We entrust our most sensitive, private, and personal information to the companies which provide us access to the Internet. Collectively, these companies are privy to the online conversations, behavior, and even the location of almost every Internet user. As this reality increasingly penetrates the Brazilian public consciousness, Brazilian Internet users are justifiably concerned about which companies are willing to take a stand for their privacy and protection of personal data. That is why InternetLab, one of the leading independent research centers on Internet policy in Brazil, has evaluated key Brazilian telecommunications companies’ policies to assess their commitment to user privacy when the government comes calling for their users' personal data.
Their report, “Quem defende seus dados?" ("Who Defends Your Data?"), seeks to create a “race to the top” by encouraging companies to compete for users on the basis of their willingness to stand up for their users’ privacy and data protection whenever possible. Launched today in São Paulo, Brazil, “Quem defende seus dados? is modeled after EFF's US project "Who Has Your Back," created in collaboration with our team. InternetLab has developed its own Brazilian methodology to address the social and legal realities in Brazil. The report promotes transparency and best practices in the field of privacy and data protection, empowering Internet users by educating them about their consumer choices.
“Quem defende seus dados?" assessed the practices and public commitments of the eight largest Brazilian telecommunication and mobile Internet companies: Claro, Net, Oi-Banda Larga Fixa, Oi móvel, TIM, Vivo-Banda Larga Fixa, Vivo Móvel, GVT. InternetLab selected companies that, according to data released by the Brazilian National Telecommunications Agency, each held at least 10% of all Internet access in Brazil—either by fixed broadband or mobile infrastructure. This threshold ensured that the report covered over 90% of mobile and broadband Internet connections in Brazil.
The Methodology
“Quem defende seus dados?" is designed to incentivize companies to adopt best practices by awarding stars for compliance with specific user privacy criteria. InternetLab prepared the evaluation categories and parameters based on the following:
- public commitment to compliance with the law;
- adoption of pro-user practices and policies, and
- transparency about practices and policies.
- Information about data processing: Does the ISP provide clear and complete information about data protection practices?
- Information about data disclosure to government authorities: Does the ISP commit to disclosing account information only to competent administrative authorities? Does it commit to provide connection logs only upon a court order?
- Defense of users’ privacy in the courts: Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?
- Pro-user privacy public engagement: Has the ISP engaged in public debates about bills and public policies that may affect user privacy and defended projects that aim to advance privacy?
- Transparency reports about data requests: Does the company publish transparency reports containing the quantity of government user data requests and the frequency of company compliance with these requests?
- BONUS CATEGORY - User notification: Does the company notify the user about data requests by the government?
You can read the full explanation of each category on InternetLab's site: http://quemdefendeseusdados.org.br/
The companies were given the opportunity to answer a questionnaire, to take part in a private interview, and to send any additional information they felt appropriate, all of which was incorporated into the final report. This approach is based on EFF’s earlier work with "Who Has Your Back?" in the US, although the specific questions in InternetLab’s study were adapted to match Brazil’s legal environment.
The Results
The results show that there is still a lot of room for improvement when it comes to ISPs standing up for user's privacy in Brazil. In general, the contracts and documents which are available to the users are generic and do not provide clear information about practices and circumstances under which user data may be turned over to law enforcement. When it comes to defending user's privacy in court, most of the ISPs seem to have taken steps to challenge laws or question law enforcement practices but there is still much more to be done: TIM was the only company providing evidence that they have challenged abusive requests in court. In terms of taking pro-user privacy public stances, particularly in the recent public consultations regarding the Data Protection Draft Bill and Marco Civil da Internet, companies like GVT and Oi seem to have completely missed the opportunity to stand up for user privacy. The results also indicate a need to work on transparency: none of the ISPs publish transparency reports providing information about data requests or adopt notification policies, giving the user an opportunity to defend the privacy of his/her data. Notification is essential for users to challenge data requests or seek other remedies. Out of the six evaluation categories, TIM earned the most stars (2 and 3/4) and Oi the least (half a star).
For subsequent years and evaluations, InternetLab urges the ISPs to do a better job at communicating their practices and policies, providing users with clear information about the treatment given to personal data and connection logs, as requested by the Marco Civil da Internet, and the ways they deal with court orders and requests from administrative authorities. We also encourage ISPs to be more vocal about their work in standing up for privacy, publishing press releases and other materials about lawsuits challenging laws and abusive requests. Finally, we hope ISPs make a stronger commitment to transparency and include information about data requests in transparency reports.
Moving Forward in Brazil and Abroad
InternetLab expects to release this report annually to incentivize companies to improve transparency and protect users' personal data. This way, all Brazilians will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope the report will shine with more stars next year.
In 2015, EFF joined forces with digital rights groups in Latin America to provide support to each country in releasing its own reports on telecommunication companies' practices. Those reports have now been published by Karisma Foundation in Colombia, Hiperderecho in Peru, and Red en Defensa de los Derechos Digitales in Mexico. Derechos Digitales in Chile and TEDIC in Paraguay are preparing reports for publication. Each digital rights organization also expects to release a report annually.
In general, Latin American telecommunications companies have a long way to go in protecting customers’ personal data and being transparent about who has access to the data. Some multi-national companies provide different protections in different jurisdictions. For example, America Movil’s Mexican subsidiary Telmex published a privacy policy however the language used in the privacy policies is too vague and unclear to earn a star. In Colombia, Claro did publish a privacy policy, but it was hard to find and mostly quoted the law. In Mexico, four telecommunication companies have each earned half a star by publishing a transparency report through ANATEL (Asociación Nacional de Telecomunicaciones). This is an important beginning step. However, America Movil’s Mexican subsidiary Telmex did not. In contrast, none of the Colombian companies published transparency reports.