Welcome to the 34th edition of the Bulletin!
In this 35th edition, we highlight the publication of the ANPD Internal Regulations in the Federal Official Gazette. This is an important document for understanding the internal dynamics of the body and the distribution of the powers conferred on it.
We also highlight the publications of the Danish and Irish DPAs regarding the publication of personal data of children and adolescents on social networks and the processing of their data by internet service providers. The decision of the Danish DPA consolidated the idea that publishing photos of children and adolescents on social networks requires the prior consent of those responsible for them, and also pointed out that image publications on social networks must observe a previously defined life cycle, especially when they are published by a service provider. The Irish Authority's publication sets out a number of principles and safeguards that agents must follow when processing the personal data of children and adolescents, for example the need to present information about the processing carried out in accessible, age-appropriate language, among other measures.
In the Legislative Branch, two bills related to increasing the efficiency of public services through the use of technologies were presented. One aims at “smart cities” and the other regulates the use of artificial intelligence, both frontier themes, which take on new shapes in the context of the COVID-19 pandemic and carry important implications for privacy and data protection.
We wish everyone a great reading!
Bruno Bioni, Iasmine Favaro and Mariana Rielli
Data Protection at Authorities
Ordinance No. 01, of March 8, 2021, was published on the 9th of the same month after being approved by the Directing Council of the National Data Protection Authority (ANPD), and sets out the Authority's competences and organization. Miriam Wimmer, director of the Authority, points out that the publication of the Internal Regulations is an essential step not only to organize the ANPD's working procedures, but also to provide transparency and predictability about its decision-making processes, about the role of each organizational unit and about the forms of relationship between society and the Authority.
The President of the National Data Protection Authority, Waldemar Gonçalves, and the Secretary of the National Consumer Secretariat (SENACON / MJSP), Juliana Domingues, signed, on March 22, a Technical Cooperation Agreement aimed at protecting consumer data. One of its objectives is to speed up the investigation of security incidents. To that end, Senacon / MJSP will start sharing information collected from consumer complaints related to the protection of personal data, and has formalized a Nucleus within the National Council for Consumer Protection to handle this convergence with the Authority. The ANPD, in turn, will establish the interpretations necessary for applying the General Data Protection Law (LGPD) in specific cases.
In March 2021, the Danish Authority completed an audit of three providers offering COVID-19 tests without prior scheduling. The inspections examined the providers' compliance with GDPR rules, including the provision that information given to the data subject must be delivered in a concise, transparent and easily understandable form, using clear and plain language. The Authority concluded that the providers' observance of the duty of information was in accordance with the regulations, but one of the providers was recommended to supplement the communication sent to citizens when they receive their test results.
The Authority investigated the publication of photos on the Facebook page of the company Epic Booking. The audit found, among other things, that several images had been processed in violation of the applicable data protection rules. According to the Authority, a large number of photos (almost 500,000), especially of children and young people, could be found on the company's Facebook page. The Authority concluded that the consent given by the people photographed did not sufficiently meet the requirements that consent be informed, specific and freely given, and also concluded that the company did not comply with the rules on providing adequate information about the processing. In addition, the Authority considered that Epic Booking's failure to set a specific deletion period was contrary to the principle of storage limitation. The lack of a deletion deadline meant that the images would essentially be kept public indefinitely. On this basis, the Authority assessed that a maximum period of 60 days would be sufficient to meet customers' need to access the images and set that as the period for deleting them.
The Authority recommends that the proposal, which creates cross-border provisions on how to deal with health emergencies, also include specific provisions on the application of data protection legislation. Likewise, it argues that the role of entities subject to data protection legislation should be covered by the proposal. More specifically, on the processing of 'electronic health data outside clinical trials' and 'real-time data', a clear definition of 'data generated outside the scope of clinical trials' should be included, and the meaning of "real world data" should be clarified, specifying at least examples of the type of data in question and the purpose for which that data will be used. In addition, regarding the creation of a European Centre for Disease Prevention and Control, the Authority recommends that the categories of people whose personal data will be processed be clearly demarcated, together with a description of specific measures to protect the rights and freedoms of the people involved, in accordance with data protection legislation; and that the situations in which the tasks within the Centre's competence involve the processing of personal data be clearly identified, creating a strong data governance mechanism that requires clear identification of the main actors in the processing of personal data. In the document, the Authority also states that, given the potential risks associated with the use of surveillance systems and artificial intelligence, it is recommended that the ECDC carry out a DPIA before deploying a digital platform.
