Chile’s internet service providers (ISPs) have over the last five years improved transparency about how they protect their users’ data, thanks in large part to Latin American digital rights group Derechos Digitales shining a light on their practices through annual ¿Quien Defiende Tus Datos? (Who Defends Your Data?) reports.
Better transparency about when and how ISPs turn data over to the government is a win for Chile’s mobile and internet users, but increased state surveillance demands an even greater commitment to privacy. In Derechos Digitales’ new 2022 ¿Quien Defiende Tus Datos? report,, Chile’s six top telecom providers are assessed against new, tougher criteria that look at their practices amid increased concerns over state surveillance related to social protests in 2019 and the COVID 19 pandemic.
There’s plenty of good news in the report. Even with stricter criteria, Claro, WOM, and VTR received higher scores compared to last year, with Claro earning full credit in all categories and WOM earning full credit in three out of five categories. Another highlight: all companies evaluated received at least partial credit in all categories except for user notification—an improvement over 2021 results. Nonetheless, user notification remains a challenging category. Entel, GDT Manquehue, Movistar and VTR failed to take concrete steps to enable a notification system to their users. While many of them reserve the possibility or right to notify users in their policies, they didn’t take more concrete actions or commitments in that direction. As such, Derechos Digitales didn’t give them credit in that category.
Companies Must Do More With State Surveillance On the Rise
Chile’s telecom companies have met many of the challenges imposed by ¿Quien Defiende Tus Datos? annual assessments, which started in 2017, and implemented best practices in most categories covered by the reports. Certain transparency practices that once seemed unusual in Latin America have become the default among ISPs in Chile. For example, both transparency reports and law enforcement guidelines have become an industry norm among Chile’s main ISPs.
But companies need to be doing more to protect user data. The new criteria raises the bar on best practices, taking into account new privacy challenges and the incredibly magnified role digital technologies play in our lives compared to 1999, when Chile enacted its existing data protection law (Law No 19,628 of 1999). Transparency and data privacy protections must go beyond what was required 23 years ago.
Derechos Digitales set out to raise the standard of evaluations conducted in 2021. In this fifth edition, the report sought to answer the following questions:
New in this category are requirements that ISPs disclose instances where third parties process user data and which protection measures they adopt in such cases. New requirements also check if companies detail how they use and store user data, including if it is shared or processed abroad. Finally, companies must commit to notify users about changes in their policies and make previous versions available to the public. Claro received full credit in this category, and the other five ISP’s received 75 percent credit.
- Do companies have an updated transparency report that provides quality information?
To receive a full star, ISPs’ transparency reports must include more information than previously required, breaking down requests originating from court orders, requests that refer to a particular individual, and massive requests that refer to an undetermined group of people (in general, asking for information about all cellular telephones connected to a given antenna during a given period of time), among other new criteria.
Claro and WOM received full stars for their transparency reports (available here and here, respectively). Claro’s reports stand out for providing greater detail on the reasons for rejected requests, broken down by interception and user information/metadata requests. In the first quarter of 2022, rejection in most interception cases occurred because of errors in the requests. As for other user information demands, over half of refusals happened because the police request failed to copy the prosecutor in charge of the investigation, while in 19% of cases, requests came without a judicial order.
Claro, VTR, and WOM transparency reports also included information about requests seeking data about a large number of undetermined users, such as those whose mobile phones randomly connected to a cell tower. VTR reported receiving no requests of this nature between July 2021 and June 2022. Claro reported only one request during the first quarter of 2022. In turn, WOM reported receiving 429 cell tower data requests during 2021. Although the time periods differ, the discrepancy in numbers is striking. Additional data could help users understand the variation, considering that often law enforcement authorities don’t pick just one ISP to send cell tower data requests, but reach out to all relevant telcos with towers in a given geographical area of interest.
- Do ISPs notify their users about requests for access to their personal information by the authority or, at least, have made concrete efforts to do so?
To earn credit this year, companies must set up a notification procedure or make concrete and verifiable efforts to put them in place.
WOM was the only ISP to earn credit (75 percent) in this category besides Claro, which received full credit. WOM disclosed a statement about its efforts in 2019 and 2020 to work with authorities to establish a user notification mechanism in criminal cases (the efforts were included in the 2020 report so they didn’t count in the new report). New in the 2021 report is WOM’s commitment to notify users, as of January, about information requests in civil, labor, and family cases. Claro was the first ISP to abide by this commitment, which EFF highlighted in Chile’s 2019 report.
Derechos Digitales’ report notes Claro’s efforts in 2019, 2020, and 2022 advocating for user notification, including carrying out actions both in Congress and before the Public Prosecutor’s Office demonstrating its concern for finding a way to put in place a notification procedure that adheres to the notice right enshrined in Article 224 of the Code of Criminal Procedure. A particular highlight: in May, Claro urged the Public Prosecutor’s Office to again consider notifying people subject to interception or personal data requests, emphasizing that the possibility of implementing a pilot plan has been raised to the Prosecutor’s Office.
- Do ISPs have a public guide about law enforcement requests for user data that specifies the procedure, requirements, and legal obligations that must be fulfilled?
Companies now must make explicit the obligation to notify users affected by an intrusive investigative measure, according to Article 224 of Chile’s Criminal Procedure Code. ISPs must also state that requests for user data involving sensitive information, like location data, must refer to specific individuals and have a previous judicial order. If requests relate to the development of public policies, ISPs must commit to hand over only anonymized and aggregate data to the competent authority. Claro and WOM received full credit in this category; the other four ISPs received 75 percent credit.
- Have ISPs actively defended privacy and protected users’ data, either publicly, in judicial or administrative proceedings, or in a legislative discussion in Congress?
Examples of opportunities in which companies could have spoken out include the progress of bills promoting public surveillance and expanding the conditions under which intrusive investigative measures could be taken, and state spying cases, such as the tapping of Chilean journalist Mauricio Weibel’s phone.
Claro stands out again in this category. The report notes that Claro reached out to Chile’s Senator Jorge Pizarro, expressing concern about a bill to modify Chile’s data protection law. Specifically, Claro expressed concern about information requests from public bodies and suggested that standards and controls for personal data protection that apply to companies should also apply to the State Administration. Further, it suggested establishing preventive controls and having compliance officers for each public service.
Claro, GTD Manquehue and WOM scored in this category for challenging massive user requests for user information from Subtel, Chile’s telecommunications regulatory agency. According to examples provided in the report, Subtel sought the information to carry out research related to the use of roaming services and conduct a satisfaction survey with broadband users. On the latter, the companies argued that the sample of users Subtel required for the survey failed to consider the principle of proportionality.
Categories: Electronic Frontier Foundation