Welcome to another edition of the Bulletin!
In this 40th edition, we highlight several recent movements of the National Data Protection Authority (ANPD). For example, ANPD published the “Guia Orientativo para Definições dos Agentes de Tratamento de Dados Pessoais e do Encarregado”. The document, the first of its kind published by the Authority, seeks to establish non-binding guidelines for processing agents and explain who can exercise the role of controller, processor and DPO, the respective legal definitions, liability regimes, and specific cases that exemplify ANPD’s explanations and frequently asked questions regarding the subject. According to the Authority, the receipt of suggestions for improving the guide is continuous and the document will be updated as the new regulations and understandings are published and established.
Also in the Brazilian context, we emphasize that the Department of Consumer Protection and Defense (DPDC) of SENACON fined Banco Pan R$ 8.8 million for violating the Consumer Defense Code in the offer and contracting of payroll-deductible loans, a case which also involved data protection violations. It was highlighted that, after data leaks of retirees and pensioners linked to the National Institute of Social Security (INSS), telephone approaches were being made in an abusive manner so that the elderly would acquire a payroll loan or credit card. There were cases where such consumers were not even informed of the opening of accounts and registrations. The aforementioned administrative proceeding was initiated after a complaint by the Collective Defense Institute, and the Technical Note was published on May 31st.
In the judiciary, we highlight the judgment of the TJDFT in the MPDFT v. Serasa S.A. (Serasa Experian) case. In the Public Civil Action, the 2nd Civil Panel of the Court of Justice of the Federal District and Territories (TJDFT) confirmed, based on the Brazilian General Data Protection Law (LGPD), the injunction previously granted, maintaining the suspension of the commercialization of data of millions of consumers by Serasa Experian. In November last year, the Court granted the MPDFT an injunction prohibiting Serasa S.A. from selling such information; however, the company appealed the decision. The lawsuit was filed by the Special Data Protection and Artificial Intelligence Unit (Spec), after the Unit identified that Serasa Experian sold, for the price of R$ 0.98 per registered person, personal information such as name, address, CPF, telephone numbers, location, financial profile, purchasing power and social class, for advertising purposes and for companies interested in attracting new customers.
We wish you a great reading!
Bruno Bioni, Mariana Rielli and Júlia Mendonça
Data Protection at Authorities
Brazil
ANPD opened registration for participation in a meeting on data protection impact assessment
On May 25, the Brazilian National Data Protection Authority (ANPD) opened registration for the participation of experts in its technical meetings on the data protection impact assessment. Enrollments, which can be made until 23:59 on 06/01, do not guarantee a place to participate, but signal the specialist’s interest in contributing to the regulation process. It is noteworthy that ANPD will take diversity into account in the selection of candidates. Six experts will be selected to answer fourteen questions on June 21, June 23 and June 25, divided into three blocks: (i) Block 01: It will address questions about which methodology is the most appropriate, the understanding of “high risk”, the request for an independent audit by ANPD, among other debates; (ii) Block 02: It will address the exceptions to the data protection impact assessment and the identification of which circumstances must be present for an assessment to be recommended, as well as whether there are cases in which it is mandatory, among other points; (iii) Block 03: It will seek to understand whether processing based on legitimate interest must require a prior data protection impact assessment, and whether industrial or commercial secrecy may limit the content of a report, among other discussions. The meetings will be broadcast on ANPD’s YouTube channel, always at 10:00 am, and the interested party must be available to attend, virtually, on the aforementioned days and times.
ANPD and CADE signed a cooperation agreement on Wednesday (06/02)
On June 2 (Wednesday), the National Data Protection Authority (ANPD) and the Administrative Council for Economic Defense (CADE) signed a Technical Cooperation Agreement. The signing took place at an event broadcast online with the presence of the presidents of the institutions: Alexandre Barreto, from CADE, and Waldemar Gonçalves Ortunho Júnior, from ANPD. This is the second Technical Cooperation Agreement signed by ANPD, and represents another step in the Authority’s articulation with other bodies to strengthen the environment for the protection of personal data and privacy in Brazil. The president of ANPD, Waldemar Gonçalves Ortunho Junior, indicates that “the objective of this agreement is to combat activities that are harmful to the economic order and to encourage and disseminate the culture of free competition in services that claim the protection of personal data.” This objective will materialize through the execution of common obligations by ANPD and CADE, such as the sharing of knowledge and experiences, holding meetings and workshops, joint promotion of events and, in particular, cooperation in cases of infractions against the economic order involving personal data.
