Trust as a Service: the data protection officer

I consider respect for privacy to be the main objective of personal data protection rules.

This is because privacy is the basis on which the individual freely forms and exercises his/her personality. Privacy is the intimate domain of your physical, mental, emotional and spiritual condition. It concerns only you, with exceptions. And so is the law.

The prefix “e-” is attached to more nouns every day, a consequence of entrepreneurship. I also recognize the growing importance of the processing of personal data for the full exercise of economic freedom. And so does the law.

In this sense, I interpret the processing of personal data as a lawful but risky activity. It follows that it must be managed accordingly, for all purposes. Here too, reckless, negligent or omissive management causes serious financial, reputational and regulatory consequences. And so prescribes the law.

The proposed solution to the imminent risk of a data breach is to map that risk and rigorously enforce the rules. Security through compliance effectively reduces risk. It is a daily, continuous and persistent activity. It is feasible and it has benefits.

Even in case of failure, prior compliance is evidence of good faith that the supervisory authority and the judge must necessarily take into account.

The data protection officer (DPO) is part of this context. The DPO’s knowledge of the company’s lawful processing activities, combined with the technical and precise application of the rules, reduces costs and enables new processes.

The DPO is responsible for maintaining and improving personal data protection measures, in a free and independent manner, in the interest of the law, the data subjects and the lawful activity at risk.

The DPO is also responsible for analysing new data processing activities and framing them in accordance with the regulations, for managing data protection processes, and for interfacing with data subjects, supervisory authorities and senior management.

The role is expressly provided for and recognized in the data protection regulation of the European Union (GDPR) and in the Brazilian law (LGPD). More than a function, it is a role and a service.

The European regulation requires the appointment of such an officer, or of such a service, in three cases: a) in public authorities; b) in companies whose core activity consists of regular and systematic monitoring of data subjects on a large scale; or c) in companies that process special categories of personal data on a large scale, such as data indicating membership of an ethnic, religious, political or union group, or health, medical and sexual data, for example.

Brazilian law has not specified the cases in which appointing a data protection officer is mandatory, but it expressly recognizes the role and does not set it aside.

Its mention in the law is already a clear indication that the role will be valued by the data protection authority and the courts, especially when the officer fully exercises his or her capacity to bring processing activities into conformity with the law.

Relying on the service of a data protection officer, apart from its intrinsic technical benefit, will be regarded as a certificate of security, reliability, quality and respect for the individuals whose personal data are being processed.

We are at your disposal for further information about this service and about data protection solutions at Thomas.prete@outlook.com.

New strategic steps on privacy and data protection in Europe

The European Union unveiled on 17 February 2021 its “Agenda for a Renewed Multilateralism”, a set of policy proposals aimed at increasing its leadership and influence in key global areas. Among seven relevant and strategic objectives, it has clearly identified the digital space as one of its priorities. The EU plans to establish rules for new digital technologies and will seek to build strategic partnerships to shape the global digital agenda. Following the EU’s leadership in framing and promoting data protection through the binding General Data Protection Regulation (GDPR), the European Commission will engage in particular in the development of normative frameworks for Artificial Intelligence and in the protection of human rights online.

As a clear strategic step, the EU also declared its support for the United Nations Secretary-General’s Road Map on Digital Cooperation, unveiled in June 2020. In essence, the UN Road Map identifies eight key areas of the digital space for priority development: connectivity and internet access for all; access to open source and digital public goods; digital inclusion; digital capacity building and training; digital human rights (in particular data privacy and protection, limits on surveillance and facial recognition, tools to curb online harassment and violence – mainly against women – and for content governance, and a clear approach and rules for artificial intelligence); digital security; digital trust; and finally global digital cooperation, allowing effective and inclusive channels for more countries and associations to participate in discussions.

It is relevant to note that Europe has been at the forefront of data privacy and data protection. The case law of the European Court of Human Rights is consistent in its interpretation of the European Convention on Human Rights, considering the right to data privacy to be contained in one’s “right to respect for his private and family life, his home and his correspondence” (Article 8). In a great step forward, the Charter of Fundamental Rights of the European Union expressly provides for the protection of personal data as a fundamental right (“Everyone has the right to the protection of personal data concerning him or her” – Article 8(1)), sets out the underlying principles that protect this right, sets the limits of data processing and adds rights for its due exercise (by establishing the right of access and also the right to rectify one’s own data in paragraph 2).

The EU’s most recent legal developments in the digital area include final negotiations on a specific Regulation – binding in nature under EU law, as is the GDPR – concerning privacy in the field of electronic communication services in the Union (the E-privacy Regulation). Its draft was presented on 6 January 2021 by the Portuguese Presidency of the EU, after failed attempts over the last two years by other Presidencies, and is currently under discussion.

Once the E-privacy Regulation is approved, it will replace the current E-privacy Directive (2002/58/EC), which relies on member state law to take effect and, to some extent, has not been able to bring uniformity of interpretation and application within the Union. The E-privacy Regulation will provide new and uniform rules for the confidentiality of communications and the processing of metadata, for the monitoring and tracking of data using cookies, and for device integrity, with an extended scope that complements the existing GDPR. This framework was indeed expected to enter into force together with the GDPR in 2018, but it has been postponed for lack of agreement.

Another relevant recent step taken in Europe towards increased personal data protection has been the 2018 modernisation of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, dated 27 January 1981, as amended by its Protocol CETS No. 223 – and then renamed Convention 108+. Convention 108 has been regarded as the landmark of data protection legislation in many European countries (with 47 ratifications) and the reference for subsequent European legal instruments, culminating in the GDPR. Its modernised version, Convention 108+, is open for signature and ratification.

