Dear reader,
It is with great pride that we present the 29th Bulletin and the last of the year 2020, with new publications, guidelines, opinions, scientific articles, bills and court decisions that indicate that 2021 will be a year of even more intense discussion, with consolidations and improvements of the processes that started in 2020.
In this edition, we highlight the first publication of the Brazilian National Data Protection Authority (ANPD), an important document marking the start of the agency’s activities in the country. In a question-and-answer format, the Authority sought to clarify the basic concepts of personal data protection and to explain the importance of the LGPD coming into force for Brazilian society.
In the world, we highlight the instructions of the Czech Authority for conducting the Data Protection Impact Assessment (DPIA), with a series of explanations of the purpose of the document, the situations in which it is mandatory, and the procedures and components that must be taken into account when carrying it out. This is an important guideline, since the Brazilian General Data Protection Law adopts the DPIA as a safeguard mechanism for the protection of personal data and, with the law in force, many organizations will have to carry one out. It is important to note that the LGPD does not require an Impact Assessment to be carried out prior to processing; however, as noted in the guidelines published by the Czech Authority and as determined by the GDPR, the risk-based approach is important to avoid breaches of individuals’ privacy and data protection. In this sense, it is urgent that, in 2021, the ANPD also express directions and positions regarding the adoption of the DPIA.
We also highlight the worldwide movement to discuss personal data protection from a competition-law point of view. The Google-Fitbit case has moved the field since the end of last year and, in recent months, the debate on data protection and competition law has gained prominence, as the case of the United Kingdom shows. On December 8, it was reported that the British Competition and Markets Authority (CMA), in conjunction with the Data Protection Authority (ICO), was advising the British Government to produce a new regulatory regime for Big Tech, in which the priority should be to stimulate competition. On the other side of the Atlantic, there are also strong regulatory moves targeting the technology giants, with consequences for data protection, as is the case with the forty-eight American states that sued Facebook for abuse of market power.
We believe that, in 2021, this will be one of the hottest topics to be explored at the intersection with the protection of personal data, both in the world and in Brazil. As Ana Frazão points out in Antitrust Law for the 21st century, the narrow, single-focus view of Antitrust Law must be overcome in order to maximize consumer protection.
We would like to thank all readers who followed us through the intense year of 2020, and we hope that the 29 editions of the Privacy and Data Protection Bulletin have contributed to research, debates, questions and analyses. We also hope to contribute more and more in the year 2021.
We wish you all a great reading!
Bruno Bioni, Iasmine Favaro & Mariana Rielli
Data Protection at Authorities
The document aims to explain basic concepts related to the function of the General Data Protection Law and its importance for the country, and to define concepts such as personal data, sensitive personal data, data processing and legal bases. It also explains what the ANPD is, what its function is and how its activities are carried out, in addition to describing the structural profile of the agency and the ways in which society can participate in the processes the agency will develop.
The case concerns a couple who installed on their property a video surveillance system composed of five cameras. The couple’s neighbors complained to the Authority because some of these cameras were filming part of the public road in addition to the couple’s private property. The complainants took the images that concerned them as evidence, and these were subsequently shared with an expert under a procedure with the Environment Secretariat. The Authority considered the transfer of images obtained through the cameras to an expert, in the context of a dispute, to be illegitimate. On the one hand, the images were obtained without a valid legal basis. On the other hand, the law provides for the possibility of transferring images to police or judicial services, but the expert in question was not part of either. Thus, the Authority imposed a fine of 1,500 euros on the couple for the two infractions: poor placement of the cameras and sharing with third parties.
According to the Authority, the objective of the DPIA is that the controller of personal data, when considering the start of a new processing of personal data or a major change to an existing one, correctly fulfils their personal data protection obligations. The purpose of the impact assessment is to determine whether the planned or modified processing of personal data creates or increases the risk for data subjects. The risk-based approach (RBA), which requires controllers of personal data, as in other sectors, to assess and minimize the risk to data subjects as well as other risks arising from the processing of personal data, is one of the innovations introduced by the GDPR; it is the set of appropriate procedures to identify and mitigate or eliminate the privacy risks to the people affected by the interference caused by or resulting from a given processing of personal data.

Regarding the content of the DPIA, the Authority points out that, first of all, it is necessary to determine and explicitly state at the outset whether a new processing of personal data is being established, and that the same procedure applies if an existing processing of personal data is changed. In that case, it is necessary to clearly indicate the nature of the change – the individual parameters, especially the extension or reduction of the processing, and altered processing parameters such as the retention period of personal data or an extension of the number or range of individual data items. In addition, the personal data protection impact assessment always explicitly addresses the rights of the data subject. The content of the data subject’s authorizations is expressed in words, that is, by naming each individual authorization. The document continues with a series of important instructions and procedures for the proper implementation of a DPIA.
