By Ricardo Barretto, Juliana Ikeda, Lorena Pretti, Vitor Koketu and Isabella Aragão
The Public Prosecution Service of the Federal District and Territories (MPDFT), through the Special Unit for Protection of Personal Data and Artificial Intelligence (ESPEC), innovated by requesting from Telefônica Brasil SA (Vivo), on April 16, 2019, the preparation of a Data Protection Impact Assessment (DPIA) within 60 (sixty) days. The request referred to the processing of data collected for the use of the product “Geolocalized Media” of the Vivo Ads service, a platform used by the company to track the geolocation of its users. To this end, the processor must state how its customer data management processes worked and what the companys strategy would be to mitigate risks related to the protection of consumer information.
Among the topics that the DPIA must present were: i) how the organization would describe the data processing performed, pointing out its nature, scope and context (specifying internal and external factors that might affect expectations or impact) and what the organization planned to do with the personal information it obtained; ii) how the organization would assess the need and proportionality of data processing; iii) how the organization would identify and classify the risks that its processing could cause, whether physical, emotional or material, through an objective assessment that analysed their probability and severity; iv) how the organization would identify and mitigate risks; (v) a conclusion of the DPIA stating which additional measures the processor would intend to take if each risk were eliminated, reduced or accepted and what would be the overall level of residual risk after additional measures were taken; and vi) the signatures of those responsible for preparing the DPIA.
After expiration of the period in question, in view of Telefônicas (Vivo) abstention from filing the document, MPDFT filed a Public Civil Action, requesting urgent relief, against the telephone company, intending to sentence Telefônica (Vivo) to permanently suspend the availability and sale of the “Geolocalized Media” product of the Vivo Ads service, which uses qualified data and precise segmentation of the companys customers (such as profile, geolocation, places frequented and consumer behaviour) to provide advertising, under punitive sanction of daily fines and blocked platform. In addition, it also intends to sentence the company to prepare and deliver the DPIA to the Judiciary of the Federal District and Territories, as required by the Public Civil Inquiry previously presented.
The reason given by the public agency was that the preparation of the DPIA was given to the company to prove the legality of the service offered, but that its non-performance would lead to the belief that the company - even if it claims to have good faith and interest in collaborating with the investigations - would be performing improper processing of their customers personal data. In addition, the involvement of inviolable rights such as intimacy, privacy and image, as well as the consumerist nature of the relationship between Telefônica (Vivo) and its customers, would reinforce the need for clarification on the exact purposes for which data collected by the company are used, including the use of consumer personal and location data as a means of capture by companies paying services offered by the Vivo Ads platform and excessive and uncontrolled monitoring of their users personal and sensitive data without the necessary consent of the holders regarding its actual use.
It is important to mention that since the request to Telefônica (Vivo) of the DPIA in the Civil Inquiry, numerous discussions arose, mainly because we are talking about a document provided in the General Data Protection Law, still in vacatio legis in our legal system.
Although the LGPD will come into force only in August 2020, it is clear that the Government has long taken a stand that protects personal data, especially in the face of numerous scandals reported by all the media. In parallel with these developments, there has been a change in the behaviour of market players, much more attentive to privacy issues, either in the design of their business or in the adaptation projects of those already existing.
Without discussing its merits, the recently proposed Public Civil Action portrays a not so distant future and comes as a warning to companies and public agencies, which must - if they have not yet done so - comply with the rules of personal and data protection and be able to submit, upon request, their DPIA and processing records.
To learn more about compliance with the General Data Protection Act, please contact our Technology, Media and Telecommunication team.
Check out the full request for the DPIA, by the MPDFT here.
Check out the full Public Civil Action here.