Key findings
- Ooredoo was the lowest scoring telecommunications company in the Index, disclosing almost nothing about policies and practices affecting freedom of expression and privacy.
- The company failed to disclose sufficient information about its policies affecting users’ freedom of expression, including its processes for blocking content or responding to government demands to shut down networks.
- It did not publish a privacy policy, making it impossible for users to understand what the company does with their information, including what it collects, shares, and why.
Analysis
Ooredoo received the lowest score of all telecommunications companies, disclosing less about policies and practices affecting users’ freedom of expression and privacy than any of its peers, including Etisalat, the UAE-based telecommunications company. Ooredoo, which is majority owned by the government of Qatar, was one of four companies in the Index to make no improvements in the 2018 Index. While the political and regulatory environment in Qatar discourages companies from making public commitments to human rights, the company could still be more transparent about basic policies affecting freedom of expression and privacy in a number of areas. For instance, it could make its privacy policies publicly available to users. It could also provide information about what steps it takes to keep user information secure, as there are no legal obstacles preventing the company from doing so. In 2016, Qatar passed its first comprehensive data privacy law requiring companies to notify the regulators and users in the event of a data breach, but the company does not disclose this information.
- Publish privacy policies. Ooredoo should clearly disclose its privacy policies and ensure these policies are both easy to find and to understand.
- Clarify content and access restrictions. Ooredoo should be more transparent about its process for handling government and private requests to block content or restrict user accounts, and for handling government requests to shut down networks.
- Improve redress. The company should improve its grievance mechanisms by disclosing that its process for receiving complaints includes complaints related to freedom of expression and privacy, and providing clear remedies for these types of complaints.
Ooredoo Q.S.C. provides telecommunications services such as mobile, broadband, and fiber in Qatar and 11 other countries in the Middle East, North Africa, and Asia.
Governance
Ooredoo performed poorly in the Governance category, receiving the lowest score of all telecommunications companies. It did not make a public commitment to respect freedom of expression and privacy as human rights (G1), nor did it disclose having senior-level oversight over these issues within the company (G2). Although it disclosed a whistleblower policy, it did not mention if this policy pertains to freedom of expression or privacy issues (G3). It offered no evidence that it has any human rights due diligence processes in place (G4), or if it engages with stakeholders on freedom of expression or privacy issues (G5). Ooredoo disclosed some information about a grievance mechanism through which customers may submit complaints, but there was no additional information about its processes for receiving and responding to such grievances (G6).
Freedom of expression
Ooredoo disclosed little about policies affecting freedom of expression, receiving the third-lowest score among telecommunications companies, ahead of MTN, Axiata, and Bharti Airtel.
Content and account restriction requests: Ooredoo, like most of its peers, provided no information about its process for responding to government or private requests to block content or restrict users’ accounts (F5), nor did it supply any data about the number of government or private requests to restrict content or accounts that it receives or complies with (F6, F7). There is no apparent legal barrier to supplying this information. The lack of disclosure is likely a result of Ooredoo being majority state-owned as well as from a general lack of transparency in the Qatari legal environment. Telecommunications companies in Qatar are legally required to comply with all judicial orders to block content, though there is no law prohibiting Ooredoo from disclosing its processes for handling or compliance rates with either government or private content-blocking requests.
Network management and shutdowns: Ooredoo Qatar did not disclose any information about its network management policies (F9). Like most telecommunications companies, it disclosed little about its processes for handling government requests to shut down its networks (F10).
Identity policy: Ooredoo Qatar disclosed that it requires pre-paid mobile users to provide government-issued identification (F11), although it is unclear if this is required by law.
Privacy
Ooredoo received the lowest privacy score of all telecommunications companies evaluated, as the company did not publish a privacy policy for pre- or post-paid mobile, or for fixed-line broadband services.
Handling of user information: Ooredoo Qatar was the only company in the entire Index to disclose nothing about what user information it collects, shares, retains, and its reasons for doing so (P3-P8). The company did not publish a privacy policy for the services evaluated.
Requests for user information: Ooredoo provided no information about how it handles government or private requests for user information, making it one of three companies, along with Etisalat and Axiata, that received no credit on these indicators (P10, P11, P12). It provided no information about its process for responding to these types of requests (P10), or whether it notifies users when their information is requested (P12). The company also did not publish any data on the number of requests it received for user information (P11). The lack of disclosure is likely a result of Ooredoo being majority state-owned as well as from a general lack of transparency in the Qatari legal environment. Still, there is no law specifically prohibiting Ooredoo from disclosing its policies for responding to user information requests that come through private processes.
Security: Ooredoo Qatar was the only company in the entire Index to disclose nothing about its policies and processes for keeping users’ information secure (P13-P18). It did not disclose whether it has systems in place to monitor or limit employee access to user information (P13), nor did it provide any information about its processes for addressing security vulnerabilities or for handling data breaches (P14, P15).