Brazil’s biggest internet connection providers continue to make strides towards better protection of customer data and greater transparency about their privacy practices, according to InternetLab’s 2021 “Quem Defende Seus Dados?" (“Who defends your data?)" report. Released today, the report is the sixth annual assessment of Brazilian providers’ adherence to best-practices criteria that look at whether they are doing their level best under the law to protect users when law enforcement requests their personal information, defend privacy rights in court and in their public policy positions, and publicly disclose information on user data collection, government requests for user data, and more.

InternetLab evaluated six providers in this edition, all of whom hold at least 1 percent of the telephony market in Brazil and looked at both broadband and mobile services. Brisanet, a leading independent provider, was evaluated for the first time, while Sky was dropped, as well as Nextel, which was incorporated into Claro after being acquired by América Móvil, Claro’s parent company.

Telecom provider TIM, owned by Telecom Italia SpA, received the highest score this year, as it did last year. Its broadband and mobile services received full credit for meeting standards in four of the six categories and 75 percent credit for a fifth category. Claro Mobil and NET, both part of América Móvil, were a close second, with full stars in four categories and a quarter star in a fifth, while Vivo achieved full stars in three categories, three-quarters star in a fourth, and half star in a fifth.  Algar made slight improvements over last year’s scores, with one full star, a ¾ star, and a half star, while Brisanet Mobil and Brisanet Broadband came in last, earning a half star in just one category.

As highlighted by Bárbara Simão, InternetLab’s Head of Research, the report shows Internet Service Providers (ISPs) improving disclosure of relevant information on how they handle user data. “Some companies, such as TIM, Vivo, and Algar, started to publish specific protocols with rules for handing over data to public authorities,” Simão said. However, there is still plenty of room for providers to strengthen privacy-protective best practices. One key issue relates to companies’ public response about security breaches. According to Simão, “some major data breaches related to ISPs were reported last year, and the companies involved failed to respond adequately.

All but two companies received top scores for providing clear and complete information on privacy policies, including what data they collect and why, how long it’s stores it, and who has access to it.  Improvements in this category are in part attributed to Brazil’s new law, the EU General Data Protection Act (GDPR)-inspired regulation that took effect last year. Oi and Vivo, which both received ¾ stars last year, improved their scores, while Algar slipped from getting a full star last year to ¾ star this year. Brisanet Mobil and Brisanet Broadband earned a half star, the only category in which the company scored.

All but a few companies performed well in taking a public stance supporting privacy and defending user privacy in court. Last year InternetLab evaluated companies’ activities defending privacy against unprecedented government pressure to access telecom data during the COVID-19 pandemic. This year the organization revised this parameter, and looked at whether companies took a public stance, in consultations and debates or in the media, in favor of practices promoting the security of its users' data and providing concrete information on strategies to mitigate risks and prevent security breaches.

The revised parameter reflects concerns about security and data breaches involving TIM, Claro, and other leading providers that occurred in 2020 and 2021, in which over 100 million cell phone numbers and personal information were exposed. Investigations into the incidents were opened by the National Consumer Secretariat (Senacon) and by Procon-SP. The companies involved provided only generic explanations and little in the way of information about safeguards to prevent future security break-ins. Regulatory agencies, in response, implemented initiatives aimed at combating cybersecurity threats, including the creation of the Regulation of Cybersecurity Applied to the Telecommunications Sector by Anatel (Brazil’s telecom regulator) and the technical note published by the National Data Protection Authority (ANPD), with guidelines for providers in the event of a security breach.  As such, this year’s report evaluated companies’ commitments to securing the personal data of their users and publicly voicing support for these initiatives.

Unfortunately, companies continue to fall well short of best practices for informing users about requests for their data. This year, as in 2020, not a single company received a star for this category. No Brazilian law compels companies to notify targets of surveillance, but they are not prevented from notifying users when secrecy is not legally or judicially required. Companies also lag when it comes to their transparency reports and data protection impact assessments. TIM, NET, and Claro received partial stars in this category, while the rest received no stars.

Main Results

Overall, this year's report evaluates providers in six criteria: data protection policies, law enforcement guidelines, defending users in the judiciary, defending privacy in policy debates or the media, transparency reports and data protection impact assessment, and user notification. The full report is available in Portuguese. These are the main results:

Brasil QDSD 2021 table

Category 1 Results: Data Protection Policies

While most providers are now telling users about what data they collect about them, how long the information is kept, and who they share it with, some are failing to be fully transparent in responding to users’ requests for information about their own personal data. InternetLab researchers tested company practices by requesting their personal data. Oi, TIM, Vivo, and Brisanet complied, but only disclosed subscriber information, even though the Brazilian Data Protection Law ensures users’ right to access all the personal data companies collect about them.

TIM, this year and last, took additional steps to certify the requestor's identity before disclosing the data, a good practice that deserves to be highlighted. Algar had done the same in 2020, but this year failed even to respond to requests for access to data.

InternetLab added a new standard that companies must meet to get full credit in this category: provide information about under what circumstances they will transfer users’ personal data to other countries. Law enforcement around the world is increasingly seeking data across borders in criminal investigations, so it’s important for companies to provide clear and detailed information about how it handles user data requests from foreign police.

The report shows that, except for TIM and Algar, companies are less than fully transparent, failing to provide specific information about where data is stored or what steps are required to transfer it to other countries.

For example, Claro’s privacy policy says the company hires cloud storage services, which “may take place outside the national territory.” However, there is no further detail about which international entities receive such data.  Oi’s policy has generic language saying it may transfer users’ personal data abroad for cloud storage or, if needed, to provide a service.  Vivo’s policy has limited information, saying, “as part of the Telefónica Group, (it) may, in certain circumstances and when necessary, share personal data with other companies within the Group. In addition, your data may be shared with partners and suppliers based in other countries, always in compliance with applicable law and in accordance with contractual clauses.”

