/PRESENTATION


InternetLab was chosen by the Electronic Frontier Foundation (EFF) to carry out “Who Defends Your Data?” (“Quem Defende Seus Dados” – QDSD), the Brazilian version of EFF’s project “Who Has Your Back?”.

“Who defends your data?” aims to promote transparency and best practices in the fields of privacy and data protection by companies that provide Internet access in Brazil. Carried out annually, each new assessment is preceded by a methodology review, so that the results can more accurately reflect the existing legal framework, consider emerging issues, and encompass good practices in the areas of privacy and personal data protection.

/WHO WE ARE

InternetLab is an independent interdisciplinary research center that fosters academic debate and the production of knowledge in the areas of law and technology, above all as they relate to the Internet. We are a non-profit organization that acts as a point of articulation between academia, representatives of the public and private sectors, and civil society.

The Electronic Frontier Foundation (EFF) is a leading international non-profit organization that defends digital rights. The organization works with technologists, activists and lawyers to defend freedom of expression online, combat illegal surveillance and advocate on behalf of users and innovation.

/OUR METHODOLOGY

Selection of evaluated companies

In its fourth edition, the project evaluated the same companies as in 2017, at the time chosen for operating at least 1% of the total number of Internet access points in Brazil, according to data released by the Brazilian National Telecommunications Agency (Anatel) in May 2017. Namely: Oi broadband and mobile internet; Vivo broadband and mobile internet; TIM broadband and mobile internet; NET; Claro; Nextel; Algar; and Sky.

It is, therefore, the second time we evaluate Algar, Nextel and Sky, and the fourth time we evaluate Claro, NET, Oi, Vivo and TIM. We enabled a filter in the results table for you to compare the companies’ performance in both the broadband and mobile Internet categories.

Applied methodology

Despite being inspired by the US project “Who Has Your Back?”, “Who Defends Your Data?” does not exactly reproduce its methodology. After all, the Brazilian social (and legal!) reality is evidently different from that of the US.

Thus, we have elaborated categories and evaluation parameters capable of measuring the public commitment to complying with the law; the adoption of pro-user practices and attitudes; and transparency about practices and policies.

Each company was evaluated based on the 6 categories set out and justified below, whose elaboration took into consideration the requirements of the current law (especially the Brazilian Internet Civil Rights Framework) and good international practices in matters of privacy protection. For this evaluation, we analyzed the service agreements, sustainability reports and other documents that were available on the companies’ websites until June 10, 2019. We also searched for news that circulated in the major press and specialized media. With the preliminary results in hand, we contacted the companies, asking them to send us feedback, criticisms or documents regarding the methods and results obtained (August 2019). Finally, we talked to the companies that expressed their opinion and, based on their comments, adjusted their results where appropriate.

CATEGORY 1: Information about Data Processing

Does the ISP provide clear and complete information about the processing and protection of users’ data?

Brazilian law (Brazilian Internet Civil Rights Framework, article 7, sections VI and VIII) establishes the right of users to clear and complete information about the collection, use, storage, processing, and protection of their personal data, which can only be used for purposes specified in the contracts between companies and their clients, or in the terms of use of Internet applications.

Beyond this, when it comes to data protection, article 16 of Decree No. 8.771/2016 (which regulates some aspects of the Brazilian Internet Civil Rights Framework) also determines that information about security standards should be released in a clear and accessible manner to anyone who is interested, preferably on their websites.

More recently, the LGPD (Brazilian General Data Protection Law), which passed in August 2018 and will be in force from August 2020, reinforced and strengthened these rules by establishing the data subject’s right to clear, adequate, and ostensive information about the processing of their data, especially regarding the specific purpose, form and duration of the processing, the identification and contact details of the data controller, the eventual sharing of data and its purpose, the responsibilities of the agents that will do the processing (LGPD, art. 9 and sections) and the rights to which they are entitled. The LGPD also provides for the annulment of consent, in cases where consent is required, when it is not preceded by transparent, clear and unequivocal information, and also for the obligation to inform the data subject of any change in the purpose of the processing that is not compatible with the original consent, enabling her/him to revoke the original consent.

Thus, in light of these users’ rights, and, for now, not considering those set forth by the LGPD, we analyzed the ISPs’ agreements and other documents, as well as publicly available information, especially that on the companies’ websites, to check to what degree these legal requirements are being followed.

It is important to emphasize that the term “data” is used here in a broad sense, encompassing both the subscriber data and connection records.

What were the evaluation criteria?

(I) The company provides clear information or legal references about data collection, including what data is collected and in which situations the collection occurs;

(II) The company provides clear information or legal references about the use and/or processing of data, including the purposes for which they are used and how this occurs;

(III) The company provides clear information or legal references about the storage of data, including how long data is stored, where it is stored and when/if it is deleted;

(IV) The company provides clear information or legal references about data protection, including which security practices are observed in data retention procedures, whether there is a data anonymization policy and who has access to the database, also observing what is set forth by article 16 of Decree No. 8.771/2016;

(V) The company provides clear information or legal references on the communication, transference, transmission, distribution or dissemination of data by third parties, including information about the circumstances under which this would happen and/or the need for customer’s authorization to do so;

(VI) The company provides information about how consumers may exercise their rights over their data, stating what these rights are (for instance, rectification, deletion, or access to the data) and how they can contact the company to do so (for instance, by providing an email address or support link);

(VII) The company presents information about privacy and data protection not only in its contracts, but also in an accessible manner in other places or formats on its website (for instance, in a “privacy portal” or similar environment).

Performance standards

The ISP meets 5 to 7 parameters.

The ISP meets 3 to 4 parameters.

The ISP meets 2 parameters.

The ISP does not meet any or meets only one of the parameters.


CATEGORY 2: Information on the conditions of data sharing with State agents

Does the ISP commit to hand over subscriber data, connection records and locational data only upon a court order and, in the case of subscriber data, upon requests made only by the competent administrative authorities?

The Brazilian Internet Civil Rights Framework, in its article 10, differentiates the hypotheses in which law enforcement authorities may have access to subscriber data and connection records.

Connection records, that is, “the information set referring to the date and time of the beginning and ending of a connection to the Internet, its duration and the IP address that was used by the device to send and receive data packages” (art. 5, item IV of the Brazilian Internet Civil Rights Framework), can only be made available to the requiring party if handing over the data is authorized by a court order (art. 10, paragraph 1 of said law).

Currently, however, requests and court orders have been observed that force ISPs to provide information exceeding the definition of art. 5, VI of the Brazilian Internet Civil Rights Framework; in such cases, for instance, the number of the logical port from which the IP addresses originated is requested. However, the law does not compel companies to retain such data, even if it is useful – and possibly necessary – for the identification of an Internet user. The obligation to retain logical port data is an extensive interpretation that can result both in an excessive obligation for providers and in a restriction of users’ privacy rights, given the uncertainty about which data is subject to retention and sharing.

Subscriber data can be handed over directly to administrative authorities, without judicial review, if and when they have the legal competence to request it (art. 10, § 3º). Besides this, article 11 of Decree No. 8.771/2016, which regulates some aspects of the Brazilian Internet Civil Rights Framework, determines that the administrative authority should indicate, on its data request, the legal grounds for its competence to access the subscriber data, as well as the motivation for its access request. Currently, law enforcement authorities have the right to request subscriber data within the scope of the Criminal Organizations Act, the Money Laundering Crimes Act, and in the case of an investigation of crimes referred to in article 13-A of the Code of Criminal Procedure. In this context, the more protective interpretation for user privacy considers these as the only administrative authorities with the legal competence to request subscriber data without a court order in the scope of the investigation of these crimes. In other cases, a court order is still required for the sharing of subscriber data.

Despite this, some law enforcement authorities claim the power to request information, independently of the crime being investigated, under Law No. 12.830/2013 which has provisions on criminal investigations conducted by the Chief of Police (art. 2, §2º). This issue was taken to the Federal Supreme Court (ADI 5059). Until this controversy is settled, InternetLab will demand transparency from the companies about which authorities are considered competent to request subscriber data and under which circumstances.

In this category, the issue unfolds into three parameters that distinguish different levels of protection and clarity regarding access to subscriber data, since it deals with matters under legal controversy. Parameter II reflects a more general commitment. Parameter III reflects the concern with identifying the authorities that are considered competent. Parameter IV reflects a commitment to the current normative disputes and to the limitations of the legislation regarding the crimes for which investigations do not require a court order in order to access subscriber data.

Concerning location data, art. 13-B of the Code of Criminal Procedure determines that “if necessary to the prevention and repression of crimes related to human trafficking, the member of the Public Attorney’s Office or Police Chief may request to the telecommunications and/or telematic service provider companies, before a court order, immediate adequate technical means – such as signals, information and others – to enable locating the victim or the suspects of an ongoing crime”. Paragraph 4 of the same article sets forth that, “without a court declaration in the period of 12 (twelve) hours, the competent authority will require directly to the telecommunications and/or telematic service provider companies to immediately provide the adequate technical means – such as signals, information and others – to enable locating the victim or the suspects of an ongoing crime, with immediate communication to the judge”. These provisions have also been submitted to the Supreme Federal Court for evaluation, through ADI 5642, proposed in January 2017 by the National Association of Cellphone Companies (ACEL), as they arguably violate article 5, items X and XII of the Constitution by allowing the interpretation that, in some cases, a court order may be dispensable in order to access location data. Until this controversy is settled, InternetLab will demand transparency from the companies about which practices they adopt regarding location data.

Therefore, we evaluated whether the ISP, in its contract or any other official document available to the public, makes clear to users the circumstances under which judicial or administrative authorities can have access to their data.

What were the evaluation criteria?

(I) The company promises to comply with the current legislation by handing over user data to public authorities;

(II) The company promises to hand over subscriber data by request (without court order) to competent administrative authorities;

(III) The company promises to hand over subscriber data by request (without court order) only to competent administrative authorities, while identifying them. In other cases, it demands a court order;

(IV) The company promises to hand over subscriber data by request (without court order) only to competent administrative authorities, while identifying them, and only in the scope of the crimes provided for in Laws 12.850/12 and 9.613/98 and in article 13-A of the CCP. In other cases, it demands a court order;

(V) The company offers information or clear legal references about the circumstances in which they hand over location data to judicial or administrative authorities;

(VI) The company promises to hand over connection records only after a court order, strictly on the terms set forth by the Brazilian Internet Civil Rights Framework (art. 5, item IV).

Performance standards

The ISP meets five or six parameters.

The ISP meets four parameters.

The ISP meets three parameters.

The ISP meets one or two parameters.

The ISP does not meet any of the parameters.


CATEGORY 3: Defense of user’s privacy in courts

Has the ISP judicially challenged abusive data requests or legislation that it considers harmful to user privacy?

The Judiciary, both in individual and class-action lawsuits, is an arena where Internet users’ rights are protected against abuses and illegal conducts. With this in mind, we evaluated the posture of companies in litigation concerning privacy and data protection.

Specifically regarding the second parameter, we considered the provisions of Decree No. 8.771/2016, which sets forth that administrative authorities should indicate the legal grounds of their competence, the motivation for their data request and also that collective requests that are generic or not specific are prohibited. The non-compliance with these criteria is a strong sign of abuse in the access request.

What were the evaluation criteria?

(I) The company has legally challenged legislation, or an interpretation of the legislation, that it considers harmful to Internet users’ privacy rights, either because it considers the law disproportionate and/or because the law does not establish a clear, precise and detailed list of cases and circumstances in which information must be delivered, or adequate safeguards to prevent abuse (e.g., articles 15, 17 and 21 of the Criminal Organizations Act; art. 2, paragraph 2 of Law No. 12.830/13; articles 13-A and 13-B of the Criminal Procedure Code);

(II) The company has legally challenged, at least once during the research period, abusive requests for access of users’ data that exceed the legal prerogatives of the authority making the request and/or are disproportionate because of its lack of clarity and precision regarding which data is required and the motivation, or for any other reason that compromises the users’ privacy rights.

Performance standards

The ISP meets both parameters.

The ISP meets one parameter.

The ISP does not meet any of the parameters.


CATEGORY 4: Public pro-privacy engagement

Has the ISP publicly positioned itself on bills of law and public policies that affect users’ privacy, advocating for provisions that improve the protection of this right?

It is very important to know the positions adopted by the companies regarding users’ privacy and data protection rights. This category aims to evaluate the participation of ISPs in public debates or events regarding bills and public policies that may impact those rights.

We only considered the contributions made by ISPs individually and not by associations that some ISPs may be a part of — such as SindiTeleBrasil — as we believe that the company’s public institutional positioning is essential to generate a commitment before their users.

What were the evaluation criteria?

(I) The company has participated individually in any public debate in its own name that affects the right to privacy and data protection in Brazil.

(II) The company has participated individually in any public debate in its own name and argued for the enactment of a data protection framework in Brazil, enforceable both for the public and private sectors.

(III) The company has participated individually in any public debate cited above and argued for the adoption of data security techniques and the protection of communication secrecy (e.g. the effective anonymization of collected data, encryption, privacy and security by design and default).

(IV) The company has argued for data protection principles that are well-established internationally (e.g. prior consent, purpose limitation, necessity, etc.)

Performance standards

The ISP meets all parameters.

The ISP meets parameters.

The ISP meets parameter I.

The ISP does not meet any of the parameters.


CATEGORY 5: Transparency reports about data requests

Does the company publish transparency reports containing information about how many times governments requested user data and how often the company provided user data to governments?

Transparency reports are statements issued by companies containing a variety of statistics related to data requests. Usually required by law, reports with this type of information are an increasingly adopted mechanism around the world to inform how much and how companies cooperate with state authorities, delivering data for evidence discovery in civil and criminal proceedings. It is already an established best practice among international Internet companies such as Google, Facebook, Twitter, and Microsoft and ISPs such as Vodafone and Verizon. In Brazil, this is still an uncommon practice, which undermines public debate on privacy and conceals how this right is affected by state and private practices.

Brazilian ISPs are not yet under any obligation to produce transparency reports in Brazil, but the publication of statistics, aggregated data about requests and accesses, is not forbidden either. Therefore, there is a window of opportunity for showing that ISPs are concerned about building trust in their relationships with customers, based on transparency, and contribute to the public debate about the prerogatives of accessing user data by public authorities.

Article 12 of Decree No. 8.771/2016 provides for the obligation of agencies of the federal public administration to publish statistics similar to those quoted above (number of requests, requesting authorities etc.), which stresses the importance of developing a culture of transparency on data requests in the country. We believe that the private sector can voluntarily undertake this agenda. In testimonies to Parliamentary Committees, companies have already mentioned the high number of requests they receive, and the National Association of Cell Phone Operators (ACEL), in its submission in Direct Unconstitutionality Action (ADI) No. 5063, affirmed that there are abuses by public authorities, such as unfounded requests. In this context, the creation of periodic monitoring channels disclosing this information to users, such as transparency reports, becomes even more important.

Furthermore, the LGPD provides for the publication of data protection impact assessment reports that must contain information on personal data processing procedures that can represent risks to the rights of users, as well as the measures adopted to diminish these risks. According to the law, the publication of these reports can be determined by the National Authority of Private Data Protection (art. 10, paragraph 3; art. 32 and art. 38), according to its regulation. As the law will only come into force in August 2020, and since specific regulation on the publication of these reports is yet to be issued, this parameter will not be evaluated in this edition. InternetLab highlights, however, that when the law comes into force, the publication of such reports will also be a part of the evaluation parameters in this category.

What were the evaluation criteria?

(I) The company has a transparency report with basic information on privacy protection (for instance, the amount of government requests they received);

(II) The company publishes transparency reports informing about the collaboration with public authorities, stating information such as the amount of requests and disclosures classified by data type; the amount of requests and disclosures classified by which governmental authority made the request; the amount of requests and disclosures classified by the motivation alleged by the governmental authority (production of evidence in civil, criminal, or administrative cases etc.)

Performance standards

The ISP meets both parameters.

The ISP meets parameter I.

The ISP does not meet any of the parameters.


CATEGORY 6: User notification

Does the company notify the users about data requests by the government?

When users are notified that their subscriber data or connection records have been requested by administrative or judicial authorities, their possibilities of effectively exercising their rights of defense against abuses and irregularities are increased.

The powerful impact of notifications in guaranteeing an effective defense under the rule of law is not a new idea. Considering the constitutional principle of due process, many laws establish the obligation to notify persons about measures that affect their rights. Pursuant to the Brazilian Code of Criminal Procedure, for example, when the judge receives a request for injunctive enforcement against anyone, s/he must warn the affected party about the request, so that s/he can present her/his arguments (art. 282, § 3).

In the context of data requests, Internet providers have an essential role in protecting due process safeguards of the affected users. That is because the notification by the company enables the user to challenge illegal requests – both unsubstantiated court orders, and requests from administrative authorities without competence and justification. As it is now, the user depends on the challenges made by the companies themselves against requests that they consider abusive. If notified by companies, users gain, at the earliest opportunity, the ability to defend themselves against potential violations of their privacy.

With this in mind, we think it is important to encourage the practice of user notification through this project. In cases of data requests not accompanied by obligation of confidentiality, notification is, given the absence of legal prescription to the contrary, permitted by Brazilian law.

The possibility of user notification can be glimpsed, for example, not only in cases of requests for data in civil procedures, but also in connection with requests made by other government agencies, such as the Brazilian Revenue Service or Telecommunications Agency (ANATEL). Even in the context of criminal proceedings, notification prior to the data disclosure can be seen as permitted as a rule, provided there is no confidentiality requirement, in respect to the constitutional principles of full defense and the right to appeal. It reinforces the possibility of contesting the production of evidence which is irrelevant or unnecessary to the facts of the case.

