Welcome to another edition of the Bulletin!
In this 45th edition, we highlight the publication of the decree appointing members to compose the National Council for the Personal Data Protection and Privacy (CNPD), also emphasizing that Bruno Bioni, founding director of Associação Data Privacy de Pesquisa, was nominated to occupy one of the seats assigned to civil society organizations. The CNPD is a consultative body created as a mechanism for the institutionalized participation of society, and its main powers are to propose strategic guidelines, provide subsidies for the preparation of the National Policy for the Protection of Personal Data and Privacy and suggest actions to be taken by the National Data Protection Authority.
In the international context, we highlight that the Luxembourg National Commission for Data Protection (CNPD) fined the company Amazon Europe Core in the amount of 746 million euros. Because Amazon Europe Core is established in Luxembourg, the cooperation procedures between authorities established by the GDPR applied and the CNPD was the competent entity to deal with the case; thus, after a collective complaint was addressed to the French Authority (CNIL), the case was referred to the CNPD. This is not, however, the first sanction applied to Amazon, given that the CNIL sanctioned the company in December of last year, together with Google, for non-compliance with the legislation on cookies, with fines in the amount of €135 million and €100 million respectively.
Finally, still highlighting the movement of international Authorities, we emphasize that the Italian Authority has been working to simplify privacy information, through the “Creative Commons” (CC) method. To this end, a Memorandum of Understanding was signed with the objective of evaluating the feasibility of creating a system, in the model that CC has for copyright, that allows data controllers to automatically generate standardized information, allowing the holders to have more knowledge about the processing of their personal data. Although the study starts from the analysis of the Italian context, the ultimate goal is to create a system to be made available in all European Member States to build a digital environment in which data protection issues are managed in a coordinated and harmonious way.
We wish you a great reading!
Bruno Bioni, Mariana Rielli and Júlia Mendonça
Data Protection at Authorities
Brazil
The Presidential Decree naming the members of the CNPD was published – Bruno Bioni was one of those chosen
The publication of the decree appointing the members to compose the National Council for the Protection of Personal Data and Privacy represents the consolidation of the formation process of the CNPD, the multi-sector consultative body of the National Data Protection Authority (ANPD). In this sense, we highlight that Bruno Bioni, founder-director of the Associação Data Privacy Brasil de Pesquisa, was one of those nominated to occupy one of the chairs assigned to civil society organizations. The constitution of the seats began when the ANPD called on society, through the publication of Notices, to form the triple lists; 122 nominations were received for the 5 published notices (see the list of nominees here). The ANPD Board of Directors drew up triple lists of members and alternates for the constitution of the CNPD and submitted them to the Minister of State, Chief of Staff of the Presidency of the Republic, for nomination by the President of the Republic. The CNPD is a consultative body created as a mechanism for the institutionalized participation of society and is part of the ANPD structure. Its composition is provided for in Article 58-A of the General Law for the Protection of Personal Data (Law No. 13.709), with 23 full and alternate members with government and civil society representatives, and its main powers are to propose strategic guidelines, provide subsidies for the elaboration of the National Policy for the Protection of Personal Data and Privacy and suggest actions to be taken by ANPD.
ANPD released a half-yearly follow-up report on the Regulatory Agenda
The National Data Protection Authority (ANPD) approved, through Ordinance No. 11, of January 27, 2021, its Regulatory Agenda for the 2021-2022 biennium. The document contains 10 (ten) priority themes, with the respective instrument to be used to materialize its regulation or interpretation by the Authority. In compliance with art. 4 of the aforementioned Ordinance, and with the objective of providing ample transparency and providing society with up-to-date information on the progress of regulatory initiatives, the General Coordination of Standardization prepared the Semiannual Monitoring Report of the Regulatory Agenda. Finally, it should be noted that all projects scheduled to start in the 1st half of 2021 were formally started and are in progress, as can be seen on the entity’s website.
