Spanish ISPs Fall Short of Robust Commitments to User Privacy in New Eticas’ Report

Deeplinks 2022-10-19

Summary:

Spanish Internet Service Providers (ISPs) continue to fall short of robust transparency about their data protection and user privacy practices, with many failing to meet criteria that directly build on Spanish and EU data protection regulations.

While highlighting that internet companies in Spain need to step up their user privacy game, Eticas Foundation’s third edition of ¿Quién Defiende Tus Datos? (Who Defends Your Data?) Spain showed that Movistar (Telefónica) maintained a leadership position among companies evaluated, with a total of 18 out of 21 points. The ISP scored well in all evaluated criteria except for user notification. On the other hand, Som Conexión received the lowest score, with just 3.5 points.

All of Spain’s ISPs received credits in the privacy policy category, which covers crucial information companies should provide users about their data processing practices. ISPs made significant strides in this category in Eticas’ last report. Yet, this year's edition shows companies have lost traction, improving in some parameters but losing credit for others. The balance between advances and gaps of Spain’s Internet companies shows there is still plenty of room for progress.

This year, Eticas checked public policies and documents of 15 Internet companies that handle user data in their day-to-day activities, including telecom providers, home sales and rental sites, and apps for selling second-hand goods. Eticas added three new companies to the report: the telecom provider Digi Spain Telecom, the second-hand goods app Vinted, and the startup Trovit.es, which offers deals for selling or renting homes, cars, and other products. Telecom provider Euskaltel is no longer in the ranking after its acquisition by MásMóvil.

This year’s study has also introduced new criteria. To earn a full star, companies’ privacy policies must state why and through which channels they collect user data. Considering the context of the COVID-19 pandemic and policies to combat the spread of the virus that involve mass collection of user data, Eticas pushed companies to commit to only sharing anonymized and aggregate data for policy, rather than law enforcement, purposes. The new report introduced a special red star to indicate whether ISPs went public with any specific data protection measure related to the pandemic. 

Vodafone was the only service provider to receive credit for both COVID-related data collection categories. The ISP published a specific data protection policy regarding data-sharing for COVID-19 control actions. The policy includes important safeguards, such as only sharing aggregate and anonymized data and respecting principles of proportionality and purpose limitation. The policy’s disclosure about data security, however, only mentions that Vodafone has put “adequate and appropriate security measures” in place, without providing details. The company should include more detail on the type of measures taken and their efficacy in preserving data privacy and security.

The summary of results is below.

QDTD Spain 2022 table

Movistar, Orange, and Vodafone were the only service providers credited for parameters beyond their privacy policies. Movistar and Vodafone earned scores for disclosing information on the legal framework authorities must follow to request user data, and which competent authorities can request access to users’ communications content and metadata. The three ISPs also received credit for carrying out initiatives promoting user privacy, like the Telecommunications Industry Dialogue and the Global Network Initiative. Disappointingly, Movistar remains the only company that publishes periodic transparency reports with statistical information about government data requests. And Orange, which stood out in previous editions for committing to notify users about data requests, lost this credit in the new edition.

When it comes to ISPs’ privacy policies, there are ups and downs. Almost half of the 15 companies evaluated did not provide information about profiling and automated decision-making, failing to comply with disclosure standards set forth in Spain’s data protection legislation (which incorporates GDPR obligations). They have also fallen short of other parameters that build on GDPR's transparency rules for user data processing. For example, almost one-third of featured companies did n

Link:

https://www.eff.org/deeplinks/2022/10/spanish-isps-fall-short-robust-commitments-user-privacy-new-eticas-report

Authors:

Veridiana Alimonti

Date tagged:

10/19/2022, 16:47

Date published:

10/19/2022, 16:38