Welcome to another edition of the Bulletin!
In this 47th edition, we highlight that Data Privacy Brasil launched the Artigo 50 Award, an initiative that aims to reward good practices in the area of data protection. The award will apply to individuals from the public, private and third sectors who are committed to strengthening the creation of a culture of privacy and data protection in Brazil. For more information, just visit our website.
In the Brazilian context, we highlight that the National Data Protection Authority (ANPD) and the National Consumer Secretariat (SENACON) launched the Guide “Como proteger seus dados pessoais?”, which focuses on raising consumer awareness about the importance of their personal data. The guide clarifies the situations in which such data may be processed, what information is necessary and who can carry out this processing, and it guides the consumer on what should be done in case of violations involving the improper sharing of data.
Finally, regarding the performance of authorities in the international sphere, the Italian Data Protection Authority expressed its favorable opinion on the decree that introduces simplified procedures for the use of the Green Certificate in the school environment. The text aims to ensure the correct fulfillment of obligations relating to the Certificate for school employees and compliance with personal data protection rules, in addition to avoiding discriminatory consequences in the work environment.
We wish you a great read!
Bruno Bioni, Mariana Rielli and Júlia Mendonça
Data Protection at Authorities
The National Data Protection Authority (ANPD) and the National Consumer Secretariat of the Ministry of Justice and Public Security (SENACON/MJSP) launched the Guide “Como proteger seus dados pessoais”, which focuses on raising consumer awareness of the importance of their personal data. The Guide was launched at an event organized by SENACON to commemorate the 31 years of the Consumer Defense Code. The material uses simplified language to explain highly relevant topics and to raise awareness across society as a whole. It gathers information on the General Personal Data Protection Law, with basic concepts and guidelines on consumer relations, which are mostly governed by the Consumer Defense Code. Among the contents of the guide are clarifications on the situations in which it is possible to process personal data, what information is necessary for this and who can carry out this processing, as well as guidance to the consumer on what should be done in case of violations that involve the improper sharing of data. The guide can be accessed here.
A public hearing to debate a proposed LGPD application standard for micro and small businesses will be held remotely on September 14 and 15, 2021, according to an order published in the Official Gazette (DOU). The purpose of the hearing is to discuss with society the normative proposal, which is available for public consultation until September 29, 2021, through the Participa + Brasil platform. The session will be open to the public and will be broadcast on ANPD’s YouTube channel. The order of the statements was defined by the alphabetical order of the registered institutions, followed by the alphabetical order of registered natural persons without institutional affiliation. Each one will have up to 5 (five) minutes to make their presentation. In cases where the institution has more than one member, the representatives will be able to choose who will represent them or, alternatively, they will be able to divide the time as they prefer.
During the current school year, a political party’s youth organization website has received media attention for inviting students to report classroom speeches that have “left-wing” content. The form posted on the website also allows the submission of images or videos to support the “complaint”. The Belgian Authority (APD) questioned the legality of the platform and therefore contacted the creators by letter to obtain more information on the matter. In addition, the DPA highlighted that data relating to the political opinions of identified or identifiable persons are sensitive data under the GDPR (Article 9), which restricts their processing to some specific cases. In this regard, the Authority highlighted that it is still unclear to what extent any of the exceptions could be applicable in the present case.
Children and young people have special protection in the GDPR. In this regard, the Danish Data Protection Authority stated that it is paying extra attention to this, especially when the respective personal data are exposed to processing that cannot, in principle, be avoided, as in the case of the use of online platforms for educational purposes. The Danish Authority’s decision, in the specific case of the use of Google Chromebooks, stated that the Folkeskole Act gives municipalities the right to choose the IT equipment and programs to be used in teaching. However, it stressed that it is their responsibility, as controllers, to ensure that equipment and programs are used in such a way that data protection standards are complied with. For the Authority, in the specific case, the municipality in question did not carry out the necessary assessments, resulting in several risks for the data subjects. Finally, it also warned that the use of additional products from the G-Suite cannot be carried out legally without the preparation of a Data Protection Assignment, through which the risks to the rights of the data subjects can be analyzed and mitigated.
