Intervalo: 07/07/2020 - 07/07/2020

What is the impact of the Schrems-Facebook case decision on the transfer of personal data of European citizens? What do the authorities have to say about Privacy Shield? Google fined for not respecting the Right to be Forgotten, while EDPB establishes guidelines for its use. This and much more…

Data Protection at Authorities

Autorité de protection des données – Belgium

Belgian authority fines Google 600,000 euros for failing to respect the right to be forgotten

After the company rejected a citizen’s request for deindexation (excluding search results linked to his name) from outdated information that hurt his reputation, the authority decided on a € 600,000 fine, the highest ever imposed by the authority. The plaintiff asked for the deindexation of pages related to political guidance and also about a harassment complaint against him, declared unfounded for years. The authority agreed with the exclusion of pages related to political guidance, due to their role in public life and the importance of such references for the public interest. The fine, therefore, was related to the non-exclusion of articles on the complaint of harassment, the latter under which there would no longer be informational use.In Brazil, RE/1010606, of general repercussion in the Supreme Federal Court, discusses the so-called right to be forgotten. It is important to mention that, during the process, there was a public hearing in order to consolidate the right to be forgotten in Brazil.

Commission for Personal Data Protection – Bulgaria

Bulgarian authority publishes judgment of the Vienna Regional Court in the Schrems-Facebook case

The Vienna Regional Court ruled in the case between activist Max Schrems and Facebook, answering questions about the corporation’s ability to obtain users’ consent, its compliance with requests related to personal data and explanation of the terminology “data exclusion” and its meaning in practice. The decision describes in detail the way Facebook creates user profiles, by automatically reading the history of the pages visited, as well as the information obtained from connections with friends or likes. This practice, however, does not take into account the sensitivity of these data, pointed out the Court. From the facts found, it was not possible to conclude whether there was a violation of art. 9 of GDPR, which talks about the processing of special categories of data – sensitive data, but that there was a violation of art. 15 of the Regulation, since the company does not present enough opportunities for the review of the stored data, by the holder.

In Brazil, the delay in installing the National Data Protection Authority (ANPD) not only undermines the eventual recognition that Brazil is a country with an adequate level, but also that contractual instruments are activated (eg, contractual clauses) as alternatives to the free flow of data (articles 33 and 35 of the LGPD).

Datatilsynet – Denmark

Danish authority criticizes the road transport company Fynbus I/S.A

After conducting an audit of Fynbus, the Danish authority concluded that the company has failed to fulfill its duty to provide information related to the collection of personal information in three of the five web applications/services, because the necessary information is not provided clearly. Customers needed to look for information on the website itself, so the authority criticized the company’s conduct, claiming that the privacy policy is extremely deficient.In Brazil, a similar argument was used by the National Department of Consumer Protection against facebook due to the lack of transparency regarding the sharing of data from users of the platform with the Whatsapp and Instagram platforms.

Judgment of the European Court of Justice in Schrems II

The European Court of Justice decided on 16 July 2020 in Case C-311/18, the so-called “Schrems II case”. The European Court of Justice has ruled that the “Privacy Shield decision” is invalid. This means that, in the future, no personal data can be transferred to the United States using such a bilateral international agreement. The Court of Justice of the European Communities, on the other hand, determines that the standard contract terms of the EU Commission standard contracts remain valid. However, the decision raises a number of issues that need to be further examined, especially what other measures, in addition to the mere adoption of such contractual instruments, for the purpose of international transfer.

European Data Protection Supervisor – EDPS

EDPS publishes guidelines on reactions to the coronavirus crisis for employers and institutions

The document compiles all guidelines directed to issues related to the coronavirus crisis, such as teleworking tools, team management, aspects of health data treatment and others. The authority points out that the data protection rules are flexible enough to allow for several measures that allow the work to continue, and that it is possible that some adaptations resulting from the emergency situation may require some time.In Brazil, the non-entry into force of the LGPD is harmful, in this sense, since it contains the rules for the good proceduralization of this type of data processing – for the use of eventual tools to combat the pandemic – which would configure legal security and respect for fundamental rights for such types of practices.

