/Presentation

Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests BONUS - Tells user about data requests
Information on data protection policy Law enforcement guidelines Defence of users in the Judiciary Public position in favor of privacy Transparency reports and Data Protection Impact Assessments User notification
Information on data protection policy Law enforcement guidelines Defence of users in the Judiciary Public position in favor of privacy Transparency reports and Data Protection Impact Assessments User notification
Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests Tells user about data requests
Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests Tells user about data requests
Informs about data processing Informs about terms of compliance with data requests from the government Fights for user privacy in the courts Fights for user privacy in public debates Publishes transparency reports about data requests Tells user about data requests
Informa sobre tratamento de dados Informa sobre condições de entrega de dados a agentes do Estado Defende a privacidade de usuários no Judiciário Adota posicionamento público pró privacidade Publica relatório de transparência sobre pedidos de dados BÔNUS - Notifica usuários sobre pedidos de dados
Informações sobre a política de proteção de dados Protocolos de entrega de dados para investigações Defesa dos usuários no Judiciário Postura pública pró-privacidade Relatórios de transparência e de impacto à proteção de dados Notificação do usuário
Informações sobre a política de proteção de dados Protocolos de entrega de dados para investigações Defesa dos usuários no Judiciário Postura pública pró-privacidade Relatórios de transparência e de impacto à proteção de dados Notificação do usuário
Informações sobre a política de proteção de dados Protocolos de entrega de dados para investigações Defesa dos usuários no Judiciário Postura pública pró-privacidade Relatórios de transparência e de impacto à proteção de dados Notificação do usuário
Informa sobre tratamento de dados Informa sobre condições de entrega de dados a agentes do Estado Defende a privacidade de usuários no Judiciário Adota posicionamento público pró privacidade Publica relatório de transparência sobre pedidos de dados Notifica usuários sobre pedidos de dados
Informa sobre tratamento de dados Informa sobre condições de entrega de dados a agentes do Estado Defende a privacidade de usuários no Judiciário Adota posicionamento público pró privacidade Publica relatório de transparência sobre pedidos de dados Notifica usuários sobre pedidos de dados
Informa sobre tratamento de dados Informa sobre condições de entrega de dados a agentes do Estado Defende a privacidade de usuários no Judiciário Adota posicionamento público pró privacidade Publica relatório de transparência sobre pedidos de dados Notifica usuários sobre pedidos de dados
Informações sobre a política de proteção de dados Protocolos de entrega de dados para investigações Defesa dos usuários no Judiciário Postura pública pró-privacidade Relatórios de transparência e de impacto à proteção de dados Notificação do usuário
Show previous research

InternetLab was chosen by the Electronic Frontier Foundation – EFF (USA) to develop the project “Who Defends Your Data?” (in Portuguese, “Quem Defende Seus Dados” – QDSD), the Brazilian version of “Who has your back?”.

“Who Defends Your Data?” aims to promote transparency and best practices in terms of privacy and data protection by companies providing Internet connection (ISPs) in Brazil. Every year, we review the methodology to include legislative changes, innovations and controversies in jurisprudence and updated best practices in terms of protection of privacy and personal data.

/About us

InternetLab is an independent interdisciplinary research center that promotes academic debate and the production of knowledge in the areas of law and technology, especially in the field of the Internet. We are a non-profit entity that acts as a point of articulation between academics and representatives of the public, private and civil society sectors.

The Electronic Frontier Foundation – EFF is a non-governmental organization pioneering the defence of digital rights. The organization works with technologists, activists and lawyers to defend free speech online, fight illegal surveillance and advocate on behalf of users and innovation.

In 2015, the “Who Has Your Back?” project, developed by EFF nine years ago in the United States, expanded to other countries around the world, especially those in Latin America. The Latin American editions have adopted the evaluation of Internet Service Providers (ISPs) as their objective, especially regarding transparency, privacy and personal data protection policies. In the case of Brazil, the evaluation methodology was elaborated based on the principles and guarantees established by the Federal Constitution, the Internet Civil Framework (in Portuguese, the Marco Civil da Internet), the Brazilian General Law of Data Protection (LGPD), and other current laws, and seeks to evaluate the company’s public commitment to privacy and data protection of its users. By awarding companies with zero to six stars, our goal is to encourage the adoption of best practices and the development of policies that make a public commitment to the protection of users’ privacy and personal data.

 

This year we continue to refine our evaluation parameters in view of the approval of the Brazilian General Law of Data Protection, of new modifications in the understandings and practices about privacy and data protection, and of news regarding the use of facial recognition by telecom operators. The ISPs evaluated remain the same as in 2021: Algar, Brisanet, Claro, Oi, TIM and Vivo. 

 

We try to value not only the companies’ commitment expressed in their contracts and policies, but also their commitment and dedication to the implementation of important privacy and data protection best practices. We value, for example, the existence and accessibility of information about privacy on specific pages on the companies’ websites (such as “privacy portals”), the accessibility and availability – in Portuguese – of their transparency reports, the provision of means to exercise the rights of data subjects (such as the rights of access and erasure of data), as well as the respect for such requests, the existence of specific protocols of data delivery to state agents, among others. 

It is worth noting that the results are widely reported in the national and international press.

/Our method

Companies Evaluated

Each company was evaluated based on 6 categories, taking into account the requirements of current legislation and good international practices regarding privacy protection. For this evaluation, we analyzed service contracts, sustainability reports, and other documents that were available on the companies’ websites up to October 14th, 2022.  For this version of Who Defends Your Data, we considered documents, actions, positions, etc. publicized between June 2021 and October 2022.

Based on the answers obtained, we assigned the following grades: A. 1 full star; B. ¾ of a star; C. ½ star; D. ¼ of a star; E. No star. A full star means that the company meets all the parameters in a given category, while the assignment of no star means that the company did not meet any parameter.

We point out that, in order to encourage companies with evaluations that raise their overall score, partially met parameters and sub-parameters were always rounded up when summing up and ascertaining compliance with a category or parameter. For example, if the company complies fully with one parameter and partially with another, and the compliance with two parameters is necessary for the awarding of a full star in the category, the compliance, in this case,   corresponding to “1.5” parameter was considered sufficient to obtain the full star. The same occurs between sub-parameters and parameters: if half or more than half of the sub-parameters are met, the corresponding parameter was considered to be fully met.

CATEGORY 1. Information on data protection policy

Does the company provide clear and complete information about its data protection practices?

What were the parameters for evaluation?

(I) [Data Collection Information] The company provides clear and complete information on: (a) what kind of data is collected; (b) in what situations the collection occurs; (c) whether they collect publicly available data; (d)  categories of third parties who provide data to the company (including public data providers); and (e) whether there is an assessment of third parties’ legal compliance with the LGPD.

(II) [Information on Processing Purposes] The company provides clear and complete information on: (a) the purposes of the company’s data processing activities; and (b) the ways in which processing takes place.

(III) [Information on storage, security and sharing] The company provides clear and complete information on how it protects personal data, i.e. : (a) for how long and where it is stored; (b) under what circumstances it is deleted; (c) whether and under what circumstances it is retained/kept; (d) what administrative and technical security practices the company observes; (e) whether there is a published Cybersecurity / IT Policy with information on specific protections employed against malware, ransomware, worms and other viruses; (f) which categories of employees have clearance to access data (which access controls are employed); (g) with which third parties, if so, the company shares the data (after collection); (h) for what purposes the data is shared (including when using software, online platforms, networks or clouds for internal company use); (i) what are the hypotheses for international data transfers; 

(IV) [Information on LGPD Rights] (a) Inform data subjects about what are the means (e.g. emails or links) for exercising their rights under the LGPD; (b) inform data subjects of their rights.

(V) [Responses to Rights Requests] (a) The company has provided confirmation of the existence of or access to personal data at the request of the data subjects, members of InternetLab, through a clear and complete statement indicating the origin of the data, the existence or non-existence of a record, the criteria used and the purpose of the processing, within 15 (fifteen) days; or in simplified format, immediately (b) the company responded to requests regarding the rights of data subjects, members of InternetLab, within one month;

(VI) [Privacy Policy Update] The company promises to send notifications (e.g. by e-mail or SMS) to the user in the event of modifications to its data processing practices.

(VII) [Accessibility] Company presents clear and comprehensive privacy and data protection information in an accessible manner on its website (e.g., on a “privacy portal” or similar), provided that such information is also available in applicable membership agreements or privacy policies.

Performance standards

The ISP meets from 6 to 7 parameters.

The ISP meets from 4 to 5 parameters.

The ISP meets from  2 to 3 parameters.

The ISP meets only one of the parameters.

The ISP does not meet any of the parameters.

 

CATEGORY 2. Law enforcement guidelines

Does the company undertake to follow the interpretation of the most protective law on the right to privacy when personal data are requested by law enforcement agents, and do they have clear guidelines for these cases?

What were the parameters for evaluation?

(I) [Subscriber data: identified competent authorities] The company promises to provide subscriber data by request (without a court order) only to competent administrative authorities, in addition to identifying them. In other cases, it requires a court order.

(II) [Subscriber data: identified authorities and crimes] The company promises to provide subscriber data by request (without a court order) only to competent administrative authorities, identifying them, and only within the scope of investigating the crimes referred to in Law 12.850 / 13, and of Law 9,613 / 98 and article 13-A of the criminal procedure code (CPP). In other cases, it requires a court order.

 (III) [Geolocation data] The company (a) provides clear information on the circumstances in which it provides geolocation data, identifying whether it provides real-time or past data, and (b) promises to deliver geolocation data to the victim or suspect only by court order, when necessary for the prevention and repression of crimes related to human trafficking or, (c) even in these cases, promises to deliver the data upon request from the competent authority, only in the absence of a judicial manifestation within 12 (twelve) hours. 

(IV) [Connection records] The company promises to provide connection records only by court order, strictly under the terms defined in the legal regulatory use of the internet (art. 5, item VI).

(V) [Specific guidelines] The company publishes a protocol for responding to requests for the delivery of personal data to public authorities.

Performance standards

The ISP meets four or five parameters.

The ISP meets 3 parameters.

The ISP meets 2 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

 

CATEGORY 3: Defence of users in the Judiciary

Has the company challenged administrative or judicial abusive requests for data, or legislation that it considers violating users’ privacy?

What were the evaluation parameters?

(I) [Contestation of legislation] The company has legally challenged legislation, or an interpretation of legislation, which it considers to be in violation of the privacy of Internet users, for being disproportionate and / or for not establishing a clear, precise and detailed manner the hypotheses and circumstances in which data should be transfered (or the appropriate safeguards to prevent abuses).

(II) [Contestation of abusive requests] The company contested, judicially or administratively, at least once within the analyzed period, abusive requests for access to user data that exceeded the legal prerogatives of the requesting authority and / or were disproportionate due to its lack of clarity or precision about  which data was required or what was the motivation, or for any other reason that compromises users’ right to privacy.

Performance standards

The ISP meets 2 parameters.

The ISP meets only one parameter.

The SP does not meet any of the parameters.

 

CATEGORY 4: Pro-privacy public standing

Has the company publicly positioned itself in defense of privacy and data protection, strengthening the culture of protection of this right in Brazil?

What were the parameters for evaluation?

(I) [General stance] Did the company take a stance in its own name, in any public consultations, debates or in the media to specifically defend the approval of rules or adoption of techniques that would increase the protection of data conferred to the users of its services?

(II) [Stance on facial recognition] Has the company taken a stance on its own behalf, in public consultations, debates, or in the media, specialized or not, against making facial recognition procedures mandatory for registration or access to mobile phone services?

Performance standards

The ISP meets 2 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

 

CATEGORY 5: Transparency reports and Data Protection Impact Assessment

Does the company periodically publish transparency reports, in Portuguese and which are easily accessible, with basic information on data requests by public authorities? Does the company prepare and publish Data Protection Impact Assessment?

 What were the parameters for evaluation?

(I) [Report publication] Publishes transparency reports in Portuguese on privacy and data protection.

(II) [Report accessibility] It has a transparency report that is easily accessible to the general public.

(III) [Periodicity of the report] Publishes a transparency report at least annually.

(IV) [Information on data access requests] Displays, in the transparency report, information on requests of access to data which they received, complied with or rejected.

(V) [Data Protection Impact Assessment] Prepares and publishes personal Data Protection Impact Assessments.

Performance standards

The ISP meets all parameters.

The ISP meets four parameters.

The ISP meets 2 or 3 parameters.

The ISP meets only one parameter.

The ISP does not meet any of the parameters.

 

CATEGORY 6: User notification

Does the company notify users when it receives data requests?

What was the evaluation parameter?

(I) [Notification] It promises to notify the user before the trnasfer of subscriber data and internet connectiviy records, whenever the secrecy of the transfer is not imposed by law or determined in a court decision, or as soon as that notification is allowed.

Performance standards

The ISP meets the parameter.

The ISP does not meet the parameter.

/Our sources

We consulted contracts, templates and privacy policies available on the ISP’s websites, as well as press conferences and other official manifestations of the evaluated companies. We considered documents publicly accessible until 10/14/2022 (final date for the preliminary phase). 

Terms of use or privacy policies related to the use of the companies’ websites were not considered. Moreover, as several lawsuits were informed to us by the companies with labeled identifiers, because they are under secrecy of the courts, it was not possible to point out the numbering of all the lawsuits considered. The receipt of such lawsuits by us, however, was reported during the individual results of this report.


Claro/NET

Portal de Privacidade Claro

Código de Ética América Móvil

Sustainability Report 2021 América Móvil

Sumário e Termos e Condições de Uso do “Plano nº 150 Claro-NET Internet Pós-pago”

Contrato de Prestação do Serviço Móvel Pessoal Pós-Pago

Contrato de Prestação do Serviço Móvel Pessoal Pré-Pago

Contrato de Prestação do Serviço de Comunicação Multimídia (SCM)

Vivo

Centro de Privacidade Vivo

Regulamento Promoção Vivo Internet Móvel II;

Regulamento Promoção “Pacote Adicional Recorrente Pós Pago e Internet Móvel”;

Regulamento Promoção Vivo Internet Móvel;

Relatório de Sustentabilidade da Vivo (2021);

Informe de Transparência nas Comunicações da Telefônica (2021);

Política de Privacidade e Proteção de Dados de Clientes e Titulares da Vivo (2022);

Política Global de Privacidade Telefônica (2022)

Política Global de Segurança da Telefônica (2022)

Tim

Contrato de Prestação de Serviços Live TIM (07/10/2020)

Contrato STFC Local – TIM FIXO RESIDENCIAL (07/10/2020)

Contrato de Prestação de Serviço SMP Corporativo LA (07/10/2020); 

Contrato de prestação de Serviço SMP Corporativo (07/10/2020); 

Contrato de Prestação do Serviço Móvel Pessoal Pós-Pago (07/10/2020);

Contrato de Prestação de Serviço Móvel Pessoal Pré-Pago (07/10/2020)

Política de Privacidade, atualizada em 14/06/2022

Relatório de Transparência 2021

Informativos de Privacidade;

Como é realizado o compartilhamento de dados pessoais em caso de investigação?

Relatório de Transparência 2020.

Oi

Relatório de Sustentabilidade 2021.

Portal de Privacidade, acessado em 11/10/2022

Aviso de Privacidade

Aviso de Cookies   

Programa Oi de Privacidade

Política de Privacidade

Contrato de Adesão ao Serviço de Acesso Banda Larga com Fibra

Algar

Política de Privacidade

Privacidade de Dados Pessoais (17.05.2020)

Termos de Uso

Segurança da Informação (19.10.2021)

Governança de Dados Pessoais (17.05.2020)

Relatório Integrado 2021

Contrato de Prestação de Serviço Banda Larga

Contrato de Prestação de Serviço Ultra Banda Larga

Contrato de Prestação do Serviço Banda Larga Minas

Contrato de Prestação do Serviço Net Super Simples

Termo de Adesão Serviço de Dados

BRISANET

Política de Privacidade Brisanet

Central de Privacidade da Brisanet

Contrato de Adesão ao Serviço Internet Móvel Pré-Pago Brisanet

Relatório de Sustentabilidade 2021 da Brisanet

Contrato de Adesão ao Serviço Internet Móvel Pré-Pago da Brisanet

Contrato de Prestação de Serviços de Banda Larga da Brisanet

/Results

Information on data protection policy Law enforcement guidelines Defence of users in the Judiciary Public position in favor of privacy Transparency reports and Data Protection Impact Assessments User notification
Show previous research

CLARO

CATEGORY 1: Information on data protection policy

Result:

In this category, Claro-NET got a full star, having met parameters I, II, III, IV, V, VI and VII.

Claro-NET fully meets parameter I, having provided clear and complete information on the 5 sub-parameters.

Sub-parameter (a): fully met. In its Privacy Portal, the company extensively lists the data collected (see excerpt below):

What personal data does Claro-NET collect and for what purposes is it used? 

– Registration Data:

  – Which Data: name, e-mail, address, telephone, CPF, RG, date of birth and gender.

  – Purposes: they are important for some actions, such as filling out your service contract, issuing invoices, and also for us to communicate with you.

– Navigation Data and Use of Claro’s Products and Services:

  – What Data: information about browsers and devices including IP address, error reports, system activity, date, time and URL, data about calls and telephony including destination, duration and sending SMS messages. In addition, information about calls made and received, SMS sending, data volume used, and the antennas that serve you.

  – Purposes: to measure the quality of our services so that you can understand your bills, have your own control and so that Claro-NET can comply with the determinations foreseen by our regulatory agency and legislation. 

(…)

InternetLab also praises Claro’s conduct in clarifying what data it collects from people who are not even customers, as can be seen in its Privacy Portal:

If you contacted our Sales Center seeking to contract a product or service, but discontinued the contracting, your contact is recorded and we can contact you to better understand how we can help.

Similarly, if you enter one of our sites and choose some products, but abandon the cart, we will remind you about this purchase intention to confirm if you are stillinterested.

We obtain information from companies with legitimate and properly sourced databases in order to seek to bring new customers to Claro.

