Telecommunications companies

Vodafone Group Plc.

Rank: 2nd
Score: 42%

Headquartered in the United Kingdom, Vodafone Group provides mobile, fixed-line, and other telephony and internet services across 22 countries in Europe, Africa, Asia, and Oceania. The company had a mobile user base of 273 million in 2020.

Vodafone ranked second among telecommunications companies after Telefónica, but still had significant gaps in its transparency on both privacy and freedom of expression. As the COVID-19 pandemic spread through the world, Vodafone and other telcos provided user data to authorities in the EU, Australia, and Ghana to help track the spread of the virus. The large scale of this tracking program raised public concerns about potential privacy violations and government surveillance, even though the company assured its customers that the data collected and used in the program was anonymized. In 2018 the U.K.’s telecommunications watchdog launched a probe into Vodafone’s zero-rating program, Vodafone Passes, for potentially breaching EU net neutrality regulations. The company continued to offer the program despite offering no evidence that it had conducted human rights due diligence on it. In addition, during elections in Tanzania in October 2020, Vodafone Group’s subsidiary in the country blocked text messages by opposition activists at the behest of the government, casting doubt on the company’s commitment to push back on overly broad government demands.

Key takeaways

  • Vodafone and Telefónica were the only companies to explicitly commit to protect human rights in their development and use of algorithmic systems. Vodafone also had the highest overall governance score among telecommunications companies after Telefónica.
  • While Vodafone made a commitment to net neutrality, it did not maintain this commitment in practice since it offered a zero-rating program, a form of network discrimination that undermines net neutrality in practice.
  • Vodafone published more information about its policies and practices for protecting customers’ security than any other telecommunications company.

Key recommendations

  • Improve human rights due diligence. Vodafone should demonstrate that it carries out human rights impact assessments on its existing services, the enforcement of its policies, and on algorithms, targeted advertising, and zero-rating programs.
  • Clarify handling of user data. Vodafone should be more transparent about its reasons for collecting, sharing, and inferring user information and clarify options users have to control what data is collected, shared, and inferred about them.
  • Uphold net neutrality in practice. Vodafone should affirm its commitment to upholding net neutrality principles by refraining from engaging in paid prioritization of traffic, including offering zero-rating programs.

Services evaluated:

  • Operating company evaluated: Vodafone UKFor telecommunications companies, the RDR Index evaluates relevant policies of the parent company, the operating company, and selected services of that operating company.
  • Market cap: $228.08 billion (as of February 4, 2021)
  • LSE: VOD
  • Website: https://www.vodafone.com

The 2020 RDR Index covers policies that were active between February 8, 2019, and September 15, 2020. Policies that came into effect after September 15, 2020 were not evaluated for this Index.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Veszna Wessenauer, Jan Rydzak

Changes since 2019

  • Vodafone lost points on governance for removing a statement from its website asserting that it assesses privacy risks associated with new products and services.
  • Vodafone publicly listed some of the third parties with which it shares user information.
  • Vodafone improved the information it published on its third-party security audits and provided a reporting channel for security researchers to submit vulnerabilities they discover, with a clear time frame for review.
+ 0.74 points

Gained 0.74 points on comparable indicators since the 2019 RDR Index.

Governance68%
Freedom of expression32%
Privacy39%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 68%

Vodafone had the highest overall governance score among telecommunications companies after Telefónica.

  • Commitment to human rights: Vodafone made explicit commitments to respect users’ privacy and freedom of expression rights. It was one of just two companies in the RDR Index to commit to abide by human rights in its development and deployment of AI technologies (G1). In addition, the company disclosed strong management oversight processes and internal implementation systems, including training and whistleblower programs, to support the fulfillment of its commitments (G2, G3).
  • Human rights due diligence: Vodafone lagged behind many of its peers in human rights due diligence. The company regularly assessed the impact of laws affecting both privacy and freedom of expression and information and stated that it conducted assessments when entering new markets, but it failed to clarify whether its assessments encompassed risks and impacts associated with existing services, policy enforcement, algorithms, targeted advertising, or zero-rating programs such as Vodafone Passes (G4).
  • Stakeholder engagement: Vodafone is a member of the Global Network Initiative, a multistakeholder organization. However, GNI focuses primarily on government demands and does not cover a wider set of human rights issues that internet users face (G5).
  • Remedy: Vodafone had the strongest remedy mechanism for freedom of expression and privacy grievances after Telefónica. The company also provided a time frame to settle such grievances, but it did not publish any data about the complaints it received or any evidence to prove that it actually provided remedy (G6a).

