As seen, 2018 was marked by the continuous
operation of the Public Attorneys’ Office of the Federal District and
Territories (MPDFT), which created the Personal Data Protection Committee, now the
Artificial Intelligence and Data Protection Unit – ESPEC, the first national
initiative solely dedicated to the protection of personal data and privacy of
Brazilian nationals. The committee acted systematically on several cases
involving breaches and improper use of personal data.
One of the first cases involves the breach of data
held by Netshoes, an e-commerce company. At that point in time, 2 million
customers were affected by the breach of
data including names, tax ID number, CPF, e-mail, date of birth, purchase code
and purchase price. The breach made public data that identified not only
each user but also their individual profile as a consumer.
Although there is currently no
legal provision establishing an obligation to report data breaches to affected
users and to the general public (in particular due to the grace period
determined by the LGPD), the Public Attorneys’ Office, on the grounds of legal
principles and taking into account the severity of the incident and the risks
deriving from the exposure of personal data, advised, through the Personal Data
Protection Committee, that the e-commerce company Netshoes should:
· notify customers affected by the security incident by means of a letter, with return
receipt (AR) or a telephone call, informing which personal data is involved in
the incident (failure to do so would result in a public civil action for moral
and material damages caused to consumers[1]);
· refrain from making any kind of payment to the alleged perpetrator of the security
incident, subject to characterizing procedural fraud[2].
The Committee also investigated the breach of
data held by Uber, which affected 57 million accounts of the company’s drivers and
customers around the world, including data of 156 thousand Brazilian users,
such as name, telephone number and e-mail. The Committee, through a document
submitted to the General Manager of Uber in Brazil, asked the company about
the data pertaining to Brazilian drivers and customers affected by the incident.
After the Committee’s inquiry, Uber decided to notify the affected customers
and to inform them about the incident.
With regard to the breach of data held by Banco
Inter, the Committee filed a Public Civil Action (ACP) against the financial
institution requesting the court to order the bank to pay compensation for
moral damages in the amount of R$ 10 million for failure to take the necessary
precautions to ensure the security of personal data of customers and non-customers
of the institution.
According to the ACP, Banco Inter reported a
security incident in which personal data of customers and vendors were breached.
The Committee received from the Central Bank of Brazil the customers’ data that was
breached, including bank, tax ID, account number and full name of the
titleholder of the account, individual or legal entity. Approximately 13,000 accounts/customers
had their banking information compromised and the data was being sold on the Deep Web.
On December 18, 2018, the court approved a
settlement between the MPDFT and Banco Inter. The settlement establishes
payment of R$ 1 million to government entities that fight cyber crimes and of R$
500 thousand to charities.
In addition to the cases mentioned above, the Committee is also investigating the following security incidents and improper use of personal data:
(check at the top of the page)