Terms and Conditions: Neither Death Separates Us?

by Digital Rights LAC on May 7, 2015


How often do we come across these two concepts? They always appear in the small print of contracts, delimiting the services that we will get, but how much do we know about them, and what are their implications?

By Laura Andrea Mora Ardila*

Many intermediaries have to intervene in order for us to surf the web. These intermediaries are the ones that allow us to search (such as Yahoo or Google), to surf (such as Mozilla, Internet Explorer), to connect to the Internet (such as Claro, Telefónica), and many more.

They establish terms and conditions covering diverse subjects: intellectual property, their own data protection policies, and their responsibility in service delivery, among others. These policies usually appear on the companies’ websites and should conform to the law, but they go even further, defining details of their relationship with users and how to protect them.

In Colombia, we surf the Internet because we have a contract with the intermediaries. By using their services, we have accepted their terms of use: clauses that we almost never read because, as we have no bargaining power, it is a matter of “take it or leave it.” However, as these documents determine what we can and cannot do, and the rights and responsibilities we have as users and consumers, they are very important texts that deserve more attention.

How much do we know about these documents? Do we know what we are accepting when we use the service? To answer these questions, I analyzed the terms and conditions, especially the data protection policies, of one type of intermediary: the leading Internet access providers in Colombia (Claro, Movistar, DirecTV, UNE-Tigo, ETB). With this review, I wanted to learn more about these documents and how they affect our use of the web.

In general, the terms of all the companies make explicit that –as part of their obligations– they carry out control actions ranging from preventive suspension to service interruption in the event of misuse of the service by the user, or its use for fraudulent, sexist, or racist activities, or misconduct, among others.

These words may sound reasonable, but it is not clear what these control actions comprise: Can they read my messages? Can they see my conversations? How do they have access to my events and how do they categorize them as “misuse of service”?

In addition, at this point it is worth recalling the famous “Ley Lleras”. Everything indicates that intermediaries do not need to wait for the enactment of such a norm, because they can suspend or interrupt the Internet service, or block the content that Colombian users access, with a wide margin of discretion, simply because we agreed to it under a contract. Moreover, I wonder whether companies have made use of that power, how many times, and how.

In the reviewed texts, I also have a concern about users’ rights. Generally, companies do not consider it necessary to notify users when they understand that users are engaging in illegal and inappropriate behavior, or when the government, for instance, requests users’ data. However, in reviewing the terms and conditions I found that at least the Telephone Company of Bogota (ETB, in Spanish) states that, in some cases, customers will be asked to correct any inappropriate behavior; other companies have not even considered it. It is clear that there is a lot to do regarding users’ rights.

Regarding data protection, I noticed that the Terms and Conditions of Use mix provisions related to personal data management with those derived from financial obligations. While the 1991 Constitution protects data in general, the financial system was the first to be regulated and is much more developed, whereas the legal mechanism for personal data protection is a new subject (2013). In the terms and conditions of use, I see an effort to comply with data protection law, but much confusion persists.

The terms and conditions of the analyzed intermediaries indicate that, as users, we are entitled to revoke the authorization we gave them to use our data, and that we have the right to know how our data have been used. These provisions are positive and are derived from a legal obligation –in fact, we can always decide to cancel the service–.

However, these intermediaries often include in their terms and conditions very broad statements about their ability to retain users’ personal data. For example, one of Telefónica’s clauses states:

“The database of Colombia Telecomunicaciones has indefinite duration. The collected personal data will be kept for the duration of the relationship between the company and the owner of the data, and the time required for compliance with legal or contractual obligations that Colombia Telecomunicaciones should observe.”

Such terms compel me to ask myself whether not even death separates us. It is important to note that the data retention rules stem not only from financial habeas data, but also from intelligence rules and, as already explained on other occasions, their adoption and implementation are very problematic.

In relation to personal data, since this activity is limited by law and has specific requirements, terms and conditions should be much more precise. However, according to my analysis, they only include some provisions related to these requirements, in a broad and isolated way. That is, companies have not articulated protocols or institutional procedures that explain how they apply the law in order to give us peace of mind about the management of our data –or at least, they are not publicly available on their websites–.

Usually, these intermediaries determine that they will provide information to vendors and partners if they have a data protection policy. In addition, they also provide users’ data whenever there are judicial warrants or requests by government agencies in compliance with their legal functions. The terms and conditions of use analyzed are aligned with this practice.

TIGO, however, has a much broader clause, as it states that it will provide data to “products and services providers, to companies in the same business group to which it belongs, and third parties that provide services or who has any kind of relationship…”. The clause continues with a long list of situations in which data will be provided, including “to respond to inspection bodies.”

This point is striking, because in comparison with the same subject in the terms and conditions of UNE (company merged with TIGO in 2014), the related clause is more protective, stating that:

“The requests made by judicial and administrative authorities acting in the exercise of their duties must comply with the formalities and requirements covered by current regulations. [And that] Before these, UNE shall record and inquire the verification of the terms in case of doubt, respecting confidentiality.”

The contrast is striking given the merger of UNE and TIGO, two related companies that have very different terms and conditions. Users of TIGO, then, authorize providing data to the entire world on countless grounds, including providing data beyond a “judicial and administrative authority in the exercise of their functions”, as the clause refers to a generic “inspection body.”

Civil society has been working to create opportunities for advocacy to improve data protection and users’ navigation. To this end, initiatives such as DondeEstanMisDatos.info have arisen: a project that will be launched next May 20 in Colombia, as an invitation to make periodic reviews of the terms and conditions of the 5 largest Internet access intermediaries in the country.

Although we forget what we have signed, the documents are there, watching and regulating how we use the Internet and how the intermediaries manage our data. While we cannot negotiate when we want to acquire the service, we can audit to ensure that they are complying with the law. Together we can ask for more information and even ask them to be clearer, shorter and safer for all.

*Laura Mora is a political scientist and a master’s student in Communication and Media at the National University of Colombia. She is part of the Karisma Law, Internet and Society Working Group. Twitter: @laumora10

Image credit: (CC: BY-NC-SA) LOSINPUN / Flickr