Key findings
- MTN disclosed less about policies and practices affecting freedom of expression and privacy than most of its peers.
- While it completed its first human rights impact assessment evaluating risks to users’ freedom of expression and privacy, MTN still lacked transparency about key policies affecting these rights, including how it handles government requests to shut down networks and to hand over user information.
- MTN disclosed almost nothing about how it handles user information, including what it collects, shares, and for what purpose, as well as what steps it takes to keep user information secure.
Analysis
MTN ranked sixth out of the 10 telecommunications companies evaluated, disclosing little about policies and practices affecting freedom of expression and privacy. In 2017, the company conducted its first human rights impact assessment evaluating freedom of expression and privacy risks associated with its products and services, resulting in an improved governance score in the 2018 Index. However, MTN’s privacy score declined due to less clear disclosure of how it responds to government requests for user information. While South African law prevents MTN South Africa from disclosing information about government requests for user information, MTN at the group level could still be much more transparent about many of its policies and practices that affect users’ freedom of expression and privacy.
- Be more transparent about external requests affecting user rights. MTN should disclose information about government and private requests to restrict content or accounts, and about private requests for user information.
- Improve disclosure about network shutdowns. MTN should disclose more information about how the company handles government network shutdowns, including making a clear commitment to push back against these types of requests.
- Do more to protect privacy and security. MTN should be more transparent about how it handles user information, including how it keeps user information secure.
MTN Group Limited is a telecommunications company that serves markets in 24 countries in Africa and the Middle East. It offers voice and data services, and business services, such as cloud, infrastructure, network, software, and enterprise mobility.
Governance
MTN received the fifth-best governance score among telecommunications companies. It improved its governance score in the 2018 Index by disclosing it conducted human rights due diligence on its products and services (G4). The company disclosed an explicit commitment to freedom of expression and privacy as human rights (G1), and evidence of senior leadership oversight within the company on these issues (G2). However, the company fell short on other governance indicators: it disclosed a whistleblower program, but only for reporting cases of corruption and fraud (G3). Likewise, it lacked clear disclosure of whether it engages with stakeholders representing people whose freedom of expression and privacy are directly impacted by the company’s business (G5), or of a grievance and remedy mechanism allowing users to voice freedom of expression and privacy complaints (G6).
G4. Impact assessment
The company improved its G4 score by disclosing it conducted its first human rights impact assessment.
Freedom of expression
MTN tied with Axiata for the second-lowest score of all telecommunications companies in the Freedom of Expression category, ahead of only Bharti Airtel.
Content and account restriction requests: MTN was one of six telecommunications companies to disclose nothing about its process for handling government and private requests to block content or restrict user accounts (F5-F7). South African law does not prevent companies from disclosing information about how they handle these requests, nor does it prohibit them from publishing this data.
Network management and shutdowns: MTN South Africa disclosed little about its network management and shutdown policies, on par with Airtel India and América Móvil’s Telcel (F9). The company disclosed a program enabling users to access Facebook without it counting towards their data cap, a practice known as “zero rating,” but disclosed no additional information about its network management practices (F9). MTN committed to notify users about network service disruptions when it is “safe and legal” to do so, and provided an example of when it pushed back against a network shutdown request, though it fell short of making a clear and unequivocal commitment to push back against all such requests (F10).
Identity policy: MTN South Africa did not disclose if it requires pre-paid mobile users to register their SIM card with the company using their government-issued identification. All mobile phone users in South Africa are legally required to do so (F11).
Privacy
MTN ranked eighth out of the 10 telecommunications companies in the Privacy category, ahead of only Etisalat and Ooredoo.
Handling of user information: MTN South Africa disclosed less than most of its peers about its handling of user information (P3-P8). It provided only minimal information about what types of user information it collects and why (P3, P5), and no information about what information it shares (P4), or for how long it retains user information (P6). It also did not disclose any options for users to control what information the company collects and uses (P7), or options for users to obtain all of the information the company holds on them (P8).
Requests for user information: Like most telecommunications companies, MTN provided almost no information about how it handles government and private requests for user information (P10-P11). While the company previously provided information on how it carries out due diligence on government and private requests, researchers were unable to locate such information in current company disclosure. Companies in South Africa are prohibited from publishing information about government requests for user information, including the fact that a request was made, but nothing prevents them from fully disclosing how they handle private requests and the number of these requests they receive and comply with.
Security: MTN South Africa disclosed minimal information about its security policies, performing better than only Etisalat UAE and Ooredoo Qatar on these indicators (P13-P18). However, it was one of only two telecommunications companies (along with AT&T) to offer any disclosure on its processes for addressing security vulnerabilities (P14). Like most of its peers, MTN South Africa provided no information about its policies for responding in the event of a data breach (P15).
P10. Process for responding to third-party requests for user information
In the 2017 Index, MTN earned some credit on P10 for information included in its 2013 Social and Ethics report explaining the company’s process for carrying out due diligence on government and private requests for user data. That same information is not included in the 2016 Social and Ethics report, hence the company lost credit in the 2018 Index.