There are no single, universally agreed definitions of digital and emerging technologies in law. Regulation generally refers to technologies used to create, store, process, and communicate information, including those expected to become mainstream within the next five to ten years. In this section we explore definitions and regulations of high-risk AI and digital rights.

Digital rights refer to the application of national and international human rights law in digital contexts. The concept has gained prominence due to rapid technological advancement, the increasing digitization of civic life and work – including the rise of the gig economy – and the erosion of offline freedoms. At the same time, the widening digital divide underscores how access to technology is closely tied to inequality and exclusion. In its 2022 Declaration on Digital Rights and Principles, the EU committed to a secure, safe and sustainable digital transformation that puts people at the centre.

The OECD defines AI systems as machine-based systems that, for “human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments” and notes that “AI systems are designed to operate with varying levels of autonomy”. 

• The definition of “AI” differs between jurisdictions and some have not defined AI comprehensively. The EU AI Act (Art. 3)’s definition is based on the OECD’s but they are not identical.

Many emerging regulations define high-risk AI systems as those involved in consequential decision-making or sensitive personal data processing. 

• The EU AI Act (Chapter 3, Art. 6) identifies high-risk AI through use cases that pose serious risks to health, safety, or fundamental rights, including applications in critical infrastructure, law enforcement, and democratic processes, and imposes strict pre-market obligations.
• Colorado’s SB 205 – the first comprehensive US AI legislation – characterizes high-risk AI as systems that substantially influence consequential decisions. 
• California defines high-risk automated decision systems (ADS) as those that assist or replace human discretion in decisions with significant legal or social impact – such as access to housing, education, employment, credit, healthcare, and justice.
• In contrast, Texas’s HB 149 adopts a narrower, intent-based approach, requiring proof of discriminatory intent for liability in AI deployment.

Governments are rapidly enacting AI-specific legislation. The EU AI Act imposes strict requirements on high-risk AI systems, including algorithmic transparency and human oversight, while Colorado’s AI Act requires deployers to prevent algorithmic discrimination. Other jurisdictions, such as Japan and ASEAN nations have adopted voluntary AI guidelines, promoting business-led initiatives. Singapore’s Model AI Governance Framework also emphasizes voluntary best practices.

The UN Working Group on Human Rights has highlighted that current AI legislation fails to adequately protect human rights under the UN Guiding Principles, especially concerning generative AI, which remains largely unregulated. This lack of specific regulations is particularly concerning for human rights advocates, as it leaves offline and digital rights unprotected and lacks mechanisms for remedies. The UN has also noted that the views of the Global South are insufficiently incorporated into both binding and voluntary frameworks.

Given this fast-evolving landscape, businesses must monitor developments in relevant jurisdictions. This list is not exhaustive.

The following legislation has been passed aimed at protecting human rights through imposing requirements on developers of technologies, as well as deployers, users, importers, distributors and supply chain participants.

EU AI Act

• Entered into force: August 2024
• Prohibited practices banned: February 2, 2025 (e.g., social scoring, manipulative AI).
• Transparency obligations for general-purpose AI: February 2026
• General provisions applicable: August 2026
• High-risk system obligations: August 2027 (e.g., conformity assessments, FRIA)
• Focus: harmonize EU regulatory approach to AI in order to protect against harmful effects and support innovation.

The EU AI Act is modelled on European product legislation, supplemented with a risk-based approach and explicit human rights safeguards. It is underpinned by principles of proportionality based on risk, transparency and accountability, fairness and non discrimination, prevention of harm, data privacy and security, safety and trustworthiness and the need for human oversight. It applies directly to all EU Member States, without the need for national legislation (in most cases). 

Council of Europe AI Framework Convention

• Opened for signature: September 5, 2024
• Focus: Ensure AI activities are consistent with human rights, democracy, and the rule of law.

The AI Framework Convention is the first-ever international legally binding treaty focused on AI and human rights. It aims to ensure that activities within the lifecycle of AI systems are fully consistent with human rights, democracy and the rule of law, while being conducive to technological progress and innovation. On 5 September 2024, the Convention was signed by Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the UK, the US, Israel and the EU. Following its entry into force the treaty is open for accession by other non-member States.

China’s Interim Measures for the Management of Generative Artificial Intelligence Services (“AI Measures”)

• Effective: 2023
• Focus: generative AI service providers and users in China

The AI Measures ^[1] apply to entities providing services in mainland China regardless of where they are incorporated. Chinese government agencies can take action against foreign companies if any Generative AI services offered within the country violate local regulations. The AI Measures do not categorize AI systems according to risk, although some will be subject to stricter scrutiny by authorities, such as service providers with “social mobilization capabilities” (Art. 17), offering AI products perceived as having the potential to support social movements challenging state power. 

Service providers must comply with requirements on data processing, data labelling, data training, content moderation and complaints and reporting mechanisms. Generative AI service providers must also “uphold the core socialist values ​​and refrain from generating content that incites the subversion of state power” (Art. 4(i)) and take steps to prevent discrimination and not infringe on privacy or personal information rights, or harm the physical or mental health of others.

China’s Measures for Identifying Artificial Intelligence-Generated and Synthetic Content

• Effective: 1 September 2025 

To complement the AI Measures and other fundamental laws on AI, the labeling law ^[2] imposes both implicit (i.e. in metadata not easily perceived by users) and explicit (i.e. text and images visible to users) identification requirements on service providers for AI-generated content.

China’s National Standards on Generative AI

• Effective: 1 November 2025.
• Focus: three national standards aimed at enhancing the security and governance of generative AI. 

1. Recommended national standard Generative Artificial Intelligence Data Annotation Security Specification ^[3] (2024) aims to improve safety and security of GenAI systems, defined as preventing disinformation but also censorship of content that criticizes Communist Party rule. The requirements state that training data should be diverse, but this isn’t defined.
2. Recommended national standard Security Specification for Generative Artificial Intelligence Pre-training and Fine-tuning Data^[4] (2024) aims to establish safety rules for developers of GenAI models, including not only the protection of individual safety and preventing disinformation but censorship of content that criticizes Communist Party rule.
3. Technical Documentation of National Technical Committee 260 on Cybersecurity of Standardization Administration of China: Basic Security Requirements for Generative Artificial Intelligence Service ^[5] (2024) – establishes specific oversight processes for Chinese AI companies, focusing on safety risks, which include algorithmic bias and disclosure of personal information and censorship. 

