Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quién Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day. This year's results are more encouraging than those in 2015's report, with Telefónica's Movistar making significant improvement in its privacy policy, responses to judicial orders, and commitment to privacy. Five out of the six ISPs now publish specific, detailed policies on how they collect and process personal data. However, the report also revealed that there is plenty of room for improvement, especially when it comes to user notification and Peruvian ISPs' public commitment to privacy.

Internet access has grown significantly in Peru in recent years, particularly through mobile networks. Movistar (Telefónica) and Claro (América Móvil) are the main players, making up 70% of the Internet market. For landline connections, these two ISPs connect more than 90% of users in Peru; Movistar alone has 74.4% of them. The report also evaluated four other telecom operators: Bitel, Entel, Olo, and Inkacel. Every day, these users provide these companies with specific information about their movements, routines, and relations - a treasure trove of data for government authorities, who can use unnecessary and disproportionate measures to access it. This constant threat from State authorities demands public awareness and oversight.

That’s why this new Peru report aims to push companies to counter surveillance measures that are conducted without proper safeguards, and to be transparent about their policies and practices.

This year’s report, available in Spanish, evaluated each ISP on five categories:

Privacy Policy:

To earn a star in this category, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and for what purposes. Partial compliance got a partially filled star.

Judicial Order:

Companies earned a star in this category if they require that the government obtain a warrant from a judge before handing over user data (either content or metadata). Compliance with this requirement for the content of communications, but not for metadata, earned a company a half star.

User Notification:

To earn a star in this category, companies must promise to inform their customers of a government request at the earliest moment permitted by the law.

Transparency:

This category looked for companies publishing transparency reports about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied with, and include details about the type of requests, the government agencies that made the requests, the reasons provided by the authority, and describe the guidelines and procedures the company adopts when an authority requests the data. We demanded high standards, but partial compliance gained companies part of a star.

Commitment to privacy:

This star recognizes companies that have challenged inaccurate or disproportionate requests for access to data. It also rewards companies that have publicly taken a position in favor of their users’ privacy before Congress and other regulatory bodies. Partial compliance is rewarded with a half star.

The chart below ranks the six Peruvian telecommunications companies:

This latest report awards more stars than the first edition, which was published in 2015. Now, five out of the six ISPs have published their policies with specific information about the collection and processing of personal data. However, Claro and Entel provide this information using highly technical language, which reduced their score. In order to earn a full star, the information provided must be easily understandable, otherwise it is just a formal measure, with little to no effect in empowering users to fight for their rights. Still, all companies detail how long and for which purposes users’ data is stored. Even Olo, which doesn’t publish a privacy policy, added this information to its regular service provision agreement.

We also saw progress in the companies’ commitment to demanding a judicial order before handing over data to government authorities. Bitel and Claro were given a half star for explicitly demanding a warrant when the request was for the content of communications. Movistar received a full star for adhering to this commitment for users’ content and metadata. In 2015, only Movistar received any credit in this category, with a half star.

Movistar also stands out in the transparency category. The company’s annual transparency report outlines how many requests it has received and complied with, what types of requests it received, as well as the guidelines and procedures the company follows when an authority requests data. Being transparent about the law enforcement guidelines companies follow is crucial to shedding light on how companies deal internally with government requests for data. This information allows users to understand how companies interpret and apply the legal requirements and whether their procedures follow national and international safeguards. Although Bitel and Claro publish the instances in which they hand user data over to government authorities, they did not go as deeply into detail as Movistar does.

There is still much work to be done. No company earned a star for a public commitment to speak up for their users’ privacy, either in the courts or in legislative and regulatory bodies. Similarly, none of the six companies commit to notify their customers of a government request at the earliest moment allowed by the law. Peru’s new Criminal Procedure Code states that once a judicial measure has been executed and immediate investigations have been carried out, the affected user must be informed of it whenever the object of the investigation permits the notification, and as long as it does not endanger life or the physical safety of third parties. In turn, no restriction on notice is provided by the controversial Legislative Decree 1182, which regulates the direct access by police authorities to location data.

Hiperderecho stressed in the report: “Even if the legal obligation is of the judicial authority’s responsibility, there is much more that companies could do in this context. They can keep a record of the interventions made, promote notification to users after the measure expires or make simultaneous notifications with the authorities (…) in a way that users can enforce their right to go to the courts to request reexamination of the measure or to challenge the decisions issued.” Such proactive measures are particularly important because the law only gives users three business days to challenge these measures.

Hiperderecho's report shows that telecommunications companies are making progress when it comes to complying with the law, but they’re not doing as well as they could. Yet the ¿Quién Defiende Tus Datos? reports, much like EFF’s Who Has Your Back? project, are not only about fulfilling established legal rules. Their aim is to push companies to go beyond the requirements of the law. Peru’s companies must do more, and we’ll remain vigilant to ensure that happens.

The report is part of a series across Latin America and Spain adapted from EFF’s Who Has Your Back? reports. Last year, Spain’s ETICAS Foundation, Argentina’s ADC, Chile’s Derechos Digitales, Brazil’s Internet Lab, and Colombia’s Karisma Foundation published their own reports.