Read in Arabic here.
Internet service providers in Tunisia fail to protect customers’ privacy, retaining and sharing personal data with third parties without their prior knowledge or explicit consent, finds ImpACT International for Human Rights Policies and Access Now.
The joint study, titled Privacy Violated, found that seven of the country’s main internet service providers (ISPs) — Tunisie Telecom, Ooredoo, TOPNET, Orange Tunisia, GlobalNet, HexaByte Tunisia and BEE — violate basic principles of customer data protection. The main findings include:
- Only one company, Orange Tunisia, purports to comply with all requirements laid out in Article 4 of the Organic Law No. 2004-63. However, in practice, the company has failed to do so.
“Internet users in Tunisia are at significant risk of identity theft or other abuse of their personal information,” said Maha Hussaini, Executive Manager at ImpACT International. “The Tunisian report, Privacy Violated, is the latest in a series of studies focusing on ISPs across the Middle East and North Africa — all evaluating the extent to which customers’ right to privacy is protected.”
Until recently, Orange Tunisia was the only ISP that complied with the requirements of Organic Law No. 2004-63, which governs the protection of personal data and provides a clear statement of the company’s responsibility for securing and protecting customers’ personal information. As the new study documents, however, the law too often is treated as mere ink on paper, without commitment to implementation. Orange Tunisia broke its record of compliance in August, 2018, when it recklessly discarded approximately 1,500 copies of customer ID cards and passports onto the streets.
“Clearly, Organic Law No. 2004-63 is no longer sufficient to protect personal data in an environment marked by ever-evolving technology,” said Maha Hussaini.
ImpACT International for Human Rights Policies and Access Now call on the Tunisian government to adopt a new law that raises the profile of human rights in Tunisia, and ensure the Council of Europe’s Convention No. 108 on data protection — to which Tunisia is a 2007 signatory — is fully and effectively implemented. Existing domestic data-protection laws must be revised to adhere to best practices outlined in the convention.
The groups’ study also found that ISPs in Tunisia collect personal data for EU customers, and therefore must comply with the General Data Protection Regulation (GDPR).
Read the full report.