The Federal Court of the Argentine province of Córdoba, on December 29, 2020, in the file FCB 88747/2018/1 / CA1, issued a judgment, from which it confirmed the decision of the 1st Instance Judge who declared that the IP address is not personal data.
The official defense of the accused filed an appeal in order to revoke the judicial decision of the federal judge of 1 ° instance that rejected the proposal for nullity against the measure carried out by the Prosecutor, from which she requested reports to different agencies -among them the Federal Administration of Public Revenues and companies that provide internet services-, which involved the use of the defendant’s IP address, from which information was extracted, regarding changes of addresses, issuance of invoices-making state date of issue, name of the purchaser, type of invoice, voucher number, point of sale and IP address- and economic activities that involved it, as well as its full name and address.
The reports, as recorded in the case and was the basis for the appeal, were requested without a prior court order.
The Official Defender relied on art. 18 of the Argentine Constitution -which protects private correspondence- and the laws No. 25,326 of Protection of Personal Data and No. 25,520 of National Intelligence, to found that the IP is personal data and that its violation is comparable to the interception of telephone communications.
The prosecutor, for her part, requested the rejection of the nullity claim filed by the defense, broadening her position that: 1) the information requested is exempt from fiscal secrecy; 2) that the Public Prosecutor’s Office, based on said exception, has the faculties to request it directly from the AFIP – Argentinean Taxes Bureau-, as long as the prosecutor herself directs the investigation; 3) and that the IP address is simply an interface that allows, among other issues, to establish who is the internet service provider company, not being able to expressly know the user’s activities.
The judge of first instance rejected the proposal of nullity of the accused’s defense, arguing that in no way is equivalent to the act of telephone interception, the request for ownership of the IP to internet service providers, basing its criteria on judicial precedents and legal interpretations, especially of the personal data protection law, art. 5, part 2, sections b and c, outlining that certain data even have less protection than others.
Finally, the Court confirmed the rejection of the nullity claim based on the following arguments: 1) that the appealed resolution was issued in accordance with the law and properly founded; 2) That the judge a quo made a correct interpretation of why the request for ownership of the IP is not comparable to telephone interception; 3) That the prosecutor did not exceed the functions that the procedural law grants her when requesting information on the ownership of the IP; 4) That the Court takes the arguments provided by the Prosecutor’s Office by accepting that the IP address does not allow access to personal data or correspondence of its owner, so it is not comparable to telephone interception; 5) That the personal data protection law on does not apply to the case and that the rights that it protects are not absolute when there are exceptions to the general principle of the obligation to obtain the consent of the owner (art. 5 °, 2nd part, subsections b and c); 5) That the data collected is nominative and does not affect the privacy of the owner; 6) That, finally, judicial authorization is not required to carry out the evidentiary diligence carried out by the Prosecutor’s Office since the privacy of the holder is not being violated.
In view of the worldwide aspect that Protection of Personal Data has acquired, and its category of Human Right in many laws around the world, it is necessary to have an adequate protection framework, which is not only limited to the laws that regulate its treatment and safeguarding, but also must extend to the relationships that are managed between the data controllers, data processors, third companies and the owners of said data.
From the incursion of personal data in all possible areas of interaction, the Law is not foreign at all, much less in the contractual field, as one more link in the chain of measures aimed at providing all current or current information accumulation, potentially related to a specific or determinable natural person. Therefore, it is unavoidable to make a list of the contracts that are used in this type of situation both in the field of cyberspace and in the relationships that are developed between the owner of the data with the person in charge of treatment, and of the latter with the data processor.
It could be taken into consideration that the privacy policies that abound in the websites have a contractual legal nature, with a predisposed content and the possibility for the user to select the browsing preferences to determine what data is available to share or allow them to be collected and which ones not.
- What information will be collected (names, emails, phone numbers, etc.).
- How the information will be used (for statistics, to improve the shopping or browsing experience, promotions, Email Marketing, etc.).
- What will be done with the collected data.
- The possibility of modifying the policy in the future.
