The General Data Protection Regulation and You

A cursory look at your email inbox this past month presents an intriguing trend. Multiple online services seem to have taken it upon themselves to notify changes to their Privacy Policies at the same time. The reason, simply, is that the European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018.

The GDPR marks a substantial overhaul of the existing data protection regime in the EU, as it replaces the earlier ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.’ The Regulation was adopted by the European Parliament in 2016, with a period of almost two years to allow entities sufficient time to comply with their increased obligations.

The GDPR is an attempt to harmonize and strengthen data protection across Member States of the European Union. CCG has previously written about the Regulation and what it entails here. For one, the instrument is a ‘Regulation’, as opposed to a ‘Directive’. A Regulation is directly binding across all Member States in its entirety. A Directive simply sets out a goal that all EU countries must achieve, but allows them discretion as to how. Member States must enact national measures to transpose a Directive, and this can sometimes lead to a lack of uniformity across Member States.

The GDPR introduces, among other things, additional rights and protections for data subjects. This includes, for instance, the introduction of the right to data portability, and the codification of the controversial right to be forgotten. Our writing on these concepts can be found here, and here. Another noteworthy change is the substantial sanctions that can be imposed for violations. Entities that fall foul of the Regulation may have to pay fines up to 20 million Euros, or 4% of global annual turnover, whichever is higher.

The Regulation also has consequences for entities and users outside the EU. First, the Regulation has expansive territorial scope, and applies to non-EU entities if they offer goods and services to the EU, or monitor the behavior of EU citizens. The EU is also a significant digital market, which allows it to nudge other jurisdictions towards the standards it adopts. The Regulation (like the earlier Directive) restricts the transfer of personal data to entities outside the EU to cases where an adequate level of data protection can be ensured. This has resulted in many countries adopting regulation in compliance with EU standards. In addition, with the implementation of the GDPR, companies that operate in multiple jurisdictions might prefer to maintain parity between their data protection policies. For instance, Microsoft has announced that it will extend core GDPR protections to its users worldwide. As a consequence, many of the protections offered by the GDPR may in effect become available to users in other jurisdictions as well.

The implementation of the GDPR is also of particular significance to India, which is currently in the process of formulating its own data protection framework. The Regulation represents a recent attempt by a jurisdiction (that typically places a high premium on privacy) to address the harms caused by practices surrounding personal data. The lead-up to its adoption and implementation has generated much discourse on data protection and privacy. This can offer useful lessons as we debate the scope and ambit of our own data protection regulation.

Advertisements

Towards a Data Protection Framework (CCG Privacy Law Series)

Smitha and I are writing a series of papers on a data protection law for India, based on our research. We hope that our discussion of the options before us and their relative merits and demerits will help other engage with these difficult questions in a nuanced manner.

The first paper sets out the context for the data protection law. It discusses the
reasons and purpose for regulation and what specifically will be regulated.
It also discusses who will be regulated, since this is important while
considering the regulatory strategies to use while implementing the data
protection principles. It is available here.

Back to the Basics: Framing a New Data Protection Law for India

Over the past decade or so, the use of personal and big data has changed the way many businesses and governments operate. Regulators and legislative bodies have been struggling to keep up with the changes in technology, and increasing concerns about what it means for the privacy of individuals.

In India, we have worked with the Information Technology Act, 2000 (IT Act)[1], and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (Data Protection Rules) for a few years now[2]. These rules were arguably put together as a response to claims that Indian law did not meet European data protection standard, and for the purpose of ensuring that Indian companies do not lose cross border business (with the European Union)[3]. The rules are fraught with inconsistencies, right from the scope of the rules, to the manner in which they can be enforced[4].

Barring these rules, we have had minimal regulations on the use of personal data in certain sectors[5].

The Committee of Experts (Committee), constituted by Ministry of Electronics and Information Technology (MEITY), is currently working on recommendations regarding a new legal and regulatory framework for protection of personal data in India[6]. With all signs pointing only towards an increase in not only data driven businesses, but also data driven solutions to problems in many aspects of our life, it is imperative that we get it right this time.

