Welcome to another edition of the Bulletin!

In this 48th edition, we highlight that the National Data Protection Authority (ANPD) held a welcoming meeting of the National Council for the Personal Data Protection and Privacy (CNPD), of which Bruno Bioni, director of the Data Privacy Research, is a participant. On the occasion, the Councilors introduced themselves and the ANPD Directors spoke about the main results of the Authority in almost a year of operation.

As announced in previous editions, the first meeting of the G7 Data Protection Authorities was held, coordinated by the ICO. The purpose of the meeting was to discuss and identify solutions to answer the most relevant issues related to the protection of personal data in the current global scenario, in particular with regard to the new problems and challenges posed by emerging technologies and the global pandemic situation. The meeting was attended by institutions that coordinate data protection strategies in Canada, France, Germany, Japan, Great Britain, Italy and the United States of America and, as guests, representatives of the Organization for Economic Cooperation and Development (OECD ) and World Economic Forum (WEF).

Finally, at the academy, we highlight the text “A Bahia está virando um laboratório de reconhecimento facial”, produced by The Intercept in conjunction with Data Privacy Research. The article analyzes the surveillance infrastructure inaugurated by the Government of Rui Costa (PT/BA), which will ensure that, in addition to Salvador, other 77 cities will gain 4,095 cameras connected in the state. Thus, in view of this situation, with the use of facial recognition cameras for public safety purposes, the main impacts for most of the data subjects are analyzed.

We wish you a great reading!

Bruno Bioni, Mariana Rielli e Júlia Mendonça

Data Protection at Authorities

Brazil

ANPD held a welcome meeting of the National Council for the Personal Data Protection of and Privacy (CNPD)

The National Data Protection Authority (ANPD) held a welcome meeting of the National Council for the Personal Data Protection and Privacy (CNPD). On the occasion, the Councilors introduced themselves and the ANPD Directors spoke about the main results of the Authority in almost a year of operation. The meeting began with the presentation of the Councilors and Counselors, who spoke briefly about their trajectory in the area. The presentations were very rich and a common element was present in all the speeches: the desire to contribute to the formation of a personal data and privacy protection in Brazil. Then, the chairman, Waldemar Gonçalves Ortunho Junior, spoke about the history and institutional advances of the Authority, as well as about the role and structure of ANPD. In turn, the Authority’s Inspector, Artur Coimbra, spoke on the topic “Conflict of Interest” and complemented his speech by indicating relevant points about the functioning of the Council. The meeting ended with the manifestation of all the Directors and Directors of ANPD, an opportunity in which the Board members were able to clarify doubts and bring contributions to the future steps of the CNPD. If you want to know all the Directors and functions, go here.

European Data Protection Board

EDPB established task force on cookie banners

During its last plenary, the European Data Protection Board (EDPB) decided to create a working group to coordinate the response to complaints regarding cookie banners submitted to various Data Protection Authorities. The working group was established in accordance with art. 70 (1) (u) of the GDPR and aims to promote cooperation, information sharing and best practices among the European Authorities. In particular, the task force aims to: (i) exchange views on legal analysis and possible infringements; (ii) support activities at the national level; (iii) streamline communication between entities.

Slovenian SA ordered a content production agency to delete a collection of 88 photos, based on Article 17 of the GDPR

A media content production agency owned a collection of 88 photos of a specific data subject, taken during the last 7-15 years, during different social events. Such photos were posted on a website and also put up for sale online. In view of this, the said holder requested his right of deletion (right to be forgotten) defined in article 17 of the GDPR, noting that he did not provide consent for the processing of his personal data, that there are no legitimate interests for the treatment, in addition to requesting its right of opposition. In turn, the company refused to end the treatment and meet the requirements, under the justification of exercising freedom of expression, for “media activities”. Upon learning, Slovenian SA, Slovenian Authority, decided that the controller should delete all photos from the site, along with the individual’s name, URL address and metadata that allowed access to the photos. For the authority, the right to personal data protection must be balanced with freedom of expression, and to justify an interference with this right, the controller must have demonstrated a strong public interest or justified reduction in the expectation of privacy. Therefore, considering that the website’s content did not contribute to the debate of social relevance, nor did it refer to an issue of public interest, the company did not demonstrate the existence of legitimate interests in the processing of data.

