A new addition to the Index, Ooredoo received the lowest score of any company evaluated this year. The political and regulatory environment in Qatar is not conducive to companies making public commitments to human rights, including to freedom of expression and privacy. Ooredoo is majority owned by the government. According to Amnesty International, freedom of expression is “strictly controlled” in Qatar. Under its cybercrime law users may be punished for posting or sharing online content that violates Qatar’s “social values.” However, Ooredoo could still significantly improve its public disclosures even within such constraints. The company could clearly disclose its privacy policies and provide basic information about its security practices, including how it handles data breaches. Qatar passed its first comprehensive data privacy law in 2016, which requires companies to take steps that “protect personal data from loss, damage, modification, disclosure or being illegally accessed” and notify the government and users in the event of a data breach.
Ooredoo Q.S.C. provides telecommunications services such as mobile, broadband, and fiber in Qatar and 11 other countries in the Middle East, North Africa, and Asia. Formerly known as Qatar Telecom (Qtel), the company changed its name in 2013. It also provides services including satellite and data center solutions.
Ooredoo performed poorly in the Governance category, receiving the lowest score of all telecommunications companies and second-lowest score in the entire Index. Ooredoo offered no public commitment to freedom of expression and privacy as human rights (G1), nor did it disclose having senior-level oversight over these issues (G2). Although it disclosed a whistleblower policy, the policy did not mention if it covers freedom of expression or privacy issues (G3). The company also offered no evidence that it has any human rights due diligence processes in place (G4), or if it engaged with stakeholders on freedom of expression or privacy issues (G5). Ooredoo Qatar provided some disclosure of how customers may submit complaints, but there was no additional information about its processes for receiving and responding to such grievances (G6).
Ooredoo performed poorly in the Freedom of Expression category, receiving the third-lowest score among telecommunications companies, and scoring just slightly better than MTN, Axiata, and Bharti Airtel.
Content and account restriction requests: Ooredoo, like most of its peers, received no credit on these indicators (F5-F7). It provided no information about its process for responding to government or private requests to block content or restrict users’ accounts (F5), nor did it supply any data about the number of government or private requests to restrict content or accounts that it receives or complies with (F6, F7), although there is no apparent legal barrier to supplying this information. The lack of disclosure is likely a result of Ooredoo being majority state owned as well as from a general lack of transparency in the Qatari legal environment.
Network management and shutdowns: Ooredoo did not disclose any information about its network management policies (F9). The company provided vague disclosure on why it may shut down service to an area or particular group of users, but did not disclose any other information on its processes related to government requests for network shutdowns (F10).
Identity policy: Ooredoo Qatar disclosed that it requires pre-paid mobile users to provide government-issued identification (F11), although it is unclear if this is required by law.
Ooredoo received the lowest score among telecommunications companies in the Privacy category, and was the only company evaluated in the Index to receive no credit for any privacy indicator.
Requests for user information: Ooredoo, Etisalat, and Axiata were the only three telecommunications companies to receive no credit across these indicators (P10-P12). Ooredoo did not disclose any information about its process for responding to government or private third party requests for user information (P10) including whether it notifies users when such parties request their information (P12). The company also did not publish any data about the number of requests it receives for user information (P11).
Security: Ooredoo was the only company in the entire Index to provide no disclosure across this set of indicators (P13-P18). It did not disclose whether it has systems in place to monitor or limit employee access to user information (P13), nor did it provide any information about its processes for addressing security vulnerabilities or for handling data breaches (P14, P15).