Global Data Protection Compliance FY24/03

A Quarterly Roundup of Key Developments Across Continents
October 1, 2024
Written by Agnieszka Hinz

In an age where digital transformation continues to shape our world, ensuring robust data protection mechanisms is more crucial than ever. This edition of CATTS Data Protection’s Quarterly News for FY24/03 provides an in-depth analysis of the latest regulatory developments and compliance updates across multiple regions, including the European Union, Poland, the Netherlands, Spain, Mexico, India, and Brazil. As nations grapple with the challenges posed by emerging technologies, from AI regulation to cross-border data transfers, our report highlights the critical steps being taken to safeguard personal data. Understanding these changes is essential for organizations striving to maintain compliance and protect individuals' rights in today’s interconnected digital landscape.

Data protection in the EU

  • EDPB adopts statement on DPAs' role in the AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal

During its latest plenary, the European Data Protection Board (EDPB) adopted a statement on the Data Protection Authorities’ (DPAs) role in the Artificial Intelligence Act (AI Act) framework.

According to the EDPB, DPAs already have experience and expertise when dealing with the impact of AI on fundamental rights, in particular the right to protection of personal data, and should therefore be designated as Market Surveillance Authorities (MSAs) in a number of cases. This would ensure better coordination among different regulatory authorities, enhance legal certainty for all stakeholders and strengthen the supervision and enforcement of both the AI Act and EU data protection law.

According to the AI Act, Member States shall appoint MSAs at national level before 2 August 2025, for the purpose of supervising the application and implementation of the AI Act.

In its statement, the EDPB recommends that:

• As already indicated in the AI Act, DPAs should be designated as MSAs for high-risk AI systems used for law enforcement, border management, administration of justice and democratic processes;

• Member States should consider appointing DPAs as MSAs also for other high-risk AI systems, taking account of the views of the national DPA, particularly where those high-risk AI systems are in sectors likely to impact natural persons' rights and freedoms with regard to the processing of personal data;

• DPAs, where appointed as MSAs, should be designated as the single points of contact for the public and counterparts at Member State and EU levels;

• Clear procedures should be established for cooperation between MSAs and the other regulatory authorities which are tasked with the supervision of AI systems, including DPAs. In addition, appropriate cooperation should be established between the EU AI Office and the DPAs/EDPB.

  • EDPB to work together with the European Commission to develop guidance on the interplay between the GDPR and the DMA

The Commission services in charge of the enforcement of the Digital Markets Act (DMA) and the European Data Protection Board (EDPB) have agreed to work together to clarify and give guidance on the interplay between DMA and GDPR.

This enhanced dialogue between the Commission's services and the EDPB will focus on the obligations that the DMA imposes on digital gatekeepers and that interact strongly with the GDPR, as the applicable regulatory frameworks need to be applied coherently to digital gatekeepers.

Developing a coherent interpretation of the DMA and GDPR while respecting each regulator's competences in areas where the GDPR applies and is referenced in the DMA is crucial to effectively implement the two regulatory frameworks and achieve their respective and complementary objectives.

The DMA established a High Level Group to provide the Commission with advice and expertise to ensure that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner. The Commission and representatives from the EDPB and EDPS already engaged on data-related and interoperability obligations in the High Level Group. This project builds on this engagement and deepens the cooperation in relation to the two specific regulatory frameworks.

Data protection in Poland

  • Fine for the sales platform Vinted

On 2 July 2024, the Lithuanian Data Protection Authority imposed an administrative fine of more than €2.3 million on Vinted UAB, the operator of a sales platform and associated application that allows users to sell and buy second-hand clothes.

The proceedings in the Vinted case were initiated by the State Data Protection Inspectorate (the Lithuanian supervisory authority) following complaints forwarded to it by the DPA in 2021 and 2022. In their complaints, users of the sales platform alleged that the company did not fulfil their requests related to the right to be forgotten (Article 17 GDPR) and the right of access to data (Article 15 GDPR).

The Polish users of the service pointed out that although registering on the site is simple, withdrawing the funds collected from items sold there is complicated and requires a lot of personal data. Among other things, the company requires a scan of an identity card. If the user did not provide those data, the funds they had accumulated from the sale of clothes were blocked and could not be withdrawn.

The Vinted company informed the persons who requested their data to be deleted that it would not take any action in their case, as the requests made by them lacked the indication of ‘specific grounds’ in accordance with the wording of Article 17 of the GDPR. The State Data Protection Inspectorate also found that the company, in its response to the complainants' requests, did not specify all the purposes for which the complainants' data, to a certain extent, were still to be processed.

  • What should be taken into account when implementing the Artificial Intelligence Act?

The implementation of the provisions of the Artificial Intelligence Act (AI Act) into the Polish legal order involves introducing into the national legal system a number of solutions affecting fundamental rights, in particular the processing of personal data and the privacy of individuals. Therefore, Mirosław Wróblewski, President of the Personal Data Protection Office (UODO), sees the need to comment on this matter.