We have authorized agents who sell Claro’s products and services and provide customer service as required by regulation. They also prospect customers and are oriented to follow the related good practices, including consulting the Do Not Disturb and Do Not Disturb Me registers. 

Sub-parameter (b): referring to the situations in which data collection occurs, was considered to be fully met. This is because, even though there is no specific wording in this sense, the same passages pointed out above inform  in which situations collection occurs (e.g. when navigating and using products, when filling out the service contract, etc.) This information was considered to be  sufficient detailing of the situations in which collection occurs.

Sub-parameter (c): referring to the collection of publicly available data, was considered to be fully met. In the same section pointed out in Sub-parameter (a) above, there is the report that publicly available data is collected by the company.

Sub-parameter (d): regarding the listing of third party categories which supply data to the company, the parameter was considered to be fulfilled. The company discloses this information on its Privacy Portal.

Sub-parameter (e): concerning the assessment on the legal compliance of third parties with the LGPD, it was considered fulfilled. This is because Claro-NET stipulates a specific clause on privacy and data protection in which full care and guarantees of data treatment are required from third parties

As for parameter II, regarding the provision of clear and complete information about the purpose of data use, it was considered fulfilled, since both sub-parameters (a) and (b) were met.

Sub-parameter (a): referring to the purpose of the data processing, is fully met. In its Privacy Portal, in the section “What personal data does Claro-NET collect and for what purposes are they used?”, the company explains, in detail, what are the functions for each kind of data collected. As in the case of Registration Data:

– Which Data: name, e-mail, address, telephone, CPF, RG, date of birth and gender.

– Purposes: important for some actions, such as filling out your service contract, issuing invoices, registering and accessing Claro’s applications and internet support, and also for communicating with you.

Sub-parameter (b): referring to how the use or type of processing is carried out, was considered to be fully met. In the excerpt “Stay informed about data processing done by Claro”, from its Privacy Policy, the company indirectly clarifies the ways in which the personal data collected is used. In addition, it points out at the beginning section of its Privacy Portal:

Here, you learn about data processing done by Claro-NET in:

 - Mobility, such as prepaid, control and postpaid plans;

 - Entertainment, such as NOW and TV (DTH and cable);

 - Connectivity, such as Vírtua broadband and Wi-Fi;

 - Business, solutions such as Claro-NET and Embratel.

As for parameter III, referring to the provision of clear and complete information about personal data protection, it was considered to be fully met, since sub-parameters (a), (b), (c), (d), (e), (f), (g), (h), and (i) were met. 

Sub-parameter (a): referring to the time and place of data storage was considered to be fully met. In its Privacy Portal, in the section “For how long does Claro-NET process your data and where does it store it?”, the company informs the detailed storage conditions for each type of data collected and their storage locations. It is noteworthy that the company is categorical about the retention periods, communicating that these are strict deadlines – neither maximum nor minimum – and also about the location, not affirming that there is storage in third parties or servers in undefined locations.

“Claro-NET treats your data for the duration of your service, but it must also keep your data after your relationship with Claro-NET ends in order to comply with the law, such as in cases where it is necessary to provide data to public authorities or to defend itself in legal proceedings.

Some examples of retention periods by Claro-NET are:

– six months – records of access to Internet Features in Claro’s own applications;

– one year – records of internet connection; it will not retain records of access to internet functionalities;

– one year and three months – recording of the interaction between consumer and attendant at the Customer Care Center;

– six years – fiscal documents that include data on outgoing and incoming calls, date and time of duration and value of the call.

– ten years – registration and billing data;

Claro-NET stores the data securely and with strict access control. This data is stored on its servers in data centers located in the cities of São Paulo, Campinas and Rio de Janeiro.”

Subparameter (b): referring to when/if the data are deleted, it was considered to be fully met. This is because, in the same passage pointed out above, it is implicit that the data are deleted after the expiration of the indicated retention period. 

Subparameter (c): concerning the circumstances of data retention, it has been met. In the Privacy Portal, in the same item referenced above, the hypotheses of data retention are described.

Subparameter (d): concerning the company’s security practices, it was considered to be fully met. In the Privacy Portal, the company commits to follow security and control standards, without specifying in this document, however, which practices are adopted. 

“Claro-NET uses

– technical security solutions and measures, aiming to preserve the inviolability of data compatible with international standards and good industry practices;

– appropriate security measures to protect against the risks of accidental or illegal loss, alteration, disclosure, or unauthorized access.”

Despite the generic information on the Privacy Portal, the company presents more information about the security practices adopted in the Sustainability Report 2021 (p. 48) of the América Móvil group. According to the report, the system adopted in Brazil is the Security Operation Center with ISO 27001 Safety Management Systems certification.  

Sub-parameter (e): referring to the existence or not of an IT/Cyber Security Policy, was considered to be fully met. In the same part of the document, the reference to the ISO 27001 Safety Management Systems certificate demonstrates the company’s concern with a specific policy on the subject.

Sub parameter (f): regarding which categories of employees can have access to the data, it was considered to be fully met. This is because the company discloses this information in its Privacy Portal, in the item “Who has access to your data at Claro?”, through an “Information Access Policy”. 

Sub-parameter (g): concerning which third parties the company shares the data with after collection, the subparameter was considered to be fully met. In the item “With whom does Claro-NET share data?”, the company exposes general categories of companies with which data may be shared:

“Claro-NET is considered the controller of personal data, as are each of the companies in the group. They are:

– Claro S/A – provider of mobile telephony services, fixed telephony, national long distance, cable pay television, fixed and mobile internet and value-added services;

– Embratel TVSAT Telecomunicações – Provider of subscription television services using DTH technology;

– Claro-NET Nxt – provider of mobile telephony and national long distance services.

In order to carry out all of its activities, Claro-NET needs to share its data with some third parties. After all, they are the ones who will provide services for you and should observe certain precautions, such as the security of your data. See who these third parties are:

  1. Call center companies – Performing customer service to customers and prospective customers.
  2. Technical Service Companies – Installing and maintaining Claro’s services, such as TV and Internet.
  3. Companies that commercialize content via Claro-NET – Commercialization of third-party content on Claro’s sales channels and that need some information to activate content and subscriptions.
  4. Credit and Collection Companies – Collection of outstanding invoices.
  5. Credit Solutions Companies – Providing inputs for the development of products focused on credit analysis and concession and anti-fraud solutions.
  6. Authorized Agents – Sale of products and services with the Claro-NET brand, which are often the gateway for customers.”

Furthermore, in its prepaid SMP Service Agreement, it states:

“15.6 All the information from the Subscriber’s registration is confidential and may only be provided: a) to the Subscriber; b) to the representative with specific power of attorney; c) to judicial authority; and d) to other Telecommunications Service Providers, for the specific purpose of providing these services.”

Sub-parameter (h): concerning the purposes of sharing data with third parties, it was considered to be fully met, in view of the details of each sharing as per the excerpt from the Privacy Portal pointed out above.

Sub-parameter (i): concerning the international transfer of data, was considered to  be fully met. In its Privacy Portal, Claro-NET has an item dedicated to the international transfer of data:

“Claro-NET also contracts cloud storage from suppliers and partners located in other countries, which is a common and safe market practice. This type of processing is essential for the provision of the services contracted with Claro-NET and may be performed outside the national territory, for example, on servers located in other countries with a level of protection of personal data adequate to the provisions of the Law. Even so, Claro-NET is still attentive to the orientations of the ANPD, which will regulate this type of treatment in the future.”

Parameter IV, which assesses whether the company makes available clear and complete information about the data subject rights, was considered to be fulfilled. Sub-parameters (a) and (b) were fully met.

Sub-parameter (a): related to what are the means for exercising the rights of the data subjects regarding their data, was considered to be fulfilled. In the Privacy Portal, there is the section “What are your rights in relation to your personal data?”, in which the company informs about the existence of the data subject’s rights foreseen in the General Law of Data Protection. The company also informs, in each case, the means to exercise these rights – either through the Privacy Portal itself, or by e-mail to Claro’s DPO.

Sub-parameter (b): related to the information on what are the data subject rights , was considered to be fully met, according to the same item exposed above.

Parameter V, which assesses whether the company responded in a timely manner to requests for access to data, was considered to be fully met. The company has an portal for access to the rights of the owners with extracts of the data used. Although a team member had technical problems accessing the portal, the situation was resolved by the company. 

Parameter VI, which evaluates if the company promises to send notifications to the user when updating its privacy policies, was considered to be fully met. Claro-NET does communication campaigns to update its Privacy Policy.

Finally, parameter VII, referring to the accessibility of information on privacy and data protection, was considered fulfilled. At the bottom of the homepage of Claro’s website there is a link to the Privacy Policy. By accessing this link, the user is redirected to the Claro’s Privacy Portal, which contains the “Privacy Policy”, “Cookies Policy” and “Privacy Rights”. The information in the Privacy Portal is very clear and easily accessible to customers. 

Also, the information in the Privacy Policy is presented in Claro’s contracts.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Claro-NET got a full star, having met parameters I to IV and partially complied with parameter V.

Parameter I, referring to the identification of the competent authorities to request data, was considered fulfilled. In its Privacy Portal, the company informs about the situations in which it shares data with the Public Sector:

  1. Public Sector – Claro-NET also shares personal data with our regulatory agency – ANATEL -, upon requests from competent administrative authorities, such as Civil Police, Federal Police, Military Police, Legislative Police, in compliance with specific legislation*; State Public Prosecutor’s Office, Federal Public Prosecutor’s Office, Military Public Prosecutor’s Office.  

In other situations, through compliance with judicial decisions.

*Law 12.830 of June 20, 2013 (Law of Delegates); Art. 15 of Law 12.850 of August 2, 2013 (Organized Crime Law) and Art. 17-B of Law 9613 of March 03, 2018 (Money Laundering) which the Police Marshal and the Public Prosecutor’s Office will have access, regardless of judicial authorization, only to the registered data of the investigated that exclusively informs the personal qualification, affiliation and address maintained by the Electoral Justice, telephone companies, financial institutions, internet providers and credit card administrators; Art. 13-A of Decree-Law 3689 of October 3, 1941, which authorizes the Public Prosecutor’s Office and the Police Chief to request data and registration information of the victim or suspects and the requests can be addressed to any public agency or private company and art. 269 of the Internal Rules of the House and Resolution 18 of the House of Representatives of December 18, 2003.

Also in this aspect, it is worth noting that the company makes reference in the contract to ANATEL’s provisions that contain rights and establish duties:

Multimedia Communication Service Contract (SCM)

35.02 The rights and duties of the subscribers of the multimedia communication service are provided for in articles 56, 57 and 58 of Resolution 614/2013 of ANATEL. The rights and obligations of the PROVIDER are set forth in articles 41 to 55 of the same Resolution. 

Contract for the provision of prepaid SMP services:

“16.6 All information of the Subscriber’s registration is confidential and may only be provided: a) to the Subscriber; b) to the representative with specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes for the provision of such services.”

Parameter II, referring to the identification of the competent authorities and the crimes under which the request will occur, was considered to be fully met. In the same passage pointed out in its Privacy Portal above, the company points out the laws under which the authorities pointed out (Military Police, Legislative, etc.) may request data. In addition, it briefly mentions the crimes referred to in Art. 13-A of the Code of Criminal Procedure in the section on location data, as transcribed below.

Parameter III, referring to the provision of information about geolocation data, was considered to be fully met. The company provides the information in its Privacy Portal, pointing “What personal data Claro-NET collects and for what purposes they are used”:

“- Location Data:

  – What Data: geolocation data.

  – Purposes:

    – creation of products and services not related to advertising, such as Claro-NET Valida-explained further below;

    – to measure and improve the quality of Claro’s services in your locality and to comply with determinations foreseen by the regulatory agency and legislation. When necessary for the prevention and repression of crimes related to human trafficking, we provide access to such data in compliance with court orders or, in the absence of a court order within 12 (twelve) hours, upon request by the competent authorities.”

Parameter IV, referring to the promise to provide connection logs only upon court order strictly under the terms of the Marco Civil, was considered to be fully met. In Claro’s Privacy Portal, connection logs are defined and promised to be delivered only upon court order:

“- Internet Connection Logs:

  – What Data: information regarding the start and end date and time of an internet connection, its duration, and the IP address used by the terminal for sending and receiving data packets.

  – Purposes: Compliance with regulatory obligations under Law 13,965/14, the Marco Civil da Internet (MCI). Requests for access to connection logs are only granted under the terms of the Marco Civil da Internet (MCI), always through a court order.”

Finally, parameter V, related to the existence of specific protocols on data transfers to the State, was considered partially met. This is because it is possible to find, on page 51 of the AMX Sustainability Report, the numbers of data delivery to the State, however, the report is only in Spanish, without a Portuguese version.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Claro-NET got a full star, since it met both parameters analyzed.

As for parameter I, referring to the contestation of legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for cases in which the company was a party.We emphasize that our search, for reasons of scope and time, did not look for actions of this type in state courts, concerning legislation or interpretation of state-level legislation. Companies have the possibility, during the discussion of the parameters and exchange of documents phase, to prove their actions in this regard.

On 03/29/2022, the Federal Supreme Court published the judgment of the Direct Unconstitutionality Action number 4924/DF, in which the National Association of Cellular Operators – ACEL, of which Claro-NET is a member, requested the declaration of unconstitutionality of Law 17.107/12, from the State of Paraná, which provides for penalties to the person responsible for improperly calling the emergency telephone services involving removal or rescue, firefighting, police occurrences or attending disasters (telephone prank calling). The law aimed to establish an obligation for telephone companies to provide data on the owners of telephone lines that improperly call the emergency services after a mere official request by any public agency or institution involved. The ACEL argued in favor of the inviolability of intimacy, private life, honor, and the secrecy of telephone communications (as established in article 5, items X and XII of the Federal Constitution), mentioning the unavailability of the right to the protection of personal data in its argumentation.

In addition, the ACEL had filed ADI 5040/PI, published in 2021 (not included in our previous report), in which it questioned the legality of Law No. 6.336/2013 of the State of Piauí, which required companies providing personal mobile telephony service to provide, to public security agencies, data regarding the location of cell phones and “SIM” cards that had been the object of theft, robbery and burglary or used in the commission of crimes. Among its arguments, ACEL also alleged a serious offense to its customers’ privacy in the event of disclosure of personal information, citing the Constitution and the fundamental right to privacy, in addition to the inviolability of the secrecy of telephone communications.

Finally, to investigate parameter II, which refers to the challenge of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases with the terms “Claro-NET And secrecy And breach” and rulings published between 06/21/2021 and 10/19/2022. We found several actions in which Claro-NET contested requests for data from its customers due to the lack of a court order determining the transfer of data.

For example, we found, in the report of the judgment regarding Case 1042581-72.2021.8.26.0100: 

“Summoned, the defendant Claro S/A presented its answer on pages 72/80. In preliminary, raised lack of interest in action by the loss of object of the action, since the author requested IPs from March 2020 and prior to this date. That, the art. 13 of the Marco Civil determines the obligation of the connection provider companies in maintaining custody for a period of up to one year. If you analyze the oldest access, from March 2020, the duty of safekeeping ceased in March 2021, in addition to the Marco Civil determines the exclusion of access after the safekeeping period. The order was received in June 2021. On the merits, he claimed that he does not refuse to provide the information requested, provided that preceded by a court order, since the provision of such information involves breach of confidentiality, whose protection of registration data is ensured by the Federal Constitution.

Also, in the judgment of this year’s Case, 1058034-44.2020.8.26.0100, we find:

“The defendant Claro S/A requests the reform of the sentence. It alleges, in brief summary, that, in the case in question, the Plaintiff lacks interest in acting, as well as that the request is impossible, since the alleged access to the telecommunications system by the offenders occurred in a period prior to the period of 1 (one) year of data protection determined by art. 13 of Law. 12.965/14 (Internet Civil Framework), making the obligation to provide such access information, unenforceable.”

Actions considered in previous versions of Who Defends Your Data, the Direct Action of Unconstitutionality (ADI) 5642, of the ACEL, were not considered, since they did not register relevant developments in view of the suspension of the trial and request for examination by Minister Nunes Marques (on 06/17/2021).

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Claro-NET got a full star, since it met both parameters.

Parameter I, related to the company’s positioning in general, was considered to be fully met. In some opportunities throughout the year, the Internet service providers had the opportunity to manifest themselves about public policies and bills that affect users’ privacy

In addition, Claro-NET participated, through Conexis, in the launching of the Code of Best Practices on Data Protection for the Telecommunications Sector, presented to the National Data Protection Authority.

We consider that parameter II is met. The company has manifested itself publicly in the following cases:

– 09/2021 Contributions to the draft resolution regulating the application of Law No. 13,709, for small treatment agents, submitted to Public Consultation;

– 01/11/2022 Workshop on the Code of Good Practice on Data Protection for the Telecommunications Sector (https://www.youtube.com/watch?v=pVdc7lfioIE)(1:03:41);

– Conexis discusses data protection code of good practices for telecom https://teletime.com.br/01/11/2022/conexis-debatecodigo-de-boas-praticas-de-protecao-de-dados-para-telecom/

– It is impossible to delegate to the ANPD all data protection in Brazil https://www.convergenciadigital.com.br/Telecom/E-impossiveldelegar-a-ANPD-toda-a-protecao-de-dados-no-Brasil-61845.html

– Brazil | Claro-NET celebrates telecom sector initiative for data protection https://dplnews.com/brasil-claro-celebra-iniciativa-dosetor-telecom-para-definicao-de-boas-praticas-para-protecao-dedados/ 

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Claro-NET got ¾ star, as it fully met 3 parameters, I, II and III, and partially met parameter IV. 

Parameter I was considered to be fully met. The company published a Transparency/Social Report on its website.

Parameter II was considered as fulfilled. The Report can be easily accessed on the Privacy Portal on the icon “Transparency Report”, being directed to the 2021 Report, published in 2022.

Parameter III was considered to be fully met. The company published Transparency Reports for two consecutive years, in 2021 and 2022.

