Private Actors, State Responsibility

Defining State Responsibility for PMSCs

In 2008, “The Montreux Document on pertinent international legal obligations and good practices for States related to operations of private military and security companies (PMSCs) during armed conflict” (hereafter the Montreux Document) was adopted. It was the fruit of collaborative efforts by Switzerland and the International Committee of the Red Cross (ICRC), following years of expert dialogue, multi-stakeholder consultations, and international negotiations. The resulting document identified pertinent existing legal obligations for states under international humanitarian law (IHL), or the law of armed conflict, vis-à-vis PMSCs and established human rights respecting practices for states to hire and employ private security companies in accordance with international law.¹Federal Department of Foreign Affairs (FDFA), “THE MONTREUX DOCUMENT: On pertinent international legal obligations and good practices for States related to operations of private military and security companies during armed conflict,” August 2009, https://www.montreuxdocument.org/pdf/document/en.pdf. It has since gained the support and participation of 59 states, including the United States (U.S.), France, the United Kingdom (U.K.), and China, as well as organizations like the North Atlantic Treaty Organization (NATO) and the European Union (EU).²“Independent Research Confirms the Positive Impact of the Montreux Document on the Reduction of PMSC’s Violence against Civilians,” Montreux Document Forum, accessed October 2, 2023, https://www.montreuxdocument.org/news/impactoncivilians.html.

While the Montreux Document is a normative instrument, rather than a legally binding treaty, the Document reaffirms the legal obligations of states under existing international law and restates those that are pertinent with regards to PMSCs. As such, it seeks to reinforce common understandings around key legal obligations and consider them through the lens of private military and security actors that operate within the context of an armed conflict. “It addresses substantive legal concerns, such as the status of PMSC personnel under the 1949 Geneva Conventions, individual accountability for misconduct in different jurisdictions, and the authorities’ duty to oversee and screen the actions of firms for potential misconduct.”³Federal Department of Foreign Affairs (FDFA), “THE MONTREUX DOCUMENT: On pertinent international legal obligations and good practices for States related to operations of private military and security companies during armed conflict,” August 2009, https://www.montreuxdocument.org/pdf/document/en.pdf.

In so doing, the document articulates that state responsibility for the actions of PMSCs lies with their countries of residence, the governments that contract them, and the governments on whose territory they are operating. By endorsing the Montreux Document, states effectively publicly confirm that they understand their existing legal obligations under the Geneva Conventions to be interpreted in the same manner as they are restated in the Montreux Document.

The Montreux Document is a groundbreaking document, and one that is particularly relevant for the current geopolitical situation in which broad agreement on international conventions has proven elusive. It represents an alternative approach to launching a lengthy process to develop a new convention on PMSCs, which would likely lack the support of states that would be important for its implementation, and furthermore might weaken existing international obligations.⁴This is a concern voiced by legal experts and civil society organizations, such as ICT4Peace Foundation.The Montreux Document provides an example of updating existing legal obligations to respond to new challenges without a drawn-out and politically risky or difficult process.

A cautionary counterexample is the International Convention against the Recruitment, Use, Financing, and Training of Mercenaries, commonly known as the UN Mercenary Convention. Negotiations for the Convention began in the late 1970s led by Nigeria, following concerns about the impact of mercenaries in armed conflicts particularly in Africa. After nearly two decades of negotiations and several sessions, marked by complexities and delays, the Convention was adopted on December 4, 1989, and only entered into force on October 20, 2001, after securing the necessary ratifications. Currently, the treaty has been ratified by 37 states, with enforcement of treaty being little to non-existent.⁵Anne-Marie Buzatu, “Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process,” DCAF, SSR Paper 12, p. 17 (2015).

