Tunisian ISPs violate customers’ privacy

Read in Arabic here.

Internet service providers in Tunisia fail to protect customers’ privacy, retaining and sharing personal data with third parties without their prior knowledge or explicit consent, finds ImpACT International for Human Rights Policies and Access Now.

The joint study, titled Privacy Violated, found that seven of the country’s main internet service providers (ISPs) — Tunisie Telecom, Ooredoo, TOPNET, Orange Tunisia, GlobalNet, HexaByte Tunisia and BEE — violate basic principles of customer data protection. The main findings include:

  • Only one company, Orange Tunisia, purports to comply with all requirements laid out in Article 4 of the Organic Law No. 2004-63. However, in practice, the company has failed to do so.
  • Three companies — GlobalNet, BEE, and HexaByte Tunisie — do not publish a privacy policy on their websites, and therefore cannot be considered in compliance in any respect with the requirements for customer protection. 
  • Tunisie Telecom does not make an explicit privacy policy available on its official website and only includes terms and conditions for the use of the service.

“Internet users in Tunisia are at significant risk of identity theft or other abuse of their personal information,” said Maha Hussaini, Executive Manager at ImpACT International. “The Tunisian report, Privacy Violated, is the latest in a series of studies focusing on ISPs across the Middle East and North Africa — all evaluating the extent to which customers’ right to privacy is protected.” 

Until recently, Orange Tunisia was the only ISP that complied with the requirements of Organic Law No. 2004-63, which governs the protection of personal data and provides a clear statement of the company’s responsibility for securing and protecting customers’ personal information. As the new study documents, however, the law too often is treated as mere ink on paper, without commitment to implementation. Orange Tunisia broke its record of compliance in August, 2018, when it  recklessly discarded  approximately 1,500 copies of customer ID cards and passports onto the streets

“To date, Orange Tunisia has not taken any legal action to remedy its data breach, nor has it provided a clear justification or explanation of the incident, despite a letter sent by Access Now to their legal department,” said Dima Samaro, MENA Policy Associate at Access Now. “Perhaps the largest roadblock to ISPs’ compliance with the right to privacy is simply that the current law (2004) can be described as desuetude, and does not provide any adequate guarantees for consumers. There is little right to compensation for those who have been victims of data breaches, including the sale or transfer of it abroad, and between countries, which gives these companies a large and wide space to use loose phrasing within their privacy policy, and no clear policy on their official websites.”

“Clearly, Organic Law No. 2004-63 is no longer sufficient to protect personal data in an environment marked by ever-evolving technology,” said Maha Hussaini

ImpACT International for Human Rights Policies and Access Now call on the Tunisian government to adopt a new law that raises the profile of human rights in Tunisia, and ensure the Council of Europe’s Convention No. 108 on data protection — to which Tunisia is a  2007 signatory — is fully and effectively implemented. Existing domestic data-protection laws must be revised to adhere to best practices outlined in the convention.

The groups’ study also found that ISPs in Tunisia collect personal data for EU customers, and therefore must comply with the General Data Protection Regulation (GDPR).

Read the full report.