It's Panama’s turn to take a closer look at the practices of its most prominent Internet Service Providers, and how their policies support their users’ privacy. IPANDETEC, the leading digital rights NGO in Panama, has launched its first "Who Defends Your Data" (¿Quién Defiende Tus Datos?) report. The survey shines a light on the privacy practices of the country's main ISPs: Claro (America Movil), Movistar (Telefonica), Digicel, and Más Móvil (a joint operation between Cable & Wireless Communications and the Panamanian State, which owns 49% of the shares).

This year, while all companies surveyed received a low score, Movistar (Telefonica) led the pack in protecting their customers, with Digicel right behind.

Movistar is the only company that published both a transparency report and law enforcement guidelines, but unfortunately, it did so only on its parent company’s site. Digicel is the only ISP to publish its privacy policy on its Panamanian website; Claro came close, but its policy was limited to the company’s website, not its wider privacy practices. Más Móvil and Movistar direct visitors to their parent company’s privacy policy.

Movistar and Claro, through their parent companies, both assured their users that they require judicial authorization before authorities can access consumer data. Más Móvil and Digicel do not.

Movistar and Claro were the only ISPs that proactively responded to IPANDETEC’s survey. Más Móvil and Digicel, on the other hand, did not respond when contacted. This is a missed opportunity. At their heart, ¿Quién Defiende Tus Datos? reports are a chance for civil society groups and ISPs to understand each other's work. The report will be published each year, and is planned to capture ISPs’ progress as they improve.

The final results of the study are below. For more information on each company and Panama’s ICT sector, you can find the full report in Spanish on IPANDETEC’s website.

Evaluation Criteria

  • Data Protection: Does the company post a document detailing its collection, use, disclosure, and management of personal customer data?   
    • The data protection policy is published on its website
    • The policy is written in clear and easily accessible language
    • The policy details what data is collected
    • The policy establishes the retention period for user data
  • Transparency: Does the company post an annual transparency report listing the number of government requests for customer data they’ve received, and how many were accepted and rejected?    
    • The company publishes a transparency report on its website
    • The report is written in clear and easily accessible language
    • The reports contain data related to the number and type of requests received, and how many were accepted
  • User Notification: Does the company promise to notify users when the government requests their data?    
    • The company states it will notify users when the government accesses their information as soon as the law allows
    • The company supports public policy that gives users the right to prior notification, allowing them to contest the government request 
  • Judicial Authorization: Does the company explicitly state it will only comply with authorities’ requests for user data if they have a warrant?
    • The company states in its policies that it requires a warrant before law enforcement can access the content of users' communications
    • The company rejects requests by law enforcement that violate legal requirements
  • Defense of Human Rights: Does the company publicly promote and defend the human rights of their users, specifically the privacy of their communications and protection of their personal data?
    • The company promotes user privacy and data security through campaigns or initiatives
    • The company supports legislation, impact litigation, or programs favoring user privacy and data security
    • The company participates in cross-sector agreements promoting Human Rights as a core tenet of their business
  • Digital Security: Are the company’s website and online payment service secure?
    • The company uses HTTPS on its website 
    • The company uses HTTPS when processing payments online
  • Law Enforcement Guidelines: Does the company outline the procedures, guidelines, and legal requirements that apply to law enforcement requests for customer data?
    • The company publishes guidelines for law enforcement data requests

Main Findings

 

Conclusions

While all four companies received relatively low scores, Movistar is comfortably in the lead in protecting their customers, with Digicel not far behind. 

We hope to see all four ISPs engage in a conversation with IPANDETEC to improve their privacy practices in preparation for next year’s report. 

This project is only one piece of a much larger initiative across Latin America and Spain. EFF’s Who Has Your Back? has held U.S. internet companies accountable for their privacy policies and processes. Now EFF’s partners around the world are doing the same.