Most EU regulations in this field, such as the GDPR, require extraterritorial compliance from those who offer goods or services to European Union residents. Foreign companies and individuals wishing to benefit from the European Union market will need to gain practical and professional knowledge of EU rules and will be required to adapt their practices and processes accordingly. Compliance with such EU rules is also clear evidence of sound practices and respect for personal data and privacy.

We plan to follow the developments of the E-privacy Regulation discussions and report on the key debates leading to its approval, to understand the next steps in the debate on a framework for Artificial Intelligence, and to clarify specific EU initiatives related to the UN’s Road Map on Digital Cooperation.

Brief notes on the duty of data protection in Brazil – why, who should, how and when to adapt?

The new Brazilian General Data Protection Law – in this text called the “law” to facilitate reading – is already partially in force. It originates from the European General Data Protection Regulation (GDPR), in force in the European Union since 2018, with which it has many similarities. Our purpose here is to answer, very briefly, the most objective questions about the law in order to give the reader an introduction to the subject.

This law exists with the objective of increasing the security and protection of individuals’ data held by entities and professionals, in order to protect the fundamental rights of freedom and privacy and to allow the free development of one’s personality. Concretely, the law seeks to protect people’s data from unauthorized breaches, collection or exchange and from the improper use of such data, in a digital environment that is increasingly eager to collect and process information for the most diverse reasons, often beyond the control of laypersons.

It is important to clarify that natural persons who use data for professional or commercial purposes (lawyers, accountants, doctors, dentists, psychologists, body therapists, commercial representatives, private teachers, among others), as well as all legal and collective entities (such as limited liability companies and their subsidiaries, stores, factories and other companies, commercial representations, clinics, hospitals, churches, political parties, universities, schools, associations, etc.), must comply with the law. Very few exceptions apply.

The answer to how to adapt to the law means, above all, understanding what data is currently being processed and how it should be processed under the law. The criterion that determines how the current processing must be adapted is the nature of the data under analysis, which is directly related to one’s professional activity. This is because the law clearly establishes two sets of data to be processed differently: the most common category, “personal data”, and, contained within it as a subset and subject to even stricter processing rules, the category of “sensitive personal data”.

“Personal data” according to the law is data related to an identified or identifiable natural person. That is, everything known about a person that could allow that person to be singled out. Thus, the Brazilian taxpayer registry number (CPF), personal and professional addresses, full name and telephone number, but also particulars that support further identification, such as membership in a club or brotherhood, are personal data.

“Sensitive personal data” according to the law refers to data on the individual’s racial or ethnic origin, religious belief, political opinion, or membership of a union or of an organization of a religious, philosophical or political nature, data relating to his or her health or sexual life, and genetic or biometric data, when linked to a natural person. It follows that information from medical and dental records is to be regarded as “sensitive”, but so are photos, images, voice, iris and fingerprints, for example.

Once the typology has been clarified, the lawyer will be able to advise the client on the extent of and need for changes to processes in order to respect the duty to protect personal data and the duty to protect sensitive personal data. There will be cases in which simple protection protocols will be enough, and others that will require new internal rules, new procedures and new contracts with third parties. The client will define the investment to be made in the recommended processing and protection measures. The measures implemented must be directly related to the objective of the law, that is, to ensure the security and privacy of the data it protects.

There is still a perception – which is wrong – that the law is not really in force. This is because the supervisory authority created by the law (National Data Protection Authority – ANPD) has only recently been appointed and installed to fulfil its duties, and also because the law provides that legal reprimands and administrative fines (which may reach up to R$ 50 million) will apply only from August 2021. Nevertheless, this interpretation is dangerous and exposes persons and companies to unnecessary legal risks.

The law applies immediately to the processing and exchange of data in the private sector and to commercial and professional relations between persons and legal entities located in Brazil and abroad, and it establishes the principles, duties and rules for the processing of the data to which it refers, all currently in force. And since each duty corresponds to a responsibility (and, technically, a liability), in all cases a violation of the duty of protection required by the law, once cause and damage have been proven, will oblige compensation of the injured party.

It will be up to the judge, in the specific case, to decide whether to assign liability for the violation regardless of proof of fault on the part of the company, requiring from the injured party only evidence of the damage itself, or whether the aggrieved person will be required to provide evidence of the violation as the probable cause of the damage. In the latter case, the aggrieved person will have to demonstrate that the violation arose from an involuntary (but foreseeable and preventable) act or omission, or from negligence in the processing or a lack of the correct technique applied to the case, which, because a legal obligation was not complied with, is in turn proven to be the cause of the damage.

In practice, we foresee a tendency for a greater number of decisions to require the aggrieved person only to prove the damage suffered, exempting her from having to prove the fault of the entity that caused the damage. In fact, there are many situations in which it is relatively easy to demonstrate with documents the disclosure or leakage of previously protected data, without necessarily resorting to more complex procedures involving experts, witnesses and evidence. It should be noted that the liability arising from such a breach will, in any case, be attributed to the legal entity that controls the data, regardless of any outsourcing arrangements.

The law also allows the judge and the supervisory authority to mitigate penalties in cases of violations by entities that demonstrate fairness, compliance and good faith in their operations, that is, if, despite the violation, the entity is able to show that it had employed the best practices and systems aimed at preventing it. Timely implementation is therefore also an effective argument for mitigating financial risks.

We understand that the potential for future administrative sanctions by the supervisory authority, applicable from August 2021, should not be the sole or decisive reason for seeking compliance with the law. We recommend that entities subject to the law review – with their trusted lawyers – how they process and protect the third-party data in their custody, in order to reduce or even eliminate the risk of violating a legal duty that is already in force.