/Presentation

Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests Tells user about data requests
Show previous researsh result

InternetLab was chosen by the Electronic Frontier Foundation – EFF – to carry out the first edition of  “Who defends your data?”, the Brazilian version of EFF’s project “Who has your back ?”, published in the United States since 2011.

“Who defends your data?” aims to promote transparency and best practices in the field of privacy and data protection by companies that provide Internet access in Brazil, making Internet users aware of policies that affect the protection of their privacy and personal data.  

The evaluation will be carried out on an annual basis. In each and every edition, we will reassess the methodology and the results, to make sure that they reflect the best practices that are within reach of the evaluated companies to defend your data.

/Who we are

InternetLab is an independent research center that aims to foster academic debate around issues involving law and technology, especially internet policy. Our goal is to conduct interdisciplinary impactful research and promote dialogue among academics, professionals and policymakers. We follow an entrepreneurial nonprofit model, which embraces our pursuit of producing scholarly research in the manner and spirit of an academic think tank.

Founded in 1990, the Electronic Frontier Foundation is a leading international non-profit organization that defends digital rights. EFF uses the unique expertise of leading technologists, activists, and attorneys to defend free speech online, fight illegal surveillance, advocate for users and innovators, and support freedom-enhancing technologies.

/Our methodology

How were the evaluated companies chosen?

We chose the Internet Service Providers (ISPs) that, according to data released by the National Telecommunications Agency in October 2016, each held at least 10% of all accesses to the Internet in Brazil – either by fixed broadband infrastructure or by the mobile data infrastructure. This threshold ensured the assessment of companies that account for about 90% of the Internet  connections in Brazil in both types of access.

For  broadband, the following companies fit this filter: NET, Oi and Vivo. For mobile Internet, we selected Claro, Oi, TIM and Vivo. We inserted the results in the table to allow readers to compare performances in the fixed broadband and mobile Internet infrastructures.

How did we come up with the methodology?

Despite being inspired by the U.S. project “Who Has Your Back?”, “Quem Defende Seus Dados?” does not exactly replicate its methodology. That is because Brazil’s social (and legal!) reality is obviously different from the US. From that follows the development of Brazilian categories and parameters.

We prepared the evaluation categories and parameters based on the following perspectives:

  1. public commitment to compliance with the law;
  2. adoption of pro-user practices and policies;
  3. transparency about practices and policies.

We got to the final results as follows:

  1. We checked the first adapted version of the methodology and reapplied it (October and November 2016);
  2. With the preliminary results in hand, we contacted the companies, asking them to send us comments, criticisms or documents on the methods and results (December 2016);
  3. We engaged in dialogue with companies and from their comments, adjusted the methodology and their performance. In this re-evaluation period, categories and parameters were modified as good arguments or practices were exposed by the companies (January to March 2017);
  4. Publication of the results (April 2017).

CATEGORY: Information about data processing

WHAT WE WANT TO KNOW: Does the ISP provide clear and complete information about the collection, use, storage, processing, and protection of user’s data?

What does the Brazilian law say?

Brazilian law (Brazilian Internet Civil Rights Framework, Article 7, sections VI e VIII) establishes the rights of users to clear and complete information about the collection, use, storage, processing, and protection of their personal data, which can only be used for purposes specified in the contracts between companies and its clients, or in the terms of use of internet applications.

Beyond this, when it comes to data protection, article 16 of the n. 8.771/2016 Decree (which regulates some aspects of the Brazilian Internet Civil Rights Framework) also determines that information about security patterns should be released in a clear and accessible manner to anyone who is interested, preferably on their websites.

Thus, in face of these user’s rights, we analysed the contracts of the ISPs and other documents and information available to the public, especially those in the companies’ websites, to check in what level these legal demands are being complied.

It is important to emphasize that the term “data” is used here in a broad sense, encompassing both the account information and records of each Internet connection provided.

What were the evaluation criteria?

(I) The company provides information and clear legal references about data collection, including what data is collected and in which situations the collection occurs;

(II) The company provides information and clear legal references about the use and / or processing of data, including the purposes for which they are used and how this occurs;

(III) The company provides information and clear legal references on storage of data, including how long data are stored, where it is stored and when / if they are deleted;

(IV) The company provides information and clear legal references about data protection, including which security practices are observed in data retention procedures, if there is data anonymization policy and who would have access to the database, also observing what is provisioned in article 16 of the n. 8.771/2016 Decree.

(V) The company provides information and clear legal references on the use of data by third parties, including information about the circumstances under which this would happen and / or the need for customer’s authorization to do so;

(VI) It is easy to access this information on the company’s website.

Performance standards

estrela_4_verde The ISP meets 5 to 6 parameters.

estrela_2_verde The ISP meets 3 to 4 parameters.

estrela_1_verde The ISP meets 2 parameters.

estrela_0_verde The ISP does not meet any or meets only one of the parameters.

CATEGORY: Information about data disclosure to government authorities

WHAT WE WANT TO KNOW: Does the ISP commit to disclose account information and connection logs only upon a court order and, in the case of account information, upon application by competent administrative authorities?

What does the Brazilian law say?

The Brazilian Internet Civil Rights Framework (Article 10, 1st paragraph) regulates when law enforcement authorities may have access to account information and connection logs.

Connection logs can be made available only if the disclosure is authorized by a court order (art. 10, §1º) . Account information can be disclosed directly to administrative authorities, without judicial review, if and when they have the legal competence to request it (art. 10, § 3º). Besides this, article 11 of the n. 8.771/2016 Decree, which regulates some aspects of the Brazilian Internet Civil Rights Framework, determines that the administrative authority should indicate on the requisition the legal grounds of express competence for the access and the motivation for the request to access the account information.

Currently, law enforcement authorities have the right to request account information within the scope of the Criminal Organizations Act and the Money Laundering Crimes Act. In this sense, the more protective interpretation for user privacy considers those as the only two administrative authorities with the legal competence for requesting account information without a court order.  In other cases, a court order is still required for disclosure of account information.

We evaluated whether the ISP, in its contract or any other official document available to the public, makes clear to users the circumstances under which judicial or administrative authorities can have access to their data.

What were the evaluation criteria?

(I) The company promises to disclose account information by direct request only to competent administrative authorities, within the scope of the law that creates their competence.

(II) The company promises to disclose account information, when not excepted, and connection logs, only pursuant to a court order.

Performance standards

estrela_4_verde The ISP meets both parameters

estrela_2_verde The ISP partially meets both parameters.

estrela_1_verde The ISP meets one of the parameters.

estrela_0_verde The ISP does not meet any of the parameters.

CATEGORY: Defense of user’s privacy in the courts

WHAT WE WANT TO KNOW: Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?

The Judiciary is an arena where  Internet users’ rights are protected against abuses and illegal conducts. With this in mind, we evaluated the posture of companies in litigation concerning privacy and data protection.

What were the evaluation criteria?

(I) The company has legally challenged legislation that it considers harmful to Internet users privacy rights, disproportionate and / or not to establish a clear, precise and detailed list of cases and circumstances in which information must be delivered or adequate safeguards to prevent abuse (Example:. articles 15, 17 and 21 of the Criminal Organizations Act);

(II) The company has legally challenged abusive requests for access of user’s data who exceed the legal prerogatives of the authority making the request, that are disproportionate because of its lack of clarity and precision of data required and motivation or for any other reason that compromise the privacy rights of users.

Performance standards

estrela_4_verde The ISP meets both parameters. 

estrela_2_verde The ISP meets one of the parameters.

estrela_0_verde The ISP does not meet any of the parameters.

