In this edition we highlight the opinion and recommendations on the StopCovid contact tracing application, the Dutch authority’s note on the use of facial recognition in supermarkets, the Bill that prohibits telecommunications operators from selling geolocation data and the Bill that establishes rules for the use of pseudonyms and anonymous profiles on the internet.
Data Protection in the Authorities
Autorité de Protection des Données – Belgium
The authority states that temperature measurement can be covered by the GDPR if it involves the processing or storage of personal data and, if so, must fulfill all the obligations provided for by law, ensuring data security. It most likely should carry out an impact assessment and must always have an adequate legal basis for processing. If there is no type of storage and the measurement is made only for the purpose of direct reading and without registration, then the activity does not qualify as processing of personal data.
Datatilsynet – Denmark
The report contains, among other things, an overview of academic performance, financial results and expectations for the year 2021. In addition, the document makes a statement of achievement of targets for 2019, comparing the previous year’s report with the goals achieved in 2019.
Office of the Data Protection Ombudsman – Finland
After receiving complaints from customers, the authority prohibited the publication of customer identity numbers on invoices, pointing out that the practice does not comply with data protection legislation and that there is no justified need for the practice. The official pointed out that GDPR prohibits the unnecessary use of personal identity codes in printed documents.
CNIL – France
The authority explains that, while the app is in use, the smartphone stores a list of temporary nicknames for the devices it has “crossed” in the last 14 days. That way, when a user is diagnosed with COVID-19 they can choose to send their contact details to a central server. Then, the people whose paths the diagnosed person has crossed are notified of the potential contagion so that they can perform a test and be quarantined. The authority also explained what its role is, recommending that the responsibility for processing the data should be entrusted to the ministry responsible for health policy, that there should be no negative consequence to the option of not using the application, that the implementation of the application should be limited over time and that proximity histories should be kept for a limited time. It states that each person is free to use the application or not and that anonymity must be guaranteed when using it.
Data Protection Commission – Ireland
The Irish authority sent a draft decision to other interested supervisory authorities regarding Twitter’s compliance with Article 33 of the GDPR, after reporting a controller data breach. The draft decision in question, not yet published, has several significant developments for major technology companies, such as Facebook and WhatsApp, which are also being investigated under other notifications. The decision on the Facebook Ireland case, which also deals with Article 33 and Article 60 of the GDPR, will be published on June 16. No publication date has been confirmed for the Twitter International Company decision.
Garante per la Protezione dei Dati Personali – Italy
The authority claimed that the applications have a lot of power over citizens’ data and that the use of self-managed systems has been occurring with little guarantee for privacy and data protection. Antonello Soro stated that the lack of appreciation of privacy by public opinion allowed applications to be implemented without fundamental guarantees being respected. The authority says that today applications must follow the guidelines published by the Italian authority and the Council of Europe, in order to have voluntary participation. They must also use Bluetooth rather than geolocation data, and their use must respect the principle of proportionality, in addition to all other principles provided for by the GDPR.
The Italian authority authorized the Ministry of Health to start processing data through the “Immuni” contact tracing application. Based on the impact assessment sent by the Ministry, the processing was considered proportional, since measures were foreseen to sufficiently guarantee respect for the data subjects’ rights. The authority requested that users be adequately informed about the operation of the algorithm used to assess the risk of contagion and determined that the transparency and purpose of data collection and processing be guaranteed.
Data State Inspectorate – Latvia
The authority stated that the means of processing personal data for the applications are determined by the Center for Disease Control and Prevention, that the application is downloaded free of charge, and that its sole purpose is to detect new cases of the disease, allowing manual contact tracing to be done with greater speed. The authority says that the application was developed not to store geolocation data. It works by activating Bluetooth; under certain conditions of distance and duration of contact, the devices are then notified.
Autoriteit Persoonsgegevens – Netherlands
The authority informed the supermarket, through a trade association, about the rules regarding the use of facial recognition cameras. The authority recalls that the use of sensitive data such as biometric data is, in principle, prohibited. For the authority, there are only two exceptions that allow the use of facial recognition: the filmed persons have given explicit consent, or facial recognition is used for security or authentication purposes to serve an “important public interest”.
