Chile’s New “Who Defends Your Data?” Report Shows ISPs’ Race to Champion User Privacy

Derechos Digitales’ fourth ¿Quien Defiende Tus Datos? (Who Defends Your Data?) report on Chilean ISPs' data privacy practices launched today, showing that companies must keep improving their commitments to user rights if they want to hold their leading positions. Although Claro  (América Móvil) remains at the forefront as in 2019’s report, Movistar (Telefónica) and GTD have made progress in all the evaluated categories. WOM lost points and ended in a tie with Entel in the second position, while VTR lagged behind.

Over the last four years, certain transparency practices that once seemed unusual in Latin America have become increasingly more common. In Chile, they have even become a default. This year, all companies evaluated except for VTR received credit for adopting three important industry-accepted best practices: publishing law enforcement guidelines, which help provide a glimpse into the process and standard companies use for analyzing government requests for user data; disclosing personal data processing practices in contracts and policies; and releasing transparency reports.

Overall, the publishing of transparency reports has also become more common. These are critical for understanding a company’s practice of managing user data and its handling of government data requests. VTR is the only company that has not updated its transparency report recently—since May 2019. After the last edition, GTD published its first transparency report and law enforcement guidelines. Similarly, for the first time Movistar has released specific guidelines for authorities requesting access to user's data in Chile, and received credit for denying legally controversial government requests for user's data.

Most of the companies also have policies stating their right to provide user notification when there is no secrecy obligation in place or its term has expired. But as in the previous edition, earning a full star in this category requires more than that. Companies have to clearly set up a notification procedure or make concrete efforts to put them in place. Derechos Digitales also urged providers to engage in legislative discussions regarding Chile’s cybercrime bill, in favor of stronger safeguards for user notification. Claro has upheld the right to notification within the country's data protection law reform and has raised concerns against attempts to increase the data retention period for communications metadata in the cybercrime bill.    

Responding to concerns over government’s use of location data in the context of the COVID pandemic, the new report also sheds light on whether ISPs’ have made public commitments not to disclose user location data unless it is anonymized and aggregated, without a previous judicial order. While the pandemic has changed society in many ways, it has not reduced the need for privacy when it comes to sensitive personal data. Companies’ policies should also push back sensitive personal data requests that seek to target groups rather than individuals. In addition, the study aimed to spot which providers went public about their anonymized and aggregate location data-sharing agreements with private and public institutions. Movistar is the only company that has disclosed such agreements.

Together, the six researched companies account for 88.3% of fixed Internet users and 99.2% of mobile connections in Chile.

This year's report rates providers in five criteria overall: data protection policies, law enforcement guidelines, defending users in courts or Congress, transparency reports, and user notification. The full report is available in Spanish, and here we highlight the main findings.

Main results

Data Protection Policies and ARCO Rights

Compared to 2019’s e