Protection of personal data is an issue that has gained relevance in the last year in all parts of the world. An example of this phenomenon is the implementation of the General Regulation of Personal Data (GDPR) in the European Union in 2018 or the new laws, modifications to the current ones or judicial decisions on the matter, that Latin American countries began to implement to be in accordance with the community regulations.
In this respect, in a recent judicial ruling, the Supreme Court of Justice of the Nation of Mexico (SCJN) analyzed the pertinent period to keep personal data within the Law for the Protection of Personal Data in Possession of Obligated Subjects of the State of Guerrero and determined the invalidity of a portion of the regulations since it established generic terms for the preservation of personal data.
In this sense, the Court understood that this generic term was in violation of the right to the protection of these data, since the treatment of them requires individualization in each specific case, so to decide what deadlines to apply should be attended to the applicable provisions in the matter in question.
As a result of the aforementioned resolution, the Supreme Court ordered the Institute of Transparency, Access to Information and Protection of Personal Data of the state of Guerrero to issue, within 90 days, the guidelines to which the general law of the corresponding subject refers. Finally, it is important to note that this decision was applied to other states such as Jalisco, Michoacán and Sinaloa, in which the Institute of Transparency, Public Information and Protection of Personal Data was notified to adapt its regulations to this criterion, since it was improperly extended the term to one year, in the local law.
Source: www.elpuntocritico.comRead More
On May 25, 2018 the European Union, after its approval in Parliament and its European Council, came into force the General Data Protection Regulation (GDPR), in order to unify the regulations of all the Member States on the matter. Faced with this new regulation, which affects both, citizens and European companies, the complex exit of the United Kingdom from the Union, for which a new date has been set for October 31st* of this year, is one of the biggest concerns for the community companies that operate in the Anglo-Saxon country.
Faced with this situation, different hypotheses are presented taking into account whether the English House of Commons decides to leave the EU with an agreement, also known as the “Soft Brexit”, or without agreement, giving way to a Hard Brexit”.
In the event that the exit situation happens within an agreement, or the so-called “Soft Brexit”, the GDPR will continue to be applicable during the transition period set by the aforementioned agreement, creating a period of transposition of laws as a result. From that date, the United Kingdom would have until December 31st, 2021 to sign new treaties with the European Union, including those related to data protection.
On the other hand, if no exit agreement is reached, it would lead to what is known as “Hard Brexit”, whereby the UK’s relationship with the EU would be similar to that maintain with the United States, where “safe harbor” agreements are required as well as the compliance with another series of requirements to allow the acquisition and handling of data of European citizens and companies. In other words, a legal vacuum would be created for all European companies that currently operate with data in the United Kingdom for a period of time, until the signing of new agreements on the subject.
Therefore, taking into account the present scenario and the continuous postponement of the famous Brexit, during the current year, it is certain that the departure of the United Kingdom from the EU will not be calm and peaceful, affecting different aspects of the community system, such as the protection and control in the exchange of data. Thus, the most advisable for companies that handle European data is to comply with both the GDPR and the previous regulations, the Organic Law of Protection of Personal Data (LOPD), to avoid any type of conflict during this transition.
* After the postponement of Brexit for 04/12/2019, the departure from Great Britain is delayed until 10/31/19, in order to offer six months extra time to reach an agreement that allows an orderly departure.
Source: www.zonamovilidad.esRead More
Artificial Intelligence and GDPR
The interaction of Personal Data Protection and Artificial Intelligence (AI) becomes particularly interesting when issues arise from the use of personal data with AI.
General Data Protection Regulation (GDPR)
The new General Data Protection Regulation (GDPR) of the European Union (EU), which entered into force on 25 May 2018, aims to give control to citizens of and residents in the EU over their personal data.
Regarding Artificial Intelligence, in particular, GDPR aims to create transparency rights and safeguards against automated decision-making, meaning decisions that are made by machines when personal data is used.
In essence, GDPR states that:
- When companies collect personal data, they have to say what it will be used for, and not use it for anything else.
- Companies are supposed to minimize the amount of personal data they collect and keep, limiting it to what is strictly necessary for those purposes stated. They also are supposed to put limits on how long they hold that data, too.
In short, companies must tell people what data they hold on them, and what’s being done with it.
- Companies should be able to alter or get rid of people’s personal data if requested.
- If personal data is used to make automated decisions about people in an AI system, companies must be able to explain the logic underpinning the algorithm used for the decision-making process, i.e., the general functionality of the automated system.
In particular, Article 22 of the GDPR grants individuals the right to contest a completely automated decision if it has legal or other significant effects on them.Read More