Hello! In the 23rd edition, we highlight the decision of the STJ on access to location data, the comment by Professor Laura Schertel on the recognition, by the STF, of data protection as a fundamental right and the EDPS guidelines on segmentation of social media users.
Data Protection at Authorities
Autorité de protection des données – Belgium
Through its judgment in Case C-311/18 (known as the “Schrems II” judgment), the CJEU invalidated European Commission Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, based on the access to and use by US authorities of data transferred from the EU to the US under US government surveillance programs, which do not comply with the principle of proportionality. On the other hand, the CJEU declared European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries valid. However, the CJEU clarified that if the standard data protection clauses are not or cannot be respected in that country, and if the protection of the transferred data required by Union law cannot be guaranteed by other means, the controller established in the EU must itself suspend or terminate the transfer. If it does not, the national authorities should do so if they consider it necessary.
Commission for Personal Data Protection – Bulgaria
At its 37th Plenary, held on September 4, 2020, the European Data Protection Supervisor (EDPS) adopted Guidelines on the concepts of controller and processor under the General Data Protection Regulation, in addition to Guidelines on the Segmentation of Social Network Users. Since the entry into force of the Regulation, questions have arisen as to the extent to which these concepts have changed, in particular with regard to joint controllers and the obligations of processors. The guidelines consist of two main parts: one explaining the different concepts and the other giving detailed guidance for controllers, processors and joint controllers. The guidelines include a diagram that provides additional practical explanations. The Guidelines on the concepts of controller and processor under the General Data Protection Regulation were made available for public consultation, which runs until October 19, 2020.
The Office for Personal Data Protection – Czech Republic
The document explains how to find an overview of the countries considered safe in terms of the level of protection provided, in the section on transfers based on a European Commission decision on the adequate level of protection of personal data. It also answers questions about how the authority will act in the face of the Privacy Shield decision, stating that Article 4 of Commission Decision 2010/87 on contractual clauses gives the authority the power to prohibit, or temporarily or permanently suspend, transfers of data based on standard contractual clauses in specific cases where the transfer could harm the rights of individuals in connection with the processing of their personal data.
The authority published on its website the document of the Council of Europe, which summarizes the basic tasks of States in the field of human rights and the main limits of their powers in establishing anti-pandemic measures. The area of protection of personal data is one of the areas discussed. The document’s objective is to provide governments with a set of tools to face the current health crisis in a way that respects the fundamental values of democracy, the rule of law and human rights.
Datatilsynet – Denmark
Based on a complaint, the Danish authority expressed serious criticism that the processing of personal data by NCC Danmark A/S did not occur in accordance with the rules of the General Data Protection Regulation on the processing of personal data and sensitive personal data and that the NCC has failed to fulfill its duty to inform the data subject about the processing. The company had dismissed an employee and a case was pending in the Labor Court with allegations of undue behavior at the time of dismissal. In an internal briefing sent by e-mail to several company employees, NCC exposed personal information such as name, reason for dismissal, previous employment relationship and union membership. The authority concluded that the processing of NCC personal data in the email did not take place in accordance with GDPR rules, as the company did not show a legitimate interest in reporting on the rejection of complaints and the previous employment of the claimants.
In view of the increase in COVID-19 infections, health authorities encouraged restaurants, cafes, etc. to keep a voluntary record of the names and contact information of customers, so that the record can be used for later contact tracing if one of the customers turns out to be infected. The authority gave six tips for respecting the protection of personal data when collecting such data: (i) it must be the customer’s individual choice whether to record their information, and that choice must be genuinely voluntary, that is, there should be no inconvenience to the customer for declining; (ii) it must be made clear to customers what is registered, what the purpose of the registration is and for how long the data is stored. If the restaurant uses, for example, an online reservation system, it must also indicate whether the reservation information can be used for contact tracing; (iii) only the necessary information should be registered, usually name, contact information and the time the customer spent at the restaurant; (iv) it must be ensured that unauthorized persons do not have access to the registered information; (v) the information should not be used for other purposes; and (vi) the information should be deleted on a continuous basis.
European Data Protection Supervisor – EDPS
The European Commission launched two public consultations, on its Communication “A European strategy for data” (the data strategy) and on its “White Paper on Artificial Intelligence – A European approach to excellence and trust”. According to the article, AI, like any other technology, is a mere tool and must be designed to serve humanity. Benefits, costs and risks must be weighed by those who adopt a technology, especially by public administrations that handle large amounts of personal data and whose growing adoption of AI has not necessarily been accompanied by an assessment of its likely impact on individuals and society. The article is in favor of the idea of a moratorium on automated facial recognition, but also, and mainly, on fingerprints, DNA, voice, keystroke patterns and other biometric or behavioral signals.
CNIL – France
After several attacks, the French authority published recommendations specifically for platforms that use the Elasticsearch search engine: (i) establish authentication mechanisms before granting access to the data; (ii) configure firewall and connection filtering rules; (iii) encrypt communications; and (iv) disable or restrict script execution.
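The following is an added illustration, not CNIL’s own material: two versions of an Elasticsearch node configuration file (`elasticsearch.yml`), the exposed one typically found in the incidents CNIL refers to and a hardened one that maps each of the four recommendations to a setting. It assumes an Elasticsearch 7.x node with the bundled security module; the interface address and certificate paths are placeholders.

```yaml
# elasticsearch.yml (weak): the shape of most exposed clusters
network.host: 0.0.0.0                   # listens on every interface, reachable from the Internet
xpack.security.enabled: false           # no authentication: anyone who can connect can read or delete indices
xpack.security.http.ssl.enabled: false  # REST API served in plaintext
# script.allowed_types left at its default: inline and stored scripts are both accepted

---
# elasticsearch.yml (hardened): one setting per CNIL recommendation

# (i) authentication: enable the security module; users and roles are then created
#     with elasticsearch-setup-passwords / the security API, and every request must carry credentials
xpack.security.enabled: true

# (ii) connection filtering: bind only to the private interface (placeholder address),
#      and pair this with a host firewall rule that admits 9200/9300 solely from the
#      application servers and the other cluster nodes
network.host: 10.0.1.15

# (iii) encryption: TLS on the REST API and on node-to-node transport (placeholder paths)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12

# (iv) script execution: refuse inline scripts sent in requests; allow only stored scripts,
#      and only in the contexts the application actually needs
script.allowed_types: stored
script.allowed_contexts: score, update
```

A quick check that (i) took effect is an unauthenticated `GET /` against port 9200, which should now return 401 rather than the cluster banner.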
In its white paper, the authority explains the challenges of this technology in order to offer a new and as complete a view as possible. It is based on the authority’s work on the topic since 2016, in both compliance and research. In addition to this analysis, CNIL presents good practices for designers, application developers, integrators and also for organizations that wish to deploy voice assistants in shared locations, emphasizing the need for transparency and for the security of devices designed to respect the GDPR and the privacy of individuals.
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – Germany
The NGO None of Your Business (noyb) filed 101 complaints against the use of Google Analytics and Facebook Connect by European companies after the announcement of the Schrems II decision. The complaints were addressed to national and state data protection authorities, five of which are German. As to content, the complaints concern whether Google and Facebook may transmit personal data to the USA through the products mentioned and, therefore, whether their use on European providers’ websites is lawful.
Data Protection Commission – Ireland
The authority recalled the principles that must be followed in this type of data processing, such as: (i) minimizing the amount of data that is collected; (ii) transparency with customers about the reason for collecting the data; (iii) secure storage of information; (iv) limitation of the purpose for which the data was collected; (v) deletion of contact details when it is no longer necessary to maintain them for purposes of contact tracing.
Datatilsynet – Norway
The authority noted that the Norwegian Directorate of Health used location-based SMS notification to warn travelers of the increase in COVID-19 in certain regions and of changes in travel recommendations that may lead to quarantine. Location-based SMS notification was also used in other contexts by municipalities, both before and during the pandemic. The service can be used, for example, to count at an aggregate level how many people are in a given geographic area. The service used by the Directorate of Health and some municipalities is provided by the company Everbridge Norway AS, which in turn has agreements with telecommunications operators. In other words, several parties are involved in location-based SMS notification, and the investigation will, among other things, identify who is the controller of the personal data that the notification services entail.
ICO – United Kingdom
Swansea CPS Advisory Ltd was fined £130,000 for making over 100,000 unauthorized direct marketing calls to people about their pensions. According to John Glen, Economic Secretary: “Unsolicited social security calls are the most common method used to initiate social security schemes, which can steal the savings that people struggle with and ruin lives. That’s why we ban them. Today it should serve as a warning to others that unsolicited pension calls are unacceptable, and those who break the rules will be held responsible.”
Among the tips for companies in different sectors that use personal data are: (i) incorporating the principles of data protection and information rights into the product from conception is a market advantage, encouraging customer confidence and reducing the risk of enforcement action; (ii) placing individual rights at the center of product development makes it easier to uphold them; (iii) education is key: anyone who wants to process personal data must be aware of their obligations under the law; (iv) it is important to adopt a privacy by design and privacy by default approach; (v) companies must carry out a DPIA; (vi) it is also important to clearly frame the problem being solved, define the legal basis and only then decide what personal data, if any, needs to be collected; (vii) consider the use of synthetic data: when testing a product, anonymization and pseudonymization techniques are available to protect individuals in large data sets, and synthetic data can help mitigate risk if it adequately reflects real-world data; (viii) if the product uses AI, companies must know their obligations.
Data Protection at Universities
The purpose of the material is to present the positions of the Coalizão Direitos na Rede for applications and campaigns, content platforms and social networks, in addition to the Electoral Justice and the Electoral Public Ministry. The recommendations were organized into three thematic axes: combating disinformation, tackling hate speech and political violence, and protecting personal data.
The article traces the evolution of the subjects of data protection and net neutrality through the meetings of the Internet Governance Forum (IGF), both in the understanding of the concepts and in the practices adopted, highlighting the importance of multi-stakeholder discussions. To this end, it selects the main issues discussed during the 2010s that significantly involve the dynamics between government and the private sector. The technology giants Google and Facebook are highlighted for their central roles in collecting and processing personal data on a global scale, as well as for their influence on net neutrality, that is, the principle that the content transmitted to the user is the same for everyone who accesses their services, without any discrimination.
The commentary intends to analyze the general outlines of the jurisprudential framework in four parts. First, briefly presenting the specific case that gave rise to such a decision and highlighting the existing discussions about Provisional Measure 954/2020. Second, highlighting the historical significance of the decision by recognizing a fundamental right to the protection of personal data and analyzing the arguments presented in the votes cast. Third, seeking to list initial guidelines regarding the contours of this fundamental right, as well as the effects arising from its recognition. Fourth, explaining the minimum and necessary guidelines for the eventual limitation of this fundamental right.
Data Protection in the Brazilian Legislative
The Bill, proposed on September 15 by Dep. Fed. Lauriete, of the PSC of Espírito Santo, amends Law 8.212/1991 to require the Institute (INSS) to notify workers about the payment of contributions made by their employer. The Bill points to the need for workers to update their registration information with the INSS, but it neither proposes models of communiqués nor touches on the subject of privacy and protection of personal data. The Bill is currently in Plenary.
Data Protection in the Brazilian Judiciary
In the appeal in Writ of Mandamus No. 62143/RJ, the first-instance decision ordering the identification of users in a given geographic location for the purposes of a criminal investigation was challenged. Minister Rogerio Schietti Cruz pointed out that, in the case in question, there would be no breach of confidentiality, since the interception of communications differs from what the first-instance judge had ordered, and that, in any event, secrecy is not an absolute right. Denying the appeal, the Minister stated that “the breach of the confidentiality of stored data, on its own or in association with other personal data and information, does not oblige the judicial authority to indicate in advance the persons being investigated, not least because the primary objective of this measure, in the vast majority of cases, is precisely to provide the identification of the user of the service or of the terminal used.”