In an era defined by rapid technological advancements, CATTS Data Protection's Quarterly News for FY23/04 provides a crucial overview of pivotal developments in data protection across the European Union, Poland, The Netherlands, Spain, Mexico, India, and Brazil. As society becomes increasingly reliant on digital platforms, understanding the profound impact of regulations and decisions in the realm of data protection is paramount.

The evolving landscape, as discussed in the news, highlights the ongoing efforts to safeguard individual privacy, enforce accountability, and foster international cooperation. From the European Data Protection Board's insights on the digital euro to Mexico's initiatives for accountability and international collaboration, each update underscores the global significance of adapting data protection frameworks to protect citizens' rights and maintain trust in the digital age. These developments not only reflect the commitment of regulatory bodies but also emphasize the shared responsibility of businesses and individuals in ensuring the ethical and secure use of personal data.

Data protection in the EU

  • Digital euro: ensuring the highest data protection and privacy standards

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a Joint Opinion on the proposed Regulation on the digital euro as a central bank digital currency. The digital euro aims to provide individuals with the possibility to make payments electronically, both online and offline, as an additional means of payment alongside cash.

The EDPB and the EDPS acknowledge that the proposed Regulation addresses many data protection aspects of the digital euro, notably by providing for an offline modality that minimises the processing of personal data. In particular, the EDPB and the EDPS strongly welcome that digital euro users will always have the choice to pay in digital euros or in cash. At the same time, the EDPB and the EDPS make several recommendations to better ensure the highest standards of personal data protection and privacy for the future digital euro.

  • EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta

On 27 October, the EDPB adopted an urgent binding decision instructing the Irish (IE) DPA as lead supervisory authority (LSA) to take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).

The urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to take final measures in this matter that would have effect in the entire European Economic Area (EEA).

The ban on processing will become effective one week after the notification of the final measures by the IE DPA to the controller.

The Irish DPC notified Meta of the EDPB Urgent Binding Decision on 31 October.

The EDPB takes note of Meta's proposal, reported on 30 October, to rely on consent as the legal basis. The Irish DPC is currently evaluating this together with the Concerned Supervisory Authorities (CSAs).

  • EDPB provides clarity on tracking techniques covered by the ePrivacy Directive

The EDPB adopted Guidelines on the technical scope of Art. 5 (3) of the ePrivacy Directive. The Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.

The Guidelines analyse the key notions referred to in this article, such as 'information', 'terminal equipment of a subscriber or user', 'electronic communications network', 'gaining access', and 'stored information/storage'. The Guidelines also include a set of practical use cases featuring common tracking techniques.

The Guidelines only address the scope of application of Art. 5(3) ePrivacy Directive. They do not address how consent should be collected, or the exemptions set out in the article.

The Guidelines will be submitted for public consultation until 18 January 2024.

  • EDPB Application of the GDPR successful, but sufficient resources are necessary to tackle the challenges of the future

During its latest plenary, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. While a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this point in time and calls on the co-legislators to swiftly adopt the new Regulation laying down additional procedural rules relating to the cross-border enforcement of the GDPR. In addition, the EDPB stresses that the DPAs and the EDPB need sufficient resources to continue carrying out their tasks.

Regarding enforcement, the EDPB is convinced that effective and efficient cooperation between DPAs leads to a common data protection culture. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. The EDPB and the DPAs will continue their efforts to further enhance enforcement cooperation and to achieve more efficient and consistent results within the current legal framework.

  • EDPB cookie pledge initiative should help protect fundamental rights and freedoms of users

During its latest plenary, the EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative. The EDPB welcomes the Commission's initiative, which aims to help protect the fundamental rights and freedoms of users, to empower them to make effective choices, and to increase transparency towards users.

The cookie pledge initiative was developed by the European Commission in response to concerns regarding the so-called “cookie fatigue” phenomenon and consists of a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft pledge principles would be contrary to the GDPR and the ePrivacy Directive.

The draft pledging principles would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, under the draft principles, once consent has been refused it should not be requested again for a year; this is an important step towards reducing cookie fatigue.

Furthermore, the EDPB flags that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive. The data protection authorities remain competent to exercise their powers when necessary.

Data protection in Poland

  • WSA upholds financial penalty imposed on Virgin Mobile

After the Office for Personal Data Protection (UODO) re-examined Virgin Mobile's (now P4) breach of RODO (the Polish name for the GDPR) and reduced the fine imposed on this controller from PLN 1.9 million to PLN 1.6 million, the Voivodship Administrative Court in Warsaw upheld the supervisory authority's decision.

  • PESEL identification number better protected

As of 17 November, it is possible to reserve (block) one's PESEL number so that it cannot be used to take out loans or other liabilities in one's name. According to UODO, this is only the first step towards more effective protection of personal data in this area.

  • Another administrative fine for failure to report a data protection breach

The President of the Office for Personal Data Protection (UODO) imposed an administrative fine of PLN 103 752 on Link4 Towarzystwo Ubezpieczeń S.A., based in Warsaw. The reason for the penalty is the failure to notify a personal data breach to the President of UODO without undue delay and, where feasible, not later than 72 hours after becoming aware of it, as Art. 33 GDPR requires.

  • Collaborating to keep patient data safe

The ransomware attack on the ALAB laboratory network and the resulting data leak have seriously concerned the public, both because of the scale of the leak and the potential scope of the data, which could include the health data of many patients. Therefore, the President of UODO and the Patient Ombudsman, as part of an inter-agency agreement, are taking joint action on the incident.

  • Personal data on an employee's private computer must also be protected

The Voivodship Administrative Court upheld the decision of the President of UODO, which had issued a reprimand to the Financial Ombudsman for the lack of adequate technical and organisational measures to ensure the security of the personal data processed, in this case data kept on an employee's private computer.

  • Better data protection in pharmacies

Revealing and eliminating legal violations related to the processing of personal data of patients and employees of general pharmacies - this is the main objective of the agreement signed on 7 December 2023 between the President of the Office for Personal Data Protection and the Chief Pharmaceutical Inspector.

  • Companies will be able to obtain industry certification of compliance of personal data processing with GDPR

The President of the Office for Personal Data Protection has approved the Additional Requirements for the Accreditation of Certification Bodies. Based on this document, certification bodies will be accredited to verify the compliance of personal data processing operations carried out by controllers and processors. The certification aims to increase transparency and improve compliance with personal data protection standards, taking into account the specificities of each industry. Certification bodies will award certificates to applicant companies in specific sectors. Holding a certificate will be voluntary and is intended to confirm the highest standards of compliance with data protection legislation.

In Poland, certification will be carried out by certification bodies accredited by the Polish Centre for Accreditation (PCA). The accreditation will be based on the ISO/IEC 17065:2012 standard and the Additional Requirements for the Accreditation of Certification Bodies just approved by the President of UODO.

Data protection in The Netherlands 

  • €30,000 fine for municipality of Voorschoten

The Dutch Data Protection Authority (DPA) has issued a fine of €30,000 to the municipality of Voorschoten because the municipality retained information on the waste generated by individual households for much longer than was necessary, and did not properly inform residents that it was doing so.

In 2018 and 2019 the municipality of Voorschoten replaced wheelie bins (for houses) and underground containers (for apartment buildings). The new wheelie bins and tokens for underground containers have a chip with a number, each of which is linked to a specific address. The aim is to collect more household rubbish separately, by limiting the amount of residual waste residents are permitted to deposit.

  • AP monitors UWV recovery operation after illegal use of algorithm

The Dutch Data Protection Authority (AP) will ensure that the UWV takes remedial measures for a large group of people receiving benefits. Until the beginning of this year, the UWV illegally monitored the online behavior of people with unemployment benefits. The UWV recently promised the AP that it would rectify the matter. The AP keeps a close eye on the implementation of this.

In concrete terms, this now means, among other things, that the UWV checks in 703 cases whether people have wrongly had their benefits reduced or whether people have wrongly received a fine. 

Algorithm

The NOS exposed the unlawful actions of the UWV in July. Media reporting then showed that until mid-February the UWV had used data from unemployment benefit recipients for an algorithm called Risk Scan Stay Outside the Netherlands. The UWV monitored and analyzed the behavior of visitors to UWV websites to see whether they were staying abroad illegally while receiving unemployment benefits. Website visitors were not told they were being tracked.

  • Code of conduct access policy for ISPS companies approved by AP

The Dutch Data Protection Authority (AP) has approved the Privacy Code of Conduct and Access Policy for ISPS companies drawn up by Port Privacy B.V. ISPS companies are port companies that handle international shipping traffic. They are obliged to implement an access policy for the safety and security of ships and port facilities, and in doing so they process personal data.

The AP does attach a suspensive condition to the approval, because the required supervisory body is not yet in place.

Approval code of conduct

An industry or sector that has drawn up a code of conduct can ask the AP to approve it. The AP approves a code of conduct if it meets the requirements that the GDPR sets for such codes. It is especially important that the code of conduct provides a concrete elaboration of the GDPR.

The AP previously published a draft decision to approve the code of conduct for the Access Policy for ISPS companies. Interested parties could then submit their views on it.

The AP has now made a final decision. Interested parties who cannot reasonably be blamed for not having submitted an opinion can still appeal against the decision.

  • Ban on personalized advertising on Facebook and Instagram

Meta must stop unlawfully offering personalized advertisements on Facebook and Instagram within Europe. The European privacy regulators, including the Dutch Data Protection Authority (AP), have determined this in the European Data Protection Board (EDPB).

Aleid Wolfsen, chairman of the AP and vice-chairman of the EDPB: "Meta keeps track of what you post, click or like on Facebook and Instagram and uses that information to offer personalized advertisements. Wrongfully processing the personal information of millions of people on Facebook is a revenue model for Meta. By putting an end to this, people's privacy is better protected."

  • AP advises companies: report on privacy policy

The Dutch Data Protection Authority (AP) advises large companies to be more transparent about how they deal with privacy, for example by paying systematic attention to privacy policy in their annual reports. The AP has drawn up two guidelines to help companies with this.

“Privacy ties in with an important theme: corporate social responsibility,” says AP vice-chairman Monique Verdier. "Companies are increasingly showing that they are concerned with sustainability, working conditions of factory workers or the impact of business operations on the climate and environment. More attention to privacy fits in well with this." 

"Companies are using more and more data from more and more people, also due to increasing digitalization. Of course, digitalization offers opportunities, but it also comes with privacy risks. By actively showing how you deal with these risks as a company, you can gain trust."

  • Blog post: concerns about generative AI

The Dutch Data Protection Authority (AP) supervises all types of processing of personal data. This also applies to algorithms and AI that process personal data. Since this year, our supervision of algorithms and AI has been more intensive. In a number of blog posts we discuss the social, legal and technological aspects of the use of algorithms and AI. We kick off with Cecile Schut, director of System Supervision, Security and Technology at the AP. 

We are seeing an explosive increase in the use of generative AI applications. New apps are added every day. AI tools, whether or not based on language models, seem to be springing up like mushrooms. Governments and companies see benefits for their employees, but also for citizens and customers.

AI applications that create content (text, computer code, images, sound or video) in response to instructions ('prompts') are called generative AI. Generative AI is expected to be applied increasingly in the coming period.

  • Necessity for large-scale data collection in youth care has not been demonstrated

The Dutch Data Protection Authority (AP) has objections to a bill that leads to large-scale data collection in youth care. The proposal should enable research into the availability of youth care within municipalities. But it is not sufficiently clear why a lot of privacy-sensitive information from young people and their parents must be shared in such research.

  • AI & algorithm risks are increasing, national delta plan necessary

The risks of artificial intelligence (AI) and algorithms are increasing further, partly due to the rise of generative AI: the risk of spreading disinformation, but also of privacy violations and discrimination. The pace of deployment and technological innovation currently outstrips society's ability to recognise and tackle such risks through, for example, regulation and supervision.

The Dutch Data Protection Authority (AP) therefore warns, in the second edition of its report AI & algorithm risks in the Netherlands, that there must be more and better insight into and control over these risks, and advocates a delta plan that brings together human control, secure applications and systems, and requirements for organisations. Investments must also be made in public education about and awareness of algorithms and AI among young and old. It must be clear to people what role algorithms and AI play in their lives and how they can gain and maintain control over it, for example when algorithms are used in education and in the workplace.

  • Tech blog post: factors in authentication

The combination of username and password is still one of the most used ways to log in. In the previous two blog posts we therefore discussed what makes a password strong, and how to use those strong passwords in practice. But what function do passwords actually have in the login process? And are there alternatives?

In this third and final blog post we explore the concept of 'authentication'. This time, AP technologist Jonathan Ellen is assisted by Jasper van Hilten, senior inspector at the AP's Primary Care Research department.

Data protection in Spain

  • Data Spaces in the EU: Synergies between data spaces and privacy, challenges of the EU and experiences of Spain

The Spanish Data Protection Agency (AEPD) and the European Union Agency for Cybersecurity (ENISA) have organized the event Data Spaces in EU: Synergies between data protection and data spaces, EU challenges and experiences of Spain, a meeting that brought together more than 350 professionals interested in European data space initiatives from the perspective of privacy. 

Data spaces are technological infrastructures that will allow data to be exploited at scale in a federated and open manner, but with governance mechanisms, among which data protection and privacy-by-design tools stand out. These mechanisms are meant to make the exchange of information possible without the bulk distribution and transmission of personal data. The EU agenda includes the promotion of more than 20 data spaces, among which the European Health Data Space initiative stands out.

The event, in which professionals from European public administrations, research and private business participated, included a block of conferences and round tables broadcast openly, and another of working groups in which the synergies that can be established between the guarantees protecting people's fundamental rights and the data access market were analysed in practical terms.

The conclusions of this act will be reflected in a final report that will serve to develop future actions and whose publication is scheduled for the end of the year.

  • The Agency launches the ValidaCripto tool to evaluate encryption systems

The Spanish Data Protection Agency (AEPD) has launched the new ValidaCripto tool, which helps evaluate encryption systems to facilitate regulatory compliance by analysing each element of the process. After the publication last May of the Guidelines for the validation of cryptographic systems in data protection, together with ISMS Forum and APEP, and given the good national and international reception of the guide, the Agency has transferred its methodology to an agile and intuitive web tool.

The free tool runs locally in the browser, without recording or transmitting any data to the AEPD. It has a help section that explains its operation step by step: selecting the impact of the encryption system on the processing, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation. Its objective is to offer an effective way to verify the suitability of the cryptographic systems used in the processing of personal data, by selecting from the proposed list of controls those that could be the most appropriate. Data can be saved to and loaded from a local file, under full user control, and reports can be generated.

The protection of personal data is a fundamental right that requires appropriate measures to guarantee its security. One of these measures is the use of cryptographic systems that encrypt sensitive information, transforming it into data that is unintelligible without the key. Currently, two billion people use encryption daily to protect their communications (European Digital Rights 2023). The General Data Protection Regulation mentions it as a measure that forms part of the conditions for lawful processing and as a means of mitigating the risks of a possible personal data breach.

  • The AEPD renews Gap Advisor and Gap Communication, tools that help act in the event of security breaches that affect personal data

The Spanish Data Protection Agency (AEPD) has updated its tools for the management of security breaches that affect personal data. Gap Advisor (Asesora-Brecha) helps data controllers decide whether they should notify a personal data breach to the supervisory authority, while Gap Communication (Comunica-Brecha) helps controllers decide whether they are obliged to communicate a personal data breach to those affected.

The main novelty of the updates to both tools is that, at the end of their execution, controllers and data protection officers (DPOs) can download a complete report with the answers recorded in the tool and the result obtained. They can then complete the basic information on the processing affected by the breach in the report and keep it as part of the internal documentation of the incident.

This functionality has been included following contributions made by public sector data protection officers in the meetings the Agency organised with the DPOs of the General State Administration (AGE), the Autonomous Communities and Local Entities.

Furthermore, in the case of Comunica-Brecha, the report includes a template for possible communication to those affected. Those responsible can fill out and use the template to guarantee that their communication to those affected complies with the minimum information required in art. 34 of the General Data Protection Regulation (GDPR).

  • Modification of the AUTOCONTROL Code of Conduct 'Data processing in advertising activity'

The Spanish Data Protection Agency (AEPD) has approved the modification of the Code of Conduct 'Data processing in advertising activity', promoted by the Association for the Self-regulation of Commercial Communication (AUTOCONTROL). This modification is essentially due to the need to adapt its content to the provisions of AEPD Circular 1/2023 on the application of article 66.1.b) of General Telecommunications Law 11/2022, and it incorporates a seal that identifies entities adhering to the code.

The code of conduct regulates a mediation procedure for the extrajudicial resolution of disputes that arise between citizens and entities adhering to the code over data processing carried out in the field of advertising activity.

Unwanted advertising is one of the most frequent complaints raised before the Agency. Channelling these complaints through AUTOCONTROL and this code of conduct, which is open to all companies that carry out advertising activities, establishes a mediation procedure that is voluntary and free for citizens and provides a faster response to the claims they raise against the participating entities.

  • The AEPD publishes a guide on the use of biometric data for presence and access control

The Spanish Data Protection Agency (AEPD) has published the Guide Presence control treatments using biometric systems, a document that sets the criteria for the use of biometrics for access control, both for work and non-work purposes, establishing the measures to be taken into account so that personal data processing that uses this technology complies with the General Data Protection Regulation (GDPR) among other regulations.

Biometric systems and the processing of data that can be obtained from them are evolving very quickly. The new systems increase the detail of the information collected and even allow the possibility of collecting information without the cooperation of the person, who sometimes is not even aware of it. Added to this is the development of artificial intelligence, which can be used to infer additional information about people.

The Agency considers the processing of biometric data, for both identification and authentication, to be high-risk processing involving special categories of data. As established by the GDPR, in order to process these categories there must be a circumstance that lifts the prohibition on their processing and, in addition, a legal basis that legitimises it.

In the case of working-time registration and access control for work purposes, if the lifting of the prohibition is based on article 9.2.b) of the GDPR, the controller must have a rule with the status of law that specifically authorises the use of biometric data for this purpose. The Agency specifies that, within the framework of this processing, consent can neither lift the prohibition nor serve as the legal basis, because of the imbalance between the person subjected to the processing and the person carrying it out.

  • The AEPD participates in the European Blockchain Sandbox, a European Commission project to offer legal security

The Spanish Data Protection Agency (AEPD) participates in the European Blockchain Sandbox, an initiative of the European Commission that aims to provide a framework for regulators, supervisory authorities and entrepreneurs with projects that use blockchain to participate in a regulatory dialogue, identify obstacles and increase the legal security of these innovative technological solutions, offering guidance in a safe and confidential environment.

The initiative, launched this year, has published the 20 selected projects, covering all EU/EEA regions and representing a wide range of sectors and topics. At this point, the stage of confidential regulatory dialogues now begins, in which the AEPD participates together with other authorities. At the conclusion of these dialogues, a good practices report will be published.

  • The AEPD presents an age verification system to protect minors from accessing adult content on the Internet

The Spanish Data Protection Agency (AEPD) has presented a practical and effective proposal for an age verification system to protect minors on the Internet from access to adult content. With the presentation of this system, the Agency demonstrates that it is technically possible to protect minors from access to inappropriate content while guaranteeing the anonymity of adults when browsing the Internet.

The system presented by the Agency is made up of a Decalogue that includes the principles that an age verification system must comply with, a technical note with project details and the practical videos that demonstrate how the system works on different devices, with different operating systems and using several identity providers. This is complemented with a graphic that shows the risks of the age verification systems currently used.

The presentation of this system took place at the event celebrating the 30th anniversary of the AEPD, at which the director of the Agency, Mar España, highlighted the importance of implementing a mechanism that processes the age attribute on the user's device, without the person's identity or status as a minor being accessible to web pages. "In this project we have combined the protection of children and the best interests of minors with the fundamental right to data protection of all citizens, putting on the table a practical, respectful and pioneering solution in Europe."
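To make the device-side property concrete, the following is an added illustrative sketch, not the AEPD's own system or code: an identity provider issues a short-lived, authenticated "over18" attribute carrying no identity; a trusted agent on the device verifies it and decides whether to fetch pages that self-label as adult content. The website receives nothing about the user's age, and a minor is never flagged to it. The issuer key, the token format, the content-label convention and the `gate_request` policy are all assumptions of this example; an HMAC stands in for the issuer's signature so the example has no dependencies, whereas a real deployment would use a public-key signature so device agents never hold issuer secrets.

```python
"""Device-side age-attribute check: illustrative example, not the AEPD's design."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional

# Constructed issuer key for the example. In practice the issuer would sign with an
# asymmetric key and device agents would hold only the public key.
ISSUER_KEY = secrets.token_bytes(32)


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_age_attribute(issuer_key: bytes, over_18: bool, ttl: int = 86400,
                        now: Optional[int] = None) -> str:
    """Identity-provider side. After verifying the person out of band, emit only the
    boolean attribute plus an expiry: no name, birth date or user identifier."""
    now = int(time.time()) if now is None else now
    payload = {
        "attr": "over18",
        "value": bool(over_18),
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),  # fresh per issuance, so tokens are not linkable
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(issuer_key, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(tag)}"


def verify_age_attribute(issuer_key: bytes, token: str,
                         now: Optional[int] = None) -> Optional[bool]:
    """Device-side agent. Returns the attribute value, or None when the token is
    malformed, tampered with, expired, or not an 'over18' attribute."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(issuer_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    payload = json.loads(body)
    if payload.get("attr") != "over18" or payload.get("exp", 0) <= now:
        return None
    return bool(payload["value"])


def gate_request(issuer_key: bytes, token: Optional[str], page_labels: Iterable[str],
                 now: Optional[int] = None) -> dict:
    """Decide on the device whether to fetch a page. The site only publishes
    self-declared content labels (constructed here, e.g. {'adult'}); the outgoing
    request carries nothing about the user. A missing or unverifiable attribute
    fails closed for adult-labelled pages and changes nothing for other pages."""
    over_18 = verify_age_attribute(issuer_key, token, now) if token else None
    needs_adult = "adult" in set(page_labels)
    allow = (not needs_adult) or (over_18 is True)
    # 'sent_to_site' stays empty: neither the attribute nor a minor flag leaves the device.
    return {"allow": allow, "sent_to_site": {}}


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible run
    minor_token = issue_age_attribute(ISSUER_KEY, False, now=t0)
    adult_token = issue_age_attribute(ISSUER_KEY, True, now=t0)
    print("minor, adult page :", gate_request(ISSUER_KEY, minor_token, {"adult"}, now=t0 + 60))
    print("adult, adult page :", gate_request(ISSUER_KEY, adult_token, {"adult"}, now=t0 + 60))
    print("no token, news    :", gate_request(ISSUER_KEY, None, {"news"}, now=t0 + 60))
```

Note the two points the AEPD presentation stresses: the decision is taken on the device, and the site sees an ordinary request. Tampering with the token (including flipping the value to `true`) fails the MAC check, and an expired attribute is treated as absent rather than as "adult".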

Data protection in Mexico

  • National Open Data Policy seeks to consolidate the accountability system in Mexico

The National Open Data Policy seeks to promote greater citizen participation and social oversight to consolidate an effective accountability system in Mexico, said Adrián Alcalá Méndez, Commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI).

  • INAI and SNT promote actions to close gaps in proactive transparency in Mexico

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), in collaboration with the guarantor bodies that make up the National Transparency System (SNT), promotes actions to close the gaps that exist in terms of proactive transparency in the different entities of the country, said Commissioner Adrián Alcalá Méndez. Participating in the inauguration of the forum Successful Experiences of Proactive Transparency in Mexico, Alcalá Méndez stressed that it is important to standardise the development of policies and knowledge of advanced topics such as proactive transparency.

  • International cooperation is essential to guarantee data protection in the digital environment: INAI, at the 45th Global Privacy Assembly

International cooperation is essential to effectively and efficiently address the challenges posed by the digital environment for the protection of privacy and the security of personal data, said the President Commissioner of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), Blanca Lilia Ibarra Cadena, at the opening of the 45th edition of the Global Privacy Assembly (GPA), which is being held in Bermuda.

  • INAI proposes to members of the Global Privacy Assembly to recognize privacy as a human right at the constitutional level

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) proposed at the 45th edition of the Global Privacy Assembly (GPA), which takes place in Bermuda, the constitutional recognition of privacy as a human right in the member countries of the assembly. As chair of the GPA, INAI, represented by Commissioner Josefina Román Vergara, at the table "International cooperation in action: the role of the GPA", raised the importance of recognising privacy as a human right in the fundamental law or Constitution of each country.

  • INAI Obtains Global Privacy Award, for tool to prepare impact assessments on data protection

The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) won one of the Global Privacy and Data Protection Awards 2023, for the development and implementation of the online tool Personal Data Protection Impact Assessments. The distinction is awarded by the Global Privacy Assembly (GPA), with the aim of recognising the initiatives developed by the member institutions, which promote good practices in the field of personal data protection and demonstrate their international commitment to guaranteeing this right. In the sixth edition of the contest, INAI was the winner in category C "Accountability", with the web application it launched in 2022, to facilitate the online processing of the Personal Data Protection Impact Assessments (PDIAs) by public sector decision-makers in the federal sphere.

  • Recommendations regarding the protection of personal data for the population affected by Hurricane “Otis”, on the coast of Guerrero

The Interdisciplinary Working Group, composed of the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the Citizen Participation Committee (CPC) of the National Anti-Corruption System, the Executive Secretariat of the National Anti-Corruption System (SESNA) and Transparencia Mexicana (TMX), together with the university seminars on socio-environmental risks (SURSA) and transparency (SUT) of the National Autonomous University of Mexico (UNAM), has provided civil society and the authorities with a set of supporting recommendations on protecting the personal data of the people affected by the hurricane.

  • Mexico and Singapore strengthen cooperation on personal data protection

The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) and the Personal Data Protection Commission (PDPC) of Singapore signed a Memorandum of Understanding to strengthen cooperation on personal data protection between the two countries; this instrument represents the first collaboration of its kind between the PDPC of Singapore and a data protection authority of a Latin American country. Data governance and cross-border data flows are essential for global trade in a digital economy. As such, the protection of personal data is a global issue that requires collaboration between countries to build trust and facilitate reliable cross-border data flows.

  • INM must report on the processing of personal data collected with biometric identification systems in AICM: INAI

The National Institute of Migration (INM) must report on the processing of personal data collected by biometric identification systems at Mexico City International Airport (AICM), the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) ordered. The information the obligated entity must disclose includes the legal grounds for using these systems, the number of people recognised correctly and incorrectly, the number of records in the resulting databases, how that information is processed, and the analysis of the impact on the right to privacy of deploying this technology, which may include face or iris readers.

Data protection in India

  • Govt may release personal data bill rules in a fortnight

The government is likely to release the draft rules under the Digital Personal Data Protection (DPDP) Act within the next fortnight and may notify the final version of the rules by the end of January 2024.

On Wednesday, senior executives from social media and internet intermediaries met senior officials of the Ministry of Electronics and Information Technology; key points such as age-gating for children, the consent architecture to be framed, and the rights and obligations of data principals were discussed, a source said.

The Digital Personal Data Protection Act, enacted in August this year, requires any company or individual that collects, manages or otherwise processes other users' data to obtain their explicit consent, after informing them of the purpose for which the data is being obtained.

The DPDP Act also requires that such companies not process the data beyond the purpose for which consent was obtained.

The Act received the President's assent in August this year, making a privacy law a reality after five years in the making. The government has yet to release the executive rules that will define how the law is implemented.

Data protection in Brazil

  • ANPD takes the topic of personal data protection to four more panels at Futurecom 2023

On October 4th, the National Data Protection Authority (ANPD) took part in the second day of Futurecom 2023, an event covering the main national and international trends in technology and innovation. ANPD officials brought the Authority's perspective to several panels, spreading knowledge about the protection of personal data.

The Director-President of ANPD, Waldemar Gonçalves, opened the afternoon plenary session of the Future Congress with the panel "Data regulation in Europe and Brazil: European experiences that can be imported and Brazilian specificities". He stressed that the Authority already has national recognition, but that it is the forthcoming regulation on international transfers of personal data that will open the way for the Authority on the world stage.

  • Temporary AI Committee debates the effects of artificial intelligence on the fundamental rights of the holder of personal data

On October 19th, a public hearing took place at the Internal Temporary Commission on Artificial Intelligence in Brazil (CTIA) of the Federal Senate. It discussed general legal aspects of artificial intelligence, applications of the technology and their legal consequences for fundamental rights, and the principles and foundations of the General Personal Data Protection Law. Issues relating to the use of the technology in citizens' daily lives were also addressed.

  • ANPD is accepted as a full member of the Global Privacy Assembly

The National Data Protection Authority (ANPD) was accepted on the 19th as a full member of the Global Privacy Assembly (GPA), at the annual meeting held in Bermuda. ANPD participated remotely and was represented by the General Coordinator of Institutional and International Relations, Juliana Müller.

ANPD's admission as a full member strengthens international cooperation in the field of data protection and, consequently, provides greater legal certainty for Brazilian individuals and private entities and greater fluidity for cross-border data flows.

  • ANPD participates in the 2nd Serpro Privacy and Data Protection Week

Officials from the National Data Protection Authority (ANPD) are taking part this week in the programme of the 2nd Serpro Privacy and Data Protection Week, which runs from October 24th to 26th in Brasília.

At the opening table, the Chief Executive Officer of the Federal Data Processing Service (Serpro), Alexandre Gonçalves de Amorim, stated that the objective of the event is to promote the development of an open and modern culture of privacy and data protection in Brazil. He also highlighted Serpro's role in the area: "As a public company, we are part of this challenge, and we need to debate the topic very responsibly", he declared.

Also at the opening, ANPD Director-President Waldemar Gonçalves congratulated Serpro on the initiative of promoting the event and highlighted the Authority's commitment to transparency and dialogue in building a culture of personal data protection in Brazil. "The road is long, and it is actions like this that will help us change the country's culture: not only in the sectors of the economy, but also in making data subjects understand the importance of their data and treat it with the importance it has", he stated.

Waldemar also took the opportunity to recall ANPD's recent achievements: the Authority was accepted as a full member of the Global Privacy Assembly (GPA), advanced its inspection (enforcement) processes and started the Regulatory Sandbox project.

  • Privacy Notice explains to data subjects how ANPD processes the personal data of website users

On October 26th, the National Data Protection Authority published Resolution No. 9, which approves the Privacy Notice for the ANPD website. According to the resolution, the objective is to clarify and inform data subjects who access the agency's website how their data is processed, particularly with regard to collection, use, storage and sharing.

In the Privacy Notice, published as an annex to the Resolution, ANPD lists the data that may be collected when the website is used, such as name, personal details, address, CPF (the Brazilian individual taxpayer number) and online identifiers such as e-mail address and IP address.

Information about the data subject's interactions with ANPD, about complaints (including the complainant's data) and about the data protection officer (encarregado) or legal representative of the processing agent may also be collected, where applicable. Exceptionally, the text warns, sensitive data may be processed where necessary for ANPD to exercise the powers listed in the General Personal Data Protection Law (LGPD).

The notice also includes a table listing the purposes, the data subjects concerned, the legal bases and the categories of personal data that will be collected and processed, each grounded in the LGPD. The text also briefly explains the use of cookies, whose purpose is to improve the user's browsing experience and provide personalised services: "We use strictly necessary cookies, based on the legal basis of legitimate interest, which cannot be deactivated in our systems. These cookies provide essential functionality for providing our services", the document explains.

Finally, it explains how personal data is obtained, how it is stored, with which bodies it may be shared, how it is deleted, how it is protected, and what rights data subjects have.

  • ANPD opens Public Consultation on the regulation of the Data Protection Officer (encarregado)

On November 7th, the National Data Protection Authority (ANPD) launched the public consultation on the draft resolution regulating the role of the Data Protection Officer (encarregado). Contributions may be submitted until December 7, 2023, exclusively through the Participa+Brasil platform.

The objective of the public consultation is to support the Authority in drafting the regulation on the role of the Data Protection Officer. In addition to the consultation, a public hearing is planned for the same purpose and will be announced by ANPD in due course.

The role of the Data Protection Officer (the person in charge of personal data processing) is provided for in article 41 of the General Personal Data Protection Law. This is the person responsible for mediating the dialogue between the organisation, data subjects and the Authority. Their duties include receiving complaints from data subjects and communications from ANPD, and promoting good personal data protection practices within the organisation.

  • ANPD publishes Technical Note on the Safe Stadium Project

On November 10th, the National Data Protection Authority (ANPD) published a Technical Note with guidance on the Safe Stadium Project. The document lists the actions needed to ensure that the processing and sharing of personal data complies with the General Data Protection Law (LGPD).

The project is the result of a cooperation agreement signed on September 20 by the Ministry of Justice and Public Security (MJSP), the Ministry of Sports and the Brazilian Football Confederation (CBF). Its objective is to use technologies such as facial recognition to combat violence and racism in stadiums by identifying people who have previously committed crimes in those venues.

After analysing the personal data processing envisaged by the project, the General Inspection Coordination (CGF) proposed measures to prevent violations of the LGPD, and set out the implications and possible consequences should those measures not be adopted.

  • ANPD publishes Technical Note on the disclosure of microdata by INEP

On November 13th, the National Data Protection Authority (ANPD) published a Technical Note on its inspection process against the National Institute of Educational Studies and Research Anísio Teixeira (Inep). The process, concluded on September 16, examined how microdata from the School Census and the National High School Exam (Enem) had been released, an episode that came to light in February of the previous year.

Microdata are the individual-level records underlying a survey or assessment; aggregating them produces the statistics that are normally published. Because each record describes one person, releasing microdata carries a re-identification risk even when direct identifiers such as names have been removed.

The procedure concluded that the Institute adequately complied with the determinations of ANPD's General Inspection Coordination (CGF). Inep implemented measures that reduced the risk of privacy violations and prepared a Data Protection Impact Report (RIPD), which led to the closure of the process. The measures enabled the Institute to map the personal data processing operations that could create risks to civil liberties and fundamental rights.

  • ANPD specialist clarifies the role of the Data Protection Officer and the importance of adapting to the LGPD

Danielle dos Santos Guimarães, Data Protection Officer (person in charge of personal data processing) at the National Data Protection Authority (ANPD), took part on Friday morning in the DPO Breakfast event promoted by the Brazilian Internet Association (Abranet) in partnership with PicPay, in São Paulo.

The initiative, held to mark the fifth anniversary of the General Data Protection Law (LGPD), addressed the challenges facing DPOs and trends in data protection, both with a focus on perspectives and best practices.

If you have any questions, please send us an email to datasecurity@catts.eu