The constant change and development in tech over the past few decades has shown us that it may be difficult to predict the way our technology and the internet will look in 10 years. It may be even more difficult to put in place the perfect legal system that addresses such technology. However, ensuring that the basic premise of the data protection law – what / who does it aim to protect, what the scope of the law is, and what principles the law is meant to uphold – is balanced and robust, will go a long way in ensuring that we have a strong, yet flexible legal framework[7].

In my paper titled ‘Back to the Basics: Framing a New Data Protection Law for India’, I take a preliminary look at each of these three concepts, while focusing largely on some of the principles that data protection laws have traditionally relied on, and how they can be revisited in today’s context.

The paper is available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3113536

 

 

[1] Information Technology Act, 2000, available at https://indiankanoon.org/doc/1965344/ (last visited on January 30, 2018)

[2] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, available at http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf (last visited on January 30, 2018)

[3] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[4] Krishna Prasad, Smitha, (Draft) Paper on Information Technology Act, 2000 and the Data Protection Rules (December 30, 2017). Available at SSRN: https://ssrn.com/abstract=3094792 (last visited on January 30, 2018)

[5] International Comparative Legal Guide, Chapter on Data Protection in India, 2017, https://iclg.com/practice-areas/data-protection/data-protection-2017/india (last visited on January 30, 2018)

[6] http://meity.gov.in/writereaddata/files/meity_om_constitution_of_expert_committee_31072017.pdf (last visited on January 30, 2018)

[7] Krishna Prasad, Smitha, “Defining ‘personal info’ broadly key to protecting it”, January 21, 2018, available at:  http://m.deccanherald.com/?name=http://www.deccanherald.com/content/655012/defining-personal-info-broadly-key.html (last visited on January 30, 2018)

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part III

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise. 

In our previous posts, we discussed the background against which we have provided our responses and recommendations, and the need for a separate regulatory framework for data within the telecom sector, in the context of the jurisdiction and powers of the TRAI.

In this post, we look at the basic data protection principles that we recommend form the basis for any new data protection regulation. Several of these principles are also discussed in the white paper of the Committee of Experts on a Data Protection Framework for India.

Any new data protection regulation, whether applicable across industries and sectors, or applicable only to the telecom sector, should be based on sound principles of privacy and data protection. As discussed in the Consultation Paper, the Report of the Group of Experts on Privacy[1] (GOE Report) identified 9 national privacy principles to be adopted in drafting a privacy law for India. These principles are listed below[2]:

  • Notice: A data controller, which refers to any organization that determines the purposes and means of processing the personal information of users, shall give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include disclosures on what personal information is being collected; purpose for collection and its use; whether it will be disclosed to third parties; notification in case of data breach, etc.
  • Choice and consent: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices.
  • Collection limitation: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection.
  • Purpose limitation: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed.
  • Access and correction: Individuals shall have access to personal information about them held by a data controller and be able to seek correction, amendments, or deletion of such information, where it is inaccurate.
  • Disclosure of Information: A data controller shall only disclose personal information to third parties after providing notice and seeking informed consent from the individual for such disclosure.
  • Security: A data controller shall secure personal information using reasonable security safeguards against loss, unauthorised access or use and destruction.
  • Openness: A data controller shall take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in order to ensure compliance with the privacy principles, information regarding which shall be made in an intelligible form, using clear and plain language, available to all individuals.
  • Accountability: The data controller shall be accountable for complying with measures which give effect to the privacy principles. Such measures should include mechanisms to implement privacy policies, including training and education, audits, etc.

With the growth of businesses driven by big data, there is now a demand for re-thinking these principles, especially those relating to notice and consent[3].

While notice, consent and the other principles set forth in the GOE Report have formed the basis for data protection laws for many years now, additional principles have been developed in many jurisdictions across the world. In order to ensure that any new regulations in India are up to date and effective, it will be prudent to study such principles and identify the best practices that can then be incorporated into Indian law.

