Here you will find the discussion of the 34th EDPB Plenary, the report on international data transfers after Brexit following the invalidation of the Privacy Shield, the EDPB report on cryptography, and the reference frameworks published by CNIL on data processing in the health sector.
Data Protection at Authorities
Croatian Personal Data Protection Agency – Croatia
At the meeting, members of the European Data Protection Board stressed that, according to the judgment, the EU and the US must adopt a complete and effective structure that ensures that the level of data protection in the USA is equivalent to that guaranteed in the European Union. The Board pointed out that it intends to make a constructive contribution and help to create a new framework that is fully in line with the GDPR. In addition, it noted the obligation of the competent supervisory authorities to suspend or prohibit transfers of data to a third country under the standard contractual clauses should the authority find that the clauses are not respected in that third country.
During the meeting, the authority's representatives analyzed the technical functionality of the application's components in order to assess its compliance with the GDPR, as well as with the guidelines and opinions of the European Data Protection Board on contact tracing. In addition, continued cooperation was agreed, i.e. the Ministry of Health and the related authorities will keep working together on application development and on monitoring/verifying compliance with the GDPR.
In Brazil, the Coronavirus SUS app, from the Ministry of Health, has just been launched. The app uses Bluetooth technology and follows a decentralized data processing model.
Office for Personal Data Protection – Czech Republic
The authority recalled that, according to Articles 5 and 24 of the GDPR, the controller is always responsible for the processing of personal data. In this sense, it has a duty to guarantee, and to be able to demonstrate, that the processing is carried out in accordance with the GDPR. The authority stated that, from a data protection point of view, it is unacceptable to argue that the controller uses the information system of an external supplier and therefore bears no responsibility for the processing.
Datatilsynet – Denmark
The Commission published the information to clarify the legal situation after the transition period for the United Kingdom's departure from the European Union. The document outlined standard data protection clauses and pointed out that, pursuant to Article 46 of Regulation 679/2016, personal data may be transferred on the basis of binding corporate rules, which in turn require the approval of the competent supervisory authority. Also in accordance with the Regulation, the information recalled that the transfer of personal data may also be based on codes of conduct approved under Article 40 of the Regulation, together with binding commitments from the controllers and processors in the third country.
The authority audited several systems in order to verify that the company had sufficient procedures to ensure that personal data were not stored for longer than necessary for the purposes for which they were collected. During the process, the authority found that a particular system contained a large amount of personal data that should have been deleted according to the established deadlines. The system contained approximately 500 thousand customer profiles. As a result, the company was fined DKK 1.1 million.
The Danish authority took a decision in a case in which three secondary schools reported a personal data security breach relating to the MaCom system, whose operator, acting as a processor, passed on some of the students' answers to researchers from the Department of Computer Science at the University of Copenhagen for the development of anti-plagiarism programs. In the decision, the authority established that MaCom acted in violation of the data protection rules by transmitting extracts from the answers to the researchers without having received instructions to do so. Finally, the authority found that answers to school assignments can be considered personal data, as they are an expression of the respondent's thought, judgment and critical sense.
The authority took a decision in a case in which the Region of Southern Denmark reported a personal data security breach. The breach involved unauthorized access to the names, social security numbers and pregnancy-related information of 365 people. In the decision, the authority expressed serious criticism of the lack of the necessary risk assessment and testing during the development of an IT system, as well as the lack of documentation of the breach and the deficiencies in notifying the affected data subjects. The decision also clarified how the failure to detect and document a security breach can affect the controller's ability to comply with GDPR rules.
European Data Protection Supervisor – EDPS
The authority stressed the importance of new governance mechanisms establishing a clear legal basis for the processing of personal data, as well as specific rules for accessing and sharing information, especially when the personal data being processed are sensitive. In addition, it recommended that adequate safeguards exist to ensure compliance with the principles of data minimization and purpose limitation, and with the right of data subjects to be informed when data are collected and for what purposes they will be used. The authority stated that it supports the idea of structuring, through partnerships, joint efforts between police authorities and the private sector in the fight against money laundering and terrorism financing, provided that these exchanges have a solid legal basis and comply with data protection requirements.
The report deals with the workshop held by the Internet Privacy Engineering Network (IPEN) on "the state of the art of cryptography and its role in protecting privacy and personal data". The event was designed to build a better understanding of why encryption should be used and what one needs to know to use it correctly. Professor Carmela Troncoso, principal researcher on the DP3T project (a decentralized approach to contact tracing), shared her experience of using cryptography for purposes beyond the confidentiality of transmitted or stored data. The participants highlighted the diverse uses of the technology, such as allowing data sets to be compared without gaining access to their content and guaranteeing that data subjects cannot be linked to actions or messages, and pointed out that there is a clear need to invest more in understanding and analysing cryptographic technologies.
CNIL – France
CNIL has created a reference framework for the management of routine processing in medical practices and two reference frameworks for managing data retention periods, in order to facilitate compliance by healthcare professionals. The reference framework allows healthcare professionals to bring the processing of personal data used for the management of medical practices into compliance with the GDPR. The framework, however, is not mandatory. The controller may choose not to follow its recommendations if, for example, it identifies another legal basis for the processing, provided that the choice is justified and made under its own responsibility. Some basic rules have been clarified, such as the identification of legal bases, and new obligations related to the compliance process have also been incorporated, in particular with regard to maintaining a record of processing activities. As for the frameworks on data retention periods, the objective is to support the actors, in an operational manner, in identifying and determining the appropriate retention period for each processing operation. One of the frameworks covers data processing in the health field and the other covers processing for research, study and evaluation purposes in the health field.
