In this 39th edition, we highlight that the National Data Protection Authority (ANPD) released the triple lists of nominees for the National Council for the Protection of Personal Data and Privacy (CNPD). The choices followed a unanimous decision of the Board of Directors, giving greater legitimacy to the deliberation. The lists, organized in alphabetical order, will be forwarded to the Presidency of the Republic, which will choose a holder and a substitute. We highlight that Bruno Bioni, director of the Data Privacy Brasil Research Association, was one of the selected candidates.
In the judicial context, we highlight the judgment in the IDEC vs. ViaQuatro case. In the lawsuit, filed in 2018, the Brazilian Institute for Consumer Protection (IDEC) asked that the concessionaire ViaQuatro, responsible for the yellow line of the São Paulo subway, immediately cease data collection, with the shutdown and permanent removal of the installed cameras, which were intended to recognize human presence and identify the emotion (happy, dissatisfied, surprised and neutral), gender and age range of passengers positioned in front of the sensor. The ruling confirmed the suspension of collection ordered by the court in 2018 and further prohibited ViaQuatro from capturing images, sounds and any personal data without prior authorization. The ruling also ordered payment of an indemnity of R$ 100,000 for collective moral damages, to be allocated to the Diffuse Rights Fund.
We wish you a great reading!
Bruno Bioni, Mariana Rielli and Júlia Mendonça
Data Protection at Authorities
The National Council for the Protection of Personal Data and Privacy (CNPD) is one of the priorities of the ANPD, and the dissemination of information about its composition is part of the Authority's commitment to transparency and social participation, principles observed throughout the process of forming the lists. Accordingly, the triple lists of nominees for the Council were released, following a unanimous decision of the Board of Directors, which gives greater legitimacy to the deliberation. The lists, organized in alphabetical order, will be forwarded to the Presidency of the Republic, which will choose a holder and a substitute. We highlight that Bruno Bioni, director of the Data Privacy Brasil Research Association, was one of the selected candidates.
The Danish Data Protection Agency has published an opinion stating that web forms and other solutions for processing personal data require security measures, and that controllers must ensure that personal data does not reach unauthorized persons. According to the Authority, this can be achieved by adopting Transport Layer Security (TLS) version 1.2 or higher. The Authority also points out that TLS versions 1.0 and 1.1 contain known vulnerabilities and therefore do not guarantee the necessary confidentiality and integrity of the information exchanged.
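A controller who wants to verify the point made by the Danish Authority needs to check what its own web-form endpoint actually negotiates, not what the configuration file says. The script below is an added example (it is not part of the Authority's opinion and not a tool it publishes): it offers each TLS version to a server one at a time using only the Python standard library and reports whether TLS 1.0 or 1.1 is still accepted. The host name is supplied on the command line; certificate verification is deliberately switched off because the question here is version negotiation, not certificate validity. Whether TLS 1.0/1.1 can be offered at all depends on the OpenSSL build the client runs on, so the result distinguishes "server refused" from "could not probe".

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. TLS 1.0 and 1.1 are the ones that must no
# longer be offered according to the opinion discussed above.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_pinned(host, port, version, timeout=5.0):
    """Attempt one handshake that offers exactly `version`.

    Returns True if the server accepted it, False if the server (or the
    handshake) refused it, and None if this client could not even offer it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing version support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        # so that a legacy ClientHello is actually sent to the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # this OpenSSL build cannot offer the version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # server rejected the offered version
    except OSError:
        return None  # network problem: says nothing about the server


def probe(host, port=443):
    """Probe every version in VERSIONS and return {name: True/False/None}."""
    return {name: handshake_pinned(host, port, v) for name, v in VERSIONS.items()}


def classify(results):
    """Turn probe results into a verdict against the 'TLS 1.2 or higher' requirement."""
    legacy = [results.get(v) for v in ("TLSv1.0", "TLSv1.1")]
    modern = [results.get(v) for v in ("TLSv1.2", "TLSv1.3")]
    if any(r is True for r in legacy):
        return "non-compliant: server still accepts TLS 1.0 or 1.1"
    if not any(r is True for r in modern):
        return "inconclusive: no TLS 1.2+ handshake succeeded"
    if any(r is None for r in legacy):
        return "inconclusive: legacy versions could not be offered by this client"
    return "compliant: only TLS 1.2 or higher is accepted"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <hostname>")
    results = probe(sys.argv[1])
    for name, outcome in results.items():
        state = "accepted" if outcome else ("refused" if outcome is False else "not probed")
        print(f"{name:8s} {state}")
    print(classify(results))
```

Run it against the host that serves the form, e.g. `python tls_probe.py forms.example.org` (a placeholder host). An "inconclusive" result for the legacy versions is not a pass: repeat the probe from a client whose OpenSSL still has TLS 1.0/1.1 enabled, or use a dedicated scanner, before recording the endpoint as compliant.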
European Data Protection Supervisor (EDPS)
The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from Census 2021 to the United States. CNPD issued a decision addressed to INE ordering the suspension of any international transfer of personal data to the United States, or to any other third country without an adequate level of protection, in the context of the Census 2021 questionnaire. Following a number of complaints about the conditions of online data collection, CNPD carried out an expedited investigation and concluded that INE had outsourced the operation of the census questionnaire to Cloudflare, Inc. under a data processing agreement that provides for the transfer of personal data to the United States. Cloudflare is an undertaking established in California. Because of the type of services it provides, it is directly subject to US surveillance legislation for national security purposes, which imposes on it the legal obligation to give United States authorities unrestricted access to personal data it holds or stores, without being able to inform its customers of that fact. Given that the data in question are the personal data of an almost complete universe of citizens residing on national territory, including sensitive data such as health and religion data, CNPD took the view that the transfer of data to the United States or to any other third country without adequate protection should be suspended with almost immediate effect.
The Icelandic Data Protection Authority fined the company InfoMentor ISK 3,500,000 (EUR 23,100) for failing to ensure adequate security of personal data within Mentor, a system aimed at schools and other organizations that work with children. Due to a vulnerability in which each user's six-digit system number appeared in the URL within the Mentor system, unauthorized parties gained access to the national identification numbers and profiles of more than 400 children. The incident was reported as a data breach in February 2019. InfoMentor admitted that the company had been aware of the vulnerability and that a fix had already been developed, but that, due to human error, it was not fully deployed. InfoMentor also mistakenly sent the national ID numbers of the students affected by the incident to the wrong schools, making the situation even more worrying.
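The InfoMentor incident, as described, is the familiar pattern of a record identifier in the URL being used as the only key to the record: once the six-digit number is guessable, every profile is one request away. The following is an added example, not InfoMentor's code; the profiles, user names and authorization mapping are constructed for illustration. It places the vulnerable lookup beside a hardened one that enforces object-level authorization on every request, and then simulates an attacker walking sequential six-digit numbers against each.

```python
# Constructed sample records: six-digit system numbers tied to a child's
# profile and national ID, loosely modelled on the incident described above.
PROFILES = {
    "000101": {"name": "Child A", "national_id": "010203-1234", "school": "School 1"},
    "000102": {"name": "Child B", "national_id": "040506-5678", "school": "School 1"},
    "000103": {"name": "Child C", "national_id": "070809-9012", "school": "School 2"},
}

# Assumed authorization model: a guardian may see their own children,
# school staff may see pupils of their own school.
GUARDIANS = {"parent_a": {"000101"}}
STAFF_SCHOOL = {"teacher_s2": "School 2"}


class Forbidden(Exception):
    """Raised when the requester may not view the requested profile."""


def get_profile_insecure(requester, system_number):
    """Vulnerable pattern: the number from the URL is used directly as the key.

    The requester is authenticated but never checked against the record, so
    any logged-in user can read any profile by changing the number.
    """
    return PROFILES.get(system_number)


def is_authorised(requester, system_number):
    """Object-level check: does this requester have a relationship to this record?"""
    profile = PROFILES.get(system_number)
    if profile is None:
        return False
    if system_number in GUARDIANS.get(requester, set()):
        return True
    return STAFF_SCHOOL.get(requester) == profile["school"]


def get_profile_secure(requester, system_number):
    """Hardened pattern: authorization is evaluated on every lookup."""
    if not is_authorised(requester, system_number):
        # One error for both "no such record" and "not yours", so an enumerating
        # caller cannot learn which system numbers exist.
        raise Forbidden("not authorised to view this profile")
    return PROFILES[system_number]


def enumerate_profiles(lookup, requester, start, count):
    """Simulate an attacker iterating sequential six-digit system numbers.

    Returns the national IDs disclosed to `requester` through `lookup`.
    """
    disclosed = []
    for n in range(start, start + count):
        try:
            profile = lookup(requester, f"{n:06d}")
        except Forbidden:
            profile = None
        if profile is not None:
            disclosed.append(profile["national_id"])
    return disclosed


if __name__ == "__main__":
    print("insecure:", enumerate_profiles(get_profile_insecure, "parent_a", 100, 10))
    print("secure:  ", enumerate_profiles(get_profile_secure, "parent_a", 100, 10))
```

With the vulnerable lookup, a single guardian account harvests every national ID in the range; with the hardened one, only the guardian's own child is returned. Note that a six-digit sequential space is only a million values, so replacing the number with a random, opaque identifier would slow an attacker down but is not a substitute for the authorization check itself.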
The Spanish Data Protection Authority (AEPD) has published the guide “Protección de datos y relaciones laborales”, which aims to offer a practical tool to help public and private organizations comply properly with the legislation. The application of the General Data Protection Regulation (GDPR) and the Organic Law on Data Protection and Digital Rights brought a series of changes to workers' rights with regard to the collection and processing of their data. The guide also addresses issues that are increasingly debated, such as whether the employer may consult a worker's social networks, internal whistleblowing systems, the recording of working hours, the protection of company data, and the use of technology as a means of control. The document begins by listing the legal bases that legitimize the processing of personal data, the information that must be provided, and the data protection rights that apply in the work environment. It also addresses the principle of minimization, since entering into an employment contract does not entitle the employer to know every kind of personal data about its workers.
The Spanish Data Protection Authority (AEPD) has published a guide on the 10 most common misunderstandings about anonymization. Under European Union data protection legislation, principally the General Data Protection Regulation (GDPR), anonymous data is “information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is no longer identifiable”. Such data plays an important role in research in areas such as medicine, demography, marketing, economics and statistics, among many others. However, this great interest has led to the spread of misunderstandings about the subject. The purpose of the document is therefore to make the public aware of some of these misunderstandings about anonymization, and to encourage readers to verify the truth of claims made about the technology instead of accepting them without question.
The Information Commissioner's Office (ICO) and the New Zealand Office of the Privacy Commissioner (OPC) have signed a Memorandum of Understanding (MOU). The MOU builds a strong relationship between ICO and OPC, recognising their shared mission to uphold people's information rights while supporting digital innovation and economic development. Cooperation between international data protection authorities is essential in a time of global data-driven business, and this MOU builds on the strong collaboration the two authorities already enjoy as active members of the Global Privacy Assembly, which the ICO currently chairs. The MOU comes soon after New Zealand's new privacy law came into force, and at a time of increasing trade between the UK and New Zealand. It codifies how the authorities will continue to share experiences and best practice, cooperate on specific projects of interest, and share information or intelligence to support their enforcement work.
In December 2020, in addition to imposing fines of 60 and 40 million euros, the French Authority (CNIL) ordered the companies Google LLC and Google Ireland Limited to inform users in advance, within three months and on the homepage of google.fr, of: a) the purposes of all cookies, and the fact that they are subject to users' consent; and b) the means available to users to refuse them. In view of the responses provided by the companies within the stipulated period, and considering that they satisfied the injunction, the CNIL committee decided to close the procedure on April 30, 2021.
CNIL issued an opinion on the French Government's plan to implement a “health pass” system regulating access to certain places, establishments and events in the context of the current global health situation. First, the Authority recalls the need to guarantee the temporary nature of the measure. Second, it considers that the pass should be limited to events involving large crowds, excluding in particular the activities of daily life (workplaces, restaurants, shops, etc.), which reduces the risk of violations of people's privacy and data protection. Since the fundamental rights and freedoms of citizens are at stake, CNIL considers that the law must define precisely the purposes, the nature of the places, establishments and events concerned, and the maximum number of people at each location. Professionals not covered by the system should also be prohibited from conditioning access to their establishment on presentation of the health pass on their own initiative. Finally, CNIL emphasizes that the system must incorporate guarantees for pass holders, in order to limit the disclosure and retention of personal information as much as possible and to avoid any risk of discrimination.
The Dutch Data Protection Authority (AP) imposed a fine of EUR 525,000 on Locatefamily.com. According to the investigation, this website publishes people's addresses and phone numbers, usually without their knowledge. In addition, it is not easy to request deletion of the data, since Locatefamily.com has no representative in the European Union (EU), which in itself violates the legislation and led to the fine. To force Locatefamily.com to set up such representation, the Authority also ordered the company to appoint a representative in the EU by 18 March 2021. In case of non-compliance, Locatefamily.com must pay 20,000 euros for every two weeks in which the order is not met, up to a maximum of 120,000 euros.
The Dutch Data Protection Authority (AP) imposed a fine of EUR 7,500 on the Dutch Party for Freedom (PVV). The fine was imposed because PVV Overijssel did not report a data breach to the AP. The incident leaked several people's political opinions and was caused by an e-mail invitation to a party meeting. In the e-mail, the 101 recipients were addressed as “PVV friends”. Due to a mistake by an employee of the group, the e-mail addresses (and the names) of the recipients were visible to everyone who received the invitation. As a result, the political views of the recipients were exposed without their consent.
TikTok has committed to adopting new measures in the Italian market to prevent children from accessing the platform. According to the Italian Authority (Garante), the procedures adopted by the company following the Garante's emergency measures and recommendations produced significant results, but still not enough given the importance of the interests at stake. Over 500,000 users were removed because they were probably under 16: approximately 400,000 of them were excluded because they declared themselves to be under 13, and a further 140,000 had their accounts deleted after reporting tools were implemented in the application. The Garante therefore asked TikTok to implement a series of further measures aimed at keeping children under 13 off the platform: a) ensure the cancellation, within 48 hours, of reported accounts that are found on verification to belong to users under 13; b) strengthen the mechanisms for blocking devices used by children under 18 who try to access the platform; c) study and develop solutions, including ones based on artificial intelligence, which, in accordance with personal data protection rules, minimize the risk of the platform being used by children under 13; d) launch new communication initiatives, both in the application and through radio and newspapers, to educate users and enable conscious and safe use of the platform; e) share with the Authority data and information on the effectiveness of the various measures adopted, so as to help identify effective measures capable of containing the phenomenon. The Italian Authority will monitor TikTok's fulfilment of the commitments made and will continue its investigation within the proceedings already initiated against the platform.
Convention 108: the law that ratifies the Protocol of amendment in Italy was published in the Official Gazette, establishing more guarantees and rights for people to face the challenges of the digital age
Signed in 1981, long before the age of the Internet and electronic communications, the “Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108) aims to protect the right to respect for private life and is the only legally binding multilateral agreement in the field of personal data protection. Convention 108 plays a key role in spreading the “European data protection model” worldwide, and is often used as a source of inspiration by countries that want to adopt new privacy regulations or harmonize existing ones with international standards. The Amending Protocol defines the principle of lawfulness of processing more specifically (with reference to the requirements for consent) and reinforces the protection of special categories of data. The updated agreement also provides additional guarantees for data subjects (in particular, the obligation to assess the likely impact of a planned processing operation, the obligation to adopt appropriate technical and organizational measures, and the obligation to notify data breaches) and strengthens their rights (in particular, transparency and access to data). Finally, the updated agreement provides for the appointment of one or more independent Authorities responsible for ensuring compliance with its provisions, with additional powers such as issuing decisions on violations and imposing administrative sanctions.
On World Internet Day, the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) called for efforts to guarantee the more than 80 million internet users in Mexico secure access to the network, considering that the pandemic has increased its use and made it an indispensable means, among other things, of maintaining people's access to information. As guarantor of the right to the protection of personal data, INAI has implemented a series of actions to help users protect their privacy, inviting them to consult the recommendations, tools, microsites and guides it has developed for this purpose. To maintain privacy on the internet, it is essential to control the flow of personal data that circulates, voluntarily or involuntarily, on the network through web pages, applications or any other software that stores information, since that data may later be commercialized for purposes such as market research.
The work, reflections and practices shared at the National Open Data Conference (DATACON) 2021 are the starting point for building a national public policy on open data in the country, said Adrián Alcalá Méndez, commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI). The commissioner recognized the efforts of civil society organizations in holding the first edition of the Conference as a space for dialogue and collaboration between national and international people and institutions from different sectors interested in the generation, publication, use and exploitation of open data, which was reflected in panels with more than 70 speakers. He explained that experiences and best practices were shared in the different sessions and the status of the open data agenda in Mexico was analyzed, debates that will be taken into account in building a national policy on the matter; the results and agreements will be shared through the website datacon.mx.
Data Protection at Universities
Taking Shoshana Zuboff’s work on surveillance capitalism as a starting point, the article aims to explore the issue by focusing on one of Amazon’s newest business initiatives, Amazon Go. Launched in 2018, the initiative has involved opening twenty-six stores intended to enhance customer convenience by weaving “machine learning, computer vision, and AI into the very fabric of the store,” so customers “never have to wait in line.” Drawing on a range of data, including promotional videos, marketing reports, interviews with the designers of the initiative, and customer comments, I show how convenience operates not just as a coveted consumer product but also as an ideology that is central to Amazon’s abilities to exploit the behavioral surplus of its customers and legitimate new forms of capital accumulation and extraction. By interrogating how convenience functions in this capacity, this article seeks further understandings of the convenience economy while also returning to a long-standing question within economic anthropology: What role do ideologies play in sustaining and perpetuating exploitative economic systems?
BIONI, Bruno; ZANATTA, Rafael.
After one year of existence, Associação Data Privacy Brasil de Pesquisa launched the series “Texts of Discussion”, with the objective of amplifying voices and debates on emerging themes in the relationship between technology, protection of personal data, privacy and other fundamental rights. In this context, together with the Brazilian Institute for Consumer Protection (IDEC), the association published a pioneering study on “data-centric acquisitions”, meaning mergers of two or more previously independent companies whose business models are based on the economic exploitation of personal data. The research was produced by Lucas Griebeler (University of Chicago) and presents recommendations so that the Administrative Council for Economic Defense (Cade) can address acquisitions oriented towards the economic exploitation of personal data, an emerging theme in contemporary competition law, in dialogue with the National Data Protection Authority (ANPD).
Data Protection in the Brazilian Legislative
Bill 1704/2021, presented by Senator Soraya Thronicke (PSL/MS), amends the General Law on Protection of Personal Data (LGPD) to provide guidelines for the portability of health information. Amending article 11, the bill proposes inserting paragraphs 4-A, 4-B and 4-C, with the objective of giving procedure to the data portability referred to in item I of § 4. The bill also stipulates that personal data related to health must be kept “in an interoperable and structured format for shared use, under the terms of the regulation, guaranteeing the preservation of the integrity and confidentiality of the information”. The bill is currently before the Senate Plenary.
Bill 1689/2021, proposed by Deputy Alê Silva (PSL/MG), amends the Civil Code to provide for the profiles, pages, accounts, publications and personal data of a deceased person, including their treatment in wills and codicils. The bill adds provisions, for example, to include in the inheritance the copyright, personal data and other publications and interactions of the deceased on internet application providers, and seeks to guarantee the heirs the right to maintain and edit the deceased's digital information or to turn the profile or website into a memorial. The bill is currently awaiting dispatch by the President of the Chamber of Deputies.
Data Protection in the Brazilian Judiciary
In 2018, the Brazilian Institute for Consumer Protection (IDEC) filed a Public Civil Action against the concessionaire ViaQuatro, responsible for the yellow line of the São Paulo subway, challenging the technology implemented by the company, which consists of a camera that “recognizes human presence and identifies the emotion (happy, dissatisfied, surprised and neutral), gender and age range of passengers positioned in front of the sensor”. In the lawsuit, IDEC asked that the company immediately cease data collection, with the shutdown and permanent removal of the cameras already installed, also highlighting “ViaQuatro's lack of caution with the protection of the image of children and adolescents, as provided for in the Federal Constitution”. The ruling confirmed the suspension of data collection ordered by the court in 2018 and further prohibited ViaQuatro from capturing images, sounds and any personal data without prior authorization. The ruling also ordered payment of an indemnity of R$ 100,000 for collective moral damages, to be allocated to the Diffuse Rights Fund.