Internet and mobile ecosystem companies

Samsung Electronics Co., Ltd.

Domicile: South Korea
Website: www.samsung.com
Download company report: English | 한국어

9

Key findings

  • Samsung disclosed less than most of its peers about its policies that affect users’ freedom of expression and privacy, and scored below its South Korean peer, Kakao.
  • Samsung received the second-lowest score of all internet and mobile ecosystem companies in the Privacy category, and disclosed less about its security policies than all of its peers.
  • Samsung failed to provide any information about grievance and remedy mechanisms for freedom of expression and privacy complaints, although in South Korea companies are required to offer these mechanisms by law.
Services evaluated

Analysis

Samsung ranked ninth out of the 12 internet and mobile ecosystem companies evaluated, disclosing less than most of its peers about policies affecting users’ freedom of expression and privacy.1 It continued to lag behind Kakao, the other South Korean company evaluated in the Index. Samsung’s overall score declined due to the company’s less clear disclosure about its security policies.2 It disclosed less information about how it addresses security vulnerabilities, and no longer provided users with information about how to defend themselves against cyber-risks. While South Korea has a strong data protection regime—for instance, it requires companies to obtain consent from users when collecting and sharing their information—Samsung still lacked clarity about these policies and practices in its public disclosures.3 Companies are also legally required to offer grievance mechanisms, but Samsung did not publicly disclose clear options for users to submit freedom of expression and privacy-related complaints.



Samsung Electronics Co., Ltd. sells a range of consumer electronics, home appliances, and information technology solutions worldwide. Its products include televisions, mobile phones, network equipment, and audio and video equipment.

Market cap: USD 247.1 billion4
KOSE: A005930

  • Improve security disclosures: Samsung should be more transparent about measures it takes to keep user information secure, including policies for responding to data breaches, and if it encrypts user communication and private content.
  • Offer remedy: Samsung should provide users with grievance and remedy mechanisms to address their freedom of expression and privacy concerns.
  • Be transparent about third-party requests: Samsung should publish data about third-party requests for content and account restrictions, and for user data.

Governance

Samsung disclosed less about its governance and oversight over human rights issues than most internet and mobile ecosystem companies, and slightly less than its South Korean counterpart Kakao. Samsung made a public commitment to respect users’ human rights to freedom of expression and privacy (G1), but lacked clear evidence of how it ensures it is implementing these commitments across its global operations. It disclosed evidence of senior-level oversight over privacy issues, but not those pertaining to freedom of expression (G2). The company provided very little information about conducting human rights impact assessments, and, like most companies, failed to disclose whether it assesses risks associated with its use of automated decision-making and its targeted advertising practices and policies (G4). It did not disclose a commitment to engage with stakeholders on freedom of expression and privacy issues (G5) nor did it provide clear mechanisms for users to submit freedom of expression and privacy-related grievances (G6). Companies in South Korea are required by law to provide a complaints mechanism.5

No score changes

Freedom of Expression

Samsung disclosed little about its policies affecting users’ freedom of expression, ranking eighth out of 12 internet and mobile ecosystem companies in this category. Samsung published terms of service that were easy to find and understand for Cloud, but not for Android (F1). However, while Samsung disclosed some information about why it may restrict access to content or accounts (F3), it disclosed no data about the volume or nature of content or accounts it restricted for violating these rules (F4). It revealed very little information about its policies for notifying users of content and account restrictions (F8), disclosing only a commitment to notify users and developers of Galaxy apps before terminating their access to the service.

Samsung was one of two internet and mobile ecosystem companies, including Chinese company Baidu, to disclose no information about its process for handling government or private requests to restrict content or user accounts (F5), or data about the number of such requests it received and with which it complied (F6, F7). There are no regulatory obstacles in South Korea preventing the company from disclosing this information. Notably, Kakao is far more transparent about these processes, demonstrating that increased disclosure of how the company handles these types of demands is possible.

F11. Identity policy

Samsung clarified that it only requires developers requesting commercial status to verify their identities.

Privacy

Samsung received the second-lowest score of all internet and mobile ecosystem companies in the Privacy category, and disclosed less about its security policies than all of its peers. It was especially opaque about its handling of government and other types of third-party demands for user data—it was one of three internet and mobile ecosystem companies, including Tencent and Mail.Ru, to disclose nothing about its policies for handling these types of requests (P10) or data about the number of such requests it received and with which it complied (P11).

The company did not reveal enough about how it handles user data: it disclosed some information about the types of user information Samsung collects (P3), shares (P4), and for what purposes (P5), but was far less transparent about its policies for retaining user information (P6). While it provided users with some options to control their own information, including for purposes of targeted advertising (P7), it did not provide them with any options to access and obtain that information (P8).

Samsung also disclosed minimal information about its policies to keep user information secure (P13-P18). It disclosed that it monitors and limits employee access to user information and that it conducts data security audits, but failed to disclose whether it has a dedicated security team and if it commissions third-party security audits (P13). It disclosed some information about how it addresses security vulnerabilities, but was less clear about whether it made any modifications to the Android mobile operating system and how changes might impact users’ ability to receive security updates (P14). It disclosed nothing about its policies for responding to data breaches (P15), or about what types of encryption are in place to protect user information in transit or on Samsung devices (P16).

P14. Addressing security vulnerabilities

Samsung did not clearly state if it had introduced modifications to the Android mobile operating system that might affect users’ ability to receive security updates.

P18. Inform and educate users about potential risks

Samsung no longer provided Android users with information to protect themselves from cyber-risks.

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] For Samsung's performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/samsung 

[3] ‘Act on Promotion of Information and Communications Network Utilization and Information Protection (ICNA)’, 22 March 2016. www.law.go.kr/법령/정보통신망이용촉진및정보보호등에관한법률;
‘Personal Information Protection Act (“PIPA”)’, 29 March 2016. www.law.go.kr/법령/개인정보보호법  

[4] Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/005930:KS 

[5] ‘Act on Promotion of Information and Communications Network Utilization and Information Protection (ICNA)’, 22 March 2016. www.law.go.kr/법령/정보통신망이용촉진및정보보호등에관한법률 ; ‘Telecommunications Business Act’, 19 May 2011. www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%A0%84%EA%B8%B0%ED%86%B5%EC%8B%A0%EC%82%AC%EC%97%85%EB%B2%95