France

CNIL fined Société nouvelle de l’annuaire français (SNAF) for non-compliance with the rights of the holders

The CNIL fined the Société nouvelle de l’annuaire français (SNAF) in the amount of 3,000 euros for violations of the rights of various data subjects. The French Authority received sixteen complaints, between 2018 and 2019, which indicated several difficulties encountered by the holders when requesting the deletion and rectification of their personal data. The president of the CNIL then notified the SNAF to carry out the necessary adjustments with the GDPR within two months, which the company did not comply with. Therefore, the restricted committee – the CNIL body responsible for the sanctions – applied a fine of 3,000 euros to the SNAF, due to non-compliance with the rights of rectification and deletion and non-cooperation with the CNIL. The Authority highlighted that the sanction took into account the size and financial situation of the company, also emphasizing that its publicity is justified by the educational dimension of the sanctions.

Italy

Italian Authority Requests Information About Facebook’s New Smart Glasses

Two meetings were held between the Italian Authority and representatives of Facebook and Luxottica, with the aim of starting a discussion on the issues raised by the Authority involving the possible privacy implications of the use of Ray-Ban Stories smart glasses, recently introduced in the market by companies. The glasses are equipped with the “Facebook View” feature that allows audio and video recording. In recent days, the Authority has launched a formal procedure in conjunction with the competent Irish Authority (DPC-Data Protection Commission) to request a range of useful information and assess the smart glasses’ compatibility with privacy and data protection standards. During the meetings, the two companies expressed their willingness to work for the launch of informative and awareness-raising actions, with the aim of empowering both those who buy the glasses and all citizens. In turn, the Authority reserved the right to assess the effectiveness of the operational proposals that will be presented by the companies.

First G7 World Meeting of Data Protection and Privacy Authorities concluded

The first meeting of the G7 Data Protection Authorities was held, coordinated by the Information Commissioner’s Office (ICO). The purpose of the meeting was to discuss and identify shared solutions to answer the most relevant issues related to the protection of personal data in the current global scenario, in particular with regard to the new problems and challenges posed by emerging technologies and the global pandemic situation. The meeting was attended by institutions that coordinate data protection strategies in Canada, France, Germany, Japan, Great Britain, Italy and the United States of America and, as guests, representatives of the Organization for Economic Cooperation and Development (OECD ) and World Economic Forum (WEF). The Italian Authority was officially represented by its Vice President, Prof. Ginevra Cerrina Feroni. In his speech, two important themes were presented and developed, recognized in the final communiqué: (i) the reaffirmation of the centrality of the role of data protection authorities in defining the fundamental principles and criteria for the digital world, safeguarding the fundamental rights related to data protection, a role that has become even more crucial in the current pandemic emergency; (ii) the need to improve and promote the competences of data protection authorities in the complex and constantly evolving domain of artificial intelligence and the future developments and applications of associated technologies.

Ireland

DPC has initiated two investigations against TikTok regarding GDPR compliance on the handling of children’s personal data and data transfers to China

The Irish Data Protection Commission (DPC) has initiated two investigations, on its own initiative, under section 110 of the GDPR to determine the compliance of the TikTok Technology Limited (TikTok) with the requirements of that regulation. The first investigation will examine TikTok’s compliance with GDPR data protection guidelines and standard requirements regarding the context of platform settings for users under 18 and age verification measures for under 13. The second investigation will focus on Tiktok’s transfers of personal data to China and the application’s compliance with GDPR requirements for personal data transfers to third countries.

Mexico

INAI Commissioner participated in the presentation of the guideline “Data Protection as a tool to prevent digital violence”, held in Tijuana

All Internet users who have their personal data circulating online, especially children and teenagers, are the most vulnerable to cyber attacks, as information about their mood, location, intimate family photos, among others, is usually published on their networks. that makes them an easy target for cybercriminals, warned the commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Norma Julieta del Río Venegas. During his participation in the presentation of the guidance guide “Data protection as a tool to prevent digital violence”, in Tijuana, Baja California, the INAI Plenary member stated that the unpreserved use of technology can put the personal data of those who navigates on endangered networks. Thus, he asserted the importance of the considerations brought by the study of the protection of personal data and proposed a reflection: “We are not going to stop using technology, but we have this challenge: to use it, but also to raise awareness (about) the misuse of networks”.

