1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection
As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.
Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.
For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.
Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.
That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.
2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection
The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.
This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.
In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.
In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.
In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.
This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.
Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.
For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.
In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.
This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.
However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.
The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.
Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.
Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.
There is a bill presented to the Paraguayan Parliament in 2019.
In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.
The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.
The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.
In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.
3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection
After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.
Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.
Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.
Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.
However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.
Background of the case
The young Austrian Maximiliano Schrems – law student and resident in Ireland – made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook, for transfer of their data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.
In his claim, Schrems – based on the facts and evidence provided by Edward Snowden through which, the former agent revealed how the United States operated in global surveillance-, alleged that said country did not offer adequate protection to the personal data that received from users in the countries that are members of the EU, and did not even contain a process for the selection and treatment of these data, but rather took them in large quantities and thus processed them, using them for purposes other than those that truly informed the users of the social network –in their eagerness to fight terrorism-.
This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ proposal, based on Decision 2000/520 / EC, of July 26, 2000S, considering that The United States complied with an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland – the High Court -, which finally held that the United States made excessive interference with the personal data that was transferred to its territory.
The decision of the CJEU. Schrems´ I judgment.
The High Court asked the European Court to issue a preliminary ruling regarding the issue of whether said decision -2000/520/EC- is valid and whether it makes it impossible – or not – for the national authorities of the countries of the European Union to carry out a correct control regarding the personal data that is transferred from an European country – in this case, Ireland – to a third state. Finally, the European Court ruled that, although the EC decision 2000/520 prescribes that the United States has an adequate level of protection, the truth is that also the national organizations responsible for ensuring the protection of the data of its inhabitants, they are empowered to carry out this control, although the invalidity of a Decision – in this case, the one adopted by the European Commission – can only be declared by the CJEU.
Finally, the European Court, in order to rule as it did –declaring the invalidation of the EC decision-, taking into account, not what was established by the Commission’s Decision, but, in factual terms, whether the privacy of the data owners was protected when transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to that of the EU; more than anything, that this third country provides an adequate protection framework for the data of the holders.
For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:
1) That there was an interference with the right to privacy;
2) Declared that said interference meant a violation of the essential content of the right to privacy.
Due to the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission regarding what is known as “safe harbor”, regarding the transfer of data to the United States, it was adopted within this framework, the so-called decision 1250/2016, better known as “Privacy Shield”.
The purpose of this decision is summarized as follows:
– Acknowledges that the EU-EE Privacy Shield comprised of the privacy principles applicable to certified United States organizations (companies) and related commitments made by the Department of Commerce and other United States authorities, it provides an adequate level of protection for personal data transferred from the EU to these organizations.
– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.
– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.
– It also guarantees legal certainty for companies that rely on your application to transfer personal data from the EU to US organizations certified by the Privacy Shield.
Precisely this decision is the one that was declared invalid in the judgment of the Schrems II Case, issued by the CJEU on 07/16/2020, which will be subsequently commented.
By Ivan Blomqvist.
ePrivacy Regulation (ePR)
The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”, known also as the ePrivacy Regulation (ePR), is a proposed legal act of the European Union, enforceable as law in all member states, that intends to focus on a more expansive regulation of electronic communications by outlining data security laws and reinforcing rules regarding the electronic transfer of data.
Noncompliance of ePrivacy Regulation could mean penalties of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
ePrivacy Regulation objectives
The ePrivacy Regulation plans to account for the new players providing electronic communications services like WhatsApp and Skype, while benefiting from one single set of rules across all of the European Union.
It also looks to simplify the provision of cookies by utilizing rules that are friendlier to users and to prohibit unsolicited electronic communications, commonly referred to as spam, such as emails, text messages and automated calls. Additionally, the ePR seeks to repeal the Privacy and Electronic Communications Directive (Directive 2002/58/EC), also referred to as the ePrivacy Directive (ePD), while also overriding the General Data Protection Regulation (GDPR) on specific matters (lex specialis).