Industry-led Accountability

The development of the International Code of Conduct for Private Security Service Providers (ICoC, or “the Code”) involved private actors, including security companies, and civil society actors to a greater degree than the Montreux Document. Mindful that the Montreux Document applies to states, and not directly to PMSCs themselves, the private security industry called on Switzerland to develop a mechanism that would hold them directly accountable. In response, the Swiss initiative to develop the ICoC began in January 2009, culminating in its finalization and adoption in November of 2010. The ICoC contains 70 provisions for private security companies grounded in international human rights law regarding the conduct of private security personnel, including standards for use of force and detention of persons as well as prohibitions of certain behaviors such as carrying out torture or gender-based violence. It also contains specific commitments by affiliated companies regarding management and governance of the private security company.

While the ICoC initially gained broad support from the private security industry, with more than 700 companies signing the document, it lacked any enforcement mechanism to oversee companies’ implementation of and adherence to the ICoC. In response, the International Code of Conduct Association (ICoCA) was established in 2013 with the goal of promoting responsible and ethical conduct among PMSCs. ICoCA is a multi-stakeholder initiative involving governments, PMSCs, civil society organizations, and other stakeholders working to encourage PMSCs to adhere to the common set of standards and principles, outlined in the ICoC.

The preamble of the ICoC not only references and endorses the principles of the Montreux Document but also sets forth a series of obligations for Member and Affiliate Companies. These companies are mandated to operate in strict compliance with both national and international laws and regulations, as well as to adhere to established corporate standards of business conduct. Fundamental to these obligations is the recognition and support of the rule of law, alongside a firm commitment to respecting human rights and safeguarding the interests of their clients. Additionally, the Code emphasizes the importance of establishing and maintaining robust internal governance frameworks.

These governance frameworks are essential for deterring, monitoring, reporting, and addressing any adverse impacts on human rights effectively. Moreover, the Code mandates that these companies provide mechanisms for addressing and resolving any allegations of activities that contravene applicable laws or the Code’s standards. This includes cooperation in good faith with both national and international authorities, particularly concerning investigations into violations of criminal law, international humanitarian law, or human rights abuses. Through these stipulations, the ICoC aims to foster a responsible, accountable, and ethical private security industry.

While the Montreux Document is not a mechanism per se, and therefore is not implemented as such, continued government engagement was supported through the Montreux Document Forum (MDF),⁶“Montreux Document Forum,” Montreux Document Forum, accessed February 9, 2024, https://www.montreuxdocument.org/. which held annual plenary meetings from 2014 until 2021. In addition to the annual plenary, the Montreux Document Forum hosted regular meetings of a Maritime Security Working Group, as well as an ICoCA Working Group. Since that time, the MDF has not held in-person meetings; nonetheless, it has continued to gain new members, with Slovakia joining in 2022 and Romania joining in 2023.

ICoCA, the oversight and governance mechanism for “the Code”, is supported by membership dues, as well as financial contributions by the governments of the U.S., UK, Sweden, and Switzerland. The membership of the ICoCA is made up of private security companies, governments, and civil society organizations, with each stakeholder pillar having an important function for implementing the Code. There are three member categories for private security companies: 1) “Certified” Member Companies, who have obtained approved third party certification that their policies and processes are in accordance with the code; 2) Member Companies, who have not yet obtained third-party certification, but who commit to doing so by December 31st of the third year after they have joined; and 3) Affiliate Companies, who are not seeking third-party certification, but who commit to continuous improvement in terms of implementing the Code. All companies commit to operating in accordance with the Code of Conduct, are subject to monitoring by ICoCA (both desk monitoring and in the field), submit an annual self-assessment, and pay a joining fee and annual dues.⁷International Code of Conduct Association (ICoCA), “About Us,” accessed September 8, 2023, https://icoca.ch/about; International Code of Conduct for Private Security Service Providers (ICoC), “International Code of Conduct for Private Security Service Providers,” accessed September 8, 2023, http://www.icoc-psp.org/the-code/; International Code of Conduct Association (ICoCA), “Our Standards,” accessed September 8, 2023, https://icoca.ch/our-standards/.

