Study finds telecom firms’ privacy, data protection policies inadequate
ISLAMABAD: The privacy policies of telecommunications providers in Pakistan are inconsistent, lack adequate oversight and updates and are not always readily available to the public, research has found.
The Digital Rights Foundation (DRF) on Friday released a report on ‘Telecoms Privacy and Data Protection Policies in Pakistan’, in which the NGO studied the country’s major telecommunications companies: Mobilink, Telenor Pakistan, Ufone, Warid and Zong, and found that their privacy policies have not met privacy and customers’ data protection standards.
The study found that none of the available privacy policies indicated an awareness of the provisions of the Prevention of Electronic Crimes Act (PECA) passed earlier this year.
The report stated: “Where provisions in the policies indicated that customers could contact the companies concerning possible privacy breaches, there were again inconsistencies, with Mobilink, for example, being unable to provide a privacy breach form on its website, despite stating so only a few paragraphs earlier.”
‘Policies and their public availability are inconsistent, lack oversight and updates’
DRF also noted instances where a telecommunications provider’s parent company had clear privacy policies and safeguards “in the event of requests made by government or non-government entities” while their Pakistani subsidiaries had only generic privacy policies “if at all”.
The study noted the case of Telenor Pakistan, which lacked clear and detailed privacy policies for dealing with cellular telecommunications data while its parent company the Telenor Group had detailed measures in this regard.
The study also found that while other companies did have some policies “gathered or compiled in one location or webpage”, Zong did not have “clearly defined or easy to find” privacy policies.
According to the study’s main findings, published on the DRF website, the closest Zong came to a privacy policy was “a section of the company’s Code of Commercial Conduct section, which listed the laws of Pakistan that Zong and its parent, China Mobile Pakistan, must adhere to”.
The study also stated that telecommunication companies must not only develop in-depth privacy policies, but should also make them “readily and widely available to citizens that may not speak English” but speak Urdu, Punjabi or other regional languages widely spoken in the country.
Research methodology
“It took six months to complete the study, as Pakistan’s cellular companies were not at all ready to cooperate despite a number of attempts and appointments sought with them,” DRF Executive Director Nighat Dad told Dawn.
According to the report, a series of questions were to be given to officials at each telecommunications company responsible for the creation and development of each privacy policy.
There were two batches of questions; the first was to be given to the officials, which covered whether the company had a privacy policy that was easily accessible to customers and the public, what safeguards were in place to protect customer data, what were the standard operating procedures and framework for local or foreign government requests for user data and the ramifications for the company after the passing of the Prevention of Electronic Crimes Act.
The report stated that there was to be a series of follow-up questions after the initial set, which “never came to pass”. “Despite numerous attempts to either make initial or follow-up contact with the major cellular telecoms companies in Pakistan, we were left with a total lack of responses...even in cases where companies we reached out to had initially agreed to get back to us with answers.”
“In the first step, we tried to search the companies’ websites and tried to contact them. The policies were not mentioned on the websites, and companies could not be contacted through their websites – whenever we tried to send complaints, we received messages saying ‘that link is not available’,” Ms Dad said.
“In the second step we tried to reach out to cellular companies’ representatives, who deal with the policies, but they did not meet with us or respond to us. After that, we had no choice but to form a report based on the information available on their websites.”
Scorecard
The report also included a scorecard that rated the privacy and data protection policies of the aforementioned companies, and ranked them according to the language of the policies, ease of understanding and accessibility, clarity concerning what data is collected and how it is it stored, the purpose of storing the data and the circumstances under which it is shared with third parties.
The report’s summary stated that Mobilink and Warid’s privacy and data protection policies were “good, with room for improvement”, Ufone’s need improvement and Telenor and Zong’s are “concerning”.
Published in Dawn December 31st, 2016