- Contract form (for modifications, updates, or cancellations).
- Cookies policy.
- It offers relevant information about the way in which the data is protected.
b) Terms and conditions
It is an unnamed, on-line, electronic contract for adhesion to pre-arranged clauses.
Terms and conditions are established between the user of a certain website and the owner of said site and is mainly intended to inform the user of issues related to the content of the page and the services offered through it, as well as information appropriate to the user about what is done with the collection and processing of their personal data, and the type of data that is transferred to the person in charge through the site.
Also, within the terms and conditions are established the duties and responsibilities of the user and the correct use of the site, intellectual property issues, legal framework, among others.
Privacy policies can be found separately from the terms and conditions, or in a single identified body.
C) Data outsourcing
The outsourcing contract, in general terms, is mainly intended to delegate to a company, or a specialized natural person, a portion of the business process that is the responsibility of another company, which the latter considers that it is more suited to carry out that portion of the process involved. It is the outsourcing of activities.
With regard to the field of data in general and personal data in particular, a company that develops an activity in the process of which requires or feeds on said data hires another for the management and processing of personal data. The owner of the database is the data controller and the data processor is the third party that provides the outsourcing service.
Points to consider in the data outsourcing contract
- The data controller should include in the contract a clause by which it obliges the data processor, to fulfill and respect the purpose for which the database or registry was created, not being able to carry out acts tending to undermine said purpose, taking reservation of the data obtained and applying a treatment that serves said purposes.
- As the data processor is acting on behalf and order of the owner of the database, it is necessary that he respects the instructions given by the latter, having to abide by them and the framework of the contract and its purpose and also the contract and –if applicable- criminal law that govern the matter. Especially for the responsibility that entails the person responsible for the data, the election of the person in charge of personal data processing, and the development of the work of this one in front of third parties.
- The person in charge of the processing of personal data has to abstain from transferring the data that is subject to treatment to third parties. Data Processor does not have the authorization to obtain from the owner the consent to carry out the assignment -as he is not the owner or person in charge of the database.
- Once the objective or the purpose for which the data were collected and processed has been fulfilled, Data Processor must return all that information to the Data Controller, not being able to store or keep the data in their possession, unless there are subsequent situations expressly established, which determine the maintenance of these data in the possession of the data processor.
- There must be a duty of confidentiality on the part of the person in charge of the treatment, which consists primarily of not disclosing or using for purposes contrary to the contract, the law, public order or the rights of the owners and third parties, the personal data whose treatment was entrusted. Even this duty must be maintained after the ending of the contractual relationship between both parties.
- Both Data Processor and Controller have a security duty regarding not only the treatment of the data in general but also regarding the fact that databases where these data are stored, comply with, or have a level of security appropriate to the protection of the information stored there.
d) Transfer of data
The transfer of personal data is a contract that is established between Data Controller and third parties or companies. It inevitably requires the consent of the owner of the personal data and the cause of the transfer must be explained, which must be related to the legitimate and legal activity carried out by the person responsible for the database, file, registry, or archive or be related to the activity of the assignee.
The object of the data transfer contract must be circumscribed to those data contained in the databases, registers, files, and which are those collected by the person responsible for the treatment.
At Moeller IP Advisors we have a specialized worldwide work team with the ability to advise on drafting contracts and certain clauses that involve personal data, both in corporate and digital environments. Contact us!Read More
1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection
As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.
Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.
For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.
Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.
That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.
2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection
The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.
This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.
In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.
In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.
In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.
This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.
Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.
For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.
In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.
This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.
However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.
The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.
Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.
Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.
There is a bill presented to the Paraguayan Parliament in 2019.
In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.
The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.
The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.
In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.
3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection
After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.
Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.
Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.
Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.
However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.
Background of the case
The young Austrian Maximiliano Schrems – law student and resident in Ireland – made a complaint in 2011 to the Irish Commissioner for Data Protection against the social network Facebook, for transfer of their data from the servers of Facebook in Ireland to the servers of Facebook Inc. located in the United States for further processing.
