/Presentation

Categories evaluated: informs about data processing; informs about terms of compliance with data requests from the government; fights for user privacy in the courts; fights for user privacy in public debates; publishes transparency reports about data requests; tells users about data requests.

InternetLab was chosen by the Electronic Frontier Foundation (EFF) to carry out “Quem Defende Seus Dados?” (“Who defends your data?”), the Brazilian version of EFF’s project “Who Has Your Back?”, published in the United States since 2011.

“Who defends your data?” aims to promote transparency and best practices in the field of privacy and data protection by companies that provide Internet access in Brazil, making Internet users aware of policies that affect the protection of their privacy and personal data.

The evaluation will be carried out on an annual basis. In each edition, we will reassess the methodology and the results, to make sure that they reflect the best practices within reach of the evaluated companies to defend your data.

/Who we are

InternetLab is an independent research center that aims to foster academic debate around issues involving law and technology, especially internet policy. Our goal is to conduct impactful interdisciplinary research and promote dialogue among academics, professionals and policymakers. We follow an entrepreneurial nonprofit model, which embraces our pursuit of producing scholarly research in the manner and spirit of an academic think tank.

Founded in 1990, the Electronic Frontier Foundation is a leading international non-profit organization that defends digital rights. EFF uses the unique expertise of leading technologists, activists, and attorneys to defend free speech online, fight illegal surveillance, advocate for users and innovators, and support freedom-enhancing technologies.

/Our methodology

How were the evaluated companies chosen?

For this third edition, we chose the Internet Service Providers (ISPs) that, according to data released by the National Telecommunications Agency (ANATEL) in May 2017, each held at least 1% of all Internet accesses in Brazil, either through fixed broadband infrastructure or through mobile data infrastructure. In the previous editions, we only evaluated ISPs that held at least 10% of all accesses.

For broadband, the following companies fit this filter: NET, Oi, Vivo, Sky and Algar. For mobile Internet, we selected Claro, Oi, TIM, Vivo and Nextel. We present both sets of results in the same table so that readers can compare performance across the fixed broadband and mobile Internet infrastructures. This is the first time Algar, Nextel and Sky are evaluated, and the third time for Claro, NET, Oi, Vivo and TIM.

How did we come up with the methodology?

Although inspired by the U.S. project “Who Has Your Back?”, “Quem Defende Seus Dados?” does not replicate its methodology exactly, because Brazil’s social (and legal!) reality differs from that of the US. Hence the development of Brazilian categories and parameters.

We prepared the evaluation categories and parameters based on the following perspectives:

  1. public commitment to compliance with the law;
  2. adoption of pro-user practices and policies;
  3. transparency about practices and policies.

We got to the final results as follows:

  1. We revised the previously adapted version of the methodology and reapplied it (November and December 2017);
  2. With the preliminary results in hand, we contacted the companies, asking them to send us comments, criticisms or documents on the methods and results (December 2017);
  3. We engaged in dialogue with the companies and, based on their comments, adjusted the methodology and their scores. During this re-evaluation period, categories and parameters were modified as the companies presented good arguments or practices (January to March 2018);
  4. Publication of the results (April 2018).

CATEGORY: Information about data processing

WHAT WE WANT TO KNOW: Does the ISP provide clear and complete information about the collection, use, storage, processing, and protection of user’s data?

What does the Brazilian law say?

Brazilian law (Marco Civil da Internet, or Brazilian Internet Civil Rights Framework, Article 7, sections VI and VIII) establishes the right of users to clear and complete information about the collection, use, storage, processing and protection of their personal data, which can only be used for the purposes specified in the contracts between companies and their clients, or in the terms of use of internet applications.

Beyond this, when it comes to data protection, Article 16 of Decree 8.771/2016 (which regulates some aspects of the Brazilian Internet Civil Rights Framework) also determines that information about security standards should be made available in a clear and accessible manner to anyone who is interested, preferably on the companies’ websites.

Thus, in light of these user rights, we analysed the ISPs’ contracts and other documents and information available to the public, especially on the companies’ websites, to check to what extent these legal requirements are being complied with.

It is important to emphasize that the term “data” is used here in a broad sense, encompassing both subscriber data and the internet connection logs of each connection provided.

What were the evaluation criteria?

(I) The company provides information and clear legal references about data collection, including what data is collected and in which situations the collection occurs;

(II) The company provides information and clear legal references about the use and / or processing of data, including the purposes for which they are used and how this occurs;

(III) The company provides information and clear legal references on the storage of data, including how long data is stored, where it is stored and when / if it is deleted;

(IV) The company provides information and clear legal references about data protection, including which security practices are observed in data retention procedures, whether there is a data anonymization policy and who has access to the database, also observing what is provided in Article 16 of Decree 8.771/2016;

(V) The company provides information and clear legal references on the use of data by third parties, including information about the circumstances under which this would happen and / or the need for customer’s authorization to do so;

(VI) It is easy to access this information on the company’s website.

Performance standards

The ISP meets 5 to 6 parameters.

The ISP meets 3 to 4 parameters.

The ISP meets 2 parameters.

The ISP does not meet any or meets only one of the parameters.

CATEGORY: Information about data disclosure to government authorities

WHAT WE WANT TO KNOW: Does the ISP commit to disclose subscriber data and internet connection logs only upon a court order and, in the case of subscriber data, upon application by competent administrative authorities?

What does the Brazilian law say?

The Brazilian Internet Civil Rights Framework (Article 10, 1st paragraph) regulates when law enforcement authorities may have access to subscriber data and internet connection logs.

Internet connection logs can be made available only if the disclosure is authorized by a court order (art. 10, §1º). Subscriber data can be disclosed directly to administrative authorities, without judicial review, if and when they have the legal competence to request it (art. 10, §3º). Besides this, Article 11 of Decree 8.771/2016, which regulates some aspects of the Brazilian Internet Civil Rights Framework, determines that the administrative authority must indicate in the request the legal grounds of its express competence for the access and the motivation for the request to access the subscriber data.

Currently, the Criminal Organizations Act and the Money Laundering Crimes Act expressly grant law enforcement authorities the power to request subscriber data. The interpretation most protective of user privacy treats these as the only two cases in which administrative authorities have the legal competence to request subscriber data without a court order. In all other cases, a court order is still required for the disclosure of subscriber data.

Despite this, some law enforcement authorities claim the power to request such information regardless of the crime under investigation, under Law 12.830/2013, which has provisions on criminal investigations conducted by the Chief of Police (art. 2, §2º). This issue was taken to the Federal Supreme Court. Until the controversy is settled, InternetLab will demand transparency from the companies about which authorities they consider competent to request subscriber data and under which circumstances. This topic has even led to changes to the evaluation parameters of this category compared to previous years.

Therefore, we evaluated whether the ISP, in its contract or any other official document available to the public, makes clear to users the circumstances under which judicial or administrative authorities can have access to their data.

What were the evaluation criteria?

(I) The company promises, in general terms, to comply with the current legislation when disclosing users’ data to public authorities.

(II) The company promises to disclose subscriber data by direct request (without court order) to competent administrative authorities.

(III) The company promises to disclose subscriber data by direct request (without court order) only to competent administrative authorities, while identifying them. In other cases, it demands a court order.

(IV) The company promises to disclose internet connection logs only by a court order.

Performance standards

The ISP meets all parameters.

The ISP meets three parameters.

The ISP meets two parameters.

The ISP only meets one parameter.

The ISP does not meet any of the parameters.

CATEGORY: Defense of user’s privacy in the courts

WHAT WE WANT TO KNOW: Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?

The Judiciary is an arena where Internet users’ rights are protected against abuses and illegal conduct. With this in mind, we evaluated the posture of the companies in litigation concerning privacy and data protection.

What were the evaluation criteria?

(I) The company has legally challenged legislation that it considers harmful to Internet users’ privacy rights, disproportionate, and/or lacking a clear, precise and detailed list of the cases and circumstances in which information must be delivered, or adequate safeguards to prevent abuse (e.g. Articles 15, 17 and 21 of the Criminal Organizations Act);

(II) The company has legally challenged abusive requests for access to users’ data that exceed the legal prerogatives of the requesting authority and/or are disproportionate because of a lack of clarity and precision about the data required and the motivation, or for any other reason that compromises users’ privacy rights. Decree 8.771/2016 establishes that administrative authorities must indicate the legal grounds of their competence and the motivation of the data request, and that collective requests that are generic or unspecific are barred.

Performance standards

The ISP meets both parameters.

The ISP meets one of the parameters.

The ISP does not meet any of the parameters.

CATEGORY: Pro-user privacy public engagement

WHAT WE WANT TO KNOW: Has the ISP engaged in public debates about law bills and public policies that may affect user’s privacy, defending projects that aim to advance privacy?

It is very important to know the positions adopted by the companies regarding users’ privacy and data protection rights. This category aims to evaluate the participation of ISPs in public debates regarding bills and public policies that may impact those rights. This participation can occur both before state bodies and public events.

We only considered contributions made by ISPs individually, not those made by associations that some ISPs belong to, such as SindiTeleBrasil, as we believe that a company’s own public institutional positioning is essential to generate a commitment to its users.

What were the evaluation criteria?

(I) The company has participated individually, in its own name, in a public debate affecting the right to privacy and data protection in Brazil.

(II) The company has participated individually, in its own name, in a public debate and argued for the enactment of a data protection framework in Brazil, enforceable for both the public and private sectors.

(III) The company has participated individually in a public debate as described above and argued for the adoption of data security techniques and the protection of communication secrecy (e.g. effective anonymization of collected data, encryption, privacy and security by design and by default).

(IV) The company has argued for internationally well-established data protection principles (e.g. prior consent, purpose limitation, necessity, etc.).

Performance standards

The ISP meets all parameters.

The ISP meets 3 parameters.

The ISP meets 2 parameters.

The ISP meets 1 parameter.

The ISP does not meet any of the parameters.

CATEGORY: Transparency reports about data requests

WHAT WE WANT TO KNOW: Does the company publish transparency reports that contain information about how many times governments sought user data and how often the company provided user data to governments?

Transparency reports are statements issued by companies containing a variety of statistics related to data requests. Internet companies around the world have increasingly adopted the practice of publishing transparency reports to inform how and when they cooperate with governments, generally because compelled by law, by disclosing information that may be used as evidence in civil and criminal cases. It is already an established best practice among international Internet companies such as Google, Facebook, Twitter and Microsoft, and ISPs such as Vodafone and Verizon. In Brazil, this practice has not gained traction yet.

