Welcome to another edition of the Bulletin! In this 44th edition, we highlight that the National Data Protection Authority (ANPD) and the NIC.br signed a Cooperation Agreement between the entities. […]
Welcome to another edition of the Bulletin!
In this 44th edition, we highlight that the National Data Protection Authority (ANPD) and the NIC.br signed a Cooperation Agreement between the entities. This agreement is the result of actions provided for in ANPD’s Strategic Planning, which has as one of its objectives the promotion of dialogue with governmental and non-governmental entities, in order to build strategic partnerships for the promotion of studies, joint action and incorporation best practices on personal data protection.
In the international context, we highlight that the Dutch Data Protection Authority fined the TikTok app 750,000 euros for violating the privacy of children and teenagers. This is because, in the Authority’s understanding, by offering the privacy statement only in English and not in Dutch, the application would not have adequately explained how it performs the collection and processing of personal data, thus violating the principles provided for in the data protection regulation.
Finally, we emphasize that, with the aim to help facing the challenges involving the use of Artificial Intelligence and data protection, the ICO has launched a tool kit that intends to help understanding the risks to holders rights’ by organizations, in addition to providing suggestions on best practices and technical measures that can be used to mitigate the risks involved in processing operations. In this regard, the kit provides a clear methodology for auditing AI applications and ensuring that they carry out personal data processing in accordance with the country’s personal data legislation.
We wish you a great reading!
Bruno Bioni, Mariana Rielli e Júlia Mendonça
Data Protection at Authorities
The Director-President of the National Data Protection Authority (ANPD), Waldemar Gonçalves Ortunho Júnior, and the Director-President of the Information and Coordination Center of “Ponto BR” (NIC.br), Demi Getschko, signed a Cooperation Agreement between the entities. Among its main objectives, the following stand out: (i) the establishment of the exchange of information; (ii) carrying out actions of common interest with regard to the protection of personal data and information security; (iii) mutual scientific technical cooperation aimed at the development of actions and production of training and awareness materials on the subject; (iv) provision of institutional support between the entities and the joint and coordinated production of studies, analyzes and research on the protection of personal data, information security, privacy in networks and technology. The Cooperation Agreement also has as consent the Coordinator of the Internet Steering Committee in Brazil – CGI.br, Marcio Migon. This agreement, the third to be signed by ANPD this year, is the result of actions provided for in the Authority’s Strategic Planning, which has as one of its objectives the promotion of dialogue with governmental and non-governmental entities, in order to build strategic partnerships to promote studies, work together and incorporate best practices in the subject of personal data protection.
As the first result of the Cooperation Agreement signed between the National Data Protection Authority – ANPD and the Information and Coordination Center of “Ponto BR” – NIC.br on Tuesday (20), two issues of the Internet Security Booklet were published , which can be accessed on the authority’s website. The published issues reflect ANPD’s guiding and educating posture, as well as its competences, listed in art. 55-J, I and VI, of Law 13.709/2018. The first issue, on data protection, presents information on how to adopt a preventive posture, use the appropriate safety devices and know a little about the current legislation, in addition to also demonstrating how there is currently an overexposure of the data and make suggestions to mitigate it. In turn, the issue on data leakage presents the main risks of leakage and practical tips on how to proceed with cases. In view of the incipient data protection culture in the country, the growing exposure of personal data on the internet and the constantly reported cases of leaks, as entities point out the need to educate the population so that everyone is aware of what data protection is, what are your rights, how to proceed to minimize the risks and obligations for controllers of personal data.
The GDPR EVALÚA RIESGO tool, launched by the Spanish Authority (AEPD), aims to assist data processing agents in charge of identifying risk factors for the rights and freedoms of interested parties, whose data are present in processing operations, performing a first risk assessment, to verify, for example, the need or not to produce a Data Protection Impact Assessment (DPIA), which can be produced in accordance with the guide “Risk management and impact assessment in the processing of personal data”, published by the AEPD recently. It should be noted that the risk factors presented in the tool are not exhaustive, but minimal, and the agent must identify those that are specific to the treatment and include them in their own assessment.
