17 July 2012
Privacy is paramount
Respecting and protecting our customers’ privacy is fundamental to the success of our business; it’s a vital part of our ethical responsibility and how we earn customers’ trust. This is reflected in Vodafone’s Privacy Commitments, which form the heart of our global policy on privacy. The Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights also establish, as a matter of international law, the right to privacy. In addition, most of the countries where we operate have privacy or data protection laws that protect privacy and personal information.
Therefore, the provision to law enforcement of any form of assistance that may impede, restrict or intrude upon a person’s privacy must be a lawfully and narrowly prescribed exception. Our policy is designed to ensure that this remains so.
Law enforcement assistance by communications service providers
As a communications service provider, Vodafone is subject to legal obligations to assist law enforcement authorities and other government agencies in ways that can impact peoples’ privacy.
These legal obligations include the disclosure to government authorities of information about our customers, such as information about their communications, or the interception of their communications, enabling law enforcement authorities to hear the content of calls or read the content of messages. Vodafone can also be obliged to develop the technical capabilities to do these things, or to retain data that it would not otherwise retain in the ordinary course of its business. Throughout this document, we refer to these activities generally as ‘assistance’.
There are many legitimate reasons for governments to reserve these powers. It is widely claimed by law enforcement authorities that the assistance provided by communications service providers is an essential element in the fight against crime, terrorism and the protection of national security.
However, these powers must be balanced with the respect for civil liberties and freedoms. Striking this often delicate and difficult balance and ensuring the protection of human rights is the responsibility of governments, as confirmed in the UN Guiding Principles for Business and Human Rights. Vodafone’s responsibility, as outlined in the UN Guidelines, is to respect human rights, and that is reflected in our first Privacy Commitment: Respect.
The nature of the law
Limiting the assistance Vodafone provides to law enforcement to what is prescribed by law may sound straightforward in principle, but can be very difficult in practice. While governments should respect the rule of law, and laws providing for these powers should be clear and accessible, in practice, laws are often not as clear as they could be, and also frequently lag the development and use of communications technology. Coupled with the reality that the use of these powers occurs in relation to sensitive and sometimes critical matters of national security or public safety, how assistance is given in practice requires careful judgement in difficult circumstances.
Vodafone’s policy is designed to achieve three main objectives:
(i) Ensure a robust assessment of the scope of the law
Vodafone must have a clear understanding and appreciation of government legal powers to demand assistance and associated legal due process to avoid ‘over-compliance’ or complicity in allegations of government violations of human rights.
(ii) Create accountability through a governance process founded on clear guiding principles
All decision making concerning law enforcement assistance must be consistent with our guiding principles, and those decisions and operations must be overseen by the most senior level of executive management to ensure accountability.
(iii) Address the complexities of law enforcement in a global environment
Risks arising from potential tensions and conflicts between governmental authorities in different countries, while operating a global, increasingly integrated, business environment, need to be anticipated and managed.
What is Vodafone’s policy?
Vodafone’s policy establishes a governance framework, a set of principles that guide our local companies when they respond to or work with law enforcement agencies or other government authorities, and lays out a series of other requirements covering operational matters. Here is a brief description of the main elements:
An executive level local governance committee oversees the implementation and management of the policy in each market. This includes the general oversight and management of the local company’s implementation of the policy and acts as an escalation body in the event that demands for assistance cannot be dealt with in accordance with the principles outlined below.
The general principle is that privacy is paramount and law enforcement assistance is an exception to this principle that can only apply in limited circumstances. These exceptional circumstances are as follows:
1. Mandatory compliance with law:
Vodafone may provide assistance where and to the extent that the local law mandates compliance.
To ensure that we are able to apply careful judgement in difficult circumstances, as explained above, each company must ensure that it has sufficiently senior and experienced counsel available who are knowledgeable in the relevant fields of law and due process to ensure Vodafone is clear what needs to be done to comply with the law, and importantly, what does not need to be done. The policy sets out a series of criteria to be followed by counsel in assessing demands and protocols for assistance.
