Two of Peru's Top ISPs Improve Transparency Practices, While Two Competitors Lag Behind, New Hiperderecho's Report Shows

Peru’s top two telecom operators Movistar (Telefónica) and Claro (América Móvil) continued to earn high marks for being transparent about government requests for user data, while competitors Bitel (Viettel) and Entel slightly improved practices promoting human rights, but in general lagged behind, according to a new report issued today from digital rights group Hiperderecho.  Hiperderecho’s new ¿Quién Defiende Tus Datos? (“Who Defends Your Data”) report, launched today, reveals disparities in data protection and privacy practices among Peru’s four leading internet service providers (ISPs). Movistar came out slightly ahead in the new report after tying with Claro for the top position in the report’s last edition. Except for the user notification category, Movistar received full credit in all other evaluated parameters. Even though all four companies—Bitel, Claro, Entel, and Movistar—have improved their marks since the first edition in 2015, the disparities in the latest results are evident. In four out of eight evaluated categories, Bitel and Entel received no credit, highlighting their lack of transparency regarding government requests for getting access to user personal data. Only Movistar and Claro received scores  for publishing information about government requests for user data, disclosing guidelines they follow when responding to such requests, explicitly committing to require judicial orders before handing user data to authorities, and disclosing practices for notifying users about such government requests. The report also looked at companies’ privacy policies, digital security practices, and human rights policies. In those categories, all four companies earned at least partial scores. This report, the fourth evaluating Peru’s major telecom operators,  included a new category: whether telecom companies make available webpages, contracts, and/or privacy policies in native languages, like Quechua and Aymara. As Hiperderecho’s report highlights, “[w]e consider this to be of utmost importance because there is no free and informed consent if the information presented regarding the processing of personal data is not in an understandable language.”  Main findings Publishing privacy policies is already a steady practice among evaluated ISPs. All earned full scores in the last two reports. They publish privacy/data protection policies that apply to their telecommunication services (not only to their apps or communication channels), disclosing, in simple and clear language, what  information they collect, for how long, and instances when they share data with third parties. Movistar stands out for a Transparency Center on its website that presents the information in a more helpful and attractive way. As for publishing more detailed guidelines on how they handle government requests for user data, both Claro and Movistar received full scores. In contrast, Bitel and Entel don’t disclose any guidelines. For the first time, Movistar went beyond publishing its global policies, and published guidelines relating to Peru. Claro had done so already in the last report. Back then and this year, Claro’s published guidelines earned a full star. Claro discloses applicable norms for lifting telecommunications secrecy, competent authorities to issue data requests, requirements they should follow, and the ISP procedure for processing government demands. The guidelines mention norms that include communications content and metadata.  Both companies also explicitly commit to requiring a judicial order before handing user data to government authorities. With transparent law enforcement guidelines, Claro and Movistar disclose more than vague statements that they may hand user data “to comply with legal requirements.” Those vague statements are all that Hiperderecho could find in Bitel and Entel policies. Again, only Claro and Movistar publish transparency reports about government requests for user data. Telefónica (Movistar) has been publishing annual transparency reports since 2016. But the company only recently made the reports available on Movistar Peru’s website. In turn, Claro improved its practices since last edition and earned a full star for disclosing more  details about the requests received, like the requesting authorities and the reason for the request (for criminal or other matters, and the type of crime under investigation). Claro’s transparency report also shows the number of government requests for location data in real time as per Legislative Decree 1182, which requires subsequent judicial review, instead of a previous judicial order. Hiperderecho’s report notes that in 2021 legislators expanded the cases in which authorities can access user data under LD 1182. Before the legislative change, authorities could access user data under LD 1182 only in cases where a crime was in the process of being committed. ("flagrante delicto" cases). Now they also cover preliminary investigations of a significant range of cri

Two of Peru's Top ISPs Improve Transparency Practices, While Two Competitors Lag Behind, New Hiperderecho's Report Shows

Peru’s top two telecom operators Movistar (Telefónica) and Claro (América Móvil) continued to earn high marks for being transparent about government requests for user data, while competitors Bitel (Viettel) and Entel slightly improved practices promoting human rights, but in general lagged behind, according to a new report issued today from digital rights group Hiperderecho

Hiperderecho’s new ¿Quién Defiende Tus Datos? (“Who Defends Your Data”) report, launched today, reveals disparities in data protection and privacy practices among Peru’s four leading internet service providers (ISPs). Movistar came out slightly ahead in the new report after tying with Claro for the top position in the report’s last edition. Except for the user notification category, Movistar received full credit in all other evaluated parameters. Even though all four companies—Bitel, Claro, Entel, and Movistar—have improved their marks since the first edition in 2015, the disparities in the latest results are evident. In four out of eight evaluated categories, Bitel and Entel received no credit, highlighting their lack of transparency regarding government requests for getting access to user personal data.