ISPs are under no obligation to produce transparency reports in Brazil, but the publication of statistics, that is, aggregated data about requests and disclosures, is not forbidden either. There is therefore a window of opportunity for ISPs to show that they care about building trust with their customers, based on transparency, and to contribute to the public debate about the prerogatives of public authorities in accessing user data.

Article 12 of Decree 8.771/2016 imposes on agencies of the federal public administration an obligation to publish statistics similar to those mentioned above (number of requests by requesting authority, etc.), which stresses the importance of developing a culture of transparency about data requests in the country. We believe that the private sector can voluntarily take up this agenda. In testimonies to Parliamentary Committees, companies have already mentioned the sheer number of requests they receive, and the National Association of Mobile Operators (ACEL), in its submission in Direct Action of Unconstitutionality (ADI) 5063, affirmed that there are abuses by public authorities, such as unfounded requests. In this context, the creation of periodic channels disclosing this information to users, such as transparency reports, becomes all the more important.

What were the evaluation criteria?

(I) The company publishes transparency reports on its collaboration with public authorities, including information such as the number of requests and disclosures broken down by data type; the number of requests and disclosures broken down by the governmental authority that made the request; and the number of requests and disclosures broken down by the motivation alleged by the governmental authority (production of evidence in civil, criminal or administrative cases, etc.).

Performance standards

The ISP meets the parameter.

The ISP does not meet the parameter.

CATEGORY: User notification

WHAT WE WANT TO KNOW: Does the company notify the user about data requests by the government?

When users are told that their subscriber data or internet connection logs were demanded by administrative or judicial authorities, their opportunities to effectively exercise their right of defense against abuse and irregularities expand.

The powerful impact of notification in guaranteeing an effective defense under the rule of law is not a new idea. In light of the constitutional principle of due process, many laws establish an obligation to notify persons about measures that affect their rights. Under the Brazilian Code of Criminal Procedure, for example, when a judge receives a request for a precautionary measure against someone, the judge must notify the affected party about the request so that they can present their arguments (art. 282, §3).

In the context of data requests, Internet providers play an essential role in protecting the procedural safeguards of affected users, because notification by the company enables the user to challenge illegal requests, both unsubstantiated court orders and requests from administrative authorities lacking competence and justification. As things stand, users depend on the challenges that companies themselves make against requests they consider abusive. If notified by the companies, users gain, at the earliest opportunity, the ability to defend themselves against potential violations of their privacy.

With this in mind, we think it is important to encourage the practice of user notification through the QDSD (Quem Defende Seus Dados?) project. For data requests not accompanied by a confidentiality obligation, notification is permitted by Brazilian law, given the absence of any legal provision to the contrary.

The possibility of user notification arises, for example, not only in data requests in civil proceedings, but also in requests made by other government agencies, such as the Brazilian IRS or ANATEL. Even in the context of criminal proceedings, notification prior to data disclosure can be seen as permitted as a rule, provided there is no confidentiality requirement, in keeping with the constitutional principles of the right to defense and adversarial proceedings. It strengthens the possibility of legally challenging the production of evidence irrelevant to the facts of the case.

Notification is neither a legal duty imposed on companies nor a widespread practice in the country. It is seen as a groundbreaking measure and, because it requires staff dedicated to notifications, a costly one for companies. User notification at the first legally possible opportunity, and preferably prior to the disclosure of data, supports the right to defense and fosters a culture of privacy protection.

Some internet companies, such as Twitter and Microsoft, have already committed to this measure in their operations in Brazil.

What were the evaluation criteria?

(I) The company promises to notify users before complying with requests for subscriber data and internet connection logs in cases not prohibited by legal confidentiality, or to issue a notification as soon as legally possible.

Performance standards

The ISP meets the parameter.

The ISP does not meet the parameter.

/Our sources

When applying the methodology, we looked at model contracts (available on the companies’ websites), press releases (also available on the websites), and official written public statements of the evaluated companies. They were the only material evidence available to assess the terms under which their Internet service is offered to customers. No relevant information was found in the terms of use or in pages called “Privacy Policy”, which refer only to the use of the companies’ websites.

VIVO

Contrato de Prestação de Serviços – Banda Larga
Contrato de Prestação de Serviços – Móvel (pós-pago)
Relatório de Sustentabilidade
Informe de Transparencia en las Comunicaciones 2017
Centro de Privacidade
Política de Privacidade

TIM

Regulamento Tim Live (Banda Larga)
Contrato Tim Live (Banda Larga)
Contrato Móvel (pós-pago)
Contrato Móvel (pré-pago)
Relatório de Sustentabilidade

CLARO

Móvel (pós-pago)
Móvel (pré-pago)
Apelação no. 0003082-21.2014.8.26.0205
Relatório de Sustentabilidade 2016

NET

Banda Larga

OI

Contrato Banda Larga
Contrato Móvel (pós-pago)
Contrato Móvel (pré-pago)
Política de Segurança da Informação Interna
Relatório de Sustentabilidade
Habeas Corpus nº 2022284-75.2017.8.26.0000

ALGAR

Política de uso aceitável
Contrato de Prestação de Serviços
Contrato de Prestação de Serviços – Multimídia
Relatório de Sustentabilidade

NEXTEL

Contrato de serviço móvel pessoal

SKY

Política de ética e proteção da informação
Contrato Banda Larga
Sumário contratos

/Results


CLARO

CATEGORY: Information about data processing

Result:

Claro got ½ star, as it fulfilled three parameters: I and IV partially, and V and VI fully.

Regarding parameter I, it is important to highlight that the information provided in the contract concerns only subscriber data in the context of number portability. In item 14.7 of the “prepaid” service contract (same terms in clause 14.6 of the “postpaid” contract), the company states that, upon contracting the service and receiving the access code, the customer authorizes the disclosure of their subscriber data to the managing entity, without mentioning any collection of other types of data.

Clause 14.7 prepaid and 14.6 postpaid: Once the SUBSCRIBER has requested the Portability Access Code and met the requirements and commercial terms established for it, the SUBSCRIBER authorizes in advance the disclosure of his or her registration information to the “Managing Entity” and the “Donor Provider”, as defined by ANATEL, in order to allow their portability request to be completed or not.

Regarding parameter IV, Claro informs customers on its website about information security issues and fraud prevention. InternetLab considers the wording generic and, as there is room for improvement, the company only partially meets the parameter.

As for parameter V, item 17.5 of the “prepaid” service contract (same terms in clause 16.6 of the “postpaid” contract) states that all customer information is confidential and can only be disclosed to (i) the subscriber; (ii) a representative with specific power of attorney; (iii) an attorney or specialized agency for collection purposes; (iv) by determination of a public authority; (v) other telecommunications service providers for the specific purpose of providing those services.

Clause 17.5 prepaid and 16.6 postpaid: All information regarding the SUBSCRIBER which is part of the CLARO registration is confidential and will only be provided to these persons and in these situations: a) the SUBSCRIBER; b) the SUBSCRIBER’S legal representative with specific power of attorney; c) an attorney or specialized agency hired by CLARO for collection purposes; d) by determination of a public authority; e) other telecommunications service providers for the specific purpose of providing those services.

As for parameter VI, the contract is easy to find on the company’s website, at the bottom of the homepage.

CATEGORY: Information about data disclosure to government authorities

Result: 

Claro got ¼ star, because it only fulfilled parameter II.

In the contracts and other materials consulted, Claro does not clearly differentiate the treatment of subscriber data and internet connection logs, dealing only with “the subscriber registration information” that can be provided to “public authorities”. Until the last edition, the “prepaid” service contract explicitly referred to a “judicial authority”. This year, however, the wording became even more generic, because that term was replaced by “public authority”, in line with the wording of the “postpaid” service contract.

Clause 16.6 postpaid and 17.5 prepaid: All information regarding the SUBSCRIBER which is part of the CLARO registration is confidential and will only be provided to these persons and in these situations: a) the SUBSCRIBER; b) the SUBSCRIBER’S legal representative with specific power of attorney; c) an attorney or specialized agency hired by CLARO for collection purposes; d) by determination of a public authority; e) other telecommunications service providers for the specific purpose of providing those services.

This wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. It is important that the company clearly states that internet connection logs can only be delivered upon a court order, according to the Marco Civil. Regarding subscriber data, the same law authorizes competent administrative authorities to request it without a court order. Currently, however, given the controversy about who the so-called “competent administrative authorities” are, it is crucial for the company to be transparent about its own interpretation of the law it applies when it receives requests to breach secrecy.

As we have stated since the first edition of this report, our intention is to take these distinctions into account, rewarding companies that promise to protect data according to the nuances of the law and that make their procedures and interpretations public. Thus, it is important for Claro to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances, as other large companies in the sector already do.

CATEGORY: Defense of users’ privacy in the courts

Result: 

Claro got a full star, as it fulfilled both parameters.

As for parameter I, Claro was rewarded because in 2017, together with other companies and through the National Association of Mobile Operators (Acel), it filed Direct Action of Unconstitutionality (ADI) 5642 at the Federal Supreme Court (STF), contesting a provision of Law 13.344/2016 that grants chiefs of police and members of the Public Prosecutor’s Office the prerogative of requesting information and data necessary for a criminal investigation in human trafficking cases without a court order. Acel requested a preliminary injunction so that the STF would interpret Law 13.344/2016 in conformity with the Federal Constitution, ruling out the reading that would allow measures such as telematic and voice interception, real-time location of a citizen’s device or IMEI (International Mobile Equipment Identity) through RBS (Radio Base Station), RBS logs, subscriber data of IP users, call and SMS logs and other confidential data. On the merits, it asks for a declaration of partial unconstitutionality of the contested provision.

We also found, in the case-law database of the São Paulo Court of Justice’s website, the decision in a case in which Claro filed a Writ of Mandamus against a police authority’s request for the subscriber data of users whose SIM cards were allegedly being used in stolen mobile phones. This is Appeal no. 0003082-21.2014.8.26.0205, reported by Rapporteur Judge Maria Tereza do Amaral and decided by the 11th Criminal Law Chamber on March 15th, 2017. The company refused to disclose the data on the grounds that its release would violate individual rights and guarantees. With this, it met parameter II.