TIM received full credit for the criteria, disclosing that the main third-party servers that store personal data under TIM’s control are in Brazil, EEA (European Economic Area), and California (USA). Algar also received a full score for explaining the legal criteria applied for international data transfers. Brisanet’s policies do not comply with InternetLab’s guidelines.

Category 2 Results: Law Enforcement Guidelines

To earn stars in this category, companies must have clear guidance for law enforcement about accessing user data and follow the most privacy protective interpretations of the law when personal data are requested by law enforcement agents.

Claro/NET, TIM and Vivo received full stars after receiving only partial stars last year.  Vivo and TIM for the first time received credit for publishing a specific document on how  they respond to government data requests. Although both documents could provide more information on the procedures adopted and break down details by different types of communications data, they certainly represent a good start.

Claro is more transparent than last year, telling users that it discloses subscriber data to authorities, which it identifies, as well as identifying which crimes justify the disclosure of subscriber data without a warrant. It also provides information on the circumstances in which it provides geolocation data and promises to provide authorities with connection records only by court order. However, it does not publish a specific document with information about procedures and rules followed to give user data to authorities, another criterion for Category 2.

Algar had the most dramatic improvement in this category. The company went from receiving no star last year to a full star this year. Algar’s first published law enforcement guidelines are the only ones providing more detailed information broken down by the type of data requested, clearly asserting the details and commitments that InternetLab’s report seeks to obtain in Category 2.

Category 3 Results:  Defending Users in Courts

To earn stars in this category, companies should challenge privacy-abusive legislation and abusive administrative or judicial requests for user data.

Claro, NET, and TIM achieved full starts for complying with both parameters after receiving half stars last year.  Oi received a full star this and last year. Algar and Brisanet received no score in this category.

Claro, Oi, TIM, and Vivo filed a lawsuit challenging a state law compelling companies to identify the caller number for every telephone call (preventing blocked numbers, for example). Vivo, along with other telco companies, challenged modifications to the General Regulation on Consumer Rights of Telecommunications Services that would oblige companies to provide, to any recipient of telephone calls, personal data of the person who made the call.

Meanwhile, Oi has challenged a judicial order authorizing a police request to provide passwords granting access to all telephone-related stored data for 6 months, including subscriber information, call and SMS records, and location data. The company challenged the general nature of the order and requested the police to specify which users and devices were targeted. It has also requested information about which criminal investigation the order was related to.

Claro denied a request for handing subscriber data directly to the Office of the Comptroller General (Controladoria Geral da União), without prior judicial authorization, stating that doing so would be a violation of constitutional and legal safeguards. Vivo has also denied police and prosecutors requests for users call records and location data without prior judicial orders.

Category 4 Results: Public Stance in Favor of Privacy

Claro, NET and TIM received full stars for taking a public stance in support of privacy, while Oi, Vivo, and Algar received 1/2 stars. Highlights included a new document from TIM entitled "Information Security and Cybersecurity Policy," which, among other things, provides a specific communication channel for security cases. InternetLab’s report congratulates the company for making available a specific document that provides detailed information about security practices and means to exercise rights.

But the news wasn’t all good. Even though Claro, Oi, and TIM received stars for public statements in regard to security and cyber risk mitigation, InternetLab points out that they all failed to provide robust answers to accusations of data breaches (Claro in 2020, and Oi and TIM in 2021).

The ISPs provided only “generic answers,” InternetLab reports.  “No robust explanations about the case were given, nor were any standards or techniques concretely advocated that could address the allegations [of data breach],” the organization said. Vivo also faced data breach accusations in 2020, receiving notification from consumer and telecom authorities. InternetLab said the company sent public responses to authorities, claiming to have evaluated its internal systems and found no security incidents. The responses didn’t mention any improvements in Vivo’s security measures.

Category 5 Results: Transparency Reports and Data Protection Impact Assessments

Brazil’s internet and telecommunications providers are not where they should be when it comes to publishing transparency reports, a best practice that has grown in the tech industry. Algar, Oi, and Brisanet received no stars, while Claro and Net received a quarter star—they disclose aggregate data about users’ requests for their own data, but no statistical data about government data requests.

TIM received ¾ star; the company does not publish a transparency report, but does publish a Sustainability Report with general information about government data requests and total figures for last year’s requests for telephone interception, subscriber information, and “telephone extracts.” Vivo has improved its mark since last year. Telefónica Brazil, of which Vivo is part, published for the first time its comprehensive transparency report in Portuguese.

As in last year’s report, none of the featured companies published a data protection impact assessment (DPIA). The Brazilian data protection law has rules about DPIA, but the Data Protection Authority still must regulate when this assessment is mandatory.

Category 6 Results: User Notification

No company informs users when government authorities seek their data, so no stars were awarded. This is unchanged from last year.

Conclusion

Since its first edition in 2016, Brazil’s reports have shown solid progress, fostering ISP competition toward stronger standards in favor of transparency and users’ privacy. This year report highlights advances in the disclosure of law enforcement guidelines and Brazilian providers’ continuous commitment in defending their users in courts. It also shows that there is room for improvement in user notification, data protection impact assessments, and even in transparency reports—a best practice already consolidated in other countries and for other players, such as tech companies. InternetLab’s work is part of a series of reports across Latin America and Spain adapted from EFF’s Who Has Your Back? report, which for nearly a decade has evaluated the practices of major global tech companies.