The Federal Trade Commission (FTC) has punished SpyFone and its CEO Scott Zuckerman over allegations that the stalkerware app company secretly collected and shared data about people’s location, phone usage and online activities through a hidden device hack. The company’s apps sold access to real-time device surveillance, allowing stalkers and cybercriminals to stealthily track their potential targets. SpyFone’s lack of basic security has also exposed device owners to hackers, identity thieves and other cyber threats. In addition to imposing the surveillance business ban, the FTC order required SpyFone to delete illegally collected information and notify device owners that the app was secretly installed. In this case, after a hacker accessed the company’s server and obtained personal data from about 2,200 consumers in August 2018, the company committed to working with an outside data security company and law enforcement authorities to investigate the incident. However, the FTC highlighted that the company did not comply with the agreement.
The Italian Data Protection Authority, as a matter of urgency, expressed its favorable opinion on the decree of the President of the Council of Ministers, which introduces simplified procedures for verification of the school Green Certification. The text incorporates the suggestions indicated by the Garante in the context of discussions and meetings with representatives of the country’s Ministry of Education and Ministry of Health, in order to guarantee the correct fulfillment of the obligations related to the Green Certificate for school employees, including personal data protection standards, in addition to avoiding discriminatory consequences in the work environment. In particular, educational institutions, as employers, will limit themselves to verifying, through the Educational Information System-Sidi and the National Platform-DGC, the possession of the Covid-19 Green Certification by their employees, dealing only with strictly necessary data. The verification process must be carried out daily, prior to the access of workers to the facilities, and must focus only on personnel who are expected to be effectively present on the day of verification, excluding those who are absent for specific reasons: for example, vacation, leave or illness.
The Green Certificate regulation provides that, only in places where the law so determines, the Certificate must be verified at the entrance of establishments through the application developed by the Government, which allows the verifier to access only restricted information, such as whether or not the document holder has a valid Certificate, without any reference to vaccine-related information or Covid-19 recovery. Thus, for the Authority, requesting a copy of the document and an indication of its expiration date as a condition for attending sports centers or gyms constitutes a violation of the legislation in force on the protection of personal data. For the Authority, it is clear and understandable that the practice that is spreading in the country would make life easier for gym and sports center owners, but at the same time, it could frustrate the objectives of reconciling privacy and health protection. The reopening of the country, pursued with the Green Certificate, puts into circulation a greater amount of personal data than necessary and, above all, determines its collection and multiplication in a series of databases, which makes it necessary to adopt some restrictions, such as those mentioned above.
With two different opinions [Documents n. 9690691 and n. 9690902], the Italian Authority authorized the Public Security Secretariat and the General Command of the Arma dei Carabinieri to use body cameras to document critical public order situations during events or demonstrations. In any case, the two Police Forces will have to observe some indications of the Authority regarding the implementation of security measures and the monitoring of access to data, in order to bring the processing operations into line with personal data protection legislation. In particular, the Authority asked the Ministry to specify that the system it intends to use does not allow for unique identification or facial recognition of individuals. Body cameras can only be activated in the presence of concrete and real situations of danger of disturbance of public order or criminal offences. Continuous recording of images is not allowed, much less the recording of “non-critical” episodes. Among the data collected are recorded audio, video and photos of people, the date and time of recording and GPS coordinates, which will be available with different levels of accessibility and safety, for later verification of activities.