Notification is neither a legal duty imposed on companies nor a widespread practice in the country. It is a measure seen as innovative and, because it requires staff dedicated to the notifications, costly for companies. User notification, at the first legally possible opportunity, and preferably prior to the delivery of data, supports the principles of legal defense and fosters a culture of privacy protection.

Some ISPs, such as Twitter and Microsoft, have already committed to this measure in their operations in Brazil.

What were the evaluation criteria?

(I) The company promises to notify the users before complying with requests for subscriber data and connection records in the cases not prohibited by legal confidentiality, or to issue a notification as soon as legally possible.

Performance standards

The ISP meets the parameter.

The ISP does not meet the parameter.

/OUR SOURCES

For the application of the methodology, we consulted the model contracts available on the websites, press rooms and other official written public statements of the evaluated companies. We considered the documents accessible until June 10, 2019. Terms of use or privacy policies referring to the use of the companies’ own websites were not considered. In addition, as several lawsuit files were provided to us by the companies themselves with redacted information, since they are protected by legal confidentiality, it was not possible to indicate here the case numbers of the lawsuits we considered. The fact that we received such lawsuit files, however, is pointed out in the individual results of this report.


CLARO/NET

Sumário E Termos E Condições De Uso “Planos Claro Controle Plus”

Sumário E Termos E Condições De Uso “Plano No 155 – Claro Pós E Promoções Vigentes”

Sumário E Termos E Condições De Uso “Plano No 150 – Claro Internet Mais”

America Movil Sustainability Report 2017

Contrato De Prestação Do Serviço Móvel Pessoal Na Modalidade Pré-Pago

Contrato De Prestação Do Serviço Móvel Pessoal Na Modalidade Pós-Pago

Contrato De Prestação Do Serviço De Acesso À Internet Na Modalidade Pré-Pago

Código De Ética América Móvil

Sumário E Termos E Condições De Uso Do Plano De Serviço Net Virtua E Oferta Promocional “Net Virtua+”

Contrato De Prestação De Serviço De Comunicação Multimídia (Scm) Net Vírtua

OI

Relatório de Sustentabilidade Oi 2017

CONTRATO DE PRESTAÇÃO DO SERVIÇO MÓVEL PESSOAL – SMP – PRÉ- PAGO

Contrato de Prestação de SMP Pós Pago

CONTRATO DE ADESÃO AO SERVIÇO BANDA LARGA DA OI SEM FIXO CATEGORIA RESIDENCIAL

TIM

Termo De Adesão Ao Serviço Móvel Pessoal Pré-Pago

Relatório De Sustentabilidade Tim 2018

Contrato De Prestação Do Serviço Móvel Pessoal Pós-Pago (“Contrato”)

Contrato De Prestação Do Serviço Móvel Pessoal Pré-Pago (“Contrato”)

Contrato De Prestação De Serviços – Tim Live

Contrato De Permanência – Tim Live

Contrato De Prestação Do Serviço De Comunicação Multimídia –

Sustainability Report 2018 – TIM

VIVO

Termo De Adesão Ao Serviço De Acesso A Internet Por Meio De Banda Larga

Contrato De Prestação De Serviço Vivo Internet Fixa

Relatório De Sustentabilidade Vivo/Telefônica 2018

Política De Privacidade – Normativa Fundação Telefônica

Informe De Transparencia Del Grupo Telefónica Telefónica 2018

Informe Social 2018 – Fundação Telefônica / Vivo

Contrato De Adesão De Prestação Do Serviço Telefônico Fixo Comutado (Stfc), Do Serviço De Comunicação Multimídia (Scm) E Do Serviço De Acesso Condicionado (Tv Por Assinatura – Seac).

Cláusulas Gerais Do Contrato De Prestação Do Serviço Móvel Pessoal Pós-Pago

Contrato De Prestação Do Serviço De Comunicação Multimídia E Outras Avenças

ALGAR

Contrato De Prestação Do Serviço Banda Larga Móvel Algar Telecom

Contrato De Prestação Do Serviço Banda Larga Móvel Algar Telecom (Pré-Pago)

Contrato De Prestação Do Serviço – Banda Larga

Contrato De Prestação Do Serviço Móvel Pessoal – Smp E Serviços Adicionais (Pré-Pago)

Contrato De Prestação Do Serviço Móvel Pessoal – Smp E Serviços Adicionais (Pós-Pago)

Relatório De Sustentabilidade Algar 2017

NEXTEL

Contrato De Prestação Do Serviço Móvel Pessoal

SKY

Sumário De Contratação Dos Planos De Banda Larga Da Sky

Condições Gerais Do Compromisso De Permanência Mínima Banda Larga

Relatório De Transparência AT&T/Sky

Condições Gerais De Assinatura Para Clientes Sky Empresas

Condições Gerais Da Prestação Do Serviço De Comunicação

Condições Gerais De Assinatura – Banda Larga

Termos E Condições De Uso – Sky Online

/RESULTS


CLARO

CATEGORY: Information on data processing

Result:

Claro obtained a full star because it completely met parameters from I to V and partially met parameters VI and VII, which is equivalent to meeting 6 parameters.
With respect to parameter I, the company’s mobile service contracts cover the collection of registration and complementary data, informing about the collection of data on consumption profile, location, behavior and service usage, information that is repeated in the Privacy Policy. While it informs about all the data collected, the company does not provide specific information regarding the scenarios in which data is collected, nor does it inform about connection records, so there is room for improvement.
América Móvil’s Privacy Policy also provides guidelines for the protection of employee and customer data that must be followed by subsidiaries, including the collection of data upon consent and in accordance with applicable law.

Contrato de Serviço Móvel Pessoal Pós-Pago (“Contract for Postpaid Personal Mobile Service”)

13.7 Once Access Code Portability is requested by the SUBSCRIBER and the corresponding commercial requirements and conditions are met, the SUBSCRIBER authorizes, as of now, the handing over of their data to the “Administrative Entity” and to the “Donor Provider”, as defined by ANATEL, in order to allow the conclusion, or not, of its request for Portability.

15.1 The SUBSCRIBER is responsible, under the terms of the law, for the truthfulness of the information provided and undertakes to always keep her/his subscriber data updated, as well as to inform about any verified modification, especially correspondence address, so as not to cause any difficulty regarding the communication between the Parties. The lack of data update and the consequent impossibility to locate the SUBSCRIBER for contact may cause the suspension of the Contract and the services provided. Furthermore, the SUBSCRIBER recognizes CLARO’s right to obtain from third parties the references it considers necessary for the purposes of this Agreement, observing the pertinent rules.

15.12 CLARO may collect, use and store, at its own discretion, the information related to the consumption profile, location and service usage patterns of its Users, in an anonymous and aggregated manner, with the purpose of improving the performance of CLARO’s network and users’ experience, as well as for customizing the offers.

15.13. The SUBSCRIBER agrees with the collection of her/his subscription data under this Agreement, and of complementary personal data, as well as the use of such data, only by CLARO, in a way that her/his identification is not possible. The SUBSCRIBER may review the authorization granted, at any time, by contacting the CLARO Service Center.

Privacy Policy:

Claro may collect information from the consumption profile of its users, such as location, resources and equipment used, navigation, contracted or researched offers, information provided during the use, frequency and duration of its activities, as well as other information on usage patterns during the operation of Claro’s services.

Regarding parameter II, in the contract and in the Privacy Policy, the company presents information on the use of data and its purpose. As mentioned above, the América Móvil Privacy Policy provides guidelines for the protection of employee and customer data, which must be followed by subsidiaries, including purposes and uses of such data.

Contract for Postpaid Personal Mobile Service

CLARO may collect, use and store, at its own discretion, the information related to the profile of consumption, location and service usage patterns of its Users, in an anonymous and aggregated manner, with the purpose of improving the performance of CLARO’s network and users’ experience, as well as for customizing the offers.

Privacy Policy:

CLARO BRASIL will process and use data collected for internal use with the purpose of improving the User’s experience, promoting the improvement of the network’s performance, expanding the coverage area, customizing product and service offerings, sending alerts or notifications, among other benefits or commercial advantages that may be obtained. We may use personal data to identify and make relevant content available to Users, as well as to send, for example, information about accounts, consumption, packages, promotions, etc.

Regarding parameter III, Claro’s Privacy Policy provides detailed information on where the data is stored and for how long. In addition, consumption, location, behavior and service use data is stored anonymously and in aggregate form, according to the company. The company also provides for cases in which the user can request the exclusion of the data.
There is still room for improvement regarding the rules for data exclusion in the absence of a user request, for example, upon expiry of the mandatory storage period. América Móvil’s Privacy Policy also provides guidelines for data exclusion. In this document, exclusion is determined when the data is no longer necessary for the purposes that motivated the collection. It is worth mentioning, however, that this policy is not available on Claro’s website and is not easily accessible to customers.

Contract for Postpaid Personal Mobile Service

8.1 In addition to the rights already provided for in this Agreement, the SUBSCRIBERS’ rights established in the SMP Regulation and in Law No. 12.965/2014 are secured, such as: n) definitive exclusion of your personal data that you have provided to a certain internet application.

Privacy Policy

The User may request the exclusion of his/her Personal Data and CLARO will adopt, through possible and reasonable time and efforts, the applicable measures to meet the request.

Storage of connection and application records. By virtue of the contract signed and in accordance with the service(s) hired by the Subscriber, CLARO will store the subscription data and records of services usage, as required by current legislation, including the limitations applicable to each mode of service. In the provision of Internet connection, Claro will store the connection records for a period of 01 (one) year, and will not keep the records of access to Internet applications that allow the identification, in an individualized manner, of the accessed content. In the provision of Internet applications, in its own applications (Claro’s) the respective records of access to applications will be stored for 06 months (only Claro’s App). Registration and billing data will be stored for at least 5 years. Most of the information is processed in the Datacenters of CLARO BRASIL, in accordance with current legislation. Specific cases may be processed externally and/or stored in a foreign country that offers the same level of protection and security as CLARO BRASIL.

Regarding parameter IV, in its Privacy Policy, Claro informs the standards, practices and security measures adopted, including the cases of anonymization that are also set out in the contracts. In the América Móvil Code of Ethics (p. 17-19), there is information on data protection, such as principles, parameters and guidelines to be followed by the company’s employees for the security and protection of customer data and for the privacy of their communications. The company also has an information security section on its website (https://www.claro.com.br/celular/seguranca-da-informacao).
The América Móvil Sustainability Report also contains information on data security, data protection and privacy (p. 29-34 of the 2017 report, and p. 52-58 of the 2018 report). América Móvil’s Privacy Policy provides guidelines for data protection. It is worth mentioning, however, that this policy is not available on Claro’s website and can only be found on América Móvil’s website or in its sustainability report, which is not completely accessible and clear to customers.

15.12 CLARO may collect, use and store, at its own discretion, the information related to the consumption profile, location and service usage patterns of its Users, in an anonymous and aggregated manner, with the purpose of improving the performance of CLARO’s network and users’ experience, as well as for customizing the offers.

Privacy Policy:

Data sharing with third parties occurs only in an anonymous and aggregated manner, thus preserving the identity and privacy of users. Claro does not share individualized or pseudo-anonymized information (which allows, through processing, the identification of the user), except for the exclusive purposes of customer service, support and other services necessary for the performance of CLARO’s activity, always backed by appropriate security and confidentiality measures.

Storage of connection and application records. Most of the data is processed in the Datacenters of CLARO BRASIL, in accordance with current legislation. Specific cases may be processed externally and/or stored in a foreign country that offers the same level of protection and security as CLARO BRASIL.

Security in data access and storage. Claro uses appropriate solutions and technical security measures to guarantee the inviolability of data, such as encryption or equivalent protection measures, compatible with international standards and the use of good practices. It also uses security measures appropriate to the risks, such as against accidental or illegal destruction or accidental loss, alteration, disclosure or unauthorized access. Only authorized persons have access to the stored information. Permission and exclusive access privileges are defined by Claro according to the responsibilities involved. The information is grouped into clusters and segments, without allowing unique, individual user association.

Regarding parameter V, that is, regarding transparency related to the communication, transfer, transmission, distribution or dissemination of data to third parties, the contract and the company’s privacy policy provide information on the cases and ways in which it shares customer data, as well as the specific purposes of each type of sharing. The company also has a section on data security on its website, in which it states that personal data is not shared without authorization. América Móvil’s Privacy Policy also provides guidelines for the transfer and sharing of personal data. The item was therefore considered met.

Contract for Postpaid Personal Mobile Service

8.1 In addition to the rights already provided for in this Agreement, the SUBSCRIBERS’ rights established in the SMP Regulation and in Law No. 12.965/2014 are secured, such as: n) definitive exclusion of personal data that you have provided to a certain internet application.

15.6 All information related to the SUBSCRIBER contained in CLARO’s registration is confidential and can only be provided to people and situations as follows: a) to the SUBSCRIBER; b) to the legal representative of the SUBSCRIBER provided with a specific Power of Attorney allowing access to such information; c) to a lawyer or specialized agency, hired by CLARO, for the exclusive purposes of collection; d) as a result of determination by public authority; and e) to other providers of telecommunications services, for specific purposes of providing such services.

Contrato de Serviço Móvel Pessoal Pré-pago (“Prepaid Personal Mobile Service Contract”)

15.6 All the information in the register of the SUBSCRIBER is confidential and can only be provided: a) to the SUBSCRIBER; b) to a representative with specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes for the rendering of these services.

Privacy Policy:

Data sharing with third parties occurs only in an anonymous and aggregated manner, thus preserving the identity and privacy of users. Claro does not share individualized or pseudo-anonymized information (which allows, through processing, the identification of the user), except for the exclusive purposes of customer service, support and other services necessary for the performance of CLARO’s activity, always backed by appropriate security and confidentiality measures. CLARO BRASIL has the obligation to suspend the secrecy and make the data available to the authorities that, in accordance with the law, have the competence to request this information. Individualized information will only be shared by law, court order or when previously authorized by the user. Consent to the sharing of individualized information may be reviewed at any time through the “Minha Claro” self-service application or website by using a personal, non-transferable password.

Regarding parameter VI, it was considered partially met. Claro’s Privacy Policy specifically states that “the User may request the exclusion of their Personal Data”, but does not specifically mention consumers’ rights over their data under current legislation (such as rectification and erasure), nor does it provide specific means for the exercise of such rights.
Finally, regarding parameter VII, it was also considered partially met. This is because the company’s website has a data security section (https://www.claro.com.br/celular/seguranca-da-informacao), which contains some relevant information on privacy and data protection. In addition, we welcome the ease of finding the contracts on the company’s website, available in the footer of the home page (“regulation”), as well as in the privacy policy.
However, as we could not locate any area on Claro’s website, either on the main page or on the pages for contracting specific services, that presents complete information on privacy or data protection, such as that contained in the contracts mentioned above, the parameter was considered only partially met.
In addition, the company could improve the accessibility of other documents, such as the sustainability reports, the code of ethics and the privacy policy of the América Móvil group, which are only in Spanish and can only be found on the holding company’s website.


CATEGORY: Information on the conditions of data sharing with State agents

Result:

Claro got ¼ of a star, because it met only parameter I and, partially, parameters II and VI.
In its privacy policy, the company states that it only suspends the secrecy of personal information and provides individualized data in accordance with current legislation and by court order, thus meeting the first parameter. América Móvil’s privacy policy reinforces the orientation to comply with current legislation regarding data sharing. In its contracts, the company also lists, among the rights of subscribers, the inviolability and secrecy of the flow of their communications over the Internet, except by court order, in accordance with the law.

Contract for Postpaid Personal Mobile Service

8.1 In addition to the rights already provided for in this Agreement, the SUBSCRIBERS’ rights established in the SMP Regulation and in Law No. 12.965/2014 are secured, such as: h) inviolability of intimacy and private life, its protection and compensation for material or moral damage resulting from its violation; i) inviolability and confidentiality of the flow of its communications over the Internet, except by court order, in accordance with the law; j) inviolability and confidentiality of its stored private communications, except by court order.

Privacy Policy:

CLARO BRASIL has the obligation to suspend the secrecy and hand over data to the authorities that, in accordance with the law, have the competence to request this information. Individualized information will only be handed over by law, court order or when previously authorized by the user.

It should be noted that the differentiation between the processing of subscriber data, location data and connection records remains unclear. Specifically regarding subscriber data (II, III and IV), section 15.6 of the prepaid personal mobile service contract provides that the company will hand over subscriber data to judicial authorities. In this case, there is no mention of the possibility of requests by administrative authorities, as provided for in some legal texts. On the other hand, in the postpaid mobile service agreement, the company establishes the possibility of handing over data by reference to a “public authority”, without mentioning competence, specifying which authorities are considered as such, or the circumstances in which this applies.

Postpaid

15.6 All information related to the SUBSCRIBER contained in CLARO’s subscription is confidential and can only be handed over to people and situations as follows: a) to the SUBSCRIBER; b) to the legal representative of the SUBSCRIBER provided with a specific Power of Attorney allowing access to such information; c) to a lawyer or specialized agency, hired by CLARO, for the exclusive purposes of the collection; d) as a result of determination by public authority; and e) to other providers of telecommunications services, for the specific purpose of providing such services.

Prepaid

15.6 All the information of the register of the SUBSCRIBER is confidential and can only be handed over: a) to the SUBSCRIBER; b) to the representative with specific power of attorney; c) to the judicial authority; and d) to other Telecommunications Service Providers, for specific purposes for the rendering of these services.