In its opinion published on 11 March 2021, the EDPS welcomed the Proposal for Directive SRI 2.0, which aims to replace the existing directive on the security of networks and information systems (SRI). The purpose of the Proposal is to harmonize and strengthen cybersecurity practices across the European Union (EU), and it is part of the EU's cybersecurity strategy to ensure a global and open Internet with strong safeguards to mitigate the risks to the fundamental rights of individuals, including the right to data protection. The Authority's opinion includes observations and recommendations on the proposed strategy and directive. The EDPS also stresses that the use of encryption, in particular end-to-end encryption, is crucial. For the Authority, encryption is an irreplaceable technology for protecting individuals' personal data and the right to privacy; therefore, any weakening or circumvention of encryption (for example, through mandatory backdoors, mandatory key escrow or hidden communication channels) would completely strip the mechanism of any effective protective capacity and result in a loss of trust. The proposal for a directive should therefore be clear: nothing in the proposal should be interpreted as an endorsement of weakening end-to-end encryption through "backdoors" or similar solutions.
Upon receipt of a complaint, on March 12 the CNIL questioned the American company Alpha Exploration Co., Inc., publisher of the "Clubhouse" application, about the measures taken to comply with the GDPR. The CNIL thus opened an investigation and carried out initial checks, which revealed that the company in question does not have an establishment in the European Union. However, according to the body, the European authorities are communicating with each other on this point in order to exchange information and ensure consistent application of the Regulation. The investigation must verify whether the GDPR applies to the company and, if so, determine whether it has been breached and how. In addition, a petition that has gathered more than 10,000 signatures to date is circulating to alert the CNIL to possible privacy violations by the Clubhouse app.
In France, since March 10, 2021, operators and managers of public transport services have been able to use smart cameras to measure the rate of mask use in the context of the public health crisis. They can therefore use devices of this nature to: (i) produce statistical assessments of compliance with the obligation to wear a mask and (ii) adapt their information and public awareness actions. The CNIL notes, in its opinion, that these devices are not intended, on the other hand, to impose sanctions in the event of violations of the mask regulations. In June 2020, the CNIL had warned against the deployment of such devices outside any legal framework, insisting that they be subject to an appropriate statutory framework, particularly in cases where the right to object cannot be effectively exercised. In its opinion, the CNIL considered that the new devices pursue public health objectives, but that they must also comply with the regulations on the protection of personal data. The Authority also recalls that the capture and systematic analysis of people's images carry risks to their rights and freedoms and present, in particular, the risk of spreading a feeling of surveillance among citizens and of creating a phenomenon of habituation to, and trivialization of, intrusive technologies. In this context, the CNIL insisted on the importance of implementing guarantees that justify the possible limitation of the rights of the persons concerned. Finally, the CNIL recalled, in its opinion, that the devices referred to in the draft decree are not intended to, and cannot technically, allow the direct and immediate identification of people. They are therefore not intended to process biometric data and, a priori, are not facial recognition devices.
Among the fundamental principles of the published guide, five stand out:
1. Protection floor: online service providers must provide a protection "floor" for all users, unless they adopt a risk-based approach to verifying the age of their users, so that the protections set out in the guide are effectively applied to all processing of children's data;
2. Unambiguous consent: when a child consents to the processing of their data, that consent must be freely given, specific, informed and unambiguous, made through a clear statement or affirmative action;
3. Zero interference: anyone relying on legitimate interests as the legal basis for processing children's personal data must ensure that those legitimate interests do not interfere with, conflict with or negatively affect, at any level, the child's best interests;
4. Know your audience: online service providers must take steps to identify their users and ensure that services targeted at, intended for or likely to be accessed by children have child-specific data protection measures in place;
5. Information in all cases: children have the right to receive information about the processing of their own personal data, regardless of the legal basis relied on. This is the case even when consent was given by a parent on the child's behalf for the processing of their personal data.
The document also points out that the best interests of the child must be a key consideration in any DPIA and must prevail over the provider's commercial interests or those of third parties.
