2020 RDR Index
Telecommunications companies

Orange S.A.

Rank: 6th
Score: 27%

Headquartered in France, Orange provides mobile, landline, broadband, and digital media services. With 266 million users across 26 countries across Europe, Africa, and the Middle East, Orange is the 10th largest mobile telecommunications company in the world.

Telefónica
1
49%
Vodafone
2
42%
AT&T
3
37%
Telenor
3
37%
Deutsche Telekom
5
34%
Orange
6
27%
MTN
7
23%
América Móvil
8
22%
Axiata
9
16%
Bharti Airtel
10
15%
Etisalat
11
10%
Ooredoo
12
6%

Orange was the lowest-scoring European telecommunications company in the 2020 RDR Index. Orange operates in several volatile countries, where governments are prone to censorship and network shutdown orders. In Guinea, the company carried out a government-ordered shutdown during a controversial presidential referendum, but offered little transparency around its handling of the order. Orange performed poorly on our indicators measuring various issues related to freedom of expression and information, including network shutdowns. In this category, it scored lower than MTN, one of its primary competitors in sub-Saharan Africa.

Key takeaways

  • Orange is behind the curve on protecting its users’ freedom of expression and information rights. The company had one of the weakest results of any telco in the RDR Index, falling behind MTN as well as nearly all of its European peers, and disclosing no commitment to uphold net neutrality.
  • Orange’s transparency reporting is incomplete and vague. Although it offered some information about its process for handling government demands, it had poor transparency on demands for user data, and it offered insufficient information on threats that are common in some of its operating markets, such as network shutdowns.
  • Orange failed to disclose sufficient information on how it protects its users’ privacy and security. Its privacy policies lacked detail and the company disclosed less than all of its European peers and AT&T about its security policies, including how it addresses data breaches and security vulnerabilities.

Key recommendations

  • Commit to net neutrality. Orange should commit not to prioritize, block, or delay certain types of traffic, applications, protocols, or content for any reason beyond assuring quality of service and network reliability.
  • Improve transparency reporting. Orange should publish data on demands it receives to restrict content and accounts, hand over user information, and shut down networks.
  • Expand the scope of human rights impact assessments. Orange should conduct human rights impact assessments on its zero-rating programs and on its use and development of algorithmic systems.

Services evaluated:

  • Operating company evaluated: Orange FranceFor telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
  • Market cap: $31.30 billion (as of February 4, 2021)
  • ENXTPA: ORA
  • Website: https://www.orange.fr

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Jan Rydzak, Veszna Wessenauer
Download data and sources

Changes since 2019

  • For the first time, Orange published information about its process for responding to government demands to restrict content or accounts. It also improved transparency around its process for responding to government demands for user information, but it aggregated its data on demands from authorities in France in a way that made that data difficult to understand.
  • Orange published more information about its process for responding to network shutdown requests but removed its commitment to push back against them.
+ 2 points

Gained 2 points on comparable indicators since the 2019 RDR Index.

Governance65%
Freedom of expression10%
Privacy24%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 65%

Orange made no improvements on governance in 2020 but its performance in this category was far stronger than it was in the other two categories, with lack of comprehensive human rights due diligence as its most notable shortcoming.

  • Commitment to human rights: Orange made an explicit commitment to respect users’ freedom of expression and privacy rights (G1). It published an AI ethics policy, but stopped short of making a commitment to adhere to human rights as it develops and deploys algorithms. Orange published comprehensive information on management oversight of human rights issues (G2) as well as training and whistleblower programs (G3).
  • Human rights due diligence: Orange disclosed evidence of conducting robust human rights impact assessments on how laws and regulations affect freedom of expression and privacy in the markets in which it operates (G4a). But the company disclosed nothing about conducting similar assessments of its own policy enforcement, targeted advertising, algorithmic systems, or zero-rating programs (such as through its partnership with Facebook under the Free Basics program) (G4b, G4c, G4d, G4e).
  • Remedy: While Orange did offer remedy mechanisms for privacy and freedom of expression grievances, the details of these processes were not clear. The company also did not provide any evidence that it was addressing these grievances, for instance by providing data on the number of complaints received (G6a).
  • Stakeholder engagement: Orange is a member of the Global Network Initiative, a multi-stakeholder organization. However, GNI focuses primarily on government demands and does not cover a wider set of human rights issues that internet users face (G5).