As noted by the President of the Personal Data Protection Office (UODO), one of the fundamental issues for the systemic consistency of the regulation implementing the AI Act is to ensure that the law created complies with the standards in force in Poland for the protection of personal data and privacy. This involves respecting the provisions of the Constitution of the Republic of Poland (in particular Article 51, the right to protection of personal data, and Article 47, the right to privacy) as well as the General Data Protection Regulation (GDPR) and the so-called Police Directive (DODO). It is therefore crucial that, when adopting solutions implementing the AI Act, the Polish legislator takes into account the provisions stemming from the aforementioned legal acts, which require parallel application.

This is because the matter regulated by the AI Act involves the creation, development and use of artificial intelligence systems that process personal data, including special categories of data, on a massive scale.

It will also be necessary to review the provisions already in force in the national legal order based on an analysis of the interplay between the above-mentioned legal acts.

The Personal Data Protection Office pledges expert support if legislative work is undertaken on draft acts, especially those that would constitute sources of generally applicable law and would need to be assessed for compliance with the General Data Protection Regulation.

  • Not every interruption of data access constitutes a breach

In the context of the global cloud services outage revealed today, we would like to remind you that not every outage constitutes a data protection breach. Outages such as today's cause great confusion and trouble in many industries, including strategic ones such as transport and healthcare. Deputy Prime Minister, Minister of Digital Affairs Krzysztof Gawkowski said that outages related to the interruption of access to cloud services have been reported, but do not involve critical infrastructure.

The interruption of access to cloud services and the resulting lack of access to data, in certain situations, may result in a violation of persons' rights and freedoms. However, not every such violation requires notification to the President of the Personal Data Protection Office. The controller should, in each case, conduct a risk analysis and, if such a breach resulting in a risk of infringement of persons' rights or freedoms occurs, report such an incident to the supervisory authority. It is worth emphasizing that the risk will occur in a situation where it is likely to affect the rights or freedoms of an individual, e.g. a direct threat to health or life.

This outage confirms what already follows from the GDPR standards: inventorying resources in organizations is very important. It is also important to assess risks in terms of access to data and the impact of a possible outage on the protection of data subjects.

  • More than 7 million employees targeted by hackers

35 per cent of small and medium-sized enterprises (SMEs) are afraid of the theft of their employees' personal data, according to a survey undertaken on behalf of ChronPESEL.pl and the National Debt Register under the patronage of the Personal Data Protection Office. The main reasons for these fears are the awareness of frequent attacks by cyber criminals, for whom companies are an attractive target due to the processing of large amounts of data. Micro, small and medium-sized enterprises employ 7.3 million people.

Surveyed entrepreneurs list the frequent successful attacks by cyber criminals on companies (59 per cent), the processing of large amounts of data (29 per cent) and the fact that they are an attractive target for personal data thieves (26 per cent) as the main reasons for being concerned about the theft of employees' personal data. However, it is interesting to compare these responses with the arguments indicated by the more numerous group of entrepreneurs (65 per cent) who are not afraid of such attacks. They list well-secured computers in first place (50 per cent), but in second place the fact that they do not process large amounts of personal data (39 per cent) and that they are not an attractive target for cybercriminals (35 per cent).

  • President of the Polish SA bans Meta company from publishing ads using Omena Mensah's data in Poland

The President of the Personal Data Protection Office has obliged Meta Platforms Ireland Limited to stop the display of false advertisements using real data and the image of journalist and presenter Mrs Omena Mensah on Facebook and Instagram in the territory of the Republic of Poland for three months. The order in this case in relation to Mrs Omena Mensah's complaint was issued by Mirosław Wróblewski, President of the Personal Data Protection Office, on the basis of Article 60(1) of the GDPR and Article 70(1) and (2) of the Act of 10 May 2018 on the Protection of Personal Data.

False information has been circulated on Facebook regarding the journalist's death, the claim that she was beaten by her husband, or that she was sent to prison. The deepfake advertisements use the journalist's real, current personal data. The complainant claimed to have detected as many as 263 advertisements (many of which existed in between 2 and 6 versions), and the number is constantly increasing, as she receives daily reports of further advertisements featuring her. Moreover, this kind of information strongly affects her sense of security, dignity and privacy, and negatively affects the emotional state of those close to her.

  • How to protect whistleblowers’ data – summary of the seminar

On 7 August, a seminar was held at the Personal Data Protection Office, during which Mirosław Wróblewski, President of the Personal Data Protection Office, together with employees of the Office, representatives of the Social Team of Experts at the President of the Personal Data Protection Office and external experts, discussed the comments submitted as part of the public consultations and presented proposals for the interpretation of the provisions of the Act on the Protection of Whistleblowers with regard to personal data. The meeting, also available online, was attended by over a thousand people.