The ICoCA also has a complaints process to receive complaints about ICoCA members and affiliate companies. Complaints may be submitted by anybody who has been harmed or has reason to believe that a violation of the Code occurred or is about to occur. The complaints process is overseen by a complaints committee, made up of Board Members from all three stakeholder pillars. For complaints alleging criminal activity, due diligence is conducted to determine jurisdiction, and the matter may be reported to competent authorities. These complaints are not processed further until after review and decision by the Board.

To complement ICoCA’s oversight, several governments and companies have either enacted laws or policies that require membership in ICoCA of certain private security companies they contract with. This “coregulation”⁸Buzatu, “Towards an International Code of Conduct,” 32. further hardens the soft human-rights protecting regulation through contractual requirements and financial incentives: in order to obtain and/or keep contracts, companies must comply with the requirements of the ICoC/A.

For example, in its “Private Security Services Abroad” laws of 2015 and 2020, Switzerland requires mandatory reporting and ICoCA membership for certain private security services provided abroad in “complex environments.”⁹“RS 935.411:Ordonnance sur les prestations de sécurité privées fournies à l’étranger,” The Swiss Federal Council, June 2015, https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/cc/2015/451/20230901/fr/pdf-a/fedlex-data-admin-ch-eli-cc-2015-451-20230901-fr-pdf-a.pdf; and “RO 2020 5323: Ordonnance sur les prestations de sécurité privées fournies à l’étranger,” The Swiss Federal Council, November 2020, https://www.fedlex.admin.ch/eli/oc/2020/921/fr. This is actively overseen by its Export Controls and Private Security Services Section.¹⁰See, e.g., Federal Department of Foreign Affairs (FDFA), “Federal Act on Private Security Services Provided Abroad (PSSA),”https://www.eda.admin.ch/eda/en/home/aussenpolitik/sicherheitspolitik/bundesgesetz-ueber-die-im-ausland-erbrachten-privaten-sicherheit.html. The UN and other governments, including Australia, Canada, U.S., and the UK have adopted policies that require ICoCA membership in good standing for private security contractors providing particular services. Finally, some private clients have also introduced IcoC/A adherence in the contracts of their private security companies.¹¹Buzatu, Towards an international Code of Conduct, 60-63.

This “mosaic” approach of reinforcing multistakeholder governance through national laws and contracting policies that reaffirm the same standards helps to fill in the governance gaps of traditional regulatory frameworks and give more teeth to cross-border oversight and accountability, improving governance effectiveness and reducing impunity.

In addition to its certification, monitoring, and complaints functions, ICoCA provides guidance to its members and affiliates through advisory services and capacity-building. For example, the ICoCA provides tailored feedback to its member and affiliate companies on the companies’ annual reports of their compliance with the code and helps them develop workplans that focus on areas that need to improve. It has also developed guidance documents on developing and operating fair and accessible company grievance mechanisms that offer effective remedies, as well as on preventing and addressing sexual exploitation and abuse. The ICoCA conducts research, with two projects currently looking at workplace conditions of private security companies, as well as the use of advanced technologies in the private security sector. Finally, the ICoCA offers capacity-building courses “to build the capacity and ability [of Member and Affiliate Companies] to fully meet the international human rights and humanitarian law principles articulated in the International Code of Conduct.”¹²Buzatu, Towards an international Code of Conduct, 45-63.

The Montreux Document has the support and participation of 59 states, including China, France, U.K., and the U.S. as well as organizations like NATO and the EU.¹³“Independent Research Confirms the Positive Impact of the Montreux Document on the Reduction of PMSC’s Violence against Civilians,” Montreux Document Forum, accessed October 2, 2023, https://www.montreuxdocument.org/news/impactoncivilians.html. Despite the lack of a formal implementation mechanism, there is evidence suggesting the Montreux Document is having a positive impact on the ground. Independent research conducted by Charlotte Penel and Ulrich Petersohn presents compelling evidence that the implementation of the Montreux Document has contributed to a decrease in violence against civilians during and after hostilities.¹⁴Charlotte Penel and Ulrich Petersohn, “Commercial Military Actors and Civilian Victimization in Africa” Journal of Global Security Studies, Volume 7, Issue 1, (March 2022), accessed February 9, 2024, https://doi.org/10.1093/jogss/ogab029.

