Panamá’s mobile internet service providers have improved their commitments to transparency and user privacy, according to the new edition of IPANDETEC’s ¿Quien Defiende Tus Datos? (“Who Defends Your Data?”) report. The third edition, published today shows general progress in companies’ data protection policies and their public commitment to assess the legal grounds of law enforcement requests before handing over user data to the authorities. As in the last edition, IPANDETEC evaluated Claro (América Móvil), Tigo (Millicom), Digicel, and Más Móvil in their privacy policies and practices.
Claro made strides compared to previous reports thanks to its parent company, America Móvil’s publication of a global transparency report in 2021. This year, the provider finally received scores for publishing this type of report and for providing some insight about the procedure and legal framework the ISP follows when responding to government requests for user data.
Still, Tigo is once again the best ranked company. It was the only provider receiving full marks in two out of the seven of the report’s categories: judicial authorization and digital security. This year's edition added two new parameters related to digital security. This time, the report checked whether companies have a protocol to inform their customers about data breaches and whether they make available digital security-related content to their users. Only Tigo scored well in these new parameters.
IPANDETEC has also made its evaluation of ISP data protection policies more strict. Now, to earn a full star, companies must provide information on data protection-related rights—known as “ARCO” rights (access, rectification, cancellation, and opposition to data processing)—and how users can exercise them. In this case, Tigo fell short along with Digicel.
All in all, IPANDETEC’s third edition shows a higher level of commitment to user privacy, but the companies’ scores still leave plenty of room for improvement. In fact, we can see Claro and Tigo already performing better elsewhere compared to some of their shortcomings in Panamá's report. For example, while none of them discloses specific numbers for Panamá regarding government requests for user data, Tigo makes this information available in Colombia, as does Claro in Perú and Chile. IPANDETEC’s Quien Defiende Tus Datos series of reports is part of a region-wide initiative, akin to EFF’s Who Has Your Back project, which tracks and rates ISPs’ privacy policies and commitments in Latin America and Spain.
New Report's Highlights
Except for Tigo, all featured companies earned higher scores than in the past for their data protection policies. Now Digicel and Más Móvil publish data protection policies they apply to their telecommunication services in general. Both companies failed in this category in the previous edition since their privacy policies related only to the ISPs’ communication channels (e.g. website and apps). Digicel and Más Móvil disclose the kind of data they collect, but are not specific about how long they keep the data stored. Digicel also fails to provide information about users’ ARCO rights. Finally, IPANDETEC’s report notes that both Digicel’s and Más Móvil’s data protection policies should be easier to find on their websites.
In turn, Claro’s data protection policy is easily accessible, but confusing in its scope. IPANDETEC’s researchers understood it also applies to the company’s services, but this is not as clear as in Más Móvil policy, for example. While Claro already has comprehensive “Privacy/Data Protection Portals” in countries like Brazil and Chile, Panamanian users are still left with an ambiguous privacy policy. Tigo dropped in score from the last edition because its publicly available data protection policy relates only to the ISP’s communication channels.
Claro and Tigo improved their scores for publishing transparency reports through their parent companies, América Móvil and Millicom, respectively. Unfortunately, users can only get access to the reports on the parent companies’ websites, with no link or reference to them in Claro Panamá’s or Tigo Panamá’s sites. Both transparency reports only disclose statistical data on government requests for user information per region, so it is not possible to ascertain the number of requests received in Panamá. IPANDETEC’s study checked whether companies disclose the number of requests received, the number of those that ISPs complied with and the type of requests (interception, access to metadata, etc.). América Móvil publishes the number of data requests received and satisfied for Central America, but the ISP does not provide details about the type of request. Millicom discloses the number and type of government requests received in Central America, but not how many requests the ISP complied with.
As for publishing the procedure and the legal framework the company follows when responding to government requests—their law enforcement guidelines—only Claro earned a partial score in this year's edition for the information provided in América Móvil’s transparency report. Tigo lost the partial star received in Panamá’s previous edition since the company did not go beyond the English-only and non-country specific document already considered in the last report. Nevertheless, Tigo was the only company earning a full star for both publicly asserting that the company requires a judicial authorization before complying with communications interception requests, and for committing to assess requests received vis-à-vis legal safeguards. In general, the report found only the latter commitment in other featured ISPs’ policies.
For the first time, a company opened up to the possibility of notifying its users about government requests seeking their personal information. Más Móvil included a generic statement in its data protection policy saying the company can disclose user data “with or without” notice. This is, however, very far from any real commitment. Claro has already gone further in Chile, reserving the right to notify users about requests from government authorities and developing a notification process for data requests in civil, family, and labor cases. IPANDETEC’s report refutes Claro’s argument that user notification is not allowed as per Panamá’s Law 51/2009.
Finally, all companies earned at least partial scores for their practices in the defense of human rights. The biggest gap in this category is ISPs’ engagement in strategic litigation or the discussion of legislative or policy proposals defending user privacy. Sadly, none has received scores for this parameter.
IPANDETEC’s Quién Defiende Tus Datos series of reports sets the direction of telecommunications privacy in Panamá. A lot of progress has been achieved, but there is still a lot left to improve. This third edition shows paths companies should follow to better protect their users’ rights.