ANPD opened Public Consultation on inspection standard
The National Data Protection Authority (ANPD) published this Friday, May 28, the public consultation on the Authority’s inspection standard. The consultation, which will be available on the Participa + Brasil platform for the next 30 days, is the first to be carried out by ANPD, which has already used participation instruments such as grant taking and technical meetings. The General Data Protection Law (LGPD) determines that ANPD conduct consultation and public hearing before publishing its normative acts, thus allowing the promotion of direct dialogue between the Authority and the citizen in the data protection regulation process in Brazil. According to Director Joacil Basilio Rael, the publication of the public consultation demonstrates that ANPD works to meet the deadlines set by the LGPD and is concerned with social participation in this process. The Regulatory Impact Analysis Report and the votes cast by the directors were also made available on the platform. Soon, the Authority will disclose the date for holding a public hearing, which should be held remotely.
ANPD has published an Advisory Guide on processing agents and DPO
On May 28, ANPD published the “Guia Orientativo para Definições dos Agentes de Tratamento de Dados Pessoais e do Encarregado”. The document, the first of its kind published by the Authority, seeks to establish non-binding guidelines for processing agents and explain who can exercise the role of controller, processor and DPO, the respective legal definitions, liability regimes, specific cases that exemplify ANPD’s explanations and frequently asked questions in this regard. It is noteworthy that the current version is the first edition of the guide, which is subject to comments and contributions by civil society. According to the Authority, the receipt of suggestions for improving the guide is continuous and the document will be updated as new regulations and understandings are published and established. For Waldemar Gonçalves Ortunho Junior, President of the Authority, the publication of the guide is an important step for ANPD’s guiding function: “The preparation of the guide demonstrates ANPD’s concern with the questions that have been raised by processing agents and by data subjects. The document brings legal certainty and resolves some of the main doubts that arose over the first months of the Authority’s existence.”
SENACON’s Department of Consumer Defense (DPDC) imposed a fine of 8 million reais on Banco Pan
SENACON’s Department of Consumer Protection and Defense (DPDC) fined Banco Pan R$8.8 million for violating the Consumer Defense Code in offering and contracting payroll loans, and also for violating personal data protection. According to Technical Note No. 35/2021 (SENACON/MJ/DPDC), the bank allegedly carried out “abusive practices in the offer of payroll-deductible loans”, in addition to not having provided clear and adequate information to consumers, also incurring in the “violation of personal data of seniors”. It was also highlighted that, after data leaks of retirees and pensioners linked to the National Institute of Social Security (INSS), telephone approaches were being made in an abusive manner so that the elderly would acquire a payroll loan or credit card, in cases where such consumers were not even informed of the opening of accounts and registrations. The aforementioned administrative procedure was initiated after a complaint by the Collective Defense Institute, and the Technical Note was published on 05/31 (Monday).
Argentina
The COVID-19 pandemic accelerated the use of various technological tools by children and adolescents, mainly to continue their studies and learning. In light of this, the Argentine Authority drew up a set of recommendations to promote the responsible use of technologies and protect the privacy of young people. Children and teenagers are exposed to content that is not appropriate for their age, through web pages, applications, social networks and even online advertising, which can have very harmful consequences for the emotional and psychological sphere. Thus, the Authority believes it is important that children learn the rights they have over their personal data from an early age. Therefore, to prevent access to inappropriate content such as pornography, gambling, addictions and misinformation, among others, and also to protect privacy, the Authority recommends the following precautions: (i) Encourage the safe use of technology in the family group and continuously accompany the younger ones; (ii) Establish specific mechanisms that limit access to inappropriate content and allow control of the use of devices by children and adolescents; (iii) Promote the use of safe applications with exclusive content for children, which facilitate parental control options; (iv) Implement privacy and security settings for the applications used; (v) Read application terms and conditions in order to verify the recommended age of use.
