Can data protection save the planet?
Earth Day 2023 fell on Saturday 22 April, capping off Earth Week, which had the theme ‘Invest In Our Planet’ and the tag line “Everyone accounted for, and everyone accountable”.
Environmental, Social and Governance, or ESG, non-financial performance measures are becoming increasingly important to institutional and retail investors and consumers alike, with a study by McKinsey revealing that both large and small brands saw products making ESG claims experience the strongest growth. It has been reported that, as at the end of 2022, one in every eight US investor dollars was invested in a sustainable fund, i.e. a fund that exercises stewardship to actively invest having regard to ESG issues.
Whether driven by the potential for profit or the climate emergency, the drive toward sustainability cannot be ignored.
If sustainability is for every day, not merely Earth Day, how can data protection compliance contribute to a green, sustainable economy, and to the demonstration of operations in accordance with ESG principles?
The impact of data processing on the environment
By 2025, global data creation is projected to grow to more than 180 zettabytes (one zettabyte being equivalent to a trillion gigabytes), albeit that the percentage of data continuing to be stored year on year is a fraction of this.
Data centres, which provide network, compute and storage infrastructure, are estimated to account for around 1% of worldwide electricity use. Water consumption, both direct through cooling and indirect through electricity generation, attributable just to US data centres in 2014 was estimated as being some 626 billion litres, with one commercial data centre provider reporting that the majority of its water consumption was from potable water in each of the years 2017 – 2019. Technological developments, such as artificial intelligence (AI) and the advent of hyper-personalisation, will only exacerbate data usage even as efficiency improves.
In the updated 2020 edition of his book ‘How Bad are Bananas?’, Mike Berners-Lee calculated that the footprint of an email could range from 0.03g CO2e to 26g CO2e (depending on attachments), and estimated that emails accounted for 0.3% of the global carbon footprint in 2019.
A 2018 paper suggested that online advertising consumed between 20.38 and 282.75 TWh of energy and that 11.53 – 159.93 million tons of CO2e were emitted to produce the electricity consumed. A recent report by Global Action Plan suggested that “an estimated 1% of total energy consumption on this planet is used in the process of serving online ads” and that “advertising now adds an estimated 32% to the carbon footprint of every person in the UK”. Scope3, a public benefit corporation aiming to decarbonise media and advertising, published its ‘State of Sustainable Advertising Report’ for Q1 2023, which found that the “programmatic advertising industry produces more than 215,000 metric tons of carbon emissions in a single month across five leading economies [the USA, the UK, Australia, Germany and France], the equivalent to more than 24 million gallons of gasoline being consumed”, the majority of which arose from “ad selection emissions”, i.e. ad placement auctions. It was also reported that over 15% of advertising spend was wasted on inventory that generated no value. Building on Scope3’s research, Playground xyz published a white paper, ‘Sustainable Attention’, revealing that approximately 40% of online ads receive no “Attention Time” and that the removal of impressions that received less than 0.5 seconds of Attention Time resulted in a reduction in emissions in excess of 50%. The white paper also referenced academic research showing that placing an ad in a congruent context has a significant bearing on the Attention Time it receives, and that digital ad placement can therefore be optimised by domain and wasteful advertising avoided without compromising results.
Existing data protection / data privacy compliance measures relating to data accuracy, data minimisation and data retention, privacy by design, age appropriate design/Children’s Code and wider online safety compliance, information security, and marketing can thus be re-purposed to demonstrate accountability with ESG principles and can also be revisited to have a positive influence on reducing the consumption of resources.
Environmental and sustainability reporting obligations
Company directors in the UK are bound by the statutory duty under s172(1) Companies Act 2006 to act in the way they consider to be “most likely to promote the success of the company for the benefit of its members as a whole” having regard to factors including “the impact of the company’s operations on the community and the environment”. Following amendments to the Act introduced by The Companies Act 2006 (Strategic Report and Directors' Report) Regulations 2013 (S.I. 2013/1970) and The Companies (Strategic Report) (Climate-related Financial Disclosure) Regulations 2022 (S.I. 2022/31), quoted companies in the UK are required by s414C(7) of that Act to include in their strategic report, to the extent necessary to understand the development, performance or position of their business, information about “environmental matters (including the impact of the company’s business on the environment)” and “social, community and human rights issues”, including information about relevant policies and their effectiveness. Separate regulations impose similar requirements on partnerships. The strategic report of certain companies must also contain a “non-financial and sustainability information statement” detailing, among other things, “the climate-related financial disclosures of the company” in so far as these are material.
In the US, it is expected that in 2023 the Securities and Exchange Commission (SEC) will finalise the draft rules it issued in March 2022 to enhance and standardize climate-related disclosures for investors.
Environmental and sustainability standards
While there is currently no one internationally agreed standard or framework to be deployed to measure and report upon the impact of sustainability measures, at the 2021 United Nations Climate Change Conference, more commonly referred to as COP26, the International Sustainability Standards Board (ISSB) was announced to develop a comprehensive global baseline of sustainability disclosures for the capital markets that would build upon the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) and incorporate industry-based requirements derived from the Sustainability Accounting Standards Board. The draft standards have been the subject of consultation with both IFRS S1 ‘General Requirements for Disclosure of Sustainability-related Financial Information’ and IFRS S2 ‘Climate-related Disclosures’ expected to be published in summer 2023.
In the meantime, organisations can look to the ISO 14001:2015 Environmental Management Systems standard as a starting point, to the UN Sustainable Development Goals, or to one or more of the existing frameworks, including those published by the Sustainability Accounting Standards Board, the Global Reporting Initiative and/or the World Economic Forum.
