MTN has published its first transparency report, providing statistics on requests for customer data in 17 countries where it operates.
This is similar to the transparency reports that companies like Google, Facebook, and Twitter issue on a regular basis.
MTN stated that requests for a customer’s private data may come from local authorities or non-governmental entities. In some markets, it is also possible for private individuals to lodge formal requests for private data.
In South Africa, MTN said it received 15,903 requests from authorities regarding criminal investigations.
It also received 783 requests which involve civil litigation from non-governmental entities.
According to the report, all of the requests were fulfilled.
Due diligence framework
MTN explained that it follows a due diligence framework across all the markets it operates when deciding whether to fulfil a request for a customer’s private data. This is based on the UN Guiding Principles for Business and Human Rights framework — “Protect, Respect, and Remedy”.
The same process is followed irrespective of whether it is a non-judicial government demand or court order from local or foreign government jurisdictions, MTN stated.
The company said it will attempt to avoid negative human rights impacts where it identifies a risk of these rights being infringed.
MTN said there are several reasons it would comply with a request:
- To support application of the law by any public body
- To comply with a regulatory requirement
- To support the conducting of any legal proceedings
- For lawful purposes related to licence obligations
Private data across Africa
While the numbers disclosed for South Africa only featured requests pertaining to criminal or civil litigation, MTN explained that in the other markets where it operates it can receive several other types of requests.
It disclosed the following types of requests from various authorities:
- Data requests pursuant to criminal investigations
- Data requests for location disclosure
- Data requests pursuant to suspension of MSISDNs, SIM cards, service restriction orders and Internet shutdown
- Data requests for lawful intercept
- Data requests pursuant to governmental or regulatory oversight
From non-governmental entities it received the following types of requests:
- Data requests for personal or private use
- Data requests pursuant to civil litigation
No location data disclosure in South Africa
Of note is the fact that no data requests for location disclosure are mentioned in South Africa.
Following the assassination of Lieutenant-Colonel Charl Kinnear it has emerged that there was widespread abuse of Wireless Application Service Provider (WASP) interfaces that allowed people to pay to track cellphones without the consent of the person being tracked.
Murray Hunter, a digital rights activist formerly with the Right2Know Campaign, said that a report like this would not count location tracking requests unless they came through official channels.
“A report like this only counts official requests for customer data that the company’s local officials have a record of having received, and that they are legally allowed to disclose,” Hunter said.
“[It’s] a very limited glimpse of the picture but welcome all the same.”