Contact Us
Forging a Culture of Human Rights Policy

New Study: Tunisian ISPs violate customers' privacy

New Study: Tunisian ISPs violate customers' privacy

Tunis, LondonInternet service providers in Tunisia fail to protect customers' privacy, retaining and sharing personal data with third parties without their prior knowledge or explicit consent, finds ImpACT International for Human Rights Policies and Access Now.

The joint study, titled Violated Privacy, found that seven of the country’s main internet service providers (ISPs) —Tunisie Telecom, Ooredoo, TOPNET, Orange Tunisia, GlobalNet, HexaByte Tunisia and BEE — violate basic principles of customer data protection. The main findings include:

The Tunisian report, Privacy Violated, is the latest in a series of studies focusing on ISPs across the Middle East and North Africa — all evaluating the extent to which customers' right to privacy is protected

Maha Hussaini, Executive Director at ImpACT International

  • Only one company, Orange Tunisia, purports to comply  with all requirements laid out in Article 4 of the Organic Law No. 2004-63. However, in practice, the company failed to do so.
  • Three companies — GlobalNet, BEE and HexaByte Tunisie — do not publish a privacy policy on their websites; thus, they cannot be considered in compliance in any respect with the requirements for customer protection.
  • Tunisie Telecom does not make an explicit privacy policy available on its official website and only includes terms and conditions for the use of the service.

Internet users in Tunisia are at significant risk of identity theft or other abuse of their personal information,” said Maha Hussaini, Executive Director at ImpACT International, adding that, “The Tunisian report, Privacy Violated, is the latest in a series of studies focusing on ISPs across the Middle East and North Africa — all evaluating the extent to which customers' right to privacy is protected.”

Until recently, Orange Tunisia was the only ISP that complied with the requirements of Organic Law No. 2004-63, which governs the protection of personal data and provides a clear statement of the company’s responsibility for securing and protecting customers’ personal information. As the new study documents, however, the law too often is treated as mere ink on paper, without commitment to implementation. Orange Tunisia broke its record of compliance in August, 2018, when it  recklessly discarded  approximately 1,500 copies of customer ID cards and passports  onto the streets.

Perhaps the largest roadblock to ISP’s compliance with the right to privacy, is simply that the current law (2004) can be described as desuetude, and does not provide any adequate guarantees for consumers

Dima Samaro, MENA policy Associate at Access Now

“To date, Orange Tunisia has not taken any legal action to remedy its data breach; nor has it provided a clear justification or explanation of the incident, despite a letter sent by Access Now to their legal department,'' said Dima Samaro, MENA policy Associate at Access Now. “Perhaps the largest roadblock to ISP’s compliance with the right to privacy, is simply that the current law (2004) can be described as desuetude, and does not provide any adequate guarantees for consumers. There is little right to compensation for those who have been victims of data breaches, including the sale or transfer of it abroad, and between countries, which gives these companies a large and wide space to use loose phrasing within their privacy policy, and no clear policy on their official websites.”

Clearly, Organic Law No. 2004-63 is no longer sufficient to protect personal data in an environment marked by ever-evolving technology,” said Maha Hussaini.

ImpACT International for Human Rights Policies and Access Now call on the Tunisian government to adopt a new law that raises the profile of human rights in Tunisia, and ensure the Council of Europe’s Convention No. 108 on data protection —to which Tunisia is a  2007 signatory —is fully and effectively implemented. Existing domestic data-protection laws must be revised to adhere to best practices outlined in the convention.

The groups’ study also found that ISPs in Tunisia collect personal data for EU customers, and therefore must comply with the General Data Protection Regulation (GDPR).

 

 

Full study▼

Download File

Related

Legal Framework for Establishing of Human Rights Groups in Saudi Arab...

Saudi government frequently bans meetings and closes down associations

Companies must investigate supply chains and boycott businesses compl...

The list of 112 companies that do business in illegal Israeli settlements—released this week by a high U.N. official—should become a guide to who to black...

Guidance for business: Preserving human rights while combating COVID-...

As health and government officials work relentlessly to curb the spread of the novel coronavirus (COVID-19) around the world, businesses also must do thei...