Spanish Internet Service Providers (ISPs) continue to fall short of robust transparency about their data protection and user privacy practices, with many failing to meet criteria  that directly builds on Spanish and EU data protection regulations.

While highlighting that internet companies in Spain need to step up their user privacy game, Eticas Foundation’s third edition of ¿Quien Defiende Tus Datos? (Who Defends Your Data?) Spain showed that Movistar (Telefónica) maintained a leadership position among companies evaluated, with a total of 18 out of 21 points. The ISP scored well in all evaluated criteria except for user notification. On the other hand, Habitaclia received the lowest score, with just 5.5 points.

All of Spain’s ISPs received credits in the privacy policy category, which covers crucial information companies should provide users about their data processing practices. ISPs made significant strides in this category in Eticas’ last report. Yet, this year's edition shows companies have lost traction, improving in some parameters but losing credit for others. The balance between advances and gaps of Spain’s Internet companies shows there is still plenty of room for progress.

This year, Eticas checked public policies and documents of 15 Internet companies that handle user data in their day-to-day activities, including telecom providers, home sales and rental sites, and apps for selling second-hand goods. Eticas added three new companies to the report: the telecom provider Digi Spain Telecom, the second-hand goods app Vinted, and the startup Trovit.es, which offers deals for selling or renting homes, cars, and other products. Telecom provider Euskatel is no longer in the ranking after its acquisition by MásMóvil.

This year’s study has also introduced new criteria. To earn a full star, companies’ privacy policies must state why and through which channels they collect user data. Considering the context of the COVID-19 pandemic and policies to combat the spread of the virus that involve mass collection of user data, Eticas pushed companies to commit to only sharing anonymized and aggregate data for policy, rather than law enforcement, purposes. The new report introduced a special red star to indicate whether ISPs went public with any specific data protection measure related to the pandemic. 

Vodafone was the only service provider to receive credit for both COVID-related data collection categories. The ISP published a specific data protection policy regarding data-sharing for COVID-19 control actions. The policy includes important safeguards, such as only sharing aggregate and anonymized data and respecting principles of proportionality and purpose limitation. The policy’s disclosure about data security, however, only mentions that Vodafone has put “adequate and appropriate security measures” in place, without providing details. The company should include more detail on the type of measures taken and their efficacy in preserving data privacy and security.

The summary of results is below.

QDTD Spain Third Edition

Movistar, Som Conexió, Orange, and Vodafone were the only service providers  credited for parameters beyond their privacy policies. Movistar and Vodafone earned scores for disclosing information on the legal framework authorities must follow to request user data, and which competent authorities can request access to users’ communications content and metadata. Movistar, Orange, and Vodafone also received credit for carrying out initiatives promoting user privacy, like the Telecommunications Industry Dialogue and the Global Network Initiative. Disappointingly, Movistar remains the only company that publishes periodic transparency reports with statistical information about government data requests. And Orange, which stood out in previous editions for committing to notify users about data requests, lost this credit in the new edition.

When it comes to ISPs’ privacy policies, there are ups and downs. Almost half of the 15 companies evaluated did not provide information about profiling and automated decision-making, failing to comply with disclosure standards set forth in Spain’s data protection legislation (which incorporates GDPR obligations). They have also fallen short of other parameters that build on GDPR's transparency rules for user data processing. For example, almost one-third of featured companies did not disclose how long they store user data. Almost half of them failed to commit to notifying users about changes in their policies, disclosing information about international data transfers, and enabling users to consent or opt-out to such transfers. On the upside, all service providers share contact information for their officers in charge of compliance with data protection rules, and most of them let users know they can opt out of certain uses of their data.

Eticas’ report also highlights cases where the Spanish Data Protection Authority (AEPD) punished ISPs for mishandling user data. As the most notable example, the AEPD imposed a cumulative fine of EUR 8.5 million to Vodafone for several breaches of data protection and other regulations.

Companies must commit to robust data privacy policies, and be held accountable in their practices for protecting the data their customers have entrusted them with. This new report  shows Spanish Internet companies still need  to improve their public commitments to user privacy. 

Eticas’ study is part of a series of reports across Latin America and Spain holding ISPs accountable to their users, and pushing companies to adopt policies and practices that provide solid data privacy safeguards.