Welcome to another edition of the Bulletin!
In this 38th edition, we highlight that the National Data Protection Authority (ANPD) participated in the II Digital Dialogue Brazil-United Kingdom 2021, an initiative in which experiences were shared between entities of the governments of Brazil and the United Kingdom in order to improve their digital agendas. Among the bodies and entities that participated in the Dialogue are the Ministry of Foreign Affairs, the Ministry of Communications and the Ministry of Science, Technology and Innovations.
Also in the Brazilian context, two bills regarding data protection were presented. On the one hand, Bill No. 1599/2021, presented by Senator Rose de Freitas (MDB/ES), seeks to amend the LGPD in order to improve its provisions on information security. On the other hand, Bill No. 1589/2021, proposed by Deputy Soraya Manato (PSL/ES), also seeks to amend the LGPD, but with the objective of prohibiting the abusive sharing of personal data and discrimination against individuals on the internet.
We also highlight a decision by the Portuguese Data Protection Authority (CNPD), which ordered the National Statistics Institute (INE) to suspend the sending of personal data from the country’s 2021 Census to the United States. After a series of complaints about the conditions of online data collection, the CNPD initiated an investigation and concluded that INE had outsourced the operation of the census questionnaire to Cloudflare, Inc., a California company, through a data processing agreement that provides for the transfer of information to the United States. Finally, the highlight goes to the formal warning, under the terms of the EU Regulation, issued by the Italian Authority to all ministries and other parties involved in the creation and management of the rules on “green certifications” in the country. The Guarantor noted that the so-called “reopening decree” does not provide an adequate legal basis for the use of “green certificates” on a national scale and is incomplete in terms of data protection, lacking an assessment of the possible risks to the rights of data subjects.
We wish you a great reading!
Bruno Bioni, Mariana Rielli and Júlia Mendonça
Data Protection at Authorities
The National Data Protection Authority (ANPD) public servants participated, between 12 and 23 April, in the Academic Data Protection Academy course, conducted by the Maastricht University European Centre on Privacy and Cybersecurity. As a result of the cooperation between the ANPD and the European Commission, the course was attended by all members of the Authority’s technical staff and made it possible to address matters essential to meeting the goals established in the Strategic Planning. The Maastricht University European Centre on Privacy and Cybersecurity stands out as one of the main global references in privacy and data protection, and one of the highlights of the course was precisely its comparative approach to the Brazilian General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR). The opportunity was the result of closer cooperation between the ANPD and the European Commission, which also aims at proposing guidelines and regulations at the European level and at facilitating international transfers of personal data.
The National Data Protection Authority (ANPD) participated in the UK-Brasil Digital and Cyber Dialogue 2021, an initiative in which experiences are shared between entities of the Brazilian and UK governments in order to reciprocally improve their digital agendas. Among the other bodies that participated in the Dialogue are the Ministry of Foreign Affairs, the Ministry of Communications and the Ministry of Science, Technology and Innovations. On the theme “International Data Flows and Data Protection”, Miriam Wimmer, Director of ANPD, highlighted some of the challenges that ANPD has faced since its recent creation, in November 2020, and the measures that have been taken to overcome them. Also participating in this debate were Joe Jones and Declan Shaw, representatives of the Department for Digital, Culture, Media and Sport (DCMS) of the United Kingdom, and William Middleton, Director at the Foreign, Commonwealth & Development Office (FCDO), also of the United Kingdom, who emphasized the importance of cooperation between countries in the field of personal data protection.
The Danish Data Protection Agency has published an opinion stating that web forms and other solutions for processing personal data require security measures, and that controllers must ensure that personal data does not reach unauthorized persons. According to the Authority, this can be done by adopting Transport Layer Security (TLS) in version 1.2 or higher. The Authority further points out that TLS versions 1.0 and 1.1 contain known vulnerabilities and therefore do not guarantee the necessary confidentiality and integrity of the information exchanged.
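As an added illustration of the Danish opinion (this is example code written for this bulletin, not material from the Authority), the block below does two things a controller running a web form would want: it builds a server-side TLS context whose minimum protocol version is 1.2, and it audits a constructed access log (the log format, the IP addresses and the paths are invented for the example) to find connections that were still negotiated over TLS 1.0, TLS 1.1 or no TLS at all. The version policy is expressed once, in `MINIMUM_TLS`, so the context and the log audit cannot drift apart.

```python
from __future__ import annotations

import re
import ssl
from collections import Counter

# Policy from the opinion: TLS 1.2 is the floor. Used by both the context
# factory and the log audit below.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def make_server_context(certfile: str | None = None, keyfile: str | None = None) -> ssl.SSLContext:
    """Server context that refuses TLS 1.0/1.1 (and SSLv2/v3) handshakes.

    certfile/keyfile are optional here only so the factory can be exercised
    without a certificate on disk; a real deployment always loads a chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MINIMUM_TLS
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below the policy floor."""
    return ctx.minimum_version >= MINIMUM_TLS


def parse_tls_version(token: str) -> tuple[int, int] | None:
    """'TLSv1.3' -> (1, 3); 'TLSv1' -> (1, 0); SSLv3, '-' (plaintext) etc. -> None."""
    m = re.fullmatch(r"TLSv(\d+)(?:\.(\d+))?", token)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def meets_policy(token: str) -> bool:
    """Does a protocol string from a log line satisfy the TLS >= 1.2 floor?"""
    version = parse_tls_version(token)
    return version is not None and version >= (1, 2)


# Constructed log format for the example: "<client-ip> <tls-version> "<request>" <status>".
# A real server logs the negotiated protocol through a variable such as nginx's
# $ssl_protocol; the exact layout is an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

SAMPLE_LOG = """\
203.0.113.10 TLSv1.3 "POST /contact-form HTTP/1.1" 200
203.0.113.11 TLSv1.2 "POST /contact-form HTTP/1.1" 200
198.51.100.7 TLSv1 "POST /contact-form HTTP/1.1" 200
198.51.100.8 TLSv1.1 "GET /form.html HTTP/1.1" 200
192.0.2.5 - "POST /contact-form HTTP/1.1" 200
"""


def audit_tls_log(lines) -> tuple[Counter, list[tuple[str, str, str]]]:
    """Count connections per protocol and list those below the policy floor.

    Returns (summary, violations) where violations holds (ip, protocol, path)
    for every line that a TLS 1.2 floor would have rejected.
    """
    summary: Counter = Counter()
    violations: list[tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        proto = m.group("proto")
        summary[proto] += 1
        if not meets_policy(proto):
            violations.append((m.group("ip"), proto, m.group("path")))
    return summary, violations


if __name__ == "__main__":
    print("server context floor ok:", context_meets_policy(make_server_context()))
    summary, violations = audit_tls_log(SAMPLE_LOG.splitlines())
    print("connections by protocol:", dict(summary))
    for ip, proto, path in violations:
        print(f"below policy: {ip} used {proto} for {path}")
```

Running the audit before raising the floor tells the controller which clients would be cut off, which is the practical question behind the opinion: legacy clients do not become safe by being allowed, and the log shows how many of them there are before the change is made.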
In connection with the escalating COVID-19 situation in Denmark (February-March 2020) and the subsequent lockdown, the Statens Serum Institut (SSI) was responsible for making personal data (mainly health data) available to a group of specialists who were to carry out the calculations for the possible “reopening” measures in the country. SSI itself assessed the risks as moderate to high and also acknowledged that, at the beginning of the processing, a complete mapping and assessment of the risks involved had not been carried out. SSI had therefore already recognised that the situation alone implied a high risk for individuals’ rights, yet it did not seek to implement the required security measures. In this light, the Danish Data Protection Agency issued an opinion expressing serious criticism of the institute, which began processing the data: a) without a sufficient risk assessment; b) without carrying out an impact assessment; c) without consulting the Authority itself, among other shortcomings.
European Data Protection Supervisor (EDPS)
The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States. CNPD issued a decision addressed to INE ordering the suspension of any international transfer of personal data to the United States or to other third countries without an adequate level of protection in the context of the Census 2021 questionnaire. Following a number of complaints concerning the conditions of the online data collection, CNPD carried out a quick investigation and concluded that INE had outsourced the operation of the census questionnaire to Cloudflare, Inc., through a data processing agreement that provides for the transfer of personal data to the United States. Cloudflare is an undertaking established in California. Given the type of services it provides, it is directly subject to US surveillance legislation for national security purposes, which imposes on it the legal obligation to give the United States authorities unrestricted access to personal data held or kept by Cloudflare, without being able to inform its customers of that fact. Given that the data in question are personal data from an almost total universe of citizens residing on national territory, including sensitive data such as health and religion data, the CNPD took the view that the transfer of data to the United States or to any other third country without adequate protection should be suspended with almost immediate effect.
Smart home security and monitoring company Vivint Smart Homes Inc. has agreed to pay $20 million to settle Federal Trade Commission allegations that the Utah-based firm misused credit reports to help unqualified customers obtain financing for the company’s products and services. In a complaint filed by the Department of Justice on behalf of the FTC, the Commission alleged that Vivint violated the Fair Credit Reporting Act (FCRA) by improperly obtaining credit reports in order to qualify potential customers for financing for its smart home monitoring and security products. The FTC also alleged that Vivint violated the FTC’s Red Flags Rule by failing to implement an identity theft prevention program, which is required of certain companies that regularly use or obtain credit reports.
In a text by Steve Wood, Deputy Commissioner and Chair of the OECD Working Group on Data Protection and Privacy, effective data protection safeguards are pointed out that can help improve public access to digital services while also reducing security risks. Digital identity systems have started to come of age, driven by the opportunities and challenges of the digital economy and public services. According to the text, the public needs safe and secure ways to establish their identity in light of how digital services work in their daily lives, and it is essential to build confidence about how personal data is used in a digital identity system. In this regard, the Deputy Commissioner made some recommendations: a) any system must be user-centred, and the limits on use and collection must be clearly established; b) effective measures must be in place to analyse the risks related to data minimisation and purpose limitation; c) organisations operating in the trust framework must have appropriate technical and organisational security measures in place to protect the personal data held in the system.
According to the Data Protection Authority of France (CNIL), actions involving the use of “ransomware” have increased in the country in recent months. The attacks mainly target the data and information of local authorities, companies and health establishments, among several other sectors. In order to assist such establishments in their efforts to improve security, CNIL published a document with the main lessons learned from its investigations on the topic. The recommendations are also based on cases reported by controllers in the context of security incident notifications, as well as on the best practices published by the Agence nationale de la sécurité des systèmes d’information (ANSSI).
On April 26, 2021, through Resolution No. 418, the Czech Republic Government preliminarily approved an extraordinary measure prepared by the Ministry of Health, which requires barber shops, hairdressers, manicurists, cosmetic and other services to keep a register of customer data in case epidemiological inquiries are initiated. A large number of companies that, in many cases, have never collected data about their customers, nor have the technical means to do so, will have to face a new obligation to process personal data. However, according to the Czech Republic Authority, the processing obligation was imposed without sufficiently clear specifications, failing to provide essential guidance such as the purpose of the processing, the data retention period, the guidelines for technical and organizational security, and the need to provide information to data subjects. In this regard, the Authority concluded that an obligation to keep customer registers for a “possible epidemiological investigation”, without determining the specific purpose and other processing parameters, is unacceptable in light of the GDPR’s data protection principles.
A rule recently approved by the Italian government for the creation and management of “green certificates” may raise critical questions about the validity and functioning of the system for reopening travel during the pandemic. The Italian Authority warned that urgent action is needed to protect individual rights and freedoms and, for that reason, issued a formal warning, under the terms of the EU Regulation, to all ministries and other parties involved. The Guarantor noted, first, that the so-called “reopening decree” is not a legal basis for the use of “green certificates” on a national scale and is incomplete in terms of data protection, lacking an assessment of the possible risks to the rights of individuals. In addition, contrary to the provisions of the GDPR, the decree does not precisely define the purposes of the data processing, especially those linked to health, leaving room for future and unpredictable uses, potentially out of line with the initial proposal.
The Italian Authority opened an investigation to verify the lawfulness of the “green certification” project to control Covid-19 launched by the Autonomous Province of Bolzano. According to public statements issued by the local body and the text of a recently approved ordinance, only individuals holding the so-called “CoronaPass Alto Adige” will be able to access certain accommodation, leisure and training facilities, as well as take part in other activities, such as sports events and practice. The pass is issued only to people who have completed the vaccination cycle, those who have recovered from Covid, or those who have recently tested negative. As already communicated, the Authority reiterates that the processing of personal data in initiatives that limit people’s rights and freedoms may only take place on an appropriate legal basis, combined with a risk assessment and the subsequent adoption of measures to protect the persons concerned. In the communication sent to the Autonomous Province of Bolzano, the Authority also indicates that it will evaluate the adoption of limitations (temporary or definitive) on the certification project, including a possible prohibition of the processing.
In 2017, the city of Enschede, Norway, decided to measure movement in the city centre using sensors, hiring a company specializing in counting passers-by. Measurement boxes on the streets captured the Wi-Fi signals of the phones of people passing by, and a unique code was registered for each phone. However, a recent investigation by the Norwegian Authority found that it was possible to determine which phone had passed which measurement box over a long period, allowing people to be tracked. Although it was not the council’s intention to track individuals, and no evidence was found that this had happened, the very existence of “Wi-Fi tracking” already violates the principles set out in the GDPR. In view of this, the Authority imposed a fine of 600,000 euros on the city of Enschede.
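The finding above turns on one design detail: a code that stays the same for a phone at every box and on every day. The block below is an added illustration written for this bulletin (it is not the council’s or the vendor’s system, and the observations, box names and device codes are constructed). It shows, on the same constructed data, why a stable code yields cross-box trajectories and how replacing it with a pseudonym keyed per box and per day keeps the count of passers-by that the council actually wanted while removing the ability to follow a phone from one box to the next.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed observations: (box_id, device_code, timestamp).
# device_code stands in for the stable per-phone code the page describes;
# every value here is invented for the example.
OBSERVATIONS = [
    ("box-A", "dev-1", "2021-04-20T08:01"),
    ("box-B", "dev-1", "2021-04-20T08:09"),
    ("box-C", "dev-1", "2021-04-21T17:45"),
    ("box-A", "dev-2", "2021-04-20T08:02"),
    ("box-A", "dev-3", "2021-04-21T12:30"),
    ("box-C", "dev-3", "2021-04-21T12:52"),
]


def trajectories(records):
    """Group observations by identifier: {identifier: [(box, timestamp), ...]} in time order."""
    paths = defaultdict(list)
    for box, ident, ts in records:
        paths[ident].append((box, ts))
    return {ident: sorted(hits, key=lambda h: h[1]) for ident, hits in paths.items()}


def linkable_identifiers(records):
    """Identifiers observed at more than one box: each one is a movement profile."""
    return sorted(
        ident for ident, hits in trajectories(records).items()
        if len({box for box, _ in hits}) > 1
    )


def counts_per_box_day(records):
    """The statistic the council wanted: distinct devices per box per day."""
    seen = defaultdict(set)
    for box, ident, ts in records:
        seen[(box, ts[:10])].add(ident)
    return {key: len(devices) for key, devices in seen.items()}


def make_box_keys(records):
    """One random secret per (box, day). In a real deployment the key would be
    generated on the box itself and discarded at the end of the day, so the
    pseudonyms can never be re-linked afterwards. Assumed design, not the page's."""
    return {(box, ts[:10]): secrets.token_bytes(32) for box, _, ts in records}


def pseudonymise(records, box_keys):
    """Replace the stable code with an HMAC keyed per box and per day.

    The same phone produces unrelated tags at different boxes and on different
    days, so repeat visits to one box within a day still count once, but there
    is no common value to join across boxes.
    """
    out = []
    for box, ident, ts in records:
        key = box_keys[(box, ts[:10])]
        tag = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        out.append((box, tag, ts))
    return out


if __name__ == "__main__":
    print("linkable with stable codes:", linkable_identifiers(OBSERVATIONS))
    keys = make_box_keys(OBSERVATIONS)
    anon = pseudonymise(OBSERVATIONS, keys)
    print("linkable after per-box/day pseudonyms:", linkable_identifiers(anon))
    print("counts unchanged:", counts_per_box_day(anon) == counts_per_box_day(OBSERVATIONS))
```

The point for a data protection assessment is that the counting purpose never required a code that survives across boxes or days; the keyed, rotating pseudonym delivers the same per-box figures, and whether a sensor vendor does this is something a controller can verify by inspecting what the boxes actually store and transmit.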
According to the Commissioner President, Blanca Lilia Ibarra Cadena, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) and the guarantor bodies of the National Transparency System (SNT) are committed to developing actions that promote knowledge of data protection rights among young people. As part of the celebration of Children’s Day, the Commissioner also pointed out that, due to the health emergency, more families depend on technological platforms and digital solutions for their children to learn, have fun and connect with the world. However, although these platforms have transformed our lives by connecting us with different educational, entertainment and social interaction tools, the dangers to the privacy and data protection of minors have also increased. Not all children and adolescents have sufficient knowledge, skills or resources to protect their rights in these environments. In this regard, Commissioner Román Vergara pointed out that INAI, in coordination with the SNT, launched several initiatives, including “Monsters on the Net”, which provides newsletters with the help of characters from Vila Sésamo, with the aim that girls and boys “from a young age have critical skills, notions of protection and basic concepts for using information technologies”.
For a safe digital environment for girls and boys, the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) calls for a joint effort to promote a culture of personal data protection among young people, in order to avoid risks to their privacy. Within the framework of the celebration of Children’s Day, INAI considers it essential to promote personal data protection rights from childhood, given that, especially in the pandemic context, technologies have become the means by which children and adolescents interact, attend classes and take part in various recreational activities. In addition, it is increasingly common for children to access various social networks, in which the provision of personal information may pose a threat to their safety and physical integrity. In this regard, INAI reiterates the need to raise awareness of the importance of protecting personal data in the digital space and of the risk dynamics of the digital ecosystem.
Data Protection at Universities
In this article, published in the collection “Robotics, AI, and Humanity”, Frank Pasquale analyses opportunities, but also worrisome trends, as AI is applied in finance, insurance and real estate. In these domains, persons are increasingly assessed and judged by machines. The financial technology (Fintech) landscape ranges from the automation of office procedures, to new approaches for storing and transferring value, to the granting of credit. The Fintech landscape can be separated into “incrementalist Fintech” and “futurist Fintech”. Incrementalist Fintech uses data, algorithms and software to complement professionals who perform the traditional tasks of existing financial institutions. It promises financial inclusion, but this inclusion can be predatory, creepy and subordinating: such forms of financial inclusion undermine the solvency, dignity and political power of borrowers. In turn, the concept of “futurist Fintech” fits into the sector’s broader narratives about the role of automation in transforming society. Futurist Fintech’s promoters claim it will be more equitable, but they are likely to falter in their aspiration to substitute technology for key financial institutions. When used to circumvent or co-opt state monetary authorities, both incrementalist and futurist Fintech expose deep problems at the core of the contemporary digitization of finance.
In this study, the author sought to examine controversial issues at the intersection of Administrative Law and the legal discipline of personal data protection. According to the text, the Union (the federal government) has the competence to regulate private access to personal data, for business or non-business purposes, but would not have the competence to regulate state and municipal administrative access. Within non-corporate access there would be exclusively administrative forms of access, and the study therefore analysed the impossibility of such access being carried out by state-owned companies. For the author, this access is not equivalent to that carried out by private companies that are not part of the Indirect Administration. Finally, the text points out that the application of administrative sanctions by the ANPD would only be possible in relation to state-owned companies that carry out economic activity.
Data Protection in the Brazilian Legislative
Bill No. 1599/2021, presented by Senator Rose de Freitas (MDB/ES), amends the General Data Protection Law (LGPD) with the aim of improving its provisions on information security. It modifies articles 44, 46 and 55-J; the highlight is the amendment to article 44, §1, which aims to reinforce the liability of the controller and the operator who fail to adopt the security measures provided for in article 46 of the Law. Currently, the bill is in the Senate Plenary.
Bill No. 1589/2021, presented by Deputy Soraya Manato (PSL/ES), amends the General Personal Data Protection Law (LGPD) to prohibit the abusive sharing of personal data and discrimination against users on the internet. The Bill adds provisions preventing the data subject’s access to the services provided by the controller from being conditioned on the sharing of personal data with third parties. Currently, the Bill is awaiting dispatch by the House.
Data Protection in the Brazilian Judiciary
Lawsuit nº 2085886-98.2021.8.26.0000, DJSP, p. 2492
Lawsuit No. 2085886-98.2021.8.26.0000 is a Direct Action of Unconstitutionality filed against Law No. 3,699 of the municipality of Itápolis/SP, which makes public the list of people vaccinated against Covid-19 in that municipality. The action argues that there is a defect of initiative in the enactment of the normative act, which would be the responsibility of the head of the Municipal Executive, and further maintains that the law offends the principle of intimacy and the General Personal Data Protection Law (Law No. 13.709, of August 14, 2018), contrary to articles 5, caput and § 2, 47, items I, II, XIV and XIX, point ‘a’, and 144 of the Federal Constitution. The judge denied the preliminary injunction sought, considering that the essential requirements for the measure were not present.