Parameter IV was considered to be partially achieved. The company published, in the Transparency Report, that in 2021 there were 32,949 requests for breach of confidentiality. However, it did not publish how many of these requests were granted and how many were rejected.

Parameter V, in turn, related to the publication of Data Protection Impact Reports, was not considered to be fully met either. No such documents were located in our search.

CATEGORY 6: User notification

Result:

Claro-NET did not get a star, as there is no mention of the possibility of user notification in any of the documents reviewed.

OI

CATEGORY 1: Information on data protection policy

Result:

In Category 1, Oi got a full star, as it fully met parameters I, II, IV, VI and VII and partially met parameters III and V.

Regarding parameter I, related to personal data collection procedures, we consider the following: 

Sub-parameter (a): fully met, through the provision, in Oi’s Privacy Notice, section 3 (“What data is collected?”) of a description of all types of personal data collected broken down by category of data subject (“Customers and Former Customers” or “Non-Customers”); With respect to Customers, Oi claims to collect:

  • Registration Data: Name, CPF, RG, date of birth, nationality, filiation, E-mail, Home and mobile phone numbers, Home and work address, Profession and/or occupation; 
  • Financial data: Credit or payment history, Payment dates, Open amounts or payments received, Invoice information, Credit or debit card and bank account information, Use data of Oi products and services, Traffic data: Record of calls made and received through the fixed telephone service (STFC) and duration, Navigation data: date and time of beginning and end of an internet connection; connection duration; IP address and cookies; 
  • Profile data: information on consumption/use of services, product contracted, region of contracting, age group, preferences informed in surveys.

With respect to Non-Customers (according to the Flow, referring to prospects, third parties and employees), Oi claims to collect:

  • Registration Data: Name, CPF, RG, date of birth, E-mail, Home and/or mobile phone, Home and/or business address;
  • Financial data: Credit or debit card and bank account information, Credit Score; 
  • Navigation data: IP address, Connection site, Cookies.

Sub-parameter (b): Fully met, by means of the Data Flow made available in the Oi Privacy Program (also accessible through the Privacy Notice, section 2), detailing the situations in which collection occurs (both directly and indirectly);

Item 5 of the Privacy Notice “How data is collected” also provides a detail of the different forms of collection employed by Oi. Automatic collection through websites and applications is done through cookies, for which the Cookie Notice made available by Oi provides further information, such as (i) types of cookies and (ii) how to manage cookie preferences. There is no specification, however, of what purposes are assigned to each type of data collected by cookies. It does not specify what data is automatically collected when you use Oi’s services or the purposes for which it is processed.

“Directly with you

When purchasing services and products in our stores, websites and partners

When updating data on our sites, apps and other service channels

By answering our satisfaction surveys

Automatically

When you browse our sites and applications (through cookies) or use our services.

Indirectly

Through partner companies with whom you have a link/registration”.

Sub parameter (c): Fully met. There is the possibility of collecting public data through websites – as presented in the Data Flow made available in the Oi Privacy Program.

Subparameter (d): Fully met. The information in the Privacy Notice and Privacy Program lists the categories of third parties that provide data to Oi. The Flowchart presents a general description of the categories of third parties that receive data from Oi, after collection independent of the operator. 

Sub-parameter (e): fully met. In the Privacy Program, Oi states that it assesses the legal compliance of third parties with the LGPD in aspects of “security, access controls, clauses and management and monitoring procedures that ensure data protection. We are not informed, however, about what specific procedures Oi employs to ensure that third parties maintain an adequate level of personal data protection (e.g., inspections and audits, following specific security protocols, adherence to clauses specified by Oi and made publicly available, etc.). In the Privacy Program, we find:

“[…] We must ensure in each of the interactions performed in our data environment:

[…]

With our third parties: (i) the existence of access controls of the data made available or accessed; (ii) that only the data necessary for the purposes of the sharing are in fact made available; (iii) that the transfers of information are carried out in a secure manner; (iv) the existence of contractual clauses that support the relationship; (v) the existence of due diligence according to the criticality of the relationship; (vi) the due management and monitoring of the third party.”

Oi’s 2021 Sustainability Report also states that:

“Through the rights channel, in particular the requests for not receiving offers, the Company was able to improve the enforcement of the performance of business partners (third-party risks) against privacy violations, such as disrespect of restrictive contact lists and Do Not Disturb Me, which even culminated in the application of penalties such as disqualification of partners.”

We understand, therefore, that Oi has procedures for monitoring and managing third parties with whom it shares personal data.

With respect to parameter II, related to respect for the purpose of processing personal data, we consider the following: 

Sub-parameter (a): fully met. There is a description of the purposes of processing in item “4. For what purposes is my data processed?” of the Privacy Notice, which provides a generic indication of the types of data used for each purpose. However, this information does not enable Oi’s users to identify whether each type of data collected is used for a legitimate purpose, in accordance with the principles of necessity and minimization. A more detailed description of what types of data are used for what purpose would allow the data subject to understand his or her rights more clearly.

Sub parameter (b): Fully complied with. Item “4. For what purposes is my data processed?” in the Privacy Notice also provides general notions on how Oi uses and processes data according to their macro-category (e.g., “financial data”) and purpose.

With regard to parameter III, related to respect for the purpose of processing personal data, we consider the following: 

Sub-parameter (a): partially met. Item “7. For how long is my data stored?” indicates some of the legal time limits used by Oi for retention based on compliance with legal or regulatory obligation (provided for in Resolution 632/2014 of the General Regulation on Consumer Rights of Telecommunications Services, Resolution 632/2014 of the General Regulation on Consumer Rights of Telecommunications Services and Marco Civil da Internet). There is no further detail, however, regarding the time limits regularly observed by Oi for data retention based on other legal grounds (e.g., legitimate interest, for exercising a right, etc.). We do not know whether Oi retains personal data indefinitely in such cases. Regarding the location of data, please see “8. Where is my data saved?” tells us that, “as a rule,” data is stored in the European Union and the United States. 

Sub-parameter (b): not fulfilled. The items of the Privacy Notice that refer to retention do not specify the chances of data deletion by Oi. However, there is an opt-out option available throughout the document via the “Do Not Disturb Me” page.

Sub-parameter (c): fully met. Item “7. For how long will my data be stored?” indicates, not exhaustively, some hypothesis of data retention.

Sub-parameter (d): partially met. Item “9. Is my data protected?” of the Privacy Notice provides general information on Oi’s digital security and legal compliance procedures.

Subparameter (e): Fully met. Oi makes its Information Security Policy available online, detailing the technical procedures used to ensure cybersecurity (e.g., security protocols and data access control). 

Subparameter (f): Not met. The information about access control does not appear in any public document.

Sub-parameter (g): Fully met. Item “6. Is my data shared?” presents general categories of third parties with whom Oi may share the subscriber’s data.

Sub parameter (h): Fully met. Item “6. Is my data shared?” sets forth the purposes for which the data may be shared with third parties, as specified under general categories of third parties.

Sub parameter (i): partially covered. Item “8. Where is my data saved?” informs us that there are international transfers for data retention purposes by Oi. There is no description of all the hypotheses of international transfers and their purposes in any public document. We also found no information about where this data is stored.

Regarding parameter IV, related to information about data subject rights, we consider the following: 

Sub-parameter (a): met. Oi has a Privacy Rights page with all the necessary contact information to exercise the rights.

The Contracts for subscribing to Oi’s Broadband plans also contain wording guaranteeing non-discrimination:

“Subscriber’s rights: […] 8.1 To receive non-discriminatory treatment as to the conditions of access to and enjoyment of Oi’s FIBER BROADBAND SERVICE;”

Sub-parameter (b): fully met. data subject rights are duly addressed in the Privacy Rights page, as above.

With respect to parameter IV, related to Oi’s responses regarding data subject rights, we consider the following: 

Sub-parameter (a): partially met. Oi has a Rights Form page where Customers and Former Customers can request the rights of (i) not receiving offers; (ii) right to opt-out/anonymization; or (iii) right of access. However, non-customers may only exercise the right to opt-out of receiving offers – without the ability to exercise their other rights under the LGPD. 

Although Oi’s Privacy Notice redirects the user to the Form for exercising the rights of confirmation of the existence of treatment and access (art. 18, I of LGPD) and data portability (art. 18, V) it is not possible to exercise these rights through the indicated page. 

The request made through the chatbot “Joice” (via Whatsapp) (on October 13, 2022) only results in redirection to the Privacy Portal, without the possibility of the effective exercise of the right of the data subject to confirm the existence of treatment or access.  We tried to contact Oi’s Data Officer by email (pp-privacidade@oi.net.br) but, again, we were redirected to the Privacy Portal – with no satisfaction of the request for information.

Sub-parameter (b): Fully met. The Privacy Rights page clearly provides a description of the data subject’s rights.

Regarding parameter VI, related to updating the privacy policy, we consider the following: fully met. Oi’s Privacy Notice states that Oi’s customers will be informed of any changes to the page.

In addition, the Subscription Agreements for Oi’s Broadband plans contain the following wording:

“Subscriber’s rights: […] 8.3 To be aware of any change in the conditions of provision of the OI FIBER BROADBAND SERVICE that directly or indirectly affects you, by accessing the website www.oi.com.br.”

Regarding parameter VII, related to accessibility, we consider the following: fully met. The Privacy Portal has various documents in clear and accessible language for the understanding of the data subject regarding the treatment of their data and their rights.  The Offering Regulations that are part of Oi’s Broadband Subscription Agreement contain a clause on the protection of personal data, defining responsibilities for Oi as the data controller and referring to the Privacy and Data Protection Policies available on Oi’s website.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Oi got a full star, as it met four of the possible five parameters established by Category 2.

With regard to parameter I, we consider the following: partially met. Oi’s Protocol for Delivery of Data to Public Authorities specifies the procedure for receiving requests for access to data, analysis of the requester’s competence, and fulfillment of the request or contestation of the request. In it, we can see that the company provides registration data without the need for a court order to Police Stations, Public Prosecutor’s Offices, Attorney General’s Offices and Municipalities (the so-called “Public Authorities”) “as authorized by law. However, there is no description of the specific legal hypotheses that allow the sharing of registration data with each of the authorities mentioned (i.e., there is no way to assess the legality of the hypotheses in which Oi shares data without a court order). 

Regarding parameter II, we consider the following: not met. The company describes the possibility of providing registration data without a court order to the Public Authorities, not exclusively in response to demands related to the crimes described in the provisions of Law 12.850/13, Law 9.613/98 and article 13-B of the CPP. 

Regarding parameter III, we consider the following: 

Sub-parameter (a): partially met. There is no information about the disclosure of geolocation data in real time to the Authorities. 

Sub-parameter (b): fully met. Oi’s Protocol for Delivery of Data to Public Authorities specifies that geolocation data (“Coordinates per Radio Base Station”) are only sent to the Public Authorities in response to demands related to the crimes described in Article 13-B of the CPP. 

Subparameter (c): Fully met. Although the Protocol does not make explicit reference to the minimum 12-hour delay in the absence of a judicial manifestation for the disclosure of geolocation data to Public Authorities, it cites article 13-B of the CPP, which establishes the deadline in its paragraph 4. 

Regarding parameter IV, we consider the following: fully met. According to Oi’s Protocol for Delivery of Data to Public Authorities, connection logs are only provided upon court order, pursuant to the Marco Civil da Internet. 

With regard to parameter V, we consider the following: fully complied with. Oi’s Protocol for Delivery of Data to Public Authorities specifies in a clear and accessible manner the procedure for receiving requests for access to data, analysis of the requester’s competence and fulfillment of the request or denial of the request.

CATEGORY 3: Defense of users in the Judiciary

Result:

Oi got a full star in this category, since it met both parameters we analyzed.

As for parameter I, referring to the challenge of legislation, we conducted exploratory searches on the websites of the Federal Supreme Court and the Superior Court of Justice for cases in which the company was a party. 

On 03/29/2022, the Federal Supreme Court published the judgment of the Direct Unconstitutionality Action number 4924/DF, where the National Association of Cellular Operators – ACEL, to which Oi belongs, requested the declaration of unconstitutionality of Law 17.107/12, from the State of Paraná, which provides for penalties for the person responsible for improperly calling the emergency telephone services involving removals or rescues, firefighting, police occurrences or disaster response (telephone prank calling). The law aimed to establish an obligation for telephone companies to provide data on the owners of telephone lines that improperly call the emergency services after a mere official request by any public agency or institution involved. The ACEL argued in favor of the inviolability of intimacy, private life, honor, and the secrecy of telephone communications (as established in article 5, items X and XII of the Federal Constitution), mentioning the unavailability of the right to the protection of personal data in its argumentation.

In addition, the ACEL had filed ADI 5040/PI, published in 2021 (not included in our previous report), where it questioned the legality of Law Nº 6.336/2013 of the State of Piauí, which required companies providing personal mobile telephony service to provide, to public security agencies, data regarding the location of cell phones and “SIM” cards that had been the object of theft, robbery and burglary or used in the commission of crimes. Among its arguments, ACEL also alleged a serious offense to its customers’ privacy in the event of disclosure of personal information, citing the Constitution and the fundamental right to privacy, in addition to the inviolability of the secrecy of telephone communications.

Finally, to investigate parameter II, concerning the challenge of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the portal “Jusbrasil”, in both cases for the terms “Oi And secrecy And breach” and judgments published between 06/21/2021 and 10/19/2022. We found several actions where Oi contested requests for data from its customers due to the lack of a court order determining the transfer of data.

For example, we found, in the report of the judgment regarding Case 1058034-44.2020.8.26.0100:

“The defendant OI Movel S.A. qualified in the records and brought documents (pages 370/417). It presented contestation (pages 430/440) alleging that it does not refuse to provide information, observing the necessary judicial determination for the breach of data secrecy, constitutionally guaranteed, for which it pleads for the removal of the condemnation of defeat”.

Actions considered in previous versions of Who Defends Your Data, the Direct Action of Unconstitutionality (ADI) 5642, of the ACEL, were not considered, since they did not register relevant developments in view of the suspension of the trial and request for examination by Minister Nunes Marques (on 06/17/2021).

In addition, Oi has provided us with further lawsuits where it is challenging requests for access to data by legal authorities in the discussion phase of the preliminary reports of this project.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Oi got a full star, as it met both parameters under analysis.

Parameter I, related to the company’s positioning in general, was considered to be fully met. 

We identified some public actions by Oi to promote the protection of personal data in Brazil. For example, Oi launched Oi Soluções, which provides LGPD compliance consulting services to companies.

Oi launched its Privacy Program and Compliance Program in 2021, which, according to the Sustainability Report, resulted in at least four events for leadership and 15 pieces of communication for the company, “impacting more than 10,000 employees in order to further disseminate the topic of privacy.

In addition, Oi participated, through Conexis, in the launch of the Data Protection Best Practices Code for the Telecommunications Sector, presented to the National Data Protection Authority.

As part of the Education and Communication Program “People come before data”, Oi’s Privacy team, in partnership with Oi Futuro, also held 3 Privacy workshops for young people from Pernambuco’s State Public Network, around 200 students from the State Technical Schools Cícero Dias, Nave Recife, and Porto Digital. 

In addition, the Data Officer and Oi’s privacy team held an event with students from the NAVE school to discuss personal data protection topics.

We consider parameter II to be fully met. 

According to several reports, Oi has been active in promoting facial recognition technology in recent years. In 2018, for example, Oi formed a partnership with Huawei aimed at commercializing facial recognition cameras. In 2019, Oi announced its smart video surveillance technology applied to the prevention of bank fraud and “risky situations.” According to the story, the tool against bank fraud “uses an image bank with tens of millions of unique users to ensure that the same person does not have more than one account or CPF. The feature can be used by banks when opening accounts, completing transactions and authorizing payments. In the same year, Oi, in partnership with the Public Security Secretariat of the State of Rio de Janeiro, announced the expansion of urban video surveillance with facial recognition, tested during Carnival, to the Jornalista Mário Filho stadium, known as Maracanã.

More recently, in 2022, Oi Soluções delivered to the Bahia Secretary of Public Safety (SSP-BA) an intelligent video surveillance project (again with the possibility of facial recognition), aimed at transmitting images in real time between the integrated centers, police officers, and vehicles.

However, in the discussion phase of the draft reports, Oi informed us that it does not perform facial recognition for purposes of registration or access to mobile telephony services-which we consider a differentiator. It also pointed out that its role in providing technologies related to facial recognition was limited to providing internet connectivity, and technologies for biometric tracking were provided by partner companies. 

Oi also sent some examples of public statements related to the importance of Impact Reporting by public entities contracting facial recognition services – which, however, were not identified in publicly accessible internet processes.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Oi got half a star because it met three of the five parameters analyzed. 

Regarding parameters I, II and III, we consider the following: fully met. Oi has a Transparency Channel in Privacy easily accessible and in clear language, where it details the journey of adaptation to LGPD and the steps taken to guarantee the rights of data subjects. The Sustainability Report provides the information that:

“With regard to the rights of data subjects, in 2021, Oi received and answered more than 500 requests, highlighting: request not to receive offers (37%), request to delete data (33%), confirmation of treatment (14%), as well as access and portability (8%).”

The Report also provides information about the number of requests related to rights violations:

“In addition to the Oi Privacy Program, with respect to the receipt of official letters, administrative and judicial proceedings, in 2021 we observed a significant drop (26%) in the number of complaints through Anatel’s channels regarding the improper use of registration data compared to 2020, reducing from 2,438 to 1,804, as detailed in the table below.

“Regarding letters, Oi received a total of 8 procedures in 2021 from public authorities, two of which are now filed, the main questionings being: -Supposed sharing of data to other companies; -supposed leakage of customer data; -clarification on measures/recommendation to contain data leakage and compliance with LGPD; and -clarification on request for personal data to verify service feasibility.”  

Parameter III was considered to be fully met. 

