Sent to subscribers in September 2019

2019 continues to be a year of intense activity around the protection of personal data. The adoption and implementation of the EU General Data Protection Regulation (GDPR) are having a viral effect around the world. Several countries have recently adopted their first data protection laws, for example, Brazil (during the summer of 2018) and, more recently, Thailand and Uzbekistan (to be added to this treatise in upcoming supplements). Elsewhere, countries are updating or amending their laws or supplementing them with additional laws. Below are examples of some of the recent developments that are described in further detail in the chapters of this 30th Supplement of the Global Privacy and Security Law treatise.


Argentina passed its first Personal Data Protection Act years ago. It is one of the few countries that the European Commission has determined provides an adequate level of protection of personal data. In its Disposition 47/18, issued by the National Directorate of Personal Data Protection in July 2018, Argentina expands the scope of its provisions regarding information security. Disposition 47/18 identifies a series of suggestions regarding security requirements. The suggestions follow the international standards, especially the ones of the European Union. Among other things, Disposition 47/18 suggests that entities affected by a breach of security report the breach to the Application Authority and appoint a security officer who will be in charge of reporting data breaches and will be the liaison with the Application Authority.


In Austria, the Austrian Data Protection Authority and the courts have actively prosecuted violations of the GDPR. The first decision of the DSB (the Austrian Data Protection Authority) applying the GDPR was published on June 26, 2018. It determined that GDPR Art. 15 covers a customer’s request to obtain his or her historical bank account statements free of charge if no third-party rights are endangered. The DSB issued several decisions on the formalities of a data subject’s request. It has also ruled that the use of dash-cams is generally not in line with the legal data protection framework. In a rare case involving GDPR Art. 85, the DSB ruled on the availability of information to individuals and the privilege of “freedom of information.”


Brazil amended its recently adopted Privacy Act (which becomes effective on February 14, 2020) to formally provide for the existence of a National Data Protection Authority (NDPA). While the Privacy Act originally approved by the Brazilian Congress created the NDPA as an independent federal agency linked to the Ministry of Justice, the concept was vetoed by the President of Brazil on constitutional grounds in the law-making process. The NDPA itself and its rules of operation have been reintroduced by the President by means of a provisional measure, and the existence of the NDPA was confirmed through the enactment of Federal Law 13,853, on July 9, 2019. The NDPA in turn will draft and issue other rules and provisions concerning specific requirements and guidelines to data collectors that are generally addressed in the Privacy Act, as well as the rules applicable to administrative procedures.

Brazil also adopted the Positive Credit Rating Law. The law sets out several obligations for the data controllers and conditions applicable to the collection, use, and sharing of financial information of the data subjects (individuals or legal entities) with other databases, as well as general access, amendment, cancellation, and opt-out rights for the data subjects.


While India is finalizing its national data protection law, its central government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Ordinance, 2019 (the Aadhaar Ordinance) amending the Aadhaar Act in February 2019. The Aadhaar Ordinance introduces the method of offline verification of an individual’s identity using their Aadhaar in the manner provided by the Unique Identification Authority of India. The ordinance further proposes that individuals may voluntarily use Aadhaar to establish their identities using authentication or offline verification with another private entity if that private entity complies with the applicable security and privacy safeguards and is permitted to carry out Aadhaar authentication by law or is seeking authentication for a purpose that the central government has prescribed to be in the interest of the state.


In the second quarter of 2019, the Italian Data Protection Authority (DPA) issued a number of significant decisions. It ordered Mediamarket, a subsidiary of the retailer Mediaworld, to cease and desist the processing of large amounts of personal data of customers collected before the GDPR and used for massive mailing of marketing materials. It found that the information notice and the consent did not comply with the law, but that they both had been changed after the GDPR took effect. There was no fine assessed, but the company received a cease-and-desist order.

The DPA did impose a fine of one million euros on Facebook with respect to the Cambridge Analytica case. The Italian DPA issued the fine against both Facebook Ireland and Facebook Italy, as co-processors. The procedure was under the old Italian law and not under the GDPR, which explains the amount of the fine.


Like Argentina, Uruguay was one of the first countries that the European Commission determined provides adequate protection for personal data and privacy rights. In late 2018, Uruguay adopted an amendment to its original data protection law in the form of Ley de Presupuesto Nacional que modifica la Ley No. 18.331 (October 25, 2018) (National Budget Law Amending Law 18.331). The purpose of the law is to align Uruguay’s data protection law, Law 18.331, to the GDPR. The amendment extends the geographic scope of the data protection law to data controllers that are not established in Uruguay but target Uruguayan inhabitants for the purpose of selling them goods or services and collect their personal information to analyze their behavior. It also adds the obligation to immediately report a data breach, the principle of proactive responsibility, and the obligation to appoint a Data Protection Officer in certain cases.