Derechos Digitales, the leading digital rights organization in Chile, published its third annual Who Defends Your Data report today, in collaboration with EFF. The report assesses whether the country’s top ISPs enforce privacy policies and practices that put their users first. Kurt Opsahl, EFF’s Deputy Executive Director and General Counsel, joined the launch in Santiago de Chile, which highlighted the main findings and achievements of the report.
ISPs have made considerable strides forward in this year's edition. Five of the six ISPs now publish transparency reports; four have released public guidelines on how and when they hand over user's data to government officials. Claro leads the pack in protecting its customers’ data, with WOM close behind. Both have policies that are both public and privacy-protective, publish clear and detailed law enforcement guidelines, and have made significant progress towards notification about authorities’ requests for personal information—a real breakthrough for users' rights throughout Latin America. VTR, Movistar and GTD Manquehue still have a long way to catch up.
The summary of the latest Who Defends Your Data? report is below. The full report, including details about each company, is available in Spanish.
- Data Protection: Does the company have a copy of their internet service contract and its data protection policy published on its website?
- ISPs were not only judged on whether or not they published their policies on their website, but also the policies’ privacy-protective contents.
- Full star: Policies prominently published, clear, reflected key user-centric data protection principles, were in line with the current national legislation, and identified a point of contact to address user grievances.
- Partial star: Partial compliance.
- Transparency: Does the company have a transparency report?
- Full star: Published a transparency report on users’ data management and handling of government data requests
- Must have included the specific number of data requests the ISP has approved or rejected; a summary of the requests by investigation authority, type, and purpose; whether the report disaggregates the requests by geographic region; and whether third-parties managing user data do so in a privacy-protective manner and inform about government data requests they receive.
- Partial star: Published transparency reports, but did not specifically refer to data protection and the monitoring of communications.
- User Notification: Does the company notify users about government requests for information?
- Full star: Notify users about authorities' requests for access to their personal information at the earliest possible moment under the law
- Partial star: Making progress to implement a notification system.
- Law Enforcement Guidelines: Does the company publish the procedure, requirements and legal obligations that the government must comply with when requesting personal information from its users?
- Full star: Specifically outline, on their website, the requirements authorities must comply with when requesting user data. The description must be easy to understand; it must specify the procedures the company uses to respond to data requests from authorities; and it must indicate how long it retains user data.
- Partial star: Publishes information on how it handles user data, but does not fully specify the requirements that authorities must comply with.
- Commitment to Privacy: Has the company defended privacy and actively protected users' data, either in court or as part of a legislative discussion in Congress?
- Full star: Challenged government requests in courts as unlawful or disproportionate requests for data.
- Partial star: Publicly defended users outside of court, whether that be opposing bills or administrative procedures that threaten user privacy, or joining a multi-stakeholder coalition in favor of users' rights.
Compared to last year’s edition, the new report gave lower overall scores for the companies’ data protection policies, with Movistar, GTD, and VTR lagging behind. That’s because the 2019 report raised the standards, requiring that ISPs not only publish clear data protection policies, but also go a step further and commit to privacy-protective principles considered in the research. Both WOM and Claro were the only two to do so, maintaining their perfect scores.
WOM, VTR and Claro stood by supporting the user’s right to notification. For years, similar reports across Latin America have underscored ISPs’ reluctance and fear to lay out a proper procedure for alerting users of government data requests, in contrast to notification practices now common in the United States. In previous installments of Derechos Digitales’ report, this has been a serious shortfall for the country’s ISPs. This year’s edition, however, shows Chile is making significant improvements. WOM, VTR, and Claro laid out users’ right to be notified within their policies. Claro went above and beyond in making it easy for its users: they even crafted a formal letter for users to use to gather more information in the event of a notification. This is crucial for ensuring users’ ability to challenge the request and to seek remedies when it’s unlawful or disproportionate.
ISPs have also been hesitant to challenge illegal and excessive requests. Chile’s report indicates that many ISPs are still failing to confront such requests in the courts on behalf of their users—except one. This year, Entel got top marks because it was the only ISP to refuse the government’s request for an individual’s data, out of the several ISPs contacted for the same information. Claro and WOM made strides as well, the first for supporting legislative initiatives favoring users’ rights and the latter for not handing over personal information they saw as confidential in administrative procedures.
Finally, this year’s edition shows more stars shining in transparency reports and public law enforcement guidelines for access to users’ data. Now, VTR and Entel joined WOM and Claro in publicly sharing their law enforcement guidelines. All four received full stars, indicating that not only were their guidelines listed, but also that their contents met the standards. And except for GTD Manquehue, all the other ISPs published transparency reports—a huge improvement from the almost three full stars given last year. It signals a larger trend within Chile that will hopefully make transparency reports an industry norm. All five of the reports covered in this category meet the baseline standards laid out in the research.
There’s a clear gap between Chilean companies when it comes to defending users privacy. Claro and WOM are comfortably in the lead in protecting their customers, with Entel not far behind. As for Movistar and GTD Manquehue, there’s a great deal they need to improve on.
Derechos Digitales’ work is part of a series of reports throughout Latin America and Spain adapted from EFF’s Who Has Your Back? report, which for nearly a decade has evaluated the practices of major global tech companies. Fundación Karisma in Colombia published its report in late 2018, Hiperderecho in Peru has launched its second edition this year, and IPANDETEC in Panamá is about to start its own series.