2. Discretionary assistance
There are instances where government or law enforcement authorities may ask for assistance without a legal power to compel Vodafone to do so. For example, local police forces helping distraught parents may seek help from Vodafone with locating missing youngsters, fearing for their safety. Or a customer may believe that they have been the target of fraud or identity theft, or are being harassed or stalked, and the police may ask for our help to investigate this.
We recognise that privacy is not the only right and should not be applied blindly or mechanically. There are circumstances where privacy must be balanced with other important social responsibilities, and this is also reflected in our Privacy Commitments.
In these cases, giving assistance may be the responsible thing to do, provided, of course, that doing so is not in breach of any other applicable laws in the country concerned (for example, data protection laws) and all other appropriate safeguards are taken. We refer to this type of assistance as ‘discretionary assistance’, since Vodafone would essentially be choosing to exercise its discretion to assist.
Discretionary assistance must not be done lightly. Our policy sets out a series of principles that guide the way discretion is exercised to respect the privacy of our customers but balances this with other legitimate and important social duties. The principles to be observed require the responsible officers in the local company to look at all the circumstances of any case, including whether the assistance requested is for a legitimate purpose, and that that purpose is a necessary and proportionate response to prevent an imminent threat to national security or public safety, or the prevention of serious crime or risk to the life of, or serious personal injury to, any person. They also require appropriate safeguards for privacy to be implemented and to ensure that there are no other circumstances that would indicate that the assistance amounts to an unwarranted intrusion into privacy.
In particular, discretionary assistance should not be used simply because the conditions required to give law enforcement authorities the legal power to compel compliance have not been made out, e.g. because of a failure by law enforcement to follow legal due process.
All exercises of discretion require the joint approval of the local disclosure officer and local privacy officer.
3. Legitimate business interests
Vodafone may provide assistance where it is reasonably necessary to protect its legitimate business interests. This is not a catch-all, but covers, for example, working with and assisting law enforcement to help tackle fraud or criminal activities perpetrated against Vodafone. For instance, if our network is hacked or attacked in order to gain access to our, or our customers’, information, we will work with law enforcement to identify the attackers and bring them to justice.
When a demand is made by a law enforcement authority that does not fall into one of the three exceptions outlined above, we will decline to assist or will challenge the demand in an appropriate manner. In these cases, the matter must be escalated to the governance committee.
Law enforcement in a global environment
Vodafone’s policy contains requirements to manage the challenges that can arise from operating globally. This includes managing law enforcement demands in respect of data hosted in the Vodafone cloud, i.e. our data and service platforms may be located in jurisdictions other than the jurisdiction where the Vodafone company providing the service has its operating business. This establishes the principle that a Vodafone company should assist only those law enforcement agencies located in the country where it is established, i.e. we do not use our network of operating companies and cloud service centres to assist foreign government surveillance. For this, governments must utilise international mutual assistance treaties.
The operational management of law enforcement assistance must be conducted under the supervision of appropriately qualified senior management, and any staff involved in providing law enforcement assistance must be appropriately supervised, trained and supported in conducting their duties.
Government Relations and Public Policy
We proactively engage with governments and law enforcement agencies to reach a mutual understanding of how we can meet the legitimate needs of governments and law enforcement that is consistent with Vodafone’s commitment to respecting and safeguarding the privacy of its customers.
What is Vodafone doing to ensure that this standard is met across its global footprint?
All global policies under Vodafone’s privacy programme are managed through the Vodafone privacy risk management system by our local privacy officers. Vodafone requires its local markets to report annually and quarterly to the Group Privacy Officer, and this includes compliance with the law enforcement policy. These reports are, in turn, included in reporting to the Group executive committee. We also conduct reviews of individual markets on a regular basis, both at an operational level and at a governance level.
How is Vodafone ensuring that this policy remains fit for purpose as technologies develop and new controversies arise?
Law enforcement assistance and the impact on human rights is one of the critical risks identified in Vodafone’s critical privacy risk register. It is therefore reviewed regularly to ensure its scope is adequate and it is effective at addressing its objectives.
We also conduct research and surveys into particular developments or risks relating to law enforcement, surveillance, and privacy, as well as engage regularly with our industry peers, partners and external stakeholders.