Spain
AEPD announced the “2021 Data Protection Awards” to identify and reward the best practices adopted
The Spanish Authority (AEPD) recently announced the creation of the “2021 Data Protection Awards”. The award will be given in six different categories: (i) Entrepreneurship “Ángela Ruiz Robles”; (ii) Best practices for greater protection of the privacy of women survivors of gender-based violence; (iii) Proactivity and good practices for complying with the GDPR; (iv) Communication; (v) Good educational practices for the safe use of the internet by children and adolescents and (vi) “Emilio Aced” survey. The categories encompass several modalities that recognize the effort and commitment of people and projects, both from the public and private sectors. The deadline for submitting applications in all modalities is November 21st.
European Data Protection Board
At its last plenary session, the EDPB issued a dispute resolution decision based on art. 65 of the GDPR. The decision was aimed at resolving the lack of consensus on certain aspects of a position issued by the Irish Authority, as the lead supervisory authority (LSA), in relation to WhatsApp Ireland Ltd, as well as on subsequent questions raised by other concerned supervisory authorities (CSAs). In view of the divergences identified, the case was referred to the EDPB for deliberation pursuant to art. 65 (1) (a) of the GDPR, thus initiating the dispute settlement procedure. In this sense, the EDPB issued a position that addressed the merits of the objections considered “relevant and substantiated”, in line with the requirements of art. 4 (24) GDPR, and indicated that it will formally notify its decision to the supervisory authorities involved. The Irish SA (IE SA) must adopt its final decision based on the decision of the EDPB, within a maximum period of one month after the formal notification.
United States
The Federal Trade Commission (FTC) announced that Aristotle International Inc. (Aristotle) has been removed from the list of self-regulatory organizations that enforce compliance with the Children’s Online Privacy Protection Act (COPPA). Operators of websites and online services who have paid fees to this organization for the purpose of participating in its self-regulation program can no longer be considered “adequate” under the relevant legislation. Aristotle is the first organization to be removed from the FTC’s list of self-regulatory child privacy programs since COPPA came into effect two decades ago. COPPA requires operators of commercial websites and online services aimed at children under the age of 13, or general public websites that collect personal information from children, to notify parents and obtain their consent before collecting, using or disclosing any information. As part of its oversight of the Safe Harbor program, the FTC alerted Aristotle earlier this year that the agency was concerned that the organization was not monitoring its member companies sufficiently to ensure compliance with the required guidelines. After receiving an inadequate response, in addition to other developments, the FTC team announced the removal of the organization.
France
The Luxembourg National Commission for Data Protection (CNPD) fined Amazon Europe Core 746 million euros
Recently, the Luxembourg National Commission for Data Protection (CNPD) fined the company Amazon Europe Core in the amount of 746 million euros. Because Amazon Europe Core is established in Luxembourg, the cooperation procedures between authorities established by the GDPR applied and the CNPD was the competent entity to deal with the case; thus, after a collective complaint was addressed to the French Authority (CNIL) through the association La Quadrature du Net (LQDN), the case was referred to the CNPD. The CNIL worked closely with the CNPD throughout the entire procedure, in the context of the verification and analysis of the evidence obtained, as well as during the final assessment of the case. The decision is not public at this stage, due to the application of Luxembourg law, which provides that publicity only occurs after the exhaustion of appeals. It should be noted that this is not the first sanction applied to Amazon, considering that the CNIL sanctioned the company in December last year, together with Google, for non-compliance with the legislation on cookies, with fines in the amount of 35 million euros and 100 million euros, respectively.
CNIL imposed a penalty of 50,000 euros against SOCIÉTÉ DU FIGARO for violations in the use of cookies
The CNIL sanctioned the company SOCIÉTÉ DU FIGARO with a fine of 50,000 euros for the use of advertising cookies on the lefigaro.fr website without obtaining the prior consent of users. The CNIL, based on a complaint, carried out several checks between 2020 and 2021 on the aforementioned news site, which showed that when a user accessed it, cookies were automatically inserted into their computer by the company’s partners, without any consent. Several of these cookies were for advertising purposes and should be subject to the user’s consent. Based on these elements, the CNIL body responsible for applying the sanctions considered that the company had failed to comply with its privacy and data protection obligations, imposing a fine of 50,000 euros.