Belgium
Approved the “EU Cloud CoC”, a European code of conduct for cloud systems
On May 19, the European Data Protection Board (EDPB) issued a favorable opinion, allowing the Belgian Data Protection Authority to approve its first transnational code of conduct. Also, the DPA has accredited Scope Europe as the body responsible for overseeing the code, ensuring that members comply with its provisions. The “EU Cloud CoC” incorporates the requirements of Article 28 of the GDPR, as well as other relevant points, in order to promote its implementation in the cloud sector (including the provision of IaaS, “Infrastructure as a Service”, PaaS, “Platform as a Service”, and SaaS, “Software as a Service”). Adherence to this European cloud code of conduct is also possible for SMEs active in the sector. According to the Belgian Authority, by approving this code of conduct, the DPA is contributing to a harmonized interpretation of the GDPR provisions for cloud services across the European Union.
Catalonia
Catalan Authority has published new FAQs to resolve recurring questions about data protection
The Data Protection Authority of Catalonia (APDCAT) has developed new frequently asked questions (FAQs) on data protection, with the aim of clarifying the most recurrent doubts of the public and of those responsible for personal data processing. In this sense, the Authority renewed the corresponding web section, incorporating new questions and answers with a more intuitive structure, organized around five thematic areas. Two of them are new: one which includes questions addressed to those responsible for the processing and one which includes questions addressed to citizens. Three others have been updated or expanded, and deal with APDCAT’s scope of action, the entry into force of the European regulation (GDPR) and the glossary of main concepts, among other points. Finally, the director of APDCAT, M. Àngels Barbarà, highlighted that this update is one of the objectives of the Strategic Plan of APDCAT 2020-2022.
European Data Protection Board (EDPB)
Spanish Authority imposed a fine of 1,500,000 euros on the company EDP Energía, SAU for violations of the GDPR
The Spanish Authority (AEPD) considered that EDP ENERGIA, SAU did not adopt adequate technical and organizational measures to verify whether the legal bases adopted for processing operations in the company were adequate, especially regarding the transfer of information to third-party companies. The consent legal basis was initially relied upon during the contracting procedure, with specific purposes that were not observed during other processing operations. Consequently, the AEPD concluded that the company violated Article 25 of the GDPR. Therefore, in accordance with Article 83(4)(a), a fine of 500,000 euros was imposed. The Authority also considered that the company’s document intended to provide data processing guidance to data subjects did not provide sufficient information on the controller or on the legal basis used, nor did it indicate the possibility of objecting to processing activities based on the legal basis of legitimate interest. In addition, in some procedures for contracting the company’s services (for example, contracting by telephone), the way to access the information required by Article 13 of the GDPR is not simple and immediate as it should be, culminating in the violation of this provision as well. Thus, under the terms of Article 83(5)(b) of the same legislation, another fine was imposed in the amount of 1,000,000 euros.
Spain
The AEPD has published a new version of its guide to notify personal data breaches
The Spanish Data Protection Agency (AEPD) has published an update of its “Guide to the notification of personal data breaches”, a document that aims to guide data controllers on the obligation to notify data protection authorities and to communicate to the affected parties that a security incident has occurred. This guide updates the version published in 2018, when the General Data Protection Regulation (GDPR) entered into force, and includes the experience accumulated both at national level and in relation to the criteria established by the European Data Protection Board (EDPB). The main objective of the update is to facilitate the efficient fulfillment of the final objective of personal data breach notification: the effective protection of individuals’ rights and freedoms, the creation of a more resilient environment based on knowledge of the organization’s vulnerabilities, and the guarantee of legal certainty. The Guide starts by defining what a personal data breach is in the context of the European, national and sectoral regulatory landscape. Furthermore, it identifies when a breach must be notified to the Data Protection Authority, within what period, and what the notification must contain. With regard to communication with affected data subjects, the document also specifies the cases, content and respective deadlines. Lastly, the document provides guidelines to facilitate and simplify the fulfillment of these obligations.
United Kingdom
ICO took action against QR code provider company for contact tracing
ICO fined a company for sending direct marketing emails to people who had provided their personal data for contact tracing purposes. Tested.me Ltd (TML) provides digital contact tracing services that work by giving people a QR code to be scanned upon arriving at a company’s premises. The company sent around 84,000 nuisance emails at the height of the Covid-19 pandemic, between September 2020 and November 2020, when companies were using private QR code providers to collect personal data in order to comply with government security rules. ICO fined TML £8,000 for using personal data for marketing without valid consent. In addition, ICO has also analyzed the increased use of QR code technology, with the aim of helping companies comply with data protection regulations, having contacted 16 QR code providers to ensure that they too were handling personal information properly. The inquiries revealed that most companies understood the relevance of the legislation, as well as the importance of handling personal data fairly and securely.
