Five years have passed since InternetLab published “Quem Defende Seus Dados?" (“Who defends your data?"), a report that holds ISPs accountable for their privacy and data protection policies in Brazil. Since then, major Brazilian telecom companies have provided more transparency about their data protection and privacy policies, a shift primarily fueled by Brazil’s new data protection law.
InternetLab’s fifth annual report launches today and identifies steps companies should take to protect Brazil’s telecom privacy and data protection. This edition, featuring eight telecom providers for mobile and broadband services, shows Brazilian telecom provider TIM leading the way, with Vivo and Oi right behind. TIM scored high marks for defending privacy in public policy debates and the judiciary, publishing transparency reports, and transparent data protection policies. In contrast, Nextel scored last, as it did in 2019, very far behind the rest of its competitors. Nextel did take a step forward in defending privacy in the judiciary, in contrast to 2019, when it received no stars in any category.
In stark contrast to InternetLab’s first report in 2016, half of the covered providers (Claro, NET, TIM, and Algar) have made significant progress in the data protection category. After being poorly rated in 2019, Algar obtained a full star this year in this category, a positive change as Brazil starts embracing its new GDPR-inspired data protection law.
This year’s report also assessed which companies stood out in publicly defending privacy against unprecedented government pressure to access telecom data during the COVID-19 pandemic. For context, Brazil’s Supreme Court suspended the government's provisional measure 954/2020, which ordered telecom providers to disclose their customers' data to the Brazilian Institute of Geography and Statistics (IBGE) during the health emergency. The court ruled the measure overbroad and found that it failed to clarify the purpose of the request. Oi called upon IBGE to sign a term of responsibility before disclosing the data.
Unfortunately, telecom providers also signed non-transparent data-sharing agreements with states and municipalities to help public authorities fight the COVID-19 pandemic. Here, Vivo and TIM publicly committed in the media that only anonymous and aggregated data, via heat maps and pivot tables, would be shared with the government. In São Paulo, for example, the deal allows public authorities access to a data visualization tool that includes anonymous and aggregated location data to measure the effectiveness of social distancing orders. After a São Paulo court ruled that the agreement should be public, many telecom providers published the relevant policies on their sites, including TIM, Vivo, Claro, NET, and Oi. The companies' policies, however, did not specify the security practices and techniques adopted to ensure the anonymity of the shared data. In the future, companies should publish their policies proactively and immediately, not after public pressure.
Most providers continue to seriously lag on notifying users when the government requests their data. As we’ve explained, no Brazilian law compels either the State or companies to notify targets of surveillance. Judges may require notice, and companies are not prevented from notifying users when secrecy is not legally or judicially required. Prior user notice is essential to restrict improper government data requests of service providers. It is usually impossible for the user to know that the government demanded their data unless it leads to criminal charges. As a result, the innocent are least likely to discover the violation of their privacy rights.
The report also evaluates for the first time if the companies publish their own Data Protection Impact Assessment; unfortunately, none did so. In the face of controversy on the interpretation of laws compelling companies to disclose data to the government, this year's report, for the first time, looks at companies’ transparency regarding their legal understanding of such laws.
Overall, this year's report evaluates providers in six criteria: data protection policies, law enforcement guidelines, defending users in the judiciary, defending privacy in policy debates or the media, transparency reports and data protection impact assessment, and user notification. The full report is available in Portuguese and English. These are the main results:
Data protection policies
Some providers are now telling users what data they collect about them, how long the information is kept, and with whom they share it (although frequently in an overly generic way). In some cases, providers notify users about changes in their privacy policy. Nathalie Fragoso, InternetLab’s Head of Research on Privacy and Surveillance, told EFF:
In contrast to 2016, there has been a significant advance in the content and form of privacy and data protection policies. They are now complete and accessible. However, information on data deletion is often missing, and changes in their privacy policies are rarely proactively reported. While Claro and TIM send messages to their users about their privacy policy changes, Oi only tells users that any change will be available on their website. Far behind is Vivo, which reserves the right to change its policy at any time and does not commit to notifying users of such updates.
The report also sheds light on how providers respond to users’ requests to access their data, and it evaluates the effectiveness of such responses. Nathalie Fragoso told EFF:
We sent requests for our personal data to all the providers surveyed in this report, and gave them one month to respond. Our requests included any information relating to us. All providers, however, comply by disclosing only our subscriber information, except Claro and Oi, who fail to do so. We also learned that Algar and Tim took additional steps to certify the requestor's identity before disclosing the data, a good practice that deserves to be highlighted.
