Derechos Digitales’ fourth ¿Quien Defiende Tus Datos? (Who Defends Your Data?) report on Chilean ISPs' data privacy practices launched today, showing that companies must keep improving their commitments to user rights if they want to hold their leading positions. Although Claro  (América Móvil) remains at the forefront as in 2019’s report, Movistar (Telefónica) and GTD have made progress in all the evaluated categories. WOM lost points and ended in a tie with Entel in the second position, while VTR lagged behind.

Over the last four years, certain transparency practices that once seemed unusual in Latin America have become increasingly more common. In Chile, they have even become a default. This year, all companies evaluated except for VTR received credit for adopting three important industry-accepted best practices: publishing law enforcement guidelines, which help provide a glimpse into the process and standard companies use for analyzing government requests for user data; disclosing personal data processing practices in contracts and policies; and releasing transparency reports.

Overall, the publishing of transparency reports has also become more common. These are critical for understanding a company’s practice of managing user data and its handling of government data requests. VTR is the only company that has not updated its transparency report recently—since May 2019. After the last edition, GTD published its first transparency report and law enforcement guidelines. Similarly, for the first time Movistar has released specific guidelines for authorities requesting access to user's data in Chile, and received credit for denying legally controversial government requests for user's data.

Most of the companies also have policies stating their right to provide user notification when there is no secrecy obligation in place or its term has expired. But as in the previous edition, earning a full star in this category requires more than that. Companies have to clearly set up a notification procedure or make concrete efforts to put them in place. Derechos Digitales also urged providers to engage in legislative discussions regarding Chile’s cybercrime bill, in favor of stronger safeguards for user notification. Claro has upheld the right to notification within the country's data protection law reform and has raised concerns against attempts to increase the data retention period for communications metadata in the cybercrime bill.    

Responding to concerns over government’s use of location data in the context of the COVID pandemic, the new report also sheds light on whether ISPs’ have made public commitments not to disclose user location data unless it is anonymized and aggregated, without a previous judicial order. While the pandemic has changed society in many ways, it has not reduced the need for privacy when it comes to sensitive personal data. Companies’ policies should also push back sensitive personal data requests that seek to target groups rather than individuals. In addition, the study aimed to spot which providers went public about their anonymized and aggregate location data-sharing agreements with private and public institutions. Movistar is the only company that has disclosed such agreements.

Together, the six researched companies account for 88.3% of fixed Internet users and 99.2% of mobile connections in Chile.

This year's report rates providers in five criteria overall: data protection policies, law enforcement guidelines, defending users in courts or Congress, transparency reports, and user notification. The full report is available in Spanish, and here we highlight the main findings.

Main results

Data Protection Policies and ARCO Rights

Compared to 2019’s edition, Movistar and GTD improved their marks on data protection policies. Companies should not only publish those policies, but commit to support user-centric data protection principles inspired by the bill reforming the data protection law, under discussion in Chilean Congress. GTD has overcome its poor score from 2019, and has earned a full star in this category this year. Movistar received a partial score for failing to commit to the complete set of principles. On the upside, the ISP has devised a specific page to inform users about their ARCO rights (access, rectification, cancellation, and opposition). The report highlights other positive remarks for WOM, Claro, and Entel for providing a specific point of contact for users to demand these rights. WOM went above and beyond, and has made it easier for users to unsubscribe from the provider’s targeted ads database. 

Transparency Reports and Law Enforcement Guidelines

Both transparency reports and law enforcement guidelines have become an industry norm among Chile’s main ISPs. All featured companies have published them, although VTR has failed to disclose an updated transparency report since the 2019 study. Amid many advances since last edition, GTD  disclosed its first transparency report referring to government data requests during 2019. The company earned a partial score in this category for not releasing new statistical data about 2020’s requests.

As for law enforcement guidelines, not all companies clearly state the need for a judicial order to hand over different kinds of communication metadata to authorities. Claro, Entel, and GTD have more explicit commitments in this sense. VTR requests a judicial order before carrying out interception measures or handing call records to authorities. However, the ISP does not mention this requirement for other metadata, such as IP addresses. Movistar’s guidelines are detailed about the types of user data that the government can ask for, but it refers to judicial authorization only when addressing the interception of communications.

Finally, WOM’s 2021 guidelines explicitly require a warrant before handing phone and tower traffic data, as well as geolocation data. As the report points out, in early 2020, WOM was featured in the news as the only ISP to comply with a direct and massive location data request made by prosecutors, which the company denied. We’ve written about this case as an example of worrisome reverse searches, targeting all users in a particular area instead of specific individuals. Directly related to this concern, this year’s report underscores Claro’s and Entel’s commitment to only comply with individualized personal data requests. 

Pushing for User Notification about Data Requests

Claro remains in the lead when it comes to user notification. Beyond stating in the company policy that it has a right to notify users when this is not prohibited by law (as the other companies do, except for Movistar) – Claro’s policies also describe the user notice procedure for data requests in civil, labor, and family judicial cases. Derechos Digitales points out the ISP has also explored with the Public Prosecutor’s Office ways to implement such notification with regard to criminal cases, once the secrecy obligation has expired. WOM’s transparency report mentions similar efforts, urging authorities to collaborate in providing information to ISPs about the status of investigations and legal cases, so they are aware when a secrecy obligation is no longer in effect. As the company says:

“Achieving advances in this area would allow the various stakeholders to continue to comply with their legal duties and at the same time make progress in terms of transparency and safeguarding users' rights.”

Having Users' Backs Before Disproportionate Data Requests and Legislative Proposals

Companies can also stand with their users by challenging disproportionate data requests or defending users’ privacy in Congress. WOM and Claro have specific sections on their websites listing some of their work on this front (see, respectively, tabs “protocolo de entrega de información a la autoridad” y “relación con la autoridad”). Such reports include Claro’s meetings with Chilean senators who take part in the commission discussing the cybercrime bill. The ISP reports having emphasized concerns about the expansion of the mandatory retention period for metadata, as well as suggesting that the reform of the country’s data protection law should explicitly authorize telecom operators to notify users about surveillance measures. 

Entel and Movistar have received equally high scores in this category. Entel, in particular, has kept its fight against a disproportionate request made by Chile's telecommunications regulator (Subtel) for subscriber data. In 2018, the regulator asked for personal information pertaining to the totality of Entel's customer base in order to share those with private research companies for carrying out satisfaction surveys. Other Chilean ISPs received the same request, but only Entel challenged the legal grounds of Subtel’s authority for such a demand. The case, which was first reported for this category in the last edition, had a new development in late 2019, when the Supreme Court confirmed the sanctions against Entel for not delivering the data, but reduced the company’s fine. Civil society groups Derechos Digitales, Fundación Datos Protegidos, and Fundación Abriendo Datos have recently released a statement stressing how Subtel's request conflicts with data protection principles, particularly purpose limitation, proportionality, and data security.

Movistar's credit in this category also relates to a Subtel request for subscriber data, this one in 2019. The ISP denied the demand, pointing out a legal tension between the agency’s oversight authority to request customer personal data without user consent and privacy safeguards provided by Chile’s Constitution and data protection law that set limits on personal data-sharing.

***

Since its first edition in 2017, Chile’s reports have shown solid and continuous progress, fostering ISP competition toward stronger standards and commitments in favor of users’ privacy and transparency. Derechos Digitales’ work is part of a series of reports across Latin America and Spain adapted from EFF’s Who Has Your Back? report, which for nearly a decade has evaluated the practices of major global tech companies.