The Data Protection Commission (DPC) today announced the completion of its investigation involving WhatsApp Ireland Ltd. The DPC’s investigation began on December 10, 2018 and was intended to examine whether WhatsApp has complied with its transparency obligations under the GDPR regarding the provision of information, and the transparency of that information, to users and non-users of the application service. This includes information provided to data subjects about the sharing of information between WhatsApp and other Facebook companies. After a long and comprehensive investigation, the DPC presented a draft decision to each of the Concerned Supervisory Authorities (CSAs), pursuant to Article 60 of the GDPR, in December 2020. The DPC subsequently received objections from eight CSAs, but did not manage to reach an agreement on the content of the objections, which culminated in the beginning of the dispute resolution process (Article 65 of the GDPR). On July 28, 2021, the European Data Protection Board (EDPB) adopted a binding decision and the DPC was notified of this decision. In addition to imposing an administrative fine, the DPC also reprimanded WhatsApp and ordered it to bring its processing into compliance through a series of specified corrective measures.
The UK Information Commissioner’s Office (ICO) has asked the G7 data protection authorities to work together to review cookie consent pop-ups so that people’s privacy is more meaningfully protected and companies can deliver a better web browsing experience. With the membership of the Organization for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF), each authority will present a specific technology or innovation issue for which it believes closer cooperation is needed. The event is closely aligned with the G7 initiative “Free flow of data with confidence”. Chairing the meeting, the Information Commissioner, Elizabeth Denham, presented a proposal on how to improve the current cookie consent mechanism, making web browsing smoother and friendlier for business, and protecting data subjects. Today, many people automatically select “I Agree” when they are presented with Internet cookie pop-ups, which means they do not have significant control over their personal data.
Data Protection at Universities
Although technologies are often packaged as solutions to long-standing social problems, scholars of digital economies warn that, far from being liberating, technologies tend to further consolidate social inequalities and, in fact, automate structures of oppression. In this sense, for the authors, digital economies depend on colonial paths that end up serving to replicate a racialized and neocolonial world order. To write the text, the authors drew on the writings of W.E.B. Du Bois on the historical development of capitalism through colonization and the global color line. Drawing on works by the aforementioned author to understand the global historical structure of racism, the text develops heuristics that make visible how the colonial logic operated historically and continues today, thus incorporating digital economies in this long history of capitalism, colonialism and racism. The application of a W.E.B. Du Bois framework to the production and propagation of digital technologies shows how the development of such technology not only depends on preexisting racial colonial production pathways and the denial of racially and colonially rooted exploitation, but also replicates these structures even further globally.
September 11, which took place exactly twenty years ago, was a catalytic event of geopolitical redirection in the name of the “War on Terror”. One of its many consequences has been the acceleration of the use of information technologies for surveillance and intelligence on unprecedented scales and with ethically questionable methods. A paradigmatic example was Stellar Wind, a surveillance program created in October 2001 by the George W. Bush administration as one of the responses to the al-Qaeda attack, which allowed the scanning and mining of data such as email communications, data from the use of telecommunications services, financial transactions and online activities. For the author, in the text published in JOTA and in the Observatório da Privacidade, the dramatic result of this process driven by September 11 was the increase of powers to the Executive, the radical secrecy imposed on the practices and programs of the National Surveillance Agency and the inability to demonstrate the necessity and reasonableness of these measures. Robert Mueller, director of the FBI, constantly argued that, even though 99% of the data collected were from US citizens and foreigners without any connection with terrorism, the important thing was to do everything to “get to reach the 1%”. Thus, to understand Snowden and the ethical dilemmas of the surveillance and counterterrorism apparatus inaugurated in the US, it is necessary to return, in critical analysis, to the legal and institutional architecture inaugurated after 9/11, including the Patriot Act of 2001, and its fragile legitimizing discourses.
Data Protection in the Legislature
The Draft Bill 3101/2021, proposed by Deputy Adriana Ventura (NOVO/SP), aims to change the Brazilian General Data Protection Law to ensure the transparency of information about public agents in the exercise of their functions. The Bill amends article 2 to insert a single paragraph providing that “no provision of this Law may be used to substantiate access denials to information about public agents in the exercise of their functions and about private agents who receive or manage public resources”. In addition, it also inserts paragraph 6 in article 23 to determine that the processing operations necessary to comply with the obligations provided for in Law No. 12,527/11 are also the purpose of the personal data processing by the Public Power. Currently, the Draft Bill is on the Parliament Directors Board.