We consider parameter II partially met, since in both modalities there is no exhaustive information on the circumstances in which access is granted. Regarding subscriber data, given the controversy over which authorities count as “competent administrative authorities”, it is essential that the company be transparent about which interpretations of the law it applies when receiving requests for breach of confidentiality.
Regarding parameter V, the company does not provide clear legal information or references on the circumstances in which it hands over location data to judicial or administrative authorities.
Regarding parameter VI, in its contracts, among the rights of subscribers, the company assures the subscriber the right not to have their personal data, including connection records and records of access to Internet applications, handed over to third parties, except upon free consent. It does not address, however, the possibility, determined by law, of access by judicial order, failing to clarify to the user the circumstances in which their privacy may be compromised, and it does not specify the company’s understanding of what constitutes connection records. Therefore, we consider this parameter partially met.

8.1 In addition to the rights already provided for in this Agreement, the SUBSCRIBERS’ rights established in the SMP Regulation and in Law No. 12.965/2014 are secured, such as:

d) inviolability of privacy and private life, its protection and compensation for material or moral damage resulting from its violation; e) inviolability and secrecy of the flow of their communications over the Internet, except by court order, in accordance with the law; f) inviolability and secrecy of their stored private communications, except by court order; (…) i) failure to provide third parties with their personal data, including registration of connection, and access to Internet applications, except upon free consent.

As we have noted before, it is important that the company clearly informs that connection records can only be handed over by court order, according to the Brazilian Internet Civil Rights Framework.
As anticipated since the first edition, our intention is to take into consideration the specification of these differences, rewarding companies that promise to protect data according to the nuances existing in law, making public their procedures and interpretations. Thus, it is important that Claro informs customers more clearly about what types of data are handed over and under what circumstances, as is already done by large companies in the sector.


CATEGORY: Defense of user’s privacy in courts

Result:

Claro got a full star because it met both parameters.

As for parameter I, we conducted exploratory searches and located the filing of a motion for clarification (“embargos de declaração”) by Claro, in the scope of Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities. The parameter was therefore considered met. We point out that ACEL’s Direct Unconstitutionality Action (ADI) No. 5642 was already considered in the last edition of QDSD and has not advanced since our last report, and has therefore not been taken into consideration.

Regarding parameter II, we conducted exploratory searches on the website of the São Paulo State Court of Justice and no cases related to criminal proceedings were found. The research returned, however, a civil case concerning the provision of logical port data, whose argument did not involve the issue of privacy (AI No. 2214824-53.2017.8.26.0000). More relevant in this category is an appeal in a writ of mandamus (1002366-10.2017.8.26.0451) in which the company challenged notices issued by the Regional Tax Office of Campinas requesting registration data of users based on their IP addresses, arguing that they violated the constitutional guarantees of privacy and protection of data confidentiality.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.

CATEGORY: Public pro-privacy engagement

Result:

Claro did not get a star in this category.

On some occasions throughout the period covered in this research, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869 of 2018 in the National Congress is an example of this opportunity.

After conducting searches on official government websites, in specialized and traditional media and in the companies’ press rooms, we could not find any material in this regard, which led to the assessment that the parameters were not met.

CATEGORY: Transparency reports about data requests

Result:

Claro got an empty star because it didn’t meet the parameters. Although the América Móvil Sustainability Report contains information and parameters on data protection and privacy, it does not publish statistics on requests, nor does it identify the responsible authorities or the grounds they present.

CATEGORY: User notification

Result:

Claro obtained an empty star because there is no mention of user notification in any of the analyzed documents.


NET

CATEGORY: Information on data processing

Result:

NET obtained a full star because it fully met parameters I to IV and partially met parameters V and VI, which is equivalent to meeting 5 parameters.

Regarding parameter I, the company’s Privacy Policy provides some information on the collection of data on the user’s consumption profile and usage information. América Móvil’s Privacy Policy also provides guidelines for the protection of employee and customer data, including provisions on data collection upon consent and in accordance with applicable law. The contract refers only to ANATEL’s provisions that state rights and establish duties:

Section 35.02. The rights and duties of subscribers to the multimedia communication service are set forth in articles 56, 57 and 58 of ANATEL Resolution 614/2013. The rights and obligations of the PROVIDER are set forth in articles 41 to 55 of the same Resolution.

Privacy Policy:

Claro may collect information from the consumption profile of its users, such as location, resources and equipment used, navigation, contracted or searched for offers, information provided during the use, frequency and duration of its activities, as well as other information on usage patterns during the operation of Claro’s services.

Although the contract does not contain any information on the processing of customers’ personal data, it was possible to find it in other documents. For this reason, the parameter was considered met. It should be noted, however, that although the Privacy Policy includes all the provisions, it determines that the contracts provide for specific rules applicable to each service. In the case of NET, this was not observed.

Regarding parameter II, in the Privacy Policy, the company presents information on the use of the data and its purpose. América Móvil’s Privacy Policy also provides guidelines for data processing, including the purposes and uses of such data. The item was considered met.

Privacy Policy:

The processing and use of the information collected are only for CLARO BRASIL’s internal use, with the purpose of improving the User’s experience, promoting the improvement of the network’s performance, expanding the coverage area, customizing product and service offerings, sending alerts or notifications, among other benefits or commercial advantages that may be obtained. We may use Personal Information to identify and make available relevant content to Users and to send, for example, information about accounts, consumption, packages, promotions, etc.

Regarding parameter III, NET’s Privacy Policy provides detailed information on where the data is stored and for how long. In addition, consumption, location, behavior and service use data are stored anonymously and in aggregate form, according to the company. The company also provides for cases in which the user can request the exclusion of the data. The parameter was therefore considered met.

There is still room for improvement regarding the rules for data exclusion in the absence of a user request, for example, upon expiry of the mandatory storage period. América Móvil’s Privacy Policy also provides guidelines for data exclusion. In this document, exclusion is determined when the data is no longer necessary for the purposes that motivated the collection. It is worth mentioning, however, that this policy is not available on NET’s website and is not easily accessible to customers.

Privacy Policy:

The User may request the exclusion of his/her Personal Data and CLARO will adopt, through possible and reasonable time and efforts, the applicable measures to meet the request.

Storage of connection and application records. By virtue of the contract signed and in accordance with the service(s) hired by the Subscriber, CLARO will store the subscription data and records of services usage, as required by current legislation, including the limitations applicable to each mode of service. In the provision of Internet connection, Claro will store the connection records for a period of 01 (one) year, and will not keep the records of access to Internet applications that allow the identification, in an individualized manner, of the accessed content. In the provision of Internet applications, in its own applications (Claro’s) the respective records of access to applications will be stored for 06 months (only Claro’s App). Registration and billing data will be stored for at least 5 years. Most of the information is processed in the Datacenters of CLARO BRASIL, in accordance with current legislation. Specific cases may be processed externally and/or stored in a foreign country that offers the same level of protection and security as CLARO BRASIL.

Regarding parameter IV, in its Privacy Policy, NET informs the standards, practices and security measures it adopts, including the cases of anonymization. In the América Móvil Code of Ethics (p. 17-19), there is information about data protection, such as principles, parameters and guidelines to be followed for the security and protection of customer data and for the privacy of their communications.
The Sustainability Report and the Privacy Policy of América Móvil also contain information on data security, data protection and privacy (p. 29-34 of the 2017 report, and p. 52-58 of the 2018 report). The item was therefore considered met.

Privacy Policy

Data sharing with third parties occurs only in an anonymous and aggregated manner, thus preserving the identity and privacy of users. Claro does not share individualized or pseudo-anonymized information (which allows, through processing, the identification of the user), except for the exclusive purposes of customer service, support and other services necessary for the performance of CLARO’s activity, always backed by appropriate security and confidentiality measures.

Security in data access and storage. Claro uses appropriate solutions and technical security measures to guarantee the inviolability of data, such as encryption or equivalent protection measures, compatible with international standards and the use of good practices. It also uses security measures appropriate to the risks, such as against accidental or illegal destruction or accidental loss, alteration, disclosure or unauthorized access. Only authorized persons have access to the stored information. Permission and exclusive access privileges are defined by Claro according to the responsibilities involved.

Regarding parameter V, that is, regarding transparency related to the communication, transfer, transmission, distribution or dissemination of data to third parties, the contract and the company’s privacy policy provide information on the cases and ways in which it shares customer data, as well as the specific purposes of each type of sharing. The company also has a section on data security on its website, in which it states that personal data is not shared without authorization. América Móvil’s Privacy Policy also provides guidelines for the transfer and sharing of personal data. However, the documents mentioned offer only general guidelines, not specifying with which partners or companies of the economic group the data is shared, what the purpose of such sharing is, etc. For this reason, the item was considered partially met.

Privacy Policy

Data sharing with third parties occurs only in an anonymous and aggregated manner, thus preserving the identity and privacy of users. Claro does not share individualized or pseudo-anonymized information (which allows, through processing, the identification of the user), except for the exclusive purposes of customer service, support and other services necessary for the performance of CLARO’s activity, always backed by appropriate security and confidentiality measures.

CLARO BRASIL has the obligation to suspend the secrecy and make the data available to the authorities that, in accordance with the law, have the competence to request this information. Individualized information will only be shared by law, court order or when previously authorized by the user. Consent to the sharing of individualized information may be reviewed at any time through the “Minha Claro” self-service application or website by using a personal, non-transferable password.

Regarding parameter VI, it was considered partially met. The company’s Privacy Policy specifically states that “the User may request the deletion of their Personal Data”, but does not specifically mention consumers’ rights over their data under current legislation (such as rectification and erasure), nor does it provide specific means for the exercise of such rights.

Finally, we could not find any area on NET’s website, either on the main page or on the pages for contracting specific services, that presents information on data privacy and protection in an accessible manner. In view of this, parameter VII was not considered met.

Nevertheless, we welcome the fact that it is easy to find the contracts on the company’s website, available in the footer of the home page (“regulation”), as well as in the privacy policy (http://www.netcombo.com.br/politica-de-privacidade), in the item about contracts and regulations. Thus, customers should not have much difficulty in finding this type of information. This easy access, however, was not enough in this edition of the report for parameter VII to be considered met.

Even so, we consider that the company can improve the accessibility to other documents, such as the sustainability reports, the code of ethics and the privacy policy of América Móvil, which are in Spanish and are found only on the website of the holding company.


CATEGORY: Information on the conditions of data sharing with State agents

Result:

NET got ¼ of a star because it met only one parameter.

NET complies with parameter I by stating, in its Privacy Policy, that it has an obligation to suspend confidentiality and hand over data in accordance with the law. América Móvil’s privacy policy reinforces the orientation to comply with current legislation regarding data sharing.

Privacy Policy:

CLARO BRASIL has the obligation to suspend the secrecy and hand over data to the authorities that, in accordance with the law, have the competence to request this information. Individualized information will only be handed over by law, court order or when previously authorized by the user.

Still in this aspect, it is worth noting that the company refers, in the contract, to ANATEL’s provisions that contain rights and establish duties:

Section 35.02. The rights and duties of subscribers to the multimedia communication service are set forth in articles 56, 57 and 58 of ANATEL Resolution 614/2013. The rights and obligations of the PROVIDER are set forth in articles 41 to 55 of the same Resolution.

NET does not, however, inform customers about which data is handed over and under which circumstances. In section 28.01 of the contract, the company states that, in the face of harmful practices, it will be possible to hand over any and all information about the subscriber, at any time, to the competent authorities.

Section 28.01. Without prejudice to other cases not listed hereby, the following are considered harmful practices to NET VIRTUA service and/or to the other SUBSCRIBERS, subjecting the offender to all resulting legal actions, including contractual termination:

a) The SUBSCRIBER will be responsible for keeping the device configurations necessary to access the services herein contracted, and it is prohibited to change these configurations in an attempt to hold third parties responsible or hide their identity or authorship. In the event of the occurrence of the cases mentioned herein, the PROVIDER may, at any time, hand over any and all information about the SUBSCRIBER to the competent authorities, as well as cancel the account automatically, without prior notice, and the SUBSCRIBER shall be held accountable both civilly and criminally for their acts;

The wording of the provision makes it seem that data is only handed over to authorities when the user engages in activities that are harmful to the company itself, which is not the case in reality.

The company also does not clarify to the user the fact that subscriber data and connection records have different legal procedures, nor does it explain its understanding as to what constitutes connection records. In this regard, it is important that the company clearly informs that connection records can only be handed over by judicial order, according to the Brazilian Internet Civil Rights Framework. Regarding subscriber data, this same law authorizes that they be requested without judicial order by competent administrative authorities. Currently, however, in the face of controversy over which are such “competent administrative authorities”, it is essential that the company be transparent about which interpretations of the law it applies when receiving requests for breach of confidentiality. Such clarity should also encompass provisions about location data.

As anticipated since the first edition, our intention is to take into consideration the specification of these differences, rewarding companies that promise to protect data according to the nuances existing in law, making public their procedures and interpretations. Thus, it is important that NET informs customers more clearly about what types of data are handed over and under what circumstances.

 

CATEGORY: Defense of users’ privacy in courts

Result:

NET got a full star because it met both parameters.

As for parameter I, we conducted exploratory searches and located the filing of a motion for clarification (“embargos de declaração”) by Claro, in the scope of Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port (“porta lógica”) data to police authorities. The parameter was therefore considered met. We point out that ACEL’s Direct Unconstitutionality Action (ADI) No. 5642 had already been considered in the last edition of QDSD and has not advanced since our last report, and has therefore not been taken into consideration.

As for parameter II, we conducted exploratory searches on the website of the São Paulo State Court of Justice and no cases related to criminal proceedings were found. The research returned, however, a civil case concerning the provision of logical port data, whose argument did not involve the issue of privacy (AI No. 2214824-53.2017.8.26.0000). More relevant in this category is an appeal in a writ of mandamus (1002366-10.2017.8.26.0451), in which the company challenged notifications issued by the Regional Tax Office of Campinas requesting the registration data of users behind the IP addresses provided, arguing the violation of constitutional guarantees of privacy and protection of data confidentiality.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.

 

CATEGORY: Public pro-privacy positioning

Result:

NET got an empty star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After we conducted searches in official government websites, specialized and traditional media and companies’ press rooms, we couldn’t find any material in this regard, which led to the assessment that the parameters were not met.

 

CATEGORY: Transparency report about data requests

Result:

NET got an empty star because it did not meet the parameter.

Although the América Móvil Sustainability Report contains information and parameters on data protection and privacy, it does not publish statistics on requests, nor does it identify the responsible authorities or the grounds they present.

 

CATEGORY: User notification

Result:

NET was not awarded a star, as there is no mention of user notification in any of the documents reviewed.


OI BROADBAND

CATEGORY: Information on data processing

Result:

Oi Broadband got an empty star, because it met the equivalent of only one parameter (two parameters partially met).

Parameter I was not considered met because the company does not provide clear legal information or references on data collection, including which data is collected and in which circumstances the collection occurs.

Parameter II, which concerns the provision of clear legal information or references on the use and/or processing of data, including the purposes for which they are used and how they are used, was considered partially met. In its broadband services contract, in section 9.20 (subscriber rights), Oi establishes some general provisions. However, data processing and its purposes are not specified. It is only stated that “they are used for purposes that justify their collection”.

9.20. Receive data protection, both subscriber data and those relating to the connection records, which can only be used for purposes that: (i) justify its collection; (ii) are not prohibited by legislation and (iii) are specified in this service agreement or in the offer regulation.

Regarding parameter III, the company does not provide clear legal information or references on the filing, storage and exclusion of data, nor on how long and where they are stored or when/if they are excluded. Therefore, the item was not considered met.

In the assessment of parameter IV, considered partially met, we found that the company, in its Sustainability Report (p. 6 to 37), states that the privacy and security of customer data is one of its areas of concern and ensures that it takes security measures to protect it. Its Data Security Policy has also been published on the website. Although it includes references to ISO standards of data security and presents some guidelines and parameters to be followed by the company’s employees, broad and generic parameters are stated and no specific information is available regarding practices adopted in relation to customer data, such as the security of data centers, anonymization processes, profiles and conditions of access to data. The policy consists mainly of guidelines and general principles.

Broadband service contract, among the customer’s rights:

9.20. Receive data protection, both subscriber data and those relating to the connection records, which can only be used for purposes that: (i) justify its collection; (ii) are not prohibited by legislation and (iii) are specified in this service agreement or in the offer regulation.

Sustainability report, page 37:

Actions towards guaranteeing security for customer data processed by the Company are grounded on the applicable legal standards and seek to define standards of network technology and team awareness, especially in the business, information technology and engineering areas. The flow of approvals will assess whether the user has access to the group of information being processed. Data security management ensures minimum security requirements in product research and development, as well as in pre-production testing, and acts to provide information to customers. We are always evaluating improvements in our internal processes, with the aim of improving the data security of our customers.

As regards parameter V, i.e. transparency related to the communication, transfer, transmission, distribution or dissemination of data to third parties, including information on the circumstances in which this would happen and/or the need for the customer’s consent, the available information relates only to access by authorities, which is assessed in the second category of this survey. Therefore, the item was not considered met.

Regarding parameter VI, it was also not considered met, since none of the documents analyzed refer to consumers’ rights over their data, nor do they offer mechanisms for contacting Oi to exercise these rights.

Finally, we couldn’t find any environments on Oi’s website, either on the main page, or on the pages for contracting specific services, which present information on data privacy or protection in an accessible manner. In view of this, parameter VII was not considered met.