Office for Personal Data Protection of Slovak Republic – Slovakia
The opinion sets out some basic questions that application operators should ask themselves regarding contact tracing before implementing the use of the application. Among the questions are: (i) have you taken an approach designed specifically to protect privacy? (ii) did you conduct a privacy impact assessment? Is this assessment up to date? (iii) have you addressed security, safeguarding and the need for centralized and decentralized models? (iv) did you have an open and constructive dialogue with the competent data protection authority? (v) are you transparent with users, including providing a clear privacy statement? (vi) are you transparent in a way that facilitates public debate? (vii) is your contact tracing application temporary and will you delete your data as soon as you no longer need it? (viii) do you intend to keep the data for research of public interest? If so, what privacy guarantees have been created and is anonymity foreseen in the design phase?
Datatilsynet – Norway
The authority says that, according to its privacy statement, the company World Citizen Report processes its information about, among other things, the data subject’s infection status and test history. The authority requires investigation into how the company, which has ambitions to process large amounts of health data, has ensured compliance with GDPR.
Data Protection in Universities
In the article, the authors propose questions and answers for analyzing whether the use of a particular contact tracing application is justified, and infer four main principles for its use: the use must be necessary, proportional, scientifically valid and have a time limit. The authors point out that, in practice, there will be “trade-offs” that depend on the laws, values, attitudes and standards in different regions, but that it is extremely important that everyone follows the principles for the ethical use of contact tracing applications.
The article takes advantage of the recurring assertion among privacy advocates and activists that current privacy protection measures are insufficient to tackle the systemic threats presented. It discusses the ways in which protection attempts are at risk of producing results that paradoxically diverge from and distort the normative objectives they intend to achieve: informational self-determination, empowerment and personal autonomy. The article argues that the increasingly individualistic and unilaterally liberal normative ideals create complicity with the structure of platform capitalism and that, therefore, they promote practices of digital use that are invasive to privacy. Therein lies the paradox.
Data Protection in the Brazilian Legislative Branch
Presented on May 28 by Federal Deputies General Peternelli, of the PSL; Carmen Zanotto of Cidadania; General Cirão of the PSL; Dr. Luiz Antonio Teixeira Jr. of PP; Dr. Soraya Manato of the PSL and Colonel Armando of the PSL, Bill No. 2970/2020 provides for the sharing of information in public and private health establishments and determines, among other measures, that sharing occurs through software and/or a tool under the responsibility of the Ministry of Health that automatically retrieves the data contained in the programs used by health establishments, with data such as medical records, number of hospitalizations, causes of hospitalizations, among others, being shared.
Presented on May 28, Bill No. 2969/2020, authored by Federal Deputy Nilto Tatto of PT, alters the General Telecommunications Law to prohibit telecommunications operators from selling geolocation data, even if they are anonymized. The project proposes that the disclosure of individual information will depend on the user’s express and specific consent and that the provider will be able to disclose aggregated information to third parties about the use of its services, as long as it does not contain user location data.
Presented on June 1, Bill No. 3044/2020 by Federal Deputy Paulo Ramos of the PDT alters the Brazilian Civil Rights Framework for the Internet and the General Data Protection Law to establish rules for the use of pseudonyms and anonymous profiles on the internet. The Bill prohibits anonymity, and proposes that the provider will only be obliged to make the records available, when associated with personal data or other information that may contribute to the identification of the user or terminal, through a court order. It adds the use of a pseudonym as a lawful activity on the internet, and the identification of the natural person linked to the pseudonym may be required in cases of ongoing investigation.
Data Protection in the Judiciary
Judge Alcides Malossi Junior granted a precautionary measure in writ of mandamus 2098076-30.2020.8.26.0000 against a court decision that interrupted the obligation to provide information by Google, Google Ireland Limited, Google Brasil Internet LTDA, in a case of extortion via the internet. The decision stated that it was impossible to provide information because it was from another jurisdiction, since the IP identified led to the locality of Ireland and that, being under the scope of the GDPR, a breach of confidentiality would not be in compliance. The judge accepted the appeal and reversed the decision, stating that the computer used to carry out the crime generated random IPs and that the perpetrator was not necessarily located in Ireland. In addition, the magistrate stated that the right to confidentiality of telegraphic correspondence and communications, data and telephone and telematic communications is not absolute and that, in the case of a judicial measure in a preparatory process essential to the collection of evidence necessary for the instruction of the criminal investigation, the breach of confidentiality would not only be possible, but necessary.