Data processing in the electoral context, guidelines for the use of thermal cameras, investigation of the TikTok application, opening borders and interoperability of contact tracing applications, this and much more…
Data Protection in the Authorities
Autorité de Protection des Données – Belgium
After Brussels airport installed sophisticated temperature scanners in the past few days, the Belgian authority published a note questioning the legality of this type of data processing. The official pointed out that the GDPR prohibits the processing of health data a priori, there being allowed only a limited number of exceptions that can be found in Article 9.2 of the Regulation.
The authority said it is asking several questions about installation, especially on how the technology works; whether the data controllers are carrying out or have already carried out the impact assessment; and the proportionality of the installation of these smart cameras. DPA suspects that there are possible risks to citizens’ rights in relation to data protection.
Croatian Personal Data Protection Agency – Croatia
The authority points out that at least one of the following requirements must be met: (a) the interviewee consents to having their personal data processed for one or more specific purposes; (b) processing is necessary for the performance of the contract to which the interviewee is a party; (c) processing is necessary to comply with the legal obligations of the controller; (d) processing is necessary to protect the vital interests of the interviewee or another natural person; (e) processing is necessary to perform a task in the public interest or in exercising the official authority of the controller and (f) processing is necessary for the legitimate interests of the controller or third party, except when those interests conflict with the interviewee’s fundamental rights and freedoms that require the protection of personal data, in particular if the interviewee is a child.
Office for Personal Data Protection – Czech republic
Datatilsynet – Denmark
The authority criticized the Council for not deleting the former employee’s personal data shortly after consent was withdrawn and said that, with the withdrawal of consent, all personal data, image and video files of the former employee should necessarily be deleted.
The authority made serious criticisms of the data processing carried out by the municipality, since personal data were published on the official website and the municipality did not report the incident and did not inform the citizens affected by the disclosure of the personal data. Data such as name, address and information on the welfare of students at a special school were published.
Among the guidelines pointed out by the authority are: (i) live broadcast only to the extent necessary for that purpose or only during parts of the event; (ii) offer transparency on the processing of personal data, with complete information provided in advance to employees, students and family members; (iii) configure clear signs and markings about filming; (iv) if the objective is only the live broadcast, do not record or store images; (v) observe that children have special protection in accordance with the rules for the protection of personal data; (vi) be aware that specific categories of data may be processed, such as health data; (vii) restrict the access flow, using a login; (viii) implement appropriate technical measures to ensure information security; (ix) establish guidelines for dealing with the rights of data subjects, such as how to deal with an objection to streaming opposed by a data subject; (x) involve the educational institution’s data protection officer.
The authority is investigating whether the solution complies with data protection rules, pointing out that it must be voluntary, specific, informed and an unequivocal expression of the website visitor’s will. Accordingly, the authority is investigating whether the Blue Avis solution allows withdrawal of consent and whether the requirements for obtaining consent have been met.
The authority says that data sharing is important for conducting research and that access to a large amount of data is based on the premise that this is done responsibly, so that Danes can be sure that their information will be processed properly when included in research projects. In this way, the authority intends to carry out an assessment of the specific case in order to elucidate and clarify the general challenges in the rules that the researchers encounter.
CNIL – France
The authority points out that there are a large number of complaints regarding telephone contacts made by political parties, questioning the origin of the data used to contact them. CNIL stresses that the candidate must correctly inform the recipients of his political prospecting messages about how their data was collected and this information cannot be general or inaccurate and must specifically contain the origin of the data collected. The authority also points out that the files kept by the city halls cannot be used to send an electoral campaign to citizens and it is also forbidden for the leading candidate, for example, of a company or association to use files of clients or members to send messages in connection with the election campaign. Finally, the authority points to the importance of the possibility of opposing these contacts and deleting the personal data contained in transmission lists.
First, the authority states that the use of this type of technology must respect proportionality, have a limited useful life, measures of pseudonymisation and anonymisation and not represent individualized monitoring. In addition, if sensitive data is processed, such as health data or biometric information, or if the right to object is not possible, it is necessary to establish an adapted legal framework that respects articles 9 and 23 of the GDPR.
The €50 million fine filed against Google LLC was applied after complaints against the company, for lack of transparency and adequate information and lack of valid consent for advertising customization. The Council of State attested to the authority’s decision, confirming that the fundamental principles of the GDPR related to transparency and consent were correctly applied.
The structure is responsible for storing and making available to researchers the data necessary to carry out research on the pandemic. It is a tool that should make it possible to promote research, especially through techniques based on artificial intelligence, but the data used must not be identifiable a priori, so they must be pseudonymised. In this sense, the authority will analyze the necessary documents in order to observe the pseudonymization techniques that are being used in a short period of time.