In this item, we also emphasize that not even Oi’s broadband services contracts, which contain some of the necessary information on the subject, are easily accessible. To access the broadband services contracts, we identified that, first, it is necessary to enter a location in which the service is available (note that Oi does not provide broadband services in São Paulo). Then, one must go to the website’s Internet section and enter the ZIP code and street number to check the availability of the service. If the service is available, a page with all available offers is displayed. One must then select an offer. On the offer page, it is necessary to click “see more information” and, only then, is there a link to the page with all the contracts and broadband service regulations. The Data Security Policy, in fact, is published on the website, but is not easily accessible, as it is necessary to click the button “about oi”, then “companies”, and then “Data Security Policy”. We would recommend, as a good practice, that in the absence of a specific space dedicated to privacy and data protection information, at least the contracts that deal with this subject be easily accessible on the company’s website, even before the user starts to contract any specific service.

 

CATEGORY: Information on the conditions of data sharing with State agents

Result:

Oi Broadband obtained half a star because it fully met parameters I and II and partially met parameter VI.

Initially, it should be noted that, in comparison with the evaluation undertaken in 2018, significant changes were identified both in broadband service contracts and in Personal Mobile Service (SMP) contracts in the post-paid modality. However, these changes were not observed in prepaid Personal Mobile Service (SMP) contracts.

In section 9.9 of its broadband service contract, among the rights of the subscriber, the provider promises to respect the data privacy and protection of users, except in constitutional and legal cases of breach of confidentiality, without specifying them. Also in section 9 (subscriber rights) and section 11.1 (Oi’s obligations), it refers to ANATEL’s resolutions No. 614, of May 28, 2013 and No. 632, of March 7, 2014 – and the rights and obligations therein provided as integral elements of the contract. It also promises to preserve the privacy, intimacy and confidentiality of data in section 11.13, both of subscriber data and connection records. In the Sustainability Report (p. 37), Oi promises to hand over such data to the authorities only in the legal and constitutional hypotheses of breach of confidentiality. This satisfies parameter I.

Broadband contract:

Section 9. In addition to the other rights set forth in this Agreement and set forth in articles 41 to 58 of Resolution No. 614, of May 28, 2013, as well as Resolution No. 632, of March 7, 2014 of ANATEL, with respect to ANATEL’s multimedia communication service, the SUBSCRIBER has the following rights: (…)

9.9 To receive a billing document with a breakdown of the amounts charged for the provision of Oi’s broadband service, as well as to be respected in your privacy regarding these documents and regarding the use of your personal data by Oi, except in cases of breach of confidentiality as constitutionally and legally permitted. (…)

11.13 Respect the preservation of the intimacy, privacy, honor and image of the parties directly or indirectly involved in what concerns data confidentiality, regarding both subscriber data and those relating to the connection records.

Sustainability Report (page 37):

The subscriber data and telephone communications information of customers are only handed over to public authorities in constitutional and legal cases of breach of confidentiality.

As for parameter II, the company meets it, given that it states that subscriber data (personal qualification, affiliation and address of the client) may be handed over to administrative authorities that have legal competence to request it; however, it does so without identifying those authorities or specifying the legal hypotheses it considers appropriate. It therefore does not meet parameters III and IV.

11.15. Hand over subscriber data, without the need for prior judicial order, only to administrative authorities that have legal competence for the request.

In the analyzed documents, there is no mention of scenarios in which the company may hand over location data, so parameter V was not met.

Finally, on parameter VI, Oi Broadband sets forth in the contract that connection records are handed over only upon the order of a judge. However, this section is not strictly limited to the terms of the Brazilian Internet Civil Rights Framework (i.e., it does not specify that only the date and time of the start and end of an Internet connection, its duration and the IP address used will be shared). It therefore only partially meets parameter VI.

11.14. Hand over the connection and access to Internet applications records, autonomously or associated with personal data or other information that may contribute to the identification of the user or the terminal, by means of a court order.

 

CATEGORY: Defense of user’s privacy in courts

Result:

Oi Broadband got half a star, because it met parameter II.

As for parameter I, in searches on Google, in specialized media (telesintese, teletime, sinditelebrasil) and on the Federal Supreme Court website, no new lawsuits could be located that have as their object laws or policies that affect the privacy and secrecy of communications. We point out that the Action for Unconstitutionality (ADI) 5642 filed by ACEL had already been considered in the last edition of QDSD and has not had any updates. The parameter has therefore not been met.

As for parameter II, we conducted exploratory searches on the website of the São Paulo State Court of Justice and several lawsuits were indeed found in which Oi challenged court orders for breach of confidentiality to provide personal data of users, including subscriber data, location (ERB), IPs, among others. Considering the reasoning of the lawsuits, we identified that the court orders determining access to data were challenged for being broad and generic, for lacking proper and individualized grounds, and for violating the constitutional guarantee of privacy, intimacy and the protection of confidentiality of data and communications.

These are the lawsuits: HC 2180050-94.2017.8.26.0000 (broad and nonspecific court order); HC 2173266-04.2017.8.26.0000 (generic court order lacking grounds); HC 2182623-71.2018.8.26.0000 (generic and broad court order); HC 2198244-45.2017.8.26.0000 (court order to provide access password, subscriber data and call records for 6 months, challenged as generic, broad and covering an excessive period); HC 2028417-65.2019.8.26.0000 (court order for access password, subscriber data, connection records and location data, challenged as generic and lacking suitable and specific grounds); HC 2077474-23.2017.8.26.0000 (generic and broad court order with an excessive term); HC 2050353-49.2019.8.26.0000 (generic court order lacking individual grounds); HC 2011168-38.2018.8.26.0000 (generic court order lacking individual grounds).

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.

 

CATEGORY: Public pro-privacy positioning

Result:

Oi Broadband didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After we conducted searches in official government websites, specialized and traditional media and companies’ press rooms, we couldn’t find any material in this regard, which led to the assessment that the parameters were not met. It is interesting to note that, on page 51, Oi’s Sustainability Report states that the company monitors bills of law related to personal data protection. However, there is no indication or disclosure of positions or declarations associated with such projects.

 

CATEGORY: Transparency report about data requests

Result:

Oi Broadband got an empty star, because it did not meet the parameter. In its Sustainability Report (p. 37), the company limits itself to informing that subscriber data and other information are handed over to public authorities in the cases authorized by law. It does not, however, disclose request statistics, nor does it differentiate the responsible authorities or the grounds on which their requests are based.

 

CATEGORY: User notification

Result:

Oi Broadband did not obtain a star, since there is no mention of user notification in any of the analyzed documents.

OI – MOBILE

CATEGORY: Information on data processing

Result:

Oi Mobile obtained an empty star, because it met the equivalent of only one parameter (two parameters partially met).

Parameter I was not considered met because the company does not provide clear legal information or references on data collection, including which data is collected and in which situations the collection occurs.

Parameter II, which concerns the provision of information or legal references on the use and/or processing of data, including the purposes for which they are used and how they are used, was considered partially met. In its contract for the postpaid modality, in section 9.1-XIII, among the subscriber’s rights, Oi establishes some general provisions. However, data processing and its purposes are not specified. It is only stated that “they are used for purposes that justify their collection”.

9.1 – XII. Receive data protection, both subscriber data and those relating to the connection records, which can only be used for purposes that: (i) justify its collection; (ii) are not prohibited by legislation and (iii) are specified in this service agreement or in the offer regulation (postpaid).

Regarding parameter III, the company does not provide clear legal information or references on the filing, storage and exclusion of data, nor on how long and where they are stored or when/if they are excluded. Therefore, the item was not considered met.

In the assessment of parameter IV, considered partially met, we found that the company, in its Sustainability Report (p. 6 to 37), states that the privacy and security of customer data is one of its areas of concern and ensures that it takes security measures to protect it. Its Data Security Policy has also been published on the website. Although it includes references to ISO standards of data security and presents some guidelines and parameters to be followed by the company’s employees, broad and generic parameters are stated and no specific information is available regarding practices adopted in relation to customer data, such as the security of data centers, anonymization processes, profiles and conditions of access to data. The policy consists mainly of guidelines and general principles.

Sustainability report, page 37:

Actions towards guaranteeing security for customer data processed by the Company are grounded on the applicable legal standards and seek to define standards of network technology and team awareness, especially in the business, information technology and engineering areas. The flow of approvals will assess whether the user has access to the group of information being processed. Data security management ensures minimum security requirements in product research and development, as well as in pre-production testing, and acts to provide information to customers. We are always evaluating improvements in our internal processes, with the aim of improving the data security of our customers.

As regards parameter V, i.e. transparency related to the communication, transfer, transmission, distribution or dissemination of data to third parties, including information on the circumstances in which this would happen and/or the need for the customer’s consent, the available information relates only to access by authorities, which is assessed in the second category of this survey. Therefore, the item was not considered met.

Regarding parameter VI, it was also considered not met, since none of the documents analyzed refer to consumers’ rights over their data, nor do they offer mechanisms for contacting Oi to exercise these rights.

Finally, we couldn’t find any environments on Oi’s website, either on the main page, or on the pages for contracting specific services, which present information on data privacy or protection in an accessible manner. In view of this, parameter VII was not considered met.

Regardless, we would like to highlight the fact that Personal Mobile Service (SMP) contracts in the postpaid and prepaid modalities are easily accessible at the bottom of each plan’s page. The Data Security Policy, in fact, is published on the website, but is not easily accessible, as it is necessary to click the button “about oi”, then “companies”, and then “Data Security Policy”. The ease of access to this information, however, was not enough in this edition of the report for parameter VII to be considered met.

 

CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Oi Mobile obtained half a star, because it fully met parameters I and II and partially met parameter VI.

Initially, it should be noted that, in comparison with the evaluation undertaken in 2018, significant changes were identified both in broadband service contracts and in Personal Mobile Service (SMP) contracts in the post-paid modality. However, these changes were not observed in prepaid Personal Mobile Service (SMP) contracts.

In section 16.11 of its Postpaid Personal Mobile Service contract, Oi undertakes to respect the preservation of the intimacy, privacy, honor and image of the parties directly or indirectly involved with regard to data confidentiality, regarding both the subscriber data and those relating to the connection records. In the Sustainability Report (p. 37), Oi promises to hand over such data to the authorities only in the legal and constitutional hypotheses of breach of confidentiality. This satisfies parameter I.

Contract:

16.11. Oi undertakes to respect the preservation of intimacy, privacy, honor and image of the parties directly or indirectly involved in what concerns data confidentiality, both the subscriber data and those relating to the connection records;

16.12. Oi undertakes to hand over the connection and access to Internet applications records, independently or associated with personal data or other information that may contribute to the identification of the user or the terminal, by court order.

16.13. Oi undertakes to hand over subscriber data, without the need for prior judicial order, only to administrative authorities that have legal competence for the request.

Sustainability Report (page 37):

The subscriber data and telephone communications information of customers are only handed over to public authorities in constitutional and legal cases of breach of confidentiality.

As for parameter II, the company complies with it, given that it states that subscriber data will only be handed over to administrative authorities that have legal competence to request it, without, however, identifying those authorities or specifying the legal hypotheses it considers appropriate. It therefore does not meet parameters III and IV.

16.13. Oi undertakes to hand over subscriber data, without the need for prior judicial order, only to administrative authorities that have legal competence for the request.

In the documents analyzed, there is no mention of scenarios in which the company may hand over location data, so parameter V was not met.

Finally, regarding parameter VI, Oi Mobile provides in the contract that connection records are handed over only upon the order of a judge. However, this section is not strictly limited to the terms of the Brazilian Internet Civil Rights Framework (i.e., it does not specify that only the date and time of the start and end of an Internet connection, its duration and the IP address used will be shared). It therefore only partially meets parameter VI.

16.12. Oi undertakes to hand over the connection and access to Internet applications records, independently or associated with personal data or other information that may contribute to the identification of the user or the terminal, by court order.

 

CATEGORY: Defense of user’s privacy in courts

Result:

Oi Mobile obtained half a star, because it met parameter II.

As for parameter I, in searches on Google, in specialized media (telesintese, teletime, sinditelebrasil) and on the Federal Supreme Court website, no new lawsuits could be located that have as their object laws or policies that affect the privacy and secrecy of communications. We point out that the Action for Unconstitutionality (ADI) 5642 filed by ACEL had already been considered in the last edition of QDSD and has not had any updates. The parameter has therefore not been met.

As for parameter II, we conducted exploratory searches on the website of the São Paulo State Court of Justice and several lawsuits were indeed found in which Oi challenged court orders for breach of confidentiality to provide personal data of users, including subscriber data, location (ERB), IPs, among others. Considering the reasoning of the lawsuits, we identified that the court orders determining access to data were challenged for being broad and generic, for lacking proper and individualized grounds, and for violating the constitutional guarantee of privacy, intimacy and the protection of confidentiality of data and communications.

These are the lawsuits: HC 2180050-94.2017.8.26.0000 (broad and nonspecific court order); HC 2173266-04.2017.8.26.0000 (generic court order lacking grounds); HC 2182623-71.2018.8.26.0000 (generic and broad court order); HC 2198244-45.2017.8.26.0000 (court order to provide access password, subscriber data and call records for 6 months, challenged as generic, broad and covering an excessive period); HC 2028417-65.2019.8.26.0000 (court order for access password, subscriber data, connection records and location data, challenged as generic and lacking suitable and specific grounds); HC 2077474-23.2017.8.26.0000 (generic and broad court order with an excessive term); HC 2050353-49.2019.8.26.0000 (generic court order lacking individual grounds); HC 2011168-38.2018.8.26.0000 (generic court order lacking individual grounds).

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.

 

CATEGORY: Public pro-privacy positioning

Result:

Oi Mobile didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After we conducted searches in official government websites, specialized and traditional media and companies’ press rooms, we couldn’t find any material in this regard, which led to the assessment that the parameters were not met. It is interesting to note that, on page 51, Oi’s Sustainability Report states that the company monitors bills of law related to personal data protection. However, there is no indication or disclosure of positions or declarations associated with such projects.

 

CATEGORY: Transparency report about data requests

Result:

Oi Mobile got an empty star, because it did not meet the parameter. In its Sustainability Report (p. 37), the company limits itself to informing that subscriber data and other information are handed over to public authorities in the cases authorized by law. It does not, however, disclose request statistics, nor does it differentiate the responsible authorities or the grounds on which their requests are based.

 

CATEGORY: User notification

Result:

Oi Mobile obtained an empty star because there is no mention of user notification in any of the analyzed documents.


TIM – Broadband

CATEGORY: Information on data processing

Result:

TIM Broadband got ¼ of a star, as it partially met parameters II, IV and V, which means it complied with the equivalent of 1.5 parameters.

Parameter I was not deemed fulfilled, as the company does not provide clear legal information or benchmarks on data collection. Although the “Contrato de Prestação de Serviço de Comunicação Multimídia” (Multimedia Communication Service Agreement) acknowledges the “inviolability of the secrecy of its communication” and other legal safeguards, InternetLab considered it to be a generic wording, and several improvements are required (as noted below).

Regarding parameter II (use and processing of data), section 3.1 (r) of the aforementioned agreement states that it is TIM’s obligation to strictly protect the confidentiality inherent to the telecommunications services and the confidentiality of the subscriber’s data and information, using all the necessary means and technology to ensure the users’ rights.

Section 4.2 (e) states the customer’s right to the inviolability and confidentiality of their communication, in compliance with the constitutional and legal provisions and conditions for the breach of confidentiality of telecommunications as well as the intermediation of the communication of disabled people, under the terms of regulation; item (j) stresses that the company respects the privacy of users in its billing documents and in the use of his or her personal data by the provider.

“CONTRACT FOR THE PROVISION OF MULTIMEDIA COMMUNICATION SERVICE – SCM

3.1. (r) to observe the obligation to strictly ensure the confidentiality inherent to the telecommunications services and the confidentiality of the subscriber’s data and information, using all means and technology necessary to ensure this right for users;

4.2. The CLIENT’s rights are: (e) the inviolability and secrecy of its communication, in compliance with the constitutional and legal provisions and conditions for the breach of confidentiality of telecommunications and the activities of intermediation of the communication of the disabled, under the terms of the regulation; (j) the respect of her/his privacy in the billing documents and use of personal data by the provider;

12.5 The CLIENT takes all and any responsibility for eventual operations of purchase and sale by virtual means that imply the transfer of confidential information from CLIENT and/or from third parties.”

In addition, the Sustainability Report states that access to records and communication data of users will only be granted to employees who need to access such information for professional activities, and that data from records and telephone communications will only “be shared with authorities, in compliance with Brazilian law, and for the fulfillment of judicial obligations of lawful interception”. However, such information is provided in too general a manner. For example, it would be expected that specific information be provided on which data is collected and what use will be made of it. Thus, as there is no complete information on how the company uses and processes the data collected, parameter II was considered only partially met.

Sustainability Report 2018 (p.48):

The Customer Data Privacy Policy states that:

– Only authorized employees can access the subscriber’s information and communication data of customers and in specific situations.

(…)

Subscriber data and telephone communications are only shared with authorities, in accordance with Brazilian law, and for the fulfillment of judicial obligations of lawful interception.

 

Regarding parameter III, the company does not provide clear legal information or references on the retention, storage and deletion of data: for how long and where data are stored, or when and whether they are deleted. The parameter was therefore not considered met.

As for parameter IV, the Sustainability Report (p. 51), in its section on security, states that the company follows market best practices in line with ISO 27001 (although it does not hold the certification). As the report is not easy to find on the company's website, requiring a specific effort from the customer to locate it and only then learn of this alignment with the standard, only partial compliance was considered. We would recommend making this information easier to find, also in line with art. 16 of Decree No. 8.771/2016, which requires, for this information, "clear and accessible disclosure, preferably through their websites".

