News on personal data protection
By Mariano Peruzzotti and Valentina Gonzáles Medina.
In this BeNews edition we comment on three news concerning privacy that took place during the last weeks: (i) a sanction imposed on a company for not responding to a request to delete personal data; (ii) the order to suspend the update of the privacy policies of WhatsApp; (iii) the appointment of a data protection officer on a probate process (iv) the appointment of the Head of the Agency of Access to Public Information; and (v) the creation of COVID-19 vaccination database.
A company was sanctioned for not responding to a data removal request
The Agency for Access to Public Information (“Agency”), supervisory authority of Personal Data Protection Law No. 25,326 (“PDPL”), sanctioned Rappi Arg SAS, a company that provides delivery services, for not responding to a data removal request in due term.
The complainant, who was both a platform user and rider, claimed that the request to delete his personal data addressed to the company had not been properly answered and that he continued to receive advertising messages.
Among other defenses, the company argued that, as a general rule, the data was kept to comply with different legal obligations and that the company reserved the right to keep personal data for 10 yeas in accordance with the Civil and Commercial Code.
The Agency decided that Rappi infringed the provisions of the PDPL, specifically article 16, given that the information had not been deleted when it had ceased to be relevant for the purposes that motivated its collection and additionally the request for deleting the personal data was not adequately addressed. As a consequence, the Agency imposed a fine of Argentine Pesos 80.000 (USD 808 at the current exchange rate).
In Argentina, the deadline to answer an access request is 10 calendar days while in the cases of requests for updating, modification, deletion and confidentiality treatment is 5 business days.
A suspension of WhatsApp privacy policy update was ordered
Through Resolution 492/2021 (“Resolution”) published in the Official Gazette on May 17, 2021, the Ministry of Inner Trade ordered the Argentine subsidiary of FACEBOOK INC. and/or FACEBOOK IRELAND LIMITED and/or WHATSAPP INC. and/or WHATSAPP LCC and/or WHATSAPP IRELAND LIMITED to refrain from implementing and/or suspend the update of the WhatsApp conditions of service and privacy policy in Argentina for a period of 180 days or until the ending of the investigation initiated by the National Competition Authority for alleged commission of anticompetitive behaviors , whichever occurs first.
The Resolution also orders the cease of data sharing that was described in the privacy policy update as well as the communication of the full text of the decision to its users through the WhatsApp application or the company’s official website.
In January 2021 WhatsApp implemented an update of its terms of service and privacy policy that had to be accepted by the users. Starting on May 15, 2021, users would begin to receive a reminder until they accepted the update. WhatsApp reserved the possibility of adopting limitations to the functionality of the application if the user does not accept the update.
As explained in the Resolution, the changes implied the possibility for companies to make use of Facebook as a technology provider, to manage responses on their behalf, process information within the context of interactions or messages that the user has with other WhatsApp users, which could involve the possibility of FACEBOOK INC. to process certain limited information obtained through the WhatsApp service.
The Ministry of Inner Trade considers that, by updating their policies, Facebook and WhatsApp will be able to strengthen their dominant position in other markets such as online advertising, raising barriers to entry or hindering activities of non-integrated competitors and, ultimately, monopolizing the market to the detriment of the general economic interest.
It should be noted that on May 14, 2021, the Agency announced the initiation of an investigation on WhatsApp LLC due to the implementation of its new privacy policies in order to verify whether the update complies with the PDPL and its complementary regulations.
Appointment of a data protection officer in the context of a succession proceeding
In an unusual resolution, the Civil and Commercial District Court No. 2 of the City of Azul in the Province of Buenos Aires appointed a data protection officer within the framework of a succession proceeding.
In the case “García Gloria Beatriz s/suceción ab intestato”, court file No. 52586, the judge hearing the case decided to appoint a data protection officer who will be in charge of securing the application of the data protection policy adopted within the context of the court file. The parties may contact the data protection officer to request the removal, anonymization or pseudoanonymization of the data.
The Judge considered that the public nature of information handled in court cases must be balanced against the parties’ privacy rights since “privacy regulations play a valuable role in giving us room for freedom”. In this sense, the Court highlights that digital document management systems have multiplied the disclosure of court information and have turned these judicial digital ecosystems into “big data epicenters”, which is the reason why it is necessary to protect the privacy of the individuals involved.
The PDPL does not impose the obligation to appoint a data protection officer. However, the Agency has recommended its designation, particularly in the case of the public sector (Resolution No. 40/2018 of the Agency).
The Head of the Agency has not been appointed yet.
As mentioned in the previous edition of BeNews, (https://www.ojambf.com/novedades-en-materia-de-proteccion-de-datos-personales/), the former director of the Agency resigned as from January 1, 2021. Consequently, the National Cabinet of Ministers proposed Gustavo Juan Fuertes as a candidate.
The observations and questions posted by third parties on such proposal were discussed during the March 23 public hearing. To date, the Executive Branch has not made any public release on its decision regarding the confirmation or withdrawal of the nomination. If the nomination is confirmed, Mr. Fuertes will be elected director.
Creation of a Database for vaccination against COVID19.
Through Provision 6/2021 of the Under-Secretariat of Open Government and Digital Country that depends on the Cabinet of Ministers (“Under-Secretariat”), a database was created in order to organize, speed up and conduct the administration of one or more vaccines against COVID19 that were authorized by the relevant entities and jurisdictions (“Database”).
The entity in charge of the Database will be the Under-Secretariat. The Database is subject to the scope and terms of the PDPL.
The Database will contain personal data of those citizens, users of the CUIDAR application (app developed by the Argentine Federal Government in the context of COVID-19 pandemic), who have voluntarily requested and obtained an appointment to receive one of the approved vaccines against COVID19.
The data may be transferred to jurisdictions, entities and National Public Administration agencies only in the context of the health emergency. Whenever possible, the data shall be disclosed dissociated.
For further information please contact: mperuzzotti@ojambf.com