United Kingdom

Blog: Sharing Personal Data in an Emergency – A Guide for Universities and Colleges

Starting university or continuing education can be an exciting time, but for some it can also be a difficult and anxious transition. We know that universities and colleges work hard to support students who are struggling. This means that universities often have to deal with sensitive personal information about them. And we are aware that universities are sometimes hesitant to share students’ personal data in an urgent or emergency situation, citing data protection as the issue. For ICO, this should not be the case. Simply put university staff must do whatever is necessary and proportionate to protect someone’s life. Data protection law allows organizations to share personal data in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm. To help universities and colleges feel confident that they can share people’s information legally, ICO made several suggestions for action: (i) Plan ahead; (ii) Have a data sharing agreement in place; (iii) Employee training; (iv) Access our data sharing features.

 

Data Privacy at Universities

The Rise of Digital Constitutionalism in the European Union
GREGORIO, Giovanni de.

Over the past twenty years, European Union (EU) policy in the field of digital technologies has shifted from a liberal economic perspective to a constitutionally based approach. The development of digital technologies challenges the protection of individuals’ fundamental rights, such as freedom of expression and data protection. Most importantly, this new technological framework has also enabled transnational corporations operating in the digital environment as hosting providers to perform quasi-public functions in the transnational context. These two engines led the EU to enter a new phase of modern constitutionalism (ie digital constitutionalism). This paper analyzes the path (and reasons) that led EU policy to move from a liberal to a constitutional approach to the digital environment in the last thirty years. The main objective is to describe the characteristics of digital constitutionalism as a new constitutional moment and to outline the potential evolution of EU policy in the global context. This evolution is described by three constitutional phases: digital liberalism, judicial activism and digital constitutionalism. It then analyzes a fourth phase of the approaching EU constitutionalism, based on the extension of constitutional values ​​beyond the borders of the EU and on the expression of a human-centered technological model in a global context.

Privacy and Data Protection Magazine

Universidade Europeia

After the inaugural issue, Privacy and Data Protection Magazine, Scientific Journal of the European University, continues its commitment to regular publication, with an edition in which data protection issues are addressed based on a sociological study on consumption in today’s society . In addition to classic themes, the current issue invests in the theme of artificial intelligence, either through the publication of the proposed regulation presented by the European Commission, or through the revision and expansion of works that deal with the subject..

A Bahia está virando um laboratório de reconhecimento facial

FALCÃO, Cintia e Associação Data Privacy de Pesquisa

The text, produced by The Intercept with Data Privacy Research, analyzes the surveillance infrastructure inaugurated by the Government of Rui Costa (PT/BA) in Bahia, which entered into a R$ 665 million partnership with the Oi conglomerate and Avantia, specializing in security technologies, which means that in addition to Salvador, 77 other cities gain 4,095 cameras connected in the state. Thus, in view of this situation, with the use of various facial recognition cameras for public safety purposes, the text analyzes what are the main impacts for most of the data subjects.

Data Protection in Legislative

Proposed bill to address the processing of electronic procedural data

The Draft Bill 3244/2021, proposed by Deputy Carla Zambelli (PSL/SP), aims to change Law No. 11.419, of December 19, 2006, to provide for the processing of electronic procedural data on the world wide web. The Bill, among other points, amends article 13-A to provide that the procedural electronic systems will make available the consultation of basic data of legal proceedings, ensuring the right of access to procedural information to any and all persons, “regardless of prior registration or of demonstration of interest, except for the procedure in secrecy or secrecy of justice”. Currently, the Bill is on the Parliament Board of Directors.

Approved bill that makes the use of biometrics in sporting events mandatory

The Parliament Sports Committee approved Bill 10089/18, by licensed deputy Danrlei de Deus Hinterholz (PSD-RS), which makes the installation of biometrics in sporting events mandatory to identify fans prohibited by the courts from attending stadiums. The text amends the Fan Defense Statute to include the installation of the devices among the obligations of the entity responsible for the competition. Currently, this law provides for five duties, such as providing an ambulance for every ten thousand fans and taking out personal accident insurance. The bill is being processed conclusively and will still be analyzed by the Constitution and Justice and Citizenship Commission. The text has already been approved by the Commission on Public Security and Combating Organized Crime.