Regarding parameter V, considered partially met, the company states in its Sustainability Report that access to users' communication data and records is allowed only to employees who need such information for their professional activities, and provides some information on the handing over of subscriber data and telephone communications (see the excerpt quoted above). However, sharing data with partners or with other companies of the same economic group is a common and necessary activity for the normal operation of a telephone and Internet company, and it is insufficient to state that the data will only be accessed by employees who need it. The excessively general wording would be improved if it stated, for example, which employees have access to which data and what specific limits are imposed on sharing (e.g. that the data will not be sold for marketing purposes, or that consent will be collected for such sale). For data handed over to public authorities, the wording could also be improved by specifying, for example, which authorities may receive such data.

Regarding parameter VI, it was also considered not met, since none of the documents analyzed mentions consumers' rights over their data or offers a mechanism for contacting TIM to exercise such rights.

Regarding the last parameter, we could not find on TIM's website any section, either on the main page or on the pages for contracting specific services, presenting information on data privacy or protection in an accessible way. Therefore, parameter VII was not considered met.

We nevertheless praise the fact that the main documents regulating the relationship between customer and provider with regard to data processing and protection are easy to access. That ease of access, however, was not enough in this edition of the report for parameter VII to be considered met.

Finally, we note that the privacy policy on TIM's website was not considered for this report, as it refers only to the data of website visitors. The TIM Group's Sustainability Report 2018 was analyzed, but the information it contains in relation to Brazil did not change the conclusions set out above.

 

CATEGORY: Information on the conditions of data sharing with State agents

Result:

TIM Broadband got ¼ of a star, because it met parameter I.

The company mentions, in Section 3.2 of the "Contrato de Prestação de Serviço de Comunicação Multimídia" (Multimedia Communication Service Agreement) and in Section 4.2 of the Service Provision Agreement, the customer's right to the inviolability and secrecy of their communications, in compliance with the constitutional and legal provisions and conditions for the breach of telecommunications confidentiality.

CONTRACT FOR THE PROVISION OF MULTIMEDIA COMMUNICATION SERVICE – SCM: 3.2. The CLIENT’s rights are all those established in the SCM Regulation and in current legislation, such as: (e) the inviolability and secrecy of its communication, respecting the constitutional and legal provisions and conditions of breach of secrecy of telecommunications and the activities of intermediation of the communication of people with disabilities, under the terms of the regulations;

CONTRACT FOR THE PROVISION OF SERVICES:
4.2. The CLIENT has the right to: (e) the inviolability and secrecy of its communication, in compliance with the constitutional and legal provisions and conditions of breach of secrecy of telecommunications and the activities of intermediation of communication of people with disabilities, under the terms of the regulations; (g) unilaterally by TIM, if the service is used to commit criminal acts, notably crimes against children and adolescents provided for in the Statute of the Child and Adolescent and other applicable legislation, TIM’s right to seek redress for losses and damages against the CLIENT, in the event that TIM is sued by third parties that have been affected, in the context of civil or criminal actions in relation to the responsibility for the commitment of such offensive acts, through LIVE TIM, in which case TIM is allowed to hand over all the CLIENT’s subscriber data to the judicial authorities in accordance with Law No. 12.965/2014 for the investigation of the criminal act and accountability of the perpetrator of the offenses.

In the Sustainability Report, the company also states that subscriber data and telephone communications are handed over to the authorities permitted by law and in compliance with judicial orders for telephone interception.

Sustainability Report 2017 (p. 51): The information about registration data and telephone communications are handed over to the authorities allowed by law and in compliance with judicial orders for telephone interception.

InternetLab considers this wording to be generic, with room for improvement. It does not make clear to the user that subscriber data and connection records are subject to different legal procedures. In this regard, it is important that the company clearly informs users that connection records can only be handed over under a judicial order, according to the Brazilian Internet Civil Rights Framework. Subscriber data, on the other hand, may under the same law be requested without a judicial order by competent administrative authorities. Given the current controversy over which authorities count as "competent administrative authorities", it is essential that the company be transparent about which interpretation of the law it applies when it receives requests for breach of confidentiality.

As we have noted since the first edition, our intention is to take these distinctions into account, rewarding companies that undertake to protect data according to the nuances of the law and that disclose their procedures and interpretations. It is therefore important that TIM informs customers more clearly about what types of data it hands over and under what circumstances.

 

CATEGORY: Defense of user’s privacy in courts

Result:

TIM Broadband got a full star because it met both parameters.

As for parameter I, during the document exchange stage TIM presented InternetLab with court documents proving its participation in lawsuits in which the company considers that the prevailing interpretation of the law does not protect the privacy of its users. The parameter was therefore considered met. We note that the Direct Action of Unconstitutionality (ADI) 5642 filed by ACEL was already considered in the last edition of QDSD and has had no updates since, so it was not taken into consideration in this one.

Regarding parameter II, TIM also presented InternetLab, during the document exchange stage, with court documents in which it challenges abusive requests, proving its action in defense of its customers' privacy.

We note that in next year's edition of the report the parameters of this third criterion will be tightened. Specifically, only voluntary pleadings filed by the companies within the analyzed period, i.e. filings the company was not obliged to make, such as initial petitions and appeals, will be considered for full compliance with the parameters.

 

CATEGORY: Pro-user privacy public engagement

Result:

TIM Broadband obtained three-quarters of a star because it fully met parameters I and II and partially met parameter IV.

During the document exchange stage, TIM informed InternetLab that it took part, especially through its Data Protection Officer, Piero Formica, in several public debates in which it defended the adoption of practices favoring the privacy of its users (thus meeting parameter I).

In these debates, he has publicly defended the adoption of the new Brazilian General Data Protection Law (LGPD), including actively, “not simply doing what the authority orders”, which is why parameter II was considered met.

As for parameter III, although the company has defended a "new concept of 'Internet of Trust'", we were unable to find, in the public debates in which TIM took part, a specific defense of the adoption of data security techniques and of the protection of the confidentiality of communications, which is why parameter III was not considered met.

Finally, parameter IV was considered partially met. This is because the company, when referring to the GDPR, mentions international standards with which it intends to comply. However, it does not do so directly, nor beyond what a protective interpretation of Brazilian law would already require. Among the company's public statements, we highlight the following:

Piero Formica, TIM Brazil's compliance director, sees the LGPD as an opportunity for transparency in the relationship between providers and their clients and partners. But he highlighted that Brazil will have to do in months what was done in Europe in 20 years, as Europe has regulated the relationship between personal data and telecommunications companies since 1998. "Everything will work if we manage to reconcile the business with a change of relationship with customers, employees, partners, government," he said. "TIM has created a specific area to take care of compliance, but the business, marketing, security and legal departments must understand that they are also actors", he added. "We need to work together, interact and not just do what the authority tells us. We have to define together, build flows to act. The LGPD is something that cannot be done alone, neither within the organization, nor in the market", he advised, suggesting that the law in Brazil can be a reference for the world. (source: https://sis-publique.convergenciadigital.com.br/cgi/cgilua.exe/sys/start.htm?infoid=50779&sid=4).

Mário Girasole, vice president of regulatory affairs at TIM, believes that telecommunications operators can lead a movement to create an environment of trust on the Internet. “The real issue with big data is not playing data analyst. The answers that data can give are unlimited. What is needed is to understand the demand. And within that we have the question of not turning ‘social good’ into ‘private evil’,” he said. “The president of Facebook was in the U.S. Congress saying, ‘data from 90 million people leaked, but sorry, I did what I had to do, and next time I’ll do better’. Now, imagine a telecom operator that ends up infringing some issue of users’ rights, takes a lawsuit and arrives at Anatel to say ‘sorry, I did what I had to do’?”. Girasole agrees with the counsellor that the issue of privacy is becoming more and more an economic issue, and that is why we need to think about a new concept of “Internet of Trust” (source: https://teletime.com.br/25/05/2018/teles-precisam-liderar-movimento-da-internet-of-trust-diz-girasole/).

 

CATEGORY: Transparency reports about data requests

Result:

TIM Broadband got ¼ star because it partially met parameter I.

TIM publishes a Sustainability Report on its activities in Brazil. However, the report does not contain any information related to requests for data received and/or answered. Even so, since it publishes information on the number of lawsuits in which it is involved, parameter I was considered partially met.

Sustainability Report 2018 (p. 48):

“In 2018, the Company was involved in 195 lawsuits related to the violation of data privacy (appropriation of information by third parties due to improper chip exchange and consequent damage to the client, material and/or moral). Of the total, 132 are still under trial and 63 were closed, 19 with a favorable opinion to TIM and 44 with compensation payments by TIM to customers”.

 

CATEGORY: User notification

Result:

TIM Broadband did not obtain a star because we were unable to find any mention of user notification mechanisms in cases of requests from state authorities in the materials analyzed.

 

TIM – MOBILE

CATEGORY: Information on data processing

Result:

TIM Mobile got ¼ star, as it partially met parameters II, IV and V, which means it complied with the equivalent of 1.5 parameters.

Parameter I was not deemed fulfilled, as the company does not provide clear legal information or references on data collection. Although the "Contrato de Prestação de Serviço de Comunicação Multimídia" (Multimedia Communication Service Agreement) acknowledges the "inviolability of the secrecy of its communication" and other legal safeguards, InternetLab considered the wording generic, and several improvements are required (as noted below).

Regarding parameter II, Section 3.3(g) of the prepaid service contract (which has the same wording as Section 3.5(f) of the postpaid service contract) states that the company guarantees customer rights such as the inviolability and confidentiality of their communications, in compliance with the legal provisions on breach of confidentiality and except for cases in which information is made available exclusively for statistical purposes, thus providing information and legal references on the use of data.

PREPAID PERSONAL MOBILE SERVICE CONTRACT (“CONTRACT”): 3.3 The CLIENT is guaranteed the rights established in the SMP Regulation, such as: g) inviolability and confidentiality of its communication, respecting the constitutional and legal provisions and conditions of breach of telecommunications confidentiality and except for the cases of availability of information, exclusively for statistical purposes.

POSTPAID PERSONAL MOBILE SERVICE CONTRACT (“CONTRACT”): 3.5 f) inviolability and confidentiality of its communication, respecting the constitutional and legal provisions and conditions of breach of telecommunications confidentiality and except for the cases of availability of information, exclusively for statistical purposes.

In addition, the Sustainability Report states that access to users' subscriber records and communication data is granted only to employees who need it for their professional activities, and that subscriber data and telephone communications are only "shared with authorities, in compliance with Brazilian law, and for the fulfillment of judicial obligations of lawful interception". This information, however, is provided in too general a manner: one would expect, for example, specific information on which data is collected and what use is made of it. Since there is no complete information on how the company uses and processes the data it collects, parameter II was considered only partially met.

Sustainability Report 2018 (p.48):

The Customer Data Privacy Policy states that:

– Only authorized employees can access the subscriber information and communication data of customers, and only in specific situations.

(…)

Subscriber data and telephone communications are only shared with authorities, in accordance with Brazilian law, and for the fulfillment of judicial obligations of lawful interception.


With regard to parameter III, the company does not provide clear legal information or references on the retention, storage and deletion of data: for how long and where data are stored, or when and whether they are deleted. The parameter was therefore not considered met.

As for parameter IV, the Sustainability Report (p. 51), in its section on security, states that the company follows market best practices in line with ISO 27001 (although it does not hold the certification). As the report is not easy to find on the company's website, requiring a specific effort from the customer to locate it and only then learn of this alignment with the standard, only partial compliance was considered. We would recommend making this information easier to find, also in line with art. 16 of Decree No. 8.771/2016, which requires, for this information, "clear and accessible disclosure, preferably through their websites".

Regarding parameter V, considered partially met, the company states in its Sustainability Report that access to users' communication data and records is allowed only to employees who need such information for their professional activities, and provides some information on the handing over of subscriber data and telephone communications (see the excerpt quoted above). However, sharing data with partners or with other companies of the same economic group is a common and necessary activity for the normal operation of a telephone and Internet company, and it is insufficient to state that the data will only be accessed by employees who need it. The excessively general wording would be improved if it stated, for example, which employees have access to which data and what specific limits are imposed on sharing (e.g. that the data will not be sold for marketing purposes, or that consent will be collected for such sale). For data handed over to public authorities, the wording could also be improved by specifying, for example, which authorities may receive such data.

Regarding parameter VI, it was also considered not met, since none of the documents analyzed mentions consumers' rights over their data or offers a mechanism for contacting TIM to exercise such rights.

Regarding the last parameter, we could not find on TIM's website any section, either on the main page or on the pages for contracting specific services, presenting information on data privacy or protection in an accessible way. Therefore, parameter VII was not considered met.

We nevertheless praise the fact that the main documents regulating the relationship between customer and provider with regard to data processing and protection are easy to access. That ease of access, however, was not enough in this edition of the report for parameter VII to be considered met.

Finally, we note that the privacy policy on the website was not considered in this report, as it refers only to the data of website visitors. The TIM Group's Sustainability Report 2018 was analyzed, but the information it contains in relation to Brazil did not change our conclusions as set out above.

 

CATEGORY: Information about data disclosure to government authorities

Result:

TIM Mobile got ¼ star, because it met parameter I.

The company states, in Section 8.4 of the prepaid service contract (which has the same wording as Section 10.12 of the postpaid service contract), that it processes customer data and communications in a secret and confidential manner but may hand them over under an order from a competent authority.

PREPAID PERSONAL MOBILE SERVICE CONTRACT (“CONTRACT”):

3.3 The CLIENT is guaranteed the rights established in the SMP Regulation, such as: g) inviolability and confidentiality of its communication, respecting the constitutional and legal provisions and conditions of breach of telecommunications confidentiality and except for the cases of availability of information, exclusively for statistical purposes.

10.4 TIM processes CLIENT's data and communications in a secret and confidential manner but may hand over this data in case of order by competent authority.

POSTPAID PERSONAL MOBILE SERVICE CONTRACT ("CONTRACT"):

3.5. The CLIENT is guaranteed the rights established in the SMP Regulation and in current legislation, such as: (…)

f) inviolability and confidentiality of its communication, respecting the constitutional and legal provisions and conditions of breach of telecommunications confidentiality and except for the cases of availability of information, exclusively for statistical purposes

10.12 TIM processes CLIENT’s data and communications in a secret and confidential manner but may hand this data over in case of order by competent authority.

In the Sustainability Report, the company also states that subscriber data and telephone communications are handed over to the authorities permitted by law and in compliance with judicial orders for telephone interception.

Sustainability Report 2017 (p. 51): The information about registration data and telephone communications are handed over to the authorities allowed by law and in compliance with judicial orders for telephone interception.

InternetLab considers this wording to be generic, with room for improvement. It does not make clear to the user that subscriber data and connection records are subject to different legal procedures. In this regard, it is important that the company clearly informs users that connection records can only be handed over under a judicial order, according to the Brazilian Internet Civil Rights Framework. Subscriber data, on the other hand, may under the same law be requested without a judicial order by competent administrative authorities. Given the current controversy over which authorities count as "competent administrative authorities", it is essential that the company be transparent about which interpretation of the law it applies when it receives requests for breach of confidentiality.

As we have noted since the first edition, our intention is to take these distinctions into account, rewarding companies that undertake to protect data according to the nuances of the law and that disclose their procedures and interpretations. It is therefore important that TIM informs customers more clearly about what types of data it hands over and under what circumstances.

 

CATEGORY: Defense of user’s privacy in courts

Result:

TIM Mobile got a full star because it met both parameters.

As for parameter I, during the document exchange stage TIM presented InternetLab with court documents proving its participation in lawsuits in which the company considers that the prevailing interpretation of the law does not protect the privacy of its users. The parameter was therefore considered met. We note that the Direct Action of Unconstitutionality (ADI) 5642 filed by ACEL was already considered in the last edition of QDSD and has had no updates since, so it was not taken into consideration this year.

Regarding parameter II, TIM also presented InternetLab, during the document exchange stage, with court documents in which it challenges abusive requests, proving its action in defense of its customers' privacy.

We note that in next year's edition of the report the parameters of this third criterion will be tightened. Specifically, only voluntary pleadings filed by the companies within the analyzed period, i.e. filings the company was not obliged to make, such as initial petitions and appeals, will be considered for full compliance with the parameters.

 

CATEGORY: Pro-user privacy public engagement

Result:

TIM Mobile obtained three-quarters of a star because it fully met parameters I and II and partially met parameter IV.

During the document exchange stage, TIM informed InternetLab that it took part, especially through its Data Protection Officer, Piero Formica, in several public debates in which it defended the adoption of practices favoring the privacy of its users (thus meeting parameter I).

In these debates, he has publicly defended the adoption of the new Brazilian General Data Protection Law (LGPD), including actively “not simply doing what the authority orders”, which is why parameter II was considered met.

As for parameter III, although the company has defended a "new concept of 'Internet of Trust'", we were unable to find, in the public debates in which TIM took part, a specific defense of the adoption of data security techniques and of the protection of the confidentiality of communications, which is why parameter III was not considered met.