As a result of the seminar discussion, written explanations from the Personal Data Protection Office will regularly appear on the Personal Data Protection Office’s website, suggesting the appropriate directions for interpreting the provisions of the Act on the Protection of Whistleblowers with regard to personal data.

  • Nearly PLN 1.5 million fine for a medical company after a hacker attack

The IT infrastructure of the company American Heart of Poland SA was attacked by hackers, who thus gained access to the detailed personal data of approximately 21,000 individuals. The President of the Personal Data Protection Office found that this occurred because the company had incorrectly estimated the risk to the data. Additionally, during the pandemic, the company did not comply with its own data security policy.

Unauthorized persons gained access to the data of patients and employees of the company. The incident covered a wide range of data, namely: surname, first name, parents' first names, mother's maiden name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.

The company learned of the data leakage from hackers, who demanded a $3 million ransom for not disclosing the intercepted data. The company notified the President of the Personal Data Protection Office of the incident, and informed those whose data had leaked of the risks associated with the incident.

  • Administrative fine for the Independent Public Health Care Centre in Pajęczno after loss of data

The President of the Personal Data Protection Office imposed a fine of PLN 40,000 on the Independent Public Health Care Centre in Pajęczno. As a result of the hacking attack, the Centre lost access to patient and employee data. It only took corrective action after the fact. Before that, it had not carried out a risk analysis for personal data. Therefore, it could not effectively protect personal data - hence the fine.

The hacking attack occurred in February 2022. Ransomware encrypted the personal data of 30,000 patients and more than 1,000 employees. The Health Care Centre notified the Personal Data Protection Office and the police. However, it considered that the attack was not serious, as the data did not leak but only became inaccessible (an external expert indicated that the data could not be decrypted, since the attackers made decryption conditional on paying a ransom in cryptocurrency).

  • Fine for the National Public Prosecutor's Office for disclosing the data of a crime victim

The President of the Personal Data Protection Office, Mirosław Wróblewski, imposed a fine of PLN 85,000 on the National Public Prosecutor's Office in connection with the breaches found. In addition, he ordered the National Public Prosecutor's Office to notify the victim, in accordance with the GDPR, of the possible consequences of the breach and of the measures, applied or proposed by the controller, to minimize the effects of the breach.

The issue concerns a press conference at which Mr Tomasz Szafrański, Prosecutor of the National Public Prosecutor's Office, and Mr Zbigniew Ziobro, Prosecutor General - Minister of Justice, discussed the case of one of the District Prosecutor's Offices. During the conference, the Prosecutor of the National Prosecutor's Office and the Minister of Justice - Prosecutor General disclosed personal data of a person having the status of a victim in criminal proceedings and information concerning the facts of the case contained in the judgment of the district court. Among the data disclosed, in addition to information such as name and surname, there was information constituting special categories of data. Despite the fact that a personal data breach occurred in this way, the controller did not report the personal data breach to the President of the Personal Data Protection Office, nor did it notify the natural person of the breach.

Data protection in the Netherlands

  • AP and RDI: Supervision of AI systems requires cooperation and must be arranged quickly

Cooperation between supervisory authorities is of paramount importance in the supervision of artificial intelligence (AI), the Dutch Data Protection Authority (Dutch DPA) and the Dutch Authority for Digital Infrastructure (RDI) write in their advice to the Dutch government. Decisions on which bodies will carry out the different supervisory tasks need to be made soon, as the first parts of the new European AI Act will come into force at the start of 2025.  

  • AI Risk Report Summer 2024: turbulent rise of AI calls for vigilance by everyone

Artificial intelligence (AI) is developing at a rapid pace, but as a technology, it is still in its infancy. Hence, there is a lot of experimentation, ranging from a ‘rat race’ in generative AI among big tech companies to the application of AI-based behavior recognition systems in supermarkets and gyms in the Netherlands. However, adequate risk management of AI systems is not keeping up with this rapid development. For the Netherlands, this not only means that careful deployment of AI systems has to take priority but also that society must be prepared for more AI-related incidents. This necessitates vigilance for AI risks by Dutch citizens, corporate leaders and legislators.

  • AI Act comes into effect: work to be done for developers and users

On 1 August 2024, the AI Act will officially enter into force. This Act applies to the entire European Union, including the Netherlands. In the coming period, the various requirements that this law imposes on developers and users of artificial intelligence (AI) are going to apply step by step. The first requirements will apply from February 2025. From that moment, certain AI systems will be prohibited and organizations that use AI must ensure that their employees are sufficiently AI literate. Developers and users of AI should start preparing for these new requirements as soon as possible.

The AI Act is the world's first comprehensive law on artificial intelligence, setting rules for responsible development and use of AI by companies, governments and other organizations.

  • Caution: use of AI chatbot may lead to data breaches

Recently, the Dutch Data Protection Authority (Dutch DPA) has received a number of notifications of data breaches caused by employees sharing personal data of, for example, patients or customers with a chatbot that uses artificial intelligence (AI). When employees enter personal data into AI chatbots, the companies that offer the chatbot may gain unauthorized access to those personal data.

