Telecommunications company

Etisalat Group

Domicile: United Arab Emirates (UAE)
Website: www.etisalat.com 
Operating company evaluated: Etisalat UAE
Download company report: English | العربية

11

Key findings

  • Etisalat was the second-lowest scoring telecommunications company in the Index, disclosing almost nothing about policies and practices affecting users' freedom of expression and privacy.
  • Etisalat did not publish a privacy policy, making it impossible for users to understand what the company does with their information, including what it collects and for what purposes.
  • Etisalat disclosed nothing about how it handles government and private requests to hand over user information.
Services evaluated

Analysis

Etisalat ranked eleventh out of the 12 telecommunications companies evaluated, disclosing almost nothing about its policies and practices affecting freedom of expression and privacy.1 It made no improvements to its disclosure of policies evaluated by the RDR Index over the last year.2 Etisalat is a majority state-owned company, operating in a political and regulatory environment that restricts expression online.3 While companies in the UAE are discouraged from making public commitments to human rights, Etisalat could still be more transparent about basic policies affecting users’ freedom of expression and privacy. The operating company Etisalat UAE did not publish a privacy policy, making it impossible for users to understand how the company handles their information.4 Etisalat provided little information about its security policies, although there is no law prohibiting companies from being more transparent in this area. Given that the company is majority state-owned and that the overall operating environment discourages transparency, it is unlikely that Etisalat would disclose information about government requests to block content or to hand over user information. However, it could disclose its policies for responding to private requests.



Etisalat Group operates telecommunications, fiber optics networks, and other services in the United Arab Emirates and across the Middle East, Africa, and Asia.

Market cap: USD 39.4 billion5
ADX: ETISALAT

  • Publish privacy policies: Etisalat should clearly disclose how it handles user information and make its policies both easy to find and understand.
  • Be transparent about private requests: Etisalat should disclose how it responds to private requests to block content or accounts and to hand over user data, and regularly publish data about the requests.
  • Improve redress: Etisalat should improve its existing grievance mechanisms by explicitly including complaints related to freedom of expression and privacy, and by providing clear remedies for these types of complaints.

Governance

Etisalat performed poorly in the Governance category, scoring higher than only Ooredoo.6 It did not publish a commitment to respect users’ freedom of expression and privacy as human rights (G1), and failed to disclose evidence of senior-level oversight over these issues at the company(G2). It also revealed no evidence of carrying out human rights due diligence, such as conducting risk assessments (G4), or of engaging with stakeholders on freedom of expression or privacy issues (G5). It received some credit for disclosing a grievance and remedy mechanism, though the company did not explicitly state that this process includes complaints related to freedom of expression or privacy (G6).

No score changes

Freedom of Expression

Etisalat disclosed little about its policies affecting freedom of expression. Etisalat UAE’s terms of service policies were not easy to find, but were available in the primary languages of its home market and were presented in an understandable manner (F1). It disclosed some information about how its rules are enforced (F3) and how users are notified when the company takes actions to restrict accounts (F8).

However, aside from some minimal disclosure about reasons why it may restrict access to its network or specific applications and protocols due to government demands (F10), the company failed to disclose any other information about its policies or practices that affect users’ freedom of expression. It failed to disclose any information about its network management policies or commit to uphold net neutrality principles (F9). Like many telecommunications companies, Etisalat provided no information about how it handles government or private requests to block content or restrict accounts (F5-F7). It did not publish any data on the number of such requests it received or with which it complied (F6, F7). Moreover, the company lost points due to a change in its disclosure, which made it less clear when it complies with private requests (F5). While it is a criminal offense in the UAE not to comply with government blocking orders, there is no law prohibiting Etisalat from disclosing how it handles these requests or its compliance rates with either government or private content-blocking requests.7

F5. Process for responding to third-party requests for content or account restriction

Etisalat revealed less information about the circumstances under which it will respond to requests to restrict content that it receives through private processes.

Privacy

Etisalat received the second-lowest privacy score of all telecommunications companies evaluated, disclosing only slightly more than Qatar-based telecommunications operator Ooredoo. Like Ooredoo Qatar, Etisalat UAE did not publish a privacy policy, making it impossible for users to understand what the company does with their information, including what it collects, shares, and why. Aside from disclosing that it shares user information with government authorities if legally required and in cases of national security (P4), the company disclosed nothing about how it handles the user information it collects (P3-P8).

Etisalat provided no information about how it responds to third-party requests for user information, making it one of four companies, along with MTN, Ooredoo, and Axiata, that received no credit on these indicators (P10-P12). It provided no information about its process for responding to these types of requests (P10), or whether it notifies users when their information is requested (P12). However, Etisalat’s operating license required it to install equipment allowing authorities to access the network, so the company may not be aware when government authorities access user information.8 Still, there is no law specifically prohibiting Etisalat from disclosing its policy for responding to user information requests that come through private processes.

Etisalat UAE disclosed almost nothing about its security policies and practices, scoring better than only Ooredoo Qatar on these indicators (P13-P18). It disclosed that it has policies governing employee access to user data and has security teams monitoring for security threats and data breaches (P13). However, the company provided no additional information regarding its internal processes for ensuring that user data is secure, including whether it commissions external security audits (P13). It disclosed nothing about policies for addressing security vulnerabilities (P14) or for responding to data breaches (P15). There are no apparent legal obstacles to disclosing this information.

No score changes

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] For Etisalat’s performance in the 2018 Index: rankingdigitalrights.org/index2018/companies/etisalat/ 

[3] “Freedom on the Net” (Freedom House, November 2018), freedomhouse.org/report/freedom-net/2018/united-arab-emirates 

[4] For most indicators in the Freedom of Expression and Privacy categories, RDR evaluates the operating company of the home market, in this case Etisalat UAE

[5] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/ETISALAT:UH 

[6] For Etisalat’s performance in the 2018 Index: rankingdigitalrights.org/index2018/companies/etisalat/ 

[7] “Federal Decree-Law No. (5) of 2012 on Combating Cybercrimes” (2012), ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf 

[8] “Public Telecommunications License No. 1/2006” Telecommunications Regulatory Authority, accessed March 15, 2018, www.tra.gov.ae/assets/03VgXUV3.pdf.aspx