In this edition we highlight the guidelines for anonymization published by the French Authority, the assessment carried out by the Dutch Authority on sharing telecommunication data to combat the pandemic and the decision by the São Paulo Court of Justice to maintain the use of the SIMI-SP system
Data Protection in the Authorities
Autorité de Protection des Données – Belgium
The authority fined a social network of international reach by 50,000 euros after examining the platform’s “invite contacts” function and concluding that data related to the user’s contacts were collected and stored, in addition to invitations being sent to people added by the user. The official points out that the social network did not use any legal basis when processing the data of third parties, which made the processing illegal. Twenty-three European data protection authorities were consulted prior to the decision.
Office for Personal Data Protection – Czech republic
The authority points to the need to carry out a proportionality test before the publication of personal data of public officials. The Radio provided the applicant with data on salaries and other surcharges, but deleted employees’ personal data. The authority assessed that this was the correct procedure, according to the principles of necessity and proportionality.
According to the authority, if the measured temperature is not recorded in connection with a name or other data that allows the employee to be identified, the practice will not be classified as processing of personal data. It also concludes that, in the event of the processing, it can fit into the legal basis of the legitimate interest of the employer, taking into account the hygiene and anti-infectious measures necessary to combat the pandemic.
Datatilsynet – Denmark
The Danish authority fined DKK 50,000 for the company which, upon receiving a request for access to the user’s own data, excluded from its database all the information of the user in question, thus preventing him from knowing which data specifically the company held. The Director of the authority stated that “when a controller deletes information about the citizen in connection with a request for access, it illegally excludes the citizen’s ability to verify that his fundamental right to data protection is being respected. It is not an expression of good practices in data processing “.
The report points out that one of the main misconceptions of the authorities is that they do not adequately document the focus of supervision and its planning. In addition, few inspections were completed according to plan. Finally, the report criticizes the late guidance, as the Danish authority specifically published guidelines only after the entry into force of the GDPR. It was considered inappropriate that the guidelines were not ready before that date.
Andmekaitse Inspektsioon – Estonia
The statement deals with situations related to video cameras that are not equipped with a biometric data processing program. The authority states that, in the case of stationary cameras, it is only possible to film the area of your own home, and in this case, it is not necessary to inform anyone about it, as long as the only purpose is personal use, any other use being prohibited, such as publications on the internet. In the case of cameras installed in condominiums, the authority points to the need to assess whether all other security measures have been exhausted and the installation of the cameras is inevitable to maintain security in space. In addition, cameras should never be aimed at private doors, only for collective spaces. Finally, the authority states that the recordings cannot be used for any other purpose and real-time monitoring is not allowed.
Office of the Data Protection Ombudsman – Finland
CNIL – France
In the article, the authority differentiates anonymization from pseudonymization and points out that in anonymization there is, in fact, the potential for reusing data without harming individuals’ right to privacy. The authority explains how anonymization should take place, advising that (I) identify the information to be maintained according to its relevance; (II) remove the elements of direct identification and the values that could allow an easy re-identification of individuals; (III) distinguish important information from secondary or useless information. The authority also puts the possibilities of randomization and generalization as methods of anonymizing personal data.
The authority points out that the implementation of an examination monitoring system constitutes the processing of personal data, regardless of the technology used, by video, photography, remote monitoring in real time or later, with or without the use of algorithms, etc. The authority recommends that in the case of video monitoring, the privacy of the people filmed must be respected and it is recommended that the student connect from an isolated room. Processing must have an established legal basis, preferably consent. The principles of purpose and proportionality and relevance of monitoring should be followed and data should have a limited retention period, in addition to an obligation to ensure the security of stored data.
Data Protection Commission – Ireland
The authority says that data breaches involving e-mail are usually linked to human error, through unintentional disclosures, and therefore proposes recommendations to verify that the appropriate recipient has been selected before sending an e-mail and whether the appropriate attachments have been selected. The authority still shows when it is appropriate to use the blind copy (Bcc) and copy (Cc) tools.
Garante per la Protezione dei Dati Personali – Italy
The authority explains that information related to the worker’s diagnosis or family history cannot be dealt with directly by the employer, but only by the occupational physician. However, the employer can process data related to the judgment of the adequacy of the worker’s return to the work performed, as well as any prescriptions or limitations that the competent doctor may establish. The authority also affirms that serological screening promoted against specific categories of workers at risk of contagion, such as health workers, can only be carried out freely and voluntarily.
Autoriteit Persoonsgegevens – Netherlands
The authority points out that, in practice, it is impossible to anonymize the data so that it remains usable. These are also particularly sensitive information, relating to the location of people at all times of the day and, therefore, it is necessary to be much more careful. The report also explains that the effectiveness of the use of telecommunications data must be proportional to the invasion of privacy, and it should be clear why less invasive alternatives are not enough to fight the virus.
Datatilsynet – Norway
The authority fined Nkr 3 million for the municipality that failed to comply with the requirements set by the authority for communication solutions between school and home. The official said the students’ personal information, which should have been protected, was made available to unauthorized people and, in one case, a contact list with address information was distributed to parents across the school. Finally, it points out that the impact assessments that were carried out were deficient and that there was no assessment of the risk associated with the processing of information about students.
Data Protection in Universities
The article aims to provide the necessary tools to help healthcare organizations protect their users’ privacy and improve the security systems of the data they store and handle. It proposes an impact assessment method that takes into account organizational characteristics and peculiarities of the organization, so that it becomes possible to measure, in a more effective way, possible breaches of security and select the most appropriate measures for each organization. In the article, the method presented is tested in two different health organizations.
The article presents an empirical study that explores and analyzes the bias of automation in the area of consumer finance, confirming that most Americans prefer to make investment or financing decisions following the recommendations of algorithms. The article seeks to demonstrate that not having a human “second opinion” in decision-making has as a consequence the incidence of unreviewed errors that impact on various aspects of the individuals’ lives. He concludes by proposing cultural changes for institutions and individuals, so that there is encouragement for algorithmic audits.
Data Protection in the Brazilian Legislative Branch
Bill No. 2763/2020, authored by Dep. Fed. Marcelo Brum of PSL in Rio Grande do Sul, changes the Marco Civil da Internet to oblige companies responsible for providing social networking services on the Internet to condition access to these applications to the previous registration of the user’s Individual Taxpayers’ Registry. The Bill has been on the Board of Directors since May 19.
After voting in the Federal Senate, there was a highlight, to vote separately on Article 18, which deals with the delay of the entry into force of the General Data Protection Law. It was determined, by majority, that only the sanctions provided for in the Law would have its entry into force delay to August 2021, while the other articles will come into force on the scheduled date: August 2020. The Bill will now go to presidential sanction.
Data Protection in the Judiciary
Decision published on May 15, on Writ of Mandamus No. 2069736-76.2020.8.26.0000, uses the General Telecommunications Law and the General Data Protection Law to conclude that, in this case, there is no risk to the protection of personal data because only anonymized data and “heat maps” are used. Magistrate Evaristo dos Santos still denies the exclusion from the SIMI-SP system required by the petitioner, claiming that, for such, it would be necessary to identify them.