2020 RDR Index
Telecommunications companies

Etisalat Group

Rank: 11th
Score: 10%

Headquartered in the United Arab Emirates (UAE), Etisalat offers mobile, fixed broadband, and technology services to 149 million users across the Middle East, Africa, and Asia.

Telefónica
1
49%
Vodafone
2
42%
AT&T
3
37%
Telenor
3
37%
Deutsche Telekom
5
34%
Orange
6
27%
MTN
7
23%
América Móvil
8
22%
Axiata
9
16%
Bharti Airtel
10
15%
Etisalat
11
10%
Ooredoo
12
6%

For the first time in 2020, Etisalat made its privacy policy available to users. Yet this improvement was barely enough to move Etisalat upward in our ranking of telecommunications companies. It obtained the second-lowest score among telcos in the 2020 RDR Index, outperforming only its Qatari counterpart, Ooredoo. Etisalat, which is majority-owned by the Emirati government, is required to block web content deemed objectionable by authorities, and this has been used in practice to block pornography, slander, various kinds of political speech, and websites of independent media outlets and human rights organizations. The company published relatively little information about how it manages online content, including how it handles government censorship demands. Etisalat also failed to publicly explain its approach to network management. The company continued to violate network neutrality principles by blocking calling features of international VoIP apps and charging users an extra fee for making international calls using VoIP apps licensed by the country’s Telecommunications Regulatory Authority.

Key takeaways

  • Etisalat did not publish a commitment to respect users’ freedom of expression or privacy rights.
  • Despite progress in the privacy category, Etisalat was not transparent about its handling of user information, including its policies on sharing and retaining user information.
  • Etisalat did not disclose its process for handling government and private demands to remove content and accounts or to access user data. While it is a criminal offense in the UAE not to comply with government blocking orders, there is no law prohibiting Etisalat from disclosing how it handles these requests or its compliance rates with either government or private content-blocking requests.[1]

Key recommendations

  • Commit to protect freedom of expression and privacy. Etisalat should commit to freedom of expression and privacy in accordance with international human rights standards.
  • Disclose processes for responding to government censorship demands. Etisalat should publish policies clearly outlining its processes for responding to government demands to block websites and restrict access to networks and services, since there are no regulations that would prohibit it from doing so.
  • Be transparent about the handling of user information. Etisalat should be more transparent about how it handles user information. It should articulate which user information it shares and with whom, and the duration of time it retains this information.

Services evaluated:

  • Operating company evaluated: Etisalat UAEFor telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
  • Market cap: $46.93 billion (as of February 4, 2021)
  • ADX: ETISALAT
  • Website: https://www.etisalat.ae

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Afef Abrougui, Zak Rogoff
Download data and sources

Changes since 2019

  • Etisalat increased its transparency on internal governance by disclosing that it trains employees on privacy and that it has a whistleblower program enabling employees to report some privacy-related concerns.
  • Etisalat clarified that its website privacy policy applies to all its services.
  • Etisalat improved its security policies by clarifying that it has a security team that conducts regular internal security audits and that it commissions third-party audits.
+ 6.42 points

Gained 6.42 points on comparable indicators since the 2019 RDR Index.

Governance13%
Freedom of expression7%
Privacy11%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 13%

Despite progress in the category since the previous RDR Index, Etisalat still fell behind on its governance processes to ensure respect for human rights.

  • Commitment to human rights: Etisalat committed to protecting users’ privacy but did not characterize privacy as a human right. It also did not commit to human rights in its development and use of algorithmic systems (G1).
  • Human rights due diligence: We found no evidence of Etisalat conducting any type of human rights due diligence, including assessments of freedom of expression and information, privacy, and discrimination risks associated with its use of algorithmic systems, targeted advertising, or zero-rating practices (G4).
  • Stakeholder engagement: Etisalat provided no evidence of engaging with stakeholders whose rights are directly affected by the company (G5).
  • Remedy: Etisalat provided users with a mechanism for submitting complaints, but it did not specifically mention that this covers privacy and freedom of expression and information complaints (G6a).

Indicators

Freedom of expression 7%

Etisalat was one of the least transparent telecommunications companies we evaluated when it came to policies affecting freedom of expression and information.