Finally, parameter IV was considered partially met. This is because the company, when referring to the EU's GDPR, mentions international standards with which it intends to comply. However, it does not do so directly, nor beyond what a protective interpretation of Brazilian law would already require. Among the company's public statements, we highlight the following:

Piero Formica, TIM Brazil's compliance director, sees the LGPD as an opportunity for transparency in the relationship between providers and their clients and partners. But he highlighted that Brazil will have to do in months what was done in Europe in 20 years, as Europe has regulated the relationship between personal data and telecommunications companies since 1998. "Everything will work if we manage to reconcile the business with a change of relationship with customers, employees, partners, government," he said. "TIM has created a specific area to take care of compliance, but the business, marketing, security and legal departments must understand that they are also actors", he added. "We need to work together, interact and not just do what the authority tells us. We have to define it all together, to build workflows to act. The LGPD is something that cannot be complied with alone, neither within the organization, nor in the market", he advised, suggesting that the law in Brazil can be a reference for the world. (source: https://sis-publique.convergenciadigital.com.br/cgi/cgilua.exe/sys/start.htm?infoid=50779&sid=4).

Mário Girasole, vice-president of regulatory affairs at TIM, believes that telecommunications operators can lead a movement to create an environment of trust on the Internet. “The real issue with big data is not playing data analyst. The answers that data can give are unlimited. What is needed is to understand the demand. And within that we have the question of not turning ‘social good’ into ‘private evil’,” he said. “The president of Facebook was in the U.S. Congress saying, ‘data from 90 million people leaked, but sorry, I did what I had to do, and next time I’ll do better’. Now, imagine a telecom operator that ends up infringing some issue of users’ rights, takes a lawsuit and arrives at Anatel to say ‘sorry, I did what I had to do’?”. Girasole agrees with the counsellor that the issue of privacy is becoming more and more an economic issue, and that is why we need to think about a new concept of “Internet of Trust” (source: https://teletime.com.br/25/05/2018/teles-precisam-liderar-movimento-da-internet-of-trust-diz-girasole/).

 

CATEGORY: Transparency reports about data requests

Result:

TIM Mobile got ¼ of a star because it partially met parameter I.

TIM publishes a Sustainability Report on its activities in Brazil. However, the report does not contain any information related to requests for data received and/or complied with. Even so, since it publishes information on the number of lawsuits in which it is involved, parameter I was considered partially met.

Sustainability Report 2018 (p. 48):

“In 2018, the Company was involved in 195 lawsuits related to the violation of data privacy (appropriation of information by third parties due to improper chip exchange and consequent damage to the client, material and/or moral). Of the total, 132 are still under trial and 63 were closed, 19 with a favorable opinion to TIM and 44 with compensation payments by TIM to customers”.

 

CATEGORY: User notification

Result:

TIM Mobile did not obtain a star because we were unable to find any mention of user notification mechanisms in cases of requests from state authorities in the materials analyzed.


VIVO – BROADBAND

CATEGORY: Information on data processing

Result:

In this category, Vivo broadband got a full star.

In its broadband agreement, the company has a section entitled "The Use of Customer's Personal Data". As its name suggests, it offers relevant information on data processing and security: Vivo states that it collects the customer's personal data and records of their Internet connection, for what period, and, in general terms, who has access to this information, thus complying with parameter I. Vivo also addresses this issue in its Privacy Center, both in video and in text.

Privacy Center (subsection “collected information”):

Vivo collects your information in accordance with the service you use. Find out what this information is:

Registration data: What you made available when you contracted our services, such as name, address, taxpayer number (CPF) etc.;

Data traffic volumes on the Internet via 2G, 3G and/or 4G network;

History of use of products and services contracted: Exactly what the name says, but it is important to know that this history does not involve data on the apps used on your phone or what you do on social networks or websites. This is only true for Vivo apps! Only in this case is the data collected used to make the app better and better;

SMS events that are inside and outside the national Vivo network: This collection includes international Vivo events and international operators in roaming;

History of calls made and received: Accounting and tax information, invoice and customer payment;

Recharge transactions and monitoring of the use of these credits;

Customer data relating to services provided in stores and in the call center.

Vivo uses cookies to make it easier for you to navigate the website and to further customize our services. And you can rest easy if you don’t want to enable cookies! Configure your browser to accept or reject this tool.

As for parameter II, in the Privacy Center subsection "Why and how do we collect information?", the company describes some of the purposes of data collection, such as improving the network service, customizing the service, etc. In section 13.1 of the broadband agreement, the company also provides information on data processing, including the purpose and manner of use.

Privacy Center (subsection “Why and how do we collect information?”):

So, let’s explain here why we collect all this information:

For recharge transactions and monitoring the use of these credits;

To improve network performance and increase the quality of our services;

To correct failures in mobile, fixed and TV network services even faster;

To enable the processes for the elaboration of plans, services and personalized offers to be even closer to your profile;

To evaluate demand by geographic region;

To help with Vivo’s strategic decisions, such as redistributing the signal or reallocating the service portfolio;

To improve the relationship experience between you and Vivo, such as sending direct marketing and providing more relevant offers.

CONTRACT FOR FIXED TELEPHONE SERVICE (STFC), MULTIMEDIA COMMUNICATION SERVICE (SCM) AND CONDITIONED ACCESS SERVICE (CABLE TV – SEAC): 5.3 The CLIENT has the option to either authorize VIVO or not to send him/her e-mails, direct mail, inserts or any other communication instrument offering services and/or products of VIVO or companies related to VIVO or its partners, as well as to provide them with the registration/personal data provided in the scope of this agreement, for the offer of their products and/or services. Such permissions may be revoked by the CLIENT, at any time, by means of a request made to the Relationship Center with the CLIENT. 13.1. The Client’s personal data collected by VIVO within the scope of this Agreement will be treated in the form of current legislation and applicable regulations, exclusively for the purpose of providing the telecommunications service(s) subject to this Agreement, as well as for profile analysis of the Client, or for marketing purposes, in order to (i) ensure the adequacy of the best offers according to the Client’s needs; and (ii) improve the performance of the services provided, and such data may also be treated by VIVO, its partners or by third parties contracted by VIVO, in an anonymised manner, in order to allow analysis and construction of standards, behaviours, choices, and consumptions for the purposes set forth herein.

In another subsection, “For how long do we store data?”, the company informs the data storage time, thus satisfying parameter III. Also in the contract, in sections 13.2 and 13.3, the company provides information and legal references about the storage and deletion of data, including for how long and by whom the personal data and connection records of the customer will be stored.

Privacy Center (subsection “For how long do we store data?”):

According to the Brazilian Internet Civil Rights Framework, Vivo stores for at least 1 year its connection records, which are the information about the time of your Internet connections and the IP for sending and receiving data. Your registration data (such as full name, address and taxpayer number (CPF)) and billing data (documents of fiscal nature) are stored for at least 5 years for judicial and administrative proceedings. We do not store content from app providers, other than from apps we create. So, in this case, according to the Brazilian Internet Civil Rights Framework, we keep the register for up to 6 months, under secrecy, in a controlled and secure environment. Individualized information will only be shared with partners if you so authorize.

CONTRACT FOR FIXED TELEPHONE SERVICE (STFC), MULTIMEDIA COMMUNICATION SERVICE (SCM) AND CONDITIONED ACCESS SERVICE (CABLE TV – SEAC): 13.2 The Client’s personal data collected by VIVO within the scope of this Contract will be stored by VIVO or by a third party subcontracted by VIVO for a period of 5 (five) years, and the Contracts will be stored for a period of 10 (ten) years in order to guarantee compliance with the corresponding applicable legal obligations, being guaranteed to the CLIENTS that the storage of their personal data by VIVO or by subcontracted third parties will be carried out through the adoption of security measures and physical and logical protection of information. 13.3 By legal stipulation, VIVO will store the records of your Internet connection for a period of 1 (one) year, guaranteeing for this purpose the adoption of physical and logical security measures that safeguard the protection and security, secrecy and confidentiality of the connection records, so that after the expiry of the period of 1 (one) year, VIVO will delete all connection records from its records. The police or administrative authority or the Public Prosecutor’s Office may request precautionary storage of the connection records for an additional period in relation to the prescribed period.

Regarding parameter IV, in the Sustainability Report (p. 57), the company informs some of the safety standards it uses to ensure the protection of users. In addition, in the “Privacy Center”, the company informs the security standards it uses, ensures the signature of a security term by partners and declares to have a Corporate Information Security Policy, which establishes mandatory guidelines for all employees. On anonymization, in the subsection “Where do we share this data?”, the company states that when conducting behavior studies, it is not possible to individualize this information – and individualized information, in turn, is only shared with partners with the customer’s authorization.

The privacy center (“information security” section):

Vivo is concerned with the security of its customers’ information. That’s why we are committed to protecting it from intrusion and ensuring that all your data remains confidential. For this to happen, all information that leaves your computer and reaches Vivo’s servers is encrypted. Please note: Meu Vivo contains personal information. Therefore, we do not recommend that you share your password with others, as this may put your security and personal data at risk.

Confidentiality: We allow access to data and to our systems only to authorized persons, according to the “principle of minimum privilege”;

Integrity: We preserve the reliability of data and information against any kind of change, whether accidental or fraudulent;

Availability: We have established the necessary controls so that the information is available to be accessed when necessary;

Auditability: We enable any action or transaction to be univocally cross-referenced, ensuring compliance with the fundamental controls established in the corresponding standards. If a safety incident occurs, we are committed to acting quickly and responsibly to minimize impacts and potential damage. We also maintain a business continuity plan to mitigate potential impacts on you that could affect the provision of services.

Vivo uses resources to investigate security vulnerabilities that put your privacy at risk, ensuring that the right remediation measures are in place. You will only be informed of relevant cases in which the loss, misuse or disclosure of the information has occurred due to a breach of security of the company’s systems and networks or which are related to an internal decision or technical action. In such cases, you will know what corrective actions will be taken and the recommendations to protect your interests. In our relationships with legal authorities, we respect local laws and regulations. If you are aware of any vulnerability or threat that may affect Vivo’s infrastructure, please contact our Security Incident Response team (CSIRT Vivo) at csirt.br@telefonica.com.

Regarding parameter V, Vivo specifies the circumstances and conditions under which it shares data with third parties, both in the contract and in its Privacy Center. In section 13.1 the company exemplifies the circumstances in which it will share data with third parties contracted by Vivo or its partners, specifying that such sharing is limited to “analysis and construction of standards, behaviors, choices, and consumptions for the purposes set forth herein”. In addition, section 13.6 states that by signing the agreement the customer authorizes Vivo to disclose his or her name as part of its Customer List in Brazil, and that the customer may cancel this authorization at any time by sending a written notice to the company. Section 13.7 states that, outside the provisions of the foregoing, no further personal data or connection records will be provided to third parties except with free, express and informed consent or in the cases provided for by law.

CONTRACT FOR FIXED TELEPHONE SERVICE (STFC), MULTIMEDIA COMMUNICATION SERVICE (SCM) AND CONDITIONED ACCESS SERVICE (CABLE TV – SEAC): 13.6 The CLIENT hereby authorizes VIVO to disclose his name as part of the Client relationship in Brazil. The CLIENT may cancel the authorization provided for in this item at any time, without justification, upon prior written notice to VIVO. 13.7 Except as provided in the previous items, there will be no provision to third parties of other personal data, including connection records, except upon free, express and informed consent or in the cases provided by law, as identified in sections 13.4 and 13.5 of this Agreement.

Privacy Center:

Your data may be shared: With partners, whenever related to the provision of the service contracted by you (e.g. when you are roaming); In cases provided for by law and/or court order; With partners, individually, only with your express consent and always with the possibility of opting out.

Regarding parameter VI, it is also considered met, since the company’s “privacy center” contains a specific item with information about the “Right of Access, Rectification, Opposition and Cancellation”, as well as ways to contact Vivo to exercise such rights.

Finally, on parameter VII, the “privacy center” page can be reached from the main page of Vivo’s website, and it contains clear and organized information about the company’s privacy practices. Even so, it should be noted that the privacy center is not easily visible on the main page, being more easily found in the Sustainability Report. We would also recommend, as a good practice, that the privacy center be accessible through other locations on the website, for example when contracting specific plans, in order to increase its visibility and accessibility.


CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Vivo Broadband got a full star, because it met five parameters fully and one partially.

Regarding parameter I, in the Sustainability Report (p. 21), the company states that it seeks to comply with legislation and regulatory frameworks at the national level. In its Privacy Center, in the “breach of confidentiality” section, it clarifies that in some situations, “such as in the case of court orders and requests from competent authorities”, there may be the sharing of connection records, voice and data without the knowledge of the user, “in accordance with the current legislation in Brazil”. Finally, in the contract, this commitment is also expressed.

Sustainability Report (p. 21):

We seek to ensure compliance with legislation and regulatory frameworks at the international, national and regional levels, in order to anticipate trends and changes that influence our business in environmental issues, the supply chain and taxes.

CONTRACT FOR FIXED TELEPHONE SERVICE (STFC), MULTIMEDIA COMMUNICATION SERVICE (SCM) AND CONDITIONED ACCESS SERVICE (CABLE TV – SEAC): 5.1.3. Inviolability and secrecy of the communication exchanged between the CLIENT and VIVO, respecting the constitutional, legal and administrative hypotheses and conditions of breach of secrecy of telecommunications and the activities of intermediation of the communication of people with disabilities, under the terms of applicable regulations. 5.1.5 Respect for your privacy in the billing documents and in the use of your personal data by VIVO, under the terms of the applicable legislation and regulations.

On parameters II, III, IV and V, the 2018 Transparency in Communications Report defines which authorities are competent, under Brazilian legislation, to order interceptions and to request metadata. It therefore addresses the data, the conditions and the authorities to which the company grants access.

Telefónica Group Transparency Report (2018):

It defines a common global internal procedure at the request of certain authorities in accordance with the legislation of each country and aims to guarantee the legality of these requirements and the fundamental rights of those interested in this type of procedure. The Principles that govern this process are Confidentiality, Completeness, Statement of Grounds, Diligent Response and Safety. Our commitment is to ensure the participation in the process of legal areas or similar areas with legal competence in the reception of petitions. We have fixed interlocutors as a one-stop shop in our relationship with the competent authorities, so we reject any request that does not come through this regulatory channel.

LEGAL INTERCEPTION (p. 14)

Competent authorities: According to article 3 of the Brazilian Federal Law No. 9.296/1996 (law on interceptions), only the judge (from the criminal sphere) may determine interceptions (telephone and telematic), at the request of the Public Prosecutor’s Office (Ministério Público) or Police Commissioner (“Autoridade Policial”).

Legal Context: Constitution of the Federal Republic of Brazil: Art. 5; Law No. 9.296, of July 24, 1996; Resolution No. 426 of December 9, 2005; Regulation of Fixed Telephony Service – STFC. STF; Resolution No. 614 of 28 May 2013; Multimedia Communication Service Regulations.

ACCESS TO METADATA (p. 15)

Competent authorities:

Public Prosecutor’s Office, Police Commissioners and Judges of any jurisdiction, as well as Presidents of Parliamentary Investigation Commissions: the name and address of the registered user (subscriber data), as well as the identity of the communication equipment (including IMSI or IMEI).

Judges of any jurisdiction: data to identify the origin and destination of a communication (e.g. telephone numbers, user names for Internet services), the date, time and duration of a communication and the location of the device.

Legal context: Constitution of the Federal Republic of Brazil: Art. 5; Law No. 9.296 of 24 July 1996; Law No. 9.472 of 16 July 1997. Art. 3; Law No. 12,683 of 9 July 2012. Art. 17-B; Law No. 12,830 of 20 June 2013. Art. 2; Law No. 12850 of 20 August 2013. Section 15; Law No. 12965 of 23 April 2014. Art. 7; 10 and 19; DECREE No. 8,771 of 11 May 2016. Art. 11; Resolution No. 426 of December 9, 2005 / Regulation of Fixed Telephony Service – STFC. STFC. Art. 11; 22;23 and 24 / Resolution No. 477 of 7 August 2007/ Personal Mobile Service Regulations – SMP. Art. 6;10 ;12;13; 89 and 90. / Resolution No. 614 of 28 May 2013/ Multimedia Communication Service Regulations. Art. 52 and 53.

Also with respect to such parameters, the Agreement establishes that the company will share subscriber data after simple request (without a court order) to competent administrative authorities (II) and connection records only with a court order (VI). Although they present less exhaustive information than the Report, when observed together, the documents differentiate the regimes of access to data (registration, location and connection records), discriminate the competent authorities and indicate the legal basis and limits of their competence.

CONTRACT FOR FIXED TELEPHONE SERVICE (STFC), MULTIMEDIA COMMUNICATION SERVICE (SCM) AND CONDITIONED ACCESS SERVICE (CABLE TV – SEAC): 13.4 Connection records will only be made available by VIVO, independently or in connection with personal data, by court order, in accordance with the law. 13.5 The registration data that inform the personal qualification, affiliation and address of the CLIENT can be sent to the administrative authorities that have legal competence for its request.

This means that Vivo delivers registration data upon request from representatives of the Public Prosecutor’s Office, police authorities and judges. Connection records and location data are only made available by court order.

Finally, regarding parameter VI, we have considered it partially met. On the one hand, the wording above is clear when defining that only judges will have access to data on the origin and destination of a communication, from which it can be inferred that such access will only be by court order. However, this section is not strictly limited to the terms of the Brazilian Internet Civil Rights Framework (i.e., it does not specify that only the date and time of the start and end of an Internet connection, its duration and the IP address used will be shared).

InternetLab praises Telefónica Global’s conduct in publicizing its interpretations of which authorities are competent to request user data and in what circumstances. However, we emphasize that there is a need to present such information in Portuguese so that the company can be scored without reservations, whether in contracts, in a Sustainability Report, or in other materials.


