Telefónica reports progress on privacy and free expression principles

On June 18, Telefónica published its 2013 Sustainability Report, which uses broad brush strokes to depict the company’s efforts to respect privacy, free expression, and other human rights, as well as social and environmental concerns, but fails to include many details.

Based in Spain, with mobile operations in 24 countries serving 323 million customers worldwide under the brands Movistar, Vivo, and O2, Telefonica exerts great influence on human rights across several continents.

While sustainability reports can often be glossy guides simply meant to praise a corporation and appease its investors, this year marks the first time Telefonica and its peers have addressed the Telecommunications Industry Dialogue’s Guiding Principles (IDGPs) in their reports. The IDGPs are a set of indicators that could shed light on a telco’s approach to privacy and freedom of expression risks. They were launched on March 2013 by the Telecommunications Industry Dialogue on Freedom of Expression and Privacy, a group of 9 international operators and vendors seeking to jointly address digital rights.

Despite this strong basis, the reports leave room for improvement. Access believes that, with fuller policy information, more on-the-ground evidence, and thorough third-party verification, Telefonica and other Industry Dialogue members could make their IDGP reports into useful, one-stop information sources for users everywhere.

Industry Dialogue

Given Telefonica’s impacts on user rights, Access supports the company’s decision to participate in the Telecommunications Industry Dialogue and report on the IDGPs. Influenced by the UN Guiding Principles on Business and Human Rights, the IDGPs focus on ways for corporations to push back against government requests that would restrict the human rights of users. Specifically, they cover corporate policies, due diligence and impact assessments, staff training, governmental surveillance demands, and external reporting practices.

In general, the company maintained that it is in accordance with and implementing all the Guiding Principles – claims that are ‘assured’ by Telefónica’s auditing firm Ernst & Young (though the extent of the auditor’s insight into the human rights risks particular to the telecom sector is not clear). However, there is no explanation or more detailed information about the rules and processes adopted by the company to comply, even on such important topics as surveillance and government requests for user data.

While acknowledgement and 3rd party assessment of human rights impacts are important steps, this inaugural report was short on detail. Access has several recommendations for how Telefonica could make their report stronger in the 2014 reporting cycle.

Recommendation #1: Reporting on privacy

According to the Sustainability Report, Telefónica has appointed a Chief Privacy Officer, who heads the implementation and monitoring of the Privacy Policy (approved by the Board in March 2013) and is supported by local Data Protection Officers.

Principle 1 of the ID Guiding Principles speaks to the need for policies respecting privacy and free expression. With regard to Telefonica’s Privacy Policy, the report only mentions the three pillars on which its policy was built: a) self-regulation, which goes “beyond” international and local laws; b) trust in Telefonica and its reputation; and c) “privacy as a key element to promote innovation, welfare and prosperity in the digital world.”

While a summary like this can be helpful, Telefónica’s report must offer more details from its Privacy Policy. For example, from the report it is impossible to know if Telefónica’s customers are notified in cases of data breach, exposure, or other data sharing that users didn’t consent to. Also, the report does not clarify what types of information Telefónica collected from its users (including potentially cell site and location data, phone call records, billing information, data and SMS records, address book, and contact lists), for how long the data are retained, and for what purposes. Access calls on the company to answer these questions, and link to its full Privacy Policy in the sustainability report.

Recommendation #2: Reporting on surveillance and due diligence

With regard to receiving and handling government requests (IDGP Principle 4), Telefonica did not provide any information on any procedures that might affect the privacy of their customers. For instance, they didn’t say whether they insist on individualized, written warrants or court orders from authorities before handing over user data, or whether governments may have direct access to their networks. As we can see from Vodafone’s Transparency Report, the provision of such information helps users and civil society assess the extent to which governments abuse telecommunications networks to violate user privacy and other rights.

There is no information on whether the company takes steps to limit or monitor the sale or transfer of surveillance technology, services or infrastructure. Also, there is no information on whether the company is applying such policies to its business relationships.

Under Principle 2, Industry Dialogue companies commit to conduct regular human rights impacts assessments and develop due diligence processes. In 2012, Telefónica contracted BSR to review its human rights risks and opportunities. This year, the telco “performed an assessment of all our operations to evaluate the overall impact of our activity.” According to the company “the assessment has let us define a formal process for proactive handling of risks and taking opportunities, as well as involving our principal stakeholders.” However, the company didn’t clarify either the result of such assessment nor how this “formal process” will handle risks. Without public disclosure of the assessment’s findings or Telefónica’s implementation, the sector does not benefit from any ‘lessons learned’ from the BSR review or the company’s new processes.

Telefónica and human rights

Based on our research, Telefónica takes an active and public stance on several issues that impact the rights of users.

For example, the company recently played a high-profile role in European public policy initiatives affecting human rights, including in the ongoing telecoms reform debate which includes provisions on net neutrality. Speaking at several public events, including a March 4 dinner, and a June 25 conference, Telefónica advised policymakers to shift to a less binding view on net neutrality, in order to enable ISPs to explore new “customized services” for users.

While the telco giant agrees that anti-competitive measures such as blocking and throttling of content should be banned, Telefónica strongly advocates the development of so-called “specialised services.” However, if broadly defined, such pay-to-play services could lead to the creation of a two-tiered internet where some online services that pay ISPs could benefit from fast lane treatment while others services are left in the slow lane. Either by charging users to access certain websites or allowing websites to pay to reach users faster than their competitors, telcos could prioritise content making profit from building out these fast lanes instead of investing in general broadband infrastructure, thus reducing the long-term quality of the open internet.

In addition, since 2012 Telefónica has been called out for violating the privacy of its users through Telefónica Dynamic Insights, a part of the Telefónica Digital umbrella, which has offered for sale the data of millions of its users and contracted with a big data analytics firm.

The policies underlying these actions affecting users should be open to assessment, and reviewed under the IDGPs and UNGPs, in consultation with civil society, to better align with human rights norms.

Still to Come: More reports to complete the puzzle

Currently, the Guiding Principles have the backing of manufacturers and operators like Alcatel-Lucent, AT&T, Millicom, Nokia Solutions and Networks, Orange, Telefónica, Telenor Group, TeliaSonera, and Vodafone. Participating companies are demonstrating their progress on the Guiding Principles as part of their annual sustainability reporting or in special sections of their Annual Reports for investors.

Access will continue to review those reports and identify areas to strengthen next year’s reporting cycle and meet the needs of users and investors hungry for data about how human rights are respected by the world’s largest telecom companies.