Paraguay’s leading broadband service providers last year upped their commitments to users to be transparent about their privacy policies and to adopt accessibility practices, but most fell short on disclosing information about government requests seeking their data, according to the new edition of TEDIC’s ¿Quién Defiende Tus Datos? (“Who Defends Your Data).
The report reveals a troubling trend among Paraguayan internet and telecommunications providers: most don’t publish reports with statistical data on such requests or disclose procedures they follow when handing user’s data to authorities. What’s more, companies still resist making a public commitment to notify users about government data demands. Although this is usually a difficult commitment to get from companies evaluated in the region, we see some strides in Chile, Colombia, and Argentina. In Paraguay’s report, however, all service providers failed in this category.
This undermines users’ ability to make informed choices about which companies they should entrust their data to. Our reliance on internet connection providers to browse, access information online, and communicate with others puts vast amounts of highly sensitive data into the hands of service providers. TEDIC’s report shows they must address this weakness by giving users more information about how these requests are handled and revealing to what extent they have users’ back when the government demands their data.
Paraguay’s full study is available in Spanish.
Regarding privacy and data protection policies, TEDIC’s study checked whether companies provided clear and easily accessible information about personal data collection, processing, and sharing with third parties, as well as retention times and security practices. All companies but Vox scored for publishing their privacy and data protection policies and earned at least partial stars for accessibility features on their websites. Both Claro and Tigo received a full star. Personal and Copaco earned only a quarter star, as their policies are generic and don’t contain relevant details on what personal information is collected and stored, for how long, and how third parties and authorities can have access to and use customers’ data.
Unlike other countries in Latin America, Paraguay still doesn’t have a comprehensive data protection law in force. TEDIC and allies have been working to push forward legislation that can fulfill this gap and ensure robust data protection principles and safeguards for all Paraguayans. Yet, companies don’t have to wait for the bill to be approved to increase transparency about how they process their users’ personal information. In fact, the broadband providers in the report should have already taken that on.
Paraguay’s report also analyzed whether companies publish transparency reports with information about government requests for users’ data, and whether such reports provide additional detail on types of data requested, requesting authorities, and justification for the request. Only Tigo and Claro scored in this category, earning half-stars for reports published by their parent companies—Millicom and América Móvil, respectively. Both companies didn’t provide all the details required. They do not break out figures for government requests received in Paraguay. Their reports instead aggregate all government data demands received in the South American countries they operate. Paraguay’s branches of both companies should follow the example of other South American units that publish local transparency reports, like Tigo in Colombia, and Claro in Chile. Also, Millicom and América Móvil reports are not available on their local providers’ websites, which should be fixed.
As for publishing law enforcement guidelines they follow when responding to user data requests, again only Claro and Tigo received points for documents disclosed by their parent companies. América Móvil published for the first time a specific global report with information on its procedures before responding to government data demands and applicable legal frameworks in each country. In turn, Millicom’s report presents their global guidelines for assisting law enforcement, without breaking down information by country. That’s why the company received only a half star in the category, as in the previous year’s edition.
Judicial authorization and user notification remained the lowest scoring categories. Companies still don’t make any public commitment to notify their users about government data requests, while only Tigo explicitly states that a judicial order is needed before handing the content of users’ communications to authorities. América Móvil’s report fails to make this clear in its section on Paraguay, even while sections on other countries in the report say a judicial order is needed. No company publicly commits to request a judicial order for delivering users’ metadata to authorities. This occurs mainly because of a problematic Supreme Court ruling that didn’t consider law enforcement access to telephone metadata without a court order a violation of Paraguay’s constitutional privacy safeguards. As TEDIC explains in the report, such interpretation runs afoul of constitutional and legal protections, as well as inter-American privacy standards that apply both to metadata and communications content.
Finally, regarding human rights policies, all companies received at least a quarter star for public campaigns providing information about or training in issues like digital security or privacy, or for joining sectoral or multistakeholder initiatives aligned with the promotion and defense of human rights.
TEDIC’s Paraguay ¿Quién Defiende Tus Datos? series of reports is part of a region-wide project, inspired by EFF’s Who Has Your Back, aimed at encouraging companies to be more transparent and better protect user privacy to garner a competitive advantage in Latin America and Spain. Fundación Karisma has recently launched their new edition for Colombia.