of service?
- Does the company assess discrimination risks associated with its processes for enforcing its privacy policies?
- Does the company conduct additional evaluation whenever the company’s risk assessments identify concerns?
- Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
- Does the company conduct assessments on a regular schedule?
- Are the company’s assessments assured by an external third party?
- Is the external third party that assures the assessments accredited to a relevant and reputable human rights standard by a credible organization?
G4(c) Impact assessment: Targeted advertising
Elements:
- Does the company assess freedom of expression and information risks associated with its targeted advertising policies and practices?
- Does the company assess privacy risks associated with its targeted advertising policies and practices?
- Does the company assess discrimination risks associated with its targeted advertisingpolicies and practices?
- Does the company conduct additional evaluation whenever the company’s risk assessments identify concerns?
- Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
- Does the company conduct an assessments on a regular schedule?
- Are the company’s assessments assured by an external third party?
- Is the external third party that assures the assessment accredited to a relevant and reputable human rights standard by a credible organization?
G4(d). Impact assessment: Algorithmic systems
Elements:
- Does the company assess freedom of expression and information risks associated with its development and use of algorithmic systems?
- Does the company assess privacy risks associated with its development and use of algorithmic systems?
- Does the company assess discrimination risks associated with its development and use of algorithmic systems?
- Does the company conduct additional evaluation whenever the company’s risk assessments identify concerns?
- Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
- Does the company conduct assessments on a regular schedule?
- Are the company’s assessments assured by an external third party?
- Is the external third party that assures the assessment accredited to a relevant and reputable human rights standard by a credible organization?
G4(a). Impact assessment: Governments and regulations
Elements:
- Does the company assess how laws affect freedom of expression and information in jurisdictions where it operates?
- Does the company assess how laws affect privacy in jurisdictions where it operates?
- Does the company assess freedom of expression and information risks associated with existing products and services in jurisdictions where it operates?
- Does the company assess privacy risks associated with existing products and services in jurisdictions where it operates?
- Does the company assess freedom of expression and information risks associated with a new activity, including the launch and/or acquisition of new products, services, or companies, or entry into new markets or jurisdictions?
- Does the company assess privacy risks associated with a new activity, including the launch and/or acquisition of new products, services, or companies, or entry into new markets or jurisdictions?
- Does the company conduct additional evaluation whenever the company’s risk assessments identify concerns?
- Do senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in their decision-making?
- Does the company conduct assessments on a regular schedule?
- Are the company’s assessments assured by an external third party?
- Is the independent third-party organization providing the assessment a credible organization accredited to an appropriate authoritative human rights standard?
F1(a). Access to terms of service
Elements:
- Are the company’s terms of service easy to find?
- Are the terms of service available in the primary language(s) spoken by users in the company’s home jurisdiction?
- Are the terms of service presented in an understandable manner?
F1(b). Access to advertising content policies
Elements:
- Are the company’s advertising content policies easy to find?
- Are the company’s advertising content policies available in the primary language(s) spoken by users in the company’s home jurisdiction?
- Are the company’s advertising content policies presented in an understandable manner?
- (For mobile ecosystems): Does the company clearly disclose that it requires apps made available through its app store to provide users with an advertising content policy?
- (For personal digital assistant ecosystems): Does the company clearly disclose that it requires skills made available through its skill store to provide users with an advertising content policy?
F1(c). Access to advertising targeting policies
Elements:
- Are the company’s advertising targeting policies easy to find?
- Are the advertising targeting policies available in the primary language(s) spoken by users in the company’s home jurisdiction?
- Are the advertising targeting policies presented in an understandable manner?
- (For mobile ecosystems): Does the company clearly disclose that it requires apps made available through its app store to provide users with an advertising targeting policy?
- (For personal digital assistant ecosystems): Does the company clearly disclose that it requires skills made available through its skill store to provide users with an advertising targeting policy?
F1(d). Access to algorithmic system use policies
Elements:
- Are the company’s algorithmic system use policies easy to find?
- Are the algorithmic system use policies available in the primary language(s) spoken by users in the company’s home jurisdiction?
- Are the algorithmic system use policies presented in an understandable manner?
F3(a). Process for terms of service enforcement
Elements:
- Does the company clearly disclose what types of content or activities it does not permit?
- Does the company clearly disclose why it may restrict a user’s account?
- Does the company clearly disclose information about the processes it uses to identify content or accounts that violate the company’s rules?
- Does the company clearly disclose how it uses algorithmic systems to flag content that might violate the company’s rules?
- Does the company clearly disclose whether any government authorities receive priority consideration when flagging content to be restricted for violating the company’s rules?