In relation to parameter IV we consider the following: 

Sub-parameter (a): partially met. Oi only published, in the Sustainability Report 2021, that it received 216,785 requests from public authorities for access to data, having refused 1% of the requests, or around 21 thousand requests:

“In order to respect the privacy of our clients and preserve the secrecy of communications, the company has protocols for the analysis of requests for access to data, which include evaluation of the requesting authority, type of request, jurisdiction of the court in cases of a court order, date of issue, and compliance with legal requirements, with about 1% of the requests being contested. Specifically in relation to interception requests, in 2021, 18 Habeas Corpus were filed in 2021 due to the maintenance of requests considered illegal, among which 06 orders were granted, 10 denied and 02 are pending trial.”

Sub-parameter (b): not met. There is no information on the types of data affected by court-ordered access requests.

Sub-parameter (c): not met. There is no information on the number of accounts affected by access requests by court order.

In relation to parameter V we consider the following: not fulfilled. We did not obtain access to the Impact Reports produced by Oi. The Sustainability Report, however, provides information that Oi has already formalized a RIPD model with which it works for internal data protection risk assessments.

 

“It should be noted that in 2021 our first Impact Report on the Protection of Personal Data was formalized, through which risks were identified in relation to the rights of the data subjects linked to the principles of the LGPD (purpose, adequacy and retention) and the fundamental right to privacy. After the risks were assessed, several mitigating measures were proposed and implemented aiming at compliance and greater control of data subjects over their data. By considering privacy aspects since the design of new products, more than complying with the legislation, Oi seeks to contribute to the awakening of society to the care of personal data, as well as to the empowerment of people.”

CATEGORY 6: User notification

Result:

Oi did not get a star, as there is no mention of the possibility of user notification in any of the documents reviewed.

TIM

CATEGORY 1: Information on data protection policy

Result:

TIM fully meets parameter I:

Sub-parameter (a): met. In its Privacy Policy, in the section “What kind of data and for what purpose does TIM process”, the company presents a table specifying the origin, the type of data collected, the purpose and the legal basis of treatment of several personal data it processes

Among others, the company informs, in the table, that it collects:

Browsing Data (IP, date and time) and Access Device Data (e.g. IMEI, device model, etc); Registration Data: email, name, phone number and model of the mobile device; Navigation Data and Access Device Data; facial biometrics data (such as the photograph provided by the user and his/her document photo); Locational Data (country, city and state) of where the access took place or where the call is taking place; telephony and SMS and MMS sending records; network and telecommunication infrastructure performance; Payment Data: credit card numbers and data, recharge transactions, bank information required to provide services; credit information for billing and billing systems. Information about customer service at the call center, customer service chat, or other service channels; Profile data (such as gender, age, approximate geolocation, contracted plan, recharges made, if applicable, use of applications (via SDK), handset model); Registration data (such as name, telephone number, date of birth, e-mail, mother’s name, CPF, gender, identification documents, contact phone number, and address).

Sub-parameter (b): fulfilled. In the same item mentioned above, the company specifies the origin of the data collected. It points out, for example, which data is collected in the “Browsing on the Website and in the Meu TIM app”, in the “Forms on the Website and in the Meu TIM apps”, in the “Use of the Services and in the Meu TIM app”, in the “Point of Sale registration forms”, among others.

Sub-parameter (c): fulfilled. In its Privacy Policy, in the item “How TIM collects your Personal Data”, the company informs that the data can be publicly collected through the Site.

Sub-parameter (d): met. The company discloses in its Privacy Policy, as well as in its informative “How TIM shares personal data with third parties”, some categories of third parties that share data with the company, which was considered enough to meet the sub-parameter.

Sub-parameter (e): fulfilled. The company informs in the document “Who has access to your personal data” that:

our partners and suppliers sign contracts with

clauses of confidentiality and of Privacy and Protection of the Personal

Personal Data to which they may have access, in addition to participating

together with TIM’s employees, participate in training to raise their

about the General Law of Data Protection.

In addition, the company also informs, in the document “How TIM shares its personal data with third parties”, in a detailed manner the requirements to third parties regarding the processing of personal data.

As for parameter II, referring to information on purpose, it was considered fulfilled:

Sub-parameter (a): met. In the item “What kind of data and for what purpose does TIM process”, the company schedules that it specifies the purposes for the data processing it carries out.

Sub-parameter (b): met. In the same item mentioned above, there is a detailed explanation about how the data is used, as in the item about register data, in which it is explained how this data is used, for example, to “recover My TIM Empresas password”.

As for parameter III, related to the provision of clear and complete information about the protection of personal data, it was considered fulfilled. In this parameter, sub-parameters (a), (b), (c), (d), (e), (f), (g), (h) and (i) were considered to be fully met.

Sub-parameter (a): fulfilled. In its Privacy Policy, in the item “For how long will the Data be stored”, the company states:

We will retain your Personal Data only for as long as is necessary to fulfill the purposes for which we collected it, including for the purpose of complying with any legal, contractual, accountability or competent authority obligations. 

In determining the appropriate retention period for Personal Data, in addition to the statute of limitations, we consider the amount, nature and sensitivity of such Data, the potential risk of damage from unauthorized use or disclosure of your Personal Data, the purpose for which we process such Data and whether we can achieve such purposes by other means, and applicable legal requirements. For example, due to an obligation imposed by the Marco Civil da Internet, the data regarding the IP address, date and time of your internet connections, when TIM is responsible for providing such access, will be kept for at least 12 months, and regarding the applications created by TIM, for at least 6 months.

In this document, the company establishes minimum and maximum storage times for data, as well as further clarification as to the need to store personal data to comply with legal, regulatory, contractual, accountability obligations, requests from competent authorities or others foreseen in the legislation in force, including concrete examples of storage periods and their respective legal obligations.

Regarding the storage location, the company informs in its Privacy Policy, in the document “Where and for how long TIM stores your data”, where the data is stored: (i) TIM’s datacenters located in São Paulo and Rio de Janeiro; (ii) storage by third parties, with security measures for such. The company, finally, indicates that in case of international transfer, the data will be stored in the EEA (European Economic Area) and in California (USA).

Sub-parameter (b): met. In the section “Where and for how long TIM stores your Data”, the company informs that it keeps the data for a maximum period of 11 years, as of the end of the contractual relationship between the company and the data subject.

Sub-parameter (c): met. In the document “Where and for how long TIM stores its data”, the company indicates, not exhaustively, some hypotheses for data retention.

Sub-parameter (d): fulfilled. In the Agreement for the Provision of Live TIM Services, the company undertakes to observe security practices:

19.2 TIM guarantees that the information handled under the Agreement, especially the personal data, will be stored in a secure environment, in servers located in Brazil or abroad, observing the state of the art, using security policies and technologies such as encryption, access controls and specific security certifications, and may only be accessed by persons qualified and authorized by TIM.

In addition, in the Contract for Postpaid Personal Mobile Service, the company also undertakes to observe security practices:

11.2 TIM guarantees that the information handled under the Agreement, especially the personal data, will be stored in a secure environment, in servers located in Brazil or abroad, observing the state of the art, using security policies and technologies such as encryption, access controls and specific security certifications, and may only be accessed by people qualified and authorized by TIM.

By providing some information regarding employees and suppliers who have access to the data, it was considered that the information given was sufficient.

Sub-parameter (e): fulfilled. In its Sustainability Report 2021, p. 316, the company clarifies:

TIM has also improved governance in this process, with new procedures, controls and investments in prevention and dealing with incidents. The Company conducts its activities based on ISO 27001 – an international standard that describes best practices for information security management – and NIST (Cyber Security Framework) that supports the management and reduction of cyber security risk. An evaluation of the certification requirements was conducted in 2020, identifying a compliance level of over 90% of the requirements, and the necessary adjustments to achieve certification will be made by 2022. 

Sub-parameter (f): fully met, as the company states that only authorized persons, and suppliers under confidentiality clauses, can have access to the data. Even though more detailed information on which employees can access the data could have been provided, the specific mention of registration information and communication data, and the mention of suppliers, indicate the existence of clearer standards regarding such accesses, which is why the sub-parameter was considered fulfilled.

Sub-parameter (g): fully met. In its Privacy Policy, in the item “With whom TIM shares your data”, the company specifies with which third parties it will share its data, pointing out, for example, “technology services”, “performance analysis”  and “market research” companies, among others.

In its Transparency Portal, the company provides a document entitled “How does TIM use personal data to target third-party advertising materials?” the company informs that it only shares anonymized information with business partners:

In some cases, TIM may use certain information related to your preferences and habits with TIM in order to understand what kind of product or service from our business partners may be of most interest to you. When we do this, we seek to understand your tastes and profile and thereby select products and services from some of our business partners that we think may be of interest to you in order to target certain advertising materials.

Also, in the document “How does TIM share personal data with third parties?”, TIM informs, in general, the procedures adopted in data sharing:

The advertising materials may refer to products and/or services offered by the partners together with TIM, or even the partners’ own products and/or services, of the partners’ own products and/or services. In the first case

we do not need to reveal your identity to our partners, that is, as a rule, we do not share your data with them in these situations. In the second case, we may need to to share your personal data; however, in this case, where required by required by applicable law, we will collect your consent.

We always limit ourselves to using as little information as possible and we want, above all, to keep you informed about the best products best products and services that may be useful to you. Even so, if you do not want to receive this kind of communication advertising communication, please go to our Privacy Center to request to request that we discontinue this service.

Such information was considered sufficient to inform about the sharing.

Sub-parameter (h): fully met. This is because, in the same part of the Privacy Policy, in the item “With whom TIM shares your data”, the company specifies the purposes of sharing, pointing out, among others:

“Technology Services: We have a number of vendors that we need to engage to operate the Products and offer the Services, and some of them may handle on our behalf the Personal Data we collect. For example, we use data hosting services to store our database, we also use payment media services to be able to process the billing data for our Services. 

(…)

Performance Analysis: The data stored by TIM may be collected by third party technology and used for statistical (analytics) purposes in order for TIM to understand who are the people using its Services, visiting its Website and My TIM App or otherwise interacting with TIM. 

(…)

Market Research: If you respond to a market research survey sent to you by TIM, the results may be shared with our research partner.

Sub-parameter (i): fully met. In the document “Where and for how long TIM stores its data”, the company dedicates an item, “International transfers”, in which it explains the hypotheses of international transfer:

– For the provision of international roaming services;

– For the use of vendor-owned and managed

tools, in activities such as corporate execution or investor

or investor relations, for example;

– When you contract hosting services, where the contracted

the contracted supplier’s servers are located

abroad; and

– When TIM hires a supplier that is relevant to the provision

services, which needs to treat your personal data abroad.

Parameter IV, which evaluates if the company discloses information about the rights of the data subjects, was considered fulfilled.

Sub-parameter (a): fulfilled. The company provides e-mails, in its Privacy Policy, so that the data subjects may exercise their rights.

Sub parameter (b): fulfilled. The company dedicates an item in its Privacy Policy, “What are the rights of the data subjects”, in which it explains, in the form of a table, what the data subject’s rights are. In this table there is a column explaining the concept behind each right.

Parameter V, which assesses whether the company responded in a timely manner to requests for data access by InternetLab members, was not considered to be fully met. The company did not respond in time to the request made by the data subject. 

Parameter VI, which assesses whether the company promises to send notifications to the user when updating its privacy policies, was considered to be fully met. In its Privacy Policy, the company states:

“10. How and When This Policy May Change

As we are always striving to improve our Services and offer new features, this Privacy Policy may be updated. Please rest assured that if material changes are made, we will notify you, provided that You should check our Site for the most current version.”

Finally, parameter VII, referring to the accessibility of information on privacy and data protection, was considered to be fully met. The company has a Privacy Portal with the main information on privacy and data protection.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, TIM got a full star, as it met all the parameters. 

As for parameter I, referring to the identification of the competent authorities to request data, it was considered fulfilled. In the document “How does TIM share personal data with third parties?”.

“In addition, TIM is subject to various legal and regulatory obligations that make certain data sharing with third parties, including authorities, necessary. In many cases, TIM is also required to comply with orders from authorities to provide certain data, particularly in investigations. We will always protect your rights and only provide data that is legally required on valid legal grounds.”

The document “How is personal data shared in the case of an investigation?”, available on the company’s Privacy Portal, offers a list of examples of administrative authorities that can request data, in addition to the cases based on court orders:

“One of the possibilities of this sharing is for compliance with a court order, compliance with an extrajudicial request (forwarded by the judicial police or the Public Prosecutor’s Office) and a request from a competent administrative authority (for example, a police station or a government agency), directed to TIM, requesting the provision of TIM’s customer’s personal data, in compliance with the specific and current legislation. 

(…)

Some examples of administrative authorities with the power to make requests include Military, State and Federal Public Prosecutors; Civil, Federal and Legislative Police stations, presidency of CPI (Parliamentary Investigation Committee), besides the hypotheses based on judicial orders.”

The information contained in the aforementioned was considered sufficient to inform users of the hypotheses of data sharing with the State; therefore, the parameter was considered to be fully met. 

Parameter II, referring to the identification of the competent authorities and the crimes in the scope of which the request occurs, was considered to be fully met. The document “How is the sharing of personal data done in case of investigation?” informs the criteria analyzed to meet the request for access to data; the most common cases of data request; and presents a list of examples of legal hypotheses in the scope of which the request may occur:

“an analysis is made of the proportionality of that request, that is, whether the decision is within the criteria of proportionality and reasonableness required by Brazilian law, especially the Code of Civil Procedure (art. 8) and the Federal Constitution. (…) It is not possible to present all the hypotheses that may ground a judicial order, extrajudicial request or request, as well as the competent authorities that may require such personal data, since such orders must be grounded on laws that establish this possibility.

Some of the most common examples we observe here at the company include:

  1. Request for telephone number data for criminal investigations and civil actions;
  2. Request for registration data, by judicial order or administrative authority, or police authorities and Public Prosecutor’s Office;

III. Request for connection records, by judicial order;

  1. Location of Radio Base Station (telephone antenna), by judicial order;
  2. Content of private communications, by court order.

We emphasize, however, that the sharing of data and the purposes exemplified are not an exhaustive list, and that each concrete request will be analyzed, following the procedures mentioned in this Informative Note.

Also by way of example, we present some of the most common legal grounds:

– Brazilian Federal Constitution, especially its Article 5, X to XII.

– Law 9296/1996 – Law that regulates legal interception

– Law nº 9472/1997 – General Telecommunications Law

– Resolution No. 477/2007 – Regulation of the Personal Mobile Service – SMP

– Law No. 12,830/2013 – On criminal investigation by police delegate

– Law No. 12,850/2013 – Law of Criminal Organizations

– Law No. 12,965/2014 – Marco Civil da Internet

– Decree No. 8,771/2016 – Regulator of the Marco Civil da Internet

– Law No. 12,683/2012 – Money Laundering Law

– Law nº 13.344/2016 – Human Trafficking

– Law nº 15.292/2014 – Law for Searching for Missing Persons”

Such information was considered sufficient to clarify the relevant information to subscribers.

Also, in the Services Agreement, the company informs that in cases of crimes against children and adolescents, provided for in the ECA, TIM may offer all the customer’s registration data to the judicial authorities, under the terms of the Internet Civil Framework. The company therefore identifies both the crime and the competent authority. This information was considered sufficient for our purposes. 

Services Contract 

  1. 1 (g) Unilaterally by TIM, if the use of the service is found to be for the practice of criminal acts, notably crimes against children and adolescents provided for in the Statute of Children and Adolescents and other applicable laws, TIM reserves the right to seek eventual compensation for losses and damages against the CLIENT in case it has been sued by injured third parties, in the context of civil or criminal lawsuits that raise responsibility for the practice of such offensive acts, through TIM LIVE, and TIM is also allowed to provide all the registration data of the CLIENT to the judicial authorities in the form of law 12. 965/2014 to investigate the offense and proper accountability of the author of the offenses.

Parameter III, referring to the provision of information on geolocation data, was considered to be fully met. In the document “How is the sharing of personal data done in case of investigation?”, the company informs that, as a rule, geolocation data can only be requested by means of a court order and clarifies the restricted hypotheses in which the Public Prosecutor’s Office and the police officer can make the request.

Parameter IV, referring to the promise to provide connection records only upon court order strictly in terms of the Internet Civil Framework, was considered to be fully met. The company informs, in the document “How is the sharing of personal data done in case of investigation?”, that the request for connection records only occurs upon court order (see excerpt above).  

Finally, parameter V, related to the existence of specific protocols on data delivery to the state, was considered to be fully met. This year, the company included in its Privacy Portal the document entitled “How is personal data shared in case of investigation?”, which provides information about the protocols, requirements, and hypotheses for data delivery for investigations.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, TIM received a full star, as it met both parameters analyzed.

As for parameter I, referring to the challenge of legislation, we conducted exploratory searches on the websites of the Supreme Court and the Superior Court of Justice for cases in which the company was a party. We emphasize that our search, for reasons of scope and time, did not look for actions of this type in state courts, thus concerning legislation or interpretation of state-level legislation. The companies have the possibility, during the discussion of parameters and exchange of documents phase, to prove their performance in this sense.

On 03/29/2022, the STF published the judgment of the Direct Unconstitutionality Action number 4924/DF, where the National Association of Cellular Operators – ACEL, of which TIM is a member, asked for the declaration of unconstitutionality of Law 17.107/12, of the State of Paraná, which provides for penalties for the person responsible for improperly calling the emergency services telephone services involving removals or rescues, firefighting, police occurrences or disaster assistance (telephone prank calling). The law aimed to establish an obligation for telephone operators to provide data on the owners of telephone lines that improperly call the emergency response services after a mere official request by any public agency or institution involved. The ACEL argued in favor of the inviolability of intimacy, private life, honor and the secrecy of telephone communications (as established in article 5, items X and XII of the Federal Constitution), mentioning the unavailability of the right to the protection of personal data in its argumentation.

In addition, ACEL had filed ADI 5040/PI, published in 2021 (not included in our previous report), where it challenged the legality of Law No. 6.336/2013 of the State of Piauí, which required companies providing personal mobile telephony services to provide, to public security agencies, data relating to the location of cell phones and “SIM” cards that had been the object of theft, robbery and burglary or used in the commission of crimes. Among its arguments, ACEL also alleged a serious offense to its customers’ privacy in the event of disclosure of personal information, citing the Constitution and the fundamental right to privacy, in addition to the inviolability of the secrecy of telephone communications.