Netherlands
The Dutch Data Protection Authority (AP) has published recommendations for the development of so-called Smart Cities Apps. The recommendations are aimed at municipalities that collect or plan to collect data in public spaces using smart sensors and measuring equipment. The AP guidelines are necessary because cities do not always pay enough attention to privacy legislation, although this is essential for the development of the apps, since they generally carry out various operations that process citizens’ personal data. It should be noted that poorly developed applications can undermine the freedom and rights of data subjects residing in and visiting the municipalities involved, which highlights the importance of following the recommendations published by the Authority.
Italy
The processing of privacy policies can be simplified through the Creative Commons method, a system whereby the content and meaning of copyright-protected content use licenses are translated into standardized universal symbols. Therefore, continuing its action to simplify the obligations provided for in the EU Regulation, the Italian Authority signed a Memorandum of Understanding that initiates the collaboration with the “Creative Commons” (CC), an international non-governmental entity. The purpose of the Memorandum is to assess the feasibility of creating a system, in the model that CC has for copyright, that allows controllers to automatically generate simple and standardized information, allowing holders to have more knowledge about the treatment of their personal data. Although the study starts from the analysis of the Italian context, the ultimate goal is to create a system to be made available in all European Member States to build a digital environment in which data protection issues are managed in a coordinated and harmonious way.
Mexico
The Technical Committee of the 2021 Award for Innovation and Best Practices in Personal Data Protection set a deadline for the presentation of new works on the subject. The objective of the contest is to disseminate nationally and internationally best practices and innovative elements in the field of personal data protection developed in Mexico, both in the private and public sectors, at the federal, state and municipal levels, as well as to create incentives to raise the standards of personal data protection in the country. The Award is organized by the following entities: National Institute of Transparency, Access to Information and Protection of Personal Data (INAI), Institute for Legal Research (IIJ) of the National Autonomous University of Mexico (UNAM), Ministry of Economy (SE), Secretariat of Public Service (SFP), Organization for Economic Cooperation and Development (OECD), Internet MX Association (AIMX), National Chamber of the Electronic Telecommunications and Information Technology Industry (CANIETI) and the International Association of Privacy Professionals (IAPP, its acronym in English). It also has the collaboration of the National System of Transparency, Access to Public Information and Protection of Personal Data (SNT), through the Personal Data Protection Guarantee Agencies of Federal Entities, to promote and publicize the contest at the state and municipal levels.
INAI issued recommendations to protect personal data during online purchases
The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) has issued recommendations to protect personal data when shopping through electronic devices and to reduce the risk of being a victim of cyber crimes, such as identity theft and fraud. The National Commission for the Protection and Defense of Users of Financial Services (Condusef) released data indicating that in the first four months of 2021, the number of actions against possible “identity theft” grew considerably. In this context, INAI emphasizes that consumers and holders of personal data have the right to exercise, at all times, their rights of access, rectification, cancellation and opposition, in addition to making the following specific recommendations: (i) Read the Privacy Notice carefully before providing personal data; (ii) Provide only the personal data strictly necessary for the acquisition of the good or service of interest to you; (iii) Avoid shopping through connections to public Wi-Fi networks; (iv) Make sure that the website where you browse or purchase is trustworthy; (v) Be cautious with offers that are conditional on the provision of your personal data, among others.
United Kingdom
ICO has published new guidance on direct marketing and public sector
The Information Commissioner’s Office (ICO) has published a new resource to help public sector organizations understand when direct marketing regulations will apply to their procedures. The guidance is aimed at those responsible for data protection in public sector organizations. Direct marketing is broad and encompasses all types of advertising or marketing aimed at individuals, involving any type of communication, including emails, text messages, direct messages on social media, and more traditional methods such as phone calls and mail. According to Anthony Luhman, Director of ICO, if you work in the public sector, “the law does not prevent you from sending promotional messages when it is necessary for your task or duties, however there are times when direct marketing rules apply and we want to help the public sector get it right”.