Graham Greenleaf has compared data protection laws across Europe and outside Europe and found that today, second and third generation ‘European Standards’ are being implemented across jurisdictions[4]. These ‘European Standards’, refer to standards that are applicable under European Union (EU) law, in addition to the original principles developed by the Organisation for Economic Co-operation and Development (OECD)[5]. The second generation European Standards that are most commonly seen outside the EU are:

  • Recourse to the courts to enforce data privacy rights (including. compensation, and appeals from decisions of DPAs)
  • Destruction or anonymisation of personal data after a period
  • Restricted data exports based on data protection provided by recipient country (‘adequate’), or alternative guarantees
  • Independent Data Protection Authority (DPA)
  • Minimum collection necessary for the purpose (not only ‘limited’)
  • General requirement of ‘fair and lawful processing’ (not only collection)
  • Additional protections for sensitive data in defined categories
  • To object to processing on compelling legitimate grounds, including to ‘opt-out’ of direct marketing uses of personal data
  • Additional restrictions on some sensitive processing systems (notification; ‘prior checking’ by DPA.)
  • Limits on automated decision-making (including right to know processing logic)

He also notes that there are several new principles put forward in the EU’s new General Data Protection Regulation[6] (GDPR) itself, and that it remains to be seen which of these will become global standards outside the EU. The most popular of these principles, which he refers to as ‘3rd General European Standards’ are[7]:

  • Data breach notifications to the DPA for serious breaches
  • Data breach notifications to the data subject (if high risk)
  • Class action suits to be allowed before DPAs or courts by public interest privacy groups
  • Direct liability for processors as well as controllers
  • DPAs to make decisions and issue administrative sanctions, including fines.
  • Opt-in requirements for marketing
  • Mandatory appointment of data protection officers in companies that process sensitive personal data.

We note that there exist other proposed frameworks that aim to regulate data protection and ease compliances required by businesses. Such additional frameworks may also be considered while formulating new data protection principles and regulations in India. However, it is recommended that the ‘European Standards’ described above, i.e. those set out in the GDPR may be adopted as the base on which any new regulations are built. This would ensure that India has greater chances of being recognised as having ‘adequate’ data protection frameworks by the EU, and improve our trade relations with the EU and other countries that adopt similar standards.

Professor Greenleaf’s studies suggest that the 2nd and 3rd General European Standards are being adopted by several countries outside the European Union. We note here that adoption of principles that are considered best practices across jurisdictions would also assist in increasing interoperability for businesses that operate across borders.

While adoption of these practices is likely to raise the cost of compliance, it is also likely to ensure that India remains a very competitive market globally for the outsourcing of services. In the long term, this will benefit Indian industry and the Indian economy. It will also safeguard the privacy rights of Indian citizens in the best possible manner.

[1] Report of the Group of Experts on Privacy, available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf

[2] Report of the Group of Experts on Privacy, Chapter 3, as summarised in the TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, pages 7-9

[3] TRAI Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector, Page 9; and Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, available at http://takshashila.org.in/takshashila-policy-research/discussion-document-beyond-consent-new-paradigm-data-protection/ (last visited on November 5, 2017)

[4] Graham Greenleaf, European data privacy standards in laws outside Europe, Privacy Law and Business International Report, Issue 149

[5]OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited on November 5, 2017)

[6] General Data Protection Regulation, Regulation (EU) 2016/679

[7] Graham Greenleaf, Presentation on 2nd & 3rd generation data privacy standards implemented in laws outside Europe (to be published and available on request).

CCG’s recommendations to the TRAI Consultation Paper on Privacy, Security and Ownership of Data in the Telecom Sector – Part II

In this series of blogposts, we discuss CCG’s responses and recommendations to the TRAI (available here), in response to their Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. We focus on the principles and concerns that should govern the framing of any new data protection regime, whether limited to the telecom sector or otherwise.

In our previous blogpost, the first of the series, we discussed the background against which we have provided our responses and recommendations. In this post, we look at whether there is a need for a separate regulatory framework for data within the telecom sector, and the jurisdiction and powers of the TRAI.

