Welcome to another edition of the Bulletin! In this 46th edition, we highlight that the National Data Protection Authority (ANPD) published a Public Consultation on the draft resolution that regulates […]
Welcome to another edition of the Bulletin!
In this 46th edition, we highlight that the National Data Protection Authority (ANPD) published a Public Consultation on the draft resolution that regulates the application of the LGPD for micro and small businesses, as well as for business initiatives of an incremental or disruptive nature. The aforementioned draft resolution presents the possibility of adopting simplified and differentiated procedures, facilitating this group’s compliance with the LGPD, and will be available on the Participa + Brasil platform for the next 30 days.
Still regarding the Brazilian Authority activities, we highlight that, after a joint movement involving the Administrative Council for Economic Defense (Cade), the Federal Public Ministry (MPF), the National Consumer Secretariat (Senacon) and the ANPD itself on the new policy of Whatsapp privacy, the company is committed to meeting the recommendations previously made. Therefore, among the main points of attention that Whatsapp must take into account are: (i) the adjustment of the Privacy Notice for Brazil, so that it reflects practices of transparency at levels compatible with what already occurs for users in the European Union; (ii) update of the WhatsApp Business Terms; (iii) preparation of impact reports and other documents requested by ANPD; (iv) systematization of internal control mechanisms; among other points.
Finally, regarding the latest events in the Judiciary, we emphasize that the Superior Court of Justice (STJ) dismissed a Special Appeal that dealt with the act of disclosing Whatsapp’s private conversations screen. In this sense, third parties can only have access to WhatsApp conversations with the consent of the participants or judicial authorization, since, when bringing public knowledge to a private conversation, in addition to the breach of confidentiality, the violation of legitimate expectation is configured, as well as to the privacy and intimacy of the issuer, being possible the liability of the one who made the disclosure if the damage is configured. Thus, it was decided that the illegal disclosure would generate the duty to indemnify.
We wish you a great reading!
Bruno Bioni, Mariana Rielli e Júlia Mendonça
Data Protection at Authorities
Brazil
The National Data Protection Authority (ANPD) published on Monday, August 30, 2021, the Public Consultation on the draft resolution that regulates the application of the LGPD for micro and small businesses, as well as for business initiatives of an incremental or disruptive nature that declare themselves to be startups or innovation companies, pursuant to art. 55-J, item XVIII of the law. The consultation will be available on the Participa + Brasil platform for the next 30 days. The public hearing was scheduled for September 14 and 15, 2021. The draft resolution presents the possibility of adopting simplified and differentiated procedures, facilitating the compliance of these groups with the LGPD and contributing to the dissemination of the data protection culture personal. Access the file with the resolution draft.
After the joint recommendation – issued by the National Data Protection Authority (ANPD), the Administrative Council for Economic Defense (Cade), the Federal Public Ministry (MPF) and the National Consumer Secretariat (Senacon) – on the new privacy policy of the WhatsApp messaging application, these four bodies, in a joint and isolated manner, held meetings with WhatsApp representatives, so that the measures they deem pertinent to the rights of the holders of users are effectively adopted. At the beginning of the negotiation table, WhatsApp agreed to suspend, for ninety days, the deadline for acceptance of the new Terms of Service and defined that no user would have their account suspended or deleted within this period. Approximately three months after the recommendation, the company presented commitments to comply with several points of the recommendation and ANPD’s technical note, as well as technical details for its feasibility. After a new technical note from ANPD, WhatsApp signaled that it intends to meet the required points, especially: (i) the adjustment of the Privacy Notice for Brazil to reflect transparency practices, at levels compatible with what it already does for Union users European; (ii) update of the WhatsApp Business Terms; (iii) preparation of impact reports and other documents requested by ANPD; (iv) systematization of internal control mechanisms; between others.
Argentina
Argentine Authority made recommendations for safe online shopping
During 2020, the COVID 19 pandemic caused online commerce to grow exponentially. The Argentine Chamber of Electronic Commerce (CACE) states that sales grew 124% compared to 2019 and sales reached more than $905 million pesos. Likewise, 1,284,960 people who previously did not buy online did so in 2020 and joined this new way of consuming. Because of this, the Argentine Authority has made some recommendations to be observed in every transaction that is made online: ‘’(i) The page where you buy must be verified. This can be confirmed if the website has a padlock on the left side of the web address. (ii) Do not respond to emails that ask you to fill in your personal data. Emails are one of the ways in which data that affects your privacy can be collected. (iii) Read the website’s terms and conditions to find out what uses will be made of your personal data. Companies must ask for your consent to process your personal data in writing or other similar means. In addition, companies must inform you in advance and in clear language about the purpose, consequences, recipients and, if stored in a database, the name and contact details of the controller. In case of non-compliance with any of the aforementioned recommendations, the Argentine Data Protection Authority emphasizes the possibility of filing a complaint with its board.
