Is there potential for excessive rigor in data protection?

The General Data Protection Law (LGPD), created in 2018, finally came into force in Brazil in 2020. The National Data Protection Agency (ANPD) was structured accordingly to begin managing and controlling the effective protection of personal data. However, to date, the ANPD has not yet started to standardize obscure aspects of the law and address gaps that need regulation.

Meanwhile, in Europe, the bodies that manage and enforce the European General Data Protection Regulation (European GDPR) have shown that they are attentive to abuses committed not only by companies and associations but also by the public bodies that oversee personal data processes. Some countries are much more rigorous than others, whether in the number of penalties or in their value.

However, arguably, some of these decisions display excessive rigor, as the following examples illustrate.

Let us start with a very recent case, dated January 8, 2021, in which the Data Protection Authority of Niedersachsen in Germany imposed a EUR 10.4 million fine on electronics retailer Notebooksbilliger.de. This fine was levied because the company had monitored its employees with surveillance cameras for at least two (2) years, allegedly without legal basis. Although the company argued that it used the cameras to prevent theft, investigate criminal acts and track the movement of goods, the German data authority held that the company should employ “softer” means of control and that using video surveillance to detect criminal acts would only be possible if there was reasonable suspicion against specific people, who could then be monitored for a limited period. In the authority’s view, therefore, video recording must be restricted to particular people and to a limited time only.

However, the German data authority’s position does not seem reasonable, because, regardless of the country, the absence of controls encourages theft, all the more so when dealing with small, high-value goods. Therefore, it seems quite reasonable for the company to have a legitimate interest in establishing such security measures, without this constituting an abuse in the processing of its employees’ personal data.

Another example that deserves consideration is from October 30, 2020, when the Information Commissioner’s Office (ICO) in the United Kingdom fined the Marriott International Inc. hotel chain over a cyber incident of which it had been promptly notified (in November 2018) by Marriott itself. Approximately 339 million guest records worldwide are believed to have been exposed by the incident, of which about 30 million belonged to residents of 31 European Economic Area (EEA) countries. The compromise is believed to have begun when the Starwood hotel group’s systems were breached in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO concluded that Marriott’s due diligence in the acquisition of Starwood had not been sufficient to uncover the problem and therefore imposed a fine of £18.4 million (approximately EUR 20.4 million).

In this case, the issue is the size of the penalty, given how Marriott handled the problem: it promptly notified the ICO and cooperated fully throughout the investigation, as the English data authority itself admitted. Three other facts must also be considered. The first is that Marriott did not fail to perform due diligence when acquiring Starwood, even though that due diligence did not detect the breach in data security; the second is that no sensitive personal data was involved; and the third is that, until then, no damage to any of the data subjects concerned had been identified. The determination of the penalty must undoubtedly take into account the alleged violator’s self-reporting and full collaboration, in order to encourage transparency in similar situations; otherwise, it will promote silence and omission.

The third case is from August 8, 2020, when the French Commission Nationale de l’Informatique et des Libertés (CNIL) fined the online retailer Spartoo EUR 250 thousand for keeping full recordings of all telephone conversations (including personal data such as addresses and bank and order details) and, in addition, for allegedly storing bank data without encryption, which would constitute a violation of the principle of data minimization and a failure of security measures, respectively.

Although Spartoo’s data security procedures deserve extra attention, and more effective control by CNIL, there was no harm to any data subject. In addition, CNIL’s position regarding the storage of telephone calls seems excessive since, for a company that operates online, recordings are effectively its only means of proof to rebut any contrary claim made by a consumer.

In any case, in Brazil, considering the other laws that would directly bear on the issues above, such as the Civil Code and the Consumer Protection Code, the ANPD is expected to be prudent, reasonable and fair both in preventing violations and in applying penalties.