The Dutch DPA notices that many people in the workplace use digital assistants, such as ChatGPT and Copilot, for answering questions from customers or summarizing large files, for example. This may save time and take less pleasant work off the hands of employees, but it also entails high risks. 

In the case of a data breach, personal data are accessed without this being permitted or intended. Often, employees use the chatbots on their own initiative and contrary to the agreements made with the employer. If personal data have been entered in the process, this means there is a data breach. Sometimes, the use of AI chatbots is part of the policy of organizations. In this case, it is not a data breach, but often not permitted by law. Organizations need to prevent both situations.

Most companies behind the chatbots store all data entered. As a result, these data end up on the servers of those tech companies, often without the person who entered the data realizing and without that person knowing exactly what that company will do with those data. Moreover, the person whose data it concerns will not know either.

  • Dutch DPA imposes a fine of 290 million euro on Uber because of transfers of drivers' data to the US

The Dutch Data Protection Authority (DPA) imposes a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers. According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation.

  • Dutch DPA imposes a fine on Clearview because of illegal data collection for facial recognition

The Dutch Data Protection Authority (Dutch DPA) imposes a fine of 30.5 million euro on Clearview AI and issues an order subject to a penalty for non-compliance of up to more than 5 million euro. Clearview is an American company that offers facial recognition services. Among other things, Clearview has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch DPA warns that using the services of Clearview is also prohibited.

  • Organizations provide insufficient information to victims of data breaches, Dutch DPA gives advice

People who have become the victim of a data breach often receive insufficient information from the organization that had the data breach. As a result, victims are insufficiently aware of the risk of abuse of their personal data. And they do not know exactly what they can do themselves to reduce the risks of online swindling, for example. This is the warning given by the Dutch Data Protection Authority (Dutch DPA) on the basis of an investigation into the largest data breaches of 2023.

Data protection in Spain

  • Spanish supervisory authority fined UNIQLO EUROPE, LTD for violations of Articles 5.1(f) and 32 of the GDPR

The complainant in the case, whose employment contract had been terminated, requested access to their payroll information for July 2022. In responding to the request, the controller sent an e-mail to the complainant with an attached PDF document that included their payslip and those of 446 other workers on the staff.

The documentation in the file offers clear indications that UNIQLO violated Article 5.1(f) of the GDPR by not duly guaranteeing the confidentiality and integrity of the personal data of its employees, which were disclosed to an unauthorized third party. This duty of confidentiality and integrity must be understood as having the purpose of preventing data leaks that are not consented to by the data subject.

Also, the documentation shows a violation of Article 32.1 of the GDPR, due to the failure to adopt appropriate technical and organizational measures.

UNIQLO cited a series of technical and organizational measures to preserve the security and privacy of its information systems. These measures were not appropriate to avoid the facts that are the subject of the complaint. A series of measures adopted subsequently have been provided, such as allowing former employees access to their payslips for a period of 60 days after the termination of the contract, the review of the payroll process by the human resources department, and the redesign of the internal protocols of that department. These measures cannot be taken into consideration for the purposes of assessing UNIQLO's responsibility for the facts.

The negligent action of the employee in the management of the personal data in the workers' payslips does not exempt UNIQLO from liability. The liability of the company in the field of sanctions for the negligent action of an employee that involves non-compliance with data protection regulations has been confirmed by the jurisprudence of the Spanish Supreme Court.

The Spanish supervisory authority (AEPD) imposed a total fine of 450,000 euros for the infringement, which was reduced to 270,000 euros, based on provisions in Spanish law allowing for a reduction in the fine amount when a controller voluntarily pays the fine and acknowledges responsibility for the violation.

  • Worldcoin agrees to stop its activity in Spain

Last March, the Spanish Data Protection Agency (AEPD) ordered a precautionary measure requiring Tools for Humanity Corporation to cease the collection and processing of personal data that it was carrying out in Spain within the framework of its Worldcoin project.

Meanwhile, the investigations by the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), the data protection authority of Bavaria (Germany), where the company has its main establishment in Europe, are progressing and are expected to conclude soon with a final decision aligned with all the European supervisory authorities concerned. In this context, the company has made a legally binding commitment not to resume its activity in Spain until the end of the year or until the BayLDA adopts a definitive resolution in relation to the data processing carried out by the company.

This legally binding commitment adopted by the company does not affect the powers of the BayLDA or the AEPD to adopt additional supervisory measures in the event of non-compliance with these obligations.

The precautionary measure, established in article 66.1 of the General Data Protection Regulation (GDPR) to protect the rights and freedoms of interested parties, was endorsed by the National Court considering that “the safeguarding of the general interest, which consists of the protection of the right to the protection of personal data of the interested parties, prevailed over the particular interest of the company.”