European Data Protection Supervisor
On September 23, 2020, the European Commission presented the New Pact on Migration and Asylum, which includes five legislative proposals: i) an amended Proposal for a Eurodac Regulation; ii) an amended Asylum Procedure Proposal; iii) a Proposal for the Asylum and Migration Management Regulation; iv) a Selection Regulation Proposal; v) Crisis and Force Majeure Regulation Proposal. It also includes a number of non-legislative initiatives.
The EDPS points out that it recognizes the need for more effective management of migration and asylum. At the same time, as set out in the EDPS 2020-2024 Strategy, data protection is one of the last lines of defense for vulnerable individuals, such as migrants and asylum seekers who approach the EU’s external borders. In this regard, it considers that the proposal’s comprehensive approach should be based on full respect for the fundamental rights of persons seeking international protection and other migrants, including their right to data protection and privacy.
It further states that an in-depth assessment of the impact on fundamental rights and data protection should be carried out. It is also of the opinion that legislative proposals should clearly assign the respective responsibilities to the different actors involved in the processing of personal data.
More specifically, with regard to the amended proposal for the Eurodac Regulation, the EDPS recommends that the authorities of the Member States and Union bodies continue to be able to see only the data that are relevant to the performance of their specific functions, even if the data sets are linked.
With regard to the proposal for tracing the pact, the EDPS stresses that the accuracy of the information processed is of fundamental importance and that the right to rectify and/or complement the personal data of third-country nationals must be guaranteed in all cases. Furthermore, it considers that the proposal remains very general with regard to the methods that can be used to collect data provided by or obtained from the third-country national for their identification or verification, especially in view of the wide range of practices used at national level, with different degrees of intrusion and effectiveness.
Having received several complaints against the CARREFOUR group, CNIL carried out checks between May and July 2019. On this occasion, CNIL noted deficiencies in the processing of customer and prospective customer data, and the President of the Authority therefore decided to initiate a sanction procedure against these companies. The information provided to users of the carrefour.fr and carrefour-banque.fr websites, as well as to people who wished to join the loyalty program or take out the Pass card, was neither easily accessible (it was buried in a very long text containing other information) nor easily understandable (it was written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention, representing a breach of the obligation to inform data subjects. CNIL also noted that when a user connects to the carrefour.fr or carrefour-banque.fr website, several cookies are automatically placed on their terminal before any action on their part; several of these cookies are used for advertising, so the user’s consent should have been collected before the cookies were deposited. Furthermore, the company Carrefour France did not respect the data retention periods it had itself set: data on more than twenty-eight million customers who had been inactive for five to ten years were kept as part of the loyalty program, and the same happened with 750,000 users of the carrefour.fr website who had been inactive for five to ten years. Except for objections to commercial prospecting, Carrefour France required proof of identity for every request to exercise data subject rights; this systematic request was not justified, as there was no doubt about the identity of the people exercising their rights. Finally, the company was unable to process several requests for the exercise of rights within the time limits required by the GDPR.
The Government sent text messages to the subscribers of telephone operators to publicize the new application TousAntiCovid (formerly StopCovid) and its use in the context of the reopening of stores. According to CNIL, this operation is provided for in the decree of 27 November 2020, which sets out measures to deal with the COVID-19 epidemic under the state of health emergency. It allows the Government to ask telecommunications operators to disseminate to their subscribers, on an ad hoc basis, “warning and information messages to mitigate the effects of the health catastrophe”. CNIL also affirms that in these operations no telephone number is transmitted to the Government: the message is sent by the Government to the mobile phone operators, who are responsible for forwarding it to their subscribers using their own databases.
The CMA is advising the British government on the design and implementation of the UK’s new pro-competition regime for digital markets. The new regime will proactively shape the behavior of the most powerful technology companies, ensuring that consumers and businesses are treated fairly and helping to level the playing field for smaller rival technology companies. The advice was produced by the Digital Markets Taskforce, commissioned by the government in March and led by the Competition and Markets Authority (CMA), working together with Ofcom, the ICO and the FCA. The main proposals are:
i. A new legally binding code of conduct, tailor-made for each company and for the areas where the evidence shows that problems can occur, designed and supervised by the Digital Markets Unit (DMU). The code will help shape the behavior of powerful digital companies from the start and govern elements of how they do business with other companies and treat their users. A range of powers will be available to the DMU to address any concerns, including the potential for significant penalties.
ii. Pro-competitive interventions, which can be used to address sources of market power, allow competition to flourish and unlock the potential for transformative innovation by others in the market. An example of such an intervention could be the imposition of interoperability requirements on technology companies and better empowerment of consumers to control and share data.
iii. Enhanced merger rules, which would allow the CMA to apply closer scrutiny to transactions involving companies with Strategic Market Status (SMS). This would include an obligation to notify the CMA of a transaction, a block on completing a deal until the CMA has investigated, and a move to a more cautious legal test when examining the likelihood of harm to consumers, in order to address concerns about historical under-enforcement in mergers involving large technology companies.