Defending users’ privacy in the media or public policy debates
This year, Quem Defende Seus Dados? assesses if providers defended users’ privacy and data protection in public policy debates or the media. The first parameter evaluates the companies’ public contributions to congressional discussions and public policy consultations around data protection.
Even though Vivo wrote a public submission to the "National Strategy for Artificial Intelligence” consultation, it made no concrete normative or technical proposals to protect its customers. On the other hand, InternetLab found that TIM's policy statements took a clear and robust pro-privacy stand in the same consultation. TIM calls for transparency and explanation of AI systems. It also recommends providing sufficient information to those affected by an AI system to understand the reasons behind its results and to allow those adversely affected to contest them.
Law enforcement guidelines
Most providers seriously lag in publishing detailed guidelines for government data demands. Vivo Broadband and Mobile lead the way in this category; however, none obtained a full star. This category includes five parameters, which you can read about in more detail in the report. Below we summarize two that deserve attention:
Identifying which competent authorities can demand subscriber data without a court order
Brazil's Civil Rights Framework generally requires a court order to access communications data, including location data and connection logs. It makes an exception for "competent administrative authorities" that demand subscriber data when authorized by law. There is controversy about which government officials are included within the term “competent administrative authorities.” Thus, the report focuses closely on whether each company publicly explains its interpretation of this legal term, and if so, how. The report also focuses on whether the companies publicly explain which kinds of data they will disclose without a warrant and which they will only disclose with a warrant.
Vivo Broadband and Mobile are far ahead of the other companies. According to its policies, Vivo discloses subscriber data only upon request from representatives of the Public Prosecutor's Office, police authorities (police commissioners), and judges. Its policies say it makes connection logs and location data available only by court order.
Claro and TIM have mixed results. Claro tells users that it discloses subscriber data to competent authorities but fails to identify them. Likewise, TIM does not pinpoint the competent authorities that it believes can request subscriber data without a court order. However, TIM promises to comply with legislation in making “data and communications” available to “competent authorities.”
InternetLab recommends that TIM expressly identify these authorities. Oi tells users that it shares data with competent authorities and names them. However, the report shows that the company fails to clarify which of the cited competent authorities do not require a court order and which need one. Algar and Nextel scored zero stars for their law enforcement guidelines. There is still much more that all companies can do in this category.
Identifying which crimes justify disclosure of subscriber data without a warrant
As we explained in our legal FAQs for Brazil, authorizes prosecutors and police officers (usually the Chief of the Civil Police) to access subscriber data without a warrant to investigate money laundering and criminal organizations. The Criminal Procedure Code allows equal access for human trafficking, kidnapping, organ trafficking, and sexual exploitation crimes. Unfortunately, police authorities have claimed the power to access subscriber data without a warrant during the investigation of other crimes. As we’ve explained, they improperly assert a general authorization that regulates criminal investigation by the Civil Police Chief.
We are happy that InternetLab challenges erroneous legal interpretation regarding police power by assessing companies’ responses to such requests. Here again, in the face of controversy on the interpretation of the law, InternetLab calls for corporate transparency about the law's interpretations.
InternetLab's results show that NET, Oi Mobile, TIM Broadband, TIM Mobile, Nextel, Algar, and Sky failed to identify the crimes for which competent authorities may obtain subscriber records without a warrant.
Conclusion
Given this year's results, InternetLab encourages companies to improve their channels for data access requests to facilitate full access to one's data. It recommends that companies adopt proactive user notification practices when changing their privacy policies. It also encourages them to publish law enforcement guidelines disclosing all the circumstances in which they disclose subscriber data, location logs, and connection records, and for which crimes. Companies should ensure transparency regarding their legal interpretation of laws compelling them to disclose data to the government. Companies should be clear and precise when dealing with judicial orders vs. administrative requests for data. In the face of exceptional circumstances, such as the COVID-19 pandemic, InternetLab calls upon companies to take an active transparency approach regarding possible collaboration and data sharing agreements with the State, and to ensure that such exceptional measures are carried out in the public interest, limited in time, and proportionate.
Finally, InternetLab encourages companies to publish comprehensive transparency reports and to notify users when disclosing their data upon law enforcement demands. Through the ¿Quién Defiende Tus Datos? reports, a project coordinated by EFF, local organizations have been comparing companies' commitments to transparency and user privacy in different Latin American countries and Spain. Today’s InternetLab report on Brazil joins similar reports earlier this year from Fundación Karisma in Colombia, ADC in Argentina, Hiperderecho in Peru, ETICAS in Spain, IPANDETEC in Panama, and TEDIC in Paraguay. New editions in Nicaragua are on their way. All of these critical reports spot which companies stand with their users and which fall short.