CATEGORY: Pro-user privacy public engagement

Result:  

Claro did not get a star, because it did not meet any of the parameters.

On several occasions during the year, ISPs had the opportunity to take a position on public policies and draft bills affecting users’ privacy and data protection. After searching official government websites, the specialized press, traditional media and the companies’ press rooms, we did not find any such material signed by Claro. Therefore it met none of the parameters.

In the engagement phase, Claro did not send us any material along these lines, since it did not engage with the project.

CATEGORY: Transparency reports about data requests

Result: 

Claro did not get a star, because it did not meet the parameter.

The América Móvil group, of which Claro is a part, publishes a sustainability report about its activities in Brazil. However, this report contains no information about government data requests.

CATEGORY: User notification

Result: 

Claro did not get a star, because we did not find in the materials consulted any mention of user notification mechanisms for requests by State authorities in cases where the law imposes no confidentiality requirement.

NET

CATEGORY: Information about data processing

Result: 

NET did not get a star, because it only met one parameter (VI). Unlike in the first edition, the contract no longer contains any information about the processing of customers’ personal data, and it was not possible to find any other information on the website to replace what was removed from the contract.

In the contract, the company refers to ANATEL provisions that establish rights and duties:

Clause 35.02. The rights and duties of subscribers of the multimedia communication service are set out in Articles 56, 57 and 58 of ANATEL Resolution 614/2013. The rights and obligations of the PROVIDER are set out in Articles 41 to 55 of the same Resolution.

Several of these provisions have implications for the companies’ privacy policies. InternetLab understands that the company may prefer not to include extensive legal provisions in its contracts. At the same time, however, the company cannot refrain from informing customers about its policies on the collection, use, storage, security and sharing of personal data, which can be more detailed and extensive. For instance, the company could display on its website its policies and efforts for protecting users’ privacy.

The sole parameter the company met was ease of access to the contract on its website (VI), which is linked at the bottom of NET’s homepage (http://www.netcombo.com.br), under the item on contracts and regulations. Customers should therefore have little difficulty finding this kind of information. But meeting one parameter is not enough to earn a star.

CATEGORY: Information about data disclosure to government authorities

Result:

NET got ¼ star, because it only fulfilled parameter I, by making generic references to the law and to the situations in which data may be provided to authorities.

In clause 28.01 of the contract, it states that, in the event of the harmful practices listed in that same document, it may make any and all information about the subscriber available at any time to the competent authorities, as well as cancel their account automatically, without prior warning.

Clause 28.01. Without prejudice to other unmentioned practices, the following are considered harmful practices to the NET VÍRTUA service and/or to other SUBSCRIBERS, subjecting the infringer to all applicable legal sanctions, including contract termination:

a) The SUBSCRIBER is responsible for maintaining the configuration of the machine used to access the services contracted herein, and is forbidden from altering this configuration in an attempt to shift responsibility to third parties or to hide identity or authorship. In the event of the cases mentioned herein, the PROVIDER may make any and all information about the subscriber available at any time to the competent authorities, as well as cancel their account automatically, without prior warning, and the SUBSCRIBER will be civilly and criminally liable for the acts committed;

The wording of the provision gives the impression that data is disclosed to authorities only when the user engages in activities harmful to the company, which is not the case in practice. Thus, there is room for improvement.

Still on this aspect, it is worth mentioning that the company refers to ANATEL provisions that establish rights and duties:

Clause 35.02. The rights and duties of the multimedia communication service subscribers are provisioned in articles 56, 57 and 58 of ANATEL’s 614/2013 Resolution. The rights and obligations of the PROVIDER are provisioned in articles 41 to 55 of the same Resolution.

Among the duties that ANATEL’s resolutions impose on companies are safeguarding the confidentiality of customers’ information and collaborating with authorities as provided by law. However, NET does not clearly inform its customers of what types of data it delivers and under which circumstances.

InternetLab considers the wording adopted generic, with room for improvement.

The wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. It is therefore important that the company state clearly that, under the Marco Civil, internet connection logs can only be delivered upon a court order, whereas subscriber data may be requested without a court order by the competent administrative authorities. Given the current controversy over who the so-called “competent administrative authorities” are, it is crucial for the company to be transparent about its own interpretation of the law it applies when receiving requests for breach of secrecy.

As we have noted since the first edition of this report, our intention is to take these distinctions into account, rewarding companies that commit to protecting data according to the nuances of the law and that make their procedures and interpretations public. It is therefore important for NET to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances, as other large companies in the sector already do.

CATEGORY: Defense of users’ privacy in the courts

Result:

NET did not get a star, because it did not fulfill any of the parameters.

We did not find any legal case in which NET challenged legislation. Nor did we find cases in which it defended users from abusive data demands.

It is worth noting that, unlike the other analyzed companies, which received credit for parameter I for filing Direct Action of Unconstitutionality (ADI) 5642 at the Federal Supreme Court (STF), through the National Association of Mobile Operators (Acel), contesting a provision of Law 13.344/2016, NET is a broadband Internet provider. The constitutional challenge in question was brought by a group of mobile operators, which are also mobile Internet providers. NET is, however, also subject to the obligations of this law, which could have given it reason to challenge it.

During the engagement phase, we asked all companies to send us examples of legal actions in which they challenged abusive data requests by authorities. NET, however, did not collaborate with the project.

CATEGORY: Pro-user privacy public engagement

Result: 

NET did not get a star, as it did not meet any parameter.

On several occasions during the year, ISPs had the opportunity to take a public position on public policies and draft bills that affect users’ privacy and data protection. After searching the specialized press, traditional media and the companies’ press rooms, we did not find any such material signed by NET.

During the engagement phase, we asked the companies to inform us if they had participated in events or public debates on these topics and, in them, had spoken in favor of users’ privacy, indicating the respective documents and/or public records of that participation, so that we could consider it in our evaluation. NET, however, did not collaborate with the project.

CATEGORY: Transparency reports about data requests

Result: 

NET did not get a star, because it did not meet the parameter.

The América Móvil group, of which NET is a part, publishes a sustainability report about its activities in Brazil. However, this report does not contain any information about government data requests.

CATEGORY: User notification

Result: 

NET did not get a star, because we did not find in the materials consulted any mention of user notification mechanisms in cases of requests by State authorities in which the law imposes no confidentiality requirements.


OI

CATEGORY: Information about data processing

Oi – Fixed broadband

Result:

Oi Broadband did not get a star, since it only partially fulfilled parameter IV and fully fulfilled parameter VI, totalling fewer than 2 parameters, the minimum required for ¼ star.

The contract does not offer much information about the data collected. Some general information could be found in its Sustainability Report.

Regarding parameter IV, the company states in its Sustainability Report (p. 5 and 26) that data protection is one of its areas of focus and that it takes security measures. Furthermore, its internal security policy (a document with guidelines for employees and interns) mentions that employees should be careful when using or accessing this data. However, the terms used are always generic, so the company only partially meets the parameter. It is important to mention that, during the engagement phase, the company did share information about its guidelines on how employees should handle customers’ personal data. However, as this document is not available to the public, it was not considered in this evaluation. InternetLab advises the company to publish it in a manner accessible to its customers and to the public in general.

As for parameter VI, the contracts can easily be found at the end of each plan’s page, under the item “Legal Information”.

It is important to highlight that, during the engagement phase, the company indicated that it would implement changes in its contracts by the end of April 2018, which would give users more information about the processing of their data. This will be considered in next year’s edition.

Oi – Mobile

Result: 

Oi Mobile did not get a star, since it only partially fulfilled parameter IV and fully fulfilled parameter VI, totalling fewer than 2 parameters, the minimum required for ¼ star.

The justifications for parameters IV and VI are the same as for Oi Broadband.

CATEGORY: Information about data disclosure to government authorities

Result: 

Oi got ¼ star, because it fulfilled parameter I.

Regarding parameter I, Oi’s Sustainability Report (p. 29) states that privacy and data will be respected, except in the constitutional and legal cases of breach of confidentiality:

The subscriber data and other telephone communication information of customers are only revealed to public authorities in the constitutional and legal cases of breach of telecommunication secrecy.

In the Oi Broadband contract, there is a provision to the same effect:

Clause 8.9. To receive a billing document with the discrimination of the charged values for the providing of OI BROADBAND SERVICES, as well as the respect to their privacy in these documents and in the use of their personal data by Oi, except in the legal cases of breach of confidentiality established by constitutional law.

However, the evaluated company materials do not distinguish between the cases and kinds of data that require a court order and those that require only a request by a competent authority; therefore, it does not meet the other parameters.

The wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. It is therefore important that the company state clearly that, under the Marco Civil, internet connection logs can only be delivered upon a court order, whereas subscriber data may be requested without a court order by the competent administrative authorities. Given the current controversy over who the so-called “competent administrative authorities” are, it is crucial for the company to be transparent about its own interpretation of the law it applies when receiving requests for breach of secrecy.

As we have noted since the first edition of this report, our intention is to take these distinctions into account, rewarding companies that commit to protecting data according to the nuances of the law and that make their procedures and interpretations public. It is therefore important for Oi to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances, like other large companies in the sector.

It is important to highlight that, during the engagement phase, the company indicated that it would implement changes in its contracts by the end of April 2018, which would give users more information about the processing of their data. This will be considered in next year’s edition.

CATEGORY: Defense of users’ privacy in the courts

Result: 

Oi got a full star, as it fulfilled both parameters.

As for parameter I, Oi was rewarded because in 2017 it filed Direct Action of Unconstitutionality (ADI) 5642, along with other companies, through the National Association of Mobile Operators (Acel) at the Federal Supreme Court (STF), contesting a provision of Law 13.344/2016 that grants chiefs of police and members of the Public Prosecutor’s Office the prerogative of requesting, without a court order, information and data necessary for a criminal investigation in cases of human trafficking. Acel requests a preliminary injunction so that the STF interprets Law 13.344/2016 in accordance with the Federal Constitution, in a way that precludes the interpretation that would allow measures such as telematic and voice interceptions, real-time location of a citizen’s device or IMEI (International Mobile Equipment Identity) through RBS (Radio Base Station), RBS logs, subscriber data of IP users, call and SMS logs, among other confidential data. On the merits, it asks for a declaration of partial unconstitutionality of the challenged provision.

