Monday, August 27, 2018

Comparing informed consent in the Brazilian Data Protection Law and in the GDPR: What is The Status of Opt-Out in Brazil?

[To read this post in Portuguese, click here]

On August 14th 2018, the new Brazilian Data Protection Law was approved, and it seems very much inspired by the General Data Protection Regulation (GDPR). In this and in the following posts, I intend to analyse their similarities and differences - especially the practical consequences of their differences.

For those unfamiliar with the topic, the GDPR is the European Union's (EU) new legal framework for the protection of personal data. The GDPR brought significant changes to the old regime (which was regulated by the Directive 95/46/EC) and companies worldwide had to invest time and money to adapt to the new regime. In this blog you will find other posts about the GDPR. My PhD is in the field of data privacy, and as my legal training was in Brazil, I found it important to compare both regimes.

In this post I would like to focus on the issue of informed consent, which is a central element for both legislations as one of the hypotheses of lawful collection and processing of personal data. In Brazil, informed consent is the first possibility (out of ten) mentioned in Article 7 for the processing of personal data, and in the EU it is also the first possibility (out of six) mentioned in Article 6, which deals with the hypotheses of lawful processing of personal data.

The definition of informed consent in the Brazilian law is similar to that of the EU, take a look below:

Brazilian law:
Art. 5 (XIV) consent: free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a determined purpose;
GDPR:
Article 4 (11): ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
An immediate analysis highlights the absence of the terms "specific" and "by a statement or by a clear affirmative action" in the Brazilian definition. The GDPR, already in the definition, seems to make clear its preference for opt-in ("clear affirmative action"). In addition, the advisory board Article 29 Working Party (since May 2018 replaced by the EDPB) expressly mentioned in this opinion adopted on April 10th 2018 that:

"This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes." (p.12) 
"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice." (p.16)

Turning now to the Brazilian law, it brings another descriptive element of consent in its Article 8:

Article 8. The consent foreseen in the item I of the Art. 7 of this Law must be provided in writing or by other means that demonstrate the expression of will of the holder.
Even in writing, a pre-filled field on a form is able to demonstrate the individual's manifestation of will, since by clicking "ok" he is consenting. Therefore, the Brazilian law makes no specific mention of an active manifestation of the data subject, and to my knowledge there are no additional documents or advisory boards that have commented on the opt-in/opt-out issue.

My main question here is: in practice, is opt-out valid in Brazil? Many surveys today show the importance of defaults and how sticky they are (in the sense that the average user rarely changes the default settings in a device/application). Therefore, a default that is not privacy-protective, even if it has the opt-out function (i.e. the user is free to unclick the field that is already filled), will statistically tend to remain a non-protective configuration, as the user will probably not change it.

A discussion that may seem merely grammatical in the beginning, comparing the definitions of consent in both legislations, ends up bringing a much larger dimension that can directly affect the level of data protection received by data subjects in Brazil vs. in the EU.

These and other points of doubt in the new Brazilian law should be discussed as soon as possible so that the Brazilian data subject can benefit from a secure and privacy-protective online environment.

*

If you have any contribution to the topic, feel free to comment below.

Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy
about.me/luizajarovsky


Thursday, August 23, 2018

Comparing Informed Consent in the Brazilian Data Protection Law and in the GDPR: What Is the Status of Opt-Out in Brazil?

[This post is in Portuguese, a post in English about the topic is coming soon]

For those following along, on August 14th 2018 Law No. 13.709, which provides for the protection of personal data (and amends the Marco Civil da Internet), was signed into law in Brazil. As the Brazilian law seems to have been largely inspired by the General Data Protection Regulation (GDPR), as I intend to show in this post and in following posts comparing both systems, it is interesting to analyse their similarities and differences - and the practical consequences of the differences.

For those unfamiliar with the topic, the GDPR is the European Union's (EU) new legal framework for the protection of personal data. The GDPR brought significant changes to the old regime (which was governed by Directive 95/46/EC) and companies worldwide had to invest time and money to adapt to the new regime. In this blog (in English) you will find other posts about the GDPR. My PhD is in the field of data privacy, and as my legal training was in Brazil, I found it important to compare the regimes.

In this post I would like to focus on the issue of informed consent, which is a central element for both legislations as one of the hypotheses authorising the collection and processing of personal data. In Brazil it is the first possibility (out of ten) mentioned in Article 7 for the processing of personal data, and in the EU it is also the first possibility (out of six) mentioned in Article 6, which deals with the hypotheses of lawful processing of data.

The Brazilian definition of informed consent is similar to that of the EU, see below:

Brazilian law:
Art. 5(XIV) consent: free, informed and unequivocal manifestation by which the holder agrees with the treatment of his personal data for a determined purpose;
GDPR:
Art. 4(11): ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

An immediate analysis highlights the absence of the terms "specific" and "by a statement or by a clear affirmative action" in the Brazilian definition. The GDPR, already in the definition, seems to make clear its preference for opt-in ("clear affirmative action"). In addition, the advisory board Article 29 Working Party (since May 2018 replaced by the EDPB) expressly mentioned in this opinion adopted on April 10th 2018 that:

"This means, a controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes." (p.12)
"Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject, prior to the indication of consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice." (p.16)

Turning now to the Brazilian law, it brings another descriptive element of consent in its Article 8:

Art. 8. The consent foreseen in item I of Art. 7 of this Law must be provided in writing or by other means that demonstrate the manifestation of will of the holder.

In any case, even in writing, a pre-filled field on a form is able to demonstrate the individual's manifestation of will, since by clicking "ok" he is consenting. Therefore, the Brazilian law makes no specific mention of the element of active manifestation by the data subject, and to my knowledge there are no additional documents or advisory boards that have commented on the opt-in / opt-out issue.

My main question here is: in practice, is opt-out then valid in Brazil? Many studies today show the importance of defaults and how sticky they are (in the sense that the average user rarely changes the default settings of an application / device). Therefore, a default that is not privacy-protective, even if it has an opt-out function (i.e. the user is free to untick the field that is already filled in), will statistically tend to remain a low-protection configuration, since the user will probably not change it.

A discussion that may seem merely grammatical at first, comparing the definitions of consent in both legislations, ends up bringing a much larger dimension that can directly affect the level of protection received by users in Brazil vs. in the EU.

These and other points of doubt in the new Brazilian law should be debated as soon as possible so that users can benefit from an online environment that is secure and guarantees the protection of their personal data.

***

If you have any contribution on the topic, do not hesitate to comment below.

See you soon!

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy
about.me/luizajarovsky


Monday, November 20, 2017

5 Reasons Why Small Businesses Should Get Ready (ASAP) to the GDPR

The GDPR (General Data Protection Regulation) will apply from May 2018 and it will bring relevant changes to the data protection legal environment - not only in the European Union (EU), but in the whole world. But what does it have to do with small businesses? Is the GDPR relevant to anyone else besides big data-collectors such as Facebook, Google etc?

And the answer is yes, it is very relevant to small businesses as well, and small business owners should familiarize themselves with it as soon as possible (ASAP), as we are only 5 months away from the applicability date. In the next paragraphs I will describe the 5 main reasons for that.

[The posts on this blog have educational purposes, they do not substitute a consultation with a lawyer. To read the GDPR, click here. All articles mentioned in the text are from the GDPR.]

1- Material Scope:

To begin with, the GDPR is applied to (article 2):

"the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system"

There is no distinction between small, medium and large businesses, as long as data collection/processing happens. The same article 2 establishes exceptional cases where the GDPR will not be applicable, but in most of commercial cases of data processing, it will be applicable.

2- Geographical Scope:

The GDPR will be applied not only to businesses located in the EU, but also in any other part of the world, provided that they collect or process data from people from the EU.

Some business owners might think that because they are small and are not based within the EU limits, the GDPR is not applicable to them. This is not true. The specifications of the territorial scope are in article 3 of the GDPR, and all small business owners should be aware of them, as they are very broad.

3- New rules:

The GDPR, when compared to the previous data protection regime in the EU (Directive 95/46/EC), adds new rules and requirements to data collection and processing, which small business owners should review together with their lawyer. Thus, even if the business owner had had contact with the Directive before, the GDPR is different and needs extra attention.

For example: informed consent. We are now used to tick boxes around the internet, accepting all and any kinds of data collection requested. Consent has gained a new dimension in the GDPR, as we can see, for example, in article 7, which sets the conditions for consent.

Article 7.1 stipulates that: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." For some small businesses, this type of "demonstration" might be easy to implement, for others not. There are many other examples of new requirements imposed by the GDPR, therefore the sooner the small business owner gets ready to it - the better.

4- Fines:

Fines are high. Article 83, for example, establishes that "non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher."

There are a few types of fines foreseen by the GDPR, and small businesses certainly do not want to incur such costs. Therefore it is better to be prepared and aware well in advance.

5- Reputation:

The GDPR is a comprehensive regime about data protection and brings the focus on this subject to a whole new level. Companies are being collectively pushed to offer higher levels of data protection and this upgraded level will soon become the default - the minimum required by individuals using those products and services. 

Small businesses that want to avoid reputational losses - in addition to the financial losses that will result from non-compliance - should get ready for the GDPR ASAP.

*

That's all for today. Do you have comments about this post? Feel free to post them below.

Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy




Monday, October 30, 2017

GDPR step-by-step - Part 2 - Personal, Pseudonymised and Anonymous Data

This is the second post in my new series about the GDPR (General Data Protection Regulation), in which I will highlight relevant aspects of this new regulation, especially for businesses.

The GDPR shall apply from May 2018, so it is very important that businesses are fully prepared for the new rules. This series is an attempt to help business owners to be aware of the new rules and the specific challenges that they might present in different information systems. These posts have educational purposes, they do not substitute a consultation with a lawyer. I hope that the content can be useful to you. All highlights and comments in yellow are mine. To read the GDPR, click here.

In this Part 2, you will find:

1- What is personal data?
2- What is pseudonymized data?
3- What is anonymous data?

[Part 1]



1- What is personal data?


As we saw last week, in Part 1 of this series, article 2 of the GDPR, which deals with the material scope of the new regulation, states that "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data (...)".


The question that we should ask then is: what is personal data?

Article 4(1) of the GDPR brings this definition (which might surprise some, as also information relating to an identifiable person is considered personal data):


"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"


It is a broad definition and also a contextual one: if, in some context, a technology could identify a person from a single cultural element, for example, then that cultural element will, in that case, be considered personal data and its processing will be subject to the GDPR.


Recital 26 of the GDPR helps us understand this concept:


"The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."


Again, it seems that the legal definition is contextual here, as in order to understand whether the data can be identified, account should be taken of "objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."
For now, it seems that, in practice, all data can be considered personal data. So what can a business owner do? Let's then go to item 2, which deals with pseudonymisation.


2- What is pseudonymised data?

The GDPR also defines what is pseudonymised data. According to article 5:


"‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"

In recital 28, the GDPR expresses the advantages of pseudonymisation:

"The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection."

When dealing with data protection by default and by design (Article 25), the GDPR states that:

"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."

It is also associated with data security, as article 32, dealing with security of processing, establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data;"

In any case, we cannot forget what we read in recital 26, which stated that "personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person" - meaning that the GDPR is applicable to pseudonymised data.
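To make the distinction concrete, here is an added Python example (not from the original post): it implements pseudonymisation in the sense of Article 4(5), with the secret key and the pseudonym table held by a separate component, and shows why the result is still personal data for whoever holds that "additional information", and why an unkeyed hash is a weaker choice when "means reasonably likely to be used" are considered. The customer records, the key and all names below are constructed for illustration.

```python
"""Pseudonymisation with the 'additional information' kept separately.

Added example, not from the original post. Records, key and names are
constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample dataset: direct identifier (email) plus other attributes.
CUSTOMERS = [
    {"email": "ana@example.com", "city": "Sao Paulo", "plan": "basic"},
    {"email": "bruno@example.com", "city": "Lisbon", "plan": "pro"},
    {"email": "Ana@example.com", "city": "Sao Paulo", "plan": "pro"},
]


class PseudonymService:
    """Separate component holding the secret key and the pseudonym table.

    Art. 4(5): the data 'can no longer be attributed to a specific data
    subject without the use of additional information' - that additional
    information is exactly what this class keeps, apart from the dataset.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # Keyed hash (HMAC-SHA256): the same subject always maps to the same
        # pseudonym, so analytics can still link records of one person,
        # but without the key nobody can recompute the mapping.
        norm = identifier.strip().lower().encode()
        pseudonym = hmac.new(self._key, norm, hashlib.sha256).hexdigest()[:16]
        self._table[pseudonym] = norm.decode()
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Re-attribution is possible for whoever holds the table, which is
        # why recital 26 treats pseudonymised data as personal data.
        return self._table.get(pseudonym)


def pseudonymise_dataset(records: List[dict], service: PseudonymService) -> List[dict]:
    """Replace the direct identifier by a pseudonym; other attributes stay."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = service.pseudonymise(copy.pop("email"))
        out.append(copy)
    return out


def unkeyed_pseudonym(identifier: str) -> str:
    """A common but weak choice: plain SHA-256 of the identifier, no secret."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def relink_from_candidates(pseudonym: str, candidates: List[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """Model the 'means reasonably likely to be used': anyone holding a list
    of plausible identifiers (a mailing list, a customer export) can re-link
    an unkeyed pseudonym just by recomputing fn over that list.
    With a keyed function this recomputation fails without the key."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    service = PseudonymService()
    dataset = pseudonymise_dataset(CUSTOMERS, service)
    print("pseudonymised:", dataset)
    print("re-identified by key holder:", service.reidentify(dataset[0]["subject"]))
    print("re-linked by outsider (keyed):",
          relink_from_candidates(dataset[0]["subject"],
                                 [r["email"] for r in CUSTOMERS], unkeyed_pseudonym))
```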

Now we go to the last type of data for our purpose - anonymous data.

3- What is anonymous data?

According to the end of recital 26, "(...) the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."

Therefore only in cases in which information is considered anonymous - according to the GDPR definition - the processing of this data will not be subject to the GDPR.

As we saw today, it is very important to understand the concepts of personal data, pseudonymised data and anonymous data, as it might influence the rules applicable to the processing of such data.


*
That's all for today. Do you have comments about this post? Feel free to post them below. 



Best,

Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy



Tuesday, October 24, 2017

GDPR step-by-step - Part 1 - Material Scope, Geographical Scope and Lawfulness of Processing

This is the first post in my new series about the GDPR (General Data Protection Regulation), in which I will highlight relevant aspects of this new regulation, especially for businesses.

The GDPR shall apply from May 2018, so it is very important that businesses are fully prepared for the new rules. This series is an attempt to help business owners to be aware of the new rules and the specific challenges that they might present in different information systems. These posts have educational purposes, they do not substitute a consultation with a lawyer.
I hope that the content can be useful to you. All highlights and comments in yellow are mine. To read the GDPR, click here.

In this Part 1, you will find:


1- The GDPR's material scope;
2- The GDPR's geographical scope;
3- Lawfulness of processing.

[Part 2]

*

1- To what type of data processing is it applicable? - material scope - article 2:

The GDPR is applicable to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." (article 2)

both automated and non-automated means

It is NOT applicable to "the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."


2- To which territories does it apply? - geographical scope - article 3:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

if the controller is in the European Union - GDPR applies


2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 


(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or


(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.


in both situations the controller is not in the European Union; nevertheless the GDPR applies


3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.



3- Lawfulness of processing - article 6:

all data processing, in order to be legal, has to correspond to one of the items below

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; 

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

item "a" will be a frequent justification for business, therefore we need to know what is consent according to the GDPR. Article 4(11) explains:

"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

indication of the data subject has to be:
- freely given
- specific
- informed
- unambiguous

it has to be delivered by
- a statement or
- a clear affirmative action

*
That's all for today. Do you have comments about this post? Feel free to post them below.

Best,


Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy

Monday, September 5, 2016

Browser Fingerprinting Study: Sign Up Today

Hi, all,

Please find below an invitation by Dr. Zinaida Benenson, from the University of Erlangen-Nuremberg, for you to participate in her browser fingerprinting study. Participation takes less than 1 minute per week and no account is needed to sign up.

If you would like to receive the next posts by email, don't forget to subscribe.


Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy

***

"My research group seeks support for an innovative browser fingerprinting study. Participation takes less than 1 minute per week, no account is needed to sign up: https://browser-fingerprint.cs.fau.de

The study is running for 6 months, here are the first statistics: https://browser-fingerprint.cs.fau.de/statistics

Your support would help all research groups over the world that do research on browser fingerprinting, as we are going to release an open data set of fingerprints at the end of 2016. Till now, everybody has to compile their own data set, and this is extremely time-consuming.

Our data set will be unique, because through our novel study design we have an unprecedented level of ground truth: We can assign each fingerprint to a particular (of course, anonymized) participant. In all other projects, recurring participants are recognized through cookies, which is very error-prone, as people delete their cookies"


Dr. Zinaida Benenson
Human Factors in Security and Privacy Group
Chair for IT Security Infrastructures
University of Erlangen-Nuremberg


The Unintended Consequences of “People You May Know”

Post Written By Mark Warner - usable privacy and security researcher. Twitter: @privacurity

Going to see a psychiatrist can be a daunting prospect for many due to the often-intimate information being disclosed. The doctor-patient confidentiality regulations are designed to provide an environment in which the patient feels comfortable to disclose and discuss very sensitive information without fear of negative consequences. While the intimate information disclosed during a session must remain confidential, so too should the attendance itself.

Last week, an article written by Kashmir Hill at Fusion.net, reported on a psychiatrist who was made aware that her patients were being recommended as potential friends to one another over Facebook. While the psychiatrist herself reported only occasional use of the social messaging platform and never shared her e-mail or phonebook contacts, the recommendation engine was able to find common factors between her patients, recommending them to one another as “people you may know”. 

Facebook states that its suggestion engine works by analysing “mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors”. The vagueness of this statement leads to the question, what are these other factors?

Could it be that her patients have “checked-in” to similar places in and around the treatment location? Could these common locations be factors that Facebook analyse to generate friend suggestions? If the patients are sharing their email and phonebook contacts, could Facebook be linking them through their common contact with the psychiatrist? If so, could this be actively exploited to identify patient details?

This example illustrates the way technology is bridging the gap between the professional space and the personal. It also acts as a warning sign for the growing use of technologies that were never designed, or intended for medical use, which are now fast becoming everyday tools within the industry. WhatsApp is a great example of this. It’s inexpensive, simple to implement, has almost no integration with hospital or clinical systems, but enables real time, media rich communication between medical staff, and even patients.

The rapid adoption of these technologies into and on the boundaries of the medical industry could have huge benefits, but unintended consequences may result in significant personal and societal costs. How these technological changes are managed to allow society to benefit while maintaining fundamental values that protect the individual's right to privacy is at the forefront of the Privacy & Us project. These types of questions will be the focus of our multidisciplinary research over the next three years, so watch this space.