 

CATEGORY: Pro-user privacy public engagement

WHAT WE WANT TO KNOW: Has the ISP engaged in public debates about law bills and public policies that may affect user’s privacy, defending projects that aim to advance privacy?

It is very important to know the positions adopted by the companies regarding users’ privacy and data protection rights. This category aims to evaluate the participation of ISPs in public debates regarding bills and public policies that may impact those rights.

We only considered the contributions made by ISPs individually and not by associations that some ISPs may be a part of — such as the SindiTeleBrasil — as we believe that the company’s public institutional positioning is essential to generate a commitment with their users.

What were the evaluation criteria?

(I) The company has participated individually in any public debate that affects the right to privacy, such as in discussions about the n. 5276/2016 Draft Bill, n. 4060/2012 Draft Bill (and attachments, like the n. 5276/2016 Draft Bill), Draft Bill n. 1331/2015,  Senate Draft Bill n. 180, Draft Bill n. 6726/2010, Draft Bills n. 5074/2016, Draft Bill n. 3237/2015 and the National Plan for the Internet of Things.

(II) The company has participated individually in any public debate, such as in discussions about the n. 5276/2016 Draft Bill, n. 4060/2012 Draft Bill (and attachments, like the n. 5276/2016 Draft Bill), Draft Bill n. 1331/2015,  Senate Draft Bill n. 180, Draft Bill n. 6726/2010, Draft Bills n. 5074/2016, Draft Bill n. 3237/2015 and the National Plan for the Internet of Things, and argued for the enactment of a data protection framework.

(III) The company has participated individually in any public debate cited above and argued for the adoption of data security techniques (ex: anonymization, encryption, privacy and security by design).

(IV) The company has participated individually in any public debate cited above and argued for data protection principles that are well-established internationally (eg: prior consent, purpose limitation, necessity, etc.)

Performance standards

estrela_4_verde The ISP meets  all parameters.

estrela_3_verde The ISP meets 3 parameters.

estrela_2_verde The ISP meets 2 parameters.

estrela_1_verde The ISP  meets 1 parameter.

estrela_0_verde The ISP does not meet any of the parameters.

CATEGORY: Transparency reports about data requests

WHAT WE WANT TO KNOW: Does the company publish transparency reports that contain information about how many times governments sought user data and how often the company provided user data to governments?

Transparency reports are statements issued by companies containing a variety of statistics related to data requests. Internet companies around the world have increasingly adopted the practice of publishing transparency reports to inform how and when the companies cooperate with the government, in general because compelled by law, by disclosing information that may be used as evidence in civil and criminal cases. It is already an established best practice among international Internet companies such as Google, Facebook, Twitter, and Microsoft and ISPs such as Vodafone and Verizon. In Brazil, this practice has not gained traction yet.

ISPs  are not under any obligation to produce transparency reports in Brazil, but the publication of statistics, aggregated data about requests and disclosures, is not forbidden either. Therefore, there is a window of opportunity for showing that ISPs are concerned about building trust in their relationships with customers, based on transparency, and contribute to the public debate about the prerogatives of accessing user data by public authorities.

Article 12 of the n. 8.771/2016 Decree  creates an obligation of publicizing statistics similar to those quoted above (number of requests by requesting authorities, etc.) to agencies of the federal public administration, which stresses the importance of developing a culture of transparency on data requests in the country. We believe that the private sector can voluntarily undertake this agenda. In testimonies to Parliamentary Committees, companies have already mentioned the greatness of the number of requests they receive, and the National Association of Cell Phone Operators (ACEL), manifesting itself on the Direct Action of Unconstitutionality 5063, affirmed that there are abuses by public authorities, like unfounded requests. Within this context, the creation of periodic monitoring channels disclosing this information to users, such as through transparency reports, becomes all the more important.

What were the evaluation criteria?

(I) The company publishes transparency reports informing about the collaboration with governmental authorities;

(II) The company publishes transparency reports informing about the collaboration with governmental authorities, stating: (i) the quantity of requests and disclosures classified by data type (whether it concerns account information or connection logs); (ii) the quantity of requests and disclosures classified by which governmental authority made the request; (iii) the quantity of requests and disclosures classified by the motivation alleged by the governmental authority (production of evidence in civil, criminal, or administrative cases etc).

Performance standards

estrela_4_verde The ISP meets the second parameter.

estrela_2_verde The ISP meets the first parameter.

estrela_0_verde The ISP does not meet any of the parameters.

 

CATEGORY: User notification

WHAT WE WANT TO KNOW: Does the company notify the user about data requests by the government?  

When users are told that their account information or Internet connection records were demanded by administrative or judicial authorities, there is an expansion of opportunities to effectively exercise their rights of defense against abuse and irregularities.

The powerful impact of notifications to guarantee an effective defense in the rule of law is not a new idea. In light of the constitutional principle of due process, many laws establish the obligation to notify persons about measures that affect their rights. Pursuant to the Brazilian Code of Criminal Procedure, for example, when the judge receives a request for injunctive enforcement against anyone, she must warn the affected party about the request, so he presents his arguments (art. 282, § 3).

In the context of data requests, Internet providers gain an essential role in protecting procedural safeguards of the affected users. That is because the notification by the company enables the user to challenge illegal requests – both unsubstantiated court orders, and requests from administrative authorities without competence and justification. As it is now, the user depends on the challenges made by the companies themselves against requests that they consider abusive. If notified by companies, users gain, at the earliest opportunity, the ability to defend themselves against potential violations of their privacy.

With this in mind, we think it is important to encourage the practice of user notification through the QDSD project. In cases of data requests not accompanied by obligation of confidentiality, notification is, given the absence of legal prescription to the contrary, permitted by Brazilian law.

The possibility of user notification can be glimpsed, for example, not only in cases of requests for data in civil procedures, but also in connection with requests made by other government agencies, such as the Brazilian IRS or ANATEL. Even in the context of criminal proceedings, notification prior to the data disclosure can be seen as permitted as a rule, provided there is no confidentiality requirement, in respect to the constitutional principles of legal defense and contradictory. It strengthens the possibility of legal challenge to the production of evidence irrelevant to the facts of the case.

In this edition, we decided this category would be a “bonus” because the notification is neither a legal duty imposed to companies nor a widespread practice in the country. It is a measure seen as groundbreaking and, because it requires a staff dedicated to the notifications, costly for companies. For those reasons, its adoption would reveal a special commitment to advancing the protection of users rights, especially worthy of being noted. The user notification, at the first legally possible opportunity, and preferably prior to the disclosure of data, collaborates with the principles of legal defense, and fosters a culture of privacy protection.

What were the evaluation criteria?

(I) The company promises to notify the users before complying with requests for account information data and connection logs in the cases not prohibited by legal confidentiality, or to issue a notification as soon as legally possible.

Performance standards

estrela_4_verde The ISP meets the parameter.

estrela_0_verde  The ISP does not meet the parameter.

/Our Sources

When applying the methodology, we looked at model contracts (available on the companies’ websites), press releases (also available on websites), and official public statements, in written form, of the evaluated companies. They were the only material evidence available to assess the terms according to which their Internet service is offered to their customers. No relevant information was found in terms of use or pages called “Privacy Policy”, which refer to the use of their websites.

/Results 2017

Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests Tells user about data requests
Show previous researsh result

CLARO

CATEGORY: Information about data processing

Result: estrela_1_verde

Claro got ¼ star, as it fulfilled two parameters and a half: partially to parameter I and fully to parameters V and VI.