We note that the Consultation Paper makes several references to stakeholders / players in the digital / telecommunications eco-system that are not traditional telecommunication service providers. These include online content / application service providers, device manufacturers, and providers of online communication services, operating systems, browsers. The Consultation Paper poses several questions about the regulation of data use and processing by such stakeholders.

In this context, we have examined the role and responsibilities of the TRAI beyond the regulation of traditional telecommunication service providers.

The preamble to the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) states that the law is meant to “provide for the establishment of the Telecom Regulatory Authority of India and the Telecom Disputes Settlement and Appellate Tribunal to regulate the telecommunication services, adjudicate disputes, dispose of appeals and to protect the interests of service providers and consumers of the telecom sector, to promote and ensure orderly growth of the telecom sector and for matters connected therewith or incidental thereto”.

Telecommunication services have been defined to mean “service of any description (including electronic mail, voice mail, data services, audio tax services, video tax services, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature, by wire, radio, visual or other electromagnetic means”[1]. Broadcasting services have been excluded from the definition of telecommunication services[2].

Service providers means either the government as a service provider, or a licensee[3] – which refers to any person licensed to provide telecommunication services under the Indian Telegraph Act, 1885[4].

Section 11 of the TRAI Act describes the functions of the TRAI. These functions are divided into two broad areas: (i) making recommendations of certain matters, and (ii) regulatory functions. The regulatory functions largely deal with monitoring compliance with the telecom licenses, and other functions of service providers.

The TRAI’s powers to make recommendations extend to the following matters:

  • need and timing for introduction of new service provider;
  • terms and conditions of licence to a service provider;
  • revocation of licence for non-compliance of terms and conditions of licence;
  • measures to facilitate competition and promote efficiency in the operation of telecommunication services so as to facilitate growth in such services;
  • technological improvements in the services provided by the service providers;
  • type of equipment to be used by the service providers after inspection of equipment used in the network;
  • measures for the development of telecommunication technology and any other matter relatable to telecommunication industry in general;
  • efficient management of available spectrum

We note that most of the above matters deal specifically with functions of service providers. However, as mentioned above, telecommunication services do include some services beyond those provided by traditional telecommunication service providers – such as electronic mail and voice mail among others.

In this context, we would argue that the functions and powers of the TRAI would not extend to making recommendations regarding, or regulating online content and application providers, device manufacturers or other businesses that do not provide communication services.

At best, the TRAI may derive powers to make recommendations regarding based on questions posed in the Consultation Paper, under sub-section (iv) which provides the TRAI with the authority to make recommendations on improving efficiency of telecommunication services.

In our next posts in this series, we will discuss principles that we believe any data protection regulation, irrespective of the sector it applies to, should address. We also note that as Indian businesses grow and adopt new technology, they are increasingly beginning to function across sectors. In this context, we recommend that a basic data protection law that is applicable horizontally across sectors and regions, to cope with these cross-sectoral business models.  Where required, additional regulations may be made applicable to collection and processing of sector specific sensitive personal data.

[1] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[2] Section 2(1)(k) of the Telecom Regulatory Authority of India Act, 1997

[3] Section 2(1)(j) of the Telecom Regulatory Authority of India Act, 1997

[4] Section 2(1)(e) of the Telecom Regulatory Authority of India Act, 1997

‘My Data, My Rules’ – The Right to Data Portability

Nandan Nilekani has recently made news cautioning against ‘data colonization’ by heavyweights such as Facebook and Google. He laments that data, which is otherwise a non-rival, unlimited resource, is not being shared freely, and is being put into silos. Not only does this limit its potential uses, users end up with very little control over their own data. He argues for ‘data democracy’ through a data protection law and particularly, one that gives users greater privacy, control and choice. In specific terms, Nilekani appears to be referring to the ‘right to data portability’, a recently recognized concept in the data protection lexicon.