EDPS publishes statement on the Schrems II case

The authority reaffirmed the importance of maintaining a high level of protection for personal data transferred from the European Union to third countries. It further states that it is the second time in five years that a European Commission decision on the suitability of the United States has been invalidated by the court, so there are severe criticisms of Privacy Shield. Finally, EDPS recalls that the protection of personal data is a fundamentally widely recognized right that not only in the European context and, therefore, the United States must impose all possible efforts and means to move towards a comprehensive legal framework in data protection and privacy, which genuinely meets the requirements and adequate safeguards reaffirmed by the Court.

CNIL – France

French authority publishes recommendations for controllers and personal data processors

After conducting checks with fifteen IT service and IT solution providers online, the authority published some good practices to be adopted, such as: (i) determining the status of the actors involved: observing who does what and in which framework is in the GPDR; (ii) establish a clear contract: organize reports and obligations and integrate all the information listed in article 28 of the GDPR; (iii) document the subcontracting activity; (iv) offering tools that respect the protection of personal data; (v) helping the controller to respond to requests for the exercise of human rights and (vi) ensuring the security of the data collected.

Unlike GDPR, the LGPD is not as detailed about the due diligence obligations of the controllers as to their operators. However, Brazilian law establishes, as a rule, joint and several liability of the controller for the actions of the operator, so that there is an incentive for there to be such control in the data processing chain.

French authority publishes a practical guide and set of procedures for authorized third parties

The authority has published the practical guide that presents the problems that can be encountered by the data controller and possible points of surveillance when processing a data communication request by an authority that requires it. In addition, it listed the actors likely to request the disclosure of personal data. Among the guidelines, we highlight: (i) obtaining a written communication request specifying the legal basis of the request; (ii) the quality control of the authorized third party making the request; (iii) verify that the scope of the request is in accordance with the legal provisions invoked; (iv) application of confidentiality measures to guarantee the exchange and (v) preservation of the traceability of the exchanges and checks carried out.

CNIL is analyzing the consequences of the invalidity of Privacy Shield

The authority is currently conducting an accurate analysis of the sentence handed down by the European Union Court of Justice in the Schrems II case, together with its European counterparts meeting in the European Data Protection Committee. It is intended, from the analysis, to extract the consequences for the transfer of data from the European Union to the United States.

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – Germany

German authority publishes comments on the Schrems II case

Professor Ulrich Kelber pointed out that “The CJEU makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special data protection measures must be taken for data exchange with the US. Companies and authorities can no longer transmit data based on the Privacy Shield, which the Court declared ineffective. “. The authority also stated that the main focus will be the review of the European Commission’s standard contractual clauses, as well as the need for the US to ensure that the fundamental rights of the European population are assimilated to those of the citizens of the USA.

German authority decides on the topic of access to telecommunication data

BfDI Vice President Jürgen H. Müller stated that “not every crime can lead directly to consultation with telecommunications providers. BfDI has been pointing out the disproportionality of the regulation for years. The legislator must now better consider citizens’ rights to informational self-determination when revising the Telecommunications Law.”. The authority recalled that the decision does not make the data fundamentally inaccessible, but that there must be a proportionate and properly defined legal basis for both the telecommunications provider and the security authorities that carry out the consultation. There must always be a specific danger or the initial suspicion of a crime in individual cases, otherwise, fundamental rights may be affected.In Brazil, the Criminal Procedure Code (article 13-A) provides that telecommunications companies provide registration data for purposes of criminal prosecution, just as the Civil Rights Framework for Internet in Brazil also allows access to connection logs and registration data, also for purposes prosecution and criminal investigation and by judicial decision that allows it. The limits around such a data retention regime were debated at the public hearing of the Parliamentary Commission of Inquiry (CPI) on Cyber ​​Crimes, in 2015.

Data Protection Commission – Ireland

Irish authority publishes note on Schrems II case

The authority reinforced the idea that European citizens do not enjoy the level of data protection required by EU law when their data is transferred to the United States, and in that sense, although the trial captures Schrems-related Facebook data transfers, it is clear that its scope extends far beyond that, addressing the position of the citizens of the European Union in general. The authority pointed out that the Court determined that the transfer mechanism used for countries around the world is, in principle, valid, although it is clear that in practice the application of the mechanism is questionable and that this is therefore an issue that will require further examination by the European authorities.