Regarding parameter I, it is important to highlight that the information provisioned in the contract are explicitly only about account information. In item 14.7 of the service contract on the “prepaid mode”, the company affirms that upon hiring the service and receiving the access code, the customer would authorize the disclosure of their account information to the administrative entity, without mentioning the eventual collection of other types of data.

Clause 14.7. Once requested by the SUBSCRIBER the Portability Access Code and met the requirements and commercial terms established for such, SUBSCRIBER authorizes in advance, providing your registration information to the “Managing Entity” and the “Provider Giver” thus defined by ANATEL in order to allow completion or not of their portability request.

We did not find the information evaluated in parameters II, III and IV (use, storage and data security).

As for parameter V, item 15.6 affirms that all customer information are confidential and can only be disclosed (i) to the subscriber; (ii) to the representative with specific power of attorney; c) the judicial authority; and d) the other Providers of Telecommunications Services for specific purposes of providing these services.

Clause 15.6. All SUBSCRIBER’s registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with specific power of attorney; c) the judicial authority; and d) the other Providers of Telecommunications Services for specific purposes of providing these services.

As for parameter VI, it is easy to find the contract in the company’s website, on the bottom of the site’s homepage.

For future editions, it is worth emphasizing that despite the primary research source being the contracts, any public source of information is considered for evaluating the compliance with the parameters. For example, on this address http://www.claro.com.br/segurancadainformacao the company has a section in which it informs customers about information security issues and fraud prevention. In the same sense, the company could spread their policies and efforts for protecting their users’ privacy.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_1_verde

Claro got ¼ star, as it minimally met parameters (I and II).

In contracts, Claro is not clear when differentiating the processing of account information and connection logs, dealing only with “the subscriber registration information” that, in the prepaid mode, can be provided to judicial authorities and, in the postpaid mode, to “public authorities”.

Prepaid mode:

Clause 15.6. All SUBSCRIBER’s registration information is confidential and may only be provided to: a) the SUBSCRIBER; b) the representative with specific power of attorney; c) the judicial authority; and d) the other Providers of Telecommunications Services for the specific purpose of providing these services.

Postpaid mode:

Clause 15.6 All information regarding the SUBSCRIBER which are part of the CLARO registration are confidential and will only be provided to these people and in these situations: a) the SUBSCRIBER; b) the SUBSCRIBER’S legal representative with specific power of attorney; c) attorney or specialized agency, hired by CLARO for collection purposes; d) due to determination of a public authority; e) other telecommunications service providers for the specific purpose of providing these services.

The contract language reveals that there is a certain transparency to the customer about the deliver of data to government authorities. For not clarifying the adopted interpretation on the extension of the account information disclosure without judicial order, nor clarifying the processing of connection logs, it was considered that the company partially complies with two parameters.

For future editions, it is worth emphasizing that despite the primary research source being the contracts, any public source of information is considered for evaluating the compliance with the parameters. For example, on this address http://www.claro.com.br/segurancadainformacao the company has a section in which it informs customers about information security issues and fraud prevention. In the same sense, the company could publicize their adopted procedures and interpretations when evaluating the legality of requests for internet users’ data.

The legislation grant a differentiated juridical treatment to account information and connection logs. Account information can be requested without judicial order to the competent administrative authority. Nowadays, these are the police authorities and agents of the Public Prosecutor Office in the scope of the laws of Criminal Organizations (Law 12.850/13, arts. 15 e 17) and Money Laundry (Law 9.613/99, art. 17-B, added by Law 12.683/12). Connection logs, however, can only be delivered before a court order: they cannot be delivered to administrative authorities before a mere requisition.

The customer without technical knowledge doesn’t know which are the “competent authorities” (Judiciary? Police? ANATEL? Federal Revenue? Public Prosecutor Office?) nor the conditions (Judicial order? Mere request?) in which they can access their data. The juridical language is difficult and the Brazilian Internet Civil Rights Framework itself indicates that the companies should provide clear information to their customers.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_4_verde

Claro got a full star, as it fulfilled parameters I and II.

Last year, Claro achieved ½ star, as it challenged though a direct action of unconstitutionality (ADI 5063), together with other ISPs, via the ACEL (National Association of Mobile Operators), articles of the Criminal Organizations Act (Law n. 12.850/13) in the Supreme Court. The action proposed by ACEL was considered as, according to constitutional rules, it is not possible to file this kind of measure individually.

In September 2016, ACEL once again petitioned the Supreme Court to reaffirm the need of granting a preliminary injunction to suspend the juridical effects provisioned in article 15, 17 and 21 of the Criminal Organizations Act until the trial of the merit, since, according to the Association, this law has encouraged several abuses by public authorities. In the complaint, it denounces that beyond the emptying of the constitutional protection to the confidentiality of the communications and the privacy of all Brazilian citizens,  this scenario has seen several repressive actions (administrative authorities who want to criminally prosecute employees of the companies responsible for denying data requests), diverse undiscriminated requests, etc.

We also found in a news article that Claro would have denied, in a judicial action, to deliver the account information from users whose chip were seized during arrests and house searches made by the Federal Police. According to the article, the company would have filed an action in the judiciary, arguing that in that episode there wasn’t a judicial determination and, thus, it had the duty to protect its users’ privacy. A decision of the 3rd Federal Regional Court verifies that the company effectively acted in this sense. With this, it got the full star.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2_verde

Claro got ½ star, as it fulfilled parameters I and III.

We found contributions to the public consultation about the National Plan for the Internet of Things.

The company stood by the importance of information security techniques in item 11 (Security and Privacy), but also argued about the lack of necessity for more rules about privacy and personal data protection:

  • “The risks associated with the use of IoT are not restricted only to the Internet connection, although the probability is considerably potentialized by its capillarity and geographic dispersion. The cybernetic risks associated to the IoT are also extended to private networks due to the existence of countless access vectors that can be used as entrance point in an invasion. In this context, it is really important that the security is enforced in diverse layers, through the combination of the diverse tools available (data cryptography, software update, antivirus update, access authentication and others.”
  • “We verified that such processing limitations happen majoritarily in low-cost devices, whose processors tend to be less potent. This scenario becomes quite different when we analyse more advanced devices that support cryptographic algorithms without major issues. In any way, it is important to keep in mind that not every data is confidential and needs to be encrypted. The security model should consider the data’s nature and the necessary degree of confidentiality necessary for each information. In this context, other protection techniques can also be adopted, such as: masking and toking data. In short, each project should balance the more adequate solution in function of the information’s risk degree and the life-span of the devices.”
  • “The sector’s standpoint is that there are already effective rules in the Brazilian law to guarantee the security and privacy of the M2M/IoT service users. The users of the M2M/IoT ecosystem are protected by the whole Brazilian system of law, which has effective rules when it comes to security and privacy. Nowadays, the current Brazilian legislation is going through a reviewing, analysis and perfectioning period in a way that the whole M2M/IoT has its privacy, viability and juridical security safeguarded. In this way, there will be the need to follow some initiatives in the Congress that deal with the treatment to be enforced to personal data, aiming to avoid that these legislations turn the development of M2M/IoT applications/solutions unviable.”

CATEGORY: Transparency reports about data requests

Result: estrela_0_verde

Claro did not get a star, because it did not meet any of the parameters.

The América Móvil group, of which Claro is a part, publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

CATEGORY: User notification

Result: estrela_0_verde

Claro did not earn a star, because it did not meet the parameter.

We did not any mentions about user notification mechanisms in the materials consulted in cases of requests by government authorities in which the confidentiality is not imposed by law.