In his claim, Schrems – based on the facts and evidence provided by Edward Snowden through which, the former agent revealed how the United States operated in global surveillance-, alleged that said country did not offer adequate protection to the personal data that received from users in the countries that are members of the EU, and did not even contain a process for the selection and treatment of these data, but rather took them in large quantities and thus processed them, using them for purposes other than those that truly informed the users of the social network –in their eagerness to fight terrorism-.
This motivated Schrems to request a ban on his data being transferred to the servers of Facebook Inc. The Irish body rejected Schrems’ proposal, based on Decision 2000/520 / EC, of July 26, 2000S, considering that The United States complied with an adequate level of protection. However, Schrems appealed this decision to the highest court in Ireland – the High Court -, which finally held that the United States made excessive interference with the personal data that was transferred to its territory.
The decision of the CJEU. Schrems´ I judgment.
The High Court asked the European Court to issue a preliminary ruling regarding the issue of whether said decision -2000/520/EC- is valid and whether it makes it impossible – or not – for the national authorities of the countries of the European Union to carry out a correct control regarding the personal data that is transferred from an European country – in this case, Ireland – to a third state. Finally, the European Court ruled that, although the EC decision 2000/520 prescribes that the United States has an adequate level of protection, the truth is that also the national organizations responsible for ensuring the protection of the data of its inhabitants, they are empowered to carry out this control, although the invalidity of a Decision – in this case, the one adopted by the European Commission – can only be declared by the CJEU.
Finally, the European Court, in order to rule as it did –declaring the invalidation of the EC decision-, taking into account, not what was established by the Commission’s Decision, but, in factual terms, whether the privacy of the data owners was protected when transferred to the United States. In other words, when making such an assessment, the third country is not required to have a regulatory framework and a level of protection identical to that of the EU; more than anything, that this third country provides an adequate protection framework for the data of the holders.
For all these reasons, it declared Decision 520/2000 invalid based on the following arguments:
1) That there was an interference with the right to privacy;
2) Declared that said interference meant a violation of the essential content of the right to privacy.
Due to the judgment issued by the CJEU that invalidated decision 520/2000 of the European Commission regarding what is known as “safe harbor”, regarding the transfer of data to the United States, it was adopted within this framework, the so-called decision 1250/2016, better known as “Privacy Shield”.
The purpose of this decision is summarized as follows:
– Acknowledges that the EU-EE Privacy Shield comprised of the privacy principles applicable to certified United States organizations (companies) and related commitments made by the Department of Commerce and other United States authorities, it provides an adequate level of protection for personal data transferred from the EU to these organizations.
– This means that personal data can be freely transferred to organizations in the United States included in the “Privacy Shield List”, which is prepared and published by the United States Department of Commerce.
– The application of the Privacy Shield guarantees the right to respect for privacy and the right to the protection of personal data of all persons in the EU whose personal data is transferred through the Privacy Shield.
– It also guarantees legal certainty for companies that rely on your application to transfer personal data from the EU to US organizations certified by the Privacy Shield.
Precisely this decision is the one that was declared invalid in the judgment of the Schrems II Case, issued by the CJEU on 07/16/2020, which will be subsequently commented.
By Ivan Blomqvist.
ePrivacy Regulation (ePR)
The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”, known also as the ePrivacy Regulation (ePR), is a proposed legal act of the European Union, enforceable as law in all member states, that intends to focus on a more expansive regulation of electronic communications by outlining data security laws and reinforcing rules regarding the electronic transfer of data.
Noncompliance of ePrivacy Regulation could mean penalties of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
ePrivacy Regulation objectives
The ePrivacy Regulation plans to account for the new players providing electronic communications services like WhatsApp and Skype, while benefiting from one single set of rules across all of the European Union.
It also looks to simplify the provision of cookies by utilizing rules that are friendlier to users and to prohibit unsolicited electronic communications, commonly referred to as spam, such as emails, text messages and automated calls. Additionally, the ePR seeks to repeal the Privacy and Electronic Communications Directive (Directive 2002/58/EC), also referred to as the ePrivacy Directive (ePD), while also overriding the General Data Protection Regulation (GDPR) on specific matters (lex specialis).
