Telecommunications company

Telefónica, S.A.

Domicile: Spain
Website: www.telefonica.com 
Operating company evaluated: Telefónica Spain
Download company report: English | Español

1

Key findings

  • Telefónica received the top score among telecommunications companies, and made the most improvements to its disclosure of policies affecting freedom of expression and privacy of any company evaluated.
  • Telefónica disclosed more than all other companies about its governance and oversight over human rights issues, and was one of only three companies to disclose that it conducts human rights risk assessments on its use of automated decision-making technologies.
  • Telefónica disclosed more than any telecommunications company about policies affecting freedom of expression, but still failed to disclose enough about how it handles government requests to block content and restrict user accounts.
Services evaluated

Analysis

Telefónica received the highest score among telecommunications companies in the 2019 RDR Index, disclosing more about its commitments, policies, and practices affecting freedom of expression and privacy than any of its peers.1 It made the most improvements of any company evaluated this year, topping Vodafone for the number one spot in this year’s ranking.2 It improved its disclosure of policies affecting users’ freedom of expression and privacy, including how it handles government requests to restrict content and accounts, to shut down its networks, and to hand over user data. Still, there is room for improvement. Telefónica should publish data about actions it takes to restrict content and accounts that violate its rules. It should also publish more information about its security policies, including how it addresses security vulnerabilities and data breaches.

 



Telefónica, S.A. provides mobile, fixed-line broadband, and other services to more than 272 million mobile customers in Spain, Latin America, and internationally.3

Market cap: USD 44.0 billion4
BME: TEF

  • Clarify security policies: Telefónica should be more transparent about its security policies, including how it responds to data breaches and how it addresses security vulnerabilities.
  • Clarify handling of user information: Telefónica should disclose more about its handling of user information, including its data retention policies and practices.
  • Disclose more about third-party requests: Telefónica should disclose more comprehensive data about how it responds to government and private requests to restrict access to content or accounts and to hand over user data.

Governance

Telefónica significantly improved disclosure of its governance and oversight over human rights issues, earning the highest score in this category of any company in the 2019 RDR Index. It earned the highest score on all six indicators in the Governance category, and stood out for disclosing the clearest grievance and remedy mechanism of any company in the entire Index (G6). Notably, Telefónica was among the few companies evaluated to disclose that it assesses freedom of expression and privacy risks associated with enforcing its terms of service and its use of automated decision making technologies. However, it failed to disclose if it assesses risks associated with its targeted advertising practices and policies (G4).

G2. Governance and management oversight

Telefónica disclosed management-level oversight over how its policies and practices affect freedom of expression and privacy.

G4. Impact assessment

Telefónica disclosed more information about the human rights impact assessments it conducts.

G6. Remedy

Telefónica clarified the number of freedom of expression related complaints it received.

Freedom of Expression

Although Telefónica disclosed more about policies affecting freedom of expression than any other telecommunications company evaluated, it still fell short in key areas. The operating company Telefónica Spain’s terms of service were somewhat difficult to find and understand (F1), and it was not clear whether users would be directly notified of changes (F2).5 Telefónica improved its disclosure of how it responds to government requests, including those submitted by governments in foreign jurisdictions, but was less transparent about how it responds to requests it receives through private processes (F5). Telefónica provided some data about government requests it received and complied with (F6), but no data about requests received through private processes (F7).

Telefónica Spain was one of only two companies to commit to upholding net neutrality principles (F9). The company only partially disclosed the reasons why it may shut down or restrict access to its networks or certain protocols, though it was the only company to disclose both the number of requests it received and with which it complied (F10).

F5, F6. Requests for content or account restriction

Telefónica improved its disclosure of how it responds to government requests to restrict access to content or accounts, and disclosed more comprehensive data about such requests.

F9. Network management

Telefónica disclosed that it does not engage in network management practices for reasons beyond assuring the quality of service and reliability of the network.

F10. Network shutdowns

Telefónica improved its disclosure of how it responds to government requests to shut down its networks.

Privacy

Telefónica made a number of improvements to its policies affecting privacy, but still lacked disclosure in a number of areas. Telefónica Spain revealed more than most of its peers about how it handles user information (P3-P8)—and made some key improvements—but could do more to clearly explain what user data it shares with third parties (P4), and options users have to control what data it collects and uses, including for purposes of targeted advertising (P7). It disclosed some information about its data retention policies, but did not disclose how long it retains personal data once users terminate their accounts (P6).

Telefónica was more transparent than most of its peers about how it handles government and private requests for user information (P10-P11). It clarified its process for responding to government requests for user data, including those submitted by foreign governments (P10), and provided some data on government requests for user information, though this data could be more comprehensive (P11). But like most companies in the Index, it lacked transparency about how it handles private requests for user information (P10, P11)—and did not disclose if it notifies users when government entities or other types of third parties request information (P12).

Telefónica Spain disclosed less than Deutsche Telekom, Vodafone UK, and AT&T about its security policies and practices (P13-P18). It disclosed that it has an internal security audit team, but failed to clearly disclose whether it limits or monitors employee access to user data (P13). It improved its disclosure of how it addresses security vulnerabilities by disclosing a program allowing researchers to report vulnerabilities (P14). However, the company lost points in this year’s Index for disclosing less clear information about its policies for responding to data breaches (P15).

P1 & P2. Privacy policies

Telefónica improved the clarity of its privacy policies and its commitment to notify users of changes.

P3, P4, P6, P8. Handling of user information

Telefónica disclosed more about the types of user information it collects, provided commitment to minimize data collection, clarified some aspects of its data retention policies, and clarified options users have to obtain a copy of their user information.

P10. Process for responding to third-party requests for user information

Telefónica improved its disclosure of how it responds to government requests for user information.

P14. Addressing security vulnerabilities

Telefónica disclosed a mechanism for researchers to submit security vulnerabilities.

P15. Data breaches

Telefónica was less transparent about when it will notify data subjects in the event of a data breach.

Footnotes

[1] The research period for the 2019 Index ran from January 13, 2018 to February 8, 2019. Policies that came into effect after February 8, 2019 were not evaluated in this Index.

[2] For Telefónica’s performance in the 2018 Index, see: https://rankingdigitalrights.org/index2018/companies/telefonica 

[3] “Telefónica in Numbers - FY2017” (Telefónica), Accessed January 15, 2019, https://www.telefonica.com/documents/153952/142035615/Telefonica-in-numbers-FY-2017.pdf/83eb9de4-42e5-a285-dfdb-581307080a4f 

[4] Bloomberg Markets, Accessed April 18, 2019, https://www.bloomberg.com/quote/TEF:SM 

[5] For most indicators in the Freedom of Expression and Privacy categories, RDR evaluates the operating company of the home market, in this case Telefónica Spain.