Finally, to investigate parameter II, concerning the challenge of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of São Paulo and in the “Jusbrasil” portal, in both cases with the terms “TIM AND secrecy AND breach” and rulings published between 06/21/2021 and 10/19/2022. We found several actions where TIM contested requests for data from its customers for lack of a court order determining the transfer of data.

For example, we find, in the report of the judgment regarding Case 1042581-72.2021.8.26.0100: 

“When summoned, the defendant TIM S/A presented its answer on pages 204/214. In merit, clarified that only by court order the defendant can break the secrecy of registration data of its users. Informed that is legally required to store information linked to records of connections for a period of 01 year from the date of use of the IP, as provided in art. 13 of Law No. 12,965/2014. […] Awaits the granting of the action in relation to it, to determine that it provides the registration data of users eventually identified as linked to the IP addresses of its responsibility, exempting it from any liability if it is not possible to identify the user, since the legal term of storage of the information claimed has elapsed. There was a reply (pages 300/301). This is the report”.

In Civil Appeal No. 1073466-74.2018.8.26.0100, we find the requirement that requests for information must be accompanied by the indication of the logical ports specific to the IPs requested:

“TIM S/A appeals. It claims to have provided the search results related to 03 connections, together with the registration data of the user identified, indicating that, in relation to one of the IP addresses, no record of use was found at the time indicated by the Appellant, page 1032. He states that, in relation to IP 189.40.70.118, the Appellant would only be able to identify the real user by providing the logical port of origin. It challenges the value of the daily fine. It seeks the reform of the sentence to recognize the compliance with the injunction and the exclusion of the daily fine or, alternatively, its reduction by the partial compliance of the injunction, with removal of the sucumbency”

“TIM S/A sustains the impossibility of complying with the decision in relation to IP 189.40.70.118 and Telefônica in relation to the IPs beginning with ‘177.79’, both under the allegation that they are nalteados IPs, i.e., shared by more than one user, for which reason it would be necessary for the author to indicate the respective logical port, information that according to the defendants would be known only to the application provider, in this case, Facebook.”

Actions considered in previous versions of Who Defends Your Data, the Direct Action of Unconstitutionality (ADI) 5642, of the ACEL, were not considered, since they did not register relevant developments in view of the suspension of the trial and request for examination by Minister Nunes Marques (on 06/17/2021).

CATEGORY 4: Pro-privacy public stance

Result:

In this category, TIM got a full star, as it met both parameters.

Parameter I, related to the company’s positioning in general, was considered to be fully met. In some opportunities throughout the year, the ISPs had the opportunity to manifest themselves about public policies and bills that affect users’ privacy. 

However, TIM participated, through Conexis, in the launch of the Code of Best Practices on Data Protection for the Telecommunications Sector, presented to the National Data Protection Authority.

We consider parameter II as fully met. In the interaction phase with the company, TIM informed us that facial recognition is used as a security measure by the company for fraud prevention purposes. However, the account data subject has the option to consent to the collection of facial biometrics, which is not mandatory for the creation of new accounts. 

Moreover, the company manifested itself in a contribution to the construction of the Substitutive Bill to the No. 21/2020, which concerns the principles, rules, guidelines and foundations to regulate the development and application of artificial intelligence in Brazil, in the sense that “We can identify some uses of AI that tend to carry more risk, and therefore should be subject to greater safeguards and restrictions. As examples, we have data analysis in the judicial sphere and facial recognition in public security actions, as well as others that do not necessarily permeate such risks such as, for example, technologies focused on agribusiness.”

CATEGORY 5: Data Protection Impact and Transparency Reports

Result:

In this category, TIM was awarded three quarters of a star, as it fully met parameters I, II, III and IV.

Parameter I, related to the publication of transparency reports in Portuguese, was considered to be fully met, as TIM published this year, in Portuguese, a Sustainability Report about its activities in Brazil. Although there is still room for improvement (see items below), the report contains information about the number of letters received from the judiciary and the number of lawsuits in which the company is involved, which is why the parameter was considered to be fully met.

Parameter II, related to the accessibility of the transparency report, was considered as met. This is because the Sustainability Report can be found in two clicks from TIM’s homepage, under “Sustainability” and then “Sustainability Report”.

Parameter III, regarding the periodicity of the report, was considered to be fully met. The versions published in previous years are available on the report access page. 

Parameter IV, concerning information on data access requests, was considered to be fully met. 

Sub-parameter (a): fully met. In its transparency report, the company informs (p. 46):

“In 2021, 718 legal actions related to data privacy were initiated; 718 were closed (including cases opened in previous years), 59% of them with decisions favorable to the Company. In the 294 lawsuits with unfavorable decisions, payments totaling about R$2.1 million were made. In the same interval, the company received 130 lawsuits related to the violation of telephone or telematics secrecy: 135 cases were closed.

More than 1.5 million requests for breach of privacy were made by the courts to TIM.

Requests for breach of privacy by type:

– Telephone interceptions: 325 thousand

– Registration data: 397 thousand

– Phone records: 839 thousand” 

Subparameter (b): fully met. The item above also brings the information of the types of data requested (telephone interceptions, registration data and telephone extracts).

Sub parameter (c): fully met. The company, in its Transparency Report, brings information about data considered sufficient to meet this subparameter.

Finally, parameter V, related to the publication of Data Protection Impact Reports, was not considered to be fully met. The company does have a document entitled “What is a Data Protection Impact Report”. While we acknowledge TIM’s attitude of elaborating a document explaining what an DPIA is, we do not consider that this is sufficient to meet the criterion – since, as good practice, we encourage companies to make the reports (or its templates) publicly available.

CATEGORY 6: User notification

Result:

TIM did not get a star, as there is no mention of the possibility of user notification in any of the documents reviewed.

VIVO

CATEGORY 1: Information on data protection policy

Result:

In this category, Vivo received three quarters of a star, having met parameters I, II, III, IV and VII.

While we were unable to locate the company’s mobile internet service contract on its website, most of the applicable information is available in Vivo’s Sustainability Report, Privacy Center and Privacy Policies. In the Privacy Center, users have easily accessible divisions on “Information Security”, “Exercise of Rights”, among others.

Vivo meets parameter I, providing clear and complete information on all sub-parameters.

Sub-parameter (a): fully met. In its Privacy Center, under “Data Treatment”, the company informs:

Vivo’s Local Privacy Policy expands the detail of the types of data collected by Vivo, for example, biometric data of facial recognition and voice recognition used for fraud control, IMEI, data on transactions in prepaid contracts, etc. 

Sub-parameter (b): partially met. In the sections “Nature of the information collected” (see part above) and “For what and how we collect” (see part below), it is informed that the data collected are the ones made available (i) during the contracting of the services and (ii) through the interaction with information channels. There is not, however, a description of all the possibilities of data collection practiced by Vivo, which prevents the user from understanding if there is public data collection, if there is data purchase through an intermediary third party, or if there are other hypotheses of data collection. Nor is it possible for the user to understand which of his/her data is collected in each hypothesis of collection.

Sub-parameter (c): Not met. There is no information about Vivo’s public data collection.

Sub-parameter (d): Partially met. Vivo’s Local Privacy Policy includes several hypotheses of data sharing with third parties, without determining, however, whether Vivo itself collects data from data subjects through these partners. In the discussion phase of the report with Vivo, it was pointed out that there is a nominal detailing of the third parties with which Vivo shares biometric data in the Terms of Adhesion of its plans.

Sub-parameter (e): fully met. Vivo’s Local Privacy Policy states that: “Vivo acts judiciously in the selection of its partners and suppliers. Moreover, it contractually requires that they act in a safe manner and adopt technical security measures to ensure compliance with applicable law. Not only that, we provide instructions and verify that the third party has implemented good practices, always with the purpose of keeping your personal data safe.” The Policy also reinforces Vivo’s commitment to the principle of minimization in its data sharing operations. We are not, however, informed about the specific procedures to control the level of data protection maintained by Vivo’s partners.

Regarding parameter II, we consider the following:

Sub-parameter (a): fully met. In the Privacy Center, under “What we collect it for”, the company describes some of the purposes given to the data collected by Vivo, as follows:

“In addition, in the Vivo Local Privacy Policy, section ‘7. How do we process your data and for what purpose?’ provides a more detailed list of purposes for which the various forms of data processing undertaken by Vivo are intended. The description, however, does not allow the data subject to identify which of his/her data is used for which purposes and on which legal basis. The analysis of the legitimacy of the legal bases employed by Vivo, therefore, is not facilitated by the current Policy.”

Sub-parameter (b): Fully met. Vivo provides information on how the data is used in the parts pointed out above (demonstrating the situations in which collection occurs and its purpose) and information on time and place of storage etc. 

Regarding parameter III, we consider the following:

Sub-parameter (a): fully met. In Vivo’s Local Privacy Policy, section “14. FOR HOW LONG WILL WE KEEP YOUR DATA?” describes the chances of data retention by the company, providing some of the retention periods adopted for cases of compliance with legal or regulatory obligation and exercise of rights. 

Regarding storage locations, the Policy merely reaffirms that: “Vivo undertakes to keep its data stored, adopting good practices and technical and administrative measures to prevent its loss, alteration and unauthorized access, as determined by the applicable legislation.”

Sub-parameter (b): not fulfilled. There is no clear description of the data deletion hypothesis adopted by Vivo.

Sub-parameter (c): fully met. As described in sub-parameter (a).

Sub-parameter (d): Partially met. Vivo is committed to complying with the Telefônica Global Security Policy, which defines administrative and organizational security parameters, including cyber security, for the Telefônica Group as a whole. However, we are not informed about Vivo’s specific organizational structure to deal with data protection threats.

Sub-parameter (e): Fully met. Telefônica’s Global Security Policy is available, although it does not have information about the follow-up of international protection protocols (e.g. ISO 27001) or software used for the technical structure of data protection. However, in the Sustainability Report, we found some additional information about Vivo’s Information Security procedures. The Report informs that Vivo has information policies published on the intranet, as well as an Incident Response Plan and procedures for the elaboration of Impact Analysis and Business Continuity Plans (PGC, PGI, PRD and PCO) tested minimally every six months. In last year’s report (2020), Vivo also reported that it used security standards “based on company security requirements and market frameworks (ISO 27001 and ISO 22301, NIST, PCI/DSS etc.), especially related to secure systems and servers,” an “extensive list of protocols to be followed.” Moreover, in the Privacy Center, under “Security and Confidentiality”, the company informs some security standards that it uses, such as encryption in the transfer of personal data from users’ devices, it declares to allow access to the data only to authorized persons, according to the “principle of least privilege”, it claims to provide auditability of any activities taken with the data, among others.

Subparameter (f): not met. We have no information about the controls over access to data employed by Vivo for the treatment of personal data.

Sub-parameters (g) and (h): fully met. Vivo’s Local Privacy Policy includes several hypotheses of data sharing with third parties, grouped by category (e.g., “Sales Partners”, “Dealers”, etc.), with a brief description of the purposes of sharing with each partner category.

Sub-parameter (i): partially met. Vivo’s Local Privacy Policy includes, in section “10. THE INTERNATIONAL TRANSFER OF YOUR DATA”, some of the purposes and hypotheses of international transfer employed by the company. However, there is no correlation between the types of data and the purposes of international transfer, which would allow the data subject to analyze the legitimacy of such transfers.

As for parameter IV, we consider the following:

Sub parameter (a): fully met. Vivo’s Local Privacy Policy informs the data subject about the specific channel for complaints related to the protection of personal data in a clear and direct manner.

Sub parameter (b): fully met. In the Privacy Center, under “Exercise of Rights”, the company lists some of the rights of data subjects regarding their data. In addition, the same page offers portals, e-mails, or telephone and SMS numbers to exercise these rights, depending on the right to which it refers. Finally, the Vivo Local Privacy Policy has section 15. WHAT ARE YOUR RIGHTS AS A PLANNER AND HOW CAN YOU EXERCISE THEM?”, with a description of all the data guaranteed by article 18 of the LGPD. It is worth pointing out that the rights of informational provision to the data subject, laid out in articles 8 and 9 of the LGPD, are not explicitly mentioned. 

Parameter V, which assesses whether the company responded in a timely manner to requests for access to data by InternetLab members, was considered not met. InternetLab made a data access request on November 3, 2022 via email to the company’s DPO. The contact was returned the following day, when we received a message stating that the information on the types of data handled by Vivo could be found through the Privacy Center, in the area “Exercise of rights” and then “Access and consultation of personal data” (https://www.vivo.com.br/a-vivo/informacoes-aos-clientes/centro-de-privacidade/privacidade-e-seguranca/exercicio-dos-direitos). However, access to this page requires registration on the “App Vivo” platform, which was not possible since the CPF informed was not recognized on the Vivo website.

The inability to exercise the rights was considered a technical failure of responsibility of the operator.

It is worth mentioning that, as an alternative for non-customers, the Vivo Privacy Center provides a form that must be sen via post office. In addition, there is a requirement in the Form that the owner must send (i) an authenticated copy of an identification document (RG and CPF or CNH); and (ii) a notarized signature on the signature of the Form. While identity verification may be important for fraud prevention purposes, the requirement that the submission be made only by mail and with a notarized signature this requirement represents an unnecessary barrier to the exercise of the rights of the data subject of personal data. 

Parameter VI, which evaluates if the company promises to send notifications to the user when updating its privacy policies, was not considered to be fully met. No Vivo document mentioned such a possibility, and its own Local Privacy Policy states, in clause 17, that “this Privacy and Data Protection Policy may be revised at any time and without prior notice.” In the 2021 engagement phase, the company said that its local privacy policy would be updated to provide for user notification in the event of its change. However, as of the closing date of this report, the change had not yet been made, and the text mentioned here still appears in clause 17. 

Finally, parameter VII, regarding the accessibility of information on privacy and data protection, was considered partially met. This is because Vivo has a Privacy Center, mentioned several times above, with clear and generally complete information on the subject. In addition, the center is easily accessible from Vivo’s homepage:

However, Vivo’s mobile internet service contract or broadband internet contract could not be accessed online, and the provision of such information in the contract would be recommended so that it could be accessed by all customers, legally consented to by them, and detailed according to each type of contracted service.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Vivo got a full star, as it met four of the five parameters. 

As for parameter I, we consider the following: fully met. On page 22 of Telefónica’s Informe de Transparencia en las Comunicaciones 2021 (still in effect), there is a definition of which authorities would be competent for interceptions and metadata requests according to Brazilian law, besides mentioning the competence of “judges of any sphere”:

Interceptación legal: De acuerdo con el artículo 3o de la Ley Federal brasileña n. 9.296/1996 (ley de las interceptaciones), solamente el Juez (de la esfera criminal) puede determinar las interceptaciones (telefónicas y telemáticas), a petición de la Fiscalía (Ministério Público) o Comisario de Policía (Autoridade Policial). 

Metadatos asociados a las comunicaciones: Autoridades competentes » Fiscalía, Comisarios de Policía y Jueces de cualquier esfera, como también Presidentes de las Comisiones Parlamentarias de Investigación: el nombre y dirección del usuario registrado (datos de abonado), así como la identidad de los equipos de comunicación (incluyendo IMSI o IMEI).”

Jueces de cualquier esfera: los datos para identificar el origen y el destino de una comunicación (por ejemplo, números de teléfono, nombres de usuario para los servicios de Internet), la fecha, hora y duración de una comunicación y la localización del dispositivo.”

This means that Vivo delivers registration data upon request from representatives of the Public Prosecutor’s Office (“Fiscalía”), police authorities (“comisarios de policía”) and judges. Connection records and location data are made available only upon the order of a judge. 

As to parameter II we consider the following: fully met. In the Informe de Transparencia en las Comunicaciones, Art. 15 of Law 12.850/13 (Law of Criminal Organizations) is cited, alongside other pieces of legislation, as the “Legal Context” for the request for “metadata associated with communications”. In addition, in its Privacy Center, under “Protocol for Delivery of Data to Authorities”, Vivo Informs:

InternetLab praises the listing of the laws that allow the delivery of data to competent authorities in Vivo’s privacy center, in an easily accessible way for its users.

As to parameter III, we consider the following: not met. Even though the aforementioned Transparency Report includes “device location” among the data that may be requested by judicial order, and the Data Delivery Protocol mentions the possibility of “Location of Base Station” data, there is no detail about the circumstances in which it shares geolocation data and why, not providing the information required by the sub-parameters of this item.

As for parameter IV, we consider the following: partially met. On the one hand, the same passage pointed out above is clear-NET in defining that only judges will have access to data on the origin and destination of a communication, from which it is understood that such access will be by means of a court order. However, the passage is not strictly restricted to the terms of the Internet Civil Framework (i.e., it does not specify that only the date and time of the beginning and end of an Internet connection, its duration, and the IP address used will be shared).

Finally, parameter V, was considered partially met. This year, as in 2021, we located a specific section in the Vivo Privacy Center aimed at such requests, with the very title of “Data Delivery Protocol to Authorities”. 

InternetLab praises Telefónica Global’s conduct in making public various interpretations about the delivery of data, competent authorities, the number of requests rejected and answered, among others, in its transparency report. 

However, we reinforce that there is a need to present this information in Portuguese and on Vivo’s website in order for the information to be considered clear and easily accessible. 

In addition, the contracts for broadband and mobile internet services that expire in 2022 were not made available on Vivo’s website. The link to access Vivo’s Contracts returned only old documents, indicated by the site itself as past due (no results for selections with “Current Term”).

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Vivo got a full star, since it met both parameters analyzed.

Regarding parameter I, which refers to contesting legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for cases in which the company was a party, and did not find any actions where Vivo contests legislation related to the procedures for delivering data to the judiciary. We emphasize that our search, for reasons of scope and time, did not look for any such lawsuits in state courts, thus concerning legislation or interpretation of state-level legislation. The companies have the possibility, during the discussion of parameters and exchange of documents phase, to prove their performance in this sense.