Regarding parameter II, InternetLab conducted independent searches on the São Paulo Court of Justice’s website with the keyword “Oi SA” combined with other terms, such as “breach + secrecy”, “breach + secrecy + investigation” or “investigation + Marco Civil da Internet”. We found lawsuits by natural persons who requested other people’s data. We also found Habeas Corpus nº 2022284-75.2017.8.26.0000, the subject of which is the manager responsible for breach of confidentiality at Oi SA. It reports a situation in which a police authority requested access to subscriber data, call logs, and the location of several individuals. The police authority’s request was granted by court order. However, Oi SA challenged this request, arguing that it was generic and did not specify the individuals targeted by the measure, so that, had the company complied with the court order, the police authority could have obtained data on everyone who used the company’s antenna in the region. We therefore considered that Oi challenged an abusive request, fulfilling this parameter.

CATEGORY: Pro-user privacy public engagement

Result:

Oi got ¼ star, since it met parameter I.

During the engagement phase, the company sent us some items from its participation in the public consultation “The Brazilian Strategy for Digital Transformation”, promoted by the Ministry of Science, Technology, Innovation and Communications. Despite having defended other important points, such as the strengthening of cybersecurity mechanisms and consumer rights on the Internet, the company did not take a stand on the topics assessed in this WDYD edition, so it did not meet the other parameters.

CATEGORY: Transparency reports about data requests

Result: 

Oi did not get a star, because it did not meet any of the parameters.

In the Sustainability Report, the company only states that it delivers subscriber data and other data to public authorities in the cases provided for in current legislation. However, it presented no statistics and did not identify who these public authorities are.

CATEGORY: User notification

Result: 

Oi did not get a star, because it did not meet the parameter.

We did not find in the materials consulted any mention of user notification mechanisms in cases in which there are no confidentiality requirements.


TIM

CATEGORY: Information about data processing

TIM Broadband

Result: 

TIM Broadband got ½ star, as it fully met the parameters on data security (IV) and ease of access to information (VI) and partially met the parameters on the use of data by the company (II) and by third parties (V), totalling three fulfilled parameters.

The company does not provide information or complete legal references about the data it collects (I).

For parameter II (data processing and use), clause 3.1 (r) states that TIM is obliged to strictly safeguard the confidentiality inherent to telecommunication services and the confidentiality of subscribers’ data and information, using all means and technology needed to assure this right of users. Clause 4.2 (j) contains a provision to the same effect.

Clause 3.1 (r): TIM’s obligations are to strictly zeal for the inherent confidentiality of the telecommunication services and for the subscriber’s data and information confidentiality, using all means and technology needed to assure this users’ right.

Clause 4.2 (j) the respect of the user’s privacy in the collecting documents and in the use of their personal data by the provider.

In addition, the Sustainability Report states that access to users’ subscriber data and communication data is allowed only to employees who need to access this information for their professional activities.

Nevertheless, as there is no complete information on how the company uses and processes the collected data, fulfilment of parameter II is only partial.

There is no information about data storage (parameter III).

Regarding parameter IV, the company partially fulfills it, as it states in the Sustainability Report that, in the area of security, it follows the best practices in the market, according to ISO 27001 (although it does not hold the certification). InternetLab recommends that this information be made more visible and accessible to customers, considering that article 16 of Decree 8.771/2016 refers to “clear and accessible divulgation, preferably through their websites on the internet”.

Regarding parameter V (use of data by third parties), clause 4.2 (e) states that the inviolability and confidentiality of communication are customers’ rights, subject to the hypotheses and constitutional and legal conditions for breach of telecommunications secrecy and to the activities of intermediation of communication of people with disabilities, under the terms of the regulation.

Clause 4.2 (e) the inviolability and confidentiality of communication are customer’s rights, if respected the hypotheses and constitutional and legal conditions for breach of secrecy of telecommunications and the activities of intermediation of communication of people with disabilities, in the terms of the regulamentation;

However, the company does not state whether these are the only cases in which third parties have access to and/or use customers’ data.

Lastly, regarding parameter VI, information is easy to access, since the website is concise and the contracts and terms of service can be reached at the bottom of each service option’s page.

During the engagement phase, TIM asserted that it should receive a full star in this category, arguing that the absence of administrative proceedings by the regulatory authority against the company attests to its legal compliance. In this sense, TIM confirmed that article 72 of the General Telecommunications Law (no. 9.472/1997), to which the company is subject as a telecommunication service provider, applies to the use of customer data; this information is not present in the contracts we analyzed, but TIM affirms that it provides the link to ANATEL’s website and ANATEL’s telephone number on its website. At InternetLab’s request, the link to the company’s Privacy Policy was supplied.

While praising the company’s engagement with the project, InternetLab understands that the company did not present sufficient reasons to alter its evaluation in this category. We understand QDSD to be a project that commends companies that adopt best practices in protecting their customers’ data when complying with legal obligations, as is the case when they inform, in an accessible, didactic and complete manner, how they process subscriber data. Besides, InternetLab notes that the Privacy Policy indicated by the company deals with data generated while browsing TIM’s website, and not with the policy adopted for data processed in providing the internet access service offered to its clients.

TIM Mobile

Result: 

TIM Mobile also got ½ star, as it fully met the parameters on data security (IV) and ease of access to information (VI) and partially met the parameters on the use of data by the company (II) and by third parties (V), totalling three fulfilled parameters.

Regarding parameters II and V, it is worth mentioning clause 3.3G of the prepaid plan (same terms in clause 3.5F of the postpaid plan), which assures the customer rights such as the inviolability and confidentiality of communication, subject to the legal hypotheses of breach of secrecy and safeguarding the hypothesis of provision of information exclusively for statistical purposes.

Clause 3.3g prepaid and 3.5 postpaid: The rights established in the SMP Regulation are assured to the CUSTOMER, such as inviolability and confidentiality of communication, if respected the hypotheses and constitutional and legal conditions for breach of secrecy of telecommunications and safeguarded the hypothesis of availability of information, exclusively to statistical purposes.

While the company claims to process its customers’ ‘communications’ with respect for confidentiality, TIM does not fully and clearly inform how its clients’ data is used by the company and for what purposes. It is also not clear whether the provision of information for statistical purposes and in response to breaches of secrecy are the only cases in which data is provided to third parties. For this reason, we considered TIM’s fulfilment of these parameters to be partial.

The previous observations made for TIM Broadband are also valid here.

CATEGORY: Information about data disclosure to government authorities

TIM Broadband

Result:

TIM Broadband got ¼ star, since it only fulfilled parameter I.

In clause 4.2 (e) of the contract, TIM states that the inviolability and confidentiality of communication are customers’ rights, subject to the hypotheses and constitutional and legal conditions for breach of telecommunications secrecy.

Clause 4.2 (e) the inviolability and confidentiality of communication are customer’s rights, if respected the hypotheses and constitutional and legal conditions for breach of secrecy of telecommunications and the activities of intermediation of communication of people with disabilities, in the terms of the regulamentation;

In clause 14.01 (g) of the contract, TIM Broadband also states that it may provide to the competent authorities any and all information about subscribers who engage in illicit activities:

Clause 14.1 (g) the contract can be unilaterally extinct by TIM in case the use of the service for the practice of criminal acts is proven, notably in crimes against children and adolescents provisioned in the Child and Adolescent Statute (ECA) and other applicable legislation, safeguarding TIM’s right to seek an eventual indemnity for losses and damages in face of the customer in case it is sued by harmed third parties, in the scope of civil or criminal demands that evoke liability through the practice of such offensive acts, through LIVE TIM, including being available to TIM to provide all of the customer’s subscriber data to the judicial authorities in the form of the law 12.965/2014 for the ascertainment of the illicit and the due responsibilization of the author of the offenses. (our highlight)

In the sustainability report, the company states that information on subscriber data and telephone communications is provided to authorities authorized by law and in cases of compliance with court orders for the interception of telephone calls:

Information on subscriber data and telephonic communications are provided to the authorities authorized by law and in the cases of compliance with court orders for the interception of telephone calls (p. 40)

InternetLab considers the wording adopted generic, with room for improvement.

The wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. It is therefore important that the company state clearly that, under the Marco Civil, internet connection logs can only be delivered upon a court order, whereas subscriber data may be requested without a court order by the competent administrative authorities. Given the current controversy over who the so-called “competent administrative authorities” are, it is crucial for the company to be transparent about its own interpretation of the law it applies when receiving requests for breach of secrecy.

As we have noted since the first edition of this report, our intention is to take these distinctions into account, rewarding companies that commit to protecting data according to the nuances of the law and that make their procedures and interpretations public. It is therefore important for TIM to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances, as other large companies in the sector already do.

In the engagement phase, TIM contested the evaluation, requesting a review of the score on the grounds that there is no distinct treatment for “connection logs” in the sectoral legislation. InternetLab, however, saw no need to review the evaluation, as the company is indeed subject to the Brazilian Internet Civil Rights Framework and the other laws mentioned above.

The company also emphasizes that the generic wording of the contract and of the sustainability report does not imply that it disregards the legal parameters when responding to requests for breach of confidentiality. InternetLab agrees that such an assumption cannot be made, but clarifies that the goal of this category is to evaluate whether companies provide clear and complete information about how they handle these requests, which is why TIM cannot be rewarded in this category.

TIM Mobile

Result: 

TIM Mobile got ¼ star, since it only fulfilled parameter I.

Regarding parameter I, it is worth mentioning clause 3.3G of the prepaid plan (same terms in clause 3.5F of the postpaid plan), which assures the customer rights such as the inviolability and confidentiality of communication, subject to the legal hypotheses of breach of secrecy.

Clause 3.3g prepaid and 3.5 postpaid: The rights established in the SMP Regulation are assured to the CUSTOMER, such as inviolability and confidentiality of communication, if respected the hypotheses and constitutional and legal conditions for breach of secrecy of telecommunications and safeguarded the hypothesis of availability of information, exclusively to statistical purposes.

In clause 8.4 of the prepaid plan (same terms in clause 10.12 of the postpaid plan), the company states that it will treat users’ data and communications as secret and confidential, disclosure being allowed in case of a demand by a competent authority.