ICO and CMA published a joint statement on competition and data protection in digital markets
The Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) have published a joint statement outlining their shared views on the relationship between competition and data protection in the digital economy. The UK regulators’ declaration on competition and data protection – the first of its kind worldwide – highlights the strong overlap between promoting competition in digital markets and protecting personal data. Coherent and clear regulation is vital for creating the conditions that allow new innovative services to flourish and for people to have confidence in digital services. The ICO and CMA claim that rather than competition and data protection being in opposition, they are complementary agendas. Regulators are committed to work together to find regulatory solutions that achieve good results in competition and data protection. Competitive digital markets, with consistent and well-targeted regulation, can empower consumers, giving them greater control over their personal data and driving positive competitive outcomes. The commitment was made through an updated Memorandum of Understanding (MOU) which sets out how the two regulators will collaborate more in the future, for example through information sharing and the potential for joint projects.
The ICO fined the American Express company for sending four million unlawful emails
The Information Commissioner’s Office (ICO) fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to unwilling customers. ICO began investigating when it received complaints from Amex customers who were receiving marketing emails despite having chosen not to receive them. The emails included details about online shopping rewards with Amex, making the most of card usage, and encouraging customers to download the company’s app. The company rejected its customers’ complaints by stating that the e-mails in question were service emails and not marketing. During the investigation, the ICO found that Amex had sent more than 50 million “service emails” to its customers. It was also revealed that for almost 12 months, between June 1, 2018 and May 21, 2019, 4,098,841 of these emails were marketing emails, intended to encourage customers to make purchases with their cards that would financially benefit Amex. The Authority concluded that the case reveals a deliberate action for the organization’s financial gain, considering that the company did not revise its marketing model after several customer complaints.
ICO Blog Post: Child Code Standards Spotlight – Data Protection Impact Assessment
ICO has started a new series of blogposts, with the aim of supporting organizations to comply with the Age Appropriate Design Code. According to the Authority, in the coming months a detailed explanation of the 15 standards defined in the code will be provided, with practical tips and advice, to explore some of the more differentiated and specific aspects of the text. The series is aimed at organizations that are already familiar with the UK Code and General Data Protection Regulations. The first post explores the use and design of Data Protection Impact Assessments (DPIAs), answering the following questions: (i) What is a DPIA and what does it offer me?; (ii) What should I do as part of a DPIA?; (iii) When should I produce a DPIA?.
Czech Republic
The European Data Protection Board (EDPB) has recently adopted a new document: a recommendation on the legal basis for the retention of credit card data for the purpose of facilitating new transactions. In connection with the COVID-19 pandemic, the digital economy and e-commerce are increasingly developing, which implies increased risks associated with the use of credit cards in the online space. Therefore, according to the Authority, it is important that controllers implement adequate safeguards to protect individuals’ data. The recommendation aims to promote the harmonized application of personal data protection rules when using credit card data across the European Economic Area. Specifically, the document deals with the storage of this kind of data by suppliers of goods and services on the Internet, to facilitate future purchases. It is, therefore, a situation in which the customer, the data subject, purchases products or services through a website or mobile application and, at the same time, provides his credit card data to carry out the transaction. As with any processing of personal data, in this case the controller must rely on a valid legal basis, in accordance with Article 6 of the General Data Protection Regulation (GDPR). Thus, the document analyzes and points out that not all legal bases mentioned in that article are applicable in this situation, explaining the specifics of each case.
France
On May 18, 2021, the President of the French Data Protection Authority (CNIL) sent around twenty formal notifications to organizations that do not allow internet users to refuse cookies as easily as they accept them. The list of notified entities includes international players in the digital economy and various public bodies. The deadline for compliance will be 1 month, and pecuniary penalties of up to 2% of the respective billing may be applied in case of non-compliance. This is the first campaign of verifications and corrective measures since the end of the period granted to players to adapt their websites and applications to the new cookies rules. According to the Authority, similar actions will be carried out in the coming months, with the theme being one of the priority areas of control of the CNIL in 2021.
