Key findings
- Etisalat was one of the lowest-scoring telecommunications companies in the Index, disclosing almost nothing about policies and practices affecting users' freedom of expression and privacy.
- The company failed to disclose even basic information about its privacy policies, including which policy applied to which service.
- While slightly improving its disclosure of its security policies, Etisalat disclosed almost nothing about policies affecting users’ privacy, including what user information it collects and shares and for what purpose, or how it handles government and private requests to hand over user information.
Analysis
Etisalat ranked ninth out of the 10 telecommunications companies, disclosing almost nothing about policies and practices affecting freedom of expression and privacy. Etisalat is a majority state-owned company, operating in a political and regulatory environment that restricts expression online. While companies in the UAE are discouraged from making public commitments to human rights, Etisalat could still be more transparent about basic policies affecting users’ freedom of expression and privacy. For instance, it could clarify which privacy policies apply to different services. It could also provide more information about its security policies, as there is no law prohibiting companies from disclosing their processes for responding to data breaches. Given that the company is majority state-owned and that the overall operating environment discourages transparency, it is unlikely Etisalat would disclose information about government requests to block content or to hand over user information. However, Etisalat could disclose its policies for responding to private requests.
- Improve privacy policy disclosure. The company should clarify which privacy policies apply to different services, and be more transparent about how it handles user information.
- Be transparent about private requests. The company should disclose its processes for responding to private requests to block content or accounts and to hand over user data, and regularly publish data about these requests.
- Improve redress. The company should improve its grievance mechanisms by disclosing that its process for receiving complaints includes complaints related to freedom of expression and privacy, and providing clear remedies for these types of complaints.
Etisalat Group operates telecommunications, fiber optics networks, and other services in the United Arab Emirates and across the Middle East, Africa, and Asia.
Governance
Etisalat performed poorly in the Governance category, scoring higher than only Axiata and Ooredoo. Etisalat provided no formal commitment to respect users’ freedom of expression and privacy as human rights (G1), and disclosed no senior-level oversight over these issues (G2). The company revealed no evidence of a human rights due diligence process (G4), or of engaging with stakeholders on freedom of expression or privacy issues (G5). It received some credit for disclosing a grievance and remedy mechanism, though the company did not explicitly state that this process includes complaints relating to free expression or privacy (G6).
Freedom of expression
Etisalat ranked sixth out of the 10 telecommunications companies evaluated in the Freedom of Expression category, ahead of Ooredoo, MTN, Axiata, and Bharti Airtel.
Content and account restriction requests: Like most telecommunications companies, Etisalat provided almost no information about how it handles government or private requests to block content or restrict accounts (F5-F7). Likewise, Etisalat did not publish any data on the number of such requests it received or with which it complied (F6, F7). While it is a criminal offense to not comply with government blocking orders, there is no law prohibiting Etisalat from disclosing its processes for handling or compliance rates with either government or private content-blocking requests.
Network management and shutdowns: Etisalat UAE was among the lowest-scoring companies on these indicators, though it offered slightly more disclosure than Ooredoo Qatar (F9-F10). The company failed to disclose any information about its network management policies (F9) and disclosed almost nothing about its policies for responding to government orders to shut down networks (F10).
Identity policy: Etisalat UAE disclosed that it requires pre-paid mobile service users to provide government-issued identification (F11), as it is mandated for all mobile phone service subscribers in the UAE.
Privacy
Etisalat received the second-lowest privacy score of all telecommunications companies evaluated, disclosing slightly more than Qatar-based telecommunications operator Ooredoo.
Handling of user information: Etisalat UAE disclosed almost nothing about how it handles user information, scoring better than only Ooredoo Qatar on these indicators (P3-P8). The company’s privacy policy referred only to the Etisalat UAE website and online services with no indication of whether this policy applies to mobile or fixed-line broadband services. It therefore received no credit on indicators addressing company disclosure of what types of user information it collects, for what purpose, and for how long it retains it (P3, P5, P6). The company did not disclose options users have to control what information it collects and shares about them (P7). The company did, however, disclose that it shares user information with authorities if legally required and in cases of national security (P4).
Requests for user information: Etisalat provided no information about how it handles government or private requests for user information, making it one of three companies, along with Ooredoo and Axiata, that received no credit on these indicators (P10, P11, P12). It provided no information about its process for responding to these types of requests (P10), or whether it notifies users when their information is requested (P12). The company also did not publish any data on the number of requests it received for user information (P11). However, Etisalat’s operating license requires it to install equipment allowing authorities to access the network, so the company may not be aware when government authorities access user information. Still, there is no law specifically prohibiting Etisalat from disclosing its policy for responding to user information requests that come through private processes.
Security: Etisalat UAE disclosed almost nothing about its security policies and practices, scoring better than only Ooredoo Qatar on these indicators (P13-P18). It disclosed that it limits employee access to user data and has security teams monitoring for cybersecurity threats and data breaches. However, the company provided no additional information regarding its internal processes for ensuring that user data is secure, including whether it conducts security audits (P13). It disclosed nothing about policies for addressing security vulnerabilities (P14) or for responding to data breaches (P15). There are no apparent legal obstacles to disclosing this information.
P13. Security oversight
Etisalat improved its disclosure of its internal security oversight processes by clarifying it has a security team actively monitoring privacy and security threats.