What We Look For
The ¿Quién defiende tus datos? reports in Latin America and Spain mainly focus on local and regional Internet Service Providers (ISPs) located in specific countries. However, the reports often include a few bigger, regional players such as Telefónica (Movistar), Millicom, and América Móvil (Claro). These international ISPs hold huge sway and are often subject to different regulatory and structural pressures than their local counterparts.
A lot goes into releasing a ¿Quién defiende tus datos? report. First, experts from local organizations identify key regional ISPs and then sift through their terms of service, privacy policies, transparency reports, and law enforcement guidelines—if they exist. In addition, their experts engage with the companies directly in order to garner more details and feedback related to their policies. This engagement also allows experts to keep tabs on whether companies are fighting for their users in court, Congress, and in public policy debates.
Evaluation criteria are adapted to fit local laws and realities, and companies are granted stars for their best practices. Stars are given based only upon publicly available information that any Internet user can verify.
The evaluation criteria often changes from one country to another. Nonetheless, three main issues dictate the criteria setting: public commitment to comply with privacy guarantees; the adoption of pro-user practices and policies; and transparency. Overall, the criteria evaluates:
- Data Protection: Does the company have a copy of its internet service contract and its data protection policy published on its website?
- Transparency: Does the company have a transparency report?
- User Notification: Does the company notify users about government requests for information?
- Law Enforcement Guidelines: Does the company publish the procedure, requirements and legal obligations that the government must comply with when requesting personal information from its users?
- Commitment to Privacy: Has the company defended privacy and actively protected users' data, either in court or as part of a legislative discussion in Congress?