Argentina – new regulation on international transfer of personal data

Argentina – New regulation on data transfers – See Spanish version here.

The Argentina data Protection Agency (DPA) has issues a new regulation on international transfers of personal data (DNPDP Disposition 60 – E/2016). Under the new regulation the DPA has:

  • Approved a model form for international transfers to a data controller and also another form for transfer to a data processor (for rendering services).
  • The model is party based in the EU model with some changes.
  • If the data controller is using a different model, then he needs to file its agreement with the DPA for approval within 30 days.
  • The new regulation list countries that are considered adequate (those recognized as adequate by the EU).

The Battle for Encryption in Brazil

This piece was written by Danilo Doneda and Joana Varon and originally appeared here.

The Facebook-owned messaging platform WhatsApp is the leader in the Brazilian mobile messaging market, surpassing 100 million users. Brazilians have long ceased to use SMS messaging as a means of daily communication. The strong presence of WhatsApp is favoured by some telecom companies delivering the service for ‘free’ in the zero-rating model, in which the app doesn’t use a person’s data.

Hence, the multiple recent bans on WhatsApp’ services ordered by Brazilian magistrates ignited widespread discussion. Currently, the platform has been ordered to suspend its services four times, with law enforcement authorities arguing that the company hasn’t released to law enforcement user data which was deemed fundamental for criminal investigations. The issue recently escalated with WhatsApp adopting end-to-end encryption by default to all its users, meaning that, in theory, the company will hold no user content data.

Throughout 2016, several court orders have demanded temporarily blockage of WhatsApp due to disputes over access to encrypted data, however, Brazilian Law does not prohibit or ban encryption. The most recent of these court orders occurred in October 2016. The third order occurred in July 2016 and the platform was subsequently banned in the country for hours. Unlike previous cases in which a magistrate required the company to produce users’ IDs and the content of conversations, in this case the magistrate asked WhatsApp to disable its encryption and allow for real time monitoring of conversations. The case in question was an investigation on criminal organizations.

Continue reading in original here.

Access to CCTV footage

I have discussed in this blog issues related to CCTV regulation  the past, specially in Argentina the CCTV resolution enacted in the year by the DPA that requires companies to register the database of CCTV footage, and to include visible signs indicating use of CCTV monitoring and an internal manual.

Now the DPA has issued a new legal report related to access to footage of CCTV. The report of the DPA is an answer to several financial entities that requested the DPA to explain how to grant access to CCTV footage at the request of access by an individual. The CCTV regulation generally mentions that the right of access exists but do not explain how this access should take place if there is a vague access request (e.g. the bank will have a huge expense in searching all the CCTV footage of several months).

In this report the DPA clarifies that the data subject may send as part of it request a photo so the data controller can identify the frames where the data subject was recorded.

In addition the DPA points out that the request may be subject to a fee if it is too onerous to a bank. The information can be provided in writing or recorded in a CD-ROM.

Text of the report.