The Authority informed the public that in recent weeks it has received 75 reports of data breaches at organizations that use Microsoft Exchange Server to send and receive e-mail. The National Cyber Security Centre (NCSC) reported that at least 1,200 Dutch servers running Microsoft Exchange have been compromised. The Authority has accordingly warned that it fears there are far more problems than the 75 data breach reports received and has encouraged organizations to check their systems.
On March 17, the Association of Banks of Mexico reported that, in order to use the services provided by banks through digital channels, customers and users must give consent to the processing of geolocation data. The Authority stated that the processing of geolocation data will only be possible with the consent of customers and users, and that users whose geolocation data is processed without prior consent must file a complaint against the banking institution in question with the Authority.
Data Protection at Universities
The article points out the weaknesses regarding the privacy of SUS users and proposes a theoretical solution, still to be tested, based either on an infrastructure of personal data stores (PDS) or on the security of the blockchain. To this end, it carries out a narrative review of national and international literature on instruments, policies and cases focused on health information and communication technologies, in order to point out the privacy weaknesses faced by users of this system. The review found that there is still a lack of transparency in the processing of personal data and little accountability towards citizens, making a change in technological and governance strategy necessary. The PDS does empower the user, as it gives greater control and transparency over the processing of their data. However, in a system like the one used by the SUS Department of Informatics, this solution can compromise the accuracy of the data used in public policies and, at the same time, some citizens' rights, since the data saved in records and the associated metadata are publicly available. Implementing the PDS therefore does not yet promise an optimal result. There are still methodological limitations regarding citizens' rights and the efficiency of the State, but the authors maintain that it is a step towards civic empowerment and an improvement required by law in terms of privacy and the protection of personal data.
The book consists of sixty texts methodologically divided into twelve parts, opening with an introduction to concepts related to the theme of artificial intelligence and a brief retrospective of the main milestones that led to the current level of development in the field. It includes a complete section on personality rights and issues concerning the autonomy of entities endowed with artificial intelligence, addressing, for example, the use of facial recognition technologies. It also contains a section on civil liability and its institutes, which explores the different roles of civil liability, such as strict liability and compensation for damage caused by artificial intelligence, and another on the integration between artificial intelligence and data protection.
Data Protection in the Brazilian Legislative
Bill 976/2021, proposed on March 19 by Federal Deputy José Priante, institutes the National Policy for Smart Cities (PNCI), defining a smart city as an urban space oriented towards investment in human and social capital, sustainable economic development and the use of available technologies to improve and interconnect the services and infrastructure of cities, in an inclusive, participatory, transparent and innovative way, with a focus on raising citizens' quality of life and well-being. In addition, the PL defines concepts such as the smart city plan and ICTs, and establishes "citizens' privacy and data security" as one of its principles. It also provides for the integration of public authority databases through the use of interoperability and data-sharing standards between federal entities. Currently, the PL is before the Board of Directors (Mesa Diretora) of the Chamber.
Bill 872/2021, presented on March 12 by the Venezuelan Senator Vital do Rêgo, establishes as foundations for the use of AI the protection of the privacy of personal data and the guarantee of human intervention whenever necessary. In addition, the PL states that such use must be compatible with the preservation of social and cultural diversity and must not restrict personal lifestyle choices, and must follow governance standards that guarantee the continuous management and mitigation of the technology's potential risks, among other guarantees. Currently, the PL is in the Plenary of the Federal Senate.
Data Protection in the Brazilian Judiciary
Lawsuit nº 2033246-21.2021.8.26.0000, DJSP, p. 1647
Recently, the São Paulo Court of Justice dealt with a case of public administration data breach through unauthorized access to administrative documents and proceedings, combined with influence peddling. It is alleged that a magistrate working in the municipality of Caieiras influenced the mayor to authorize a close friend of the judge, with no connection to the municipality, to carry out an audit of the city's finances in order to leak sensitive information. The magistrate reportedly directed his friend to various investigations in order to assemble a clandestine dossier to support the filing of actions against opponents and unwanted companies hired by the Caieiras City Hall, thereby favoring associates and business partners. The information gathered for the illegal dossier allegedly included bank balances, financial transactions, password-protected data and confidential interests of the municipality covered by fiscal secrecy, in breach of information security duties, the constitutional principles of Public Administration and art. 6, I, of the LGPD. The TJSP's decision, however, declined jurisdiction over the action, in accordance with the Constitution of the State of São Paulo.