Only Movistar and Claro received scores  for publishing information about government requests for user data, disclosing guidelines they follow when responding to such requests, explicitly committing to require judicial orders before handing user data to authorities, and disclosing practices for notifying users about such government requests. The report also looked at companies’ privacy policies, digital security practices, and human rights policies. In those categories, all four companies earned at least partial scores.

This report, the fourth evaluating Peru’s major telecom operators,  included a new category: whether telecom companies make available webpages, contracts, and/or privacy policies in native languages, like Quechua and Aymara. As Hiperderecho’s report highlights, “[w]e consider this to be of utmost importance because there is no free and informed consent if the information presented regarding the processing of personal data is not in an understandable language.” 

Main findings

Publishing privacy policies is already a steady practice among evaluated ISPs. All earned full scores in the last two reports. They publish privacy/data protection policies that apply to their telecommunication services (not only to their apps or communication channels), disclosing, in simple and clear language, what  information they collect, for how long, and instances when they share data with third parties. Movistar stands out for a Transparency Center on its website that presents the information in a more helpful and attractive way.

As for publishing more detailed guidelines on how they handle government requests for user data, both Claro and Movistar received full scores. In contrast, Bitel and Entel don’t disclose any guidelines. For the first time, Movistar went beyond publishing its global policies, and published guidelines relating to Peru. Claro had done so already in the last report. Back then and this year, Claro’s published guidelines earned a full star. Claro discloses applicable norms for lifting telecommunications secrecy, competent authorities to issue data requests, requirements they should follow, and the ISP procedure for processing government demands. The guidelines mention norms that include communications content and metadata. 

Both companies also explicitly commit to requiring a judicial order before handing user data to government authorities. With transparent law enforcement guidelines, Claro and Movistar disclose more than vague statements that they may hand user data “to comply with legal requirements.” Those vague statements are all that Hiperderecho could find in Bitel and Entel policies.

Again, only Claro and Movistar publish transparency reports about government requests for user data. Telefónica (Movistar) has been publishing annual transparency reports since 2016. But the company only recently made the reports available on Movistar Peru’s website. In turn, Claro improved its practices since last edition and earned a full star for disclosing more  details about the requests received, like the requesting authorities and the reason for the request (for criminal or other matters, and the type of crime under investigation). Claro’s transparency report also shows the number of government requests for location data in real time as per Legislative Decree 1182, which requires subsequent judicial review, instead of a previous judicial order.

Hiperderecho’s report notes that in 2021 legislators expanded the cases in which authorities can access user data under LD 1182. Before the legislative change, authorities could access user data under LD 1182 only in cases where a crime was in the process of being committed. ("flagrante delicto" cases). Now they also cover preliminary investigations of a significant range of crimes, such as illegal mining and crimes against public administration. Shedding light on those requests is all the more important given their invasive nature and the lack of a previous judicial order requirement.

As for committing to notify users about data demands, Claro does so for labor, civil, and family cases—a key advance since the last report. However, both Claro and Movistar still refuse to notify users in criminal cases. Claro claims that the Prosecutor’s Office directs the investigation and therefore should determine the proper moment to notify. In turn, Movistar argues that Peru’s Criminal Procedure Code limits companies’ ability to notify. Hiperderecho holds a different understanding, defending user notification as a best practice companies should adopt. In any case, the report grants a partial score when companies publicly explain their practices relating to user notification, even if they explain the reason for not carrying it out.

Claro fell short, however, in the native language category, while Bitel almost received a full star. Bitel provides a service channel in Quechua, Aymara, Ashaninka and  Shipibo-conibo. In turn, Claro provides contracts and policies in Quechua. Movistar received the best score for having both service channels and contracts in native languages. 

Hiperderecho’s Peru ¿Quién Defiende Tus Datos? series of reports is part of a region-wide initiative, inspired by EFF’s Who Has Your Back project, aimed at encouraging companies to be more transparent and better protect user privacy to garner a competitive advantage in Latin America and Spain. Although companies with the largestmarket share, like Claro and Movistar in Peru, may have more resources to attain a leadership position, other ¿Quién Defiende Tus Datos? reports have shown that smaller operators can work to meet or even outperform the larger players. Peru’s Bitel and Entel should follow suit and do better next time.