Garante per la Protezione dei Dati Personali – Italy

Italian authority fines mobile phone companies

Research on abusive marketing revealed that MyWind and My3 applications were configured to require the user to provide every new access, a number of consents for various processing purposes (marketing, profiling, communication with third parties and geolocation). The companies were fined 200 thousand euros. The authority also examined the results of the investigation against the company Iliad, which was found to be deficient in terms of internal access methods that allowed employees to have access to customer data and, for that reason, was sanctioned at 800 thousand euros.In Brazil, the Public Ministry of the Federal District (MPDFT) has already investigated VIVO on the use of subscriber data to target advertising (Vivo Ads), which did not allow customers to oppose the processing of their personal data for advertising purposes.

Garante answers to questions about contact tracing applications

The authority clarified that people cannot be forced to install the applications, so there can be no negative consequences for those who do not install them. Therefore, it is not possible for a specific region to condition your access to the use of the contact tracing application. It also emphasized that applications should process only the data strictly necessary to pursue the processing objectives, avoiding excessive data collection and limiting themselves to asking for permissions to access resources or information on the device only if necessary.

Autoriteit Persoonsgegevens – Netherlands

Dutch authority points to breach of privacy and discriminatory practices by tax authorities

The authority stated that the tax authorities should not have processed the dual nationality of the child care subsidy applicants, as were violations of GDPR – discriminatory. In May 2018, a total of 1.4 million people with dual nationality were registered in the Public Tax and Customs Administration systems and, as the investigation indicated, dual nationality has nothing to do with the evaluation of a subsidy application, of that the tax authorities misused this data. In addition, the system discriminated between Dutch and non-Dutch people to designate the risk of certain grant applications, an obviously discriminatory practice. The Dutch authority will assess whether the tax authorities will be sanctioned with a fine.

European Data Protection Board – EDPB

East Power company fined 4,000 euros for failing to provide the supervisory authority with access to personal data and other information necessary for investigative performance

The fined company provides employment services in Poland and Germany, and a complaint against his actions was filed by a German citizen because it  processed his personal data for marketing purposes. The complaint was lodged with the competent German data protection authority for Rhineland-Palatinate, but was taken up for consideration by the president of UODO (Polish authority), who was the main authority in this case, because the company is based in Poland. It was only in response to the notice of initiation that the company provided more extensive explanations, but these were incomplete and required further investigation. Therefore, the President of the Office of Personal Data Protection considered that the company does not wish to cooperate with him and does not fulfill the obligation – provided for in the GDPR – to provide access to personal data and other information necessary to carry out his tasks, in this case, handle a complaint lodged by a German citizen.

Declaration on the judgment of the ECJ for the Schrems II case

The EDPB welcomed the judgment of the CJEU, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. With regard to the Privacy Shield, the EDPB stressed that the EU and the USA must achieve a complete and effective framework that ensures that the level of protection afforded to personal data in the USA is essentially equivalent to that guaranteed in the EU, in accordance with judgment. Finally, the EDPB will evaluate the trial in more detail and provide additional clarifications to interested parties and guidance on the use of instruments for the transfer of personal data to third countries under the terms of the trial.

EDPB publishes guidelines on the Right to be Forgotten criteria in search engine cases

The document is divided into parts, such as the grounds for requesting deregistration from a search engine and gives some possibilities, such as the right to exclusion when personal data is no longer needed for processing by the supplier, when the holder of the data withdraw consent and there is no other legal basis for processing, in exercising the right to opposition or when personal data have been illegally processed. The document also speaks of the balance between public interest, purposes of scientific scientific research and the rights of the data subject.

Data Protection at Univesities

Countermovements to Reinstate Countervailing Powers


This is a review by Mireille Hildebrandt on the book “Between Truth and Power: The Legal Constructions of Informational Capitalism”. Hildebrandt defends, in his words, that “Cohen affirms that Montesquieu’s powers of compensation demand reinvention in the face of the radical reconfiguration of the political economic scenario created by the shift from neoliberal economic markets to vertically monopolistic and multifaceted platform economies”.