Clause 8.4 prepaid mode and 10.12 postpaid mode: TIM will provide secret and confidential treatment to CLIENT’s data and communications, being allowed disclosure in case of demand of a competent authority.

In the sustainability report, the company states that information on subscriber data and telephone communications is provided to authorities authorized by law and in cases of compliance with court orders for the interception of telephone calls:

Information on subscriber data and telephonic communications are provided to the authorities authorized by law and in the cases of compliance with court orders for the interception of telephone calls (p. 40)

InternetLab considers the wording adopted generic, with room for improvement. On this point, the considerations made for TIM Broadband also apply here.

CATEGORY: Defense of users’ privacy in the courts

Result:

TIM got ½ star, because it only fulfilled parameter I.

Regarding parameter I, TIM was rewarded because in 2017 it filed Direct Action of Unconstitutionality (ADI) 5642, along with other companies, through the National Association of Mobile Operators (Acel) at the Federal Supreme Court (STF), contesting a provision of Law 13.344/2016 that grants chiefs of police and members of the Public Prosecutor’s Office the prerogative of requesting, without a court order, information and data necessary for a criminal investigation in cases of human trafficking. Acel requests a preliminary injunction so that the STF interprets Law 13.344/2016 in accordance with the Federal Constitution, in a way that precludes the interpretation that would allow measures such as telematic and voice interceptions, real-time location of a citizen’s device or IMEI (International Mobile Equipment Identity) through RBS (Radio Base Station), RBS logs, subscriber data of IP users, call and SMS logs, among other confidential data. On the merits, it asks for a declaration of partial unconstitutionality of the challenged provision.

Regarding parameter II, we searched the website of the São Paulo Court of Justice with the keyword “TIM” combined with other terms such as “breach AND confidentiality” or “breach AND confidentiality AND internet”. We found two relevant results, but of a civil nature, which is outside the scope of parameter II. In Motion for Clarification no. 0054386-98.2012.8.26.0053/50000, TIM contested the decision that authorized the breach of confidentiality, claiming that it could not comply with the order since the customers’ authorization for the provision of data was not in the records. In Appeal no. 1013983-74.2016.8.26.0071, TIM had denied, at the administrative level, the request of a user who received “anonymous” calls and wanted to know the originating number and the Individual Taxpayer Identification Number (CPF) of the line’s owner, on the grounds that this information was confidential. The decision, however, favored the provision of this data by the company. InternetLab praises the company for having challenged, at the civil level, requests that sought to exceed the legal limits of privacy protection; nevertheless, TIM cannot be rewarded for them, since the category only covers cases in which the requests come from State authorities before the judiciary (and not from natural persons or at merely administrative levels).

During the engagement phase, we asked all companies to send us examples of legal actions in which they challenged abusive data requests by authorities, so that they could be considered in the final evaluation. Despite the company’s engagement, it did not send us any material of this kind, so it did not fulfill parameter II.

CATEGORY: Pro-user privacy public engagement

Result: 

TIM got ¾ star, because it met parameters I, III and IV.

In the engagement phase, TIM informed InternetLab that it participated in the Public Consultation for the “Brazilian Strategy for the Digital Transformation” of the Ministry of Science, Technology, Innovation and Communications. In it, the company raised questions about consumer privacy and data protection. On this basis, we considered parameter I fulfilled.

In its contribution to the Consultation, the company identified as a priority action the definition of a regulatory framework that secures consumers’ informational autonomy. However, TIM does not mention the need for specific data protection legislation, and even denies its priority in the section “Trust in the digital environment” of the Digital Strategy. Given this, we considered that parameter II was not met.

Regarding parameter III, TIM defended the use of privacy and security solutions “by default” and of “privacy since the conception” (privacy by design) as security techniques, and affirmed that they should be well characterized:

  • To create patterns and a privacy by design and default and security by design and default certification for the national production and acquisitions on the ICTs sector.
  • The requirements for the security of access to public devices and transmission and data storage also have to be well characterized by the responsible company in order to safeguard the network against attacks and unauthorized access.

Finally, TIM also met parameter IV, since it advocated the adoption of internationally consolidated practices on the matter:

It is necessary to establish a regulatory approach that is flexible enough for the market to generate business models that are attractive for their target audience without compromising the rights and guarantees of users and to create different levels of security and cybernetic defense that secure the adequate protection to the privacy of all data that will be generated by new devices. It is worth noting that this should also mean the creation of simplified business models for cases in which the data transferred do not contain critical information to the user’s privacy or to industrial secrets. TIM believes that data protection rules should be in conformity to the international standard on the matter.

CATEGORY: Transparency reports about data requests

Result: 

TIM did not get a star, because it did not meet the parameter.

TIM publishes a sustainability report about its activities in Brazil. However, this report does not contain any information about data requests received and answered. Even in the “transparency” section, the company does not provide any information of this kind.

At the engagement stage, TIM reiterated to InternetLab that it is not legally required to disclose statistics, that the Brazilian Internet Civil Rights Framework imposes obligations on the authorities and that, for security reasons, it considers such disclosure by the company inadvisable. It stressed, however, that, when requested in a reasoned manner, it provides aggregate data on demands to authorities of the Judiciary or Public Security.

The company asked for this category to be reviewed in light of these considerations. InternetLab understands the company’s concerns, but emphasizes the importance of transparency for improving mechanisms of State accountability, and the fact that this practice is increasingly widespread in many countries around the world, including among many telecommunications companies.

CATEGORY: User notification

Result: 

TIM did not get a star, because it did not meet the parameter.

TIM did not get a star, because it does not apply user notification mechanisms in cases of requests by State authorities in which there are no confidentiality requirements by law.


VIVO

CATEGORY: Information about data processing

Vivo – Fixed Broadband  

Result: 

Vivo got a full star, because it met all parameters.

Regarding parameter I, there is a new clause in its fixed broadband contract: “13. Uses of Client’s Personal Data”. In this clause, as its name suggests, there is important information about data processing. In addition, in the newly opened Privacy Center section on Vivo’s website, there is an educational video about the main points concerning data protection and a FAQ in which users can find detailed information.

In the description of the results of Vivo – Fixed Broadband, the focus will be on the contracts, but the Privacy Center information – included in the description in the Vivo Mobile section – is also valid here.

Regarding parameters I and II, clause 13.1 states which data are collected during the provision of the service, how this is done and for what purposes the data are used.

13. Uses of Customer’s Personal Data
13.1. The CLIENT’s personal data collected by VIVO under this Contract will be treated in accordance with the current legislation and applicable regulations, exclusively for the purpose of providing the telecommunication service(s), object of this Contract, as well as for profile analysis of the CLIENT, or for marketing purposes, in order to (i) guarantee the suitability of the best offers according to the CLIENT’s needs; and (ii) to improve the performance of the services rendered, and this data may be treated by VIVO, its partners or third parties contracted by VIVO. There will be processes to ensure the anonymization of this data in order to allow analysis and construction of standards, behaviors, choices and consumptions for the purposes here described.

As for parameter III, in clauses 13.2 and 13.3 the company describes for how long and by whom the customer’s personal data and connection records will be stored.

13.2 The CLIENT’s personal data collected by VIVO under this Contract shall be stored by VIVO or by a third party subcontracted by VIVO for a term of 5 (five) years, and the Contracts signed with the CLIENTS are stored for a period of 10 (ten) years, in order to guarantee the fulfillment of the applicable legal obligations. It is guaranteed to the CLIENTS that during the storage of their personal data by VIVO or by subcontracted third parties measures of security and physical and logical protection of the information will be adopted.

13.3. By legal provision, VIVO will store the records of its connection to the Internet for a period of one (1) year, and those records will be protected by the adoption of physical and logical security measures that allow to safeguard the security and confidentiality of connection records, so that after the expiration of one (1) year, VIVO will delete all connection records. The police or administrative authority or the Public Prosecutor’s Office may request the temporary storage of the connection records for an additional period of time, as well as the physical and logical protection of information.

Regarding parameter IV, in the Sustainability Report (page 47) the company describes some of the security standards used to protect users, such as datacenters certified according to the ISO 27000 and 27001 standards. Furthermore, in clause 13.1, the company states that personal data are anonymized before analysis.

In Brazil, in order to reinforce our commitment to digital trust, we have datacenters certified according to ISO 27000 and 27001 standards, an international benchmark for information security management. We also have regulations, internal procedures and awareness actions that ensure the privacy of information and restricted access to such data, as stipulated by the Global Privacy Policy.

Regarding parameter V, in clause 13.1 the company gives examples of the circumstances under which it will share data with partners or third parties contracted by Vivo. In addition, clause 13.6 states that by signing the agreement the client authorizes Vivo to disclose their name as part of the Customer Relationship in Brazil, and that the customer may cancel this authorization by sending a written notice to the company. Clause 13.7 states that, apart from the provisions in the previous items, other personal data, subscriber data and internet connection logs will not be shared with third parties except with free, express and informed consent or in the cases provided for by law.

13.6 The CLIENT hereby authorizes VIVO to disclose its name as part of the Customer Relationship in Brazil. The CLIENT may cancel the authorization provided in this item, at any time, without justification, by prior written notice to VIVO.

13.7 With the exception of what was described in the previous items, other personal data, including internet connection logs, shall not be provided to third parties, except by free, express and informed consent or in the cases provided for by law identified in clause 13.4 and 13.5 of this Contract.

Regarding parameter VI, all the contracts are available on the company website by clicking the option to search more information about the plans. To read more about the information available in the Privacy Center, see comments on the evaluation of Vivo Mobile.

Vivo – Mobile

Result: 

Vivo got a full star, because it met all parameters.

It is important to point out that the mobile phone contracts, in both the postpaid and prepaid modalities, offer almost no information on data collection. Some general information can be found in the Sustainability Report, and more in the recently launched Privacy Center page on Vivo’s website. On that page there is a brief video about the main points of the company’s data protection practices, and through the menu and a FAQ section users can find more detailed information.