On 03/29/2022, the STF published the judgment of the Direct Unconstitutionality Action number 4924/DF, where the National Association of Cellular Operators – ACEL, of which Vivo is a member, asked for the declaration of unconstitutionality of Law 17,107/12, of the State of Paraná, which provides for penalties for the person responsible for improperly calling the emergency telephone answering services involving removals or rescues, firefighting, police occurrences or disaster response (telephone prank calling). The law aimed to establish an obligation for telephone companies to provide data on the owners of telephone lines that improperly call the emergency services after a mere official request by any public agency or institution involved. The ACEL argued in defense of the inviolability of intimacy, private horna life and the secrecy of telephone communications (as established in article 5, items X and XII of the Federal Constitution), mentioning the unavailability of the right to the protection of personal data in its argumentation.

In addition, the ACEL had filed ADI 5040/PI, published in 2021 (not included in our previous report), where it questioned the legality of Law Nº 6,336/2013 of the State of Piauí, which required companies providing personal mobile telephony services to provide, to public security agencies, data regarding the location of cell phones and “SIM” cards that had been the object of theft, robbery and burglary or used in the commission of crimes. Among its arguments, ACEL also alleged a serious offense to its customers’ privacy in the event of disclosure of personal information, citing the Constitution and the fundamental right to privacy, in addition to the inviolability of the secrecy of telephone communications.

Finally, to investigate parameter II, which refers to the contestation of abusive requests, we conducted exploratory searches in the database of the São Paulo State Court of Justice and the “Jusbrasil” portal, in both cases with the terms “Vivo E sigilo E quebra” and rulings published between 06/21/2021 and 10/19/2022. We found several actions where Vivo contested requests for data from its customers, either by the lack of a court order determining the transfer of data  or insufficient legal reasoning of the claims.

For example, we find, in the report of the judgment regarding Case 1058034-44.2020.8.26.0100: 

“The defendant Telefônica Brasil SA presented its answer (pages 315/323). It argues that there is no legal obligation of the telephone company to provide part of the requested data related to the connections made more than one year before the date of the defendant’s summons, which was done in order to cooperate with the plaintiff’s plea. It alleges that it does not refuse to provide information, observing the judicial determination necessary for the breach of data secrecy, constitutionally guaranteed, for which it pleads for the removal of the condemnation for defeat.”

Also in this year’s Case 1042581-72.2021.8.26.0100:

“Summoned, the defendant Telefônica Brasil S.A. answered on pages 120/132. From the provision of information by Facebook, the author identified those responsible for the IP addresses. Among the IP addresses identified by the author, the defendant found that only 01 IP is its responsibility (fl. 121). He said he does not oppose the conduct of research and provision of data available, provided that available, in view of the research after the statute of limitations of one year; be provided all the parameters of research and be issued an express and specific court order to that effect. Clarified that, as a connection provider, it has a legal obligation to store connection access records for a period of one year (art. 13 of the Internet Civil Frameqork). It also clarified that, by legal prohibition of art. 14 of the Marco Civil da Internet, it does not store records of access to the application, which is why the request to provide those responsible for the publications of the false profiles and their URLs should be denied. He stressed that the provision of information will only be possible by express court order of the court.”

In Civil Appeal No. 1073466-74.2018.8.26.0100, we find the requirement that requests for information must be accompanied by the indication of the logical ports specific to the IPs requested:

“Telefônica Brasil S/A appeals. It claims to have complied with the injunction and submitted all the numbers of the telephone lines used simultaneously by the IPs with the “range” “177.79”, in accordance with paragraphs 1 and 2 of article 10, of Law 12,965/20145, supported by a specific court order. Informs that the sentence disregarded the provision of all data immediately available by the Appellant and, therefore, fixed the increase of the daily fine in R$ 5,000.00 (five thousand reais). He asserts that, with regard to the information on users of shared IPs, the Appellant clarified the need for prior indication of the logical ports of origin. Without this data it would be impossible to comply, emphasizing that it is the plaintiff’s burden. Complains against the value of the daily fine set in the large amount of R$ 5,000.00 per day. Pretends the reform of the sentence or the reduction of conviction.”

Actions considered in previous versions of Who Defends Your Data, the Direct Unconstitutionality Action (ADI) 5642, of the MERL, were not considered, since they did not register relevant developments in view of the suspension of the judgment and request for examination by Minister Nunes Marques (on 06/17/2021).

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Vivo got half a star, since it met one of the parameters analyzed.

Parameter I, related to the company’s positioning in general, was considered fully met. In some opportunities throughout the year, the Internet service providers had the opportunity to manifest themselves about public policies and bills that affect users’ privacy. 

Vivo, for example, participated, through Conexis, in the launching of the Code of Best Practices on Data Protection for the Telecommunications Sector, presented to the National Data Protection Authority.

The company also informs in its Sustainability Report that it holds an annual Cyber War Games event, where a team carries out simulated cyber attack scenarios for another team to identify and perform all necessary defenses, in order to assess the maturity of Digital Security, test established processes, strengthen incident detection and response procedures and protect Vivo’s environment. We identify this event as a promotion of ethical hacking and procedures to raise the awareness of the company and the general public about the possibilities of security flaws and exploits, a technique employed by the largest American technology companies (who generally offer high values for the effective detection of exploits with the potential to harm their users and customers).

Vivo also held the Compliance Day, an event in which discussions about Data Protection were stimulated in recent years.  

During the discussion phase of the preliminary reports with the companies, Vivo clarified that between 2021 and 2022, they offered contributions and comments to the themes proposed in the ANPD’s (the national indepent agency for data protection) Regulatory Agenda, together with business associations (for example, Brasscom and Conexis) and on their own behalf and through the Participa + Brasil Platform. We were also informed that Vivo participated in two Public Consultations and one Tapping of Subsidies promoted by ANPD in the period.

For example, between 08/30/2022 and 10/14/2022, Vivo sent its suggestions and comments to the rule of application of the LGPD for micro and small enterprises. Between 05/18/2022 and 06/30/2022, Vivo participated in and submitted contributions to various inquiries promoted by the ANPD on the topic of international data transfers. Between 08/16/2022 and 09/15/2022, Vivo participated in the public consultation on the draft Resolution that regulates the application of sanctions by the ANPD, in accordance with articles 52 and 53 of the LGPD and complementing the CD/ANPD Resolution 01 of 2021, which specifies the general guidelines on the administrative process that will be conducted by the authority. 

Vivo also made a formal statement opposing ANATEL’s Offices 256, 399 and process 53500.056673/2020-00, which determined that the “consumer data collected and made available by ANATEL to operators via API to handle complaints [would] be changed as of May 1, 2022”. 

As of March 2021, on a weekly or bi-weekly basis, Vivo also participated in meetings promoted by ANATEL’s Technical Group for Cyber Security and Critical Infrastructure Risk Management (GT – Cyber), a working group of the agency created by the Regulation of Cyber Security applied to the Telecommunications Sector (approved by Resolution no. 740/202 and designated by ANATEL Ordinance no. 1,878 of December 30, 2020)

We consider parameter II as not met. We did not find any public position from Vivo regarding the protection of personal data related to facial recognition technologies. Nor did we identify any participation, in public consultations or as amicus curiae, in ANATEL or STF proceedings. 

However, according to several reports, Vivo has been using facial recognition technology to enroll its subscribers since 2018.

In the discussion phase of the preliminary reports, Vivo clarified that it informs data subjects about the collection of their biometric data in its Privacy Policy and in the Terms of Membership of its telephony plans. We do not consider, however, these actions as sufficient to achieve compliance with the parameter in question, as they are merely a consequence of the company’s compliance with legal obligations related to the provision of information to the data subject as a controller of personal data.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Vivo got half a star, as it met parameters I, II and III.

Parameter I was considered fully met. 

During the discussion phase of the preliminary report with Vivo, the company provided us with the link to a Telefonica Communications Transparency Report in Portuguese (published at the Vivo Transparency Center), with data related to Vivo specifically in the body of the document.

Parameter II, regarding the accessibility of the transparency report, was considered fully met. Both the Sustainability Report and the Vivo Transparency Report can be easily found at the Vivo Privacy Center.

Parameter III, concerning the periodicity of the report, was fulfilled. Telefônica publishes regularly its annual transparency reports. 

Parameter IV, regarding information about data access requests, was considered not fulfilled.

Sub-parameter (a): partially covered. Although there is relevant information about the requests received in the Telefonica Transparency Report, Vivo clarified, in the discussion phase of the report, that it does not account for the number of rejected requests (i.e., the number of occasions in which it rejects or presents a counter-argument to the data request by a legal authority). 

Sub-parameters (b) and (c) were not met. No public document from Vivo includes information about the types of data requested by public authorities or the number of accounts affected by the requests made. 

Finally, parameter V, concerning the publication of Data Protection Impact Reports, was not found to be fully met. No such documents were located in our search.

CATEGORY 6: User notification

Result:

Vivo did not get a star, as there is no mention of the possibility of user notification in any of the documents analyzed.

ALGAR

CATEGORY 1: Information on data protection policy

Result:

In this category, Algar got a full star, because it fully met parameters II, III, IV, VI and VII. It also partially meets parameter I.

Algar partially meets parameter I. The company offers clear and complete information about the Sub-parameter (b); and partially fulfills the Sub-parameter (a).

Sub-parameter (a), referring to the collected data, was considered partially covered. In the “Privacy of Personal Data” section of its Data Policy, the company presents a table that affirms that it collects cadastral data and what would be this data (name, date of birth, bank data, etc). The table also informs the purpose of the data use: 

Although it is positive that the company discriminates which registration data is collected, this information was considered insufficient for this edition of the report because the company informs only one type of data collected. The company does not inform other types of data it collects, such as, for example, location data, traffic data (such as connection duration, consumption profile), among others. Therefore, the sub-parameter was considered partially satisfied. 

Sub-parameter (b): referring to the situations in which collection occurs, was considered to be fully met. In the section “Privacy of Personal Data”, the company informs in clause 4.1.3 of some situations in which collection occurs, such as, for example, when filling out the contract, when hiring other services, etc. It was considered that such information is capable of detailing the situations in which the collection occurs.

“4.1.3 – Collection of personal data

4.1.3.1 – Data is collected from the filling of the contract for service provision, contracting other services or from information inserted in terms, form or physical or digital forms, when the processing is according to our legitimate interests and does not disregard your interests related to data protection or fundamental rights and freedoms;

4.1.3.2 – If necessary, Algar Telecom may receive your personal data or usage data from third parties. For example, if you are in another site and choose to be contacted by Algar Telecom, this site will transmit your email address and other personal data to us, so we can contact you as requested.” 

Sub-parameter (c): referring to the possibility of collecting publicly available data, was considered to be not met. There is no mention of public data collection.

Sub-parameter (d): concerning the listing by name of which third parties supply data to the company, was considered to be not met. There is no listing of the third party data providers.

Sub-parameter (e): concerning the legal compliance of third parties with the LGPD, was considered to be not met. This is because this compliance requirement was not found in any public documents of the company.

Parameter II, regarding the provision of information about the purpose of the collected data, was considered, on average, met, as the company met Sub-parameter (a) partially and (b) fully.

Sub-parameter (a): concerning the purpose of data processing, was considered to be partially met. In its Personal Data Privacy Policy (see table reproduced in Sub-parameter (a)), the company reports four purposes of data processing: (i) to identify the customer; (ii) to comply with legal obligation; (iii) credit protection and collection procedures; and (iv) to ensure customer security. Indirectly, clause 4.1.5.1 (see excerpt below) lists commercial purposes as the purpose of data processing. Such information was considered excessively generic and not very enlightening. However, since there was a concern to list at least 5 distinct hypotheses, the parameter was considered to be partially complied with.

Sub-parameter (b): referring to how the use is made, was considered to be fully met. In the same section “Privacy of Personal Data”, of its Data Policy, the company informs nine hypotheses of use of the data collected as, for example, to communicate the customer about his account or to provide access to certain areas and features of the sites:

“4.1.5 – Type of Data

4.1.5.1 – Algar Telecom uses usage data collected through sites for commercial purposes, including:

  • Answer the questions and requests of its customers;
  • To provide access to certain areas and resources of the sites;
  • Verifying the user’s identity;
  • Communicating with the customer about their account and activities on service channels;
  • Adjust content, advertisements, and offers provided;
  • Process payments for products or services;
  • Improve the website and other service channels;
  • Develop new products and services;
  • Process applications and transactions.”

Parameter III, referring to the provision of clear and complete information on personal data protection, was considered, on average, met, as the company provides clear and complete information on sub-parameters (a), (b), (c) and (i); and partially meets sub-parameters (e), (g) and (h).  

Sub-parameter (a): referring to the time and place of data storage was considered to be fully met. Regarding the storage location, the company informs, in its Personal Data Privacy Policy and Data Governance Policy, that it stores the data in Algar’s own servers in Brazil and also in cloud servers. 

“4.1.9 – Storage Servers

The collected data will be stored in Algar Telecom’s own servers located in Brazil, as well as in an environment of resource use or servers in the cloud (cloud computing), which implies, in the latter case, data transfer or processing outside Brazil, complying with provisions on international data transfer, according to Article 33 of the General Law of Data Protection or other applicable rules.

Data Governance:

4.5.1 The storage of personal data can be done in a physical way (keeping badges, cards, tokens, papers with handwritten notes, forms, invoices, contracts and other paper documents, for example) or digital (in media such as CD, DVD, Blu-Ray, external HD, pendrive, SD memory card, in the digital platforms of Algar Telecom or in a service hired for this purpose);

4.5.2 – In case of storage outside Brazil, the data protection management must be aware of the country where the hardware is located and, if it is located abroad, Algar Telecom’s legal department must be contacted to check if there is legal and contractual support for the personal data to be stored in that country;

4.5.3 – The physical and digital storage media of personal data shall ensure its quality, and should be kept accurate and updated, according to the need to fulfill the purpose of treatment;

4.5.4 – When the personal data subject requests the correction or updating of his/her personal data, the person in charge of personal data processing, after analyzing the request, shall activate the responsible areas to ensure that the physical and digital media where such personal data has been replicated and stored are also updated”.

Such information about the storage of personal data was considered satisfactory.  

As for the storage time, in the same document, the company informs that it keeps registration and identification data for up to 5 years after the end of the relationship. As for the “other data”, the company claims to store it “as long as the relationship lasts and there is no request for erasure or revoking of consent”:

Sub-parameter (b): referring to when/if the data is deleted, it is considered to have been met. This is because the company undertakes to delete the data “after the expiration of the time limit and legal necessity” and having fulfilled the purpose of the processing:

“Personal Data Privacy Policy

4.2.2 – Deletion of Data

4.2.2.1 – Data may be deleted before this period if requested by the customer/user. However, it may occur that the data needs to be kept for a longer period, under the terms of article 16 of the General Data Protection Law, in order to comply with a legal or regulatory obligation, to comply with a contract, or to transfer the data to a third party (in compliance with the data processing requirements set forth in the same law);

4.2.2.2 – Upon expiration of the term and legal necessity, the data will be deleted using secure disposal methods or used in an anonymized form for statistical purposes.

Data Governance

Deletion of personal data

4.9.1 – Personal data shall be stored for a limited period, taking into account the specific purpose of the processing;

4.9.2 – After the purpose of the treatment has been fulfilled, and the storage period determined by the temporal table has expired, the data may be securely deleted, whether recorded on physical or digital media;

4.9.3 – The elimination of personal data may also be carried out at the request of the data subject or the National Data Protection Authority;

4.9.4 – For the elimination of data, the definitions indicated in the secure data elimination procedure must be followed;

4.9.5 – The conservation of personal data after its purpose has been achieved will only be possible in case of fulfillment of legal or regulatory obligation by Algar Telecom;

4.9.6 – The request for elimination of personal data by the owner will not be possible when the data has already been anonymized;

4.9.7 – The request also cannot be made in case of fulfillment of legal obligation regarding the storage of this data for regulatory purposes, as long as the temporality table is respected.”

Sub-parameter (c): concerning which circumstances the data is retained was considered not to be fully met. The company only mentions, in its “Data Governance” document, that the processing of personal data should be carried out considering the retention time of personal data (item 4.2.2 (a)), but does not specify the circumstances of retention.

Sub parameter (d): concerning the company’s security practices, was considered to be fully met. In its Personal Data Privacy Policy the company commits itself, generically, in the application of security measures:

“4.1.8 – Data Security

Algar Telecom will make its best efforts to protect information, especially personal data, applying the administrative and technical protection measures needed and available at the time, requiring from its suppliers the same acceptable level of Information Security, based on best market practices, from contractual clauses”

Such efforts mentioned in the Privacy Policy are outlined in Algar’s Information Security Policy. In the document, the company informs it commits itself to “ensure the availability, integrity and confidentiality of personal data, throughout its life cycle” and establishes a structure for information security, with information about who are the people who may have access to the systems of Algar Telecom, the available assets and procedures to be adopted in the systems and applications of the company.

“PROTECTION OF PERSONAL DATA

10.1 Algar Telecom respects privacy. Thus, it must ensure the availability, integrity and confidentiality of personal data throughout its life cycle, in any storage format or support, through:

10.1.1. authorized treatment in the terms of the current personal data protection legislation;

10.1.2. adoption of security measures to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, improper or unlawful communication or processing;

10.1.3. storage in a safe, controlled and secure manner;

10.1.4. anonymization and pseudonymization processes, whenever necessary;

10.1.5. encryption protocols in transmission and storage, whenever necessary

10.1.6. 10.1.6. logical record of processing operations

10.1.7. safe disposal of personal data at the end of its purpose, or when requested by the owner of the personal data, and its conservation in accordance with legal and regulatory assumptions;

10.1.8. Transfer to third parties in a secure and contractually provided manner;

10.1.9. impact and systematic assessment of the privacy of data subjects;

10.1.10. Management and proper handling of incidents involving personal data;

10.1.11. Periodic testing, monitoring and evaluation of its effectiveness”

In its Data Governance Policy, the company informs, in more detail, the security practices adopted:

4.17.1 – During the entire life cycle of personal data the security guidelines in Algar Telecom’s Information Security Policy and Policy – Data Privacy available in Algar Telecom’s document library and Algar Telecom’s internet portal shall be observed;

4.17.2 – The information security management area shall ensure confidentiality, integrity and availability of personal data in all storage and transmission media of personal data, considering

(a) technical security controls involved, such as, but not limited to:

  • Firewall;
  • Encryption;
  • Use of VPN to access data outside the premises of Algar Telecom;
  • Physical and logical access controls;
  • Two-factor authentication;

Secure storage of physical documents;

Password managers.

