The Relationship Between Digital Rights and Corporate ESG
This article examines consumer data protection within the “S” (Social) pillar of ESG, with a particular focus on human rights in the expanding digital domain. It explores how companies should handle personal data in a context where privacy regulations established by governments and international bodies coexist with rapid digital transformation. The discussion links corporate information governance with broader ESG considerations, highlighting the delicate balance required between innovation and rights protection.
What Are Digital Rights
As digitalization advances across society, “Digital Rights” have gained increasing attention.
In a broad sense, digital rights refer to the legal rights related to access to and use of digital media, including the internet. In recent years, however, the concept has expanded beyond personal data and biometric data protection. It now encompasses digital ethics as a whole, including the prevention of discrimination caused by AI and algorithms, data sovereignty, and transparency. These issues have become core themes within the “S” pillar of ESG.
This article focuses primarily on human rights issues related to digital rights.
With the progression of digitalization, information is now handled as digital data in nearly all aspects of daily life and business. This includes highly sensitive personal information. Digitized personal data is stored on various corporate platforms and is often used for data analysis aimed at increasing website traffic or generating profits. As a result, personal data is frequently reused in unintended ways without individuals being aware of it. In response, many companies have established personal data protection policies. While companies emphasize compliance with these policies, the volume and scope of digital personal data usage continue to expand.
The following sections examine recent trends and regulatory developments surrounding digital rights from the perspective of corporate ESG management.
Lagging Government Regulation and Company-Led Self-Regulation
Although governments around the world are accelerating legislative efforts, gaps remain between regulatory frameworks and corporate practices. This gap is particularly evident in rapidly evolving areas such as AI and biometric authentication, where regulatory requirements differ across jurisdictions and are becoming increasingly complex. For global companies, ensuring regulatory consistency has become a key challenge.
In response to rapid digitalization, companies are often compelled to establish their own internal rules. However, the degree of such self-regulation varies widely across companies.
Because these initiatives are often based on ambiguous guidelines, digital rights protection tends not to be prioritized by profit-oriented organizations. As a result, corporate responses frequently lag behind technological developments.
For example, Amazon.com, Inc. introduced “Amazon One,” a palm-print scanning system that allows customers to enter stores and complete payments, at Amazon Go locations in the United States (*1). While this contactless service appeared convenient during the COVID-19 pandemic, concerns were raised due to the lack of transparency regarding how palm-print data is scanned, collected, and subsequently used. Several U.S. senators formally requested disclosures from Amazon. This situation largely stems from the absence of comprehensive regulations governing palm-print authentication in the United States (*2).
In 2019, several UK politicians sent a letter to the UK Foreign Secretary raising concerns that Huawei Technologies Co., Ltd. had engaged in serious human rights violations in China (*3). These concerns arose when the UK government considered using Huawei’s services for its 5G infrastructure. In both the UK and China, insufficient regulatory frameworks addressing 5G-related human rights issues were cited as contributing factors.
Governments are generally expected to establish privacy policies that citizens can accept and to protect digital rights. However, there are cases in which governments themselves infringe upon these rights. In Russia, for example, plans were announced in 2020 to expand police use of city surveillance cameras equipped with facial recognition technology (*4). This prompted criticism from human rights activists, lawyers, and NGOs both domestically and internationally.
These challenges are also linked to the absence of international standards.
The United Nations has played a leading role in establishing human rights frameworks, such as the Universal Declaration of Human Rights and the Convention on the Rights of the Child. However, no UN treaty specifically addresses digital rights. Responses to digitalization have therefore been limited to expanded interpretations or minor amendments of existing agreements.
In June 2021, the United Nations High Commissioner for Refugees (UNHCR) was strongly criticized for providing the Myanmar government with biometric data, including fingerprints, used to manage personal information of Rohingya refugees who had fled to Bangladesh (*5). This incident also reflects the lack of an international treaty governing biometric authentication.