In one of the excerpts of the extensive speech, Ferroni points out that “Following the evolution of robotics is, therefore, essential to understand the cultural, ethical, legal and political challenge that the fourth industrial revolution brings. Paradoxically, it means taking a trip to the future of humanity, trying to understand its essence, looking precisely at the non-human, but being intelligent. The concept of ‘intelligence’ must, therefore, be redefined. The operation itself should in no way be taken for granted, because different meanings can be included in this concept: capacity for logical reasoning, understanding, planning, self-awareness, creativity, problem solving, learning, etc. It is worth taking a broad definition of intelligence, as suggested by Max Tegmark (Vita 3.0. Human beings in the era of artificial intelligence, Raffaello Cortina Editore, 2018): intelligence is the ‘ability to achieve complex goals’, or even ‘the ability to acquire and apply knowledge and skills’. Putting the topic in this way, the question that follows is: to speak of an intelligent entity, is the ability to calculate, that is, to make calculations automatically, sufficient, or is a certain degree of understanding necessary? That is, to be considered intelligent, will the machine only have to return a correct answer after processing the acquired information, or, better, also demonstrate that it understood the question and answer in a certain way, based on elements not only memorized, but also shared and made its own?” And ends: “The perspective must therefore be reversed. We must claim the right to make mistakes, aware of our physiological fallibility. Otherwise, the risk is to find yourself trapped in a totalitarianism of efficiency, sustainable, perhaps, from an economic and ecological point of view, but not human. Really inhuman. An efficiency that could even predict paradoxical scenarios such as self-destruction, when calculated in terms of collective benefit.

Disturbing are the many questions that arise about the fate of our freedoms and our democracy. That is why it becomes really crucial, in the method, even before the merit, to start a new phase of constitutionalization in the ‘modern projection’. That has the purpose of ‘guiding the design, development and use of artificial intelligence solutions in an ethical and legally sustainable direction’ (A. Longo, G. Scorza).”
The EDPB published a statement on the future e-Privacy Regulation, concerned with the supervision of that Regulation. The EDPB, in partnership with other European Union privacy regulatory bodies, has expressed its opinion on the supervision of the e-Privacy Regulation, which will replace the 2002 e-Privacy Directive. The Board considers that the supervision of the processing of personal data under the e-Privacy Regulation should be entrusted to the same national authorities that oversee the GDPR, as this would guarantee a high level of protection, a level playing field and a harmonized interpretation and application across the EU. In addition, it underlined its previous position that the e-Privacy Regulation should not decrease the level of protection of the current 2002 e-Privacy Directive. Finally, it points out that the e-Privacy Regulation should complement the GDPR, providing strong safeguards for the confidentiality and protection of all types of electronic communications.
The Authority points out that, in order to transfer personal data to a third country, that is, a country outside the EEA, a legal basis for the transfer is normally required. In addition, the additional terms of the Schrems II judgment must be followed, and this may involve complex and time-consuming assessments. However, these measures do not need to be taken if the EU Commission has given the country in question a so-called adequacy decision. The Commission may issue an adequacy decision if it concludes that the level of protection in the country is equivalent to that of the EEA; in such cases, personal data may be transferred freely to that country. The European Commission is considering whether to give the United Kingdom an adequacy decision. It is currently not known whether this work will be completed before January 1. Accordingly, there are two scenarios: (i) if the European Commission gives the United Kingdom an adequacy decision before the New Year, companies do not need to take any action regarding the transfer of personal data; and (ii) if the European Commission does not give the United Kingdom an adequacy decision before the New Year, companies transferring personal data to the United Kingdom must secure a transfer basis and comply with the additional terms of the Schrems II decision if they wish to continue transferring personal data after December 31.
Data Protection at Universities
“Over the past decade, societies significantly improved their understanding of the competitive dynamics at play in digital markets. However, a challenge remains in designing remedies that actually improve overall welfare.