Garante per la Protezione dei Dati Personali – Italy
The authority has determined that the online publication of school grades is a particularly invasive form of disclosure of personal data and does not comply with data protection legislation. The authority indicates that bulletins are published using other platforms, where the grades are not publicly available.
He says there is a frightening asymmetry in the digital economy between China and the rest of the world, pointing out that hundreds of millions of Europeans use the social network, in particular young people aged 10 to 15 years. Soro points out that the authority will start collecting information to try to reduce the asymmetry pointed out, making concrete actions against violations reported by European citizens possible.
State Data Protection Inspectorate – Lithuania
The authority notes that organizations must take into account the nature, scope, context and purpose of data processing, in addition to the risks related to people’s rights and freedoms when designing organizational and technical security measures. In addition, the authority states that organizations should conduct data protection risk assessments in accordance with GDPR and ISO standards.
Autoriteit Persoonsgegevens – Netherlands
The authority points out that, with the opening of borders, Member States may take additional measures such as testing for coronavirus at the border, mandatory medical certificate or mandatory use of applications, raising a warning that EU members continue to protect the right to privacy.
European Data Protection Board – EDPB
EDPB adopted a declaration on the interoperability of contact tracing applications, based on the guidelines already published and offering a more in-depth analysis on the main aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimization, information security and data accuracy in the context of creating an interoperable network of applications. In addition, the EDPB adopted a declaration on the processing of personal data in the context of the reopening of borders in the EU, recalling that data protection legislation remains applicable and allows an efficient response to the pandemic, while protecting citizens’ rights. It stresses that processing must be necessary and proportionate and that the level of data protection must be consistent across the EU.
Datainspektionen – Sweden
After receiving complaints, the authority determined that the cameras should be removed from the stairs and the main entrance of the condominium, since the habits, visits and social circle of the residents could be mapped. The authority states that, although this surveillance is allowed, the condominium must be able to demonstrate the pressing need for the installation of cameras, as is not the case in question.
Datatilsynet – Norway
The authority determined that all collection of personal data through an application by the government should cease and that all data received be deleted. The ban was determined after the authority considered that the processing is no longer proportional and that this is a very invasive measure to the privacy of citizens. In addition, the authority questioned the lack of freedom of choice for users, since citizens who use the applications necessarily have their data shared for analysis and research.
Data Protection in Universities
The article presents biopolitics and biopower as a mechanism in the economic order and social control, so that the relationship between biopolitics and technological evolution is represented by the unified control of the individual, based on the aggregation of one’s information. The article treats the General Data Protection Law as an inhibitor of this process, since it limits the informational power over an individual and decreases the possibility of manipulation and social control.
The dissertation deals with the idea of balancing open data and data protection as well as with the possible conflict between the development of smart cities and data protection legislation. The author examines the statement that the material scope of data protection in the EU would be overly expanded, departing from the original framework of the right to privacy. The paper then proposes a balance between the open data policy necessary for the development of smart cities and the protection of personal data.
Data Protection in the Brazilian Legislative Branch
Presented on June 15, Bill No. 3311/2020, by Federal Deputy Alexandre Padilha of PT, changes the Penal Code to make unauthorized photographic or cinematographic registration in a health establishment a crime. The project proposes an exception for health facility workers, health union representatives and professional councils, as long as the patient’s right to image is respected.
Federal Deputy Fernanda Melchionna of PSOL requested, on June 10, to the Ministry of Economy, information about the data sharing of the National Driver’s License of 76 million Brazilians, which were transferred by SERPRO to the Brazilian Intelligence Agency – Abin. On June 19, House President Rodrigo Maia approved the application, forwarding the request.
Bill No. 1494/2020, by Federal Deputy Ruy Carneiro of the PSDB, which allows telehealth care for occupational physiotherapeutic and therapeutic purposes, was approved by the Chamber of Deputies on June 18. The Law does not establish specific criteria for the security of health data.
Data Protection in the Judiciary
After the filing of an Internal Civil Appeal No. 2076403-78.2020.8.26.0000 / 5000 by the State of São Paulo against a citizen who requested exclusion from the SIMI-SP system, on June 11, Judge Cristina Zucchi revoked an injunction previously granted, under the allegation that the system makes anonymous use of geolocation data and that, therefore, it would not affect the protection of personal data. The magistrate uses the General Data Protection Law to affirm that anonymized data is not in the scope of application. Therefore, the right to be excluded from the SIMI-SP system was revoked.