NET

CATEGORY: Information about data processing

Result: estrela_0_verde

NET did not get a star, because it did not meet any of the parameters. On the contrary of what happened last year, the contract does not have any information about the processing of customer’s personal data and it was not possible to find any other kind of information on the website that could replace those suppressed from the contracts.

In the contract, the company refers to the ANATEL provisions that have rights and establish duties:

Clause 35.02. The rights and duties of the multimedia communication service subscribers are provisioned in articles 56, 57 and 58 of ANATEL’s 614/2013 Resolution. The rights and obligations of the PROVIDER are provisioned in articles 41 to 55 of the same Resolution.

Several of these provisions have implications for the companies’ privacy policies. In this sense, InternetLab understands that the company may prefer to not include extensive legal provisions in contracts. At the same time, however, we understand that the company cannot omit itself form informing customers about their policies on collection, use, storage, security and sharing of personal data, which can be more detailed and extensive.

The sole parameter that the company reached was the one of ease of access to the contract on their website (IV), whose reference is at the bottom of NET’s homepage (http://www.netcombo.com.br), on the item about contracts and regulations. In this way, customers should not have many difficulties to find this kind of information. But reaching one parameter is not enough to earn an award.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_1_verde

NET got ¼  star, because it partially fulfilled parameter (I). In clause 28.01 of the contract, it affirms that, in the hypothesis of harmful practises mentioned in this same document, it can make any and every information about the subscriber available at anytime to the competent authorities, as well as cancelling their account automatically, without previous warning.

Clause 28.01. Without damage to other unmentioned practises, these are considered harmful practices to the NET VÍRTUA service and/or to other SUBSCRIBERS, subjecting the infractor to all legal sanctions that may occur, including contract rescission:

The SUBSCRIBER will be responsible for maintaining the configurations of the machine for accessing the services here hired, being forbidden to alter these configurations in attempt to responsibilize third parties or hide the identity or authorship. In the hypothesis of occurrence of the cases here mentioned, the PROVIDER can make any and every information about the subscriber available at anytime to the competent authorities, as well as cancelling their account automatically, without previous warning, as the SUBSCRIBER will be civil and criminally liable for the acts practised;

The writing of the provision makes it seem as if there is only the deliver of data to authorities when the user incurs in harmful activities to the company, which is not the case in reality. Thus, there is space for improvement.

Still on this aspect, it is worth mentioning that the company refers to ANATEL provisions that have rights and establish duties:

Clause 35.02. The rights and duties of the multimedia communication service subscribers are provisioned in articles 56, 57 and 58 of ANATEL’s 614/2013 Resolution. The rights and obligations of the PROVIDER are provisioned in articles 41 to 55 of the same Resolution.

Among the companies’ duties imposed by ANATEL’s resolutions, is the one of safeguarding the confidentiality of customer’s information and collaborating with authorities in the form of law.

However, NET does not inform their customers in a clear manner of what types of data it delivers and in which circumstances. There are diverse legal nuances on this topic and the transparency about the procedures and interpretations adopted by the company is important.

Information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant a court order. They can not be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge neither knows who the “competent authorities” (Judiciary? Police? ANATEL? IRS? Prosecutor?) are nor the conditions (court order? mere request?) that afford access their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

In future editions of the project, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the existing legal nuances. It will be necessary to make clear what types of data NET discloses under what circumstances.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_0_verde

NET did not get a star, because it did not fulfill any of the parameters.

We did not find any legal case in which NET challenges legislation. Nor did we find cases in which it defends users from abusive data demands. InternetLab was also not provided with information of this nature when it engaged with the company. So, for lack of material evidence, it was considered that NET does not meet the parameters.

It is worth mentioning that, unlike the other analyzed companies that received credit for fulfilling parameter (I) for challenging articles of the Criminal Organizations Law (Law No. 12.850 / 13), NET is a broadband Internet provider. The constitutional complaint in question was brought by a collective of mobile operators, which are also mobile Internet providers. NET is, however, also affected by the obligations of this law, fact that could have given it reason to challenge it.

CATEGORY: Pro-user privacy public engagement

Result: estrela_0_verde

NET did not get a star, as it did not meet any parameter.

In several opportunities during the year, ISPs had the opportunity to manifest themselves about public policies and draft bills that affect the users’ privacy and data protection. After conducting searches on the specialized press, traditional media and the companies’ press rooms, we did not find any material in this sense signed by NET. In the phase of engaging with the companies, we asked that, in case they had participated in events or public debates about these topics and, in them, manifested themselves in favor of the users’ privacy (data storage, access to data, etc), to inform us with the indication of the respective documents and/or public records of the referred participation, so that we could consider this fact in our evaluation. NET, however, did not collaborate with the project.

It’s important to mention that we are aware of the fact that NET has Claro S.A as its merger, which was awarded in this category for the participation in the consultation for the National Plan for the Internet of Things. However, we do not consider Claro S.A’s contributions as representatives of NET in this category because, in the public presentation, the companies disassociate their images and activities.

CATEGORY: Transparency reports about data requests

Result: estrela_0_verde

NET did not get a star, because it did not meet any of the parameters.

The América Móvil group, of which NET is a part, publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

CATEGORY: User notification

Result: estrela_0_verde

NET did not get a star, because it did not meet the parameter.

We did not find any mentions in the consulted material about user notification mechanisms in cases of demands by government authorities in which the confidentiality is not enforced by law. 


Oi

CATEGORY: Information about data processing

Oi – Fixed broadband

Result: estrela_1_verde

Oi got ¼ star, since it partially fulfilled parameters (II) and (IV) and fully parameter (VI), totalling 2 parameters.

Regarding parameter II, in the contract, the company states that the client’s is entitled to the respect of their privacy and the use of their personal data, except in the legal cases of breach of confidentiality. InternetLab did not consider this information complete enough to meet any parameter:

Clause 8.9. (…) as well as the respect to their privacy in these documents and in the use of their personal data by Oi, except in the legal cases of breach of confidentiality established by constitutional law.

Regarding parameter IV, in the Information Security Policy, in the Code of Ethics and Acceptable Use, Oi gives some brief information about the company’s and employees’ security protocols to deal with data.

Lastly,, the access to the contracts in Oi website (http://www.oi.com.br/) is easy, which fulfills the parameter (VI).

Oi – Mobile

Result: estrela_0_verde

Oi Mobile did not get a star, since it only partially fulfilled parameter (VI) and fully parameter (VI), totalling ½ parameter.

The justifications for parameters IV and VI are the same for Oi Broadband. The difference is that it did not fulfil parameter II, since in the analysed contract it was not possible to find information about data processing.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_0_verde

Oi did not get a star, since it did not fulfil any of the parameters.

In the engaging phase, the company explained to us a little bit more about their process of analysing data requests by government agents, even though we could not find public references about it, which prevents us from giving Oi a positive evaluation in this category. InternetLab thanks the engaged participation of Oi and encourages the company to publicize the procedures and interpretations that it adopts when assessing the legality of internet users’ data requests.

Information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant a court order. They can not be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge neither knows who the “competent authorities” (Judiciary? Police? ANATEL? IRS? Prosecutor?) are nor the conditions (court order? mere request?) that afford access their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_4_verde

Oi got a full star, as it fulfilled both parameters.

Last year, Oi got ½ star in this item as it fulfilled parameter I, since it challenged by direct action of unconstitutionality (ADI 5063), together with other ISPs through the ACEL (Nacional Association of Mobile Operators), articles in the Criminal Organizations Act (Law 12.850/13) in the Brazilian Supreme Court. We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law.