There are other laws and regulations in China that do not directly seek to regulate AI, but that may affect the development or use of AI.

UK Online Safety Act

• Effective: 2023
• Focus: Protecting children and adults online, managing risks from harmful content.

Instead of regulating AI directly, the UK has tasked sector-specific regulators to interpret and apply a “principles-based framework” to their development and use of AI. One such legislation is the UK Online Safety Act (2023) which aims to protect children and adults online by requiring providers to identify, mitigate and manage the risks of harm from illegal and harmful content and activity, while protecting users’ rights to freedom of expression and privacy, and ensuring transparency and accountability are provided.

No federal law on AI exists as of October 2025. Many states are in the process of developing their own AI regulations, with some already in force:

Colorado AI Act (CAIA)

• Effective: May 2024
• Focus: Duties for developers and deployers of high-risk AI systems, compliance starting 1 February 2026.

Colorado enacted the first AI legislation in the US SB 205 Colorado AI Act (CAIA) in May 2024. The Act creates duties for all developers and deployers of high-risk AI systems in Colorado, with compliance starting from 1 February 2026. The act takes a risk focused approach, particularly on bias and discrimination. The CAIA is both the first and most far-reaching legislation in the US, requiring deployers of all AI systems to notify consumers that they are interacting with AI. The Act also imposes obligations relating to transparency, disclosures, risk assessment and mitigation, governance and impact assessment for developers and deployers of high-risk AI systems. The Colorado AI Act may emerge as a template for other states regulation – some are already considering bills that would impose safeguards against bias by AI systems.

California has also passed several other AI-related laws focused on transparency and consumer protection:

California AB 2013 (Generative AI Training Data Transparency Act)

• Effective: 1 January 2026
• Focus: Documentation and disclosures by developers of generative AI systems.

In September 2024, California enacted AB 2013 ‘Generative AI Training Data Transparency Act’, which requires documentation and disclosures by developers of generative AI systems, including detailed information on the data used to train models. These requirements take effect on 1 January 2026, but the Act applies retroactively to some systems from 1 January 2022, creating obligations for most AI systems.

California SB 942 (AI Transparency Act)

• Effective: 1 January 2026
• Focus: Transparency measures and licensing practices for commonly used AI systems.

SB 942 California AI Transparency Act (effective 1 January 2026) mandates transparency measures and licensing practices for commonly used AI systems, with penalties including fines.

California AB 3030 (Health Care Services; AI Act)

• Effective: 1 January 2025
• Focus: Transparency and disclosure requirements for health care providers using generative AI.

AB 3030 Health Care Services; AI Act (already in effect) targets health care providers using generative AI, emphasizing transparency and disclosure requirements.

California AB 2355 (Political Reform Act of 1974)

• Effective: 1 January 2025
• Focus: Disclaimers for AI-generated political ads.

AB 2355 Political Reform Act of 1974: Political Advertisements: Artificial Intelligence requires disclaimers for AI-generated political ads created by political committees.^[6]

California Automated Decision-Making Technologies (ADMT) Rules

• Effective: 1 January 2026
• Focus: Consumer rights to opt out of automated decision-making in housing, employment, and healthcare.

In July 2025, California adopted rules on automated decision-making technologies (ADMT), under the California Consumer Privacy Act (CCPA) effective 1 January 2026.  These rules grant consumers the right to opt out of automated decision-making in areas such as housing, employment, and healthcare. Businesses must provide pre-use notices, ensure transparency about the data used, and conduct risk assessments. Full compliance is required by 1 January  2027.

Texas Responsible AI Governance Act (TRAIGA)

• Effective: 1 January 2026
• Focus: Preventing discrimination and behavioural manipulation in AI systems.

In June 2025, Texas passed the Texas Responsible AI Governance Act (TRAIGA) (HB149) which takes effect 1 January 2026. While initially a broad attempt to prevent discrimination, the final version significantly narrowed its scope and has limited obligations for the private sector. While TRAIGA prohibits AI systems used for behavioural manipulation and unlawful discrimination, it adopts a narrower, intent-based approach and thereby offers lower protections for individuals than Colorado.

United States Uyghur Forced Labor Prevention Act (UFLPA)

• Effective: June 2022
• Focus: prohibiting import of goods made with forced labour into the US

United States Uyghur Forced Labor Prevention Act (UFLPA) (2022) requires importers to provide evidence that goods have not been made using forced labour. The legislation targets goods produced or manufactured wholly or partly in the Xinjiang region of China, products made by entities on the UFLPA entity list, or goods made with raw materials sourced through forced labour. The vast majority of the value of shipments detained under UFLPA have been linked to electronics (more than $3.1 billion).

Existing data protection frameworks like EU General Data Protection Regulation (GDPR), regulation of platforms such as the EU Digital Services Act (DSA) and reporting requirements under EU Non-Financial Reporting Directive (2018) and EU Corporate Sustainability Reporting Directive (2024) also apply to AI systems. 

• OECD AI Principles, the first intergovernmental standard on AI, was initially adopted in 2019 and updated in May 2024. The Principles guide AI actors in their efforts to develop trustworthy AI and provide policymakers with recommendations for effective AI policies. The EU, the Council of Europe, the United States and the United Nations and other jurisdictions have made this political commitment to adhere to the Principles. These adherents use the OECD’s definition of an AI system and lifecycle.
• The UN’s Global Digital Compact, introduced in response to Member States’ Declaration A/RES/75/1, aims to advance an open, secure and human centred digital future. Its AI Panel and Dialogue is an intergovernmental initiative to foster a Global Dialogue on AI Governance, centering on international human rights frameworks and the UN SDGs, to address risks and power imbalances associated with AI.
• The UN’s Charter of Human Rights and Principles for the Internet (2022) from the Internet Rights and Principles Dynamic Coalition connects human rights law and norms with rights-based aspirations for the online environment. It has applications for different stakeholders including businesses interested in digital rights and governance.
• The International Principles on the Application of Human Rights to Communications Surveillance (the “Necessary and Proportionate Principles” or “13 Principles”), from the Electronic Frontier Foundation and a coalition of NGOs, show how existing human rights law applies to modern digital surveillance; the 13 Principles have been endorsed by over 600 organizations since 2013.
• Others relevant frameworks include:
  • The EU European Declaration on Digital Rights and Principles (2022) presents the EU’s vision for digital transformation, providing a reference framework for citizens and guides the EU and Member States.
  • The European Commission’s High-Level Expert Group on AI’s Ethics Guidelines for Trustworthy AI (updated 2021).
  • The EU EOM Guidelines for Observing Online Election-Related Content (Updated, March 2025).

