LAW ENFORCEMENT ASSISTANCE
VODAFONE GLOBAL POLICY STANDARD

Objective/Risk

Create the governance and safeguards necessary to ensure we appropriately balance respect for our customers' right to privacy and freedom of expression with other obligations necessary to a free and secure society.

Scope and Compliance

This Policy Standard applies to all Vodafone companies and joint ventures with an interest of 50% or more, or managed control, and to their employees, contractors, suppliers, and directors.

Compliance levels will be monitored on a regular basis and results reviewed by appropriate governance bodies. Any breach will be treated as a serious disciplinary offence and may be subject to disciplinary actions in accordance with the provisions of the relevant local HR policy.

Contents

1 The Principles
1.1 Why is this important?
1.2 What are the basic requirements?
1.3 What do we mean by law enforcement authority?
1.4 What do we mean by assistance?
2 Controls and deliverables required for compliance
2.1 Governance Committee
2.2 Vodafone Support Companies and Suppliers
2.3 Assisting foreign law enforcement authorities
2.4 Reporting
3 Roles and responsibilities
3.1 Corporate Security/Legal
3.2 Privacy Counsel
3.3 Governance Committee
3.4 Public Policy/External Affairs
4 Exceptions
5 Supporting documents
Annex 1 - Law enforcement assistance requirements: mandatory assistance
Annex 2 - Law Enforcement Assistance Requirements: Discretionary Assistance
Annex 3 - Law Enforcement Assistance Requirements: Challenging Demands

1 The Principles

1.1 Why is this important?

Vodafone's Privacy Commitments, as set out in the Code of Conduct, include a commitment to ensure that we balance respect for privacy (including the human rights and civil liberties of our customers) with other obligations necessary to a free and secure society, by working to minimize privacy impacts.

1.2 What are the basic requirements?

Our commitment to respect the privacy of our customers must in certain circumstances be balanced with our obligations to cooperate with the governments and law enforcement agencies of the countries in which we operate. When we assist these bodies, we do so under prescribed circumstances and we always follow the requirements laid out here.

We will provide assistance to law enforcement authorities only under certain carefully prescribed circumstances, and must follow the requirements applicable to each circumstance:

- When we are required by law to provide it (mandatory assistance): A country's laws may require us to provide law enforcement assistance. Here, we act only in accordance with Annex 1 - Law enforcement assistance requirements: mandatory assistance.
- When we are not prevented by law from providing it (discretionary assistance): If law enforcement assistance is not mandated by law, and providing assistance would not break a law (for example, an applicable privacy or data protection law), then we may decide to provide assistance in accordance with Annex 2 - Law enforcement assistance requirements: discretionary assistance.
- When we have a legitimate business purpose: To the extent reasonably necessary to protect a legitimate business interest, such as fraud or other crime committed against us, we may provide assistance, but only if doing so would not break a law.

When we receive a demand from a law enforcement authority that falls outside these three categories, we must decline to assist or escalate the demand to the Governance Committee to consider challenging it in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands.

1.3 What do we mean by law enforcement authority?

When we use the term law enforcement authority throughout this document, we mean it broadly. It could include:

a) public law enforcement and security authorities (for example, the police, intelligence services, customs or immigration)
b) regulatory bodies
c) courts and tribunals or other judicial authorities
d) any bodies given the status of a law enforcement authority by a relevant local law.

1.4 What do we mean by assistance?

When we refer to assisting law enforcement in this document, this includes any of the ways we could be asked to cooperate with them in relation to our business and our networks, for example by:

a) disclosing information about our customers or their use of our services
b) real-time surveillance or monitoring, such as intercepting voice telephony, messaging content or data traffic
c) collecting, retaining or preserving records (for example, Know-Your-Customer obligations), or the systematic use or retention of data on customers' use of our services
d) implementing or developing surveillance capabilities (for example, technical or operational interception or data retention capabilities), or decrypting protected communications
e) blocking, filtering, censoring or shutting down networks or telecommunication services like SMS.