In the course of using online services, individuals typically provide an assortment of personal data to service providers. The right to data portability allows a user to receive their data back in a format that is conducive to reuse with another service. The purpose of data portability is to promote interoperability between systems and to give greater choice and control to the user with respect to their data held by other entities. The aim is also to create a level playing field for newly established service providers that wish to take on incumbents, but are unable to do so because of the significant barriers posed by lock-in and network effects. For instance, Apple Music users could switch to a rival service without having to lose playlists, play counts, or history; or Amazon users could port purchasing history to a service that provides better recommendations; or eBay sellers to a more preferable platform without losing their reputation and ratings. Users could also port to services with more privacy friendly policies, thereby enabling an environment where services must also compete on such metrics.

The European Union’s General Data Protection Regulation (GDPR) is the first legal recognition of the right to data portability. Art. 20(1) defines the right as follows:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided”

Pursuant to this right, Art. 20(2) further confers the right to directly transmit personal data from one controller to another, wherever technically feasible.

The first aspect of the right to data portability allows data subjects to receive their personal data for private use. Crucially, the data must be a in a format necessarily conducive to reuse. For instance, providing copies of emails in pdf format would not be sufficient. The second aspect is the ability to transfer data directly to another controller, without hindrance.

There are certain prerequisites for the applicability of this right:

a) it applies only to personal data that the data subject ‘provided’ to the controller. This would include data explicitly provided (such as age, or address, etc., through online forms), as well as data generated and collected by the controller on account of the usage of the service. Data derived or inferred by the controller would not be within the scope of this right.

b) the processing must be pursuant to consent or a contract. Personal data processed for a task to be performed in public interest, or in the exercise of official authority is excluded.

c) the processing must be through automated means. Data in paper files would therefore not be portable.

d) the right must not adversely affect the rights and freedoms of others.

The GDPR does not come into force till May 2018, so there remain ambiguities regarding how the right to data portability may come to be implemented. For instance, there is debate about whether ‘observed data’, such as heartbeat tracking by wearables, would be portable. Even so, the right to data portability appears to be a step towards mitigating the influence data giants currently wield.

Data Portability is premised on the principle of informational self-determination, which forms the substance of the European Data Protection framework.  This concept was famously articulated in what is known as the Census decision of the German Federal Constitutional Court in 1983. The Court ruled it to be a necessary condition for the free development of one’s personality, and also an essential element of a democratic society.  The petitioners in India’s Aadhaar-PAN case also  explicitly argued that informational self-determination was a facet of Art. 21 of the Indian Constitution.

Data portability may also be considered an evolution from previously recognized rights such as the right to access and the right to erasure of personal data, both of which are present in the current Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. TRAI’s recent consultation paper on Privacy, Security and Ownership of Data in the Telecom Sector also refers to data portability as a way to empower users. The right to data portability may be an essential aspect of a robust and modern data protection framework, and India is evidently not averse to taking cues from the EU in this regard. As we (finally) begin to formulate our own data protection law, it may serve us well to evaluate which concepts may be suitably imported.

 

Google Faces Legal Hurdles Under Brazilian Internet Law

By Raissa Campagnaro[1]

The Brazilian Federal Prosecution Ministry has brought civil proceedings against Google for flouting its data protection law. The suit challenges Google’s access to the content of emails exchanged by Gmail users on multiple grounds, including Google’s failure to obtain express consent.

In October, 2016, Brazil’s Federal Prosecutor filed a public civil suit against Google, claiming that the search engine had failed to comply with the country’s internet law, the Internet Bill of Rights. The suit argues that during a previous prosecution investigation, through a civil inquiry, Google had made it public that it scans the content of emails exchanged by Gmail users. According to the Federal Prosecutor, this violates Brazilian data protection standards.

The Internet Bill of Rights establishes data protection principles similar to those set up under the EU Data Protection Directive 95/46/EC. Under this law, any processing of data must be pursuant to express consent. The law specifically requires that the clause seeking consent be prominently displayed and easy to identify amongst other terms of the contract. The law also recognises a right to not have one’s data transferred to third parties without consent and a right to be informed about the specific purposes of the personal data collection, usage, storage, treatment and protection.