In the rapidly evolving landscape of technology and human rights, companies must understand their responsibilities under the UN Guiding Principles on Business and Human Rights (UNGPs), including in the realm of digital rights and business. Companies must understand risk factors that increase the likelihood of human rights impacts from technology development, deployment and end-use. To address these risks, businesses should adapt responsible business conduct to include HRDD of AI and emerging technologies, in accordance with UNGPs.

• Degree of automated decision-making: How often AI systems act autonomously and what kinds of decisions they make shapes the level of human rights risk an organization must manage. For example, algorithmic management systems that determine gig workers’ wages may create power structures with limited oversight, restricting workers’ access to remedy and grievance mechanisms. The OECD AI Principles emphasize human-centered values and fairness in AI systems, while the EU AI Act classifies AI systems by risk level, requiring human oversight, transparency and accuracy safeguards.

• Existing governance mechanisms: Companies with strong existing human rights due diligence (HRDD) processes and governance will be better positioned to prevent and address technology-related human rights risks. Businesses should adapt HRDD strategies and activities to ensure responsible business conduct of emerging technologies and ethical use of AI.

• Underlying data architectures: The code and source data used to programme AI systems can significantly influence human rights risks. For example, hiring algorithms trained on historical employment data may perpetuate past discrimination by learning patterns that favoured certain demographics, discriminating against qualified candidates from underrepresented groups.

• Extent to which new technologies can change business models: Across industries, businesses are adapting their strategic frameworks to leverage emerging technologies, transforming the risks that various sectors face. The OECD AI Principles emphasize inclusive growth and sustainable development in AI deployment, recognizing these transformative impacts. For example, an e-commerce retail company may not employ workers within physical store locations, but instead have the majority of their employees working in warehouse or delivery roles, changing the human rights and occupational risks that workers are exposed to.

Human rights impacts from digital technologies extend far beyond the companies that design and deploy them, creating interconnected risks across the entire value chain, from mineral extraction to end-user applications. The globalized and fragmented nature of technology development and deployment creates shared responsibility among stakeholders – for both the risks and opportunities of technology for human rights. The below analysis focuses on some key sectors across the technology value chain, highlighting sector-specific human rights risk factors from technology. (Cross-sector opportunities are explored in the Positive Impacts section in the Overview; the focus of this guidance is on the prevention of human rights risks by business).

While not exhaustive, the following summary demonstrates the breadth and severity of human rights risks associated with technology raw materials, manufacturing, financing, and digital services. This should help businesses to start to understand the nature of risks it could be associated with, from its operations and business relationships. 

Mining sector-specific human rights risk factors include the following:

• Conflict affected areas: In conflict-affected and high-risk areas (CAHRAs), there is an elevated risk for environmental and human rights harms in the mining and extractive industry. In CAHRAs there are risks of violence linked to resource extraction, minerals funding armed conflict, and community unrest near mining sites. The main challenge is the supply chain risk since companies throughout the value chain can be associated with materials from CAHRAs.  
• Weak governance: poor regulatory oversight, weak rule of law and limited institutional capacity in mining jurisdictions can increase the risk of labour exploitation and community displacement. The UN Guiding Principles on Business and Human Rights (UNGPs) recognize that some of the worst human rights abuses involving business occur in regions where there is competition for resources, high levels of corruption, and weak corporate accountability.
• Occupational health and safety, poor working conditions: People working in the mining and extractive industry face significant risks including environmental, chemical, and physical risks stemming from respiratory hazards, unsafe equipment, explosions, and fires.  
• Complexity of supply – brokers and artisanal mining: Many minerals necessary for emerging technologies including cobalt and tantalum are mined through complex critical mineral supply chains. Informal artisanal and small-scale mining (ASM) operations can evade government regulations and leave workers vulnerable to exploitation, unfair pay, dangerous working conditions, abuse, and child labour. 
• Environmental destruction: The UN Environmental Programme emphasizes that natural resource extraction has serious impacts on the environment and human health. Environmental damages may result in violations of the right to a Clean, Healthy, and Sustainable Environment. Notable challenges include climate change, biodiversity loss, and pollution. For example, copper is often extracted through open-pit mining that can devastate ecosystems, contaminate water sources, and leave lasting scars on landscapes. 
• Indigenous Peoples: Indigenous Peoples are vulnerable to the impacts of land dispossession, particularly when there is a lack of Free, Prior, and Informed Consent (FPIC) in mining projects (UNDRIP,  Article  32). 
• Forced displacement and land grabbing: In mineral-rich regions, there is a risk of forced displacement and land grabbing due to the mining and extractive industry. Indigenous Peoples are especially vulnerable to being victims of land grabbing. 
• Child labour: According to the ILO, approximately 1 million children are affected by child labour in the mining and extractive sector, primarily in artisanal and small-scale mining (ASM). Cobalt, a key resource for the green transition and rechargeable batteries, is often sourced from the Democratic Republic of the Congo where tens of thousands of children work at mine sites. In the mining sector, most work performed by children is hazardous and categorized as the worst form of child labour. Risks include unstable tunnels collapsing, exposure to toxic gases, psychosocial risks, sexual assault, and physical assault. 

Software sector-specific human rights risk factors from technology are distinct, and may be overlooked in traditional frameworks. Unlike hardware manufacturers, they must account for how products are used, misused or weaponized across diverse contexts – including enabling surveillance, reinforcing algorithmic bias or facilitating online harm. Software developers (who design AI systems, apps, and algorithms) may directly cause or contribute to harms through design choices, while platform providers (who host third-party content and services) may be linked to harms through how others use their infrastructure.