Denmark
Danish Authority pointed out that the Danish Immigration Service may receive a fine
The Danish Data Protection Authority notified the Danish Immigration Service to the police and recommended the imposition of a fine of DKK 150,000, as the Authority assesses that the agency did not comply with the requirements for an appropriate level of security with regard to protection of personal data. On August 25, 2020, the Authority initiated proceedings against the Ministry of Immigration and Integration when it became aware, through media coverage, of a possible registration error in an IT system associated with the Udrejsecenter Kærshovedgård (Danish Immigration Service) could have had consequences for the rights and freedoms of individuals. After analyzing the case, the Danish Authority concluded that the processing of personal data by the Immigration Service was not in accordance with the appropriate security rules, which could pose serious risks to the rights of the holders, which culminated in the recommendation to apply the aforementioned traffic ticket.
Netherlands
Dutch authority granted license for financial institutions to share information about fraud
The Dutch Data Protection Authority (AP) has granted more than 160 financial institutions a license to record fraudster data and share it with each other in an incident warning system under specific conditions. Fraudsters are often active in multiple institutions. Therefore, banks and insurance companies can now warn each other about the matter, exchanging fraud information. The conditions for data sharing are defined in the new Incident Alert System (PIFI) Financial Institutions Protocol, which contains rules that banks and insurance companies must comply with to track and exchange information about incidents, such as identity fraud or fraud banking help desk (spoofing).
México
INAI, IPN and ENBA signed an agreement on access to information, transparency and data protection
The National Institute of Transparency, Access to Information, Protection of Personal Data (INAI), the National Polytechnic Institute (IPN) and the National School of Library and Archival Science (ENBA) signed a general collaboration agreement with the purpose of undertaking joint actions and projects related to access to information, protection of personal data, document management, active transparency and archives. This agreement makes it possible to work in a coordinated manner to promote a culture of transparency in government actions, socialize the right to access information and promote accountability to society. At the virtual event celebrating the agreement, INAI President Commissioner Blanca Lilia Ibarra Cadena stated that the relationship between the academic sector and transparency must be close, harmonious and meaningful, since without valuable contributions from higher education institutions and the university community, it is not possible to lay the foundations to promote a culture of full and effective transparency.
Registration was opened to participate in the work of the Global Privacy Assembly 2021 (GPA), to be held in Mexico City, from October 18th to 21st, with the theme “Privacy and Data Protection: an approach focused on the human being”, whose purpose is to establish standards to ensure adequate protection of the human right to privacy and protection of personal data. The National Institute for Transparency, Access to Information and the Protection of Personal Data (INAI) is the host authority for this international event, which will bring together more than 130 data protection and privacy authorities from 80 countries. The objective is to discuss and analyze the coexistence between the development of new information technologies and the right to protection of personal data, in addition to positioning Mexico as a world reference in the matter. Due to the health crisis context, GPA will be held in a hybrid format, that is, with face-to-face and virtual activities, taking advantage of the use of new technologies to remove physical distance barriers and make cooperation and exchange of ideas on the subject possible among the participants.
United Kingdom
The Information Commissioner’s Office (ICO) has approved the first criteria of the UK data protection certification scheme. Certification was introduced by the UK General Data Protection Act as a way to help organizations demonstrate compliance with data protection rules and, in turn, instill confidence in the people who use their products, processes and services. Certification works by providing a framework for organizations to follow, which gives customers assurance that they are adhering to strict standards necessary to ensure safety. ICO approved the criteria for two protocols, which will now be implemented. The first is ADISA, where IT service specialists have developed a standard that ensures that personal data is properly handled when IT equipment is reused or destroyed. The second is the Age Verification Certification Scheme (ACCS) in which criteria have been developed for two procedures, the first related to age assurance and the second to children’s online privacy. Thus, organizations that meet the standards set in these certification schemes can create a competitive advantage and demonstrate that they have the highest level of commitment to data protection with their customers, partners and investors.
ICO Blogpost: As the Age Appropriate Design Code enters into force- what’s next?
The transition year is over and the Age Appropriate Design Code goes into effect on September 2nd. It is an innovative code that creates a better Internet for children, ensuring online services that can be accessed by children with respect for their rights and freedoms regarding their personal data. As expected, this is already having a great impact on the aforementioned services. For example, Facebook, Google, Instagram, TikTok and others have made significant changes to children’s privacy and safety measures recently. As a pioneering code on the world stage, it is also having a global influence. Members of the US Senate and Congress urged major US gaming and technology companies to voluntarily adopt the ICO Code standards for children in the US. ICO has also identified that, currently, some of the biggest risks to children’s audiences come from social media platforms, video and music streaming sites, and gaming platforms. In these sectors, children’s personal data is being used and shared to bombard them with personalized content resources and services. This can include inappropriate advertisements, unsolicited messages and friend requests, incentives that erode privacy, encouraging kids to stay connected. Therefore, the ICO highlights the concern with a series of physical, emotional and financial damages that can be generated from this use of data, which makes the adoption of changes urgent, many of which are provided in the Age Appropriate Design Code.