  1. b) Ensure that only authorized persons and treatment agents have access to personal data in compliance with the need and relevance of granting access;
  2. c) Adoption of information security measures to ensure that personal data remains complete, accurate, complete, and up-to-date without undue changes;
  3. d) Guarantee that personal data is accessible and usable by authorized persons and entities whenever necessary;
  4. e) Registering logs and audit trails of the life cycle of the personal data;
  5. f) Encrypting, pseudonymizing and anonymizing personal data when applicable;
  6. g) Training in personal data protection and supervision of the adoption of the practices taught.

The information in the four documents was considered sufficient for the sub-parameter.

Sub-parameter (e): concerning whether there is a published Cybersecurity/IT Policy with information on specific protections against malware, ransomware, worms and other viruses, it was considered partially met. This is because in its “Information Security” document, the company cites, in item 17, “Change History”, the general revision from the requirements of ISO 27001:2013 on 10/21/2019. However, there is no further explanation of the application of the standard or the cyber security policy.

Sub-parameter (f): regarding which categories of employees can have access to data, was considered not met. Although access controls are cited in the Personal Data Governance document, as well as in the Information Security document, there is no explanation as to which categories of employees.

Sub parameter (g): referring to third parties with whom the data is shared, it was considered partially met. In its Data Privacy Policy and in its Governance Policy, the company informs that it “shares personal data with authorized partners and suppliers” and that for the data to be shared it is necessary that the parties “have signed a contract with clauses referring to the protection of personal data”, but does not determine which third parties can receive them. The information offered by the company was considered unsatisfactory. However, because there was concern in pointing out information on the theme, with a minimum of detail, the sub-parameter was considered partially met.

Privacy Policy

4.1.6 – Sharing

Algar Telecom only shares personal data with partners and suppliers authorized to fulfill the purposes informed in this policy, having yet to share with third parties and authorities in the hypotheses of compliance with legal or regulatory obligations, public administration, contract compliance, studies by research agencies, credit protection or security of the client/user. In these cases, Algar Telecom will share the minimum information necessary to achieve its purpose, ensuring, whenever possible, the anonymization of personal data.

Data Governance

4.7.1 – The sharing of personal data or documents/files with personal data in national territory may be done for authorized treatment agents, with the security measures indicated by the information security management area from the personal data protection impact report (DPIA/RIPD), when the case and only for the purposes of use or treatment previously and duly informed and legitimated to the owner of the personal data;

4.7.2 – The sharing of personal data with other agents of treatment, except the sharing made to comply with legal obligations, may only occur if they have signed a contract with clauses relating to the protection of personal data, as provided in section 4.21 of this document; 4.7.3 – In case of impossibility of signing a contract or amendment with the party in question, a personal data protection impact report (DPIA/RIPD) must be prepared and from this report mitigating controls must be adopted in relation to security and protection of the treatment of personal data;

4.7.4 – The sharing of personal data whose processing is based on the legal assumption of consent may only occur with the consent of the owner of the personal data, being aware of this sharing, and this consent must be collected before the beginning of the treatment of personal data;

4.7.5 – Anonymized personal data may be transferred to third parties, provided the processing requirements set forth in the applicable legislation and in this document are respected;

4.7.6 – The sharing of personal data should only occur through channels with security measures in place

Sub parameter (h): related to the purposes of sharing data with third parties, it was also considered to be partially met. This is because the information provided on the subject is unclear and states only that it is carried out to “fulfill the purposes informed in this policy”. No clearer information is given about the hypotheses of sharing and its purposes. However, because there is concern in pointing out information about the theme, with a minimum of detail, the sub-parameter was considered partially met.

As for sub parameter (i), related to the hypotheses of international data transfer, it was considered to be fulfilled. In its Data Governance, the company informs, in a very complete way, about the conditions and the purposes for the international transfer of data:

4.8.1 – If the personal data is expected to be transferred to another country, the possibility of sharing with another controller shall be submitted to the analysis of the person in charge of personal data processing (DPO), by the information security management area, and the legal area, so that they can evaluate if the destination country has a degree of data protection that is adequate to the Brazilian legal system;

4.8.2 – If the receiving controller offers and proves guarantees of compliance with the data subject’s rights, the international transfer of data may also be possible in the form of

(i) specific contractual clauses for a given transfer

(ii) standard contractual clauses

(iii) global corporate standards; and

(iv) seals, certificates, and codes of conduct issued by the National Data Protection Authority;

4.8.3 – The international transfer of personal data may also occur for the purposes listed below

(a) when the transfer is necessary for the protection of the life of the data subject or of third parties;

  1. b) When the National Authority authorizes the transfer;
  2. c) When the transfer results from a commitment assumed in an international cooperation agreement;
  3. d) When the data subject has provided his specific and outstanding consent to the transfer, with prior information on the international character of the operation, clearly distinguishing it from other purposes;
  4. e) To fulfill a legal or regulatory obligation by Algar Telecom;
  5. f) When necessary for contract execution and preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject.

Parameter IV, which assesses whether the company provides clear and complete information about the data subject’s rights, was considered fully met. Both sub-parameters, (a) and (b), were fully met.

Sub-parameter (a), referring to information on what are and means for the data subject to exercise their rights over their data, was considered to be fully met. This is because the company informs, in its Privacy of Personal Data, the e-mail and the name of the data controller (DPO).

Sub-parameter (b), referring to information to data subjects about their rights under the LGPD, was considered to be fully met. The company, in its Privacy of Personal Data, reserves an item to inform about the rights of the data subjects:

4.3 – Rights of the Data Subject

4.3.1 – Basic Rights

The customer/user may request our Personal Data Controller to confirm the existence of Personal Data processing, in addition to the display or rectification of his/her Personal Data, through our Customer Service Channel.

4.3.2 – Limitation, Objection and Deletion of data

Through the Service Channels, the customer/user may also request:

  • The limitation or anonymization of the use of his/her Personal Data;
  • Express their opposition and/or revoke consent as to the use of their Personal Data;

Request the exclusion of your Personal Data that have been collected and recorded by Algar Telecom, as long as the minimum legal term related to data storage has elapsed; or

  • The portability of data to another telecommunication service provider, upon express request, according to national authority regulations;
  • Cancel the marketing communications we send when you wish.

The information was considered satisfactory for the sub-parameter.

Parameter V, which evaluates if the company responded in a timely manner to requests for access to data by InternetLab members, was considered partially fulfilled. Although the company responded within the deadline, it stated that it does not process personal data for the indicated account, which has a plan with the operator, without further explanation. Thus, we consider the answer insufficient. 

Parameter VI, which evaluates if the company promises to send notifications to the user when updating its privacy policies, was considered to be fully met. The company includes the following notice on its website: 

Algar Telecom reserves the right to change the contents of this Policy at any time, according to the purpose or need, such as for adequacy and legal conformity of the law or norm that has equivalent legal force, being up to the customer/user to verify it with Algar Telecom through the site www.algartelecom.com.br. If it is necessary to change the Policy, the client/user will be informed via e-mail.

Finally, parameter VII, referring to the accessibility of information on privacy and data protection, was considered to be fully met. The company has a section entitled “Privacy and Information Security”, which can be accessed at the bottom of its website, where the Policies of Data Privacy, Service Management, Information Security, Personal Data Governance, Use of Cookies, Terms of Use of Services and Site Terms of Use are contained. The information contained in the documents is clear and easily accessible to the client.

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Algar got a full star, because it met parameters I, II, IV and V 

Parameter I, referring to the identification of the competent authorities to request data, was considered fulfilled. In the document Sharing Personal Data with Authorities, the company informs that it only provides registration data to administrative authorities by force of law or by court order. The competent authorities to which the company provides data are Public Ministries, Police Authorities, Internal Revenue Service, and the Presidency of Parliamentary Investigation Commissions, in accordance with the applicable legal provisions authorizing the breach of secrecy. Such information was considered sufficient for the purposes of this evaluation.

Parameter II, referring to the identification of the competent authorities and the crimes in the scope of which the request occurs, was considered to be fully met. Besides mentioning the competent authorities (see parameter above), the company informs which are the legal hypotheses in which the company provides registration data to legal authorities:

Federal Constitution of 1988 – article 5. Item XII and article 58, par. 3º.;

– Law 9296/1996 – article 1, sole paragraph – Telephone Interception Law;

– Law 9472/1997 – article 3. – General Telecommunications Law;

– Law 12,683/2012 – article 7, “B” – Money Laundering

– Law 12.830/2013 – article 2. – Criminal Investigation conducted by Police Chief

– Law 12850/2012 – article 15 – Criminal Organization

– Law 12,695/2014 – article 7. and 10 – Marco Civil da Internet

– Law 13.344/2016 – article 13-B – Search for a Missing Person

– Anatel Resolution 632/2014 – article 3. V – General Regulation of Telecommunications Consumer Rights.

Parameter III, referring to the provision of information on geolocation data, was not considered to be fully met either. No mention of the theme was found in Algar’s analyzed documents.

Parameter IV, referring to the promise to provide connection records only upon court order strictly in terms of the Marco Civil, was considered to be fully met. In the document Sharing Personal Data with Authorities, the company differentiates between registration data and connection records, as well as its hypotheses for data provision:

Regarding the availability of register data for the investigation of crimes, Algar Telecom provides register data related to personal qualification, filiation and address upon judicial order. Algar Telecom will make available cadastral data to Police Marshals or Public Prosecutors when related to personal qualification, filiation and address, upon request, without judicial order, in accordance with article 15, of Section IV of Law 12.850/2013, of Law 9.613/98 (article 17-B, Chapter X) and article 13-A of the Code of Criminal Procedure.

Connection records, as such understood as the set of information regarding the date and time of the beginning and end of an Internet connection, its duration and the IP address used by the terminal for sending and receiving data packets will be informed by Algar Telecom upon presentation of a court order or, upon request of the Police Department or Public Prosecutor, in accordance with Article 15, Section IV of Law 12.850/2013, Law 9.613/98 (Article 17-B, Chapter X) and Article 13-A of the Code of Criminal Procedure. 

Algar makes available real or past information, only by court order.

Finally, parameter V, concerning the existence of specific protocols on data delivery to the State, was considered to be fully met. The company makes available in its Data Policy a document called “Sharing of Personal Data with Authorities”, in which the company informs specific hypotheses of data delivery to the State. This document was considered sufficient for the purposes of this evaluation.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Algar got half a star, because it did not meet one of the parameters.

As for parameter I, referring to the contestation of legislation, we conducted exploratory searches on the websites of the Supreme Court and the Superior Court of Justice for cases in which the company was a party.

On 03/29/2022, the STF published the judgment of the Direct Unconstitutionality Action number 4924/DF, in which the National Association of Cellular Operators – ACEL, of which Algar is a member, requested the declaration of unconstitutionality of Law 17.107/12, of the State of Paraná, which provides for penalties for the person responsible for improperly calling the emergency telephone answering services involving removals or rescues, firefighting, police occurrences or disaster response (telephone prank calling). The law aimed to establish an obligation for telephone companies to provide data on the owners of telephone lines that improperly call the emergency services after a mere official request by any public agency or institution involved. The ACEL argued in favor of the inviolability of intimacy, private horna life and the secrecy of telephone communications (as established in Article 5, Items X and XII of the Federal Constitution), mentioning the unavailability of the right to the protection of personal data in its argumentation.

In addition, the ACEL had filed ADI 5040/PI, published in 2021 (not included in our previous report), questioning the legality of Law No. 6.336/2013 of the State of Piauí, which required companies providing personal mobile telephony services to provide public security agencies with data on the location of cell phones and “SIM” cards that had been the subject of theft, robbery and burglary or used in the commission of crimes. Among its arguments, ACEL also alleged a serious offense to its customers’ privacy in the event of disclosure of personal information, citing the Constitution and the fundamental right to privacy, in addition to the inviolability of the secrecy of telephone communications.

Also, on 08/30/2019, the STF judged the Direct Unconstitutionality Action number 4401/MG, in which the Brazilian Association of Competitive Telecommunications Service Providers – TELCOMP, of which Algar is a member, requested the declaration of unconstitutionality of articles 1 to 4 of Law 18.721/10, of the State of Minas Gerais, which provides for the provision of information by fixed and mobile telephony concessionaires for public security purposes. The law aimed to make it mandatory for the companies “to provide information about the location of customers’ handsets to the state judicial police, upon request, safeguarding the confidentiality of the content of telephone calls.” (art. 1, caput). TELCOMP argued for the unconstitutionality of the state rules due to the usurpation of legislative competence, since the legislation on telecommunications would be the exclusive competence of the Union. 

Finally, to investigate parameter II, referring to the challenge of abusive requests, we conducted exploratory searches in the database of the São Paulo State Court of Justice and the “Jusbrasil” portal, in both cases with the terms “Algar Telecom And secrecy And breach” and rulings published between 08/01/2020 and 06/21/2021. In the search, no actions were found in this regard. We emphasize that the choice of Jusbrasil as a secondary source is due to the fact that it aggregates judgments from all Brazilian state courts, rather than searching in all courts individually.
Actions considered in previous versions of Who Defends Your Data, the Direct Unconstitutionality Action (ADI) 5642, of the ACEL, were not considered, since they did not register movements.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Algar got half a star, because it met one parameter.

It was not found any participation of the company in any public consultations or as amicus curiae in processes related to the approval of standards or adoption of techniques that increase the protection conferred to users of its services.

Parameter I, concerning the company’s positioning in general, was considered to be fully met. In some opportunities throughout the year, Internet service providers had the opportunity to manifest themselves on public policies and bills that affect users’ privacy.

Algar participated, through Conexis, in the launch of the Code of Best Practices on Data Protection for the Telecommunications Sector, presented to the National Data Protection Authority

We consider parameter II not met. We did not find any public position of Algar regarding the protection of personal data related to facial recognition technologies. Nor did we identify any participation, in public consultations or as amicus curiae, in ANATEL or STF proceedings. The company, in the engagement phase with us, also showed no evidence that it does not use the technology in its hiring.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Algar got half a star, because it met parameters I, II and III. 

Parameter I was considered to be fully met. The company publishes a Transparency Report, in Portuguese.

Parameter II was considered fulfilled. Since the company publishes the Report on its website, with a page dedicated to the Report.

Parameter III was considered as met. The company has a Report published in 2021 and in previous years.

Parameter IV was considered not to be fulfilled. There is no information, in the Transparency Report, about requests for access to data.

Finally, parameter V, related to the publication of Data Protection Impact Reports, was not considered to be fully met. No documents to this effect were located in our search.

CATEGORY 6: User notification

Result:

Algar did not get a star, as there is no mention of the possibility of user notification in any of the documents reviewed.

BRISANET

CATEGORY 1: Information on data protection policy

Result:

In this category, Brisanet got three quarters of a star, having met 4 of the seven parameters analyzed. 

As for parameter I, we consider the following:

Sub-parameter (a): partially met. In its Privacy Policy, in the item “About the data we collect”, the company informs several types of data, cadastral (full name, CPF, RG, email, home phone, cell phone, address, type of residence, date of birth, marital status, type of public) and digital identification (IP address and logical port of origin, version of the device’s operating system, geolocation, date and time stamp of actions performed, screens accessed, session ID, cookies) collected. However, there is no complete breakdown of all data collected. We do not know, for example, what data is collected via cookies when browsing Brisanet’s website. 

Sub-parameter (b): partially met. The Policy only mentions that data “may be collected when you submit them or interact with our Site and services”. However, the wording is excessively generic, not being exhaustive in relation to which data is collected in each situation, how the data is collected during the actual provision of Brisanet’s services, what are the hypotheses indicated in the “among others” in the wording of the company’s policy, etc.

Sub parameter (c): not met. Brisanet’s Privacy Policy makes no reference to the collection of public data from data subjects.

Sub parameter (d): not met. Brisanet’s Privacy Policy makes no mention of data collection through third parties, nor does it list the categories or, nominally, the organizations involved in this type of collection.

Sub-parameter (e): Partially met. Brisanet’s Privacy Policy states that the treatment of data by third parties on its behalf will respect “the conditions stipulated [in the Policy] and the information security standards, mandatorily”. However, there is no listing of the forms of third-party assessment employed by the operator.

As for parameter II, we consider the following:

Sub-parameter (a): partially met. In its Privacy Policy, in the item “About the data we collect”, the company informs the purposes associated with the types of data (registration or digital identification), but there is no strict correlation of which data is used for each purpose. Thus, data subjects cannot be sure that the processing of all their data is taking place for legitimate legal purposes and bases.

In the Brisanet Broadband Services Agreement, we find the following:

“12.1. Locaweb agrees to use the Customer’s personal data and other information collected for the following purposes, with which the Customer expressly declares to have full knowledge and agreement by signing this Agreement, either through the TERM OF CONTRACT (in person or electronically) or other forms of membership provided for in this Agreement: (i) for compliance with legal or regulatory obligations, including but not limited to the maintenance of registration data and the Customer’s Connection Records for a minimum period of 01 (one) year, under Law No. 12. 965/2014 (Marco Civil da Internet); and the maintenance of the recordings of the CLIENT’s calls to the Customer Care Center provided by the SERVICE PROVIDER; (ii) for the treatment and shared use of data necessary for the execution of public policies provided for in laws, decrees and regulations of the Public Authorities, ANATEL, or any other public organ, autarchy or Federal, State or Municipal authority; (iii) for the faithful fulfillment or execution of any rights or duties inherent to this contract, or preliminary procedures related to this contract; (iv) for the regular exercise of rights in judicial, administrative or arbitration proceedings;(v) for the protection of credit (including judicial or extrajudicial collection measures); (vi) to ensure compliance with this contract, including combating fraud or the practice of any illicit acts; (vii) to send the CLIENT any communication or notification provided for in this contract; (viii) and for its legitimate interest. “

Although there is a more detailed description of purposes , the data subject still does not have the tools to understand which of their data will be used in each process carried out by Brisanet, especially in cases of legitimate interest.