  • Content blocking and account restrictions: In its terms and conditions, Etisalat clearly outlined the types of content and activities it does not permit on its services (F3a). While it did offer a form allowing users to flag URLs they believe to be in violation of Etisalat’s terms, the company did not disclose what other processes it uses to identify content and activities that violate its rules. It did not disclose any data about content and account restrictions to enforce its terms of service (F4a, F4b). It provided a vague policy pledging to notify users when it terminates their accounts, but it did not commit to issuing notifications to users when they attempt to access websites or URLs that the company blocks (F8).
  • Advertising content and targeting: Etisalat’s Business Marketing Platform service, which allows its business customers to target users with ads, is covered by the company’s terms and conditions for business services. The conditions, which serve as the company’s ad content policy, were difficult to find, but easy to understand (F1b). The policy provided some insight into the types of ad content Etisalat does not permit, but the company’s processes of enforcing these rules were nonexistent (F3b). In addition, Etisalat did not publish a policy outlining its ad targeting rules (F3c). It did not publish data on ads removed to enforce these rules (F4c).
  • Censorship demands: Etisalat did not disclose a policy for handling third-party demands to remove content and accounts, including government demands (F5-F7). Etisalat is required to comply with UAE legislation requiring operators to block and restrict access to content, including the country’s cybercrime law, which prohibits many types of content on the internet.[2] Yet there are no regulations that prohibit companies from disclosing their process for handling third-party demands to restrict access to content or accounts or to publish data about these demands.
  • Network management: Etisalat did not commit to respecting network neutrality (F9). While it provided some reasons why it may shut down service to a particular area or group of users and articulated that “unlicensed” VoIP apps are prohibited, it did not disclose anything else about its policy for responding to government shutdown demands (F10). For instance, it did not commit to pushing back against these types of demands or notifying users when it shuts down a network or restricts access to a particular service.

Indicators

Privacy 11%

Etisalat was not transparent about its policies affecting users’ privacy, disclosing only slightly more than Ooredoo. In our prior evaluations of Etisalat, we found that the company published a policy that referred only to the Etisalat website and online services, with no indication of whether this policy applies to mobile or fixed-line broadband services. In 2020, the company clarified that this privacy policy applies to all its services.

  • Handling of user data: Etisalat’s privacy policy was easily accessible from the company’s home page and written in understandable language (P1a). The company, however, was not transparent about how it handles user information. It disclosed some of the information it collects (P3a) and stated that it may share user information with legal authorities (P4). It also offered users the ability to access some of the information the company holds about them, but it did not specify the precise scope of information they can obtain (P8). Etisalat was silent about its data inference and how long it retains user information (P3b, P6) and did not provide users with any options to control how the company collects, shares, infers, or uses their information for targeted advertising purposes (P7).
  • Government and private demands for user data: Etisalat did not disclose a policy for handling third-party demands for user information, including government demands (P10-P12). There are no regulations that prohibit companies from disclosing their process for handling third-party demands for user information. However, Etisalat’s operating license in the UAE required it to install equipment allowing authorities to access the network, so the company may not be aware when government authorities access user information.[3]
  • Security: Etisalat had internal processes to keep user information secure, including processes limiting employee access to user information and a security team that conducts internal audits (P13). However, it did not have in place any other security policies. For example, it did not have a bug bounty program enabling security researchers to submit reports of security vulnerabilities (P14), nor did it have a policy for responding to data breaches (P15).

Indicators

50%
0%
8%
P4. Sharing of user information
25%
P5. Purpose for collecting, inferring, and sharing user information
0%
P6. Retention of user information
0%
P7. Users' control over their own user information
0%
P8. Users' access to their own user information
17%
P9. Collection of user information from third parties
0%
0%
0%
P12. User notification about third-party requests for user information
0%
P13. Security oversight
83%
P14. Addressing security vulnerabilities
0%
P15. Data breaches
0%
P16. Encryption of user communication and private content (digital platforms)
NA
P17. Account security (digital platforms)
NA
P18. Inform and educate users about potential risks
0%

Footnotes

[1] “Federal Decree-Law No. (5) of 2012 on Combating Cybercrimes” http://ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf

[2] “Federal Decree-Law no. (5) of 2012 on Combating Cybercrimes” http://ejustice.gov.ae/downloads/latest_laws/cybercrimes_5_2012_en.pdf

[3] Telecommunications Regulatory Authority, “Public Telecommunications License No. 1/2006” www.tra.gov.ae/assets/03VgXUV3.pdf.aspx