Netherlands
Dutch authority fined CP&A for privacy violations related to employee health information
The Dutch Data Protection Authority (AP) imposed a fine of 15,000 euros on the maintenance company CP&A for having committed violations in the handling of employees’ health data. CP&A implemented a system that requested details in the event of an employee’s absence, causing health data to be processed beyond what was proven to be necessary. The company’s records contained highly sensitive information about the physical and/or mental health of the employees, such as names of illnesses, specific complaints and pain indications. By knowing a person’s physical and emotional state, an employer can make judgments or decisions that can have a big impact on employees’ lives. In this sense, the Authority highlights that there is no need for an employer to process all of this information, a situation that led to several violations of the protection of personal data.
Italy
Italian Authority released document with guidelines and clarifications for DPOs
What is the actual role of the Data Protection Officer (DPO)? What qualifications and what kind of professional experience should they have? When is it incompatible with other positions or can it generate conflict of interest situations? These and many other questions will be answered by the Italian Authority with a document that will address the designation, position and functions of the Data Protection Officer (DPO) in the public sphere, through the website www.gpdp.it. The need for clarification was necessary because, three years after the full application of the GDPR, there are still several uncertainties surrounding this important figure, mandatory for the public sector. The DPO is an essential reference to ensure a correct approach to data processing, especially now that public administrations are increasingly pressured by the challenge of “digital transformation”. An experienced and competent DPO, capable of carrying out his duties with autonomy of judgment and independence, in fact represents, even in the current period of health emergency, a fundamental resource for the Administrations and a valid contact point for the Authority.
Green Certificate: Italian Authority sent a formal notice to the Campania region
The Italian Authority has adopted an instrument whereby it formally alerts the Campania Region that the vaccination and recovery certification system (Green Certificate), promoted by the Region as a necessary condition for the use of numerous services, violates privacy legislation. Based on the investigation initiated by the Authority, it was found that the initiative lacks an appropriate legal basis. Provisions of this nature, which condition personal rights and freedoms, are only admissible if provided for by appropriate national legislation, and cannot be determined by regional decree. In addition, this decree went beyond the indications previously defined by the “Reopening Decree”, which already presented specific critical issues communicated by the Authority to the Government. The use of smart cards was also envisaged as a “vaccination certificate issuance system”, without specifying the controllers, who could access and use the information, or who could verify the validity and authenticity of the certificates. Thus, according to the Authority, the project violates the principles of the EU Regulation on the protection of personal data, such as the principles of lawfulness, data quality, transparency and privacy by design.
Mexico
Starting on June 18, children and teenagers in Mexico will be able to participate in the “Contest to be a Comisionada y Comisionado Infantil” and be part of the “Pleno Niñas y Niños 2021”, promoted by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) and by the National System of Transparency, Access to Public Information and Protection of Personal Data (SNT), through the Guarantee Agencies of the Federative Entities. The objective of the contest is to promote the importance of privacy and the protection of personal data among the youngest, as part of civic education for exercising the right to the protection of personal data. Children and adolescents of Mexican nationality, aged 10 to 12, who can prove that they are attending the current school year, must present a video with a duration of 3 to 5 minutes, in which they present their arguments and ideas on any issue related to privacy, protection of personal data and childhood.
On World Internet Day, the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) promoted a joint effort to guarantee the country’s more than 80 million users safe access to the network, especially in view of the fact that the pandemic has increased its use, consolidating the Internet as an indispensable means of keeping society informed. As Authority for the right to the protection of personal data, INAI has implemented a series of actions to help users protect their privacy on the Internet. In this regard, during the commemoration, the Authority invited people to consult the recommendations, tools, microsites and guides that it had developed for this purpose. This is because, according to INAI, to maintain privacy on the internet, it is essential to have a minimum control over the flow of your data, which are collected through web pages, applications or any type of software that allows the storage of information.
Data Protection at Universities
First Steps Guide for Adapting Public Defenses to the LGPD
BIONI, Bruno; ZANATTA, Rafael; KITAYAMA, Marina.