In September 2016, ACEL once again petitioned the Supreme Court to reaffirm the need of granting a preliminary injunction to suspend the juridical effects provisioned in article 15, 17 and 21 of the Criminal Organizations Act until the trial of the merit, since, according to the Association, this law has encouraged several abuses by public authorities. In the complaint, it denounces that beyond the emptying of the constitutional protection to the confidentiality of the communications and the privacy of all Brazilian citizens,  this scenario has seen several repressive actions (administrative authorities who want to criminally prosecute employees of the companies responsible for denying data requests), diverse undiscriminated requests, etc. Thus, it continues to fulfill this parameter in this edition.

Regarding parameter II, in the engaging phase, Oi presented to InternetLab material evidences of cases it defended users from requests that it considered abusive.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2_verde

Oi got ½  star,  since it met parameters I and III.

We found positionings of the company in the public consultation about the National Plan for the Internet of Things.

The company stood by the importance of information security techniques on item 11 (Security and Privacy) and defended the importance of having robust provisions that can support forms of  complex cryptography and the indispensability of this mechanism for the defense of the users’ privacy, but it also argued for the lack of necessity for more rules on the protection of privacy and personal data:

  • Cryptography is really fundamental and indispensable for the privacy of data sent through IoT devices. Many of these devices are built aiming aiming a low energy consumption with the purpose to increase their batteries lifespan and, with that, end being too “compact” to the point of making the use of robust cryptographic solutions difficult. We understand that, during the phase of designing the solution, the computational power necessary to support safe and current cryptography protocols should be guaranteed, as well as the capacity of updating and especially of randomizing keys. (p.29)
  • To protect the user’s intimacy, in any of the mentioned profiles, the current law system should be used, which protects the individual in all forms, including in what refers to intimacy, privacy and security. (p. 30)
  • Therefore, the currently existing normative framework already contemplates provisions that assure in a balanced and efficient manner the security of the citizens in digital environments. The existence of an excessive numbers of rules and norms that guide the relations in this ecosystem can represent a limitation of the evolutive process of the digital economy and of the innovations that can bring benefits to all society, at the same time that they don’t mean a better protection to the right of individuals. (…) eventual abusive use of IoT will be naturally eliminated, whether by users, by the Judiciary or by the companies themselves, with self-regulamentation. (p. 31)
  • Any additional law or regulation that appears should have in sight that the creation of limiting rules may hurt one of the main values fostered by the digital economy which is freedom, and for this it should adopt a more principiological character. (p. 31)

CATEGORY: Transparency reports about data requests

Result: estrela_0_verde

Oi did not get a star, because it did not meet any of the parameters.

Oi publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

CATEGORY: User notification

Result: estrela_0_verde

Oi did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mentions about user notification mechanisms in cases in which there are no confidentiality requirements.


TIM

CATEGORY: Information about data processing

Result: estrela_2_verde

TIM Broadband

TIM Broadband got ½ star, as it fulfilled the parameters of providing information about the purpose of using data (V) and of ease of access to the information (VI) and partially to the parameters about information of usage (II) and data security (IV), totalling the fulfilling of three parameters.

The company does not provide information or complete legal references about any collected data (I).

For parameter II (data processing and use), in Clause 3.1 (r) affirms that TIM’s obligation are strictly to zeal for the inherent confidentiality to the telecommunication services and for the subscriber’s data and information confidentiality, using all means and technology needed to assure this users’ right. Clause 4.2 (e) affirms that inviolability and confidentiality of communication are customer’s rights, if respected the hypotheses and constitutional and legal conditions  for breach of secrecy of telecommunications and the activities of intermediation of communication of people with disabilities, in the terms of the regulamentation; item (j) highlights that the company respects the user’s privacy in the collecting documents and in the use of their personal data by the provider.

Clause 3.1 (r) : TIM’s obligation are strictly to zeal for the inherent confidentiality to the telecommunication services and for the subscriber’s data and information confidentiality, using all means and technology needed to assure this users’ right.

Clause 4.2 (e) the inviolability and confidentiality of communication are customer’s rights, if respected the hypotheses and constitutional and legal conditions  for breach of secrecy of telecommunications and the activities of intermediation of communication of people with disabilities, in the terms of the regulamentation; item (j) the respect of the user’s privacy in the collecting documents and in the use of their personal data by the provider.

Beyond this, in the Sustainability Report, it is affirmed that the access to account informations and communication data of users will be allowed only to collaborators who need to access these information for professional activities.

In spite of this, as there is no complete information on how the company uses and processes the collected data, the fulfilling of parameter II is only partial.

There is no information about data storage (parameter III).

Regarding parameter IV, the company partially fulfills it as it states in the Sustainability Report that, in the scope of security, it follows the best practises in the market, according to ISSO 27001 (although they do not have the certification). As the customer needs to find the sustainability report, read it and understand the mentioned certification, the fulfillment was considered partial. Article 16 of the 8.771/2016 Decree speaks on “clear and accessible divulgation, preferably through their websites on the internet”.

Lastly, regarding VI, there is an ease of access to information, since the website is concise and it is possible to access the contracts and terms of service at the bottom of each service option’s page.

TIM Mobile

TIM Mobile also got ½ star, as it fulfilled the parameters of providing information about the purpose of using data (V) and of ease of access to the information (VI) and partially to the parameters about information of usage (II) and data security (IV), totalling the fulfilling of three parameters. The previous observations are also valid here.

For parameter II, it’s worth mentioning the Clause 3.3G of the prepaid plan (same terms in clause 3.5F of the postpaid), in which rights as inviolability and confidentiality of communication are stated to the customer, if respected the legal hypothesis of breach of secrecy and safeguarded the hypothesis of availability of information, exclusively to statistical purposes, supplying information and legal references about the use of the data.

Clause 3.3g prepaid and 3.5 postpaid: The rights established in the SMP Regulation are assured to the CUSTOMER, such as inviolability and confidentiality of communication, if respected the hypotheses and constitutional and legal conditions  for breach of secrecy of telecommunications and safeguarded the hypothesis of availability of information, exclusively to statistical purposes.

Like in the previous item, this information about data use is not considered complete and for this the fulfillment of parameter II is only partial.In the company engaging phase, TIM asserted that it should receive a full star on this category. This is because the absence of administrative procedures of the regulating authority against the company testify for its legal compliance situation. As InternetLab requested, the link to access the company’s Privacy Policy was supplied.

Despite praising the company’s engagement with the project, InternetLab understands that the company did not present enough reasons to alter their evaluation in this category. We understand that QDSD is a project that commends companies that adopt the best practices in protecting their customer’s data when complying with legal obligations, as it is the case when they inform in an accessible, didactic and complete manner  about how they process account information. Besides, InternetLab highlights that the Privacy Policy indicated by the company deals with data generated in the navigation of TIM’s website, and not with the policy adopted for data processed in the provision of the internet access service offered to their clients.

CATEGORY: Information about data disclosure to government authorities

TIM Broadband

Result: estrela_1_verde

TIM Broadband got ¼ star, since it minimally fulfilled parameter I.

In Clause 14.01 (g) of the contract, TIM Broadband affirms that it may provide to the competent authorities any and every information about the subscriber who engages in illicit activities:

Clause 14.1 (g) the contract can be unilaterally extinct by TIM in case the use of the service for the practise of criminal acts is proven, notably in crimes against children and adolescents provisioned in the Child and Adolescent Statute (ECA) and other applicable legislation, safeguarding TIM’s right to seek an eventual indemnity for losses and damages in face of the customer in case it is sued by harmed third-parties, in the scope of civil or criminal demands that evoke liability through the practice of such offensive acts, including being available to TIM to provide all of the customer’s account information to the judicial authorities in the form of the law 12.965/2014 for the ascertainment of the illicit and the due responsibilization of the author of the offenses. (our highlight)

In the sustainability report, there is a similar indication:

The information on account data and telephonic communications are provided to the authorities exclusively in the cases provisioned in the current legislation (p. 30).

