The country's new data protection law grants broad access to personal data by government agencies, says HRW.
This statement was originally published on hrw.org on 13 April 2023.
Regional cloud expansion risks furthering privacy rights abuses
Microsoft should suspend its investment in a new cloud data center region in Saudi Arabia until it can clearly demonstrate how it will mitigate the risk of facilitating serious human rights violations, Human Rights Watch said today.
In February 2023, Microsoft announced its intention to invest in a cloud data center in Saudi Arabia to offer enterprise cloud services, despite the government’s well-established record of infiltrating technology platforms and ongoing domestic repression. Saudi Arabia’s anti-cybercrime and data protection laws severely undermine the right to privacy, enable unchecked state surveillance, and allow Saudi state agencies to access data using overly broad and ill-defined “security reasons,” raising serious concerns about Microsoft’s ability to uphold its human rights responsibilities while operating in the country.
“Saudi authorities have grievously violated their own citizens’ right to privacy by hacking phones, infiltrating major tech companies, and passing laws granting sweeping surveillance powers to government entities,” said Arvind Ganesan, economic justice and human rights director at Human Rights Watch. “Microsoft should not shut its eyes to Saudi Arabia’s abuses and should halt its investment until the company can meaningfully explain how it will mitigate human rights risks.”
Establishing a cloud data center in Saudi Arabia poses unique and direct risks to human rights because the government may get access to that user data. The Saudi government has already shown it will violate privacy, freedom of expression, association, nondiscrimination, and due process rights. Human Rights Watch wrote to Microsoft in February 2023 highlighting these concerns. Microsoft responded to questions from Human Rights Watch and noted Microsoft’s commitment to the Trusted Cloud Principles and its approach for operating datacenters in countries or regions with human rights challenges, but requested its responses remain off-the-record.
Saudi Arabia authorities’ egregious record on human rights, including their infiltration of Twitter to spy on dissidents and targeting of human rights activists and political dissidents with sophisticated digital surveillance technology poses problems for companies committing to protect users’ privacy rights, Human Rights Watch said.
Systemic abuses in the Saudi justice system, lack of due process, and wholesale repression of political dissidents and independent civil society raises serious concerns about Microsoft’s ability to adhere to its stated human rights commitments or to effectively contest problematic requests for data by the Saudi government in the country’s courts.
The country’s new data protection law and executive regulations grant sweeping powers to government agencies to access personal data. The entities that control data are permitted to disclose data to state agencies based on vague and overbroad “security reasons,” which are not defined in the law. The law does not appear to provide for any independent oversight of these government powers.
Saudi Arabia’s 2007 anti-cybercrime law criminalizes the “production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, or privacy,” which could be used by Saudi authorities to force Microsoft to hand over user data on people accused of such broad, ill-defined, and abusive charges.
Microsoft has publicly committed to ensuring that the laws and policies are substantially in line with the Trusted Cloud Principles in the countries where the company operates. The Trusted Cloud Principles, an initiative by global tech giants expressing a commitment to protect the rights of customers, states that cloud service providers “support laws that allow governments to request data through a transparent process that abides by international recognized rule of law and human rights standards.”
Saudi Arabia’s laws and practices fall far below international human rights standards and the standards outlined in Microsoft’s own Trusted Cloud Principles, Human Rights Watch said.
Prime Minister and Crown Prince Mohammed bin Salman, Saudi Arabia’s de facto ruler, has sharply escalated domestic repression, overseeing an intense crackdown on dissent coupled with a significant deterioration in due process rights in a country where the rule of law was already lacking.
In 2017, the country’s prosecution service and security apparatus were placed directly under the oversight of the royal court, putting the primary tools of Saudi repression in the sole hands of the king and crown prince. In August 2022, Saudi authorities sentenced Salma al-Shehab, a Saudi doctoral student, to decades in prison based solely on her Twitter activity.
Saudi Arabia has allegedly infiltrated Twitter and unlawfully accessed personal information of Saudi citizens within that company, the US Department of Justice reported. In 2019, two Twitter employees were charged with spying for Saudi Arabia. Both were accused of accessing the private information of Saudi dissidents who utilized the platform to discuss current issues. This enabled the Saudi authorities to uncover information that is not available elsewhere and to unmask the identities of anonymous critics.
Saudi authorities also spied on their own citizens through targeted digital attacks. Citizen Lab, a Canadian academic research center, concluded with “high confidence” that in 2018, the mobile phone of a prominent Saudi activist based in Canada was infected with spyware, which allowed full access to the victim’s personal files, such as chats, emails, and photos, as well as the ability to surreptitiously use the phone’s microphones and cameras to view and eavesdrop. In July 2021, the Pegasus Project also found that Saudi Arabia was a client of the NSO Group’s Pegasus spyware. NSO group has categorically denied that their technology was used to spy on Jamal Khasshogi, a dissident who was killed in a Saudi consulate in Turkey.
Given this reality, Microsoft’s intention to invest raises serious concerns about how it can uphold its human rights responsibilities under the United Nations Guiding Principles to prevent or mitigate the potential adverse human rights impacts associated with locating a cloud data center in Saudi Arabia.
Microsoft has a responsibility to respect human rights that exists independent of a country’s willingness to fulfil its human rights obligations. The company’s own statement on human rights asserts its commitment to “[o]perationalize human rights in our business and technologies.” Microsoft’s global human rights statement says that the company “commits to respecting the United Nations Guiding Principles on Business and Human Rights (UNGPs). We work every day to implement the UNGPs throughout Microsoft, both at headquarters and offices in approximately 200 countries and territories, and throughout our global supply chains.”
Human Rights Watch previously urged Google to reverse its decision to establish a cloud data center in Saudi Arabia because of the risk of serious adverse human rights impacts.
“Microsoft should put rights first and not become a tool for Saudi authorities to further spy on people whose data is in Saudi Arabia,” Ganesan said.