Hi,

In this 26th edition of the Bulletin, we highlight the various positions of the National Data Protection Authorities, in particular the guidelines published by the European Data Protection Board on Privacy by Design and by Default; two academic articles, one on collective protection in the field of personal data and another on the compulsory gratuity of digital services as an element of flexibility of the right to privacy; the Bill that deals with the admissibility of digital evidence; and, on the same subject, the decision of the São Paulo Court of Justice holding that it is not illicit evidence to submit, in the course of a proceeding, messages exchanged in WhatsApp groups, even without a judicial decision ordering it.
We also highlight the opening of two inquiries against Facebook by the Irish authority, alleging that there were several complaints about the processing of data on children and adolescents on the Instagram platform. Also, in this edition, we have the investigation opened by the Italian authority against Telegram, after receiving reports of sharing deep fakes involving intimate exposure of women developed using the “DeepNude” software available on the platform.
The note published by the German authority on German security law also demonstrates the urgency of discussing how the rules and policies related to public intelligence and security must respect the principles of personal data protection in order to preserve the democratic environment. Professor Ulrich Kelber, president of the authority, called for a moratorium on the German security law until it could be technically discussed what the proposed traceability would represent for the country: “There is a risk that the extent of state surveillance in practical application will exceed what is tolerable for a democracy.”
In Brazil, three of the five seats on the Board of Directors of the National Data Protection Authority were filled by military officers. The moment calls for attention and caution regarding what this may represent in terms of the agency’s selection of priorities and its positions, and the possible confusion between the discipline of personal data protection and guidelines more closely connected to cybersecurity, intelligence activities and national security.
We wish you all a great reading!
Bruno Bioni, Iasmine Favaro & Mariana Rielli
Data Protection at Authorities
The president commented at the international conference IS2 – Information Security Summit that it is not enough to wait for a global solution. The aim should be to achieve the highest possible degree of self-sufficiency in the technical domain of data protection. “The self-sufficiency mentioned will give us control over how our data is actually treated and ensure that deleted data will not have a backup version stored anywhere. Unfortunately, the State faces persistent security problems in the management and construction of ICT systems, which has been confirmed by many BIS or SAO annual reports in recent years,” said the president. He also highlighted that cybersecurity is becoming increasingly relevant under the current measures against the COVID-19 pandemic, now that working from home has become commonplace. He said that this practice has proved to be a major security challenge not only for small and medium-sized companies, which may not be fully prepared for such a reality, but also for the state administration. At the same time, the president reaffirmed, there is a significant danger with regard to the State’s large public databases.
The Global Privacy Assembly (GPA) is a global forum that aims to promote cooperation between national data protection authorities, for example through the adoption of reports and resolutions on topical issues, which are prepared by several working groups before the annual meeting. The GPA has recently focused on the data protection issues that the handling of the coronavirus outbreak has given rise to. In this context, a task force was created that brought together best practices and worked on capacity building in the member states. At the meeting, the GPA adopted resolutions on, among other topics, the management of the COVID-19 outbreak, artificial intelligence and facial recognition. A resolution was also adopted to allow the GPA to play a more active role in raising global awareness of data protection issues.
The authority pointed out that controllers should not encourage citizens to send sensitive or confidential personal information over an unencrypted Internet connection and should therefore provide secure communication solutions for such transmissions. The authority also said that public authorities and companies should, as controllers, ensure, based on an assessment of the risk to citizens’ rights, that adequate security measures are in place. This means, among other things, that public authorities and companies are responsible for establishing secure transmission solutions that address the risks identified for citizens, not only when they send information to citizens, but also when they collect citizens’ information in order to process a case or provide a service.
The authority stated that, since borders between countries are not as clearly marked in the digital world as in the physical world, attention must be paid to security in the processing of cross-border data with third countries, including the USA, and in this context the authority expressly recommended prioritizing Estonian service providers. In addition, the authority stated that the European Court of Justice’s Schrems II judgment did not change the principles of cooperation between the US and Europe, but limited the possibilities for data transfer, which in turn affects the use of authentication solutions provided by US service providers.
The authority is investigating an intrusion into the data system of a psychotherapy center called Vastaamo. Its advice to those affected is:

(i) Report to the police if you notice that the leaked information has been disseminated or if you have received an extortion message related to the hacking of the data system. Do not reply to the extortion message or pay the extortionist. When reporting the offense, record accurately all information about the sender and the time the message was received. Save and store the email messages, other messages and any other evidence you have received.

(ii) Monitor your bank transactions. If you notice transactions in your bank account that you did not make, file a complaint with your bank. Your bank’s customer service will provide further instructions.