However, what kinds of data and in which circumstances the delivery happens are not clear, that is, what are the procedures and interpretations adopted by the company. About this, the same consideration made for TIM Mobile is fitting.

TIM Mobile

Result: estrela_3_verde

TIM Mobile got ¾ star, since it partially fulfilled two parameters.

The contracts analyzed adopt the following language:

Postpaid mode:

Clause 10.12. TIM will provide secret and confidential treatment to CLIENT’s data and communications, being allowed disclosure in case of demand of a competent authority.

Prepaid mode:

Clause 10.4 TIM will provide secret and confidential treatment to CLIENT’s data and communications, being allowed disclosure in case of demand of a competent authority.

In the sustainability report, there is a similar indication:

The information on account data and telephonic communications are provided to the authorities exclusively in the cases provisioned in the current legislation (p. 30).

Despite affirming that it only surrenders “data” in case of demand from the competent authority, the company omits itself from precisely indicating what the category aims to evaluate: if the company is compromised to deliver connection logs and account information before a court order, exceptionally without court order, only for the competent authorities. For this criterion, it is important that the company assumes a public commitment with the protection that it grants these different kind of dta. For this, it did not get a full star.

In this first edition of QDSD, InternetLab considered that the term used (“competent authority”) is generic enough to indicate that data may be disclosed both to judicial authorities and administrative authorities, when they are competent to make the request.

However, we emphasize that the wording adopted does not make clear the fact that account information and connection logs are treated differently by the law. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant a court order. They can not be directly disclosed to administrative authorities upon mere request.

A client without technical knowledge neither knows who the “competent authorities” (Judiciary? Police? ANATEL? IRS? Prosecutor?) are nor the conditions (court order? mere request?) that afford access their data. The legal language is arid and the Marco Civil sets forth that companies should provide clear information to their customers.

As we stated in the first edition, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the existing legal nuances. It will be necessary to make clear what types of data TIM discloses under what circumstances.

In the engaging phase, TIM contested the evaluation, requesting a review of the score because there isn’t a distinct treatment for “connection logs” in the sectoral legislation. InternetLab, however, did not understand the need for reviewing the evaluation, as the company is, indeed, subdued to the Brazilian Internet Civil Rights Framework and the other aforementioned laws.

CATEGORY: Defense of users’ privacy in the courts

Results: estrela_4_verde

TIM got a full star, since it fulfilled two parameters.

Last year, TIM got a full star, since it challenged by direct action of unconstitutionality (ADI 5063), together with other ISPs through the ACEL (National Association of Mobile Operators), articles in the Criminal Organizations Act (Law 12.850/13) in the Brazilian Supreme Court. We considered this collective contribution through ACEL because, under the terms of the Brazilian Constitution, the ISP could not individually go to the Supreme Court to contest the constitutionality of a law.

In September 2016, ACEL once again petitioned the Supreme Court to reaffirm the need of granting a preliminary injunction to suspend the juridical effects provisioned in article 15, 17 and 21 of the Criminal Organizations Act until the trial of the merit, since, according to the Association, this law has encouraged several abuses by public authorities. In the complaint, it denounces that beyond the emptying of the constitutional protection to the confidentiality of the communications and the privacy of all Brazilian citizens,  this scenario has seen several repressive actions (administrative authorities who want to criminally prosecute employees of the companies responsible for denying data requests), diverse undiscriminated requests, etc.

Regarding parameter II, in the engaging phase, TIM presented to InternetLab material evidences of cases it defended users from requests that it considered abusive, proving its acting in defense of their customer’s privacy.

With regard to parameter (II), TIM shared with InternetLab, in the phase of engagement with the companies, information about two court cases in which the company challenges abusive data demands from the government. For that reason, it fulfilled the parameter.

CATEGORY: Pro-user privacy public engagement

Result: estrela_4_verde

TIM got a full star, because it met all parameters.

In the engaging phase, TIM informed InternetLab that it participated in “the Public Consultation of the Ministry of Justice on the regulamentation of the Brazilian Internet Civil Rights Framework, the Public Consultation of the Ministry of Science, Technology, Innovation and Communications on the National Plan for the Internet of Things and in the Public Consultation of ANATEL on the review of the telecommunications sector”. The company stressed that it defended user rights in the Privacy and Security section of the National Plan for the Internet of Things. Indeed, as the document with the company contribution states, TIM defended the creation of a specific legislation for data protection in Brazil (parameter II), adoption of data security techniques and protection of communication confidentiality (parameter III) and also principles of personal data protection established in international practices (parameter IV), as it can be seen below:

  • Data protection: creation of different levels of cybernetic security and defense that assure the adequate protection to the privacy of all data that will be generated by the new devices. It’s worth noting that this should also mean the generation of simplified business models for cases in which the data in traffic does not have information critical to the users’ security, privacy or industrial secret. Lastly, TIM believes that the rules of data protection should be in conformity with the international standard on the matter. (p. 3)
  • As it is known, Brazil still does not have a General Law on Data Protection. We hope that a legislation in this sense is soon to be voted, from the draft bills that are going through the National Congress. The lack of an established normative framework does not preclude that sparse laws, like the General Law of the Telecommunications, have specific provisions related to the matter. It certainly should not be considered that the IoT system is at the margins of the legal system of personal data protection and privacy, above all because, as seen, such ecosystem is capable of potentializing risks to the users’ privacy. However, it is necessary that the discipline related to the matter is flexibilized, whenever fitting, considering the specificities of the IoT/M2M world. […] (p. 70)
  • In this sense, regarding the draft bills currently being discussed in Brazil, TIM understands that they should aim a better balance between technological development and personal data protection, in a way to guarantee the constant development of innovation in the M2M/IoT sector. (p. 72)
  • Regarding data collection from IoT sensors, in case the referred sensors are considered themselves devices related to a person (from the concept to be established, which should combine the expansionist logic with objective delimitation criteria, according to what was exposed in the previous topic), it is crucial to address in the legislation to be edited questions related to obtaining the data owner’s consent, as well as other legitimate hypotheses for the collection of these information, such as the legitimate commercial interest (institute that should have its study deepened in Brazil, to be adequately introduced in the national system of law).

The legitimate interest has grounds in Directive 95/46/CE of the European Parliament, which especifically deals with the protection of personal data.

According to the referred Directive, the consent, even if not the keypoint for personal data processing, is dismissed, among other circumstances, in case of processing data for pursuing legitimate interests of the responsible for the processing.

It’s important to point that the Article 29 Data Protection Working Party (“Working Party”), work group responsible for interpreting the Data Protection directive, already manifest itself on the concept of legitimate interest for the Directive purposes. According to the Working Party, the legitimate interest should be understood as the one that allows the responsible for the data processing to pursue their interest in a way to respect the data protection provisions and other laws, that is, the legitimate interest, for Directive purposes, should be “acceptable according to the law”. In this way for the interest to be considered legitimate, it should be: (i) licit; (ii) specific enough to allow the “balancing test”; and (iii) non-speculative. (p. 71)

CATEGORY: Transparency reports about data requests

Resultado: estrela_2_verde

TIM got ½  a star, because it met parameter I.