Under the EU AI Act, developers^[1] bear primary responsibility for system design and compliance, while deployers (companies using AI systems) must ensure proper implementation and monitoring. However, software companies don’t just face legal compliance under the AI Act, they also have a human rights responsibility under the UNGPs to proactively assess and mitigate these risks, design for safety and remediate harm. Companies should tailor their due diligence processes to digital technologies and their specific role as developer, platform or deployer.

Software specific risk factors include the following:

• Discrimination and bias: Vulnerable groups, including children, elderly adults, ethnic minorities, gender minorities and sexual minorities, face additional risks for digital discrimination during software development. Specific risks include algorithmic bias in AI models, exclusion from technology design and discrimination in automated decision-making. Additionally, children are particularly at risk of AI exploitation.
• Digital autonomy, privacy and expression: Digital tools can create risks to both privacy and freedom of expression. Tracking features and analytics can become intrusive without adequate consent mechanisms. Surveillance-enabling tools, such as facial recognition modules or device-level monitoring, can be misused in ways that violate rights. Partnerships with government clients can introduce additional risks if safeguards are not built into the design.
• Exploitative business models: Software business models, whose incentives may conflict with human rights objectives, pose significant risks. Surveillance-based advertising models that micro-target vulnerable users can cause mental and physical health harms, while algorithms may amplify biased content, misinformation, online hate and child abuse material. However, alternative models are emerging – open-source software projects and subscription-based platforms demonstrate that human rights-centered approaches can be commercially viable.
• Right to life and personal security: Advances in weapons technology, including AI-enabled autonomous weapons capable of making targeting decisions, pose significant risks to the right to life and personal security.

Institutional investors, including asset owners and asset managers, have significant influence over how technology companies are run. They can encourage companies to build human rights protections into their operations, product design, raw-material sourcing and business relationships. As AI grows quickly, expectations for financial institutions to invest responsibly are rising.

The World Economic Forum notes that responsible AI governance supports long-term value, trust and stability. AI is now a major business risk: in 2025, 73% of S&P 500 companies reported at least one important AI-related risk, compared with only 12% in 2023. Reputational damage from bias, misinformation, and privacy lapses can significantly erode investor confidence and portfolio value. The investor community has called on tech companies to uphold digital rights, expressing concern over insufficient corporate accountability.

Investors throughout the technology lifecycle must ensure their investments do not cause, contribute to, or are linked to human rights harms by conducting risk-based due diligence under the UNGPs. 

Key finance sector-specific human rights risk factors include:

• Investment in discriminatory AI systems: Financing companies that develop or deploy AI perpetuating bias in lending, hiring, or service provision. Investors may be linked to algorithmic discrimination, creating regulatory liability under emerging AI laws and significant reputational risks.
• Financing surveillance technologies: Supporting companies whose products enable authoritarian governments or corporations to violate privacy rights and suppress civil liberties. Investors may contribute to human rights abuses through export of dual-use technologies.
• Funding job-displacing automation: Investing in AI development without ensuring adequate Just Transition measures, worker retraining programs or social safety nets. Investors may be linked to labor rights violations and community economic disruption.
• Enabling disinformation platforms: Supporting AI-powered platforms that amplify misinformation, threatening democratic processes and social cohesion. This creates both human rights concerns and systemic risks to market stability that can affect portfolio value.

Technology hardware manufacturing carries serious human rights risks at multiple points in the supply chain. Migrant workers in manufacturing hubs are more vulnerable to exploitation, including forced labour and unsafe working conditions. The sector’s reliance on high-risk raw materials also links manufacturers to impacts on Indigenous communities, exploitation of women and children and environmental degradation. Weak contractual oversight in globalized supply chains can further compound these risks where human rights controls are inadequate.

Technology hardware manufacturing sector-specific human rights risk factors include:

• Forced labour: is a significant risk in hardware manufacturing, occuring both in mineral extraction and component manufacturing, including debt bondage of migrant workers in electronics supply chains and forced labour in cobalt and lithium mining – minerals essential for renewable energy infrastructure that supports digital technology systems.
• Occupational health and safety: risks arise when workers are exposed to toxic chemicals in semiconductor production, given inadequate PPE, or suffer long-term health impacts from handling hazardous materials without proper safeguards.
• Indigenous lands rights violations occur when mining operations displace Indigenous communities without obtaining Free, Prior and Informed Consent, destroying traditional livelihoods and damaging cultural sites that are central to Indigenous identity.
• Gender based discrimination and harassment: can be common in manufacturing including severe human rights abuses such as pregnancy testing for female workers, unfair pay structures and workplace sexual harassment – which can all be made harder to prevent by complex and opaque supply chain practices.
• Freedom of Association and collective bargaining: is often restricted in electronics manufacturing, where fragmented contract labour systems leave temporary or agency workers unable to unionize or join workplace associations, undermining their ability to advocate for fair working conditions.

While developers bear primary responsibility for human rights impacts from system design, deployers (companies using AI systems) must ensure proper implementation and monitoring of systems to avoid and mitigate human rights impacts. The complexity and severity of human rights risks arising from the use of technology will depend on the company’s use cases, location and number of its users and the nature of its goods and services. Enterprises should conduct human rights due diligence (HRDD) that consider user behaviour and use cases across relevant sectors. State users and private-sector users each present distinct risk profiles and due-diligence expectations, including heightened risks where state use may affect civic freedoms or vulnerable groups.

Governments worldwide are rapidly integrating digital technologies, including artificial intelligence, across critical public sectors such as healthcare, education, social welfare, and law enforcement. While these tools promise greater efficiency and accessibility, their deployment often lacks adequate safeguards and human rights due diligence (HRDD). According to a 2025 report from the UN Working Group on Business and Human Rights, states are increasingly using AI systems without proper oversight, resulting in negative impacts across key sectors.