ICoCA membership includes seven governments (Australia, Canada, Norway, Sweden, Switzerland, U.K., and the U.S.), as well as 142 private security companies, 55 civil society organizations, and 75 “observers” (often private researchers or insurance companies).¹⁵“Members,” International Code of Conduct Association, accessed October 2, 2023, https://icoca.ch/membership/. Since 2015, 33 complaints have been filed against ICoCA member companies, with six companies found to have committed violations. According to the ICoCA website, 22 incidents and 22 complaints have been reported in the last 12 months. This would seem to indicate an increase in awareness and use of the complaints function.¹⁶“Registering a Complaint,” International Code of Conduct Association, accessed February 9, 2024, https://icoca.ch/registering-a-complaint/.

From the beginning, private security companies, civil society organizations and governments were involved in the ICoC process, and the decision-making process required buy-in from all stakeholder

groups. While both the development of the ICoC and the ICoCA strove to take decisions by consensus, in the (very rare) case that consensus could not be achieved, significant support from each stakeholder group was required for a decision to be taken. For example, the ICoCA governance framework was composed of 12 members, four from each stakeholder group. In order for a decision to be approved, this required a minimum of eight votes, with a minimum of two from each stakeholder group. This decision-making formulation, with the possibility of a vote, drove consensus, and encouraged discussions that led to innovative and ultimately effective decisions. Clients of private security companies and subject-matter experts/academics were also included in discussions, particularly in the development of the ICoC, but were not part of the stakeholder pillar voting framework.¹⁷Buzatu, Towards and International Code of Conduct, 46, 55.

Key Takeaways and Recommendations

The successful implementation of the UN Framework for Responsible Behavior in Cyberspace can be significantly enhanced by adopting a model akin to the Montreux Document and ICoCA. This approach would necessitate a multi-stakeholder forum, fostering a collaborative environment for states, private sector entities, civil society, and international organizations. Clients, academics, and other subject-matter experts could also provide useful contributions. Such a platform would not only encourage dialogue but also facilitate the sharing of best practices and experiences. Drawing inspiration from the International Code of Conduct for Private Security Service Providers, a specialized code of conduct tailored for cyberspace actors could be developed. This code would outline responsible behavior and practices in line with international norms, emphasizing the need for a human rights-centric approach in the digital age. Regular review and adaptation of these norms would ensure their relevance in the face of evolving cyber threats and technological advancements.

Accountability and transparency are pivotal in the realm of cyberspace governance, much as they are in the regulation of private military and security companies. Robust mechanisms to monitor adherence to these norms, similar to the third-party audits and assessments used for private security companies under the ICoCA, would be instrumental. For instance, in cases of information communication technology (ICT) incidents, two of the voluntary and non-binding norms for responsible state behavior in the use of ICTs that have been adopted by the UN would benefit from these suggested accountability practices.¹⁸U. N. General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behavior in cyberspace. July 2021. (A/76/135). Official Record. Norms 13 (b) and 13 (h) encourage states to actively participate in information exchange and mutual assistance, in a process organized by a centralized platform with a multistakeholder oversight framework. Moreover, the implementation of the norm that calls to ensure the integrity of the ICT supply chain (which also relates to Norm 13 (i)) and the non-harming of other states’ emergency response teams (Norm 13 (k)) would greatly benefit from enhanced international cooperation and accountability measures that could be provided under such a platform.

Operationalization of the 11 norms for Responsible State Behavior in Cyberspace would be bolstered through a collaborative and multi-faceted, multistakeholder approach, underpinned by the principles of accountability, international cooperation, and human rights. The Montreux Document and ICoCA can serve as inspiration, demonstrating the effectiveness of meaningful multistakeholder engagement and the adoption of a code of conduct in addressing complex security issues. By drawing on these models, the implementation of the norms can be strengthened, ensuring a more secure, stable, and responsible cyberspace for all actors involved.