Since its inception in 2017, the ePR has been the subject of many discussions in the Council of the European Union. But, despite its progress, common ground could not be found on the some matters like the protection of terminal equipment information, the processing of electronic communications data by third parties, and the cooperation among data protection and telecommunications regulatory authorities.
In 2020, the current Presidency of the Council of the European Union released a newly revised draft of the ePrivacy Regulation in which it focuses on metadata and what can be considered as “legitimate interests” to process it and to also place cookies on end-users’ devices.
In March 2020, the current presidency invited all delegations to provide their final comments on the proposed draft, so that negotiations with the European Parliament can begin as soon as possible. Should the ePR be finally approved, it will finalize the European Union’s framework regarding the protection of data and the confidentiality of electronic communications.
By Maria Sol Porro, Trademarks Lawyer, and University Professor
Our photos in the “cloud”
The new filter that allows users to age their faces has caused FaceApp to be in the number one of downloads, on the one hand, and in the eye of the storm, on the other. The alarm has jumped when it has been discovered that the app does not notify at any time that the photos are processed in the “cloud”. When a photo is uploaded so that the faces appear older, younger or of another sex, the application sends it to a server that processes the file and returns it to us with the desired retouching, giving access to said data to all the signatures of the group Russian ¨Wireless Lab¨, the owner of FaceApp, as well as those unknown companies that become “affiliates.”
FaceApp, available on iOS and Android, explains that it does not rent or sell the information of its users to third parties outside of FaceApp (or the group of companies that FaceApp is a part of) without their consent, but in turn expose that they can share the User information without explicit consent with third-party organizations that help them provide the service. Again, the famous application would not be fully complying with the requirements in force in the General Data Protection Regulation in the case of the EU.
Are we the customer or are we the product that is sold?
In this context, FaceApp recognizes that they are working to improve the quality of this service, in its latest press release. However, it has not updated its conditions of use since 2017, forcing the user to have to look for them within the website. This means that almost nobody stops to consult what information is going to be shared with the application and what is the use that will be made of it. Faced with this reality, the aforementioned debate makes us wonder: if a service is free on the internet, are we the customer or are we the product that is sold?
Source: www.abc.esRead More
Fines for Infringement of the Data Protection Law
The National Authority for the Protection of Personal Data (ANPDP), which belongs to the Ministry of Justice, imposed fines for a total of $ USD 232,271.– to public and private institutions for infringement of the personal data protection law.
According to the Peruvian law which governs this matter (Law No. 29733 of Protection of Personal Data of Peru), the processing of personal data requires, as a general rule, obtaining the free, prior, informed, express and unambiguous consent of its owner, except as provided in the law. Likewise, security measures must be implemented to protect the collected personal data, such as documenting security protocols for access and privilege management, as well as periodically reviewing the aforementioned privileges, among others.
Case: Fine for infringement of the Data Protection
Example of this new policy followed by the National Data Protection Authority was one of the last sanctions imposed on ¨Supermercados Peruanos S.A.¨, which had collected personal data without the authorization of its clients. Likewise, security measures were not implemented and the Authority was not notified of the transfer of data outside the Peruvian territory.
Also, during 2018, the ANPDP also prepared 105 final reports of instruction, made 283 visits to public and private institutions on personal data, and issued 3.278 resolutions on the National Registry of Personal Data Protection. In this sense and in order to inform the data managers, conducted the training of more than 1.700 people in various events and 689 queries on standard interpretation of data protection legislation, as well as made the first Report on Supervision of Transparency Portals Standard of public entities.
In this way, it is important to highlight that these new measures clearly demonstrate that the APDP is fully committed to the actions necessary to guarantee the right to the protection of personal data in Peru, in relation to the new measures taken by several Latin American countries and The EU.
Source: https://gestion.pe/economia/Read More