Government-specific human rights risk factors include the following: 

• Surveillance and privacy: Governments risk violating human rights to privacy when using technology to conduct actions including phone-tapping and government surveillance systems. 
• Freedom of expression: The human right to freedom of expression and speech can be violated by governments using technology to conduct censorship and suppress dissent through actions including suppression of dissent, algorithmic repression on social media, internet blackouts, and other censorship technology. 
• Conflict-affected areas: In regions impacted by conflict (CAHRAs), governments may pose significant human rights risks through the use of technology to enable repression, enforce mass surveillance, and impose internet shutdowns that silence dissent and restrict access to information.

• Law enforcement & counter-terrorism: Governments risk serious human rights violations through the deployment of spyware, excessive surveillance technologies, and predictive policing systems that reinforce systemic discrimination, racial profiling and harmful stereotypes.
• Algorithm-bias: Algorithmic bias in government systems, amplified by flawed human oversight and weak institutional accountability, can lead to discriminatory outcomes that disproportionately impact marginalized communities.

With the growing use of digital platforms to deliver essential services, the healthcare sector must recognize and address additional human rights risks, including safeguarding patient privacy, ensuring equitable access to digital services and preventing algorithmic bias in medical decision-making tools.

Healthcare sector-specific human rights risk factors include the following: 

• Human autonomy: Digital health systems may pose risks to patient autonomy, particularly where informed digital consent mechanisms are unclear or inconsistently applied. 

• Privacy: The use of health apps and digital platforms increases exposure to privacy violations, including data breaches and misuse of sensitive health information, with implications for regulatory compliance and reputational harm. 

• Discrimination & inequality: Algorithmic decision-making in healthcare risks reinforcing existing health disparities, raising concerns around digital health equity and potential discriminatory outcomes. 

• Access to healthcare: Limited connectivity and digital infrastructure contribute to a digital access divide, with broadband inequality and telehealth exclusion affecting equitable access to health services.

The World Health Organization (WHO) released guidance in 2024 that addresses the risks and benefits of AI in the healthcare sector and advises organizations developing, deploying or using AI in a healthcare setting to introduce mandatory post-release auditing and impact assessments, including for data protection and human rights.

The education sector is being profoundly impacted by emerging technologies such as artificial intelligence, posing both risks and benefits for the accessibility and quality of education. The European Commission has classified all AI systems intended to be used in assessing students and that may impact children’s personalized education or cognitive and emotional development as high-risk and subject to compliance. 

Education sector-specific human rights risk factors include: 

• Equitable access to education: As of 2024, nearly one-third of the world’s population lacks internet access, deepening the digital divide and increasing risks of inequality where technology is used in education. Vulnerable groups, including girls, people with disabilities, rural populations and marginalized communities are especially impacted. 
• Privacy: Constantly and continuously collecting, aggregating and analyzing data is at the core of machine learning and AI, which can pose serious data privacy risks for users, particularly children. Additionally, the use of AI-driven tools to determine a learner’s emotional state can help a teacher manage their classroom, however it also creates privacy concerns especially when the analysis takes place in proprietary systems. 
• Discrimination and inequality: AI-driven tools can create learner profiles to predict academic performance and identify students for early interventions, however this approach can lead to discrimination in underrepresented populations as AI often infers from features including gender, ethnic or cultural background and socio-economic status. Using AI in this way can introduce and reaffirm biases which may widen existing equity gaps. 

However, emerging technologies can also be used to increase access to education for those with access to the internet and smart devices, personalize learning and assist educators with management and organization. Educational product and service providers should consider evaluating the specific human rights risks they may pose through their use of emerging technologies. The University of Waterloo in Canada has created a free AI Human Rights Impact Assessment tool designed for educators wishing to assess an AI application for use in educational settings, which may also be helpful to developers and deployers seeking to assess their risks. 

As demand for digital financial services grows, new human rights risks are emerging in the FinTech sector, including weak data protections, algorithmic discrimination in credit and insurance decisions and predatory digital lending practices that disproportionately impact vulnerable users.

FinTech sector-specific human rights risk factors include the following: 

• Data collection: FinTech platforms increasingly rely on intrusive financial profiling and consumer data surveillance, often sharing sensitive information with financial data brokers without user awareness of control. AI may also lead to incremental disclosure of protected data that could breach agreed usage terms, such as algorithms reading facial features during video calls. 
• Discrimination: Algorithmic bias in lending can lead to credit score discrimination where exclusionary fintech models deny access to financial services for marginalized groups based on biased or flawed data.  

• Privacy: Many FinTech apps and platforms risk engaging in data-sharing without consent. Weak encryption in payment apps exposes users to identity theft, fraud and unauthorized access to financial records. 

• Illicit activities: Without robust oversight, FinTech systems risk being exploited for money laundering or used to bypass regulations, creating terrorist and financing loopholes that threaten global security. 

The FinTech industry can also provide opportunities to address the SDGs through digital financial inclusion, for instance through increased access to mobile banking or microcredit. In Kenya, the spread of mobile money lifted 1 million households out of extreme poverty from 2008 to 2014, the equivalent of 2% of the population. 

This section outlines practical steps for human rights due diligence in technology to assist technology companies and companies using technology with identifying, preventing, and addressing human rights risks in their operations, products, and value chains. These steps are aligned with the UN Guiding Principles on Business and Human Rights (UNGPs) and tailored to the technology sector’s specific context, including risks linked to product misuse, algorithmic bias, surveillance and labour rights in hardware supply chains. Further information on the UNGPs is provided in the ‘Key Human Rights Due Diligence Frameworks’ section below.

Each step is detailed below, with guidance tailored to the technology sector’s operating realities and risk profile. In the identification of risks, impacts, and appropriate actions (including remedy), meaningful stakeholder engagement is a core element of human rights due diligence.

Due diligence should be integrated throughout the lifecycle of technology, taking place early and often throughout the ideation phase, product design, development, deployment, and decommissioning. This includes Minimum Viable Products. Due diligence is not a one-off exercise and should be ongoing. Companies should demonstrate the ability to learn iteratively through due diligence activities.

Businesses must establish a clear and public policy commitment to respecting human rights in all technology-related activities. This commitment should be embedded across governance structures and operational processes, serving as the foundation for responsible innovation and ethical digital transformation. Companies should ensure that human rights are embedded into AI policies, integrating human rights principles in procurement, deployment and decision making.