The French Authority has opened a public consultation on its draft recommendations on the processing of biometric data. Biometric data (such as fingerprints, for example) are, by nature, particularly sensitive data. In this sense, its processing by default is prohibited by the GDPR, except in a limited number of cases listed in article 92 of the Regulation. This is why the Authority has identified such data types as a priority in its Strategic Plan 2020-2025. The purpose of the recommendation, which is available for comments on the entity’s website, is to guide data processing agents in order to allow them to apply and correctly interpret data protection rules on the processing of biometric data. The consultation will be open until September 1, 2021.
The CNIL published its position on the extension of the mandatory use of the health pass (Green Certificate) provided for in the draft law on the management of the COVID-19 crisis. The Authority has already commented on the health pass twice, through opinions of May 12, 2021 and June 7, 2021. The health pass was then limited to leisure events that can bring together more than 1,000 people and trips abroad. The health crisis management bill, urgently examined by Parliament this week, provides in particular for an extension of the system until December 31, 2021, in addition to the extension regarding the enforceability of the certificate: its presentation would be necessary for access to bars, restaurants, long-distance public transport and large shopping centers. In this sense, the president of the CNIL questioned the Parliament about the effectiveness of the health pass in comparison with other measures put in place since the beginning of the pandemic. In addition, he pointed out that the obligation to wear a mask, telecommuting for health services, TousAntiCovid application, reminders, vaccination campaign and Green Certificate must be preceded by a law that provides for the principle of rigorous and scientific evaluation, especially for those involving digital devices, in order to remove instruments that reveal themselves or have become unnecessary, or that generate risks to individual rights and freedoms.
The CNIL carried out an inspection in 2019 in relation to the AG2R LA MONDIALE group, in order to verify compliance with the processing operations implemented within the scope of the management of supplementary pensions for private sector workers, as well as its activity as an insurance company. At the time, the CNIL pointed out that the company, responsible for coordinating pension, dependency, health and savings insurance, stored the data of millions of people for an excessive period of time, in addition to not complying with the information obligations related to the campaigns of prospecting for customers. Based on such elements, the CNIL body responsible for applying sanctions considered that the company had violated several fundamental obligations provided for in the GDPR. As a result, it imposed a fine of 1,750,000 euros on the violating company.
The Dutch Data Protection Authority (AP) fined the TikTok app 750,000 euros for violating the privacy of children and teenagers. The usage guidelines that Dutch users – mostly children – received from TikTok when installing and using the app were in English and therefore not easy to understand. According to the Authority, by not offering the privacy statement in Dutch, the application did not adequately explain how it performs the collection and processing of personal data. Thus, in the Authority’s understanding, Tiktok would have violated personal data protection legislation.
What is certification for privacy purposes? What guarantees does accreditation offer? Who can issue data processing certifications and who can apply for them? Can a single product, such as employee data management software, be GDPR certified? These and other questions are answered by the Frequently Asked Questions page published by the Italian Authority and by Accredia, the only national accreditation body for certification bodies (CB). This first FAQ, dedicated to general aspects, was prepared in the context of the agreement aimed at exchanging information on the certification activities provided for in the EU Regulation on the protection of personal data. The document provides useful clarification to all controllers, both in the business sector and in the public administration, who wish to use a certification to demonstrate their commitment to complying with data protection obligations and the requirements of the GDPR. The content is available on the websites of the Authority www.gpdp.it and Accredia www.accredia.it .
In order for the population to take care of themselves and not fall victim to fraud related to the misuse of personal data, through Internet calls or messages, the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) has issued a series of recommendations. Among the most common fraudulent behaviors to obtain a citizen’s personal data, over the telephone or the Internet, are the use of the image or name of any known public institution or company, misleading posts on social media profiles, false promotions, and even sending documents to the address of the possible victim. It is important to note that sharing personal information can have many consequences, such as fraud, financial loss, the use of unauthorized accounts and/or personal data, among other factors. Therefore, the Authority issued the following recommendations to users: (i) Avoid answering calls with suspicious numbers or numbers that are not visible or private; (ii) Do not provide personal data, through telephone calls, such as keys or passwords for banking services; (iii) Handle Internet calls or messages requesting personal information for alleged social programs, offers, discounts or promotions; (iv) Always check that the website that requests your personal data corresponds to the official page of the institution or organization. (v) Try not to enter websites via links included in emails, text messages or social media.