CATEGORY: Defense of users’ privacy in courts

Result:

Vivo broadband got half a star in this category, because it met parameter I.

As for parameter I, we have conducted exploratory searches and located the filing of a motion for clarification (“embargos de declaração”) by Vivo in the scope of Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port data to police authorities. The parameter was therefore considered met. We point out that the ACEL’s Direct Unconstitutionality Action (ADI) No. 5642 was already considered in the last edition of QDSD and has not advanced since our last report, and has therefore not been considered this year.

As for parameter II, we conducted exploratory searches on the website of the Court of Justice of the State of São Paulo and could not find any results in which the company contested abusive requests from state authorities.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.


CATEGORY: Public pro-privacy positioning

Result: 

Vivo broadband didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869 of 2018 in the National Congress is an example of this opportunity.

After searches on official government websites, specialized and traditional press, and company press rooms, we did not find any material in this regard. We note, however, the following: During the LGPD proceedings, on June 26, 2018, the Senate Economic Affairs Committee held a public hearing on the bill of law. At this hearing, the “Declaration for the approval of the Data Protection Law”, signed by various entities and organizations, including the private sector, was presented. No Telecom operator signed the document, although Telefonica’s Director has affirmed in an event that the company would have done so.

Public statements by Enylson Camolesi, director of Telefónica:

“We support the law. The citizen must be in the centre.”

“For Camolesi, the worst scenario is to have a series of vetoes in the sanction of the law, because, in this case, one can have a legal framework that does not meet the desires of society. Since one has to make long-term investments, there is the need for a legal framework. We believe in transparency and that the central element must be the person.”

We emphasize that Telefónica’s contribution to the public consultation proposed by the Ministry of Science, Technology, Innovation and Communications on the regulation of 5G was analyzed for this report. However, since it only refers to the company’s internal practices, without defending any specific position within the scope of the consultation, it was considered that such participation was not sufficient for the parameters of this criterion to be met.


CATEGORY: Transparency report about data requests

Result:

Vivo got a full star, because it met both parameters.

For the third consecutive year, the Telefónica Group’s 2018 Transparency in Communications Report was published (document in Spanish), detailing the regulatory framework in each country in which the group operates, the number of data requests it received in each country between 2013 and 2017 and, especially in the case of Brazil, which authorities it considers competent.

In Brazil, in 2017, there were 437,770 interception requirements and 1,942,267 metadata access requirements (Transparency Report, 2018, p. 14 and 15). Thus, by including statistics and clarifying which authorities it considers competent according to the law, the company complied with the parameter.

InternetLab reinforces the importance of publishing such a document in Portuguese, so that the company is scored without reservations in the final report and continues to receive a full score in future editions of the project.


CATEGORY: User notification

Result:  

Vivo did not obtain a star, as there is no mention of the possibility of user notification in any of the analyzed documents. It should be noted that, in the Telefónica Group Transparency Report (2018), the issue is only addressed in the case of the United Kingdom, because of a legal provision.


VIVO MOBILE

CATEGORY: Information on data processing

Result:

In this category, Vivo mobile got a full star.

Although the mobile phone agreements in the prepaid and contract modalities do not offer substantial information about the data collected, we found that such information is available in the Sustainability Report and in the Privacy Center on Vivo’s website. In this environment, users can find a brief informative video on the main points of data protection by the company and then, through the menu, they can find more detailed information.

Vivo meets parameter I by itemizing, in both video and text, the data it collects.

Privacy Center (subsection “collected information”):

Vivo collects your information in accordance with the service you use. Find out what this information is:

Registration data: What you made available when you contracted our services, such as name, address, taxpayer number (CPF) etc.;

Data traffic volumes on the Internet via 2G, 3G and/or 4G network;

History of use of products and services contracted: Exactly what the name says, but it is important to know that this history does not involve data on the apps used on your phone or what you do on social networks or websites. This is only true for Vivo apps! Only in this case is the data collected used to make the app better and better;

SMS events that are inside and outside the national Vivo network: This collection includes international Vivo events and international operators in roaming;

History of calls made and received: Accounting and tax information, invoice and customer payment;

Recharge transactions and monitoring of the use of these credits;

Customer data relating to services provided in stores and in the call center.

Vivo uses cookies to make it easier for you to navigate the website and to further customize our services. And you can rest easy if you don’t want to enable cookies! Configure your browser to accept or reject this tool.

Regarding parameter II, in the subsection “Why and how do we collect information?” the company describes some of the purposes of data collection, such as improving the network service, customizing the service, etc.

Privacy Center (subsection “Why and how do we collect information?”):

So, let’s explain here why we collect all this information:

For recharge transactions and monitoring the use of these credits;

To improve network performance and increase the quality of our services;

To correct failures in mobile, fixed and TV network services even faster;

To enable the processes for the elaboration of plans, services and personalized offers to be even closer to your profile;

To evaluate demand by geographic region;

To help with Vivo’s strategic decisions, such as redistributing the signal or reallocating the service portfolio;

To improve the relationship experience between you and Vivo, such as sending direct marketing and providing more relevant offers.

In another subsection, “For how long do we store data?”, the company informs the data storage time, thus satisfying parameter III.

Privacy Center (subsection “For how long do we store data?”):

According to the Brazilian Internet Civil Rights Framework, Vivo stores for at least 1 year its connection records, which are the information about the time of your Internet connections and the IP for sending and receiving data. Your registration data (such as full name, address and taxpayer number (CPF)) and billing data (documents of fiscal nature) are stored for at least 5 years for judicial and administrative proceedings. We do not store content from app providers, other than from apps we create. So, in this case, according to the Brazilian Internet Civil Rights Framework, we keep the register for up to 6 months, under secrecy, in a controlled and secure environment. Individualized information will only be shared with partners if you so authorize.

Regarding parameter IV, in the Sustainability Report (p. 57), the company informs some of the safety standards it uses to ensure the protection of users. In addition, in the “Privacy Center”, the company informs the security standards it uses, ensures the signature of a security term by partners and declares to have a Corporate Information Security Policy, which establishes mandatory guidelines for all employees. On anonymization, in the subsection “Where do we share this data?”, the company states that when conducting behavior studies, it is not possible to individualize this information – and individualized information, in turn, is only shared with partners with the customer’s authorization.

The privacy center (“information security” section):

Vivo is concerned with the security of its customers’ information. That’s why we are committed to protecting it from intrusion and ensuring that all your data remains confidential. For this to happen, all information that leaves your computer and reaches Vivo’s servers is encrypted. Please note: Meu Vivo contains personal information. Therefore, we do not recommend that you share your password with others, as this may put your security and personal data at risk.

Confidentiality: We allow access to data and to our systems only to authorized persons, according to the “principle of minimum privilege”;

Integrity: We preserve the reliability of data and information against any kind of change, whether accidental or fraudulent;

Availability: We have established the necessary controls so that the information is available to be accessed when necessary;

Auditability: We enable any action or transaction to be univocally cross-referenced, ensuring compliance with the fundamental controls established in the corresponding standards. If a safety incident occurs, we are committed to acting quickly and responsibly to minimize impacts and potential damage. We also maintain a business continuity plan to mitigate potential impacts on you that could affect the provision of services.

Vivo uses resources to investigate security vulnerabilities that put your privacy at risk, ensuring that the right remediation measures are in place. You will only be informed of relevant cases in which the loss, misuse or disclosure of the information has occurred due to a breach of security of the company’s systems and networks or which are related to an internal decision or technical action. In such cases, you will know what corrective actions will be taken and the recommendations to protect your interests. In our relationships with legal authorities, we respect local laws and regulations. If you are aware of any vulnerability or threat that may affect Vivo’s infrastructure, please contact our Security Incident Response team (CSIRT Vivo) at csirt.br@telefonica.com.

Regarding parameter V, Vivo specifies the circumstances and conditions of data sharing with third parties, both in the contract and in its Privacy Center, stating that sharing will only occur for the provision of services contracted by the customer. Even though the parameter has been considered met, we emphasize that it would be good practice to inform the customer of the specific purposes for which data can be shared, including in cases of individual sharing.

GENERAL TERMS AND CONDITIONS OF THE CONTRACT FOR THE PROVISION OF POSTPAID PERSONAL MOBILE SERVICE:

20.3 VIVO may disclose and commercialize in a list (either printed or digital) information contained in its register relative to the CLIENT, provided that the CLIENT has authorized the disclosure of its name and Access Code in the Term of Adhesion to the Personal Mobile Service or, alternatively, by verbal authorization via the “Call Center” service, at any time.

Privacy Center (subsection “data sharing”): Vivo may eventually support a behavior study in events that promote the displacement of an audience in a given location. But it is important to emphasize that, in this case, no form of individualization of this information is possible. Individualized information will only be shared with partners if you so authorize.

Your data can be shared: With partners whenever related to the provision of the service contracted by you (e.g. when you are roaming); In cases provided for by law and/or court order; With partners, individually, only with your express consent and always with the possibility of opting out.

Finally, on parameter VII, through the main page of Vivo’s website one can access the “privacy center” environment, which contains clear and organized information about the company’s privacy practices. Even so, it should be noted that the privacy center is not easily visible on the main page, being more easily found in the Sustainability Report. We would also recommend, as a good practice, that the privacy center be accessible through other locations of the website, for example when contracting specific plans, in order to increase its visibility and accessibility.


CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Vivo got a full star, because it met five parameters fully and one partially.

Regarding parameter I, in the Sustainability Report (p. 21), the company states that it seeks to comply with legislation and regulatory frameworks at the national level. In its Privacy Center, in the “breach of confidentiality” section, it clarifies that in some situations, “such as in the case of court orders and requests from competent authorities”, there may be the sharing of connection records, voice and data without the knowledge of the user, “in accordance with the current legislation in Brazil”.

Sustainability Report (p. 21):

We seek to ensure compliance with legislation and regulatory frameworks at the international, national and regional levels, in order to anticipate trends and changes that influence our business in environmental issues, the supply chain and taxes.

On parameters II, III, IV and V, the 2018 Transparency in Communications Report defines which authorities are competent, under Brazilian legislation, to order interceptions and to request metadata. It therefore addresses the data, the conditions and the authorities to which the company grants access.

Telefónica Group Transparency Report (2018):

It defines a common global internal procedure at the request of certain authorities in accordance with the legislation of each country and aims to guarantee the legality of these requirements and the fundamental rights of those interested in this type of procedure. The Principles that govern this process are Confidentiality, Completeness, Statement of Grounds, Diligent Response and Safety. Our commitment is to ensure the participation in the process of legal areas or similar areas with legal competence in the reception of petitions. We have fixed interlocutors as a one-stop shop in our relationship with the competent authorities, so we reject any request that does not come through this regulatory channel.

LEGAL INTERCEPTION (p. 14)

Competent authorities: According to article 3 of the Brazilian Federal Law No. 9.296/1996 (law on interceptions), only the judge (from the criminal sphere) may determine interceptions (telephone and telematic), at the request of the Public Prosecutor’s Office (Ministério Público) or Police Commissioner (“Autoridade Policial”).

Legal Context: Constitution of the Federal Republic of Brazil: Art. 5; Law No. 9.296, of July 24, 1996; Resolution No. 426 of December 9, 2005; Regulation of Fixed Telephony Service – STFC. STF; Resolution No. 614 of 28 May 2013; Multimedia Communication Service Regulations.

ACCESS TO METADATA (p. 15)

Competent authorities:

Public Prosecutor’s Office, Police Commissioners and Judges of any jurisdiction, as well as Presidents of Parliamentary Investigation Commissions: the name and address of the registered user (subscriber data), as well as the identity of the communication equipment (including IMSI or IMEI).

Judges of any jurisdiction: data to identify the origin and destination of a communication (e.g. telephone numbers, user names for Internet services), the date, time and duration of a communication and the location of the device.

Legal context: Constitution of the Federal Republic of Brazil: Art. 5; Law No. 9.296 of 24 July 1996; Law No. 9.472 of 16 July 1997, Art. 3; Law No. 12,683 of 9 July 2012, Art. 17-B; Law No. 12,830 of 20 June 2013, Art. 2; Law No. 12,850 of 20 August 2013, Section 15; Law No. 12,965 of 23 April 2014, Arts. 7, 10 and 19; Decree No. 8,771 of 11 May 2016, Art. 11; Resolution No. 426 of 9 December 2005 / Regulation of Fixed Telephony Service – STFC, Arts. 11, 22, 23 and 24; Resolution No. 477 of 7 August 2007 / Personal Mobile Service Regulations – SMP, Arts. 6, 10, 12, 13, 89 and 90; Resolution No. 614 of 28 May 2013 / Multimedia Communication Service Regulations, Arts. 52 and 53.

This means that Vivo delivers registration data upon request from representatives of the Public Prosecutor’s Office, police authorities and judges. Connection records and location data are only made available by court order.

Finally, regarding parameter VI, we have considered it partially met. On the one hand, the wording above is clear when defining that only judges will have access to data on the origin and destination of a communication, from which it can be inferred that such access will only be by court order. However, this section is not strictly limited to the terms of the Brazilian Internet Civil Rights Framework (i.e., it does not specify that only the date and time of the start and end of an Internet connection, its duration and the IP address used will be shared).

InternetLab praises Telefónica Global’s conduct in publicizing its interpretations of which authorities are competent to request user data and in what circumstances. However, we emphasize that there is a need to present such information in Portuguese so that the company can be scored without reservations, whether in contracts, in a Sustainability Report, or in other materials.


CATEGORY: Defense of users’ privacy in courts

Result:

Vivo mobile got half a star in this category, because it met parameter I.

As for parameter I, we conducted exploratory searches and located the filing of a motion for clarification (“embargos de declaração”) by Vivo within Public Civil Action No. 0005292-42.2003.4.03.6110, which questions, among other things, the delivery of logical port (“porta lógica”) data to police authorities. The parameter was therefore considered met. We point out that ACEL’s Direct Unconstitutionality Action (ADI) No. 5642 was already considered in the last edition of QDSD and has not advanced since our last report, and was therefore not taken into consideration.

As for parameter II, we conducted exploratory searches on the website of the Court of Justice of the State of São Paulo and could not find any results in which the company contested abusive requests from state authorities.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.


CATEGORY: Public pro-privacy positioning

Result: 

Vivo mobile didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869 of 2018 in the National Congress is an example of this opportunity.

After searches on official government websites, specialized and traditional press, and company press rooms, we did not find any material in this regard. We note, however, the following: During the LGPD proceedings, on June 26, 2018, the Senate Economic Affairs Committee held a public hearing on the bill of law. At this hearing, the “Declaration for the approval of the Data Protection Law”, signed by various entities and organizations, including the private sector, was presented. No Telecom operator signed the document, although Telefonica’s Director has affirmed in an event that the company would have done so.

Public statements by Enylson Camolesi, director of Telefónica:

“We support the law. The citizen must be in the centre.”

“For Camolesi, the worst scenario is to have a series of vetoes in the sanction of the law, because, in this case, one can have a legal framework that does not meet the desires of society. Since one has to make long-term investments, there is the need for a legal framework. We believe in transparency and that the central element must be the person.”

We emphasize that Telefónica’s contribution to the public consultation proposed by the Ministry of Science, Technology, Innovation and Communications on the regulation of 5G was analyzed for this report. However, since it only refers to the company’s internal practices, without defending any specific position within the scope of the consultation, it was considered that such participation was not sufficient for the parameters of this criterion to be met.


CATEGORY: Transparency report about data requests

Result:

Vivo got a full star, because it met both parameters.

For the third consecutive year, the Telefónica Group’s 2018 Transparency in Communications Report was published (document in Spanish), detailing the regulatory framework in each country in which the group operates, the number of data requests it received in each country between 2013 and 2017 and, especially in the case of Brazil, which authorities it considers competent.

In Brazil, in 2017, there were 437,770 interception requirements and 1,942,267 metadata access requirements (Transparency Report, 2018, p. 14 and 15). Thus, by including statistics and clarifying which authorities it considers competent according to the law, the company complied with the parameter.

InternetLab reinforces the importance of publishing such a document in Portuguese, so that the company is scored without reservations in the final report and continues to receive a full score in future editions of the project.

CATEGORY: User notification

Result: 

Vivo did not obtain a star, as there is no mention of the possibility of user notification in any of the analyzed documents.


ALGAR

CATEGORY: Information on data processing

Result:

Algar got an empty star, because it did not meet any parameters.

Algar’s available contracts offer almost no information about the data it collects. Only in the Broadband Service Agreement (“Contrato de Prestação de Serviço de Banda Larga”) and in the Acceptable Use Policy (“Política de Uso Aceitável”) can any references to privacy and data protection be found:

Broadband Service Agreement: 4.1. ALGAR TELECOM’s obligations are, besides the others set forth in this instrument, its annexes and in the legislation in force: c) To respect the CONTRACTOR’s communication inviolability and confidentiality.

Acceptable Use Policy:

4. User privacy. Algar Telecom respects the privacy of its clients and users, keeping the information collected under strict security and confidentiality standards. Any information given to Algar Telecom by users will be collected through ethical and legal means.

InternetLab considers this wording to be too general and in need of improvement. For example, we would recommend including information about what data is collected and in what form, for which purposes, with which third parties and for what purposes it will be shared, what are the consumers’ rights over their data and how to exercise them, etc.

Finally, we could not locate any environments in Algar’s website, either in the main page, or in the pages for contracting specific services, presenting any information about privacy or data protection in an accessible way. Thus, parameter VII was not considered met.

Nevertheless, we praise the ease of access to contracts on the company’s website, which are visible in the services (“atendimento”) menu. The easy access to this information, however, was not enough in this edition of the report for parameter VII to be considered met.


CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Algar got ¼ of a star, because it met only one parameter.

In section 4.1. of the Broadband Service Agreement, the company undertakes to respect the obligations arising from the legislation in force and the contractor’s communication inviolability and confidentiality.

This wording does not clarify to the user, however, how their registration data, location data and connection records are treated. In this regard, it is important that the company clearly informs that connection records can only be delivered by judicial order, according to the Brazilian Internet Civil Rights Framework. Regarding registration data, this same law authorizes that it be requested without judicial order by competent administrative authorities, in the cases provided for by law. Currently, however, given the controversy over which are such “competent administrative authorities”, it is essential that the company be transparent about its practices and interpretations with respect to requests for breach of confidentiality, as well as about its understanding of what it considers connection records. Also, with regard to location data, the company should provide clear information on the circumstances in which, and the authorities to whom, it grants access.

As we have warned since the first edition, our intention is to take into consideration the specification of these differences, rewarding companies that promise to protect data according to the nuances existing in law, publicizing their procedures and interpretations. Given the omission, the other parameters were not considered met.


CATEGORY: Defense of users’ privacy in courts

Result:

Algar got an empty star, because it did not meet any parameters.

As for parameter I, in Google searches, searches in the specialized media (telesintese, teletime, sinditelebrasil) and on the Federal Supreme Court’s website, no new lawsuits could be located that have as their object laws or policies that affect the privacy and secrecy of communications. ACEL’s Direct Unconstitutionality Action (ADI) No. 5642 was already considered in the last edition of the QDSD and has not recorded any advances. The parameter has therefore not been met.

As for parameter II, we conducted exploratory searches on the website of the Court of Justice of the State of São Paulo, in order to identify lawsuits in which Algar defended users or contested abusive requests. No lawsuits that met the search criteria were identified.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.


CATEGORY: Public pro-privacy positioning

Result:

Algar didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After searches in official government websites, specialized and traditional press and companies’ press rooms, we found no material in this regard, which led to the assessment that the parameters were not met.


CATEGORY: Transparency report about data requests

Result:

Algar got an empty star, because it didn’t meet the parameters.

Algar publishes a Sustainability Report about its activities in Brazil. However, the report does not contain any information relating to received and accepted data requests.


CATEGORY: User notification

Result:

Algar did not obtain a star, because there is no mention of notifying the user in any of the analyzed documents.


NEXTEL

CATEGORY: Information on data processing

Result:

Nextel got an empty star, because it met only parameter V.

Nextel’s service agreement offers almost no information about the data it collects. Only regarding parameter V does the company provide any information, in which it outlines some possibilities of data access by third parties and the purposes of this sharing.

CONTRACT FOR THE PROVISION OF PERSONAL MOBILE INTERNET SERVICE: 7.1. In addition to the rights provided for in other sections of this instrument and in the governance standard, the Subscriber may: a. Access the information relating to the Subscriber her/himself and included in NEXTEL’s registers, including the Access Code, which is kept confidential and can only be provided in the following cases: (i) to the Subscriber or attorney-in-fact with specific powers to access such information; (ii) for purposes of disclosure in lists of subscribers in printed or digital media, directory assistance services and similar, provided that the Subscriber has authorized the disclosure of his name and Code of Access; (iii) to specialized agencies or databases in view of the breach of contractual obligations; (iv) as a result of administrative or judicial determination.

It is also important to point out that, under the “privacy policy” available at the company’s electronic address, it is possible to find provisions that relate to privacy, but only in the context of the website usage. Therefore, the parameters that make up this category have not been considered met.

Our Privacy Policy was created to reaffirm NEXTEL’s commitment to the security and privacy of information collected from users from their products and services and related to the public pages of the website www.nextel.com.br. Thus, we have developed a Privacy Policy that sets out how we obtain, use, disclose, transfer and store your information. Please check our privacy practices and let us know if you have any questions. (…)

The use of the website presupposes the acceptance of this Privacy Policy. In case the CLIENT disagrees with the conditions of this document, it is enough not to access or use the services available in the website, in which case there would be no obligation of NEXTEL in relation to the user’s information.

As regards parameter VI, although section 7.1. of the contract, transcribed above, mentions the possibility of access to the data by the subscriber himself, this wording was considered by InternetLab to be too broad and general. This is because the section does not specifically mention the rights of consumers over their data under existing legislation (such as rectification and erasure), nor does it provide specific means for the exercise of such rights. Therefore, the parameter was not considered met.

Finally, we could not locate any environments in Nextel’s website, either in the main page, or in the pages for contracting specific services, presenting any information about privacy or data protection in an accessible way. Thus, parameter VII was not considered met.

In addition, we further note that there is significant difficulty in finding the service contract on the website, since there is no link to the regulations and contracts on the page with information about the plans. It is necessary to access the FAQ and use the website’s search engine or external search engines to find them.


CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Nextel got an empty star, because it only partially met parameter II, by stating, in its contract, that the data may be made available to third parties due to administrative or judicial determination. However, it does not ensure compliance with the legislation or make any distinction as to which data may be made available, to which authorities or in what circumstances.

CONTRACT FOR THE PROVISION OF PERSONAL MOBILE INTERNET SERVICE:

7.1. In addition to the rights provided for in other sections of this instrument and in the governance standard, the Subscriber may:

a. Access the information relating to the Subscriber her/himself and included in NEXTEL’s registers, including the Access Code, which is kept confidential and can only be provided in the following cases:

(i) to the Subscriber or attorney-in-fact with specific powers to access such information;

(ii) to specialized agencies or databases in view of the breach of contractual obligations;

(iii) as a result of administrative or judicial determination.


CATEGORY: Defense of users’ privacy in courts

Result:

Nextel got an empty star, because it didn’t meet the parameters.

As for parameter I, in Google searches, searches in the specialized media (telesintese, teletime, sinditelebrasil) and on the Federal Supreme Court’s website, no new lawsuits could be located that have as their object laws or policies that affect the privacy and secrecy of communications. Therefore, parameter I was not considered met.

As for parameter II, we conducted exploratory searches on the website of the Court of Justice of the State of São Paulo and were unable to identify lawsuits in which Nextel defended users or contested abusive requests.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.


CATEGORY: Public pro-privacy positioning

Result:

Nextel didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After we conducted searches in official government websites, specialized and traditional media and companies’ press rooms, we couldn’t find any material in this regard, which led to the assessment that the parameters were not met.


CATEGORY: Transparency report about data requests

Result:

Nextel got an empty star, because it didn’t meet the parameters.

We conducted searches in the company’s website and couldn’t find any documents containing the referred information.


CATEGORY: User notification

Result:

Nextel did not obtain a star, considering that user notification is not mentioned in any of the analyzed documents.


SKY

CATEGORY: Information on data processing

Result:

Sky got half a star because it only met parameters I, II and V.

In its “General Terms and Conditions of Subscription” contract, the company establishes in section 7 that the client is obligated to share certain data, specifying what these are and when they are collected. In addition, sections 19.1 to 19.3 of this contract and sections 15.1 to 15.3 of the General Conditions for the provision of the communications service provide general guidelines regarding the use of such data, so that parameter I has been considered met.

General Subscription Conditions: 7. Client’s obligations: send a copy of personal identification documents, such as ID, taxpayer number (CPF), proof of address, documents regarding ownership of bank account and credit card, among others, at the time of contracting and whenever requested by Sky.

19.1 Identification data provided by the Client (such as name, address, ID and taxpayer number (CPF), telephone numbers and e-mail addresses) and data related to the provision of the services such as history of products used or purchased, amounts spent by the Client, number of televisions and their buying/consumption habits will be collected.

19.2 It is hereby agreed by the PARTIES that the collection and use of data mentioned above will occur solely and exclusively to provide the CLIENT with the best experience of SKY services.

19.3. the data referred to in section 19.1 above shall only be transferred to SKY’s partner and/or supplier companies, observing that these companies sign confidentiality agreements with SKY, in which they undertake not to share the data collected from SKY customers with third parties.

Regarding parameter II, the same above-mentioned sections establish that “the collection and use of data mentioned above [serves only] to provide the CLIENT with the best experience”. SKY online Users Terms and Conditions further establishes in section 9.1.1 the purposes of registration and maintenance of personal data in this service. The Privacy Policy and the General Conditions of subscription for SKY corporate clients also establish guidelines on the purposes of use of the data, so that the parameter was considered met.

Users Terms and conditions – SKY online: 9.1.1. The registration and preservation of Personal Data aims to establish the contractual link, the management, administration, provision, expansion and improvement of services, contents and facilities to the USER, as well to send technical, operational and commercial information related to the contracted SKY ONLINE.

General subscription conditions for SKY corporate customers: 17.4. The CLIENT cedes their registration data free of charge to SKY and companies belonging to its economic group, to be used in material intended for advertising and registering of CLIENTS, subject to the confidentiality guaranteed by law.

17.5 SKY respects the privacy of the personal data provided by the CLIENTS, using them only for the purposes of this Agreement, under the terms of current legislation. The CLIENT hereby authorizes the sharing of such data to SKY’s service provider partners, who work with SKY or on behalf of SKY and are submitted to confidentiality agreements.

Regarding parameter III, the company does not provide clear legal information or references regarding archiving, storage and deletion of data, neither for how long and where they are stored, or on when and if they are deleted. Therefore, the item was not considered met.

As for parameter IV, although the Privacy Policy states that “no matter how secure our system is, no security system is completely impenetrable”, we were unable to find any specific information on which security practices the company adopts regarding data storage, whether there is a data anonymization policy or, specifically, who has access to the data. The parameter was therefore not considered met.

Regarding parameter V, that is, regarding transparency related to communication, transfer, transmission, distribution or dissemination of data to third parties, it was considered that it was met. This is because sections 19.3 and 17.5 of the contracts transcribed above make specific mention to the sharing of data with third parties, pointing to the imposition of limits through confidentiality terms and contractually expressed purposes.

We point out, however, that Section 9.2.1. of the SKY online Users Terms and Conditions broadly establishes the possibility of sending clients data, that compose the company’s user’s database, to partner companies, which reveals an overly generic wording and with little protective value to the client. We would recommend, as a good practice, that the possibilities and purposes of data sharing are also specifically established in this document.

Users Terms and conditions – SKY online: 9.2.1. The USER cedes his Personal Data free of charge to SKY and companies belonging to its economic group, which will be used to send information and emails about SKY or its partner companies and to compose the company’s users database, in accordance to the confidentiality guaranteed by law,

Regarding parameter VI, we also considered that it has not been complied with, since none of the documents analyzed refers to the rights of clients over their data, nor do they offer mechanisms for contacting Sky in order to exercise these rights.

Finally, we couldn’t find any environments on Sky’s website, either on the main page, or in the pages for contracting specific services, presenting any information about privacy or data protection in an accessible way. Even if such an environment exists on AT&T’s website, the information contained therein is very restricted and in English, and is not easily available to Brazilian clients. In view of this, parameter VII was not considered met.

Anyway, we praise the ease of access to contracts on the company’s website. They are available, along with the privacy policy, at the bottom of the home page (“general contracts” and “prepaid contracts”). Thus, customers should not have too many difficulties to find this type of information. The easy access to this information, however, was not enough, in this edition of the report, to consider parameter VII to be met.


CATEGORY: Information on the conditions of delivery of data to State agents

Result:

Sky obtained ¼ of a star because it fully met parameter I and partially met parameter II, totaling 1.5 parameters.

In AT&T’s 2018 Transparency Report, the company promises to “protect your privacy in compliance with applicable laws”. Furthermore, in SKY online Users Terms and Conditions, the company promises that the request for data by a public authority must be “duly substantiated”. At other times, it also promises to follow current legislation to protect the privacy of its users, as stated in section 17.5, transcribed in item 1 above. As a result, parameter I was considered met.

Transparency Report: At AT&T, we take responsibility for protecting your information and privacy very seriously. We employ our best efforts and commitment to protect your privacy in compliance with applicable laws.

Users Terms and conditions – SKY online: 9.3. If there is a formal request, by any Public Authority, duly substantiated, the USER expressly authorizes SKY to forward the requested registration data, regardless of prior notification to the USER.

In the same above-mentioned sections, the company also promises to deliver the data to authorities only upon a duly substantiated request. However, the text makes reference to “any public authority”, without differentiating which of them it considers to be competent, nor which could make such a request. As a result, parameter II was considered partially met, while parameters III and IV, for the same reasons, were not considered met.

The company does not clarify to users that registration data and connection records are subject to different legal treatment, nor does it specify its understanding as to what constitutes connection records, thus not meeting parameters V and VI. In this regard, it is important that the company clearly informs that connection records can only be delivered by judicial order, according to the Brazilian Internet Civil Rights Framework. Regarding registration data, this same law authorizes that they be requested without judicial order by competent administrative authorities. Currently, however, given the controversy over which are such “competent administrative authorities”, it is essential that the company be transparent about which interpretations of the law it applies when receiving requests for breach of confidentiality. Such clarity should also include provisions about location data.

As we have warned since the first edition, our intention is to take into consideration the specification of these differences, rewarding companies that promise to protect the data, according to the nuances existing in law, publicizing their procedures and interpretations. Therefore, it is important that Sky informs customers more clearly regarding what types of data it delivers and under which circumstances.


CATEGORY: Defense of users’ privacy in courts

Result:

Sky got an empty star because it didn’t meet any parameters.

As for parameter I, in Google searches, searches in the specialized media (telesintese, teletime, sinditelebrasil) and on the Federal Supreme Court’s website, no new lawsuits could be located that have as their object laws or policies that affect the privacy and secrecy of communications. Therefore, parameter I was not considered met.

As for parameter II, we conducted exploratory searches on the website of the Court of Justice of the State of São Paulo and were unable to identify lawsuits in which Nextel defended users or contested abusive requests.

We point out that in next year’s edition of the report, the parameters of this third criterion will be tightened. Specifically, only the filing by companies of voluntary pleadings – i.e., which the company might not have produced, such as initial petitions and appeals – within the analyzed period will be considered for full compliance with the parameters.


CATEGORY: Public pro-privacy positioning

Result:

Sky didn’t get a star in this category.

On some occasions throughout the year, Internet service providers have had the opportunity to speak out on public policies and bills that affect users’ privacy. The processing of Provisional Measure No. 869, of 2018 in the National Congress is an example of this opportunity.

After we conducted searches in official government websites, specialized and traditional media and companies’ press rooms, we couldn’t find any material in this regard, which led to the assessment that the parameters were not met.


CATEGORY: Transparency report about data requests

Result:

Sky got half a star because it met parameter I.

We were able to find the publication of the 2018 AT&T Transparency Report, in which there is some detail on the number of data requirements they received in each country where the group operates in 2017.

These requests are regarding historical information/registration data of subscribers and operating businesses, as well as requests for URL/IP blocking by government entities. In Brazil, the following requests were made: Historical information: subscriber’s registration data: 234 requests (1st semester 2017) / 339 (2nd semester 2017). IP/URL blocking: 2 requests (1st semester 2017) and 1 (2nd semester 2017).

Thus, parameter I was considered met. However, because there is no more detailed information in the report, for example on how many requests were granted and which authorities are thus considered competent, parameter II was not considered met.


CATEGORY: User notification

Result:

Sky has not obtained a star, as it specifically states in section 9.3. of the SKY online Users Terms and Conditions that it will provide data to public authorities upon justified request, regardless of notification to users.

FAQ

How does InternetLab finance its activities?

InternetLab is a non-profit organization. We do not act as a consulting or law firm and only provide services if they are in tune with our objectives, which are mainly related to research in the area of law and technology, especially on subjects concerned with the impact of public policies. The financing of our activities comes from foundations, non-profit organizations, companies and individuals. In all these cases we have two conditions for accepting contributions: independence in the development and implementation of projects, and the freedom to express any kind of analysis and institutional stance.

In 2018, our funding came 58% from international foundations and third-sector organizations, 40% from companies, 1% from donations by national foundations and third-sector organizations, and 1% from donations by individuals.

How was the "QDSD" project financed?

The project was funded by donations from Ford Foundation.

Who worked on the “QDSD”?

The InternetLab team that worked on the 2019 edition of the QDSD was: Dennys Antonialli (director), Francisco Brito Cruz (director), Nathalie Fragoso (researcher and coordinator), Enrico Roberto (researcher), Maria Luciano (researcher), Heloisa Massaro (researcher), and Ana Luiza Araujo (translator).

At EFF, Veridiana Alimonti (Latin American Senior Policy Analyst), Katitza Rodríguez (International Rights Director) and Kurt Opsahl (Deputy Executive Director and General Counsel) worked on the project.

Communication for the project was coordinated by Murilo Roncolato (communication coordinator at InternetLab). The graphic design of the website is by Maria Claudia Levy, from GOMA Oficina; development and design by Sérgio and Bruno Berkenbrock, from MirrorLab.

Does the project end with the announcement of the results?

No. The evaluation is carried out annually. In each edition, we re-evaluate the methodology and submit the companies' practices to a new assessment, ensuring that it reflects the current regulatory framework and takes into account the good practices available to companies.

Recommendations for the next edition

InternetLab invites companies to draft privacy policies that inform users how their personal data and connection logs are processed, as required by the Marco Civil da Internet (Brazilian Civil Rights Framework for the Internet), and how the companies handle court orders and requests from administrative authorities. Companies are also encouraged to use the "press rooms" on their websites to list their actions in defense of privacy and data protection in the judiciary and in public debates. Finally, InternetLab encourages companies to publish transparency reports and to adopt user notification practices.