Businesses should assess both potential and actual human rights impacts, factoring in the severity and likelihood of risks. For technology products and services, assessments should cover the full lifecycle, from production to end-use, to address upstream and downstream human rights implications.

A risk universe is the full spectrum of potential human rights risks a company could be connected to, directly or indirectly, through its operations, products, services, or business operations. A company should conduct a risk universe mapping exercise to identify all relevant risk areas before any prioritization or assessment takes place. In the context of technology, this means broadening the scope of your human rights risk assessment (HRIA) to include technology-related risks. When mapping their risk universe, a company should use a gender-lens and consider how vulnerable risks may be more significantly impacted.

To identify its risk universe, a company can take steps including: data collection, evaluating the context in which it uses technology, conducting meaningful stakeholder consultation (including with business partners), examining any recorded actual impacts and identifying its relationship to the risk. To understand its connection to a human rights impact, a company should ask whether it is directly causing or contributing to the impact, whether its business partners are involved, or whether the impact is external and beyond the control of both the company and its partners.

Enterprises should map risks to their value chains, either early in their risk universe assessment or in their value chain mapping. While companies should start by considering their direct impacts, they should also consider the downstream and end-use impacts. For example, the disposal of technology can impact human rights including privacy, health and safety, hazardous working conditions and clean, healthy, and sustainable environment. 

1.1 Companies developing or deploying technology at scale 

Companies that deploy and develop technology at scale may be contributing to or causing human rights impacts related to their direct actions and operations. 

For example, the risk universe of a phone manufacturer may include the conditions of workers in its factories and pollution of local communities near operations and shipping facilities. 

1.2 Companies using technology 

Companies using technology in their operations may be contributing to or causing human rights impacts through their usage of technology. 

For example, the risk universe of a clothing company that sells online and markets through social media may include risks like data privacy for customers and harmful marketing targeting vulnerable demographics including adolescents.

A potential impact assessment seeks to identify the extent of the adverse impact that a company may be having on rightsholders. A company should assess and prioritize its potential human rights impacts based on the severity and likelihood of each. Potential risks should be prevented through appropriate preventative measures. 

2.1. Companies developing or deploying technology at scale

Businesses that develop or deploy technology at scale, such as AI systems, cloud infrastructure, hardware manufacturing, or biometric tools, should proactively assess how their products and operations may detrimentally impact human rights. A company should evaluate risks related to privacy, surveillance, discrimination and misuse of technology by end-users. 

For example, a company developing facial recognition software should assess the risk of racial bias in its algorithms and consider restricting sales to clients with strong human rights protections.  

2.2. Companies using technology 

Enterprises using technology, whether for internal operations, customer engagement, or supply chain management, should assess how their technology and data practices may impact human rights. Related risks include surveillance, data privacy and digital exclusion.

For example, a company using employee tracking software should assess whether constant monitoring infringes on a worker’s privacy and dignity and adjust their practices accordingly.

An actual impact assessment analyses precisely what impacts a company is having on rightsholders. For example, a digital technology company may be violating human rights to privacy for its users. Unlike potential risks, actual risks have already arisen and should be ended or managed through corrected or remedial measures. 

A Human Rights Impact Assessment (HRIA) is an instrument for examining policies, legislation, projects and programs to identify and measure their potential and actual human rights impacts. The primary goal of an HRIA is to prevent harmful impacts and maximize positive impacts for a given project, program or policy. The Danish Institute for Human Rights has created a human rights impact assessment guidance for digital activities designed for businesses and other users of digital technologies.

3.1. Companies developing or deploying technology at scale

Companies that develop or deploy technology at scale should assess the actual human rights impacts their products and operations are having on individuals and communities. Key assessment actions include conducting HRIAs to identify and measure impacts and engage impacted stakeholders to understand their lived experiences. 

For example, a social media company whose algorithms amplify discriminatory content should revise its software and work with impacted parties to determine the extent of impacts and remediate harms. 

3.2. Companies using technology 

Enterprises using technology should regularly assess how their digital tools are affecting rights holders. Key assessment actions include monitoring how technology is used in practice, identifying consequences and taking action to mitigate harm. 

For example, a retail company using digital time-tracking for employees finds that the system is logging hours inaccurately, leading to underpayment. The company should assess the harm, correct the system and compensate impacted workers accordingly.

In their potential and actual risk assessments, a company should prioritise assessing and addressing human rights risks based on i) the likelihood they will occur, and ii) the severity of the impact. 

When prioritising where to start, a company should first assess risks within their own operations and use-cases, especially if that company operates in the tech sector. Then, a company can evaluate their upstream risks from suppliers and downstream risks from end-users. 

To assess their risks, a company can use internal sources of data, external sources of data, or some combination of both.

While technology raises human rights risks, it also provides opportunities for companies to improve their HRDD assessments and more easily identify potential and actual human rights impacts throughout their value chains. If your company is conducting a double materiality assessment while preparing for legal compliance, for example with the EU Corporate Sustainability Reporting Directive (CSRD), then technological developments including AI provide opportunities for positive impact in strengthening your HRDD assessment process. 

When used responsibly, digital qualitative tools can strengthen the rigour and responsiveness of Human Rights Impact Assessment (HRIA) processes. Companies can mobilize tools such as Self-Assessment Questionnaires (SAQs) and Natural Language Processing (NLP) programs to collect and analyse supplier data.

Taking action to address and correct human rights impacts is the most important step of any due diligence cycle. The actions a company should take will depend on the outcomes of its risk and impact assessments and stakeholder engagement exercises. Given the varied uses of technologies, companies should tailor their approaches to the specific risks, impacts, contexts and stakeholders involved. The UNGPs require that companies take appropriate action to address their impacts, with actions varying according to a company’s level of causation, the extent of its leverage and the likelihood and severity of the impact. 

Technology companies face unique and extensive human rights risks due to the nature and widespread availability of their products and services. Across their hardware and software development and deployment, technology companies should take action to ensure they are respecting human rights. Additionally, companies should look inward at human rights impacts on their employees due to technology, especially linked to privacy, security and discrimination risks. 

