Brazil's Telecom Operators Made Strides and Had Shortcomings in Internet Lab's New Report on User Privacy Practices

Brazil’s biggest internet connection providers made moderate advances in protecting customer data and being transparent about their privacy practices, but fell short on meeting certain requirements for upholding users’ rights under Brazil's  data protection law, according to InternetLab’s 2022 Quem Defende Seus Dados? (Who Defends Your Data?) report.

In this seventh annual assessment of Brazil’s providers, InternetLab evaluated six companies, and looked at both their broadband and mobile services. Operators assessed include Oi fixed and mobile broadband; Vivo (Telefónica) fixed and mobile broadband, TIM fixed and mobile broadband,Claro/NET (América Móvil), Brisanet fixed and mobile broadband, and Algar (broadband only). The operators were evaluated in six categories, including providing information about their data protection policies, disclosing guidelines for law enforcement seeking user data, defending user privacy in courts, supporting pro-privacy policies, publishing transparency reports, and notifying users when the government requests their data.

This year, Oi broke into the top and tied with TIM in receiving the highest scores—each company garnered  full credit in four out of six categories. Every company in the report received full credit for challenging privacy-abusive legislation and government requests for user data except Algar, which received half credit. While Brisanet improved its overall standing, earning full credit in this category, it received the least amount of credit among its peers, echoing last year’s report.

With Brazilian providers steadily improving transparency and customer data protection over the years, methodological changes were made in this edition to raise the bar for achieving credit in a few categories. Specifically, assessing companies’ compliance with data protection legislation has been expanded to include more requirements for transparency about data sharing with third parties. New criteria for measuring transparency around customers’ rights,  data handovers to authorities, and cybersecurity protocols were also added.

Finally, InternetLab checked which companies took a public stance against making it mandatory for users to undergo facial recognition authentication to activate their mobile phone services.

The report’s complete results are here. 

Data Protection Policy Transparency: Pluses and Minuses

Nearly all companies received full credit for informing users about what data about them is collected, how long the information is kept, and who it is shared with. InternetLab noted advances in how companies were providing information to customers about their data, especially the creation of portals allowing users to click on links to access  privacy and transparency policies and file complaints concerning their rights under the Brazil Data Protection Law (Lei Geral de Proteção de Dados or LGPD).

However, the survey revealed deficiencies in companies’ response times to users’ requests through  the portals. Under the LGPD, customers have the right to access their personal information, ensure its accuracy, and request deletion, among other things. Most companies were not responding to users’ requests within the maximum of 15 days as required by the law. Only Claro/NET and Algar complied with the provision, under which companies are required to provide a clear and complete response. InternetLab researchers testing company practices were not able to obtain any information from Oi and Tim in response to requests seeking to confirm whether the companies held their personal data and, if so, the quality and quantity of such data. As for Vivo, InternetLab could not even file the request due to technical problems on the company's app.

Finally, Brisanet doesn't provide any online channel for non-customers to confirm whether the company processes their data. Non-customers may have their personal data processed by a telecom operator, for example, when calling or receiving calls from that operator's customers. They have the same right as customers to confirm whether the company processed their personal data and get access to that data. But Brisanet requires non-customers to send a physical letter to the company's headquarters with notarized copies of her national ID and signature. Although checking measures are relevant to verify if the data requested pertains to the person making the request, the company should provide an online and less bureaucratic alternative for all users, not only their customers.

Law Enforcement Guidelines and Public Advocacy for User Privacy

The rep