When asked about its compliance with the legislation, Google submitted that it analyses the email messages so it can improve consumers’ user experience by filtering the messages for unwanted content, spam, or other kind of malware. It also submitted that the scanning of messages is used to offer products and advertisement for the user and to classify emails into various categories such as ‘social’ ‘promotions’ etc. Finally, Google has contended that the scanning of emails is  consented to by the user at the time of signing up, by agreeing to the privacy policy within Gmail’s terms of service.

However, the Federal Prosecution Ministry considers these practices to be ‘profiling’ – a consequence of personal data aggregation that allows the creation of users’ profiles based on their behaviour, online habits and preferences. These can be used to predict their future actions and decisions. Profiling is frequently used for behavioural advertisements in which aggregated personal data is transferred to other ISPs, who use it to direct ads, products and services determined by the person’s past online activity. According to the Federal Prosecutor, this not only violates people’s right to privacy, especially their informational self-determination right, but also interferes with a consumer’s freedom of choice.

Several scholars and researchers have also opposed profiling and behavioural advertising, arguing that it has severe negative consequences. These include (i) denial of credit or loan concessions; (ii) offering different health insurance deals based on a person’s medical history or the nature of activities they engage in; and (iii) offers with adaptive pricing, based on a variety of criteria that involve some level of discrimination. This is problematic because online profiles are limited. A person’s life is based on several aspects apart from the online information which is collected and aggregated. As a result, personal data aggregation, processing and analysis can lead to an incomplete or incorrect picture of an individual, leading to wrongful interventions in their life. Even if the profile is a complete reflection of a person’s life, the choice to have one’s data collected and used for determined purposes must always be the users’.

The suit alleges that Google’s practices are not in consonance with the legal requirement of seeking express consent, including through prominent display within a policy. It suggests that Google be required to take specific consent in order to access the content of emails.

The case also  challenges the fact that Google’s privacy policy does not allow consumers to withdraw consent. This violates consumers’ control over their data. Further, it is also argued that consent should be sought afresh every time Google changes its privacy policy. The lack of clear and precise information around how data is processed is another issue that has been pointed out in the case, violating the right of Gmail users to information regarding the usage of their data.

To substantiate its case, the Federal Prosecutor is relying on an Italian case in which Google’s data processing activities had been challenged. The ruling was based on Italy’s Data Privacy Code, which establishes data protection guarantees such as i) fair and lawful processing of data; ii) specific, explicit and legitimate purposes and use of data; iii) processing to not be excessive in relation to the purposes for which it is collected or subsequently processed; and iv) that the data must only be kept for the amount of time truly necessary. In addition, the law stipulates that a data subject must receive notice about how their data will be processed, allowing them to make an informed decision. Furthermore, the Italian code also requires consent to be express and documented in writing.

In 2014, Garante’s (i.e. the Italian Data Privacy Authority, furthermore “the Authority”) decision held that Google had failed to comply with some requirements under the Italian legislation. Firstly, the information given by Google around how data processing was carried out was considered insufficient, as it was too general. Secondly, the consent format given through the privacy policy agreement was also held to be too broad. The Authority held that consent should be prior and specific to the data treatment. Although the decision condemned the company’s practices, it did not establish any guidelines for Google to adopt in this regard.

Through the present suit, the Brazilian Federal Prosecutor seeks (i) suspension of Google’s email content analysis, that is, scanning of emails of Gmail users where express consent has not been received ; (ii) an obligation to obtain express and consent from users before scanning or analysing the content of emails and (iii) ensuring the possibility of consent withdrawal. The suit seeks an order directing Google to change its privacy policy to ensure consent is informed and particular to content analysis.

This case demonstrates a new aspect of data protection concern. Apart from the most common cases over data breach situations, where the damage is usually too late or too massive to repair, the Brazilian and the Italian cases are great examples of proactive measures taken to minimise  future risks. Further, the importance of a legal framework that utilises data protection principles to guarantee consumers’ right to privacy is well recognised. Now, it appears that these rules are starting to be more effectively enforced and, in consequence, the right to privacy can be observed in practice.

[1] Raissa is a law student from Brazil with an interest in internet law and policy. Raissa has been interning with the civil liberties team at CCG for the past month.