Freedom of expression 32%

Vodafone disclosed more about its policies and practices affecting freedom of expression and information than any other telecommunications company except Telefónica, but it still lacked transparency in key areas such as content governance and advertising.

  • Content blocking and account restrictions: Vodafone’s terms of service documents were not all easy to locate (F1a) and the company fell short of committing to directly notify users about changes to those policies (F2a). The company did not articulate all of the content or activities it prohibits, nor did it articulate what actions it would take to enforce those rules (F3a). Like all other telcos, Vodafone released no data about content or accounts it removed to enforce its terms of service (F4a, F4b). The company’s various services were inconsistent in committing to notify users when content was blocked or their accounts were restricted (F8).
  • Algorithmic systems: Vodafone did not publish an operational-level policy governing the use of algorithmic systems across its services (F1d).
  • Advertising content and targeting: Vodafone did not disclose what advertising content it prohibited on its platform or what actions it would take to remove advertisements that violate company rules (F3b). Vodafone stated that it may send tailored messages to users based on their location, browsing information, or other activities, but it revealed nothing about how it regulated targeted advertising, such as what types of targeting behaviors were banned (F3c). The company did not publish any data about the ads it removed for rules violations (F4c).
  • Network management: While Vodafone made a commitment to net neutrality, it did not maintain this commitment in practice. The company offered a zero-rating program called Vodafone Passes on its prepaid and postpaid mobile services (F9). After Telefónica and Telenor, Vodafone was most forthcoming about how it handled network shutdown demands. The company’s Freedom of Expression and Network Censorship report outlined reasons why it might carry out network shutdowns and how it responds when governments order them. But it did not provide further details to reinforce its transparency such as data about shutdown demands (F10).
  • Censorship demands: Vodafone stood out for the comprehensive information it provided about its internal process for handling government demands to restrict content or accounts (F5a). But the company failed to clarify how it handled private requests to restrict content or accounts (F5b). While it described some of the measures it took to protect children’s digital rights, it disclosed little else about how it handles private requests for content or account restrictions (F5b). Vodafone did not release any data about third-party requests for content or accounts restriction (F6, F7).

Privacy 39%

Vodafone earned the third-best privacy score among telecommunication companies, and disclosed more on security than any of its peers.

  • Handling of user data: Vodafone provided some information about what user data it collected and inferred but failed to commit to limit its data collection or inference to what was strictly necessary for business purposes (P3a, P3b). The company was vague about describing how and why it collected and shared user information (P4, P5) and acknowledged that even when users terminate their accounts, the company still retains some of the information (P6). Targeted advertising was the lone area in which Vodafone provided its customers with options to control how their data was used (P7). Vodafone gave options for users to obtain a copy of their user information, but it remained unclear if users could obtain all of the information the company held about them (P8).
  • Government and private demands for user data: The Vodafone Law Enforcement Disclosure Statement clearly explained the company’s process for handling government demands to access user information, including the legal basis under which it might comply with them, due diligence processes, and a commitment to push back on overbroad demands (P10a). But it did not reveal how it would respond to private requests for user information (P10b). Furthermore, Vodafone did not publish any data about third-party requests to access user information (P11a, P11b). Like other telecommunication companies, Vodafone failed to commit to notifying users when third parties requested their information.
  • Security: Vodafone revealed more about its policies and practices to protect the security of users’ data than any other telecommunications company. It was the only company in the entire 2020 RDR Index to receive a full score on its processes for addressing data breaches. The company made a commitment to notify relevant authorities and users who were affected by a breach and to identify specific steps to address such incidents (P15). In addition, Vodafone introduced a new portal for external researchers to submit reports of security vulnerabilities, but it did not commit to refraining from legal action against these researchers (P14). The company conducted internal and external security audits but its evidence was not sufficient to prove that the external audits were conducted regularly (P13).