MTN Group Limited
Domicile: South Africa
Website: www.mtn.com
Operating company evaluated: MTN South Africa
Download company report: English
Key findings
- MTN failed to disclose enough about policies and practices affecting users’ freedom of expression and privacy.
- It lacked strong governance and oversight over human rights issues, and disclosed almost nothing about policies affecting freedom of expression.
- MTN disclosed very little about how it handles user information, particularly its policies around sharing and retaining user information, as well as what steps it takes to keep user information secure.
- MTN South Africa (Prepaid mobile)
- MTN South Africa (Postpaid mobile)
- MTN South Africa (Fixed line broadband)
Analysis
MTN ranked eighth out of the 12 telecommunications companies evaluated, tying with Bharti Airtel.1 Despite making several improvements to its disclosure, MTN still lagged behind its peers, disclosing very little about policies and practices affecting freedom of expression and privacy.2 It provided minimal information about how it responds to government demands to shut down its networks, and disclosed nothing about how it handles government requests to hand over user information. While South African law may discourage MTN from disclosing information about such requests, the company could still improve its disclosures in several other key areas. For instance, it could be more transparent about how it handles user information and its network management policies. It could also disclose more about its process for handling requests to block content or restrict user accounts.
MTN Group Limited is a telecommunications company that serves markets in 24 countries in Africa and the Middle East.3 It offers voice and data services and business services, such as cloud, infrastructure, network, software, and enterprise mobility.
Market cap: USD 13.8 billion4
JSE: MTN
- Improve disclosure of human rights due diligence: MTN should disclose more information about its human rights due diligence, including whether it conducts risk assessments on new and existing services and when entering new markets.
- Be more transparent about handling of user information: MTN should be explicit about what user information it collects and shares, for what purposes, and for how long it retains it.
- Be more transparent about external requests affecting user rights: MTN should disclose information about government and private requests to restrict access to content or accounts, and about private requests for user information.
Governance
MTN disclosed weak governance and oversight over human rights issues. While it made some improvement by clarifying senior-level oversight over freedom of expression and privacy issues (G2), it fell short on most other indicators in this category. It published very limited information about conducting human rights impact assessments, failing to disclose whether it assesses freedom of expression and privacy related risks associated with its use of automated decision-making or its targeted advertising practices (G4). It had grievance and remedy mechanisms for users to submit their freedom of expression and privacy related complaints, but did not disclose its remedy procedures or specify a time frame for redressing these complaints (G6).
G2. Governance and management oversight
MTN improved its disclosure about management-level oversight over how company practices affect freedom of expression and privacy.
G4. Impact assessment
MTN no longer disclosed whether or not it conducts human rights impact assessments on a regular basis.
Freedom of Expression
MTN disclosed almost nothing about policies and practices affecting freedom of expression, tying with Bharti Airtel for the lowest score of all telecommunications companies in this category. It provided no information at all about how it handles external requests to block content or deactivate accounts—it disclosed nothing about its process for handling government and private requests to block content or restrict user accounts (F5-F7). South African law does not prevent companies from disclosing information about how they handle these requests, nor does it prohibit them from publishing this data.
It also lacked transparency about its own internal processes for enforcing its rules: The terms for MTN South Africa’s mobile and broadband services were not easy to find or understand (F1), and the company did not commit to notifying users of changes to these services (F2).5 In addition, the operator revealed nothing about its network management policies and did not publish a clear commitment to uphold net neutrality (F9). Although it clarified reasons why it may shut down its networks, MTN still did not sufficiently disclose its policies for handling government network shutdown orders (F10).
F1. Access to terms of service
MTN South Africa made it easier for users to access the terms of services of its prepaid mobile service.
F2. Changes to terms of service
MTN South Africa improved its disclosure on maintaining an archive of past changes made to the terms of service of its prepaid mobile service.
F10. Network shutdown (telecommunications companies)
MTN improved its disclosure of how it responds to government requests to shut down networks.
F10. Network shutdown (telecommunications companies)
MTN no longer disclosed information regarding its commitment to push back on government shutdown requests.
Privacy
MTN failed to disclose sufficient information about policies and practices affecting the privacy and security of its users, ranking tenth out of the 12 telecommunications companies in this category, ahead of only Etisalat and Ooredoo. MTN South Africa provided minimal information about the types of user information it collects and why (P3, P5), and no information about what information it shares (P4), or for how long it retains user information (P6). It also did not disclose any options for users to control what information the company collects and uses (P7), or options for users to obtain all of the information the company holds on them (P8).
MTN failed to provide any information about how it handles third-party requests for user information (P10-P12). The only piece of information MTN had previously disclosed was a commitment to push back on inappropriate or overbroad government requests; however, researchers were unable to locate such information in current company disclosures. While regulations in South Africa may discourage companies from publishing information about government requests for user information, including the fact that a request was made, nothing prevents MTN from fully disclosing how it handles private requests and the number of these requests it received and with which it complied.
The operating company MTN South Africa disclosed minimal information about its security policies, outperforming only Celcom (Axiata), Etisalat UAE, and Ooredoo Qatar on this set of indicators (P13-P18). It disclosed less than nearly all of its peers about its internal mechanisms to keep user information secure (P13)—but was one of only five telecommunications companies evaluated to disclose anything about its processes for addressing security vulnerabilities (P14). Like many of its peers, MTN South Africa provided no information about its policies for responding to data breaches (P15).
P1. Access to privacy policies
MTN South Africa made it easier for users to access its privacy policy.
P10. Process for responding to third-party requests for user information
MTN no longer shared information regarding its commitment to push back on overbroad government requests for user data.
Footnotes
[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.
[2] For MTN’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/mtn
[3] “Where We Are,” MTN Group, Accessed January 15, 2019, www.mtn.com/en/mtn-group/about-us/our-story/Pages/where-we-are.aspx
[4] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/MTN:SJ
[5] For most indicators in the Freedom of Expression and Privacy categories, RDR evaluates the operating company of the home market, in this case MTN South Africa.