2 Controls and deliverables required for compliance

Each local market and group entity will ensure processes are in place to comply with the following requirements:

2.1 Governance Committee

Vodafone Group and each Local Market shall establish a Governance Committee of senior management.

The Governance Committee must be chaired by the CEO (or a nominee reporting directly to the CEO) and include the Privacy Board Sponsor, Privacy Counsel, the Head of Corporate Security, and representatives from Legal and Government Affairs. This requirement could be met with an existing committee.

The Governance Committee will meet at least quarterly to:

- review the exercise of discretion in accordance with Annex 2 - Law enforcement assistance requirements: discretionary assistance;
- make determinations in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands; and
- issue directions or guidance in accordance with this Standard.

The Governance Committee can decide that their decisions should be used as a precedent for subsequent cases without referral back to the Committee.

The CEO is accountable for the decisions of the Governance Committee.

2.2 Vodafone Support Companies and Suppliers

2.2.1 Vodafone Support Companies

Vodafone Support Companies provide support services to other Vodafone companies and to other external parties; they essentially act as internal or external suppliers.

If a Vodafone Support Company receives a demand to provide assistance related to data or services hosted or managed on behalf of another Local Market, the Vodafone Support Company must, to the extent permitted by law:

- decline to assist the law enforcement authority on the matter
- promptly notify the appropriate person within the Corporate Security Team and the Privacy Counsel so that the affected Local Market can take control of the demand in accordance with the requirements outlined in this Standard, and
- promptly notify the nominated contact in Group Security and Group Privacy.

2.2.2 External Suppliers

External suppliers may not reply directly to demands they receive for assistance relating to Vodafone data. To the extent permitted by law, each Vodafone company must ensure that its contracts:
- prohibit suppliers from responding to requests to provide law enforcement assistance; and
- require suppliers to notify any affected Vodafone company of such requests and allow the affected company to take control of the request.

2.3 Assisting foreign law enforcement authorities

Vodafone Local Markets must provide assistance only to the law enforcement authorities of the country in which they are established. If a Local Market receives a request from the authorities of another country, it must decline to assist or refer the request to the Governance Committee to challenge or consider its response in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands.

2.4 Reporting

The Disclosure Officer shall provide the aggregate number of individual warrants served or received in their Local Market relating to lawful intercept and disclosure of communications data, respectively, to the Group Corporate Security Team for publication in the annual Vodafone Law Enforcement Disclosure Report unless one of the following six circumstances applies:

- Disclosure unlawful
- No technical implementation of lawful interception
- Awaiting guidance from government or a relevant agency or authority
- Unable to obtain guidance from government or a relevant agency or authority
- Cannot publish
- Government publishes

In which case, the Disclosure Officer shall cite the relevant circumstance in their response to the Group Corporate Security Team.

3 Roles and responsibilities

Each Local Market will ensure processes are in place and appropriate responsibilities allocated to meet this Standard.

3.1 Corporate Security/Legal

Law enforcement assistance may only be conducted under the supervision of the relevant local Head of Corporate Security or Head of Legal.

An appropriate person within the Corporate Security Team is responsible for helping the Privacy Counsel create the quarterly reports required by this Standard.

The Head of Corporate Security is responsible for ensuring all employees involved in law enforcement assistance are appropriately trained and supported to conduct their duties in accordance with this Standard.

3.2 Privacy Counsel

The Privacy Counsel is solely responsible for determining whether there is a legal obligation to provide law enforcement assistance. If a Local Market does not have such internal expertise available, it is responsible for seeking external legal advice.

The Privacy Counsel, with the help of the Corporate Security Team, is responsible for creating the quarterly reports in accordance with this Standard.

3.3 Governance Committee

The Governance Committee is responsible for reviewing the application of law enforcement assistance and issuing appropriate guidance as required by this Standard.

3.4 Public Policy/External Affairs

Any external communication of local issues governed by this Policy Standard should be directed through the Local Market's External Affairs Department and Head of Corporate Security in consultation with the Privacy Counsel and Legal Director.