To help address the challenges surrounding the use of Artificial Intelligence and data protection, ICO has launched a toolkit aimed at organizations. The work builds on the European Data Protection Board’s Guidance on AI and Data Protection, as well as joint guidance from ICO together with the Alan Turing Institute on explaining decisions made with AI. The kit contains analysis to help understand the risks to rights holders, as well as providing suggestions on organizational best practices and technical measures that can be used to manage and mitigate the risks, demonstrating compliance with data protection law. According to the ICO, the kit reflects the audit framework developed by the authority’s internal verification and investigation teams and provides a clear methodology for auditing AI applications and ensuring that they carry out personal data processing in compliance with the law. The kit is being presented in its beta version, after the comments received in the alpha version released in March 2021.
As part of its annual training plan, the Uruguayan Data Protection Authority has developed several activities with the aim of training, raising awareness and disseminating the protection of personal data among national bodies and citizens. Between April and May, the first edition of the year of the course for supervisors was held, with the significant presence of the private sector. At the meetings, tools for development were provided, in addition to deepening and discussing the most complex issues on the subject. Likewise, between May and June, two courses were held that targeted members of various State bodies. In turn, on May 27, the first virtual lecture of the year was held on the approval of the 108+ Convention, its impacts and opportunities for the country. Finally, in June, the Authority released a set of recommendations on the use of messaging applications, for managers, programmers and controllers, based on personal data protection guidelines.
Data Privacy at Universities
TRAUTH-GOIK, Alexander; BERNOTAITE, Ausma
Xi Jinping’s rise to power as chairman of the Chinese Communist Party (CCP) was accompanied by changes in national governance strategies in the People’s Republic of China (PRC) that progressively incorporated the use of big data. Shortly thereafter, in May 2015, the Chinese State Council released a set of policy reforms under the abbreviation Fang guan fu 放 管 服 (decentralize, manage and serve). According to the text, such reforms influenced the big data market in: (1) regulation; (2) supervisory and management systems; and (3) service delivery processes. Through an analytical case study approach, the text examines how advances in big data have contributed to such information centralization reforms in the country. Thus, the article offers evidence of big data surveillance by analyzing China’s fragmented intergovernmental policy system. According to the authors, the findings found after the research may have implications for future analyzes of the relationship between political organization and surveillance within other nation-state contexts, particularly in situations where Chinese technologies and systems are being adopted and adapted.
SAHEB, Tahereh; SAHEB, Tayebeh; CARPENTER, David
The growth of artificial intelligence in health promotion is progressing rapidly, however, according to the text, despite its promising nature, AI in the area of health also incorporates certain ethical challenges. Thus, the research aims to outline the most influential elements of scientific research on ethics in AI in health through bibliometric analyses, social network analysis and content analysis based on clusters of scientific articles. According to the authors, the text will provide a roadmap for policy makers and AI engineers and scientists as to which dimensions of AI-based medical interventions require stricter guidelines, robust ethical design and development, and a better delineated ethic of predictive analytics. Finally, the analysis promotes discussions on the ethics of AIand associated emerging technologies, such as nanotechnology and biotechnology, advancing research involving convergence on ethics and AIin health.
MENGUER, Rafael Bykowski dos Santos
The changes resulting from the pandemic brought changes to the entire Brazilian legal body. As the pandemic has a global character, it has based intense administrative and legislative changes for state norms in a national and global character. Thus, it is necessary to study and delimit the problem from a theoretical point of view, aiming at an adequate solution to the issue. From this perspective, the article was based on the changes that took place in digital law, arising from the period of public calamity, which took place at the federal, state and municipal levels. In particular, the investigation aimed to identify and analyze the proposals and measures established in the national territory, especially those relating to data protection and the new General Law on Personal Data Protection, addressing its most relevant changes, within the Brazilian legal paradigm.