
ABNT Security Certification Diverges from the European Authority’s Position on Privacy and Data Protection

A TV commercial recently broadcast to promote a vehicle hire application informed viewers that it was the first and only company in the sector security certified by the Brazilian Association of Technical Standards (ABNT).

According to the ABNT itself, the auditing and certification process takes three (3) months.  It involves evaluating the potential risk of using app technology and mapping strategies to safeguard drivers’ and passengers’ security.  According to the ABNT, audits have already been conducted on twenty-two (22) application platform protection frameworks.

Other aspects evaluated included using artificial intelligence to predict crimes, areas of risk, classroom and online courses, registration of drivers, and specialized assistance for emergencies, which are all undoubtedly important means to improve security conditions.

Although the article published on ABNT’s website does not document it, the TV commercial reported that the company promoting the rideshare application had implemented measures to improve security, citing as an example the installation of cameras and audio recording mechanisms.

And therein lies the controversy: the Deputy Data Protection Ombudsman, Finland’s personal data regulator, issued a decision in Helsinki on May 29, 2020, against a taxi company – Taksi Helsinki – imposing a fine of € 72,000.00 for non-compliance with the general principles of data processing provided for in the European data protection law (GDPR).

According to the Finnish authority, the company did not assess the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video into its taxis. It did not conduct data protection impact assessments regarding its processing activities, including security camera surveillance, geolocation data processing, automated decision-making, and profiling as part of its loyalty program. Also, the processing of audio data was deemed not to comply with the GDPR principle of data minimization.

Although the Finnish authority’s decision is based on the GDPR, it is important to note that the relevant Brazilian law – the General Data Protection Law (LGPD) – is very similar to the European law in this respect. Also, the Brazilian authority – the National Data Protection Authority (ANPD), already regulated but not yet active – may, in the near future, adopt a point of view similar to that of the Finnish authority.

Therefore, there are two (2) reflections to be made in the present case:

  1. Neither the ABNT nor the transport application company has clarified whether they adequately assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in their taxis, from the perspective of privacy and data protection of the subjects involved. Nor is it clear whether data protection impact assessments of their processing activities were carried out, including, among other elements, security camera surveillance.
  2. The processing of audio data did not comply with the GDPR principle of data minimization in the Finnish case. Here in Brazil, that principle is equivalent to the principle of necessity. This reflection concerns the extent to which the transport application company needs and has the right to record conversations among passengers. The question applies not only to conversations between passengers and the driver, but even to recordings involving an aggressor that are made for security reasons.

As soon as it is fully operational, the ANPD may rule on a similar situation.