Following the Agency's provisional measure, Tools for Humanity Corporation announced changes to its operations, such as the introduction of age verification checks and the possibility of removing the iris code.

The Agency is collaborating with the Bavarian Data Protection Authority, which is the lead authority for this data processing, while the AEPD is a data protection authority concerned, as established by the GDPR.

  • The Agency and the European Data Protection Supervisor analyze the challenges for data protection posed by the processing of neurodata

The Spanish Data Protection Agency (AEPD) and the European Data Protection Supervisor (EDPS) have published a joint report analyzing the challenges that the processing of neurodata poses for people's rights and freedoms. The paper, which examines this emerging phenomenon, provides an overview of neurodata and assesses its impact on privacy and personal data protection, including practical cases.

Recent advances in neurotechnology are enabling the emergence of a growing number of connected devices that monitor brain activity for a variety of purposes. The brain plays a crucial role in human cognitive abilities, decision-making, emotions and behavior, among other functions. The report explains that brain imaging techniques were originally developed in the context of clinical medicine and neuroscientific research, proving to be effective for a variety of treatments.

However, in recent years there has been a trend towards marketing-related use, for example measuring the reaction of the human brain to advertisements or products in order to study, analyze and predict consumer behaviour. Neurotechnologies have also been used in wearable devices for a range of everyday activities, such as education and entertainment. Furthermore, brain implants offer the possibility of influencing and rewriting people's brain activity. This accessibility, together with the capabilities of Artificial Intelligence to combine data from various sources, can substantially interfere with fundamental rights and freedoms.

The report analyses what the processing of neurodata entails in different contexts and with examples of use cases, such as in education or video games, as well as the threats posed by some of them. It then specifies the data protection requirements and principles that must be met for the processing of this type of personal data, which often constitute special categories of data (for example, biometric data or data relating to health). In principle, the processing of special categories of data is prohibited, subject to exceptions where certain circumstances apply. Where permitted, the processing of neurodata must continue to comply with all other data protection requirements and principles, such as proportionality, accuracy, transparency and fairness.

The report states that those who consider processing neurodata must always take into account the intrusive nature of processing such data and carefully assess whether the purpose pursued fully justifies this “extremely invasive and sensitive data processing, which affects the most intimate aspect of people's lives.” It also highlights the crucial need to carry out an in-depth analysis of neurodata and assess the impact of its processing on fundamental rights, including the need to create neurorights.

The Charter of Fundamental Rights of the European Union expressly recognizes the fundamental right to mental integrity (Article 3), as one of the expressions of the fundamental right to human dignity (Article 1), which is also the foundation of the right to privacy and the protection of personal data (Articles 7 and 8 of the Charter).

The Agency has established among its strategic lines the promotion of the regulation of the processing of neurodata and the corresponding neurorights, especially in the field of services aimed at minors.

  • The AEPD prepares guidelines on obligations and responsibilities for the use of mobile devices in educational centers

The Spanish Data Protection Agency (AEPD) has published guidelines on ‘Responsibilities and obligations in the use of mobile digital devices in early childhood, primary and secondary education', which analyses the implications that the use of this technology may have and what principles must be complied with by educational centers and educational authorities so that the processing of personal data derived from the use of these devices complies with data protection regulations. These guidelines are aimed at educational authorities, school management teams, teachers and families.

Nowadays, mobile phones and tablets are frequently used in educational centers, often owned by students or their families. In many cases, the services and products used in schools as a teaching method process large volumes of personal data that are stored in the cloud by third parties beyond the school or educational authority itself.

These devices can collect numerous data from students, such as device identifiers, user accounts, geolocation, usage habits, etc., information that can be processed for purposes other than the educational function. In this regard, the AEPD stresses that the processing of this information must comply with the provisions of the General Data Protection Regulation (GDPR).

The guidelines cover situations that may arise in relation to the regulation of mobile phone use in schools (the possibility of carrying devices is prohibited or limited; they are used in the classroom at the request of teachers or there is no regulation on their use) and the responsibilities that each of them entails.

The Agency also points out that the use of smartphones and other digital devices for educational purposes, owned by students and their families, may generate data processing that seriously affects their rights and freedoms, specifically their right to non-discrimination and education; to private and family life; to the physical and mental integrity of the minor; and to the protection of their personal data, in addition to their comprehensive development as individuals.

For all these reasons, the Agency advises against the use of smartphones and other mobile digital devices in educational centers if the intended educational purpose can be achieved through another, more suitable resource.

The AEPD highlights that, in order to comply with the GDPR, these data processing operations in the educational field must pass the suitability, necessity and proportionality tests.

Furthermore, the Agency recalls that any processing that deviates from the purpose for which the data was collected is unlawful and, in addition to administrative liability for breach of data protection regulations, may give rise to liability for damages for which educational centers and administrations may be jointly liable.