Notes

• 1
  Federal Department of Foreign Affairs (FDFA), “THE MONTREUX DOCUMENT: On pertinent international legal obligations and good practices for States related to operations of private military and security companies during armed conflict,” August 2009, https://www.montreuxdocument.org/pdf/document/en.pdf.
• 2
  “Independent Research Confirms the Positive Impact of the Montreux Document on the Reduction of PMSC’s Violence against Civilians,” Montreux Document Forum, accessed October 2, 2023, https://www.montreuxdocument.org/news/impactoncivilians.html.
• 3
  Federal Department of Foreign Affairs (FDFA), “THE MONTREUX DOCUMENT: On pertinent international legal obligations and good practices for States related to operations of private military and security companies during armed conflict,” August 2009, https://www.montreuxdocument.org/pdf/document/en.pdf.
• 4
  This is a concern voiced by legal experts and civil society organizations, such as ICT4Peace Foundation.
• 5
  Anne-Marie Buzatu, “Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process,” DCAF, SSR Paper 12, p. 17 (2015).
• 6
  “Montreux Document Forum,” Montreux Document Forum, accessed February 9, 2024, https://www.montreuxdocument.org/.
• 7
  International Code of Conduct Association (ICoCA), “About Us,” accessed September 8, 2023, https://icoca.ch/about; International Code of Conduct for Private Security Service Providers (ICoC), “International Code of Conduct for Private Security Service Providers,” accessed September 8, 2023, http://www.icoc-psp.org/the-code/; International Code of Conduct Association (ICoCA), “Our Standards,” accessed September 8, 2023, https://icoca.ch/our-standards/.
• 8
  Buzatu, “Towards an International Code of Conduct,” 32.
• 9
  “RS 935.411:Ordonnance sur les prestations de sécurité privées fournies à l’étranger,” The Swiss Federal Council, June 2015, https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/cc/2015/451/20230901/fr/pdf-a/fedlex-data-admin-ch-eli-cc-2015-451-20230901-fr-pdf-a.pdf; and “RO 2020 5323: Ordonnance sur les prestations de sécurité privées fournies à l’étranger,” The Swiss Federal Council, November 2020, https://www.fedlex.admin.ch/eli/oc/2020/921/fr.
• 10
  See, e.g., Federal Department of Foreign Affairs (FDFA), “Federal Act on Private Security Services Provided Abroad (PSSA),”https://www.eda.admin.ch/eda/en/home/aussenpolitik/sicherheitspolitik/bundesgesetz-ueber-die-im-ausland-erbrachten-privaten-sicherheit.html.
• 11
  Buzatu, Towards an international Code of Conduct, 60-63.
• 12
  Buzatu, Towards an international Code of Conduct, 45-63.
• 13
  “Independent Research Confirms the Positive Impact of the Montreux Document on the Reduction of PMSC’s Violence against Civilians,” Montreux Document Forum, accessed October 2, 2023, https://www.montreuxdocument.org/news/impactoncivilians.html.
• 14
  Charlotte Penel and Ulrich Petersohn, “Commercial Military Actors and Civilian Victimization in Africa” Journal of Global Security Studies, Volume 7, Issue 1, (March 2022), accessed February 9, 2024, https://doi.org/10.1093/jogss/ogab029.
• 15
  “Members,” International Code of Conduct Association, accessed October 2, 2023, https://icoca.ch/membership/.
• 16
  “Registering a Complaint,” International Code of Conduct Association, accessed February 9, 2024, https://icoca.ch/registering-a-complaint/.
• 17
  Buzatu, Towards and International Code of Conduct, 46, 55.
• 18
  U. N. General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behavior in cyberspace. July 2021. (A/76/135). Official Record.