Any external communication of issues relating to assisting law enforcement at a Group level should be directed through the Group External Affairs Department, the Director of Corporate Security and the Global Privacy Officer.

4 Exceptions

There are no exceptions allowed for this Policy Standard.

5 Supporting documents

This Policy Standard is part of the framework created by the privacy requirements of the Code of Conduct and should be guided by our Privacy Commitments.

The following documents support this Policy Standard:

- Annex 1 - Law enforcement assistance requirements: mandatory assistance.
- Annex 2 - Law enforcement assistance requirements: discretionary assistance.
- Annex 3 - Law enforcement assistance requirements: challenging demands.

Annex 1 - Law enforcement assistance requirements: mandatory assistance

Vodafone will comply with applicable laws mandating law enforcement assistance. In doing so, each Operating Company is responsible for ensuring that the scope of the applicable law is evaluated by an appropriately qualified and senior lawyer, taking into account international laws and standards regarding the protection of privacy that the relevant country is a party to (e.g. International Covenant on Civil and Political Rights). In particular:

i. Applicable laws and demands will be interpreted as narrowly as is lawfully possible to guard against unwarranted or over-broad disclosure or assistance.

ii. In the event that a demand or request for law enforcement assistance appears over-broad, unlawful or otherwise inconsistent with applicable law and international laws and standards on privacy, the Operating Company shall seek clarification or modification from authorized officials. This may include requesting clear written communications from the relevant LEA that explains the legal basis for the demand, the name of the requesting LEA entity and the name, title and signature of the authorising official.

iii. Where a demand or request for law enforcement assistance is considered to be over-broad, unlawful or otherwise inconsistent with applicable law and international laws and standards on privacy, the decision on whether and how to respond shall be referred to the person responsible for disclosures within the local Corporate Security team (the Disclosures Officer) and the Privacy Officer for a decision to refuse or challenge the demand, or to exercise discretion in accordance with exceptions to the general principle outlined in the global policy standard.

iv. Referrals to the Disclosures Officer and the Privacy Counsel under the previous paragraph shall be recorded, along with relevant details of the demand or request, the decision and the reasons upon which it was based, and made available to the Governance Committee.

v. Vodafone will insist upon the relevant LEA observing lawful due process in making any relevant demand or request for law enforcement assistance.

Annex 2 - Law Enforcement Assistance Requirements: Discretionary Assistance

Vodafone may exercise its discretion to provide law enforcement assistance only where there are substantial grounds to believe that:

i. The assistance is necessary and proportionate to prevent an imminent threat to national security or public safety, or the prevention of serious crime or risk to the life of, or serious personal injury to, any person; and

ii. The information could not reasonably be obtained through any other route, person or means; and

iii. The demand is intended for use solely for legitimate law enforcement purpose; and

iv. Appropriate safeguards can be identified and implemented to minimise the intrusion into the privacy of any individuals affected by such assistance; and

v. There are no other circumstances present that would cause Vodafone to suspect that the demand represents an unwarranted intrusion into the privacy of Vodafone's customers or users.

Every decision to exercise discretion should be approved by the Disclosures Officer and the Privacy Counsel. In such cases they are jointly responsible for ensuring that a record is retained, along with relevant details of the demand or request, the decision made and the reasons upon which it was based, classified as C4 and appropriately protected, and made available to the Governance Committee.

Annex 3 - Law Enforcement Assistance Requirements: Challenging Demands

When presented with a law enforcement demand or request that cannot be appropriately handled under one of the three circumstances outlined in paragraph 1.2, the Governance Committee shall take into account the following factors in determining its response:

i. the potential beneficial impact of declining or challenging a demand on the privacy of individuals affected;

ii. the likelihood of success of such action;

iii. the severity of the case;

iv. its cost to Vodafone, including the potential personal risk to individuals or Vodafone assets or investments; and

v. the representativeness of the case and whether the case is part of a larger trend.

Decisions of the Governance Committee under this Annex must be recorded, along with the reasons upon which it is based, the identities of the Governance Committee that approved it, and classified as C4 and appropriately protected.