Latin American and Spanish telecommunications companies have made important advances in their privacy policies and practices, but persistent gaps and worrying trends pose potential risks for internet and mobile phone users, according to a new consolidated report published today by EFF. The report is based on the analyses and assessment of industry practices by EFF partners over the last eight years to shed light on telecom and Internet service providers’ (ISPs) commitments to users’ privacy, in an initiative based on EFF’s Who Has Your Back project.

Through periodic reports within the ¿Quién defiende tus datos? project, key digital rights groups in Colombia (Fundación Karisma), Perú (Hiperderecho), México (R3D), Brazil, (InternetLab), Chile (Derechos Digitales), Paraguay (TEDIC), Argentina (ADC), Spain (Eticas), and Panamá and Nicaragua (IPANDETEC), have been rating ISPs and holding them to account vis-à-vis privacy best practices and international human rights standards. Evaluating companies’ public statements, policies, service contracts, transparency reports, law enforcement guidelines, and judicial or administrative challenges to government demands for user data, each national edition assesses whether and how ISPs defend users’ privacy and protect their data.

The cover of the report PDF

The report we are releasing today provides an overview and comparative analysis of this series of editions. It highlights achievements and gaps throughout editions’ shared criteria, looking at companies’ data protection and digital security policies, how transparent ISPs are about government data demands, whether they notify users about data requests, and whether they require a previous judicial order to hand user data to authorities. It compares the performance of regional and global companies, like Telefónica and América Móvil, in countries the project covers. The imbalances this comparison reveals is a mix of gaps in companies’ commitments and in national law, which  mirrors how weak or strong privacy safeguards are in countries’ legal frameworks. Moreover, the report describes how our partners’ studies revealed privacy issues during the COVID-19 pandemic, particularly the rise of data-sharing agreements with governments related to policies aimed at curbing the spread of the virus.  

The new report analyzes the findings in light of international human rights standards for  communications surveillance and evolving data protection frameworks in Latin America and Spain. It points out progress over time, but also underlines ISPs’ shortcomings, deficiencies in national legislation, and worrying emerging trends. Among those trends, we highlight government mandates to retrieve user data and communications through direct access to telecom networks, law enforcement wholesale and indiscriminate requests for user data, and the increasing use of mandatory facial recognition and biometric data collection to activate telecom services.

Based on these analyses and conclusions, the report makes recommendations for companies and States to tackle both enduring and novel challenges in Latin America and Spain in the face of warrantless surveillance and weak safeguards for privacy and data protection.

We invite you to read our new report, follow our partners editions, and demand robust data privacy from your ISP and strong legal safeguards from your legislatures. ¿Quién defiende tus datos? editions have been paving the way for users and we hope this comparative look puts a spotlight on the flaws companies need to fix and improvements they must maintain along the way.