These guidelines complement the Guide to Educational Centers published by the Spanish Data Protection Agency, and are added to other resources available in the ‘Education and minors’ area of the Agency's website.

Data protection in Mexico

  • INAI pushes for the regulation of artificial intelligence in Mexico

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the guarantor of privacy in Mexico, together with civil society organizations, the legislative branch and international institutions, is promoting the creation of a regulation on artificial intelligence (AI).

Commissioner Ibarra Cadena recalled that among the challenges of the use of artificial intelligence is to curb unethical uses, such as the creation of false information or fabrications that irreparably discredit people. 

  • What is INAI and what is it for?

INAI is a public, independent and specialized institution, designed to act without political.

INAI emerged in response to citizen demand to know more about government performance and actions.

The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) helps people exercise their right to know and their right to the protection of personal data.

● It is responsible for ensuring that people have access to public information from government offices, political parties, trade unions and those receiving and exercising state money.

● It monitors the right we all have to have our personal data properly used, protected and safeguarded by public sector institutions, organizations and individuals and by organizations and individuals in the private sector.

  • Artificial intelligence must guarantee privacy and not discriminate

Artificial intelligence must ensure that personal data is handled appropriately and that its algorithms do not discriminate against anyone, said Josefina Román Vergara, Commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), at the inauguration of the Privacy Route in the state of Coahuila.

  • What is personal data?

Personal data is information that distinguishes, describes, characterizes and differentiates you from other people, such as your name, address, telephone number or gender. This information allows you to identify yourself to other people, public institutions and private organizations.

  • INAI to initiate ex officio investigation into Ticketmaster's alleged disclosure of personal data

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) will initiate an ex officio investigation into the alleged disclosure of personal data by Ticketmaster, a company that sells tickets for shows and entertainment in Mexico.

According to the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP), private companies or legal entities or individuals that process personal data are obliged to comply with the principles, duties and obligations set out in the law.

  • RIPD and SEGIB sign memorandum of understanding to strengthen personal data protection in Ibero-America

The Ibero-American Data Protection Network (RIPD), chaired by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), signed a memorandum of understanding with the Ibero-American General Secretariat (Segib) to strengthen cooperation on data protection in Ibero-America.

The memorandum establishes a framework of collaboration for the exchange of information, technical assistance and the formulation of public policies and regulations on personal data protection and privacy.

  • Did you receive the Ticketmaster email? 

Cookies are tools that website and digital application designers use to store user-related information, such as keeping your browsing session active or adding items to your shopping cart in an e-commerce site.

Some cookies can disproportionately collect personal data and even invade the privacy of internet users, putting their security at risk.

  • Protect your personal data when using internet-connected appliances

Inadequate security settings on household appliances that connect to the internet can pose a risk to the privacy of their users. These devices, such as televisions, smart speakers or security cameras, have the ability to collect, store, process and transmit personal information over the internet.

  • Protect your personal data when using public Wi-Fi networks

Open Wi-Fi networks are internet hotspots located in public spaces such as hotels, airports, cafes, shopping centers, parks and even on public roads.

Wi-Fi networks are attractive to internet users because of their availability, but they can pose risks of inappropriate processing of personal data and information transmitted over the internet.

  • The rights of access to information and protection of personal data will be vigorously defended

The commissioners of the Plenary of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) and the Coordinator of the Guarantor Bodies of the Federal Entities of the National Transparency System (SNT) closed ranks to defend the rights of access to information and protection of personal data in Mexico with unity, leadership and firmness.

  • INAI is an international benchmark on transparency and privacy

The work, organization and public policies designed and implemented by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) were presented as an example to the Honduran Ministry of National Defense (Sedena) at a meeting led by Commissioner Blanca Lilia Ibarra Cadena.

  • Citizens must be involved in debates on access to information rights and personal data protection 

The debate on the exercise of rights must be based on the multiculturalism and heterogeneity of Mexicans and the vulnerability that characterizes various sectors of the country, such as indigenous peoples and Afro-Americans, said INAI's President Commissioner Adrián Alcalá Méndez.

  • INAI and guarantor bodies must remain autonomous to protect the right to privacy

The institutions that guarantee the right to the protection of personal data and privacy must remain autonomous, independent, solid and robust, said Adrián Alcalá Méndez, President Commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), at the inauguration of the fourth edition of the National Privacy Notice Workshop.

  • 10 benefits of personal data protection law

With the right to personal data protection, you can obtain your medical records, fight against identity theft, change your personal documents according to your gender identity, and object to your data being disclosed or shared without your permission.

The cases of people who have exercised their right to personal data protection are a sample of practical and concrete uses in which this constitutional guarantee materializes in social benefits that improve the quality of life.

  • The right to the protection of personal data is at risk due to the threat of the disappearance of INAI and state institutes.

It is necessary to preserve the autonomous institutions that guarantee the right to the protection of personal data and to have legislation in this area updated to technological advances, said Adrián Alcalá Méndez, INAI's President Commissioner, at the inauguration of the First International Congress on Personal Data Protection and Artificial Intelligence in León, Guanajuato.