The authority recalls that codes of conduct are among the compliance tools provided by the GDPR and allow an industry to support the compliance of the professionals involved through practical and operational recommendations. The association representing the professionals must organize the monitoring of the code after its approval. To this end, the GDPR envisages the intervention of a third party, previously accredited by the data protection authority, to carry out the monitoring task. In order for a monitoring body to fulfill this function, the French authority established the following requirements: (i) independence of the body and absence of conflicts of interest; (ii) an adequate level of expertise of the auditors; (iii) specific security measures; (iv) transparent handling of complaints; (v) regular control procedures; and (vi) procedures for the adoption of sanctions and other corrective measures.
Garante per la Protezione dei Dati Personali – Italy
Stanzione pointed out that "the advent of new technologies marked a true anthropological revolution, but also a social, cultural, political and economic one. As with any 'disturbing' phenomenon, the risk to be avoided is that of an eternal search, by law, for a technique almost unattainable in terms of speed and depth of evolution. The key to the governance of innovation, however, is precisely the guarantee of the principle of technological neutrality on which the GDPR is based, which allows its continuous adaptation to the material to be regulated."
European Data Protection Board – EDPB
The document contains information on the content of the decision, its implications for transfer tools other than the Privacy Shield, issues related to the other transfer tools provided for in Article 46 of the GDPR, and the possibility of transferring data from the EU to the USA on the basis of the derogations provided for in Article 49 of the GDPR (such as the necessity of the transfer for the performance of a contract between the data subject and the controller, or important reasons of public interest), among other issues.
From 2015 to 2019, the company held sweepstakes and, for that purpose, collected personal data from the participants, including contact details and health insurance affiliation. AOK used the data for marketing purposes and obtained consent from some of the participants, but approximately 500 participants had their data used for another purpose without having given consent. In addition to the fine, technical and organizational measures were adopted to ensure that the company complies with the GDPR.
State Data Protection Inspectorate – Lithuania
The authority said there had been an incident with a high impact on the security of personal data held by the state enterprise. The incident exposed real estate registration data, CNPJ records, marriage contracts, mortgage registrations, bailiff information systems, residence registration and declaration information systems, and electronic health services. The authority said it is currently reviewing the notifications received and assessing the actions to be taken and the scope of the investigation.
ICO – United Kingdom
The guidance contains recommendations on best practices and technical measures that organizations can use to mitigate the risks caused or exacerbated by the use of AI. Simon McDougall, vice president of innovation and regulatory technology at the ICO, said that "technology that uses AI is characterized by fast-moving innovation and evolution and we will continue to evolve with the guidelines to keep up with it." The guidance will help organizations reduce risks from a data protection perspective by explaining how the principles established by the GDPR apply to AI projects, without losing sight of the benefits that these technologies can offer.
The authority recommended, in line with the guidelines published by the European Data Protection Board (EDPB), that everyone who makes international transfers should take stock of the transfers they make and react promptly to the measures and guidelines that have been made available. It is also important to carry out a risk assessment to determine whether there is sufficient protection within the local legal framework, whether the transfer is to the United States or elsewhere. Both the ICO and the EDPB are working on specific guidelines for international data transfers in light of the decision of the Court of Justice of the European Union invalidating the Privacy Shield.
Data Protection at Universities
The article presents a mapping of the literature on ethics in artificial intelligence in healthcare and summarizes the current debates, identifying open questions for future research. The article concludes that ethical issues can be (a) epistemic, related to mistaken, inconclusive or inscrutable evidence; (b) normative, related to an unfair outcome; and (c) related to traceability. The article also points out that ethical issues are divided into six levels of abstraction: individual, interpersonal, group, institutional, and social or sectoral.
The article aims to discuss how the concept of privacy applies to the virtual environment and how technologies have enabled the development of new forms of intimacy and practices such as revenge pornography. The article makes a comparative study of the legislation and emblematic cases of Brazil and the United States, in order to evaluate the effectiveness of the instruments existing in both countries for protecting victims and redressing the damage caused by intimate exposure on the Internet.
Data Protection in the Brazilian Legislative
On July 29, Federal Deputy Rejane Dias of the PT presented Bill 3988/2020, which amends the Maria da Penha Law (on combating domestic and family violence against women) and the Law on Access to Public Information to remove, from transparency portals and official websites, the otherwise mandatory disclosure of the name and position of public servants who are covered by protective measures ordered by the Judiciary under the Maria da Penha Law.
On July 20, Federal Deputies Perpétua Almeida of the PCdoB, Professor Marcivania, Renildo Calheiros, Jandira Feghali, Daniel Almeida, Alice Portugal, Orlando Silva, Márcio Jerry and others presented a bill on the creation of an open-source virtual public platform for distance learning, to be used by public and private basic education networks to develop distance education for students and teachers.
On July 29, Federal Deputy Dagoberto Nogueira of the PDT-MS presented a bill that amends Article 10 of the Marco Civil da Internet to require internet application providers to demand proof of adulthood from any user requesting registration for any of their services. The document presented may be an identity card, work card, professional card, passport, functional identification card, military identification document or other public document that allows identification.
Data Protection in the Brazilian Judiciary
Judge Carlos Alberto Martins Filho ruled in case 0422384-32.2019.8.07.0016 against Facebook Serviços Online do Brasil LTDA, in proceedings in which the company is accused of violating consumer privacy through unauthorized access to personal data extracted from its social network and subsequent fraudulent requests made via WhatsApp. The judge found that compensation for the resulting losses was appropriate, since there was a security weakness in the account activation process on the WhatsApp platform. Activation may or may not be done with "2-step verification" using a PIN. PIN verification only occurs if the user has enabled it on their own account; otherwise, and particularly if the user is unaware of the feature, their information is exposed to greater insecurity. In this sense, the judge held the platform responsible for the violation of the personal information contained in the user's account and ordered the company to compensate for the resulting losses.