TIM publishes a sustainability report about its activities in Brazil. However, this report does not have any information about received and attended data requests. Even in the “transparency” section, the company does not provide any information in this sense. There is, however, the indication that ir collaborates with authorities.

The information on account data and telephonic communications are delivered to the authorities exclusively in the cases provisioned in the current legislation (p. 30).

For this edition, due to this, parameter I was considered fulfilled. InternetLab highlight that, however, the information is quite distant from users, hidden within information for investors inside the sustainability report. For future editions, InternetLab will consider the accessibility of this information, along with the quality of this information (presentation of statistics that inform the size of the user data disclosure to public authorities).

At the stage of engagement with companies, TIM reiterated to InternetLab that it is not legally required to disclose statistics, that the Brazilian Internet Civil Rights Framework imposes obligations to the authorities and that, for security reasons, it considers the disclosure by the company not recommendable. It stressed, however, that, when requested in a motivated manner, it inform aggregate data on demands to authorities of the Judiciary Branch or Public Security.

The company asked for this category to be reviewed in light of its considerations. InternetLab understands the company’s concerns, emphasize the importance of the transparency for the refinement of liability of the State mechanisms and the fact that this practise is more and more diffused in diverse countries in the world, including among many telecommunications companies.

CATEGORY: User notification

Result: estrela_0_verde

TIM did not get a star, because it did not meet the parameter.

We did not find in the contracts or elsewhere any mentions about user notification mechanisms in cases of requests by State authorities in which there are no confidentiality requirements by law.


VIVO

CATEGORY: Information about data processing

Result: estrela_4_verde

Vivo – Fixed Broadband

Vivo got a full star, since it fully met parameters I to IV and partially V and VI, resulting in five parameters.

Regarding parameter I, according to Telefônica’s Sustainability Report and its Global Privacy Policy, the company states that it collects data from those who hire Telefônica’s services, who use their website and that they process the necessary data in order to provide their services, such as the ones about use and location when it is allowed by legislation.

Regarding parameter II, still in the Sustainability Report and the Global Privacy Policy, the company affirms that it uses data to promote and provide the services hired by the customer, innovate and improve the products that it offers and that, when the information is used for other purposes, the customer will be informed and will have the option to contest this usage.

Regarding parameter III, the company informs in its report that it “holds information during the time allowed by law or if it is necessary for the execution of a legitimate goal of its business”. There is no information about the place of storage. In the contract, the company quotes the ANATEL legislation that determines, among others, that the provider should keep account information and connection logs of its subscribers for at least one year.

Clause 5.2.8 To provide explanations to the CONTRACTOR, promptly and free of onus, before complaints related to the fruition of the service.

To strictly zeal for the inherent confidentiality of the telecommunication services and for the confidentiality of the CONTRACTOR’s data and information, using all means and technology necessary to assure this right.

Clause 5.2.9 Comply with the other obligations provisioned in Chapter III, of Title IV, of Attachment I of the n. 614 Resolution, of May 28th 2013, by ANATEL. (our highlight)

The company could be clearer in this item, instead of only referring to an external juridic document, in a way to ease the comprehension by the Brazilian user.

In the engaging phase, Vivo clarifies that it has the duty to inform its customers on a series of rights and obligations, existing a fine line between informing the users in a clear and effective manner and giving them an excessive detailing of information. This could help to explain the company’s option for writing the contract in such manner. However, it’s worth stressing that any public source of information is taken into consideration for the evaluation of parameter fulfillment. The company could display this information as an infographic in its website, for example. Therefore, there is space for improvement, which will be assessed by InternetLab in the next editions.

Regarding parameter IV, in the same documents, the company informs some of the security standards it follows and some of the measures it takes in order to guarantee the users’ security. For example, the existence of functions like Chief Privacy Officer and Chief Data Officer, beyond informing that they have formal procedures for assisting requests received by legal authorities and that it is of responsibility of the General Secretariat and Security areas. In the Global Privacy Policy, it also indicates the principles that guide the processing of data in a way to ensure the integrity, confidentiality and security of data.

Regarding parameter V, the company informs in its report that data may be internationally transferred for companies of the Telefônica Group and given to third-party companies, but it does not clarify in which circumstances the last case would happen. Thus, there is space for improvement, which will be evaluated by InternetLab in the next editions.

Regarding parameter VI, there is difficulty for finding the contracts on the website. The Sustainability Report is only in the Telefônica website. Besides, the Global Privacy Policy is only available in Spanish, which constitutes an obstacle in terms of user accessibility. The company can act to repair these obstacles and thus expressively improve its performance in this criterion. InternetLab strongly encourages the company to make this information available in Portuguese, which will be evaluated in the next editions.

Anyhow, for this year’s edition, InternetLab recognizes that the company included general information on collection, processing and security of data and mentioned the possibility that data is required by government in its sustainability report, aside from linking to its global privacy policy

Vivo – Mobile

Vivo got a full a star, since it fully met parameters I, II and IV and partially II, V and VI, resulting in four parameters and a half.

Thus, every observation made in the case of Vivo Broadband can be replicated here with the exception of the one corresponding to parameter III. Here, the fact that the company states in their report that it holds information during the time allowed by law or by the time it is necessary for the legitimate execution of its business is still valid. In the mobile contracts, though, there is no additional data, which makes the information not so complete and, consequently, in this aspect, Vivo Mobile does not fully fulfill this parameters.

However, as the total of parameters still surpasses four, the full star is kept.

CATEGORY: Information about data disclosure to government authorities

Result: estrela_3_verde

In this category, Vivo got ¾ star, since it almost fully meets parameters (I and II).

In the Sustainability Report, the company admits that there is a possibility of the government requesting certain data and it states that it has procedures to assess such requests:

Creating and/or maintaining processes and operational procedures to assess the government requests that may have an impact on freedom of speech and privacy. We have formal procedures to assist the requests received by local/government authorities. These are of responsibility of the General Secretariat and Security areas. In 2015, the Procedure Guide for government and application requests for all companies which are part of the Telefônica Group was presented. (p. 53)

On this point, InternetLab encourages the company to publicize the mentioned “Procedure Guide”. During the engaging phase, the company told us a little bit more about how it happens. As the category evaluates if such information is given to the public, especially to its customers, InternetLab encourages the company to do so.

In the Communication Transparency Report 2016, the company informs which are the authorities that, according to the listed Brazilian legislation, it considers competent to request data. The company divides between “interceptions of [content of] communications” and “metadata”:

Interception of Communications

According to article 3 of the Brazilian Federal Law n. 9.296/1996 (Law of Interceptions), only the judge (of the criminal sphere) can determine the interceptions (telephonic or telematic), by request of the Prosecutor’s Office or the Police Authority.

Metadata:

Prosecutor’s Office, Police Authority and judges of any sphere: the name and address of the registered user (account information), as well as the identity of the communication devices (including IMSI or IMEI).

Judges of any sphere: the data for identification of the origin and destination of a communication (for example, telephone numbers, user names for Internet services), data, time and duration of a communication and device localization. (p. 11-12)

This means that Vivo delivers account information before requisitions of Prosecutor’s Office representatives, police authorities and judges. Connection logs, however, are made available only before a court order.

InternetLab praises the conduct of Telefônica Brasil of making their interpretations on which are the competent authorities for requesting users’ data and in which circumstances public.

