Hello reader! In the 27th edition of the Bulletin, we highlight the multi-million fines imposed by the ICO, in cooperation with the other European authorities, on British Airways and the Marriott hotel group for breaches of customer data. It is worth noting that this cooperation between authorities is a novelty introduced by Article 60 of the GDPR, which governs cooperation between the lead supervisory authority (in this case, the ICO) and the authorities concerned (such as the CNIL). We also highlight the guide published by the ICO on the processing of data relating to criminal offences, and the settlement between the FTC and Zoom after the FTC found that the company had made false statements about the privacy and data protection of its users.
While the Zoom settlement stems from the company's failure to meet requirements identified as necessary to preserve privacy, including the use of encryption, an Austrian newspaper reported on November 8 that a draft resolution of the Council of the European Union would prohibit the use of end-to-end encryption, on the grounds of enabling the competent authorities to combat terrorism. From the standpoint of the protection of personal data and other rights, this is a worrying proposal: under the general aim of guaranteeing national security, rights such as privacy and freedom of expression would be directly affected.
We also highlight the emphatic position of the Dutch Authority on the use of facial recognition technology and how, under the GDPR, it should be the exception. The Authority pointed to the inadequacy of facial recognition in the sector where it is most common in the country: retail. The use of facial recognition in stores is not new in Brazil, where the emblematic cases are chains such as Hering and Carrefour, which use the technology to capture customers' emotions and target advertising at them accordingly. The practice is contested by entities such as the Brazilian Institute for Consumer Protection (Idec). On the subject, Idec and InternetLab published the report "Facial Recognition and the Private Sector", a guide to good practices for the adoption of the technology, especially by private establishments.
We wish you all a good reading!
Bruno Bioni, Iasmine Favaro & Mariana Rielli
Data Protection at Authorities
The Authority pointed out that service of a document by public notice can be done in two ways: by posting the document itself, or by posting only a notice that the document may be collected, on the official notice board of the administrative body serving it. When choosing between the two, the purpose of the publication and the fact that the document contains personal data must be taken into account. The Authority also held that the administrative body must consider the circumstances of the case and the content of the document in deciding how to comply with its obligation to post the document or the notice. For example, publishing only a notice that a document may be collected is not possible when the document is addressed to unknown recipients, whose identities are not known and who are determined by some other characteristic; but when it is addressed to a specific, known natural person, that person can be identified and the option of publishing a notice that the document may be collected can be used. Such a notice may contain only the personal data necessary to identify the recipient; the recipient's privacy is further protected because the data contained in the document itself are not published. The controller is also obliged to take appropriate measures, in line with the GDPR, to avoid possible unjustified disclosure of personal data.
In justified cases, in particular where the full text of the document is made available by service through public notice, the controller must take appropriate measures to ensure that the web address is not indexed. Documents published through an official electronic bulletin board contain personal data which, unless the relevant web pages are kept out of search-engine indexes and caches, remain accessible through search engines and web archives for some time after being removed from the bulletin board. If personal data that had to be published in order to allow remote access remain accessible to the entire population after that, this is an undesirable situation which the controller is obliged to try to avoid. The Authority therefore decided that, in this and similar cases, a general ban on indexing can be regarded as a standard measure for the controller.
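As an added illustration of the indexing measure the Authority describes (example code written for this bulletin entry, not part of the decision or of any bulletin-board software; the URLs, robots.txt and responses below are constructed), the following Python checks whether a published page actually carries a directive that search engines will honour. It also captures the caveat the Authority's reasoning implies: forbidding crawling in robots.txt alone is not enough, because an engine that cannot fetch the page never sees a noindex directive and may still list the URL, and keep an older cached copy, if the page is linked from elsewhere.

```python
"""Audit how pages of an official bulletin board are shielded from search engines.

Added example, not from the bulletin or the authority's decision. All sample
data (ROBOTS_TXT, CASES) is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib import robotparser


def _split_directives(value):
    """'googlebot: noindex, nofollow' -> ['noindex', 'nofollow'].

    X-Robots-Tag values may carry an optional user-agent prefix before ':'.
    """
    out = []
    for tok in value.split(","):
        tok = tok.strip().lower()
        if ":" in tok:
            tok = tok.split(":", 1)[1].strip()
        if tok:
            out.append(tok)
    return out


class _RobotsMeta(HTMLParser):
    """Collects the tokens of <meta name="robots"> and <meta name="googlebot"> tags."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.tokens += _split_directives(a.get("content", ""))


def robots_directives(headers, html):
    """Union of X-Robots-Tag header tokens and robots meta-tag tokens."""
    tokens = []
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            tokens += _split_directives(value)
    parser = _RobotsMeta()
    parser.feed(html)
    return set(tokens + parser.tokens)


def assess_indexing(url, robots_txt, headers, html):
    """Classify a page's protection against indexing.

    'noindex'             crawlable and carries noindex: the engine reads the
                          directive and drops the page from its index.
    'blocked_url_visible' robots.txt forbids crawling, so the engine never sees
                          any noindex and may still list the bare URL (and keep
                          an old cached copy) if the page is linked to.
    'indexable'           nothing stops indexing or caching.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch("*", url):
        return "blocked_url_visible"
    if "noindex" in robots_directives(headers, html):
        return "noindex"
    return "indexable"


# Constructed sample: three ways an official bulletin might publish a notice.
ROBOTS_TXT = "User-agent: *\nDisallow: /archive/\n"
CASES = {
    # header directive, page is crawlable: the right way to do it
    "https://bulletin.example/decree/2020-1.html": (
        {"Content-Type": "text/html", "X-Robots-Tag": "noindex, noarchive"},
        "<html><body>Notice to J. Doe: a document awaits collection.</body></html>",
    ),
    # meta noindex, but robots.txt blocks the crawler so it is never read
    "https://bulletin.example/archive/2019-7.html": (
        {"Content-Type": "text/html"},
        "<html><head><meta name='robots' content='noindex'></head><body>...</body></html>",
    ),
    # full text with personal data and no protection at all
    "https://bulletin.example/decree/2020-2.html": (
        {"Content-Type": "text/html"},
        "<html><body>Full text of the decision, with personal data.</body></html>",
    ),
}


def audit(cases=CASES, robots_txt=ROBOTS_TXT):
    """Return {url: status} for every sampled page."""
    return {url: assess_indexing(url, robots_txt, h, b) for url, (h, b) in cases.items()}


if __name__ == "__main__":
    for url, status in audit().items():
        print(f"{status:20s} {url}")
```

The `noarchive` token matters for the caching problem the Authority mentions: `noindex` removes the page from results, while `noarchive` tells the engine not to keep a stored copy that could outlive the page's removal from the board.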
The Supreme Court held that the installation of security cameras that can film what happens in the common areas cannot be presumed to be a matter for the condominium as such. The Court ruled that apartment owners may decide to install recording cameras in the common areas by majority vote. If the owner of an apartment considers that, for security reasons, cameras should be installed to record what goes on in the condominium, he may propose that the other owners decide accordingly. If the majority of owners do not agree to the installation of cameras, they cannot be installed.
The European Data Protection Supervisor issued a strategy document aimed at monitoring compliance by the European institutions, bodies, offices and agencies with the "Schrems II" judgment as regards transfers of personal data to third countries, in particular the United States. The aim is for current and future international transfers to be carried out in accordance with EU data protection law. As a short-term compliance action, the Authority ordered the institutions to complete a mapping exercise identifying which ongoing contracts, procurement procedures and other types of cooperation involve data transfers. Institutions are expected to report to the Authority on certain types of transfers, such as those without a legal basis, transfers based on derogations, and transfers to private entities in the USA that present high risks for data subjects. For new processing operations or new contracts with service providers, the EDPS strongly encourages the European institutions to avoid processing that involves the transfer of personal data to the United States. As a medium-term compliance action, the Authority will provide guidance and pursue compliance and/or enforcement actions for transfers to the USA or other third countries on a case-by-case basis. Institutions will be asked to carry out an impact assessment to identify, for each specific transfer, whether a level of protection equivalent to that provided in the EU is offered in the third country of destination. Based on these assessments, institutions should decide whether the transfers identified in the mapping exercise can continue. The Authority also noted that it will begin exploring joint assessments of the level of protection of personal data in third countries in order to provide guidance to controllers.
The UK data protection authority, the ICO, recently imposed its largest fines to date under the General Data Protection Regulation (GDPR). The fines of £20 million (approx. €22 million) for British Airways and £18.4 million (approx. €20 million) for the Marriott hotel chain stem from personal data breaches that made customer data accessible to third parties. In the case of British Airways, the data of approximately 430,000 people, including names, addresses and, for 200,000 of them, payment card details (card numbers and CVV codes), were exposed. In the case of the Marriott hotel group, 339 million customer records were affected, including 30 million relating to European residents, containing names, e-mail addresses and passport numbers. In both cases, these are companies that process large amounts of personal data and have the financial resources and highly qualified personnel needed to guarantee a high level of security. The CNIL noted that the GDPR has made information security a general principle to be observed, creating new obligations in this area, and that these decisions are a reminder that data security requires constant vigilance, with serious consequences in the event of a breach. It also recalled that a previous decision by the German data protection authority, based on the security obligation, had already led to a fine of almost €10 million against a telecommunications operator. Beyond the fine itself, the CNIL pointed out, such sanctions generally lead to significant investments aimed at preventing the recurrence of personal data breaches and strengthening the security of organizations.
The Authority asked suppliers and manufacturers of facial recognition cameras which sectors they supply the most and which sectors are most interested in purchasing their systems in the future. Stores, number one on the list, use facial recognition to detect people who steal more frequently. Security companies, exhibition venues and amusement parks want to use the technology for access control. “If we fill the country with such systems, you can be monitored continuously. These cameras don’t just record you, they know who you are,” says Monique Verdier, Vice President of the Authority, and continues: “They can recognize you when you enter the liquor store to buy a bottle of wine, for example, and they can also register you if you do it more often than someone else. This is not only an unpleasant idea, but also illegal. We understand that, as a retailer, you want to prevent theft, but this is not allowed in this way.” The Authority stressed that, in principle, using biometric data to identify someone is prohibited. There are two exceptions to this ban: (i) the people filmed have expressly given their consent, or (ii) facial recognition is used for security or authentication purposes, but only to serve a ‘substantial public interest’. An example would be the security of a nuclear power plant. According to the Authority, however, the security of a store is not important enough to justify the processing of biometric data.
Marriott estimates that 339 million guest records worldwide were affected by a 2014 cyber attack on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, two years after Starwood had been acquired by Marriott. The personal data involved varied between individuals, but may have included names, e-mail addresses, telephone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status and loyalty programme membership numbers. The exact number of people affected is unclear, as there may be multiple records for a single guest. The ICO investigation found that Marriott had failed to implement appropriate technical or organizational measures to protect the personal data processed in its systems, as required by the General Data Protection Regulation (GDPR). The ICO traced the cyber attack back to 2014, but the penalty relates only to the breach from 25 May 2018, when the GDPR came into effect. The action and the penalty imposed were approved by the other EU DPAs through the GDPR cooperation process. In July 2019, the ICO issued Marriott a notice of intent to fine. As part of the process, the ICO considered Marriott’s representations, the measures Marriott took to mitigate the effects of the incident, and the economic impact of COVID-19 on its business before setting the final penalty.
In the guide, the Authority refers to these data as ‘criminal offence data’, although this is not a term used in the GDPR. It covers not only data referring to a specific criminal conviction or judgment, but also any other personal data “relating to” criminal convictions and offences. “Relating to”, according to the ICO, should be interpreted broadly: it covers all personal data linked to criminal offences or used specifically to infer something about an individual’s criminal record or behaviour. The presumption is that this type of data should be handled with more caution, as its collection and use are more likely to interfere with fundamental rights or to expose the person to discrimination. This is part of the GDPR’s risk-based approach. Even so, the guide points out that this kind of data is treated differently from the special categories of data, which are considered particularly sensitive. This is because the interests of society at large and the need to protect the public from criminal activity probably mean that the use of criminal offence data can be justified in a wider range of circumstances, despite the potential impact on individual rights.
The FTC has just announced a case concerning the security of consumer information on the Zoom video-conferencing app. The FTC alleged that Zoom failed to protect users’ information in several ways: (i) Zoom claimed to provide end-to-end encryption (a way of protecting communications so that only the sender and recipient can access them) for Zoom meetings. In fact, it did not. (ii) Zoom claimed to provide a higher level of encryption for meetings than it actually did. (iii) Zoom told users who recorded a meeting that it would store an encrypted, secure version of the recording as soon as the meeting ended. In fact, Zoom kept unencrypted recordings on its servers for up to 60 days before moving them to its secure cloud storage. (iv) Zoom installed software called ZoomOpener on Mac users’ computers. This software bypassed a Safari browser security setting and put users at risk: for example, it could have allowed strangers to spy on users through their computers’ cameras, or allowed the vulnerability to be exploited to download malware and take control of users’ computers. If users deleted the Zoom application, ZoomOpener remained, and so did these security vulnerabilities, and Zoom could reinstall the application without the user’s permission or knowledge. (Apple removed the ZoomOpener web server from users’ computers in 2019.) (v) Zoom did not give users clear information about the ZoomOpener software. The company agreed to a settlement and, although it has already discontinued many of the practices contested in the complaint, the settlement requires it to keep its privacy and security promises and to implement a comprehensive security programme designed to protect users’ information, or face sanctions.
Data Protection at Universities
In the article, the authors explore the theoretical bases for GDPR sanctions and test the DPAs’ practice against them. Drawing on an analysis of the various functions of sanctions (confiscation, retribution, incapacitation, etc.), they conclude that their main objective in the context of the GDPR is deterrence: inducing compliance with the expected obligations. To achieve deterrence, they argue, sanctions must be severe enough, which has not been the case under the GDPR, as an examination of the actual amounts of the sanctions shows. This may seem paradoxical, given the substantial increase in the maximum potential fines under the GDPR. Sanctions under the previous regime were, with certain exceptions, generally limited to amounts below €1 million (for example, £500,000 in the UK, €100,000 in Ireland, €300,000 in Germany and €105,000 in Sweden). Where the GDPR has been applied, sanctions have ranged from €28 for Google Ireland Limited in Hungary to €50 million for Google Inc in France, far below the potential maximum penalty of 4% of turnover, which for Google Inc would have been approximately €5.74 billion in 2019. Although the highest sanctions under the GDPR have been substantially higher than those imposed under previous legislation, they remain far from the maximum fines the law permits.
The book explores the question: do the technology giants form monopolies? In the current climate of suspicion towards the main technology companies, driven by concerns about their power and influence, it has become common to speak of Google, Facebook, Amazon, Apple, Microsoft or Netflix as the modern version of 19th-century cartels. The technology giants are blamed for a series of harms resulting from concentration, affecting consumers, workers and even the democratic process. The book builds a theory of “moligopoly”, according to which the technology giants, or at least some of them, coexist both as monopolies and as competing oligopolists in an environment of great uncertainty and economic dynamism. On this basis, the book assesses the ongoing efforts of regulatory and antitrust policy and seeks to show that it is counterproductive to pursue policies that introduce more rivalry into moligopoly markets subject to technological discontinuities, and that non-economic harms, such as privacy violations, misinformation or hate speech, are difficult issues that belong to the realm of regulation, not antitrust remedies.
Data Protection in the Brazilian Legislative
The Bill, presented in May 2020 by Federal Deputy Julio Cesar Ribeiro (REPUBLICANOS), proposes to amend the Statute of Children and Adolescents to restrict access to internet portals providing pornographic content to people over 18 years of age who have previously registered with the application providers. The bill was attached to Bill 3595/2015, which proposes to amend the Child and Adolescent Statute to make it harder for children and adolescents to access adult content sites on the internet. Neither proposition mentions the means of registration to be used, nor the safeguards for the protection of the personal data of registered persons.
Bills 811/2020 and 329/2020, authored by Federal Deputies José Guimarães (PT) and Julio Cesar Ribeiro (REPUBLICANOS) respectively, were joined. Both propositions provide for the biometric identification of the user at the moment the passenger transport service begins. The propositions, however, do not demonstrate with data the necessity and effectiveness of the measure, nor do they set out safeguards for the protection of biometric data, which under the General Data Protection Law are sensitive data subject to a more restrictive legal regime.
The president of the Chamber of Deputies received, on the 5th, the proposal drafted on the basis of a report by a group of lawyers coordinated by Justice Nefi Cordeiro of the Superior Court of Justice. The draft must be presented by a federal deputy in the Chamber before it can begin its passage through the House.
Data Protection in the Brazilian Judiciary
Writ of mandamus No. 0101473-97.2020.8.26.9000 was brought by Google Ireland against a court order requiring the disclosure of personal information from the e-mail account of an individual accused of making threats. The information required by the court was: the connection records, consisting of the IP address with the respective date, time, time zone and logical port; all content stored in the account’s mailboxes; all information on the devices connected to the Google account; and any other information useful to identify the person responsible for the e-mail. The company argued that, in this case, it could only provide the data from that e-mail account to a Brazilian authority through an international cooperation procedure between Brazil and Ireland. It also pointed out that, since the evidence to be obtained is located in Ireland, it would be subject to the European Union’s General Data Protection Regulation (GDPR), under which the transfer of personal data outside the European Economic Area requires that the recipient country be recognized as adequate for this purpose, and Brazil has not been certified as guaranteeing an adequate level of protection for personal data. Judge Maria Carolina de Mattos relied on the Marco Civil da Internet to hold that in any operation of collection, storage, retention and processing of records, personal data or communications by connection and internet application providers in which at least one of these acts takes place in national territory, Brazilian law and the rights to privacy, protection of personal data and confidentiality of private communications and records must be respected. In the end, she partially granted the writ, only so that the petitioners are excused from providing all content stored in the mailboxes of the e-mail account, while still having to provide the metadata (IP address, date and time, etc.).