• Strategy: Technology driven business models may be reliant on advertising revenue, which could heighten human rights risks by incentivizing practices that prioritize engagement or profit over user wellbeing. Companies should critically assess their business models, incentive systems and KPIs to ensure they are consistent with respect for human rights and do not put stakeholders at risk. 

• Algorithms: A Council of Europe study highlighted that algorithms and automated data processing techniques can adversely impact a range of human rights, including: privacy and data protection, fair trial and due process, freedom of expression, freedom of assembly and association, prohibition of discrimination and free elections. Technology service providers should take action to monitor the adverse social and human rights impacts that their algorithms may be having. Actions may include: increasing human oversight in automated processing, providing users with reporting mechanisms for harmful content and rewriting code to reduce discriminatory and biased outcomes. 

• Privacy and Security: Technology companies may be at risk of impacting human rights to privacy and security, particularly as software services increasingly manage sensitive personal and financial information for their users. Companies should take action on privacy and security risks by improving their data protection measures, providing users with accessible information about how their data will be processed, stored, used, and shared and managing their business partnerships to maintain data privacy in line with legal requirements. For example, Microsoft provides a privacy statement accessible online that is easy to read and details what personal data is collected, how it is used and how it is shared.

• Data centres: According to a 2025 Verisk Maplecroft analysis, the majority of the world’s top data centre hubs are facing an array of heat related risks. Data centres are vital for many technology companies’ operations; however they are also detrimentally impacting water and energy access in many areas. Technology companies can take action by ‘greening’ their data centres to improve efficiency and reduce operational expenditures. Bahnhof, a Swedish Internet service provider, pumps excess heat from their data centres to nearby buildings, thereby reducing energy waste. Technology companies can also take action to mitigate environmental impacts from their data centres, such as Google’s water project that replenished 64% of their 2024 freshwater consumption.

Tracking performance is critical for effective human rights due diligence, as stated by the OECD Guidelines for Multinational Enterprises, which guides companies to implement the UNGPs. Recent analyses suggest many large EU firms still lack robust tracking of human-rights action effectiveness.

In the technology context, monitoring progress against KPIs on human rights helps companies understand the impacts of their digital products, services and procurement decisions on rightsholders. 

This includes risks such as:

• Digital surveillance
• Algorithmic bias
• Online harm

Tracking performance enables companies to:

• Identify strengths, weaknesses and unintended consequences
• Highlight systemic issues requiring policy or process changes
• Share best practices across the enterprise

As the UNDP notes: “what gets measured gets managed.” Tracking is essential for improving outcomes and ensuring accountability.

Companies can use a range of methods to track their performance on technology and human rights, including:

Transparent communication on your management of technology-related human rights risks builds trust with stakeholders, demonstrates accountability and supports continuous improvement. Clear reporting helps users, workers, investors and communities understand how their rights might be impacted and what your business is doing about it. It also enables meaningful feedback and dialogue, allowing you to identify blind spots and benchmark progress. Silence or vague statements increase reputational risk and can erode stakeholder confidence, while proactive communication – even about the challenges you face – shows commitment to responsible technology use.

Test

Further guidance on technology and human rights includes:

Overview: 

• OECD, AI Principles: These principles provide the first intergovernmental standard on AI and emphasize innovation, trustworthiness and respect for human rights and democratic values. 
• UN B-Tech, The practical application of the UN Guiding Principles on Business and Human Rights to the activities of technology companies including activities related to AI: This report analyses the application of the UNGPs to the activities of business activities. 

Industry-Specific Risk Factors: 

• Mining and Extractive Industry

• BSR, AI and Human Rights in Extractives: This resource contains a recommendations section (p.11-12) that provides businesses with actions they can take to mitigate human rights harms related to AI usage in the extractives sector. 
• OECD, How to address bribery and corruption risks in mineral supply chains: This resource answers frequently asked questions and explains in simple language what actions companies should take to address human rights risks in their minerals value chains. 
• OECD, Handbook on Environmental Due Diligence in Mineral Supply Chains: This handbook supports businesses in the extractives sector with the implementation of their human rights and environmental principles in line with OECD standards. 
• OECD, Practical actions for companies to identify and address the worst forms of child labour in mineral supply chains: Practical guidance for companies to help them identify, mitigate and account for the risks of child labour in their mineral supply chains, developed to build on the due diligence framework of the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High Risk Areas.
• OECD, 2025, Human Rights Due Diligence for Digital Technology Use: Artificial Intelligence  

• Software Development

• The Danish Institute for Human Rights and the German Society for International Cooperation, The Digital Rights Check, A web-based tool that is designed to help staff working on development projects to assess the potential human rights impacts of their digital projects or project components. 
• UN B-Tech, The practical application of the UN Guiding Principles on Business and Human Rights to the activities of technology companies including activities related to AI: This report analyses the application of the UNGPs to the activities of business activities. 

• Financial Institutions

• Business and Human Rights Resource Centre, Navigating the surveillance technology ecosystem: A human rights due diligence guide for investors: This guide assists investors of all sizes, types and geographies  to navigate the surveillance technology ecosystem and strengthen their human rights due diligence.
• UK Government, The Mitigating ‘Hidden’ AI Risks Toolkit: This toolkit is designed for individuals and teams responsible for implementing AI tools and services and those involved in AI governance. 
• UN B-Tech, Human Rights Risks In Tech: Engaging And Assessing Human Rights Risks Arising From Technology Company Business Models: This tool aims to equip investors to (1) accurately assess technology companies’ policies and procedures for addressing business model-related human rights risks; and (2) encourage technology companies to adopt approaches to such human rights risks that align with their responsibility to respect human rights.
• UN Global Compact, Responsible Investing into AI: This webinar will explore how investment in AI can enable human rights harms, the responsibility of investors to conduct HRDD, and how HRDD can benefit investors while contributing to human rights protections. 

• Technology Hardware Manufacturers

• ILO, ILO Helpdesk for business on international labour standards: The ILO Helpdesk assists company managers and workers who want to align their policies and practices of international labour standards and build good industrial relations. 

