Samsung ranked ninth out of the 12 internet and mobile companies evaluated and placed 13th in the Index overall. Samsung is new to the Index, and its evaluation is based on its Galaxy mobile ecosystem, which along with Apple’s iOS and Google’s Android rounded out the new mobile ecosystem service category. Of the three mobile ecosystems evaluated, Samsung provided the least amount of disclosure to users about how its policies affect their freedom of expression and privacy.
While South Korea has one of the strongest data protection regimes in the world, Samsung could do more to explain how it adheres to privacy-protecting regulations, as there are no legislative or regulatory barriers preventing Samsung from doing so. The company can clarify its process for policing third-party apps on the Galaxy Apps store, and include such figures in a company-wide transparency report that also provides information about government and other third-party requests for user information.
Samsung Electronics Co. Ltd. sells a range of consumer electronics, home appliances, and information technology solutions worldwide. Its products include televisions, mobile phones, network equipment, and audio and video equipment. Its parent company, Samsung Group, is South Korea’s largest public company.
Samsung ranked 12th in the Governance category of all 22 companies in the Index, placing behind Twitter but ahead of Apple. The company made a strong public commitment to human rights (G1), but did not disclose senior-level oversight over freedom of expression and privacy issues within the company (G2). It did disclose that it has a unit in charge of employee training on protecting personal information (G3). However, researchers were unable to find meaningful disclosure about human rights due diligence (G4), stakeholder engagement (G5), or grievance and remedy mechanisms (G6).
Samsung ranked 10th out of the 12 internet and mobile companies on freedom of expression, ahead of only Tencent and Baidu.
Content or account restrictions: For both Galaxy users and app developers, Samsung clearly disclosed what types of content and activities are prohibited (F3), but failed to disclose any information about content or accounts restricted for terms of service violations (F4), nor did it disclose whether it notifies users who attempt to access content that has been restricted (F8).
Content and account restriction requests: Samsung disclosed no information about its process for handling government or private requests to restrict content or user accounts (F5), or about the number of such requests it receives and complies with (F6, F7).
Samsung received the third-lowest score among internet and mobile companies on privacy, ahead of only Mail.Ru and Baidu.
Handling of user information: Samsung disclosed less than most of the internet and mobile companies evaluated about its policies for handling user information. Korean law requires data processors such as Samsung to obtain consent from users when collecting and sharing user information; however, Samsung does not disclose whether users have control over the company’s collection, use, or retention of each type of user information it collects (P7). It failed to disclose whether users can obtain a copy of all the information that the company has about them (P8) or whether it collects user information from third parties (P9).
Requests for user information: Samsung disclosed no information about its process for responding to government or private requests for user information (P10), nor did it publish any data about such requests it receives or complies with (P11). It also did not disclose whether it notifies users when their information is requested (P12).
Security: Samsung disclosed little about its security policies compared to its peers (P13-P18). It did disclose a bug bounty program but fell short of committing to refrain from prosecuting security researchers. Samsung disclosed that it receives security updates from Google for its Android operating system but did not specify a timeframe for delivering updates to users (P14). It disclosed nothing about its policy for responding to data breaches (P15) or about the types of encryption that protect user information in storage on its servers, in transit, or at rest on user devices (P16). However, it did disclose ways users can protect their information from unauthorized access to their account (P17).