Indeed, the Brazilian legislation grants a different juridical treatment to account information and connection logs. Account information can be requested without a court order to the competent administrative authorities, according to the Brazilian Internet Civil Rights Framework. Account information can be demanded without a court order by competent administrative authorities. Currently, those are Police agents and Prosecutors under the laws of the Criminal Organizations (Law 12.850/13, arts. 15 and 17) and Money Laundering (Law 9.613/99, art. 17b, added by Law 12.683/12). Connection logs, however, can only be disclosed pursuant a court order. They can not be directly disclosed to administrative authorities upon mere request.

The parameters, however, demand that the company is compromised to delivering account information without a court order to the competent authorities only in the scope of the law in which the prerogative was instituted, that is, in cases of investigations of crimes by criminal and money laundering organizations. For this reason, the company got a ¾ star.

Lastly, InternetLab encourages Vivo to translate to Portuguese and facilitate the access in its website to this information about its acting before requests from state agents. For next edition, this will be considered and taken into account in our evaluation.

CATEGORY: Defense of users’ privacy in the courts

Result: estrela_2_verde 

Vivo got ½ star, as it fulfilled one parameter (I).

Last year, Vivo achieved ½ star, as it challenged though a direct action of unconstitutionality (ADI 5063), together with other ISPs, via the ACEL (National Association of Mobile Operators), articles of the Criminal Organizations Act (Law n. 12.850/13) in the Supreme Court. The action proposed by ACEL was considered as, according to constitutional rules, it is not possible to file this kind of measure individually.

In September 2016, ACEL once again petitioned the Supreme Court to reaffirm the need of granting a preliminary injunction to suspend the juridical effects provisioned in article 15, 17 and 21 of the Criminal Organizations Act until the trial of the merit, since, according to the Association, this law has encouraged several abuses by public authorities. In the complaint, it denounces that beyond the emptying of the constitutional protection to the confidentiality of the communications and the privacy of all Brazilian citizens,  this scenario has seen several repressive actions (administrative authorities who want to criminally prosecute employees of the companies responsible for denying data requests), diverse undiscriminated requests, etc. So, it fulfilled parameter I.

In the engaging phase, Vivo presented other examples in which it also got together with other companies to contest legislations that it considered harmful to the right to privacy, quoting, aside from the aforementioned ADI, the n. 5.642 ADI (via Sinditelebrasil), the n. 5059 ADI (via ACEL and the n. 4.906 ADI (via ABRAFIX).

Regarding parameter II, in the engaging phase, we asked all companies to send us examples of judicial actions in which they challanges abusive requests for users’ data by authorities or other users’ privacy violation. Despite praising Vivo’s engagement in the project and their affirmation of indeed contesting abusive requests, the company did not send material evidences to InternetLab, nor could we find something similar in an independent research, which makes it not fulfill the current parameter.

CATEGORY: Pro-user privacy public engagement

Result: estrela_2_verde

Vivo got ½ star, as it met parameters I and III.

We found positioning by the company in the public consultation about the National Plan for the Internet of Things, meeting parameter I.

In item 11 (Security and Privacy), the company argued that the current national legislation would be more than enough to fully protect privacy and personal data, not defending any other provision that would expand the privacy protection mechanisms, which makes it not meet parameter II. Still in this item, it defended the use of cryptography for communications and more sensitive transactions, meeting parameter III:

  • The option or not of using and/or type of cryptography to keep the security and privacy of data inserted in M2M/IoT devices should have a relation to the application and the form of communication. This is because, more sensitive communication should have a better security. Communications or applications that do not require protection can be explored without the use of cryptographic techniques.
  • Therefore, the currently existing normative framework already contemplates provisions that assure in a balanced and efficient manner the security of the citizens in digital environments. The existence of an excessive numbers of rules and norms that guide the relations in this ecosystem can represent a limitation of the evolutive process of the digital economy and of the innovations that can bring benefits to all society, at the same time that they do not mean a better protection to the right of individuals.
  • Telefônica understands that the current normative framework meets the individual security necessity, at the same time that it assures the possibility of innovation and development of new businesses and products. Any additional law or regulation that appears should have in sight that the creation of limiting rules may hurt one of the main values fostered by the digital economy which is freedom, and for this it should adopt a more principiological character. (our highlight)

CATEGORY: Transparency reports about data requests

Results: estrela_4_verde

Vivo got a full star, since is met all parameters.

In the Sustainability Report, the company admits that there is the possibility of requests of certain data by the government and it affirms having procedures to assess such requests, which meets parameter I:

Creating and/or maintaining processes and operational procedures to assess the government requests that may have an impact on freedom of speech and privacy. We have formal procedures to assist the requests received by local/government authorities. These are of responsibility of the General Secretariat and Security areas. In 2015, the Procedure Guide for government and application requests for all companies which are part of the Telefônica Group was presented. (p. 53)

Beyond this, Telefônica, the global economic group of which Vivo is part, for the first time published a Communication Transparency Report 2016. The report has separate parts dedicated to each country in which Telefônica operates, clarifying what is the regulatory set to which they are subdued in each country and presenting the number of data requirements that they receive from state authorities in each country between 2013 and 2015.

In Brazil in 2015, there were over 326 thousand requests for interceptions and more than 1,2 million metadata requests. For including statistics on the realization of telephonic and telematic interceptions and metadata deliver, the company fulfills parameter II.

InternetLab praises Vivo’s posture, since the document is unprecedented in Brazil and represents a huge step for having a better transparency in relation to the supplying of clear information about the contribution of companies with public authorities. At the same time, we encourage the company to publish the transparency report in Portuguese and to make it more accessible to the Brazilian customer in its website, which will be evaluated in the next editions.

CATEGORY: User notification

Result: estrela_0_verde

Vivo did not get a star, because it did not meet the parameter.

We did not any mentions about user notification mechanisms in the materials consulted in cases of requests by government authorities in which the confidentiality is not imposed by law.

FAQ

How does InternetLab funds its activities?

InternetLab is a non-profit entity. We do not act as a consulting or a law firm and we only provide services if they are in tune with our goals, which are mainly related to do research in the area of law and technology, specially with subjects concerned with the impact of public policies.

The financing of our activities comes from foundations, nonprofit organizations, companies and individuals. In all these cases we have two conditions for accepting contributions: independence in the development and implementation of projects and the freedom to express any kind of analysis and institutional stance.

In the year 2015, our funding came 71% from foundations and international third sector organizations, 28% of companies and 1% of individual donations.

How was the project "QDSD?" funded?

The project was funded with grants from international foundations.

Who worked in the "QDSD"?

The InternetLab team that worked on this project was: Dennys Antonialli (executive director), Francisco Brito Cruz (director), Jacqueline Abreu (researcher and coordinator), Juliana Ruiz (researcher), and Ana Luiza Araujo (translations intern).

In EFF,  Katitza Rodríguez (international rights director) and Kurt Opsahl (Deputy Executive Director and General Counsel) worked on the project.

The communication part of the project was conducted by Maria Claudia Levy, from GOMA Oficina, and Sergio and Bruno Berkenbrock, from MirrorLab.

The project ends with the dissemination of the results?

No, the project continues. The frequency of the evaluation in the project is annual. In each version, InternetLab will re-evaluate the methodology and the results, ensuring that they reflect what are the possibilities within the reach of companies so they can defend your data.

Recommendations for the next edition

For the next few years and evaluations, InternetLab invites the companies to develop privacy policies in oder to inform users about the treatment given to personal data and connection logs, as requested by the Marco Civil da Internet, and the ways they deal with court orders and requests from administrative authorities. It is also encouraged that the companies use their ‘press rooms’ on their websites to list their actions in defense of privacy and data protection in the judiciary and in public debates. Finally, InternetLab also encourages companies to publish transparency reports and to adopt user notification practices.