- Does the company clearly disclose whether any private entities receive priority consideration when flagging content to be restricted for violating the company’s rules?
- Does the company clearly disclose its process for enforcing its rules once violations are detected?
F6. Data about government demands to restrict for content and accounts
Elements:
- Does the company break out the number of government demands it receives by country?
- Does the company list the number of accounts affected?
- Does the company list the number of pieces of content or URLs affected?
- Does the company list the types of subject matter associated with the government demands it receives?
- Does the company list the number of government demands that come from different legal authorities?
- Does the company list the number of government demands it knowingly receives from government officials to restrict content or accounts through unofficial processes?
- Does the company list the number of government demands with which it complied?
- Does the company publish the original government demands or disclose that it provides copies to a public third-party archive?
- Does the company report this data at least once a year?
F7. Data about private requests for content or account restriction
Elements:
- Does the company break out the number of requests to restrict content or accounts that it receives through private processes?
- Does the company list the number of accounts affected?
- Does the company list the number of pieces of content or URLs affected?
- Does the company list the reasons for removal associated with the requests it receives?
- Does the company clearly disclose the private processes that made requests?
- Does the company list the number of requests it complied with?
- Does the company publish the original requests or disclose that it provides copies to a public third-party archive?
- Does the company report this data at least once a year?
- Can the data be exported as a structured data file?
- Does the company clearly disclose that its reporting covers all types of requests that it receives through private processes?
F11. Identity policy
- Does the company require users to verify their identity with their government-issued identification, or with other forms of identification that could be connected to their offline identity?
F12. Algorithmic content curation, recommendation, and/or ranking systems
Elements:
- Does the company clearly disclose whether it uses algorithmic systems to curate, recommend, and/or rank the content that users can access through its platform?
- Does the company clearly disclosee how the algorithmic systems are deployed to curate, recommend, and/or rank content, including the variables that influence these systems?
- Does the company clearly disclose what options users have to control the variables that the algorithmic content curation, recommendation, and/or ranking system takes into account?
- Does the company clearly disclose whether algorithmic systems are used to automatically curate, recommend, and/or rank content by default?
- Does the company clearly disclose that users can opt in to automated content curation, recommendation, and/or ranking systems?
P1(a). Access to privacy policies
Elements:
- Are the company’s privacy policies easy to find?
- Are the privacy policies available in the primary language(s) spoken by users in the company’s home jurisdiction?
- Are the policies presented in an understandable manner?
- (For mobile ecosystems): Does the company disclose that it requires apps made available through its app store to provide users with a privacy policy?
- (For personal digital assistant ecosystems): Does the company disclose that it requires skills made available through its skill store to provide users with a privacy policy?
P2(a). Changes to privacy policies
Elements:
- Does the company clearly disclose that it directly
- notifies users about all changes to its privacy policies?
- Does the company clearly disclose how it will directly notify users of changes?
- Does the company clearly disclose the timeframe within which it directly notifiesusers of changes prior to these changes coming into effect?
- Does the company maintain a public archive or change log?
- (For mobile ecosystems): Does the company clearly disclose that it requires apps sold through its app store to notify users when the app changes its privacy policy?
P3(a). Collection of user information
Elements:
- Does the company clearly disclose what types of user information it collects?
- For each type of user information the company collects, does the company clearly disclose how it collects that user information?
- Does the company clearly disclose that it limits collection of user information to what is directly relevant and necessary to accomplish the purpose of its service?
- (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party appsmade available through its app store disclose what user information the apps collect?
- (For mobile ecosystems): Does the company clearly disclose that it evaluates whether third-party apps made available through its app store limit collection of user information to what is directly relevant and necessary to accomplish the purpose of the app?
- (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party skills made available through its skill store disclose what user information the skills collect?
- (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether third-party skills made available through its skill store limit collection of user information to what is directly relevant and necessary to accomplish the purpose of the skill?
P4. Sharing of user information
Elements:
- For each type of user information the company collects, does the company
- clearly disclose whether it shares that user information?
- For each type of user information the company shares, does the company clearly disclose the types of third parties with which it shares that user information?
- Does the company clearly disclose that it may share
- user information with government(s) or legal authorities?
- For each type of user information the company shares, does the company clearly disclose the names of all third parties with which it shares user information?
P5. Purpose for collecting, inferring, and sharing user information
Elements:
- For each type of user information the company collects, does the company clearly disclose
- its purpose for collection?
- For each type of user information the company infers, does the company clearly disclose its purpose for the inference?
- Does the company clearly disclose whether it combines user information from various company services and if so, why?