The Data Privacy Research Association has released a document that addresses the main aspects to be considered by the Brazilian Public Defenders in the process of conforming to the General Data Protection Law (LGPD). The guide was developed based on observations of over a year of the project with the public agencies. Initially, the authors emphasize that the objective of the Guide is not, and could not be, to propose an absolute ‘step by step’ of the measures that a Public Defender’s Office should adopt to adapt to the LGPD. In fact, all the research work that supports the document is based on the premise that it would not be possible to deliver a ready-made model that would suit the complex and multiple realities of different Brazilian Public Defenses. For this reason, the Guide is an invitation to reflect on the use of data, bringing ideas and methodologies so that the Defenders themselves understand what is compatible with their reality, resources, needs and objectives. In this way, the document covers considerations of different natures and depths: from the perspectives and challenges that motivate its elaboration, to historical and structuring descriptions of the data protection and the LGPD, passing through practical issues of execution of an adaptation project.
Empowering Digital Users Through Design for Privacy
PARRILLI, Davide M; HERNÁNDEZ-RAMÍREZ, Rodrigo.
The article, which appeared in the Perspectives on Design and Digital Communication II collection, discusses the challenges and limitations of privacy by design as an effective tool to protect users’ privacy. According to the text, the EU data protection legislation requires all products, services, or systems that process personal data to be designed following a “privacy by design”. However, the authors contend that privacy by design does not have solid foundations to sustain privacy outside of its legal definitions, and it may only work as a legal compliance tool. Therefore, the text points to the need to build a designerly understanding of privacy, suggesting a definition of privacy by design based on a universally acceptable ethical framework, with the aim of creating a common concept of privacy for design and for designers. Based on the notion of privacy for design, the paper supports creating a new design discipline to enhance users’ and citizens’ privacy: design for privacy.
Data Protection in the Brazilian Legislative
Proposed bill to provide for the use of Artificial Intelligence Systems
The Bill 1969/2021, proposed by Deputy Gustavo Fruet (PDT/PR), creates a law to provide principles, rights and obligations in the use of artificial intelligence systems. The Bill, in addition to proposing initial concepts and principles applicable to providers that develop artificial intelligence systems, brings considerations about certain practices, prohibiting the use of AI systems that aim to exploit the vulnerabilities of specific groups of people, whether due to age or physical/mental condition. Another highlight is that the project also determines the prohibition of the AI system use, by the Government, with the purpose of “assessing or classifying the reliability of natural persons based on their social behavior or through mechanisms that result in a social scoring system of rewards and punishments”.
Data Protection in the Brazilian Judiciary
This is an appeal filed by the Public Ministry (DF) in Public Civil Action No. 0736634-81.2020.8.07.0001 against SERASA S.A. Based on the General Data Protection Law (LGPD), the 2nd Civil Panel of the Court of Justice of the Federal District and Territories (TJDFT) unanimously confirmed the injunction previously granted and maintained the suspension of the commercialization of the personal data of millions of consumers by Serasa Experian. In November 2020, the Court granted the MPDFT an anticipation of protection and prohibited Serasa S.A. from selling such information; however, the company appealed the decision. The public civil action was filed by the Special Data Protection and Artificial Intelligence Unit (Spec), after the Unit identified that Serasa Experian sold, for the price of R$ 0.98 per registered person, personal information such as name, address, CPF, telephone numbers, location, financial profile, purchasing power and social class, for advertising purposes and for companies interested in attracting new customers. It is estimated that the company sells the personal data of more than 150 million Brazilians. In fact, the situation is even more serious, as demonstrated by the MPDFT, because Serasa Experian has a legal basis for the processing of data of this nature only for credit protection purposes; those permissions do not include the uses indicated by the investigation.
In REsp 1.806.792/SP, the Superior Court of Justice (STJ) recognized the illegality of the “SIM card” swap technique (“SIM” being the English acronym for Subscriber Identity Module, commonly referred to in Brazil as a “chip”) for criminal investigation purposes. According to Minister Laurita Vaz, unlike telephone interception (Law No. 9.296/1996), under which the police investigator acts as a mere observer of conversations between the intercepted target and third parties, in the swap of the enabled chip the agent of the state has the possibility of acting as a participant in conversations, being able to interact directly with the interlocutors, send new messages to any contact stored on the cell phone and, in addition, delete WhatsApp messages with complete freedom and without leaving any traces. Thus, the judgment ratified the argument brought by the Court of origin, noting that “in the case of a measure that excepts the guarantee of the inviolability of communications, telephone and telematic interception must take place within the strict limits of the law, and it is not possible to extend the hypotheses or create a different procedure”, which prohibits the use of the aforementioned technique.