Indicators

Freedom of expression 10%

Orange earned one of the lowest scores in this category, lagging far behind its European peers and South Africa’s MTN.

  • Content blocking and account suspensions: Orange’s terms of service were easy to find but they were written in minuscule type and with language that made these policies difficult to understand (F1a). Policies clearly explained what type of content and activities are prohibited on its services and the circumstances in which content could be blocked or restricted, and accounts terminated, for violations to these rules (F3a). But the company disclosed no data detailing actions it took to enforce these rules, such as blocking content or suspending accounts (F4a).
  • Advertising content and targeting: Orange published no relevant information about the rules governing advertising content and targeting on its services or how those rules were enforced (F1b, F1c, F2b, F2c, F4c).
  • Censorship demands: Orange significantly improved its transparency on its process for handling government demands to restrict content and accounts (F5a). However, it produced no data associated with such demands (F6). Orange also revealed no information about how it handles requests to remove content or restrict accounts that come through private processes (F5b).
  • Network management: As we have highlighted in previous years, Orange once again published no information about its network management practices, nor did it make a clear commitment to net neutrality. It also did not reveal if it engages in practices that prioritize network traffic, such as zero-rating programs, despite there being evidence that the company does offer such programs in the form of “social passes” in some European markets as well as through its participation in Facebook’s Free Basics program (F9). New information in the company’s 2020 Vigilance Plan clarified the process it followed when receiving network shutdown demands, though the company no longer shared a commitment to push back against such demands (F10). Its reporting also aggregated shutdowns with other “major events,” further reducing its transparency on this topic. Shutdowns have occurred in several of the countries where the company operates, underscoring the need for better information in this area.

Indicators

Privacy 24%

Orange made slight progress on security and on transparency regarding demands for user information, but remained the lowest-scoring European company in the privacy category.

  • Handling of user data: Orange published a clear and accessible Privacy Policy (P1a) but did not commit to notify users of changes to this policy (P2a). The company specified the types of data it collected, but offered inconsistent details on how it collects that data (P3a). It also published nothing about the types of data it inferred (P3b) and barely any information about how long it retained information or how it de-identified it (P6). Orange’s Privacy Policy also conferred vaguely worded rights to object to some uses of information and delete some types of data, but it was impossible to determine what data this applied to (P7).
  • Government and private demands for user data: Orange published by far the least comprehensive information about third-party demands for user data of any European telecommunications company. But there were signs of progress. For instance, in a new transparency report, the company detailed three formal requirements it applies to government demands, even though it was not clear if these requirements applied to all jurisdictions (P10a). The quality of its reporting on government demands declined, as the company aggregated the data on France across all mobile operators in the country (P10a). Like many other companies, Orange published nothing about private requests for user data (P10b, P11b).
  • Security: Orange published a patchwork of policies on security. While its Charter on Personal Data Protection stated that it limited employee access to sensitive user information and its 2019 Annual Report outlined 30 data security reviews the company conducted in 2019 (P13), other information was scarce. Orange revealed new information about how to report security vulnerabilities (P14) but nothing about how it handled data breaches (P15).

Indicators

50%
0%
25%
P4. Sharing of user information
25%
P5. Purpose for collecting, inferring, and sharing user information
40%
P6. Retention of user information
10%
P7. Users' control over their own user information
3%
P8. Users' access to their own user information
25%
P9. Collection of user information from third parties
0%
14%
10%
P12. User notification about third-party requests for user information
0%
P13. Security oversight
50%
P14. Addressing security vulnerabilities
25%
P15. Data breaches
0%
P16. Encryption of user communication and private content (digital platforms)
NA
P17. Account security (digital platforms)
NA
P18. Inform and educate users about potential risks
100%