(iii) Prepare for the possibility that the leaked information may resurface later. Think ahead about how you will react to such a situation. If you know where your information was published or processed, you can ask the controller of the data file in question to delete the information about you.
The government announced the deployment of “TousAntiCovid”, an application that replaces “StopCovid”, on which the CNIL voted on April 24 and May 25, 2020, and which aims to allow contact tracing in risk situations where users are unable to guarantee compliance with distancing and prevention measures (wearing a mask, keeping social distance, etc.). The French government’s announcement pointed out that the structural elements of the system are not affected by the changes to the application. Thus the protocol called “ROBERT”, designed with the objective of minimizing the use of data, remains the one used by “TousAntiCovid”. Like “StopCovid”, the application is based on voluntary participation and allows contact tracing through Bluetooth technology, without using the geolocation of individuals. “TousAntiCovid” offers new features to the user: the application now includes updated information on the circulation of the virus, on the one hand, and, on the other, links to other digital tools that already exist and are used by health authorities (for example, the map of testing locations or the exceptional travel certificate). CNIL notes that the “TousAntiCovid” application will be subject to regular changes. The authority will therefore remain vigilant in examining these future developments.
Professor Ulrich Kelber criticizes the Federal Government’s plans to allow intelligence services to monitor messaging platforms, pointing out that the existing legal framework does not permit the introduction of such intrusions into privacy. The professor says: “The courts showed a clear need for reform in the laws of the intelligence services. Instead of addressing these urgent reforms, new monitoring options have been created. I again call for a moratorium on the security law and an independent scientific review of existing laws.” The authority sees several gaps in the current bill, such as the failure to specify the scope of information collection. As a result, there is a risk that telecommunications monitoring becomes a source of surveillance. In the professor’s opinion, this violates the constitutional requirement of separation between police authorities and intelligence services: “There is a risk that the extent of state surveillance in practice will exceed what is tolerable for a democracy.”
The authority pointed out that it has actively monitored complaints received from individuals in this area and identified potential concerns regarding the processing of children’s personal data on Instagram that require further analysis. The Instagram platform belongs to Facebook Ireland Limited (“Facebook”), which is the controller of the personal data processed via Instagram. The first inquiry will assess Facebook’s use of certain legal bases for the processing of children’s personal data, seeking to determine whether the company has an adequate legal basis and whether it employs protections and/or restrictions on the Instagram platform to protect these children’s privacy and data. The inquiry will also consider whether Facebook fulfills its obligations as a controller with respect to transparency requirements. The second inquiry will focus on the Instagram profile and account settings and the suitability of these settings for children. Among other issues, the inquiry will examine Facebook’s adherence to GDPR requirements regarding Privacy by Design and Privacy by Default.
The Italian press reported the case of women who are victims of a certain type of “deep fake”, that is, videos and images produced by applications that transform people’s faces, voices and bodies, creating convincing fakes. Without their knowledge, women found themselves depicted undressed on Telegram after some users manipulated their photos using a computer program, derived from software called “DeepNude” and available on the platform, which uses artificial intelligence to reconstruct the appearance of the body under the clothes. The authority decided to open an investigation against Telegram. The note states that the serious damage to dignity and privacy to which the use of such software exposes people is evident, especially where minors are concerned, also considering the risk of such images being used for extortion or revenge pornography. In addition, the ease of use of this program makes anyone with a photo on the web a potential victim of deep fakes. The authority will ask Telegram for information to verify compliance with data protection rules in making the program available to users, as well as to ascertain whether the manipulated images are retained and for what purpose.
After public consultation, the EDPB adopted the final version of its Guidelines on Data Protection by Design and by Default. The main obligation enshrined in Article 25 of the GDPR is the effective implementation of the data protection principles and of the rights and freedoms of individuals by design. This means that controllers must implement appropriate technical and organizational measures and the necessary safeguards aimed at putting the data protection principles into practice and protecting the rights and freedoms of data subjects. In addition, controllers must be able to demonstrate that the measures implemented are effective.