Data Protection at Universities
Proteção de Dados: contextos, narrativas e elementos fundantes
BIONI, Bruno e outros
The book “Proteção de Dados: contextos, narrativas e elementos fundantes” is a collection of 20 articles written by Bruno Bioni and several specialists in the field. The new book is curated by writings over 10 (ten) years of data protection research. In all, there are 20 (twenty) articles, many of which are co-authored with people who are references in the field. According to a review of the work done by Mariana Rielli, the Project Leader of the Associação data Privacy de Pesquisa, the multiplicity of approaches and related themes that are the object of Bruno Bioni’s interests and studies, as well as the research association he directs, are reflected in the wealth of the collection recently made available to the public, something that did not go unnoticed by Minister Ricardo Villas Bôas Cueva, who prefaced the book and highlighted the variety of topics covered and connected in this, which is a great contribution to the matter of privacy and data protection, especially in terms of building a robust legal dogmatics. Divided into two parts, the first – context and narratives – and the second – founding elements – give the work its name. To download the ebook for free, just go HERE.
Old Facts, New Beginnings: Thinking with Arendt about Algorithmic Decision-Making
HERZOG, Lisa.
More and more decisions in our societies are made by algorithms. What are such decisions and how do they compare to human decision making? In this text, central characteristics of algorithmic decision-making will be analyzed with three key elements – plurality, birth and judgment – based on Hannah Arendt’s political thinking. In “Arendtian practices”, human beings unite as equals, exchange arguments and make joint decisions, sometimes bringing something new to the world. With algorithms and automated decision making taking over more areas of life, opportunities for Arendtian practices are threatened. Based on the text, there is also a danger that algorithms will be in charge of decisions for which they are inadequate, or unable to provide an effective result. Finally, according to the author, the analysis of the contrast with Arendt’s thinking can be a starting point for outlining environments in which algorithmic decision-making should or should not be welcome.
Data Protection in Legislative
The Draft Bill 2758/2021, proposed by Veneziano Vital (MDB/PB), aims to change the Brazilian General Data Protection Law to provide for the composition of the National Council for the Protection of Personal Data and Privacy (CNPD). The Bill amends article 58-A to modify the composition of the CNPD, determining that there are 2 (two) vacancies for civil society entities with activities related to the protection of personal data and 1 (one) vacancy for a lawyer appointed by the Federal Council of the Order of the Lawyers of Brazil. Currently, the Draft Bill is awaiting an order from the President of the parliament..
Parliament approves in 2nd round of PEC 17/19 which includes the protection of personal data in the Constitution
On Tuesday (31) the Parliament approved the Senate’s Proposal for Amendment to the Constitution (PEC) 17/19, which makes the protection of personal data, including in digital media, a fundamental right and refers privately to the Union the competence to legislate on the subject. The proposal was approved in two shifts in the form of the substitute for the rapporteur, Deputy Orlando Silva (PCdoB-SP), and should return to the Federal Senate due to the changes made. In the second shift vote, there were 436 votes to 4. In the first shift, there were 439 to 1. According to the proposal, the Union will also be responsible for organizing and supervising the protection and processing of personal data, under the terms of the law. Finally, we emphasize that the Data Privacy Research Association contributed directly to the elaboration of the project, assisting Deputy Orlando Silva.
Data Protection in the Brazilian Judiciary
This is a Special Appeal judged by the 3rd Panel of the Court of Appeals (STJ), whose purpose is to decide, in short, whether the public disclosure of messages exchanged via WhatsApp characterizes an unlawful act capable of giving rise to liability for any damages arising from the publicity. According to the judgment, in cases where the content of conversations sent via WhatsApp may, in theory, be of interest to third parties, there will be a conflict between privacy and freedom of information, making it necessary to carry out a judgment of weighting. In this aspect, it must be considered that electronic messages are protected by secrecy because their content is private; that is, restricted to the interlocutors. Thus, continuing the argument, the Panel pointed out that it is certain that when sending a message to a specific recipient or recipients via WhatsApp, the sender has the expectation that it will not be read by third parties, let alone disclosed to the public, whether through the network, social or media. Thus, when making a private conversation public, in addition to breaching confidentiality, a violation of the legitimate expectation, as well as the privacy and intimacy of the issuer, will be configured, making it possible for the person who made the disclosure to be held liable if the damage is configured. Thus, considering that the illicit dissemination of screenshots of conversations generates the duty to indemnify, the Panel dismissed the special appeal.