Regarding parameter I, Vivo distinguishes, in both the video and the text, which data is and is not collected (for example, it states that it does not collect what the user does on social networks or what type of content they prefer):

Vivo collects your information according to the service you use. Learn what this information consists of:

– Subscriber data: what you have made available when contracting our services.
– Data volumes transported over the internet via 2G, 3G and/or 4G network.
– History of uses of the products and services contracted: it is exactly what the name says, but it is important to know that this history does not involve registration of access to apps used on your mobile phone or what you did on social networks or sites. That’s only true for Vivo apps! This data is collected in order to make the app better and better.
– SMS events inside and outside the national Vivo network: this collection includes international Vivo events and international roaming operators.
– Private individuals’ and legal entities’ telephone records.
– Information on charging systems, issuance of telephone bills, generation of fiscal books and accounting records.
– Transactions of recharges and concession of quotas plans regarding the navigation volume of prepaid clients.
– Customer service data in stores and call center.

Regarding parameter II, in the subsection “For which means and how do we collect information?”, the company describes some of the purposes of data collection, such as improving the network service and customizing the service.

(…) Therefore, let us explain here the reasons for collecting all this information:

– To recharge transactions and grant quotas of prepaid customers’ navigation plans.
– To improve network performance and increase the quality of our services.
– To fix failures in mobile, fixed network and TV services even faster.
– To make the processes for the preparation of plans, services and other personalized offers even closer to your profile.
– To assess the demand by geographic region.
– To assist in the making of strategic decisions by VIVO, such as redistributing the signal or redirecting the portfolio of personalized services and offers.
– To improve the relationship experience between you and Vivo.

In another subsection, “How long do we store data?”, the company states the minimum data storage period.

According to the Brazilian Civil Rights Framework, Vivo stores its internet connection logs for at least 1 year; these consist of the information about the time of the internet connections and the IP used for sending and receiving data.
Your subscriber data (such as full name, address and CPF) and billing data (such as tax documents) are stored for at least 5 years for legal and administrative proceedings.
We do not record content from app providers other than the ones we created. So, in this particular case, according to the Brazilian Civil Rights Framework, we keep the registry for up to 6 months, under secrecy, in a controlled and secure environment.

Although parameter III is met, there is room for improvement here: the text could indicate when the company will actually delete the data.

As for parameter IV, in the Sustainability Report (page 47) the company describes some of the security standards that it uses to protect its users.

In Brazil, in order to reinforce our commitment to digital trust, we have datacenters certified according to ISO 27000 and 27001 standards, an international benchmark for information security management. We also have regulations, internal procedures and awareness actions that ensure the privacy of information and restricted access to such data, as stipulated by the Global Privacy Policy.

In addition, in the “Privacy Center” the company also describes the security standards it uses, states that its partners have signed a security policy and that it has a Corporate Information Security Policy establishing mandatory guidelines for all employees. Regarding anonymization, in the subsection “Where do we share this data?”, the company states that when Vivo conducts behavioral studies at events that draw an audience to a given location, it is not possible to individualize this information; it affirms that individualized information is shared only with the client’s authorization.

To ensure that all your data is protected both internally at Vivo and with our partners, all our employees sign a renewed agreement every year, committing themselves to maintaining the privacy of data and information.
We also have the Corporate Information Security Policy, which establishes mandatory security guidelines for all employees. This policy aims to implement actions targeted to comply with the basic controls of information security.

Confidentiality: We allow access to data and our systems only to authorized persons, according to the “principle of minimum privilege”.
Integrity: We maintain the reliability of data and information against any kind of alteration, either accidentally or fraudulently.
Availability: We have established the necessary controls so that the information is available to be accessed when necessary.
Auditability: We allow any action or transaction to be univocally related, ensuring compliance with the fundamental controls established in the respective standards and norms.

Should any security incidents occur, we are committed to acting promptly and responsibly in order to minimize impacts and possible damages. We also maintain a business continuity plan to reduce potential impacts to you that may affect service delivery.
Vivo uses resources to investigate security vulnerabilities that put your privacy at risk by ensuring that the right fix measures are implemented.
You will only be informed of relevant cases where the loss, misuse or disclosure of information has occurred due to a breach of the security of the company’s systems and networks, or that are related to an internal technical decision or action. In these cases, you will be informed about the corrective actions to be taken and recommendations to protect your interests. In our relationship with legal authorities, we respect local laws and regulations.

As for parameter V, in the informational video the company states that the data is seen only by authorized persons and that employees must sign confidentiality terms. In the subsection “Where do we share this data?”, it states that individualized data are disclosed to partners only if authorized by the client.

Eventually, Vivo may support a behavioral study at events that promote the displacement of an audience in a given location. It is important to note, however, that in this case no form of individualization of information is possible. Individual information will only be shared with partners if you authorize it.

As for parameter VI, all contracts are available on the company website by clicking the option to see more information about the plans, which fulfills it. However, since most of the information relevant to the fulfillment of the parameters is found not in the contracts but in the “Privacy Center” and the Sustainability Report, the accessibility of these materials is as important as that of the contracts. When accessing Vivo’s homepage, we are taken to the “Para Você” tab, which deals with the various plans and services offered by the operator. In order to find the “Privacy Center”, it is necessary to switch tabs within the site, as shown in the images below:


Fig.1 To the left of the screen, the home page of Vivo and, on the right, the “A Vivo” tab, where you can find the “Privacy Center” in the “A Marca” submenu.

It is true that the “Privacy Center” page is more accessible and more easily found on the website than the Sustainability Report, and that the initiative is very innovative within the Brazilian panorama, showing Vivo’s commitment to privacy and access to information, which InternetLab commends. However, we recommend that this type of information be made more easily accessible to customers and that the company strive to publicize it. For example, the video that explains and presents the “Privacy Center” was published on January 8 and by the end of February it had only approximately 3,500 accesses, a figure far below the company’s number of clients.

Moreover, although all the information is publicly available, there is a large difference between the information available in the mobile and broadband contracts, which we recommend be corrected. In addition, we suggest that the contracts refer to the “Privacy Center”.

CATEGORY: Information about data disclosure to government authorities

Result:

Vivo got a full star, since it met parameters I, III and IV.

Regarding parameter I, in the Sustainability Report (page 13) the company affirms that it seeks to comply with the legislation and regulatory frameworks at the national level.

We seek to ensure compliance with legislation and regulatory frameworks at the international, national and regional levels to anticipate trends and changes in regulation that may influence our business.

Also in the “Privacy Center”, subsection “Break of Secrecy”, the company affirms that there are some situations in which it may share information, according to the legislation in force in Brazil:

There may be some situation in which we will have to share your information, as in the case of court orders and requests from competent authorities, in accordance with current Brazilian legislation. Thus, internet connection logs, voice and data records may be disclosed without your knowledge.

Regarding parameters II, III and IV, in the Communication Transparency Report 2017 the company states under which hypotheses it discloses subscriber data and internet connection logs to authorities, defining which authorities are competent, according to the listed Brazilian legislation, to order interceptions and to request metadata.

[Interceptions] Competent authorities

  • According to article 3 of the Brazilian Federal Law n. 9.296/1996 (Law of Interceptions), only the judge (of the criminal sphere) can determine the interceptions (telephonic or telematic), by request of the Prosecutor’s Office or the Police Authority.

[Metadata] Competent authorities

  • Prosecutor’s Office, Police Authority and judges of any sphere: the name and address of the registered user (subscriber data), as well as the identity of the communication devices (including IMSI or IMEI).

  • Judges of any sphere: the data for identification of the origin and destination of a communication (for example, telephone numbers, user names for Internet services), date, time and duration of a communication and device localization. (p. 11-12)

This means that Vivo delivers subscriber data upon requests from Prosecutor’s Office representatives, police authorities and judges. Internet connection logs, however, are made available only upon a court order, as also stated in the contracts.

InternetLab praises Telefónica Global’s conduct in making public its interpretation of which authorities are competent to request users’ data and under which circumstances. However, we emphasize that this information needs to be presented in Portuguese, whether in contracts, in the Sustainability Report or in other materials, for the company to continue to be fully scored in the next editions.

CATEGORY: Defense of users’ privacy in the courts

Result: 

Vivo got ½ star, as it fulfilled parameter I.

Regarding parameter I, Vivo was rewarded because in 2017 it filed the Direct Action of Unconstitutionality (ADI) 5642, along with other companies, through the National Association of Mobile Operators (Acel) at the Federal Supreme Court (STF), contesting a provision of Law 13.344/2016, which grants chiefs of police and members of the Public Prosecutor’s Office the prerogative of requesting information and data necessary for a criminal investigation in cases of human trafficking independently of a court order. Acel requests a preliminary injunction so that the STF interprets Law 13.344/2016 in accordance with the Federal Constitution, so as to block the interpretation that would allow measures such as telematic and voice interceptions, real-time localization of a citizen’s device or IMEI (International Mobile Equipment Identity) through RBS (Radio Base Station), RBS logs, subscriber data of IP users, call and SMS logs, among other confidential data. On the merits, it asks for a declaration of partial unconstitutionality of the contested provision.

As for parameter II, InternetLab conducted independent and exploratory searches on the São Paulo Court of Justice (Tribunal de Justiça de São Paulo) website using the following keywords: “telefônica brasil” or “Vivo” combined with other terms, such as “break + secrecy”, “break + secrecy + investigation” or “investigation + Marco Civil da Internet”. However, we were unable to find results in which the company contested abusive requests from government authorities in the judiciary. What could be found were civil actions involving private individuals, which fall outside parameter II. For example, in Appeal No. 1009410-37.2015.8.26.0100 a person requested a breach of data confidentiality in order to reveal the name of the person responsible for a telephone line that was used to prank the plaintiff. The company refused the request since it did not contain prior specific judicial authorization, as it would be outside the scope of a constitutional breach of secrecy.

Despite praising Vivo’s engagement in the project and its affirmation that it does contest abusive requests, the company did not send InternetLab evidence of judicial challenges to potentially unlawful requests from government authorities. The company only provided information regarding a request from a regulatory authority in an administrative procedure. Although we praise this conduct, it is beyond the scope of this category.

CATEGORY: Pro-user privacy public engagement

Result:

Vivo got ½ star, as it met parameters I and III.

During the engagement phase, the company sent us its contribution to the public consultation “Brazilian Strategy for Digital Transformation”, promoted by the Ministry of Science, Technology, Innovation and Communications, which fulfills parameter I.

Regarding parameter II, the company does not explicitly advocate the creation of a specific data protection law, but rather argues that the use of data by the public administration should be regulated. Thus, it only partially fulfills this parameter.

Do you consider that the set of strategic actions listed above is enough to achieve the goals of the Brazilian Strategy for Digital Transformation?