The Board also decided to create a Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating the recurring annual activities of the EDPB’s supervisory authorities. The CEF’s objective is to facilitate joint actions in a flexible and coordinated way, ranging from awareness raising and information gathering to joint inspection and investigation actions. The objective of the coordinated annual actions is to promote compliance, empower data subjects to exercise their rights and raise awareness.
According to the authority, the background of the fine is that, between 2013 and 2019, the extracts and reports stored by the hospital, containing patient records, were kept without adequate security. The records contained information such as health history, date of birth and reason for hospitalization, among others. There was no access control on the storage area/folders where the reports were kept, nor was employee access to that information logged.
An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This failure breached data protection law and, subsequently, British Airways (BA) was the target of a cyber attack during 2018 which went undetected for more than two months. ICO investigators found that BA should have identified the weaknesses in its security and resolved them with the security measures available at the time. Addressing these security issues would have prevented the 2018 cyber attack from being carried out in this way, the investigators concluded. Information Commissioner Elizabeth Denham said: “People have entrusted their personal data to BA and BA had not taken adequate measures to keep those details protected.”
Data Protection at Universities
“This article maintains that the General Data Protection Law (Law 13,709/2018) also becomes part of the common discipline of collective actions, due to its harmonization provisions with the Consumer Protection Code and its strategic view of collective protection in the defense of the rights of holders of personal data. More than that, the argument sustained in this article is that the LGPD has absorbed part of the tradition of collective tutelage in Brazil, opening space for the protection of the rights guaranteed in the legislation to be done collectively, alongside the multiple forms of individual protection of rights.” (our translation)
The prohibition of compulsory gratuitousness of digital services as a way of protecting the personal data of consumer users and mitigating the abuse of a dominant position by two- or multi-sided platforms
CAMARGO, Gustavo.
“Digital platforms, structured as two- or multi-sided markets, where the consumer does not pay, in cash, to access them, are used daily by billions of people around the world. Driven by immense computing power, they sell people’s attention to advertisers, in complex auction systems of ultra-segmented advertising spaces, which constantly seek to individualize the target and whose precision is directly linked to the immense amount of personal data captured and associated with each person who uses them, which turns them into big surveillance machines, threatening the Fundamental Rights related to the protection of personal data. This paper presents a regulation proposal that aims to raise the level of protection of the Fundamental Rights linked to the protection of users’ personal data by prohibiting the compulsory gratuity of these services. It analyzes digital platforms from three different perspectives: a) the elements articulated in their operation: computational power, personal data, time and content of others; b) the three simultaneous positions occupied by individuals, in a circular process, when using them: consumer, supplier of raw material and product; and c) the positive externalities used by platforms to establish dominant positions in the market and even consolidate themselves as monopolies. The work also presents the limits of data protection legislation, such as the European General Data Protection Regulation (GDPR) and the General Data Protection Law – Law 13.709/2018 (LGPD) in Brazil, in addition to the need to articulate other legal mechanisms such as Consumer Law and Antitrust Law to jointly increase the effectiveness of Fundamental Rights.
Finally, it presents the regulation suggestion, whereby platforms would be obliged to provide an offer option in which the consumer would pay, in cash, to use them, prohibiting the use of personal data and users’ attention for the platform’s own purposes or those of third parties, as a way of minimizing the processing of such data and, consequently, increasing the level of protection of the personality rights of consumer users. For this, the functionalist method of procedure was adopted, with the deductive method of approach and bibliographic and documentary research as techniques.” (our translation)
Data Protection in the Brazilian Legislative
Bill 4939/2020, presented by Federal Deputy Hugo Leal of the PSD of Rio de Janeiro, sets out the guidelines of the Information Technology law and the rules for obtaining and admitting digital evidence in investigations and proceedings, among other measures. The Bill is currently before the Board of Directors. The Bill defines basic concepts such as electronic device, computer system and network protocol, among others, and proposes the following principles:
I – The fundamental right to data protection, ensured together with the appropriate, necessary and proportional use of data;
II – The guarantee that legitimately interested parties may access digital evidence under the control or at the disposal of third parties;
III – Respect for national sovereignty;
IV – International legal cooperation;
V – Guarantee of the authenticity and integrity of information;
VI – The preservation of the enterprise and its social function;
VII – Transparency of the means of processing information.
Data Protection in the Brazilian Judiciary
In Civil Appeal No. 1027067-43.2019.8.26.0361, Judge Luiz Sergio Fernandes de Souza dismissed the appeal, which alleged that sharing messages exchanged on WhatsApp with a competent body, without a judicial decision ordering it, would be illegal. The magistrate held that “Whoever participates in a group conversation on the application is responsible for what they say and post. The Internet is not a free territory where anything goes. Intimacy exists in the recess of the home itself, in the interaction with family members, and not on social networks. In fact, it is for no other reason that they are called social networks. In another respect, the Municipal Public Administration has no duty to disclose the name of the participant who sent it the content of the conversations held in the WhatsApp application.” He also cited the General Data Protection Law: “Nor can it be argued that the messages could not be shared, by a member of the group maintained in the WhatsApp application, with the Municipal Public Administration, as it is certain that the protection of personal data, governed by Federal Law No. 13,709/18, does not deal with communications established on social networks, but only with the protection of users’ personal data.”