Samsung Electronics Co. Ltd.
Key findings
- Samsung disclosed less than most internet and mobile ecosystem companies about policies affecting users’ freedom of expression and privacy.
- The company lacked transparency on how it polices content in its app store and about how it handles government demands for user data.
- The company improved its disclosure of options users have to control how their information is used for targeted advertising, but still lacked transparency about its handling of user information in key areas.
Analysis
Samsung ranked eighth out of the 12 internet and mobile ecosystem companies evaluated, disclosing less than most of its peers about policies affecting users’ freedom of expression and privacy. Despite some improvements in the 2018 Index, the company continued to lag behind Kakao, the other South Korean company evaluated. Samsung improved its disclosure of senior leadership oversight over how policies and practices may affect freedom of expression and privacy, and disclosed new information about its human rights impact assessments. It also improved its disclosure of options users have to control how their information is used for targeted advertising. While South Korea has one of the strongest data protection regimes in the world—for instance, it requires companies to obtain consent from users when collecting and sharing user information—Samsung still lacked clarity about these policies and practices in its public disclosure. Companies are also legally required to offer grievance mechanisms, but Samsung did not publicly disclose clear options for users to submit freedom of expression and privacy-related complaints.
- Provide avenues for redress. The company should provide comprehensive information about how users can file complaints if their freedom of expression or privacy rights are violated by company practices.
- Be transparent about external requests. The company should provide data on how many third party requests it received to restrict content and accounts, as well as requests received to hand over user information.
- Clarify what user data it collects and shares. Samsung should be more clear with users about what types of data it collects, shares, and for what purpose, and whether it combines user information across different services.
Samsung Electronics Co. Ltd. sells a range of consumer electronics, home appliances, and information technology solutions worldwide. It produces products including televisions, mobile phones, network equipment, and audio and video equipment.
Governance
Samsung ranked eighth among internet and mobile ecosystem companies in the Governance category, below Kakao and all U.S.-based internet and mobile ecosystem companies. The company clarified that members of its executive- and management-level teams oversee how its policies and practices may impact privacy (G2), and provided more insight into human rights impact assessments related to privacy risks (G4). However, the company did not disclose a commitment to engage with stakeholders on freedom of expression and privacy issues (G5) and lacked clear disclosure of how users can submit freedom of expression and privacy related grievances (G6).
G2. Governance and management oversight
The company improved its disclosure of whether senior leadership has oversight over freedom of expression and privacy issues within the company.
G4. Impact assessment
Samsung clarified that it conducts privacy risk assessments related to new products and activities.
Freedom of expression
Samsung disclosed little about its policies affecting users’ freedom of expression, ranking eighth out of 12 internet and mobile ecosystem companies in this category, on par with Russian internet company Mail.Ru.
Content or account restrictions: Samsung lacked transparency about its processes for policing content and activities that violate its own rules in its app store, but disclosed more than Apple and several other companies. For both Galaxy users and app developers, Samsung disclosed some information about why it may restrict content or accounts (F3), but disclosed no data about the volume or nature of content or accounts it restricted for violating these rules (F4). Samsung also failed to disclose whether it notifies users who attempt to access content that has been restricted (F8).
Content and account restriction requests: Samsung was one of two internet and mobile ecosystem companies, including Chinese company Baidu, that disclosed no information about its process for handling government or private requests to restrict content or user accounts (F5), or data about the number of such requests it received and with which it complied (F6, F7). There are no regulatory obstacles in South Korea preventing the company from disclosing this information. Notably, Kakao is far more transparent about these processes, demonstrating that increased disclosure of how the company handles these types of demands is possible.
Identity policy: Samsung disclosed that users and developers are required to submit a government-issued ID or phone number (F11).
Privacy
Samsung disclosed less about its policies affecting users’ privacy than most other internet and mobile ecosystem companies evaluated, other than Mail.Ru and Baidu.
Handling of user information: Samsung disclosed less than most other internet and mobile ecosystem companies about its policies for handling user information, scoring higher on these indicators than only Yandex, Baidu, and Mail.Ru (P3-P9). The company was less clear in the 2018 Index about whether it combines user information across different services (P5). While Samsung improved its disclosure of options users have to opt-out of targeted advertising, but this suggests that targeted advertising is on by default (P7). It also failed to disclose if it tracks users across third-party websites using cookies, widgets, or other types of tracking tools (P9).
Requests for user information: Samsung was one of three internet and mobile ecosystem companies, including Mail.Ru and Tencent, that disclosed no information about its process for responding to government or private requests for user information (P10). It did not publish any data about such requests it received or with which it complied (P11), and failed to disclose whether it notifies users when their information is requested (P12).
Security: Samsung disclosed little about its security policies compared to its peers (P13-P18). It disclosed a bug bounty program but, like most companies, fell short of committing to refrain from prosecuting security researchers (P14). It disclosed that it receives security updates from Google for its Android operating system, but did not specify a timeframe for delivering updates to users (P14). It disclosed nothing about its policy for responding to data breaches (P15), or about what types of encryption are in place to protect user information in transit or on Samsung devices (P16).
P2. Changes to privacy policies
Samsung improved its disclosure of policies for directly notifying users of changes to its privacy policies.
P5. Purpose for collecting and sharing user information
The company’s score declined due to a change in its privacy policy, which makes it less clear whether the company combines user information across different Samsung services.
P6. Retention of user information
The company improved its disclosure of how it handles user information after account termination.
P7. Users’ control over their own user information
Samsung improved its disclosure of options users have to opt out of targeted advertising.