The Brisanet Prepaid Mobile Internet Service Subscription Contract, the only other contract available on Brisanet’s website, does not have similar provisions regarding privacy.

Sub-parameter (b): Fully met. As long as the forms of use listed in Brisanet’s Privacy Policy correspond to all of its forms of data processing, the listing found under “About the data we collect” will be considered sufficient. However, as stated above, the Policy does not link the forms of processing to the data specifically processed by Brisanet in each process, which is necessary for the data subject’s assessment of the legitimacy of the processing of his/her data. 

As for parameter III, we consider the following:

Sub-parameter (a): fully met. T Privacy Policy, in the item “How we store your personal data and the activity log”, brings a list of periods of data storage, informing, as well, the legal reasons for so. 

Sub-parameter (b): not fulfilled. The company does not inform on which occasions it deletes certain types of data (e.g., sensitive data), or if it does it regularly.

Sub-parameter (c): fully met. As above, the Privacy Policy cites some hypotheses of data retention.

Sub parameter (d): partially covered. In the item “How we protect your data and how you can also protect it”, the Privacy Policy exemplifies, in a generic way, some administrative and technical measures for data protection. We do not, however, have any indication of the procedures and technologies employed in line with these measures.

Sub parameter (e): not met. We did not identify information on the specific cyber security measures employed by the company. The Broadband Services Contract only states that, among Brisanet’s obligations is “3.2.4 […] care for the secrecy inherent to telecommunications services and the confidentiality of data, including connection records, and Subscriber information, employing all means and technology necessary for this”.

Sub-parameter (f): not fulfilled. We did not identify any information on the specific access control measures employed by the company.

Sub parameter (g): partially covered. In the item “How we share data and information”, Brisanet’s Privacy Policy mentions some hypotheses for sharing customer data with third parties. However, there is no specification of which specific third parties receive data from Brisanet.

In Brisanet’s Broadband Service Agreement, we find the following:

“12.3 BRISANET and companies of the same Economic Group may, at any time, consult your information – including your personal data, credit history, among others – at the Cadastro Positivo, Regulatory Bodies, Credit Bureaus or other entities that provide services for credit protection purposes. Thus, the SUBSCRIBER authorizes the whole BRISANET conglomerate to consult debits and responsibilities resulting from operations with credit characteristics.

12.4 The CLIENT recognizes and agrees that the PROVIDER is subject to the supervision of the authorities and regulatory entities of Brazil, and further authorizes that its information be disclosed to these authorities and regulatory entities.”

The data subject, however, is not provided with any information about the circumstances in which data is shared with such entities – nor is there any detail about what types of data may be disclosed (e.g., “among others”). The Brisanet Prepaid Mobile Internet Service Subscription Agreement, the only other agreement available on Brisanet’s website, does not have similar provisions regarding sharing with third parties.

Sub-parameter (h): partially met. In the item “How we share data and information”, Brisanet’s Privacy Policy indicates all the purposes of sharing with the third parties cited. However, some of the purposes are excessively generic and do not allow the user to assess the legitimacy of sharing (e.g., “with partner companies and service providers necessary for the execution of our services and functionalities”).

Sub-parameter (i): not met. Brisanet’s Privacy Policy only mentions that some data will be stored in clouds located outside Brazil, without, however, providing details on (i) the type of data stored in these circumstances; (ii) the countries in which the data may be stored; (iii) those responsible for providing the clouds used by the operator. 

As for parameter IV, we consider the following:

Sub parameter (a): fully met. In the Privacy Policy, in the item “Service channels”, the company informs the service channels, hours and addresses that may be activated by the data subject to claim their rights. There is even a specific channel to contact the company’s Data Officer. 

Sub parameter (b): not fulfilled. In the Privacy Policy, in the item “What are your rights and how to exercise them”, Brisanet informs data subjects about some of their rights. However, the website does not contain a clear and accessible description of all the data subject rights conferred by articles 8 and 9 of the LGPD, in addition to all the rights comprised in the subsections of article 18 of the same law. The rights cited only include, generically, “to limit the use of their personal data”, “to express their opposition or revoke consent as to the use [of the data]”. and “to request the deletion of their personal data”. 

In addition, Brisanet’s Broadband Services Contract reads as follows:

“12.6 Without prejudice to the provisions of the items above, privacy and confidentiality are no longer mandatory, if it is proven documentally that the information related to the CLIENT’s personal data and other information collected: (i) Were in the public domain on the date of execution of this Agreement; (ii) Became part of the public domain after the date of execution of this contract, for reasons not attributable to action or omission of the parties; (iii) Were disclosed due to any order, decree, order, decision or rule issued by any judicial, legislative or executive body imposing such disclosure; (iv) Were disclosed by reason of a request from the Agência Nacional de Telecomunicações – ANATEL, or any other authority vested with powers to do so.”

We emphasize that, as the Controller of Personal Data, Brisanet is obliged to comply with the data protection legislation, including when processing public data – as specified in paragraph 7 of Article 7 of the LGPD. To wit:

“§ 7 The further processing of the personal data referred to in §§ 3 and 4 [data made manifestly public by the titualr] of this article may be carried out for new purposes, provided that the legitimate and specific purposes for the new processing and the preservation of the rights of the data subject are observed, as well as the grounds and principles provided for in this Law.”

The inclusion of the clause, therefore, is inadequate in view of Brisanet’s obligations to comply with the data subject’s rights, misleading the data subject as to the possibility of claiming his rights.

As for parameter V, we consider the following: not met. In Brisanet’s Privacy Center, the company makes available a space named “Access your data”, where users can select the options to request data for “Brisanet Customers”, “Non-Customers or Former Customers” and “Employees and Former Employees”. While the information is supposedly made available to Customers through the “Brisacliente” application, the other categories of data subjects are redirected to fill out a Form, which must be sent via post to Brisanet’s headquarters in Ceará. The document informs that Brisanet will respond to the request within 15 (fifteen) days of receipt of the form. In addition, there is a requirement in the Form that the owner must send (i) a notarized copy of an identification document that has a photo; and (ii) a notarized signature on the signature of the Form, which is not supported by any data protection legislation, and represents an unnecessary barrier to the exercise of the rights of the owner of personal data. In addition, the attempt to contact the DPO via email to request confirmation of processing was not answered, neither within the legal deadline of 15 (fifteen) days nor within the extended period of 1 (one) month.

Parameter VI, which evaluates if the company promises to send notifications to the user when updating its privacy policies, was considered not met. In its Privacy Policy, the company explicitly states that “You acknowledge our right to change the content of this Policy at any time, according to the purpose or need, such as for adequacy and legal compliance of law provision or norm that has equivalent legal force, being up to You to check it every time You access our Site or use our services and functionalities.” The passage goes on to inform the data subject that a notification will only be sent when of “updates to this document and that require new consent collection” , through the “contact channels that You inform.”

Finally, parameter VII, referring to the accessibility of information on privacy and data protection, was considered partially met. In the footer of the home page of the Brisanet website, there is a link to the Company’s Privacy Center. The information on the Privacy Portal is quite clear and easily accessible to the client. 

However, there is no public availability of the contract for the provision of broadband internet services, and the provision of such information in the contract would be recommended so that it could be accessed by all customers, legally consented to by them, and detailed according to each type of contracted service. We only obtained access to Brisanet’s broadband services contract when directly requested by customer service (via WhatsApp).

CATEGORY 2: Data delivery protocols for investigations

Result:

In this category, Brisanet got an empty star, not having met any of the parameters.

Parameter I, referring to the identification of the competent authorities to request data, was considered not met. In its Privacy Policy, the company only generically mentions sharing with public authorities “whenever there is a legal determination, request, requisition or court order.” No other disclosed policy related to the delivery of data to authorities was identified in Brisanet’s Privacy Center.

In Brisanet’s Broadband Services Agreement, we find the following:

“Locaweb will only make available the registration data and connection records, incurring in the suspension of telecommunications secrecy, when formally requested by the judicial authority or other legally invested with such powers, and when the presentation of information relative to the CLIENT is clearly determined.”

Although the wording is intended to establish the hypotheses for sharing data with authorities, Brisanet makes no mention of the strict need for a court order for the breach of secrecy, nor does it describe the specific legal hypotheses that would authorize the sharing of data without a court order.

Parameter II, referring to the identification of the competent authorities and the crimes in the scope of which the request occurs, was also considered not to be fully met. We did not find this information in Brisanet’s contracts or documents. 

Parameter III, referring to the provision of information on geolocation data, was also considered to be not complied with. We did not find this information in Brisanet’s contracts or documents. 

Parameter IV, referring to the promise to provide connection records only upon court order strictly under the terms of the Marco Civil, was also considered to be not complied with. We did not find this information in Brisanet’s contracts or documents. 

Finally, parameter V, concerning the existence of specific protocols on data delivery to the State, was considered not met. No mention of the topic was found in the Brisanet documents analyzed.

CATEGORY 3: Defense of users in the Judiciary

Result:

In this category, Brisanet got a full star, since it met both parameters analyzed.

As for parameter I, referring to the contestation of legislation, we conducted exploratory searches on the websites of the Supreme Federal Court and the Superior Court of Justice for lawsuits in which the company was a party, looking for actions involving the contestation of legislation that violates privacy and data protection principles. The parameter was considered to be fully met.

On 08/30/2019, the Federal Supreme Court judged the Direct Unconstitutionality Action number 4401/MG, in which the Brazilian Association of Competitive Telecommunications Service Providers – TELCOMP, to which Brisanet belongs, requested the declaration of unconstitutionality of articles 1 to 4 of Law 18.721/10, of the State of Minas Gerais, which provides for the provision of information by landline and mobile telephone concessionaires for public security purposes. The law aimed to make it obligatory for the companies “to provide information about the location of customers’ handsets to the state judicial police, upon request, safeguarding the confidentiality of the content of telephone calls.” (art. 1, caput). TELCOMP argued for the unconstitutionality of the state rules due to the usurpation of legislative competence, since the legislation on telecommunications would be the exclusive competence of the Union. 

Finally, in order to verify parameter II, referring to the challenge of abusive requests, we conducted exploratory searches in the database of the Court of Justice of the State of Ceará by the name of the Party “Brisanet” and in the “Jusbrasil” portal, by the terms “Brisanet S/A” AND “secrecy” AND “breach” and by sentences or decisions with distribution date between 06/31/2021 and 10/19/2022. In the searches, no public access actions were located involving the request for breach of confidentiality of Brisanet customers.

We did find, however, at least one action in which Brisanet is subpoenaed to respond to the Public Prosecutor of the State of Ceará in a Criminal Precedence Letter and an action related to Personal Data Protection. However, none of the pleadings in both actions are publicly available.

By searching Jusbrasil, we identified at least one action in which Brisanet refuses a request for breach of confidentiality, based on the terms of the Marco Civil da Internet:

“The provider BRISANET SERVIÇOS DE TELECOMUNICAÇÕES S.A. responded to the letter issued by the Judge of the 10th Labor Court in the following terms:

‘Thus, Brisanet Serviços de Telecomunicações S/A, informs that it does not perform the guarding of the record of WI-FI connections of customers, based on Article 14 of Law 12,965.

[…]

Thus, we do not have the record of connections of who used or not the client’s WI-FI. Because as mentioned above, the connection provider (BRISANET) only performs searches by accessing a certain IP. Therefore, it is up to the application provider to store the access records to internet applications, which consist of the set of information regarding the date and time of use of a given internet application from a given IP address. With the information from the application provider, that is, the time, the second, the day and the IP that was used to access a certain site, the connection provider will be able to locate that certain user.”

We emphasize that the choice of Jusbrasil as a secondary source is due to the fact that it aggregates judgments from all Brazilian state courts, to the detriment of searching in all courts individually.

CATEGORY 4: Pro-privacy public stance

Result:

In this category, Brisanet got an empty star, because it did not meet the parameters.

Parameter I, related to the company’s positioning in general, was considered not met. On a few occasions during the year, Internet service providers had the opportunity to manifest themselves about public policies and bills that affect users’ privacy. After searching official government sites, specialized and traditional press, and company press rooms, we did not find any material in this direction. 

We also considered parameter II not met. We did not find any public position of Brisanet regarding the protection of personal data related to facial recognition technologies. Nor did we identify any participation, in public consultations or as amicus curiae, in ANATEL or STF proceedings. An article written by Idec, however, cites Brisanet as one of those responsible for installing facial recognition cameras in Paraíba in 2019:

“In Paraíba, there was a test during what is considered the “largest São João in the world”, in the city of Campina Grande. Medow Entertainment, the event’s organizing company, hired the digital platform Facewatch, which used facial recognition cameras at all entrances to Parque do Povo during the 31 days of the party. The operator Brisanet also participated in the operation. A total of 265 cameras capable of finding a person with a zoom of up to two kilometers away were installed, the Public Safety Secretariat reported. Jimmy Felipe, a soldier of the Military Police of Paraíba, also a Project Manager of the agency, told the report that more than 800 thousand faces were recorded. Of this total, “300 people were registered. Of them, 12 were arrested. Only one was the twin sister [of a wanted person], which shows that the system was sufficient. There was no storage of people who were not in this database or who had no involvement, no police search,” he says. Felipe adds that “the data that had no correlation to the wanted people were discarded after 24 hours”.

Also in this category, we invite companies, in this phase of sending and discussing the preliminary results of the report, to share with us legal actions or positions and actions reported in the media in which they have acted to promote the protection of personal data, including with respect to facial recognition.

CATEGORY 5: Transparency and Data Protection Impact Reports

Result:

In this category, Brisanet got an empty star, as it did not meet any of the parameters. 

Parameters I to IV, related to the Transparency Report, were not met. No documents of this nature were found from Brisanet, and Brisanet’s Sustainability Report does not contain relevant information about privacy and data protection or about requests from public authorities regarding personal data. In addition, the Sustainability Report has a link to company policies, listing the existence of an “Information Policy” that is not made available on the website.

Parameter V, on the other hand, concerning the publication of Data Protection Impact Reports, was also found not to be fully met. No such documents were located in our search.

CATEGORY 6: User notification

Result:

Brisanet did not get a star, as there is no mention of the possibility of user notification in any of the documents reviewed.

FAQ

How does InternetLab finance its activities?

InternetLab is a non-profit organization. We do not act as a consultancy or law firm and only provide services if they are in tune with our mission, i.e., the production of research in the area of law and technology for impact on public policies. In this way, foundations, third sector organizations, companies and individuals finance our activities. In all of these cases, two conditions apply independence in the design and execution of projects and the freedom to manifest any type of analysis and institutional posture.

[PRECISA ALTERAR] No ano de 2019, 70,8% dos nossos recursos vieram de fundações e organizações do terceiro setor internacionais, 23,6%, do setor privado e 5,6% de agências de fomento.

How was the “QDSD” project financed?

The project was financed with funds donated by the Ford Foundation.

Who worked on “QDSD”?

This is the InternetLab team involved in the 2021 edition of the QDSD: Francisco Brito Cruz (director), Bárbara Simão (head of research), Laura Matta (researcher) and Vitor Vilanova (intern).

From EFF, they worked on the project Veridiana Alimonti (Latin American Senior Policy Analyst) and Katitza Rodríguez (Policy Director for Global Privacy).

The website´s graphic design is by Maria Claudia Levy, from GOMA Oficina; development and design by Sergio and Bruno Berkenbrock, from MirrorLab.

Did the project end with the dissemination of results?

No. The QDSD proposes a periodic assessment, carried out annually. With each new version, we review the methodology and submit the companies practices and policies to a new evaluation, ensuring that they reflect the current

Recommendations for the next edition

[PRECISA ALTERAR]O InternetLab reconhece, como tendência, o aperfeiçoamento das políticas de proteção de dados e de privacidade das empresas. Indica, no entanto, a importância de que sejam claras, precisas, acessíveis e completas. Especificamente quanto ao compartilhamento, devem estar claras ao titular as hipóteses em que ocorrem e as medidas tomadas, nesses casos, para prevenir eventos danosos, tais como a comprovação de garantias de cumprimento dos direitos do titular pelo terceiro.

Diante dos resultados deste ano, o InternetLab incentiva ainda as empresas a aperfeiçoarem seus canais de exercício de direitos pelos titulares de dados, de maneira a facilitar acesso integral às informações pertinentes e a certificar a identidade do solicitante. É recomendável, além disso, que as empresas adotem práticas de notificação proativa do usuário diante de alterações das políticas de privacidade.

O InternetLab estimula as empresas a elaborarem protocolos de entrega de dados para investigações, que informem usuários sobre todas as hipóteses de compartilhamento de dados cadastrais, dados de localização e registros de conexão para esses fins, e a forma como lidam com ordens judiciais e requisições administrativas para entrega de dados.

O InternetLab também encoraja as empresas a utilizarem as ‘salas de imprensa’ em seus websites para elencarem suas ações em defesa da privacidade e proteção de dados no Judiciário e em debates públicos. Sobretudo em contextos de crise e diante de circunstâncias excepcionais, como o foi a pandemia de COVID-19, é fundamental que empresas assumam uma postura de transparência ativa em relação à colaboração e compartilhamento de dados com o governo, atuando para que o tratamento excepcional seja limitado no tempo, proporcional e efetivamente compatível com finalidades de interesse público.

Por fim, também incentiva as empresas a publicarem relatórios de transparência exaustivos e a adotarem práticas de notificação de usuário diante de solicitações de dados por autoridades de investigação.