No, we consider that it would be important to include strategic actions in order to create a structure and procedures that involve a definition of procedures and limits to the use of personal data by state entities, in order to avoid the circulation of information without specific control. Currently, although issues involving the use of personal data are discussed at the level of the personal data protection draft bill, this discussion excludes data processing by the state entities, as observed in Draft Bill nº 5.276 / 2016. We understand that it would be extremely important to have a standard that regulates the use of personal data by the Public Administration, since its use is currently decentralized and uncontrolled, which generates great insecurity and risk of information leakage.

As for parameter III, the company stated that there must be technological resources that effectively protect users’ data, especially concerning Big Data services. However, the company did not mention specific measures to be taken.

Data Security and Protection: As services and processes are digitalized, more personal information will be stored and manipulated in the various instances of Big Data services. It is necessary that the custody and access to this asset be disciplined by technological resources and conditions that effectively ensure its protection.

The company also stated that the principles of privacy by design and privacy by default would be implicitly backed by Brazilian law, but it did not advocate that the adoption of these techniques be strengthened.

Telefonica understands that, although not explicitly envisaged by Brazilian law, privacy by design and privacy by default involve principles and concepts established in the Brazilian Civil Rights Framework, which is why they are in accordance with the country’s legal system.

CATEGORY: Transparency reports about data requests

Result: 

Vivo got a full star, since it met all parameters.

Despite the lack of information about data protection in the Sustainability Report produced by Telefônica Brasil (in Portuguese) compared with previous years, for the second consecutive year we found the publication Informe de Transparencia en las Comunicaciones de 2017, produced by the Telefônica Group (document in Spanish), containing details on the regulatory framework to which the group is subject in each country where it operates, the number of data requests received in each country between 2013 and 2016 and, specifically in the case of Brazil, which authorities are considered competent to make such requests.

In Brazil in 2016, there were over 398 thousand requests for interceptions and more than 1.5 million metadata requests. By including statistics on telephone and telematic interceptions carried out and on metadata delivered, the company fulfills the parameter.

InternetLab reiterates the importance of publishing this document in Portuguese, as stated in last year’s report. To continue receiving full credit in this category in future editions of the project, Vivo should produce this material in Portuguese and make it available on its Brazilian website.

CATEGORY: User notification

Result: 

Vivo did not get a star, because it did not meet the parameter.

In the “Privacy Center” on Vivo’s website there is the subsection “Breach of Confidentiality”, which has the following question “Is the customer notified in the case of breach of confidentiality?”. The company replies:

There might be a situation in which we have to share your information, like in the case of court orders and requests by competent authorities, according to the current legislation in Brazil. Thus, subscriber data, internet connection, voice, and data logs can be made available without your knowledge.

Therefore, the company informs customers that data might be made available without their knowledge but does not promise to notify them.


ALGAR

CATEGORY: Information about data processing

Result: 

Algar got ¼ star, because it partially fulfilled parameters IV and V and fully fulfilled parameter VI, totalling two parameters.

Regarding parameter IV, in the Acceptable Use Policy the company states that it respects customers’ and users’ privacy, keeping the collected data under strict security and confidentiality standards. InternetLab considers the wording generic, with room for improvement. Thus, the company only partially fulfilled the parameter.

Regarding parameter V, in the Services Agreement, clause 4.2.6 (with the same terms in clause 4.2.11 of the Multimedia Communication Services Agreement) affirms the customers’ right to privacy regarding the collection documents and the usage of personal data by Algar. The contracts examined contain no further information about the processing of customers’ personal data, and no other information that could fill this gap was found on the company’s website. The company states that in certain points the website’s Privacy Policy also applies to its customers; however, since it does not distinguish between “customers” and “users”, the wording adopted does not clarify which points these are.

Clause 4.2.6 of the Services Agreement and Clause 4.2.11 of the Multimedia Communication Services Agreement: Without prejudice to the obligations undertaken on the other clauses of this contract and of the applicable legislation, the subscriber has a right to: the respect of their privacy regarding the collection documents and the usage of their personal data by the ISP.

InternetLab considers the wording generic, with room for improvement. Thus, the company only partially fulfilled the parameter.

The only parameter that the company fully fulfilled was ease of access to the contract on its website (VI), which is linked at the bottom of Algar’s homepage.

CATEGORY: Information about data disclosure to government authorities

Result:

Algar got ¼ star, because it only fulfilled parameter I.

In the Multimedia Communication Services Agreement, clause 5.2.15 states that the company may disclose data pertaining to the breach of secrecy of telecommunications to the judicial authority or to the authority with legal competence to determine the breach of secrecy.

Clause 5.2.15. Algar Telecom will observe the duty to strictly zeal for the inherent secrecy of telecommunications and for the subscribers’ data and information confidentiality, using all means and technology necessary to guarantee this right of the subscriber and its respective users, disclosing eventual data pertaining to the breach of secrecy of telecommunications to the judicial authority or to the authority with legal competence to determine the breach of secrecy.

This wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. In this sense, it is important that the company state clearly that internet connection logs can only be delivered upon a court order, according to the Marco Civil. Regarding subscriber data, the same law authorizes their request without a court order by the competent administrative authorities. Currently, however, given the controversy about who the so-called “competent administrative authorities” are, it is crucial for the company to be transparent about its own interpretation of the law it applies when receiving requests for breach of secrecy.

As we have stated since the first edition of this report, our intention is to take into account the specification of these differences, rewarding companies that promise to protect data according to the nuances existing in the law and make their procedures and interpretations public. Thus, it is important for Algar to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances.

CATEGORY: Defense of users’ privacy in the courts

Result: 

Algar got ½ star, because it met parameter I.

Regarding parameter I, Algar was rewarded because in 2017 it filed the Direct Action of Unconstitutionality (ADI) 5642, along with other companies, through the National Association of Mobile Operators (Acel) at the Federal Supreme Court (STF), contesting a provision of Law 13.344/2016, which grants chiefs of police and members of the Public Prosecutor’s Office the prerogative of requesting information and data necessary for a criminal investigation in cases of human trafficking independently of a court order. Acel requests a preliminary injunction so that the STF interprets Law 13.344/2016 in accordance with the Federal Constitution, so as to block the interpretation that would allow measures such as telematic and voice interceptions, real-time localization of a citizen’s device or IMEI (International Mobile Equipment Identity) through RBS (Radio Base Station), RBS logs, subscriber data of IP users, call and SMS logs, among other confidential data. On the merits, it asks for a declaration of partial unconstitutionality of the contested provision.

Regarding parameter II, we did not find any legal case in which Algar defended users against abusive data demands. In the engagement phase, the company did not send us any material evidence that could demonstrate fulfillment of the parameter.

CATEGORY: Pro-user privacy public engagement

Result: 

Algar did not get a star, as it did not meet any parameter.

On several occasions during the year, ISPs had the opportunity to take a position on public policies and draft bills that affect users’ privacy and data protection. After searching the specialized press, traditional media and the companies’ press rooms, we did not find any material of this kind signed by Algar.

In the engagement phase with the companies, we asked that, in case they had participated in events or public debates on these topics and, in them, taken a position in favor of users’ privacy (data storage, access to data, etc.), they inform us and indicate the respective documents and/or public records of that participation, so that we could consider it in our evaluation. Despite the company’s engagement, it did not send us any material evidence of this kind.

CATEGORY: Transparency reports about data requests

Result: 

Algar did not get a star, because it did not meet the parameter.

Algar publishes a sustainability report about its activities in Brazil. However, this report does not have any information about government data requests.

CATEGORY: User notification

Result: 

Algar did not get a star, because it did not meet the parameter.

In the materials consulted, we did not find any mention of user notification mechanisms for cases in which there are no confidentiality requirements.

In the engagement phase, we asked the company to send us material evidence of the existence of such practices or mechanisms. Algar, however, did not send us any material of this kind.


NEXTEL

CATEGORY: Information about data processing

Result: 

Nextel did not get a star, since it fully met only one parameter (V), falling short of the minimum of two points needed for ¼ of a star.

The contract provides almost no information about the data collected. Regarding parameter V, the company does provide information about the possibility of third parties accessing the data.

MOBILE SERVICE AGREEMENT: 7.1 In addition to the rights provided for in the other clauses of this contract and in the applicable legislation, the subscriber may: a. have the information about themselves that forms part of NEXTEL’s subscriber data, including the Code of Access, kept confidential; such information may only be disclosed in the following cases: (i) to the subscriber themselves or to an attorney-in-fact with specific powers to access such information; (ii) for promotional purposes in mailing lists in print or digital media, list support services and the like, provided the subscriber has authorized the disclosure of their name and Code of Access; (iii) to a specialized agency or database in the event of non-compliance with contractual obligations; (iv) by administrative or judicial determination.

Regarding parameter VI, we had great difficulty finding the contract on NEXTEL’s website and had to resort to external search engines to locate it.

During the engagement phase, the company argued that the absence of administrative proceedings by the regulatory authority attests to its legal compliance. It also stated that an isolated analysis of clause 7.1 of NEXTEL’s MSA does not support the conclusion that the company fails to give consumers the information in a correct manner.

While praising the company for its engagement with the project, InternetLab understands that the company did not present sufficient grounds to alter its evaluation in this category. We understand that QDSD is a project that rewards companies that adopt good customer data protection practices by complying with their legal obligations, as is the case when they inform users in a complete, accessible and didactic way about how they process their personal data. In addition, InternetLab agrees that one cannot conclude that the company does not provide information to its clients when requested, but clarifies that the purpose of this category is also to encourage transparency, clarity and ease of access to complete information, which is why NEXTEL cannot be rewarded on this point.

CATEGORY: Information about data disclosure to government authorities

Result:

NEXTEL got ¼ star, because it fulfilled only parameter II, by stating in its contract, in general terms, that subscriber data can be made available to third parties by administrative or judicial determination.

MOBILE SERVICE AGREEMENT: 7.1 In addition to the rights provided for in the other clauses of this contract and in the applicable legislation, the subscriber may: a. have the information about themselves that forms part of NEXTEL’s account information on the subscriber (subscriber data), including the Code of Access, kept confidential; such information may only be disclosed in the following cases: (…) (iv) by administrative or judicial determination.

