Key findings
- Vodafone earned the top score among telecommunications companies, and disclosed more about policies and practices affecting freedom of expression than the rest of its peers.
- Vodafone was the only company out of all 22 companies evaluated in the Index to provide comprehensive information on the company’s response to data breaches.
- The company disclosed little regarding how users can control the company’s handling of their user information, and failed to make a commitment to turn off targeted advertising by default.
Analysis
Vodafone was the highest scoring company out of all 10 telecommunications companies evaluated. In addition to other improvements, the company strengthened its commitment to protecting users’ human rights by joining the Global Network Initiative (GNI) in March 2017. At the corporate level, Vodafone made strong commitments to protect freedom of expression and privacy as human rights, but there is room for improvement. The company should provide clear evidence that it responds to complaints from users who believe their rights to freedom of expression and privacy were violated by the company (G6). The company should also provide users with more options to control collection of their user information, and it should commit to turn off targeted advertising by default (P7). Notably, Vodafone was the only company out of all 22 companies evaluated in the Index to clearly disclose its process for handling data breaches (P15).
- Be transparent about government requests. Vodafone should better inform users about different third party requests it receives, including government requests to shut down a network, and disclose where laws may prevent the company from being fully transparent.
- Clarify its handling of user data. The company should be more clear about what user information it collects and shares, and for how long it retains this information.
- Make user privacy the default setting. The company should give users more options to control their own data and clearly commit to turn off targeted advertising by default.
Vodafone Group Plc provides telecommunications services in Europe, Asia, Middle East, and Africa. The company serves 516 million mobile, 17.9 million fixed broadband, and 13.8 million TV customers.
Governance
Vodafone was the highest-scoring telecommunications company in the Governance category. Vodafone publicly committed to respect freedom of expression and privacy as human rights (G1), and provided evidence of senior level oversight over these issues within the company (G2). Vodafone improved its disclosure of human rights impact assessments, but there continues to be room for improvement (G4). Company disclosure also improved in terms of stakeholder engagement due to Vodafone joining the GNI in March 2017 (G5). Vodafone tied with Bharti Airtel for the second highest score on disclosure of its grievance and remedy mechanisms (G6); however, gaps in disclosure remained. While Vodafone provided users with several options to submit complaints, including those related to freedom of expression and privacy, it offered no information about the number of complaints it received or any evidence that it is responding to them.
G4. Impact assessment
Vodafone disclosed that the company takes into consideration how laws affect freedom of expression when making decisions about what products and services it offers in different markets.
G5. Stakeholder engagement
The company improved its commitment to engage with stakeholders by joining the Global Network Initiative (GNI) in March 2017.
Freedom of expression
Vodafone was the highest-scoring telecommunications company in the Freedom of Expression category, outscoring AT&T by five percentage points and Telefónica by more than ten points.
Content and account restriction requests: Vodafone lagged behind AT&T for its disclosure of how it handles government and private requests to restrict content and accounts, but it was one of only four telecommunications companies to receive any credit on these indicators (F5-F7). While the company had notably strong disclosure of its process for handling government requests to remove or block content or restrict user accounts, it did not fully disclose how it handles such requests it receives through private processes (F5). It also disclosed no data about the number of government or private requests it received to restrict content or accounts (F6, F7).
Network management and shutdowns: Vodafone UK earned the highest score for its disclosure of network management policies, and it was the only company to receive full credit for clearly committing not to block or prioritize content (F9). Despite making improvements to its disclosure of network shutdowns, it did not disclose how many shutdown requests it received or with which it complied (F10). Under limited circumstances, UK law may prevent telecommunications operators from disclosing certain government requests to shut down a network. The company should clearly inform users about these restrictions.
Identity policy: Vodafone UK and AT&T were the only two telecommunications companies evaluated that did not disclose a requirement that users verify their identity with a government-issued ID for pre-paid mobile services (F11).
F8. User notification about content and account restriction
The company’s score declined for failing to disclose whether it notifies users who attempt to access content that it has been restricted.
F10. Network shutdown
Vodafone improved its disclosure of why it may restrict access to specific protocols or applications, as well as its process for responding to requests to shut down a network or restrict access to a service.
Privacy
In the Privacy category, Vodafone ranked second out of 10 telecommunications companies, behind AT&T and ahead of Telefónica.
Handling of user information: Vodafone UK disclosed more than most of its peers about how it handles user information, but less than AT&T (P3-P8). However, it still did not sufficiently disclose what user information it collects (P3), shares (P4), and why (P5). It disclosed little about how long it retains user information (P6), but it was the only telecommunications company besides AT&T to disclose anything about these policies. Vodafone UK did not disclose whether users can control collection of their own information or whether users can delete some of this information. It clearly explained how users can opt out of having their information used for advertising purposes, but it failed to disclose that targeted advertising is off by default (P7).
Requests for user information: Vodafone disclosed less than AT&T about how it handles government and private requests for user information (P10, P11), but more than any other telecommunications company evaluated. The company explained its process for responding to government requests for user data, but did not disclose how it responds to private requests (P10).
Security: Vodafone UK disclosed more than any other telecommunications company about its security policies (P13-P18). Notably, it was the only company out of all 22 companies evaluated in the Index to provide comprehensive information on its handling of data breaches (P15). However, the company did not disclose anything about how it addresses security vulnerabilities (P14).
P15. Data breaches
The company improved its disclosure of its policies for responding to data breaches.