Four years have passed since our partners first published Who Defends Your Data (¿Quién Defiende Tus Datos?), a report that holds ISPs accountable for their privacy policies and processes in eight Latin America countries and Spain. Since then, we’ve seen major technology companies providing more transparency about how and when they divulge their users’ data to the government. This shift has been fueled in large part by public attention in local media. The project started in 2015 in Colombia, Mexico, and Peru, joined by Brazil in 2016, Chile and Paraguay in 2017, Argentina and Spain in 2018, and Panama this year.
When we started in 2015, none of the ISPs in the three countries surveyed had published transparency reports or any aggregate data about the number of data requests they received from governments. By 2019, the larger global companies with a regional presence in the nine countries surveyed are now doing this. This is a big victory for transparency, accountability, and users’ rights.
Telefónica (Movistar/Vivo), a global company with a local presence in Spain and in 15 countries in Latin America, has been leading the way in the region, closely followed by Millicom (Tigo) with offices in seven countries in South and Central America. Far behind is Claro (America Movil) with offices in 16 countries in the region. Surprisingly, in one country, Chile, the small ISP WOM! has also stood out for its excellent transparency reporting.
Telefonica publishes transparency reports in each of the countries we surveyed, while Millicom (Tigo) publishes transparency reports with data aggregated per specific region. In South America, Millicom (Tigo) publishes aggregate data for Bolivia, Colombia, and Paraguay. In 2018, Millicom (Tigo) also published a comprehensive Transparency report for Colombia only. While Claro (America Movil) operates in 16 countries in the region, it has only published a transparency report in one of the countries we surveyed, Chile. Chilean ISPs such as WOM!, VTR, and Entel have all also published their own transparency reports. In Brazil, however, Telefónica (Vivo) is the only Brazilian company that has published a transparency report.
All of the reports still have plenty of room for improvement. The level of information disclosed varies significantly company-by-company, and even country-by-country. Telefónica usually discloses a separate aggregate number for different types of government requests—such as wiretapping, metadata, service suspension, content blocking and filtering—in their transparency report. But for Argentina, Telefónica only provides a single aggregate figure that covers every kind of request. And in Brazil, for example, Telefónica Brazil has not published the number of government requests it accepts or rejects, although it has published that information in other countries.
Companies have also adopted other voluntary standards in the region, like publishing their law enforcement guidelines for government data demands. For example, Telefónica provides an overview of the company's global procedure when dealing with government data requests. But four other companies, who operate in Chile, publish more precise guidelines adapted only to that country's legal frameworks including the small ISP WOM! and Entel, the largest national telecom company.
A Breakdown by Country
Colombia and Paraguay
In 2015, the ¿Quién Defiende Tus Datos? project showed that keeping the pressure on—and having an open dialogue with—companies pay off. In Colombia, Fundación Karisma's 2015 report investigated five local ISPs and found that none published transparency reports on government blocking requests or data demands. By 2018, five of seven companies had published annual transparency reports on data requests, with four providing information on government blocking requests.
Millicom’s Transparency Report stood out by clarifying the rules for government access to data in Colombia and Paraguay. Both countries have adopted draconian laws that compel Internet Service Providers to grant direct access to their mobile network to authorities. In Colombia, the law establishes hefty fines if ISPs monitor interception taking place in their systems. This is why tech companies claim they do not possess information about how often and for what periods communications interception is carried out in their mobile networks. In this scenario, transparency reports become irrelevant. Conversely, in Paraguay, ISPs can view the judicial order requesting the interception, and the telecom company is aware when interception occurs in their system, and could potentially publish aggregate data about the number of data requests.
Brazil and Chile
InternetLab’s report shows progress in companies’ commitment to judicially challenge abusive law enforcement data requests or fight back against legislation that harms users’ privacy. In 2016, four of six companies took this kind of action. For example, the mobile companies featured in the research are part of an association that challenged before the Brazilian Supreme Court a law that allows law enforcement agents to access users' data without a warrant in case of human trafficking (Law 13.344/2016). The case is still open. Claro has also judicially challenged a direct request by the policy to access subscriber data. This number remained high in 2018 when five out of eight ISPs fought against unconstitutional laws, two of which also challenged disproportionate measures.
In contrast, ISPs in Chile have been hesitant to challenge illegal and excessive requests. Derechos Digitales' 2019 report indicates that many ISPs are still failing to confront such requests in the courts on behalf of their users—except one. Entel got top marks because it was the only ISP to refuse the government requests for an individual’s data, out of the several ISPs contacted for the same information.
Chilean ISPs WOM!, VTR, Claro, and Entel also make clear in their law enforcement guidelines the need for a prior judicial order before handing content and metadata over to authorities. In Derechos Digitales' 2019 report, these companies published law enforcement guidelines out of the six featured in the research. None of these companies took these steps in 2017, the project's first year of operation in Chile.
An even more significant achievement can be seen in user notification. ISPs in the region have always been reluctant to lay out a proper procedure for alerting users of government data requests, which was reflected in Chile's 2017 report. In the latest edition, however, WOM!, VTR, and Claro in Chile explicitly commit to user notification in their policies.
In Peru, three of five companies didn't publish privacy policies in 2015. By 2019 only one failed to provide details on the collection, use, and processing of their users’ personal data. Hiperderecho's 2019 report also shows progress in companies' commitment to demand judicial orders to hand over users' data. Bitel and Claro explicitly demand warrants when the request is for content. Telefónica (Movistar) stands out by requiring a warrant for both content and metadata. In 2015, only Movistar demanded a warrant for the content of the communication.
The Way Forward
Despite the progress seen in Brazil, Colombia, Chile, and Peru, there’s still a lot to be done in those countries. We also need to wait for upcoming evaluations for Argentina, Panama, Paraguay, and Spain, which were only recently included in the project. But overall, too many telecom companies—whether large or small, global or local—still don't publish law enforcement guidelines or have not established proper procedures and legal obligations. Those guidelines should be based upon the national legal framework and the countries’ international human rights commitments for the government to obtain users' information.
Companies in the region equally fall short on committing to request a judicial order before handing over metadata to authorities. Finally, ISPs in the region are still wary of notifying users when governments make requests for user information. This is crucial for ensuring users’ ability to challenge the request and to seek remedies when it’s unlawful or disproportionate. The same fear keeps many ISPs from publicly defending their users in court and in Congress.
For more information, see https://www.eff.org/qdtd and the relevant media coverage about our partners’ reports in Colombia, Paraguay, Brazil, Peru, Argentina, Spain, Chile, Mexico, and Panama.