- For each type of user information the company shares, does the company clearly disclose its purpose for sharing?
- Does the company clearly disclose that it limits its use of user information to the purpose for which it was collected or inferred?
P6. Retention of user information
Elements:
- For each type of user information the company collects, does the company
- clearly disclose how long it retains that user information?
- Does the company clearly disclose what de-identified user information it retains?
- Does the company clearly disclose the process for de-identifying user information?
- Does the company clearly disclose that it deletes all user information after users terminate their account?
- Does the company clearly disclose the time frame in which it will delete
- user information after users terminate their account?
P7. Users’ control over their own user information
Elements:
- For each type of user information the company collects, does the company clearly disclose
- whether users can control the company’s collection of this user information?
- For each type of user information the company collects, does the company clearly disclose
- whether users can delete this user information?
- For each type of user information the company infers on the basis of collected information,
- does the company clearly disclose whether users can control if the company can attempt to infer this user information?
- For each type of user information the company infers on the basis of collected information,
- does the company clearly disclose whether users can delete this user information?
- Does the company clearly disclose that it provides users with options to control how their user information is used for targeted advertising?
P8. Users’ access to their own user information
Elements:
- Does the company clearly disclose that users can obtain a copy of their
- user information?
- Does the company clearly disclose what user information users can obtain?
- Does the company clearly disclose that users can obtain their user information in a structured data format?
- Does the company clearly disclose that users can obtain all public-facing and private user information a company holds about them?
- Does the company clearly disclose that users can access the list of advertising audience categories to which the company has assigned them?
- Does the company clearly disclose that users can obtain all the information that a company has inferred about them?
P9. Collection of user information from third parties
Elements:
- (For digital platforms) Does the company clearly disclose what user information it collects from third-party websites through technical means?
- (For digital platforms) Does the company clearly explain how it collects user information from third parties through technical means?
- (For digital platforms) Does the company clearly disclose its purpose for collecting user information from third parties through technical means?
- (For digital platforms) Does the company clearly disclose how long it retains the user information it collects from third parties through technical means?
- (For digital platforms) Does the company clearly disclose that it respects user-generated signals to opt out of data collection?
- Does the company clearly disclose what user information it collects from third parties through non-technical means?
- Does the company clearly disclose how it collects user information from third parties through non-technical means?
- Does the company clearly disclose its purpose for collecting user information from third parties through
- non-technical means?
- Does the company clearly disclose how long it retains the user information it collects from third parties through non-technical means?
P10(a). Process for responding to government demands for user information
Elements:
- Does the company clearly disclose its process for responding to non-judicial government demands?
- Does the company clearly disclose its process for responding to court orders?
- Does the company clearly disclose its process for responding to government demands from foreign jurisdictions?
- Do the company’s explanations clearly disclose the legal basis under which it may comply with government demands?
- Does the company clearly disclose that it carries out due diligence on government demands before deciding how to respond?
- Does the company commit to push back on inappropriate or overbroad government demands?
- Does the company provide clear guidance or examples of implementation of its process for government demands?
P10(b). Process for responding to private requests for user information
Elements:
- Does the company clearly disclose its process for responding to requests made through private processes?
- Do the company’s explanations clearly disclose the basis under which it may comply with requests made through private processes?
- Does the company clearly disclose that it carries out due diligence on requests made through private processes before deciding how to respond?
- Does the company commit to push back on inappropriate or overbroad requests made through private processes?
- Does the company provide clear guidance or examples of implementation of its process of responding to requests made through private processes?
P12. User notification about third-party requests for user information
Elements:
- Does the company clearly disclose that it notifies users when government entities (including courts or other judicial bodies) demand their user information?
- Does the company clearly disclose that it notifies users when they receive requests for their user information through private processes?
- Does the company clearly disclose situations when it might not notify users, including a description of the types of government demands it is prohibited by law from disclosing to users?
P15. Data breaches
Elements:
- Does the company clearly disclose that it will notify the relevant authorities without undue delay when a data breach occurs?
- Does the company clearly disclose its process for notifying data subjects who might be affected by a data breach?
- Does the company clearly disclose what kinds of steps it will take to address the impact of a data breach on its users?
P17. Account security (digital platforms)
Elements:
- Does the company clearly disclose that it deploys advanced authentication methods to prevent fraudulent access?
- Does the company clearly disclose that users can view their recent account activity?
- Does the company clearly disclose that it notifies users about unusual account activity and possible unauthorized access to their accounts?
P18. Inform and educate users about potential risks
Elements:
- Does the company publish practical materials that educate users on how to protect themselves from cybersecurity risks relevant to their products or services?