• Sectors deploying emerging technologies 

• European Parliament, Addressing AI Risks in the Workplace: Workers and Algorithms. This guidance provides perspectives from both employers and trade unions about AI and evaluates how emerging AI technologies fit into existing EU laws. 
• OECD, Guidance for Multinational Enterprises: Chapter 9 (p.46-p.48) “Science, Technology and Innovation” provides guidelines for enterprises to conduct human rights due diligence related to emerging technologies.
• Partnership on AI, Data Enrichment Sourcing Guidelines: This guidance lists five key, worker-centric guidelines that AI practitioners should follow when setting up a project involving data enrichment. 
• UK Government, The Mitigating ‘Hidden’ AI Risks Toolkit: This toolkit is designed for individuals and teams responsible for implementing AI tools and services and those involved in AI governance. 
• UN Working Group on Business and Human Rights, Artificial Intelligence Procurement and Deployment: ensuring alignment with the Guiding Principles on Business and Human Rights: Report provides clear guidance regarding implementation of the UNGPs and Human Rights in the procurement and deployment of AI systems
• UN B-Tech Project, Advancing Responsible Development and Deployment of Generative AI: This resource provides practical recommendations for how lawmakers, businesses and civil society can leverage the UNGPs to foster practices capable of addressing human rights risks and impacts from AI.  
• UN B-Tech (Business and Human Rights in Technology), Identifying and Assessing Human Rights Risks related to End Use: This tool provides guidance for enterprises working to embed respect for human rights in the business of technology. It includes guidance for enterprises to conduct HRDD for related end users and end-use scenarios. 
• UN Working Group on Business and Human Rights, Artificial Intelligence Procurement and Deployment: ensuring alignment with the Guiding Principles on Business and Human Rights: Report provides clear guidance regarding implementation of the UNGPs and Human Rights in the procurement and deployment of AI systems

Due Diligence Considerations: 

General due diligence guidance: 

• OECD, Guidance for Multinational Enterprises: Chapter 9 (p.46-p.48) “Science, Technology and Innovation” provides guidelines for enterprises to conduct human rights due diligence related to emerging technologies. 
• SME Compass, Due Diligence Implementation Made Easy: The SME compass offers guidance on the overall due diligence process by taking business through five key due diligence phases. It is available in both English and German. 
• UN, Human Rights Due Diligence: An Interpretive Guide: This guide provides an overview of the UNGPs and due diligence stages, including aspects such as leverage and stakeholder engagement.
• UN, Human Rights Due Diligence for Digital Technology Use: This guidance provides a practical introduction to HRDD to assist in the design, development, and implementation of human rights due diligence for digital technology use. 
• UNDP, Human Rights Due Diligence Handbook for Small and Medium-Sized Enterprises: This guidance provides clarity on the various requirements of human rights due diligence, with a focus on SMEs.  

Step 1: Develop a Policy Commitment 

• United Nations, Human Rights Due Diligence: An Interpretive Guide: This guide provides an overview of the UNGPs and due diligence stages, including aspects such as leverage and stakeholder engagement.
• United Nations, Human Rights Due Diligence for Digital Technology Use: This guidance provides a practical introduction to HRDD to assist in the design, development, and implementation of human rights due diligence for digital technology use.
• United Nations, The Feasibility of Mandating Downstream Human Rights Due Diligence: Reflections from Technology Company Policies 
• Herbert Smith Freehills Kramer, Business Human Rights in the Tech Sector 
• Deloitte, Human Rights Due Diligence in the Modern Era 
• UNDP, Human Rights Due Diligence Handbook for Small and Medium-Sized Enterprises: This guidance provides clarity on the various requirements of human rights due diligence, with a focus on SMEs.  

Step 2: Assess Actual and Potential Impacts

• The Danish Institute for Human Rights, Human rights impact assessment of digital activities. Practical guidance for businesses on how to conduct human rights impact assessment of digital activities.
• The Danish Institute for Human Rights, Key Principles for Human Rights Impact Assessment of Digital Business Activities: This guidance outlines key criteria for human rights impact assessments of digital projects, products and services. 
• Ontario Human Rights Commission, Human Rights AI Impact Assessment, 2024
• The Alan Turing Institute, Human Rights, Democracy, and the Rule of Law Impact Assessment for AI Systems (HUDERIA): A risk-based approach to assessing and mitigating adverse impacts developed for the Council of Europe’s Framework Convention
• The Digital Rights Check, A web-based tool that is designed to help staff working on development projects to assess the potential human rights impacts of their digital projects or project components. 
• UN, Identifying and Assessing Human Rights Risks related to End Use: This tool provides guidance for enterprises working to embed respect for human rights in the business of technology. 
• UN B-Tech, Identifying and Assessing Human Rights Risks related to End Use: This tool provides guidance for enterprises working to embed respect for human rights in the business of technology. It includes guidance for enterprises to conduct HRDD for related end users and end-use scenarios. 
• UN B-Tech, Human Rights Risks In Tech: Engaging And Assessing Human Rights Risks Arising From Technology Company Business Models: This tool aims to equip investors to (1) accurately assess technology companies’ policies and procedures for addressing business model-related human rights risks; and (2) encourage technology companies to adopt approaches to such human rights risks that align with their responsibility to respect human rights.

Step 3: Integrate and Take Action to Address Impacts 

• BSR, Sales Partners and Human Rights Due Diligence in the Technology Sector, 2022
• European Parliament, Addressing AI Risks in the Workplace: Workers and Algorithms. This guidance provides perspectives from both employers and trade unions about AI and evaluates how emerging AI technologies fit into existing EU laws. 
• UN OHCHR B-Tech, Taking Action to Address Human Rights Related to End-Use, 2020

Step 4: Track Performance 

• The Danish Institute for Human Rights, Human Rights Indicators for Business 

Step 5: Communicate Performance

• United Nations, The UN Guiding Principles Reporting Framework

• BSR, Aligning Transparency and Disclosure Practices with Human Rights Responsibilities

Step 6: Remedy and Grievance Mechanisms

• UN OHCHR B-Tech, Access to remedy and the technology sector: basic concepts and principles
• UN OHCHR B-Tech, Designing and implementing effective company-based grievance mechanisms: This guidance
• UN Environment Programme, Remedy: This resource includes information about types of remedy and provides guidance about the role of financial institutions in remedy