Data Privacy at Universities
Proteção de Dados e o Acordo de Livre Comércio Mercosul-União Europeia: Notas sobre a Adequação da Autoridade Nacional de Proteção de Dados no Brasil
RUARO, Regina Linden; SILVA, Cecília Alberton
The advancement of new technologies, driven by the disruptive influxes of the 4.0 Revolution, provided the creation and improvement of personal data protection laws around the world. In this context, data protection authorities started to assume a very important role in orchestrating international commercial exchanges and the transnational flow of data. That said, the work seeks to respond to the following question: in what way have legislation in the European Union (“EU”) and in Latin America been regulating the protection of personal data, especially with regard to the independence and autonomy of the data protection authorities? The general objective of the research is to highlight this international context in the field of personal data protection in the EU and Latin America. Based on the delimited scenario, the specific objectives are (i) to identify the main characteristics of data protection legislation, notably the European General Data Protection Regulation (“GDPR”) and local data protection laws in Latin America; (ii) to verify the way in which data protection authorities were structured in these locations; and (iii) after the presentation of the Free Trade Agreement between the European Union and Mercosur, to analyze the case of the Brazilian National Data Protection Authority (“ANPD”).
A violação de dados pessoais na telemedicina: reparação do paciente à luz da LGPD
SCHULMAN, Gabriel; CAVET, Caroline
The intensification of data circulation, a consequence of technological innovations, challenges the legal system and puts the answers traditionally offered sub judice. In the field of health, we highlight the use of new systems that allow, in different ways, long-distance care, exams and even procedures to be carried out. This article, in view of such transformations, aims to problematize the legal consequences of telemedicine in the area of the right to damages (civil liability), in particular those associated with the protection of the patient’s personal data; to expose the telemedicine modalities; and to explore challenges and new tort law issues in relation to the protection of personal data in distance medicine. On this intersection between health and the protection of personal data, the Data Privacy Research Association recently launched the Data Viral platform, which originated from research that investigated the technologies used to mitigate risks and damages related to COVID-19, with a mapping that encompasses the mechanisms adopted by municipal, state and federal governments.
Interactive Storytelling for Children: A case-study of design and development considerations for ethical conversational AI
CHUBB, Jennifer; MISSAOUI, Sondess; CONCANNON, Shauna; MALONEY, Liam; WALKER, James Alfred.
Conversational Artificial Intelligence Systems (CAI) and Intelligent Personal Assistants (IPA) such as Alexa, Cortana, Google Home and Siri are becoming ubiquitous in the lives of most people, including children, and their implications are receiving more attention, specifically with regard to effects on cognitive, social and linguistic development. Recent advances have addressed the implications of CAI technologies for privacy and data protection. However, according to the authors, there is a need to connect and incorporate ethical and technical aspects of design into discussions. Through a case study focused on the use of CAI for storytelling for children, the article reflects on the social context involving younger people and this type of technology. In addition, the authors describe the decision-making process behind child-directed recommendations, especially involving the creative industry.
Data Protection in the Brazilian Judiciary
TJ/SP denied an appeal that asked for moral damages on the basis of the LGPD
This is an appeal in which the plaintiff seeks to reform the sentence, arguing that the inclusion of his name on one of the defendant’s platforms (LIMPA NOME) discredits his image as a consumer, as it suggests the existence of unpaid debts, impacts his credit score and can harm him in the market. As a result, he requested the recognition of the illegality resulting from the abuse of rights practiced by the defendants, the arbitration of indemnity for moral damages and the attribution of loss of suit exclusively to the defendants. In turn, citing article 7, item X, of the LGPD, the judgment highlighted that the hypothesis that authorizes the data processing, in cases involving analysis for granting credit, does not depend on the consent of the holder. In this sense, it stressed that the inclusion of the debtor’s name in the defaulting registry does not depend on authorization, requiring only prior notification (Article 43, §3 of the CDC). Thus, the prior consent of the consumer is no longer essential for inclusion in a positive record, with authorization required only to share the credit history. In these cases, the waiver of authorization takes into account precisely the interest that it is intended to protect, since “the LGPD itself recognized the existence of a legitimate interest in the processing of personal data with the purpose of risk analysis for granting credit”. However, the judgment concluded that “there is no such interest in the case of insertion of data related to prescribed debts, as SERASA S/A itself states that such data are not shared with third parties and are not used to define the credit score”.