  • New National Transparency Platform

On 17 September, the new image and functionality of the National Transparency Platform (PNT), which allows society to obtain public information, make requests for access to information and personal data protection, and file complaints, will be presented.

  • INAI recognizes 60 companies with self-regulation schemes to strengthen the protection of personal data

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) recognized 60 companies certified in the implementation of Binding Self-Regulation Schemes, which are a set of guidelines, precepts or criteria, additional to what is established in the legislation, that organizations develop or adopt and commit to comply with the objective of strengthening the protection of the personal data they process.

Data protection in India

  • India’s AI strides run into privacy law headwinds

A host of companies including information technology firms, banks and cloud storage providers are seeking legal advice amid apprehensions about their use of generative artificial intelligence (GenAI) running afoul of the provisions of the data law, said industry executives.

Many companies are building proprietary GenAI models without enough transparency about the use of personal data being processed for training purposes, experts said, adding that this could go against the principles of lawful consent, fairness and transparency as prescribed in the Digital Personal Data Protection (DPDP) Act.

The legislation, passed by Parliament in August last year, provides for the protection of the personal data of individuals while allowing the processing of such data for lawful purposes. With privacy being a fundamental right, companies are worried about legal liabilities that could arise over non-compliance.

  • Draft data protection rules to be issued by Government of India within a month

India’s Information and Broadcasting Minister Ashwini Vaishnaw told the media on August 19 that the central government is expected to release a draft of the rules under the Digital Personal Data Protection Act (DPDP Act) within a month.

The intention appears to be to simplify the rules and pass them on for public consultation. After the rules are published, the public consultation period may last between 45 and 60 days, subject to further extensions, to draw out comprehensive feedback.

The government intends to review all feedback and begin implementing the DPDP Act within this financial year, with plans to establish a Data Protection Board during this period.

The finalized rules will detail the processes for filing complaints, appealing decisions, and other essential procedures.

The current version of the DPDP Act provides specialized protections for children and individuals with disabilities. It defines a child as anyone under 18 years old. Section 9 requires data fiduciaries to obtain consent from a parent or legal guardian and verify the child’s age before processing a minor’s data.

However, the implementation of the DPDP Act has been delayed due to the need for additional clauses and rules.

Key definitions compared to EU GDPR

The DPDP Act, while similar to the EU’s GDPR, differs in its terminology and definitions:

• Data Fiduciary: This entity determines the purpose and methods for processing personal data. It is akin to a data controller in the GDPR. The government can designate certain data fiduciaries as ‘significant data fiduciaries’ (SDFs) based on factors like data volume, sensitivity, and broader societal impacts. SDFs face stricter compliance requirements.

• Data Processor: An entity that processes personal data on behalf of a data fiduciary.

• Data Principal: The individual whose personal data is collected and processed, similar to a data subject under GDPR.

• Consent Manager: A registered individual who manages consent on behalf of data principals, allowing them to give, review, and withdraw consent through a transparent and interoperable platform.

Data protection in Brazil

  • ANPD determines precautionary suspension of personal data processing for training Meta's AI

The National Data Protection Authority (ANPD) issued a Preventive Measure determining the immediate suspension, in Brazil, of the validity of the new privacy policy of the company Meta, which authorized the use of personal data published on its platforms for the purpose of training artificial intelligence (AI) systems. A daily fine of R$50,000 was established for non-compliance.

The measure refers to the update to the company's privacy policy that came into effect on June 26. The new policy applies to "Meta Products", which include Facebook, Messenger and Instagram, and allows the company to use publicly available information and content shared by users of its platforms to train and improve generative AI systems. Such processing could impact a substantial number of people, since, in Brazil, Facebook alone has around 102 million active users.

The ANPD became aware of the case and initiated an inspection process ex officio – that is, without any third party involvement – due to evidence of violations of the General Data Protection Law (LGPD). After a preliminary analysis, given the risk of serious and difficult-to-repair harm to users, the Authority provisionally ordered the suspension of the privacy policy and the processing operation.

  • ANPD and Gestão launch new service to receive requests from personal data holders

The National Data Protection Authority (ANPD) and the Ministry of Management and Innovation in Public Services (MGI) launched a new service for receiving requests from personal data holders. It will now be possible to send petitions and reports of violations of the General Data Protection Law (LGPD) on a new platform, accessible through GOV.BR.  

The new service represents an important step forward in the modernization and accessibility of services offered to personal data holders. It is the result of a year of work aimed at providing a smooth and efficient experience for users. GOV.BR, already used by more than 150 million Brazilians, eliminates the need to create another password and simplifies access to more than 4,200 digital services. 

