Brazil’s biggest internet connection providers made moderate advances in protecting customer data and being transparent about their privacy practices, but fell short on meeting certain requirements for upholding users’ rights under Brazil's  data protection law, according to InternetLab’s 2022 Quem Defende Seus Dados? (Who Defends Your Data?) report.

In this seventh annual assessment of Brazil’s providers, InternetLab evaluated six companies, and looked at both their broadband and mobile services. Operators assessed include Oi fixed and mobile broadband; Vivo (Telefónica) fixed and mobile broadband, TIM fixed and mobile broadband,Claro/NET (América Móvil), Brisanet fixed and mobile broadband, and Algar (broadband only). The operators were evaluated in six categories, including providing information about their data protection policies, disclosing guidelines for law enforcement seeking user data, defending user privacy in courts, supporting pro-privacy policies, publishing transparency reports, and notifying users when the government requests their data.

This year, Oi broke into the top and tied with TIM in receiving the highest scores—each company garnered  full credit in four out of six categories. Every company in the report received full credit for challenging privacy-abusive legislation and government requests for user data except Algar, which received half credit. While Brisanet improved its overall standing, earning full credit in this category, it received the least amount of credit among its peers, echoing last year’s report.

With Brazilian providers steadily improving transparency and customer data protection over the years, methodological changes were made in this edition to raise the bar for achieving credit in a few categories. Specifically, assessing companies’ compliance with data protection legislation has been expanded to include more requirements for transparency about data sharing with third parties. New criteria for measuring transparency around customers’ rights,  data handovers to authorities, and cybersecurity protocols were also added.

Finally, InternetLab checked which companies took a public stance against making it mandatory for users to undergo facial recognition authentication to activate their mobile phone services.

The report’s complete results are here. 

QDSD InternetLab 2022

Data Protection Policy Transparency: Pluses and Minuses

Nearly all companies received full credit for informing users about what data about them is collected, how long the information is kept, and who it is shared with. InternetLab noted advances in how companies were providing information to customers about their data, especially the creation of portals allowing users to click on links to access  privacy and transparency policies and file complaints concerning their rights under the Brazil Data Protection Law (Lei Geral de Proteção de Dados or LGPD).

However, the survey revealed deficiencies in companies’ response times to users’ requests through  the portals. Under the LGPD, customers have the right to access their personal information, ensure its accuracy, and request deletion, among other things. Most companies were not responding to users’ requests within the maximum of 15 days as required by the law. Only Claro/NET and TIM complied with the provision, under which companies are required to provide a clear and complete response. InternetLab researchers testing company practices were not able to obtain any information from Oi in response to requests seeking to confirm whether the companies held their personal data and, if so, the quality and quantity of such data. Algar replied it does not process any personal data from the indicated account, although the request came from a customer of the company. As for Vivo, InternetLab could not even file the request due to technical problems on the company's app.

Finally, Brisanet doesn't provide any online channel for non-customers to confirm whether the company processes their data. Non-customers may have their personal data processed by a telecom operator, for example, when calling or receiving calls from that operator's customers. They have the same right as customers to confirm whether the company processed their personal data and get access to that data. But Brisanet requires non-customers to send a physical letter to the company's headquarters with notarized copies of her national ID and signature. Although checking measures are relevant to verify if the data requested pertains to the person making the request, the company should provide an online and less bureaucratic alternative for all users, not only their customers.

Law Enforcement Guidelines and Public Advocacy for User Privacy

The report showed improvements in two important categories. Every company received full credit for disclosing information on how they handle law enforcement requests  for  user data, except Brisanet, which received no credit. Algar and TIM again stood out for publishing a specific document detailing their guidelines for law enforcement access to user information. Oi joined them for the first time with substantive guidelines on the types of data that can be requested, the legal basis required to obtain data, which competent authorities may request data, and the company's internal process for analyzing the request before handing user information to authorities. Vivo has also received partial credit for a specific section on its website about government requests.   

Regarding defending user privacy in court, five out of six companies, including Brisanet, received full credit. Algar received half credit. All companies, represented by telecom industry trade associations such as ACEL and TELCOMP, challenged in court state laws giving law enforcement officials power to request location data without a previous judicial order. Moreover, Oi, Claro/NET, TIM, Vivo, and Brisanet directly challenged government requests for user data because they lacked a judicial order, showed an insufficient legal basis, or went beyond companies' legal obligations to store data. Further, companies improved their scores for publicly taking a stance in support of user privacy, with Oi and TIM receiving full credit and Claro/NET, Vivo, and Algar receiving half credit. Among other actions, all of them collaborated in launching a code of good practices on data protection for the telecommunications sector, which industry trade group Conexis presented to Brazil's National Data Protection Authority. As in 2021, Brisanet received no credit in this category.

Companies Lack Commitments to Notify Users of Government Data Requests, But Improved on Reporting Numbers

This edition reiterates the complete lack of  public commitment from companies to notify users when their information is handed over to the government. Since the first edition, all companies have failed to receive credit in this category. The report also reveals that some companies need to improve their transparency reports. This year, Brisanet and Algar failed to disclose general statistical data about government requests for user data. Oi and Claro/NET disclosed this data  for the first time ever. Except for Vivo, no other company reveals the number of customers affected by government requests. However, Vivo failed to disclose the number of rejected requests. Only Oi mentioned challenged requests in its report, stating that it  filed 18 lawsuits to challenge requests it considered unlawful in 2021.

Finally, no evaluated company published a data protection impact assessment.

Use of Facial Recognition Assessed

Facial recognition use is on the rise at internet connection providers, especially for prepaid lines. As we’ve said, face recognition represents an inherent threat to privacy, social justice, free expression, and information security. Unfortunately, the InternetLab report showed there was little commitment from companies to increase privacy protections when implementing face recognition as a method of verification, which InternetLab considered especially privacy invasive. This is troubling because some companies have been actively promoting facial recognition technologies, which may have significant consequences for digital privacy in Brazil.

While Oi provides connectivity services for initiatives involving facial recognition in the context of bank fraud and public security, the company does not use the technology when registering users for mobile prepaid services, the InternetLab report shows. TIM, in turn, said it was using facial recognition only with the consent of account holders, and was not making its use mandatory as a security measure. Real and meaningful opt-in consent is the least companies should ensure when tying face recognition to the provision of telecommunication services. This is not the case if giving your face away is mandatory to activate your mobile account. Government proposals forcing users to provide biometric data to use mobile telephone services stirred great civil society resistance in México and Paraguay, which was able to suspend its implementation and final approval, respectively.

Conclusion

Over the last seven years, Brazil’s internet providers have made steady progress in transparency and commitments to protect user privacy. This year’s report shows this trend continued in 2022. The passage of the LGPD has led over the years to more sophisticated and user-friendly tools for customers to get information about how providers are handling their personal data. But the report also shows that companies still have work to do to fully comply with LGPD requirements and implement best practices for notifying users of data handovers, publishing data protection impact assessments and transparency reports, and taking a stronger stance in favor of user privacy when it comes to face recognition. InternetLab’s work is part of a series of reports across Latin America and Spain adapted from EFF’s Who Has Your Back? report, which for nearly a decade has evaluated the practices of major global tech companies.