Potentially relevant UN Sustainable Development Goals include ‘Goal 5: Gender Equality’, ‘Goal 6: Clean Water and Sanitation’, ‘Goal 7: Affordable and Clean Energy’, ‘Goal 9: Industry, Innovation and Infrastructure’, ‘Goal 10: Reduced Inequalities’, ‘Goal 12: Responsible Consumption and Production’, ‘Goal 13: Climate Action’, and ‘Goal 16: Peace, Justice and Strong Institutions’.
The proposed IFRS standard for industry-based disclosure requirements for internet media and services, drawn from the Sustainability Accounting Standards Board, suggests that relevant metrics include the environmental footprint of hardware infrastructure, reflecting energy consumption and source, water consumption and evidence of incorporating environmental considerations into the strategic planning of data centre requirements, as well as data processing capacity and data storage requirements.
The Global Reporting Initiative has published the GRI Universal Standards, together with sector and topic standards. GRI 418 on ‘Customer Privacy’ indicates that, where this is a material topic, disclosures should include information regarding “substantiated complaints concerning breaches of customer privacy and losses of customer data”, in addition to the foundation and general disclosure requirements.
The World Economic Forum (WEF) launched its Stakeholder Capitalism Metrics initiative in 2020 at Davos, and in January 2023 the WEF reported that 137 companies had utilised the metrics in their reporting. The WEF metrics comprise sets of core and expanded metrics organized under four (4) pillars of governance, planet, people and prosperity. Under the governance pillar, data protection / data privacy compliance could be relevant to the core metrics of “material issues impacting stakeholders”, “protected ethics advice and reporting mechanisms” and “integrating risk and opportunity into business process”. Under the planet pillar, applying the principles derived from data protection legislation such as data minimisation could be relevant to the core metrics of “greenhouse gas (GHG) emissions” and “Water consumption and withdrawal in water-stressed areas”. Compliant processing of special category personal data will support the calculations for the core metrics of diversity and inclusion and pay equality under the people pillar.
Looking to the social and governance pillars, existing data protection compliance obligations, such as fair and transparent processing, privacy by design, and the conduct of a data protection impact assessment to record the identification and mitigation of risks and the consultation of affected individuals or their representatives, can support ethical data use and the avoidance of bias. The protection of personal data may, depending on the nature of the data, be recognised as a human right. The United Nations Universal Declaration of Human Rights provides, at Article 12, that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”. The EU Charter of Fundamental Rights recognises not only the right to respect for private and family life, but also a distinct right to the protection of personal data under Article 8 of the Charter. The Article 8 right to respect for private and family life under the European Convention on Human Rights has been held to extend to processing activities in so far as the relevant personal data relates to the private life of the individual.
Adopting and adapting data protection compliance to support the achievement of ESG principles
Whichever set of standards or framework your organisation chooses to adopt, we have identified some practical measures to align data protection compliance with wider ESG accountability measures:
Engage your organisation’s Data Protection Officer (DPO) or data protection lead in ESG working groups.
Identify the existing data protection compliance reporting and governance mechanisms that can also support ESG accountability under the relevant framework.
Consider whether, and to what extent, existing data protection compliance reporting and governance mechanisms can be adapted or augmented to supplement ESG accountability.
Identify existing, or develop new, data protection metrics that could be gathered and reported, whether internally or externally, to support ESG accountability, for example in relation to data protection complaints and/or monetary losses, including legal and other fees, damages and fines, arising from breaching data protection legislation.
Brief the C-Suite on the benefits that data protection and information security compliance present to the delivery of the ESG agenda, and obtain agreement for proposals to explore and implement opportunities to augment and adapt governance and reporting.
Build ESG considerations into your assessment of the suitability of data processors, to address their efficiency, energy and water consumption and carbon emissions, as well as data protection and information security compliance.
Understand your organisation’s carbon impact from data processing, using tools such as Microsoft’s Emissions Impact Dashboard, Scope3’s tools, the Media Carbon Calculator available to IPA Media Climate Charter subscribers, other emissions management software or by estimation.
Identify further opportunities to implement data minimisation and secure data deletion across your organisation and follow this up – consider whether Earth Day could provide an opportunity to ask staff to revisit their data requirements.
Review your data retention policies and determine whether data can be transferred from the cloud to cold data storage solutions.
Consider revisiting your information security and data protection arrangements in relation to emails and encourage users to share links to documents rather than attachments, which can also promote data security in the event that an email is mis-directed or access needs to be withdrawn as well as reducing energy usage.
Reflect the outcomes and recommendations of data protection impact assessments (DPIA) and transfer impact assessments in wider human rights reviews.
Review the transparency of your data protection compliance regime and determine whether you could publish further information to increase trust.
Consider implementing ratings, such as a RAG status, for data protection, human rights and wider ESG risks, to support the identification of disclosable material risks.
Consider incorporating the consideration of wider ESG factors into privacy by design processes and data protection impact assessments (DPIA), particularly those deemed to present a high risk to individuals, such as profiling and other automated decision making or the use of artificial intelligence (AI).
Implement periodic data cleansing of customer records and monitoring of marketing engagement to inform data retention policies.
Conduct a review of digital advertising and marketing to determine whether this could be optimised to improve engagement and reduce waste.
Ensure that any ESG claims you propose to make can be supported and aren’t merely ‘greenwashing’.
Should your organisation wish to review or to implement an ESG approach to data protection compliance, please contact Handley Gill’s specialist consultants.