This paper first maps out the frontier of remedy design in the digital world. Section I summarizes antitrust remedies imposed on digital companies to both group cases according to the different underlying concerns they tackle and to identify potential interplays with regulatory interventions that share the same rationale. Section II complements this analysis by reviewing eighteen key independent reports on competition in digital markets to identify proposals to advance antitrust or regulatory interventions. The overall conclusion is that while the interplay between antitrust and regulation is bound to grow, authorities lack a coherent framework that would allow them to coherently and rationally apply these policies in practice.
Section III, the core of the paper, fills this gap by introducing a new framework to integrate antitrust and regulatory interventions in the digital world—one that is focused on two different levels of remedy design. First, it develops a compounded error-cost framework authorities can apply when choosing between remedies for a given conduct: when authorities accept higher risks of over-enforcement in deciding to intervene they should compensate by taking lower risks of over-enforcement in remedy design, and vice-versa. Second, it proposes four criteria authorities can rely on to allocate between different regulators three connected but different key activities in remedy design: (i) the identification of harmful behavior; (ii) the design of the intervention; and (iii) monitoring and adaptation of the remedy.
Section IV concludes by applying this framework to seven types of conduct that Sections I and II identified as potentially problematic: (i) discrimination, unfair processing and self-preferencing; (ii) exclusivity relations with suppliers, distributors or clients; (iii) tying or bundling through contractual agreements; (iv) MFNs and other price parity clauses; (v) refusals to deal, limited interoperability and lack of data portability; (vi) rules and terms of service imposed by digital platforms; and (vii) nudges, sludges and other concerns in user interfaces.”
Data Protection in the Brazilian Legislative
Presented on December 2 by Federal Deputy Luiz Philippe de Orleans and Bragança, Bill 5313/2020 proposes the institution of a Special Taxation Regime, with a series of tax benefits for Data Centers, under the justification that “The entry into force of the General Law for the Protection of Personal Data – LGPD, Law No. 13,709, of August 14, 2018, creates a perspective of expressive growth in the demand for secure data storage in the country. This is a perspective that must be faced with concern, since the investment in the expansion of data centers and the adaptation of security criteria and procedures will require a relatively long term for their effective realization” and continues: “The requirements for security and integrity of databases must also adapt to the specific requirements of Brazilian law applicable to each type of information stored. The complexity of our civil and commercial legislation and the infra-legal rules issued by and entities of the Executive Branch or resulting from judicial decisions add an increased variety of devices and interpretations to be incorporated into data processing and preservation software, which requires an effort to develop, codify and validate specific programs and routines.” The Bill is currently on the Board of Directors.
Presented on December 2, Bill 5314/2020, authored by Federal Deputy Luiz Philippe de Orleans and Bragança, aims to amend Article 55-D of the General Data Protection Law to determine that “Members of the Board of Directors will be chosen from among Brazilians who have an unblemished reputation, a high level of education, a high concept in the field of specialty of the positions for which they will be appointed and approved by the previous life inquiry and social investigation committee.” and also that “The members of the ANPD’s Board of Directors will undergo a past life and social investigation in a committee composed of: I – Director-General of the Federal Police; II – Director-General of the Brazilian Intelligence Agency; III – Minister of Defense; IV – Minister of Justice and Public Security; V – Chief Minister of the Institutional Security Office of the Presidency of the Republic; VI – Attorney General; VII – a member of the Board of Directors of the Chamber of Deputies; VIII – a member of the Board of Directors of the Federal Senate”. It also determines that “The committee for the investigation of past life and social investigation shall have the necessary means of investigation of each organ of its members so that in the end they consider the nominees apt or not to exercise the positions to which they will be appointed” and that “It is forbidden to appoint a spouse, partner or relative in a straight line, collateral or affinity, up to the third degree, of authorities of the Legislative, Executive and Ministers of the Judiciary.” The Bill is currently on the Board of Directors.
Data Protection in the Brazilian Judiciary
The writ of mandamus 2076403-78.2020.8.26.0000 was filed against the Governor of the State of São Paulo, seeking the grant of the writ so that the effects of the COOPERATION AGREEMENT between the operators TIM, VIVO, OI and CLARO and the Government of the State of São Paulo would not apply to the applicant, and so that their mobile phone lines would not be subject to data monitoring by the operators Vivo and Claro together with the Government of the State of São Paulo. Minister Cristina Zucchi draws on concepts such as anonymization, quoting an excerpt of a text published in Folha de São Paulo by columnist Ronaldo Lemos, and concludes that the data used by SIMI-SP do in fact fit the concept of anonymized data, in addition to citing other decisions that allowed the use of aggregated data to combat the pandemic. Thus, the appeal was dismissed.