Since its inception in 2017, the ePR has been the subject of many discussions in the Council of the European Union. But, despite its progress, common ground could not be found on the some matters like the protection of terminal equipment information, the processing of electronic communications data by third parties, and the cooperation among data protection and telecommunications regulatory authorities.
In 2020, the current Presidency of the Council of the European Union released a newly revised draft of the ePrivacy Regulation in which it focuses on metadata and what can be considered as “legitimate interests” to process it and to also place cookies on end-users’ devices.
In March 2020, the current presidency invited all delegations to provide their final comments on the proposed draft, so that negotiations with the European Parliament can begin as soon as possible. Should the ePR be finally approved, it will finalize the European Union’s framework regarding the protection of data and the confidentiality of electronic communications.
By Maria Sol Porro, Trademarks Lawyer, and University Professor
Our photos in the “cloud”
The new filter that allows users to age their faces has caused FaceApp to be in the number one of downloads, on the one hand, and in the eye of the storm, on the other. The alarm has jumped when it has been discovered that the app does not notify at any time that the photos are processed in the “cloud”. When a photo is uploaded so that the faces appear older, younger or of another sex, the application sends it to a server that processes the file and returns it to us with the desired retouching, giving access to said data to all the signatures of the group Russian ¨Wireless Lab¨, the owner of FaceApp, as well as those unknown companies that become “affiliates.”
FaceApp, available on iOS and Android, explains that it does not rent or sell the information of its users to third parties outside of FaceApp (or the group of companies that FaceApp is a part of) without their consent, but in turn expose that they can share the User information without explicit consent with third-party organizations that help them provide the service. Again, the famous application would not be fully complying with the requirements in force in the General Data Protection Regulation in the case of the EU.
Are we the customer or are we the product that is sold?
In this context, FaceApp recognizes that they are working to improve the quality of this service, in its latest press release. However, it has not updated its conditions of use since 2017, forcing the user to have to look for them within the website. This means that almost nobody stops to consult what information is going to be shared with the application and what is the use that will be made of it. Faced with this reality, the aforementioned debate makes us wonder: if a service is free on the internet, are we the customer or are we the product that is sold?
Source: www.abc.esRead More
Fines for Infringement of the Data Protection Law
The National Authority for the Protection of Personal Data (ANPDP), which belongs to the Ministry of Justice, imposed fines for a total of $ USD 232,271.– to public and private institutions for infringement of the personal data protection law.
According to the Peruvian law which governs this matter (Law No. 29733 of Protection of Personal Data of Peru), the processing of personal data requires, as a general rule, obtaining the free, prior, informed, express and unambiguous consent of its owner, except as provided in the law. Likewise, security measures must be implemented to protect the collected personal data, such as documenting security protocols for access and privilege management, as well as periodically reviewing the aforementioned privileges, among others.
Case: Fine for infringement of the Data Protection
Example of this new policy followed by the National Data Protection Authority was one of the last sanctions imposed on ¨Supermercados Peruanos S.A.¨, which had collected personal data without the authorization of its clients. Likewise, security measures were not implemented and the Authority was not notified of the transfer of data outside the Peruvian territory.
Also, during 2018, the ANPDP also prepared 105 final reports of instruction, made 283 visits to public and private institutions on personal data, and issued 3.278 resolutions on the National Registry of Personal Data Protection. In this sense and in order to inform the data managers, conducted the training of more than 1.700 people in various events and 689 queries on standard interpretation of data protection legislation, as well as made the first Report on Supervision of Transparency Portals Standard of public entities.
In this way, it is important to highlight that these new measures clearly demonstrate that the APDP is fully committed to the actions necessary to guarantee the right to the protection of personal data in Peru, in relation to the new measures taken by several Latin American countries and The EU.
Source: https://gestion.pe/economia/Read More