Due to the absence of international standards, governments have been slow to issue guidelines. This, in turn, has led companies to develop their own internal standards. The UN has stated only that “the same rights people have offline must also be protected online” in a 2016 resolution (*6).
Among the various forms of digital rights, the management of personal information using physical characteristics such as palm prints, facial data, and fingerprints is referred to as biometric authentication. Because of its convenience, biometric authentication is expected to become more widespread. However, unlike addresses or phone numbers, biometric data does not change over a lifetime. Once leaked, it cannot be recovered, which has led to significant caution.
Potential Impacts of Self-Regulation on Businesses
As these trends continue, governments in several countries have begun to establish digital rights regulations. This has led to friction with companies that previously relied on self-regulation.
Case Study: United States
A well-known case in the United States involves Facebook, Inc., which later became Meta (*7). In 2015, Facebook users in Illinois filed a class-action lawsuit after discovering that photos containing their faces had been automatically tagged without their consent. The plaintiffs argued that Facebook collected facial recognition data without disclosure. Although Facebook is headquartered in California, the court ruled that this practice violated Illinois’ Biometric Information Privacy Act (BIPA). In 2021, Facebook was ordered to pay USD 550 million,
In addition, internal documents highlighting Facebook’s role in the spread of hate speech and misinformation were made public and widely reported (*8). Since 2021, Meta has completely discontinued its facial recognition features (*9). The company has since shifted its focus toward ethical design in generative AI, advertising optimization, and metaverse-related services, while increasing transparency in its AI governance framework (*10). Meanwhile, although Google is moving forward with the introduction of alternative technologies to tracking-based advertising (Privacy Sandbox), it has withdrawn its plan to phase out cookies in 2024 and is now exploring ways to balance convenience and privacy (*11).
Case Study: European Union
In December 2020, the EU proposed legislation targeting major technology companies, commonly referred to as GAFA, that have more than 45 million users within the EU (*12).
The legislation consists of the Digital Services Act (DSA) and the Digital Markets Act (DMA).
The DSA focuses on protecting EU citizens’ digital rights by requiring transparency regarding how personalized tracking advertisements are created. The DMA aims to regulate designated companies by mandating, for example, the sharing of certain types of data with regulators and competitors (*13). Penalties for non-compliance include fines of up to 10 percent of global annual revenue.
The speed of this regulatory process is noteworthy. Discussions and announcements took place in 2021, followed by negotiations with EU member states in early 2022.
Both the DSA and DMA were formally enforced in 2024, with fines of up to 10 to 20 percent of global turnover for violations. In addition, the EU passed the AI Act in May 2024. This introduces a risk-based regulatory framework for AI, with phased implementation expected to begin by 2026 (*14).
Case Study: Australia
In November 2021, Australia’s privacy authority ordered Clearview AI, a U.S.-based company providing AI facial recognition services, to delete facial images and related data of Australian citizens due to privacy law violations (*15). Clearview AI automatically collects facial images from social media platforms such as Facebook, YouTube, Twitter, and Instagram. It provides facial recognition services to U.S. organizations, including over 600 law enforcement agencies, among them the FBI and the Department of Homeland Security.
The Office of the Australian Information Commissioner (OAIC) concluded that Clearview AI’s mass collection of facial images violated Australian privacy law provisions prohibiting the collection of sensitive information without consent and through unfair means (*16).
Clearview AI has appealed the decision, claiming that the OAIC lacks jurisdiction because the company does not conduct business or have customers in Australia (*17).
However, Clearview AI was also found in violation of the EU’s General Data Protection Regulation (GDPR) in Germany in January 2021 (*18). Similar violations were recognized in Canada under Quebec’s privacy law during the same period (*19). These cases demonstrate that even when companies operate the same business model across borders, regulatory requirements vary by country. Without adequate consideration of digital rights, a business model that works domestically may fail abroad.