The Chinese approach to artificial intelligence: an analysis of policy, ethics and regulation

ROBERTS, Huw. COWLS, Josh. MORLEY, Jessica. TADDEO, Mariarosaria. WANG, Vincent. FLORIDI, Luciano.

The article argues that the New Generation Artificial Intelligence Development Plan (AIDP) set strategic goals and outlined the overarching goal of making China a world leader in AI by 2030. In this regard, it seeks to understand the ramified implications and analyzes current political debates relevant China. To this end, the article maps the relevant AI legislation in China, analyzes interventions and the impact of legislation on the keys: international competition, economic growth and social governance. The last section of the article is focused on observing the ethical standards developed by China for the implementation of AI.

Data Protection in the Brazilian Legislative

Urgent regime required for Bill that provides for the use of videoconference by Public Defenders

Urgency Request submitted by Congresswoman Paula Belmonte (CIDADANIA/DF) and others, who “Requires an urgency procedure for the consideration of Bill No. 2559/2020, which” Provides for the use of teleconferencing and videoconferencing for Public Defenders during the Coronavirus (Covid-19) crisis.”.

Opinion published on Bill that requires the compulsory notification of death due to severe acute syndrome

The bill draftsman gave his opinion, in Bill 1622/2020 and attached, pointing to the need for active transparency regarding the data related to COVID-19. The data that will be used for dissemination by the Ministry of Health must be anonymized, according to the Congressman, so that they can be used for scientific research purposes and respect the privacy of those affected.

Presented Bill providing for the establishment of a system of information to COVID-19

On July 13, Law No. 3752/2020, authored by parliamentarians Célio Moura – PT/TO, Enio Verri – PT/PR, Beto Faro – PT/PA, João Daniel – PT/SE, Marília Arraes – PT / PE, Pedro Uczai – PT / SC, Carlos Veras – PT / PE, Bohn Gass – PT / RS, Luizianne Lins – PT / CE, Valmir Assunção – PT / BA, Afonso Florence – PT / BA, Nilto Tatto – PT / SP, Jorge Solla – PT / BA, Patrus Ananias – PT / MG, Alexandre Padilha – PT / SP, José Ricardo – PT / AM, Airton Faleiro – PT / PA, Rogério Correia – PT / MG, José Guimarães – PT / CE, Marcon – PT / RS and others, was published. It provides for the creation of an information system related to COVID-19, with the purpose of storing, processing and integrating data and information. The Bill was attached to the Bill 1622/2020 and included in the opinion published by the Rapporteur Dep. Fed. Aliel Machado.

Presented Bill that institutes and provides for the on-demand work regime

On July 17, Bill 3748/2020 was presented by Dep. Fed. Tábata Amaral, which institutes the work on demand regime, defining that it is the provision of services directly with the service on demand platform, which, in turn, presents a proposal for the performance of services for one or more workers. The Bill defines that the National Data Protection Authority (ANPD) will establish interoperability parameters to ensure the portability of on-demand worker assessments carried out by customers. Another project, with the same text, was presented by Senator Alessandro Vieira, PL 3754/2020.

Data Protection in the Brazilian Judiciary

Rio de Janeiro Court of Justice ruling condemns hospital for failing to protect patient’s personal data

On July 15, a decision was published in Civil Appeal No. 00313996-89.2016.8.19.0208, by Judge Regina Lucia Passos. The magistrate used the right to data protection and informational self-determination to condemn a hospital that did not protect the data of a patient who underwent an attempt to embezzle from the use of this data. The judge cited “the right to the protection of personal data is a new and active right, which imposes the operation of a security system to protect the individual whenever his personal data is collected and used.” (ARANHA, Estela e FERREIRA, Lucia Maria Teixeira. O direito fundamental à proteção de dados e a importância da proposta de alteração constitucional nº 17/2019) to uphold the appeal and order the hospital worth 5,000 reais and attorney’s fees.