Companies Can Still Do More to Protect Privacy in Brazil: Internet Lab Releases Fourth "Who Defends Your Data" Report
Internet Lab, the Brazilian independent research center, has published their fourth annual report of “Quem Defende Seus Dados?" (“Who defends your data?"), comparing policies of their local Internet Service Providers (ISPs) and how they treat users’ data after receiving government requests. Vivo (Telefónica) still takes the lead, but Tim is not far behind. Claro/NET (América Móvil), SKY (DirectTV/AT&T), and Oi also show progress compared to 2018’s report.
In this year’s report, all companies, except Nextel, received at least a partial star for providing information on data disclosure to the government. Most of the ISPs have published details on how their users’ data is collected and processed. While Net joined the list in the new report, Algar lost the partial star earned in 2018. Vivo is still the only company to provide a comprehensive transparency report, but SKY and Tim scored partially this time. Brazilian ISPs could certainly do more with regard to transparency reports as well as law enforcement guidelines and user’s notification.
Data processing: Does the ISP provide clear and complete information about the collection, use, storage, processing, and protection of users’ personal data, including how users can exercise their rights (eg: data rectification)? Does the company do it in a user-friendly way?
Data disclosure to the government: Does the ISP clearly inform the rules law enforcement must comply with to access users’ data? Do they publicly commit to disclose subscriber data and internet connection logs only upon a court order or, in the case of subscriber data, upon application by competent administrative authorities? Does the ISP provide information on how it discloses geolocation data?
Defense of user privacy in the courts: Has the ISP judicially challenged abusive data requests and legislation or interpretation that it considers harmful to user privacy?
Pro-user privacy public engagement: Has the ISP engaged in public debates about law bills and public policies that may affect user's privacy, defending projects that aim to advance privacy?
Transparency reports: Does the company publish transparency reports that contain information about how many times governments sought user data and how often the company provided user data to governments?
User notification: Does the company notify the user about data requests by the government?
This year’s report expanded some categories to tighten up the evaluation or to shed light on important information. In addition to comprehensive details about data processing, companies’ policies and contracts should specify how users can exercise their rights, such as to access and rectify their personal data. It also considered whether ISPs provide such information on a specific website section or another user-friendly way. Vivo fully met the new standards, Claro and Net did it partially but still had a high enough score to receive a full star.
Similarly, the report required greater specification for companies’ public guidelines and commitments regarding data disclosure to the government. Vivo was the only one to receive a full star both for strictly identifying the competent authorities allowed to have direct access to subscriber data and requiring a judicial order before handing geolocation data. No other company has specified the grounds under which geolocation data is disclosed to law enforcement authorities. Oi, however, joined Vivo in publicly committing to demand a previous judicial order to hand over connection logs.
Tim was the only ISP to defend pro-user privacy policies in public debates, specially about data protection regulation in Brazil. Yet, in courts, companies’ engagement prevailed. In 2019’s edition, eight out of eleven companies challenged unlawful or disproportionate measures putting their users’ privacy first. This is a steady commitment of Brazilian ISPs that stand out in Internet Lab’s reports. Sadly, the same is not true for transparency reports and user’s notification. Both remain categories that ISPs are reluctant to comply with, despite progress in other countries of the region.
This project is part of a larger initiative across Latin America and Spain. EFF’s Who Has Your Back? has held U.S. internet companies accountable for their privacy policies and practices. Since 2015, EFF’s partners around the world are doing the same and we’ve seen great achievements so far. We’ll keep the pressure on.