Implications for Japanese Companies
Since 2023, discussions surrounding digital rights in Japan have intensified, particularly in relation to generative AI and the national digital ID system. In 2024, the government issued AI Business Guidelines and has promoted policy shifts emphasizing transparency and accountability in personal data and algorithms, led by the Digital Agency. For companies, responses to human capital management and human rights due diligence are becoming key factors in ESG evaluations. Digital rights are therefore likely to become a central issue in corporate decision-making. Neglecting digital rights can lower ESG “S” ratings, erode overall corporate value, or increase operational costs.
Historically, regulatory frameworks developed in Europe and the United States later became international standards, which Japan subsequently adopted. However, the world is now moving toward a more synchronized regulatory environment. While climate change initiatives have regained momentum after the COVID-19 pandemic, the “S” pillar has also gained importance through issues such as AI ethics, diversity, and human rights protection.
Companies are now required to pursue ESG strategies that balance environmental and social considerations (*20).
Effectively Linking ESG Information to Corporate Value Enhancement
As highlighted in this article, digitalization of personal information is advancing rapidly worldwide. Positioning digital rights as a core component of ESG management has become increasingly important. Many companies aim to increase corporate value through ESG management and investment, while reducing the risk of value erosion. The question is how to accurately identify these opportunities and risks.
The first step is to assess these opportunities correctly. This requires comparative analysis of ESG data not only within a company, but also across industries and peers, from a long-term value perspective.
From 2025 onward, ESG data analysis using generative AI has become increasingly standardized. Human rights due diligence, including compliance with the Corporate Sustainability Due Diligence Directive (CSDDD), and AI governance focused on algorithmic transparency are becoming core components of the “S” evaluation.
At the same time, preventing data bias and ensuring explainability in AI systems have emerged as new compliance challenges. Companies that proactively protect digital rights are increasingly favored by investors.
Conducting both broad and in-depth ESG analysis efficiently is difficult when handled individually by each company. Centralizing expertise within specialized teams reduces redundant processes and enables faster, more effective analysis.
While this article has highlighted one ESG trend, “cuoncrop” provides services such as its “ESG/SDGs Management 360-Degree Assessment and Improvement Support.” These services leverage expert teams with backgrounds in global strategy consulting and proprietary AI-driven analytical methodologies to help companies identify and improve the level of ESG activity required to remain competitive.
These services support not only large companies with established ESG teams, but also smaller organizations that are beginning to adopt ESG management.
Companies interested in a scientific and efficient analytical approach to accelerating ESG management are encouraged to contact “cuoncrop”.
cuoncrop ESG Global Trend Research Division
References
*1 https://www.weforum.org/stories/2020/10/amazon-amazon-one-retail-technology/
*2 https://techcrunch.com/2021/08/13/amazon-biometric-data-senate-letter/
*4 https://www.hrw.org/news/2020/10/02/russia-expands-facial-recognition-despite-privacy-concerns#
*5 https://www.thenewhumanitarian.org/opinion/2021/6/21/rohingya-data-protection-and-UN-betrayal
*6 https://www.theverge.com/2016/7/4/12092740/un-resolution-condemns-disrupting-internet-access
*8 https://japan.cnet.com/article/35178549/
*9 https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/
*11 https://www.nikkei.com/article/DGXZQOGN2305Y0T20C24A7000000/
*12 https://www.newsweekjapan.jp/takemura/2020/12/gafa.php
*13 https://swapsss.com/dma-eu/
*14 https://digital-markets-act.ec.europa.eu/about-dma_en
*15 https://www.oaic.gov.au/updates/news-and-media/clearview-ai-breached-australians-privacy
*17 https://noyb.eu/sites/default/files/2021-01/545_2020_Anh%C3%B6rung_CVAI_ENG_Redacted.PDF
*19 https://www.security.org/identity-theft/breach/equifax/
*20 https://iclg.com/practice-areas/environmental-social-and-governance-law/japan