The wording of clause 7.1 does not make clear to the user that subscriber data and connection logs receive different legal treatment; other publicly available material produced by the company does not make this clarification either. It is therefore important that the company clearly state that connection logs can only be disclosed under a court order, according to the Brazilian Internet Civil Rights Framework (Marco Civil da Internet). As for subscriber data, the same law authorizes competent administrative authorities to request it without a court order. Currently, however, given the controversy over who the “competent administrative authorities” are, it is crucial that the company be transparent about its own interpretation of the law, which it applies when handling requests to breach confidentiality.

As we have always stated, and emphasized to the company during the engagement phase, our intention is to take the specification of these differences into account, rewarding companies that promise to protect data according to the nuances of the law and that make their procedures and interpretations public. It is important that Nextel inform its clients as clearly as possible about which data it discloses and under which circumstances, as other big companies in the sector do.

CATEGORY: Defense of users’ privacy in the courts

Result: 

Nextel did not get a star, because it did not fulfill any of the parameters.

We did not find any lawsuits in which the company challenged provisions it considers harmful to privacy, so it does not fulfill parameter I.

Regarding parameter II, we searched the website of the São Paulo Court of Justice with the keyword “Nextel” combined with other terms, such as “breach + confidentiality + investigation” or “investigation + Marco Civil da Internet”. We did not find lawsuits in which Nextel challenged abusive data requests.

During the engagement phase, we did not receive any material or information attesting to the fulfillment of any parameter.

CATEGORY: Pro-user privacy public engagement

Result:

Nextel did not get a star, as it did not meet the parameter.

On several occasions during the year, ISPs had the opportunity to take a public position on public policies and draft bills affecting users’ privacy and data protection. After searching the specialized press, traditional media and the companies’ press rooms, we did not find any material of this kind signed by Nextel.

In the engagement phase, we asked the companies that, if they had participated in events or public debates on these topics and had there taken positions in favor of users’ privacy (data retention, access to data, etc.), they inform us and point us to the corresponding documents and/or public records of that participation, so that we could take it into account in our evaluation. Despite the company’s engagement, it did not send us any material evidence of this kind.

CATEGORY: Transparency reports about data requests

Result: 

Nextel did not get a star, because it did not meet the parameter.

On the company’s website, the most recent report listed dates from 2013 and, even so, it could not be accessed.

In the engagement phase, the company asserted that the only justification for making such transparency reports available would be statistical purposes, which under the applicable law are the responsibility of the federal public administration.

While praising the company’s engagement with the project, InternetLab understands that the company did not present sufficient reasons to alter its evaluation in this category. We understand that QDSD is a project that commends companies that adopt the best practices in protecting their customers’ data. Although ISPs are not legally obliged to produce transparency reports in Brazil, we believe they are an opportunity for companies to build trust in their relationship with customers, based on transparency, and to contribute to the public debate about the powers of public authorities to access user data.

CATEGORY: User notification

Result: 

Nextel did not get a star, because it did not meet the parameter.

In the materials consulted, we found no mention of mechanisms for notifying users about data requests in cases where no confidentiality requirement applies.

In the engagement phase, the company asserted that there is no legal requirement to this effect.

While praising the company’s engagement, and considering the project’s goal of encouraging the adoption of best practices in privacy and transparency, InternetLab understands that the company did not present sufficient reasons to alter its evaluation in this category.


SKY

CATEGORY: Information about data processing

Result: 

SKY got ¼ star, since it fully met parameter V and partially met parameters III and IV, adding up to the equivalent of two parameters.

Regarding parameter III, the company states in its contract that it keeps its subscribers’ subscriber data and internet connection logs for at least three years; as it does not clarify whether and when this information will be deleted, the parameter is only partially fulfilled.

Clause 8.1 – XV – To keep subscriber data and internet connection logs of its SUBSCRIBERS for the minimum period of three years.

Regarding parameter IV, in the same document the company affirms that it will respect the secrecy inherent to telecommunications services, using all means and technology necessary to assure it. However, as there is no mention of data anonymization procedures or other security measures, it only partially fulfills the parameter.

Clause 8.1 – XIV – To safeguard the secrecy inherent to telecommunications services and the confidentiality of the SUBSCRIBER’s data and information, using all means and technology necessary to assure it.

Regarding parameter V, the company states in the contract that subscriber data is made available to third parties, such as companies from its economic group, for advertising purposes and for the creation of a client register.

Clause 15.5 – The SUBSCRIBER freely provides their subscriber data to the PROVIDER and to the companies of its economic group, to be used in advertising materials and in compiling its CLIENT register, subject to the secrecy guaranteed by law.

Finally, regarding parameter VI, it was not easy to find the contracts on the website; an external search engine was necessary to locate them.

CATEGORY: Information about data disclosure to government authorities

Result: 

Sky got ¼ star, since it meets parameter I by affirming in its contract that the constitutional and legal hypotheses and conditions for the breach of telecommunications secrecy will be respected.

GENERAL CONDITIONS FOR PROVIDING THE SERVICE OF MULTIMEDIA COMMUNICATION – BROADBAND: 7.2 In addition to the other rights provided for in the current contract and in the applicable legislation and regulation, the CLIENT has the right: V – to the inviolability and secrecy of their communications, respecting the constitutional and legal hypotheses and conditions for the breach of telecommunications secrecy.

This wording does not make clear to the user that subscriber data and internet connection logs receive different legal treatment. It is therefore important that the company state clearly that internet connection logs can only be delivered under a court order, according to the Marco Civil. As for subscriber data, the same law authorizes competent administrative authorities to request it without a court order. Currently, however, given the controversy over who the so-called “competent administrative authorities” are, it is crucial that the company be transparent about its own interpretation of the law, which it applies when receiving requests for breach of secrecy.

As we have stated since the first edition of this report, our intention is to take the specification of these differences into account, rewarding companies that promise to protect data according to the nuances of the law and that make their procedures and interpretations public. Thus, it is important for Sky to inform its customers as clearly as possible about which kinds of data it discloses and under which circumstances, as other big companies in the sector do.

CATEGORY: Defense of users’ privacy in the courts

Result:

Sky did not get a star, because it did not fulfill any of the parameters.

We could not find lawsuits in which the company challenged provisions it considers harmful to privacy, so it does not meet parameter I.

It is worth mentioning that, unlike the other analyzed companies, which received credit for parameter I for having filed, through the National Association of Mobile Operators (Acel), the Direct Action of Unconstitutionality (ADI) 5642 at the Federal Supreme Court (STF) contesting a provision of Law 13.344/2016, Sky is a broadband Internet provider. That action was brought by an association of mobile operators, which are also mobile Internet providers. Sky is, however, also subject to the obligations of this law, a fact that could have given it reason to challenge it.

As for parameter II, we searched the website of the São Paulo Court of Justice with the keyword “Sky” combined with other terms, such as “breach + secrecy”, “breach + secrecy + investigation” or “investigation + Marco Civil da Internet”. We did not find lawsuits in which Sky challenged abusive data requests.

During the engagement phase, we asked all companies to send us examples of legal actions in which they challenged abusive data requests by authorities or other violations of user privacy, so that they could be considered in the final evaluation. Sky, however, did not collaborate with the project.

CATEGORY: Pro-user privacy public engagement

Result: 

Sky did not get a star, as it did not meet any parameter.

On several occasions during the year, ISPs had the opportunity to take a public position on public policies and draft bills affecting users’ privacy and data protection. After searching the specialized press, traditional media and the companies’ press rooms, we did not find any material of this kind signed by Sky.

In the engagement phase, we asked the companies that, if they had participated in events or public debates on these topics and had there taken positions in favor of users’ privacy (data retention, access to data, etc.), they inform us and point us to the corresponding documents and/or public records of that participation, so that we could take it into account in our evaluation. Sky, however, did not collaborate with the project.

CATEGORY: Transparency reports about data requests

Result: 

Sky did not get a star, because it did not meet the parameter.

In the engagement phase, we asked the company to send us documents that could prove the existence of practices of this kind. Sky, however, did not collaborate with the project.

CATEGORY: User notification

Result: 

Sky did not get a star, because it did not meet the parameter.

In the analyzed materials, there is no mention of mechanisms for notifying users about requests by State authorities in cases where secrecy is not imposed by law.

In the engagement phase, we asked the company to send us documents that could prove the existence of practices of this kind. Sky, however, did not collaborate with the project.


FAQ

How does InternetLab fund its activities?

InternetLab is a non-profit entity. We do not act as a consulting or law firm, and we only provide services if they are in line with our goals, which are mainly related to research in the area of law and technology, especially on subjects concerning the impact of public policies. The financing of our activities comes from foundations, non-profit organizations, companies and individuals. In all these cases we have two conditions for accepting contributions: independence in the development and implementation of projects, and the freedom to express any kind of analysis and institutional stance. In 2017, 71% of our funding came from foundations and international third-sector organizations, 28% from companies and 1% from individual donations.

How was "QDSD?" funded?

The project was funded by donations from Ford Foundation and individual donors.

Who worked in "QDSD"?

The InternetLab team that worked on this project was: Dennys Antonialli (executive director), Francisco Brito Cruz (director), Jacqueline Abreu (researcher and coordinator), Juliana Ruiz (researcher), Maria Luciano (researcher) and Ana Luiza Araujo (translations intern). The team had the collaboration of Heloisa Massaro (research intern). At EFF, Katitza Rodríguez (international rights director) and Kurt Opsahl (Deputy Executive Director and General Counsel) worked on the project. The communication part of the project was conducted by Maria Claudia Levy, from GOMA Oficina, and Sergio and Bruno Berkenbrock, from MirrorLab.

Does the project end with the announcement of the results?

No, the project continues. Evaluations are carried out annually. In each edition, InternetLab will re-evaluate the methodology and the results, ensuring that they reflect what is within the reach of companies to defend your data.

Recommendations for the next edition

For the coming years and evaluations, InternetLab invites the companies to develop privacy policies that inform users about the treatment given to personal data and connection logs, as required by the Marco Civil da Internet (Brazilian Civil Rights Framework for the Internet), and about how they handle court orders and requests from administrative authorities. Companies are also encouraged to use the ‘press rooms’ on their websites to list their actions in defense of privacy and data protection in the judiciary and in public debates. Finally, InternetLab also encourages companies to publish transparency reports and to adopt user notification practices.