Argentinian telecommunications providers have made strides in their commitments to protecting users’ data privacy, but the gains are uneven—they are doing a better job at informing about data processing and users' data rights, but still a poor job at disclosing how they handle government demands for user data, according to a new report by digital rights group ADC.
In this third edition of Argentina's report, most of the improvements relate to the ISPs’ privacy policies. ADC has increased the evaluation parameters in this category to follow crucial data protection principles. Among others, the report checks whether ISPs commit to only collect data for specific, explicit, and lawful purposes and stick to those purposes when processing user data; ensure the data they process is true, adequate, relevant, and not excessive in regard to the purposes of collection; and adopt security measures to protect user data. All companies received credit for their privacy policies, while none of them got more than a half star.
Once again, Movistar leads the ranking, with three and a half out of five stars. The company has almost doubled its score compared to the 2019 report, and is far ahead of second-place IPLAN, which earned roughly two stars. IPLAN was the only company to engage with ADC researchers in the last edition. Back then, IPLAN, a smaller company in Argentina’s market, was taking its first steps to properly adjust its data protection policies and practices. The improvements in IPLAN’s policy show the company’s disposition to receive criticism and recommendations, the ADC report highlights. Arlink, another small local ISP first featured in this new edition, came in last place, while Claro, a much larger provider, was almost as bad.
The new ¿Quién Defiende Tus Datos? (Who Defends Your Data?) edition evaluated Movistar (Telefónica), Claro (América Móvil/Carso), DirecTV, Personal (Telecom Group), Telecentro, IPLAN, and Arlink. While Personal and DirecTV failed to improve their scores over the last edition, all others featured in 2019 improved theirs, at least a little.
ADC assessed each company in five categories: how comprehensive their privacy policies are and whether they commit to notify users of any changes; if they publish transparency reports and what information they cover; whether they commit to notify users about government data requests; if they disclose guidelines authorities must follow to request user data (i.e., law enforcement guidelines) and whether ISPs commit to require a judicial order before handing over such data; and their policy commitments and practices towards human rights and defending users’ data privacy in courts and policy debates.
Here you can learn more about the main findings.
Privacy Policies and Information About Users’ Data Rights
This year, ADC assessed ISPs’ privacy policies against key data protection principles, such as purpose, security, and accuracy, and the duty to provide information. As always, the report also checked how easy it is for users to find privacy policies and, this year, recognized companies’ efforts to concentrate all relevant data privacy information on ISPs’ local websites. This is a bare minimum parameter, yet we still see problems in other ¿Quién Defiende Tus Datos? reports in the region, such as Panamá and Nicaragua—and even in this Argentina edition, as you can read below.
A key parameter is whether providers inform users about how they can exercise their data rights, particularly their right to access their personal information in companies’ databases. All evaluated companies inform users about their data rights, but not without ups and downs. Arlink requires a notarized physical letter to give users access to their personal data, a bureaucratic and unnecessary hurdle. Companies’ concern and responsibility to check the identity of the requesting person must not result in costs to users. Claro provides a form, which is not directly available on the local company website and, according to ADC, requires an excessive amount of user data compared to what is stipulated in Argentina's data protection law. On the upside, IPLAN offers a detailed explanation on how users can exercise their rights and provides a standard form that users can send either by email or physical mail to gain access to their personal data. The form allows users to choose whether they also want to access surveillance footage IPLAN may have on them.
Transparency and Privacy Safeguards Before Government Data Demands
ADC notes companies’ poor results in disclosing meaningful information about the government data demands they receive, and how they handle such requests. Telefónica-Movistar is the only one that both goes beyond generic statements and makes available on the local website a global transparency report detailed per country, including aggregate data on government requests for user data. América Móvil, Claro’s parent company, also publishes a global transparency report that covers Argentina. But it does not contain statistical information of government requests per country. Moreover, the transparency report itself is not directly available either in Claro Argentina’s or América Móvil’s websites. ADC could find a link to the report only in América Móvil’s 132-page Sustainability Report (we’ll make it easier for you, it’s at page 51).
ISPs also fall short of showing robust commitments to defend users’ privacy before disproportionate government data requests that run afoul of constitutional and human rights standards. “[S]everal companies refer to this aspect by explaining that simply complying with government requests is part of their obligations, implying that they are not empowered to establish requirements to prevent [government's requests] excesses,” ADC points out.
This is not OK. Regarding companies’ responsibility to ensure that their practices respect human rights and fundamental freedoms, including the right to privacy, the first report the UN High Commissioner for Human Rights (OHCHR) issued about the right to privacy in the digital age stresses that companies are expected to seek to honor the principles of human rights to the greatest extent possible. They should keep this commitment when faced with government demands contrary to international human rights standards, and be able to demonstrate their ongoing efforts to do so, the report says.
Human Rights Policy Commitments and Practices
Considering standards set in the UN Guiding Principles on Business and Human Rights, the new edition checked which ISPs have clear public policy commitments to respect human rights. Out of six evaluated companies, only IPLAN and Telefónica-Movistar received credit for having any public statement in that sense. Movistar's policies are far more comprehensive than IPLAN's. Telefónica-Movistar has also devised and published a Personal Data Protection Governance Model based mainly on compliance with the EU GDPR, and is the only featured ISP that reported on how the company periodically conducts impact assessments as part of its human rights due diligence.