  • ANPD approves rule on the role of the Data Protection Officer

The National Data Protection Authority (ANPD) published the regulation on the role of the Data Protection Officer. In addition to being published in the Official Gazette of the Union, the rule was announced by the CEO, Waldemar Gonçalves, at an event in Rio de Janeiro. The director is participating in the Computer Privacy and Data Protection for Latin America (CPDP LatAm) conference.

The Data Protection Officer was a figure created by the General Data Protection Law (LGPD). According to the law, it is the Data Protection Officer's responsibility to act as an interface between the data subject, the processing agent and the ANPD. It is also their responsibility to guide the organization they work for regarding best practices in data processing.

In compliance with the LGPD, the regulation details aspects of the Data Protection Officer's role. The rule includes provisions on the disclosure of their identity and contact information; the duties of data processing agents; and situations of conflict of interest.

  • ANPD welcomes the new composition of the National Council for Data Protection and Privacy

The National Data Protection Authority (ANPD) and the Ministry of Justice and Public Security (MJSP) held a welcoming meeting for members of the National Data Protection Council (CNPD). The meeting took place at the ministry's headquarters in Brasília. 

The meeting aimed to welcome and integrate the CNPD counselors, providing the appropriate environment for carrying out the collegiate's activities. From now on, the collegiate's meetings will take place ordinarily, according to its own calendar, and extraordinarily, whenever called by the President, the Secretary of Digital Rights of the MJSP, Lílian Cintra de Melo.

  • ANPD approves regulation on international data transfers

The CD/ANPD Resolution No. 19/2024, which establishes the International Data Transfer Regulation, was published in the Official Gazette of the Union. The text regulates articles 33 to 36 of the General Personal Data Protection Law (LGPD), establishing procedures and rules for recognizing the adequacy of other countries or international organizations, as well as regulating contractual mechanisms for carrying out international transfers of personal data.

According to Rodrigo Santana dos Santos, General Coordinator of Standardization at the National Data Protection Authority (ANPD), “the standard promotes greater legal certainty for the inclusion of processing agents in global trade and cross-border relations and, consequently, provides greater protection for data subjects throughout the processing chain, as provided for in the Law”.

Among the regulated international transfer mechanisms are the standard contractual clauses, which establish minimum guarantees and valid conditions for carrying out the transfer. Data processing agents that use contractual clauses to carry out international data transfers must incorporate the standard contractual clauses approved by the ANPD into their respective contractual instruments within a period of up to twelve months.  

  • Meta complies with ANPD requirements and may resume, with restrictions, the use of personal data for artificial intelligence training

The National Data Protection Authority (ANPD) suspended the ban that had been imposed on Meta on using personal data to train its artificial intelligence.

In early July, the Authority had issued a preventive measure suspending the use of personal data for training generative AI by the company Meta, considering that such processing could entail an imminent risk of serious and irreparable damage or damage that would be difficult to repair to the data subjects.  

The suspension of the preventive measure falls within the scope of the appeal filed by Meta, based on documentation presented by the company and commitments made by it. In its new decision, the Board of Directors approved a Compliance Plan, which contains several measures that must be implemented by the company with a view to adapting its practices.

  • ANPD publishes report on data protection in the G20 digital economy

The National Data Protection Authority published the report of the event "Navigating data protection in the G20 digital economy agenda", held in June this year in São Luis/MA.

The report brings together contributions from international experts and representatives from different areas, highlighting the importance of digital literacy in the protection of personal data. In addition, it addresses new forms of regulation to face the challenges brought by the global digital economy.  

  • ANPD launches page on International Data Transfer

The National Data Protection Authority (ANPD) launched a specific page on International Data Transfer (TID) on its official website. The measure aims to ensure greater transparency and facilitate the understanding of companies and citizens about the mechanisms that govern the movement of personal data outside the national territory. 

The new website is an accessible platform where data controllers and operators can find detailed guidance on how to submit electronic requests and process requests for analysis of TID mechanisms. Among the regulated mechanisms already covered are specific contractual clauses and global corporate standards, which ensure that transfers comply with legal requirements.

  • ANPD redesigns the Inspection page on the portal

The National Data Protection Authority (ANPD) has launched an update to its website page dedicated to Inspection. The aim is to facilitate access to data on monitoring activities, inspection and administrative sanctioning processes, as well as security incidents related to data protection. 

The new page also explains in a simplified way how the inspection process works. This is a measure of transparency and guidance for society.  

In addition to the content, the design of the page has also been rethought. The new interface is more intuitive and has improved features, highlighting the Authority's efforts to ensure transparency and accountability in the performance of its functions.  

If you have any questions, please send us an email to datasecurity@catts.eu

CATTS Support

How can we help?

CATTS is your dedicated partner for comprehensive data protection and compliance solutions. From strategic guidance and customized training to data security assessments and regulatory monitoring, we empower businesses for ethical success in the digital age. Whether it's GDPR compliance, Privacy Impact Assessments, or incident response, CATTS ensures tailored strategies to your unique data protection needs.