For the academic community and professionals who deal with privacy protection, as well as for society at large, 2018 is already a year to celebrate a series of achievements for the institutionalization of data protection: (i) the modernization of the first binding international instrument on the processing of personal information, the Convention 108 of the Council of Europe, on May 18, by the Amending Protocol approval; (ii) the General Data Protection Regulation (GDPR) of the European Union entered into force on May 25; (iii) on June 22, the Supreme Court of the United States of America decided the case Carpenter v. United States, establishing a precedent which rationale and broad reach make it as important to constitutional privacy and to the Fourth Amendment doctrine in the digital age as Olmstead and Katz rulings were in the analogue age; (iv) on June 28, a few days later, the California Consumer Privacy Act of 2018 was approved, with a European Regulation-like legislative technique and content; and (v) the acceptance of the 128th national data protection law, which, after the President of Brazil’s endorsement, turned into the Law n. 13.709 of August 14, 2018, for the Brazilians – to enter into force on February 16, 2020.
However, one should keep in mind that many of these advances have a reactive element as a driving force. The year of 2018, hitherto, has also been marked by massive data breaches. The largest breach occurred in January when the Tribune News Service denounced the existence of a failure in the Indian single identity system Aidahaar, managed by the Unique Identification Authority of India (UIDAI). Paying 500 rupees – equivalent to US $ 7.14 – for anonymous sellers on WhatsApp, the journalists were able to get access to the data from more than 1 billion Indian citizens registered in the biometric and demographic information system: they had unrestricted access to data such as name, home address, photo, phone number and email.
Another recent data breach case took place in Singapore. On July 20, Singaporean government officials announced the largest breach of personal information in the country’s history: a cyber-attack targeted at the information systems of the group SingHealth resulted in the disclosure of the data (name, address, gender, race, date of birth and National Registration Identity Card number) of approximately 1.5 million patients who visited the clinics and polyclinics in the healthcare group between May 1, 2015 and July 4, 2018. In addition, the authors of the attack extracted medical prescription records of 160,000 patients, including the Singapore’s Prime Minister, Lee Hsien Loong.
Data protection statute and information security
Without the use of information security techniques, the right to the protection of personal data provided by law remains reduced to a indifferent statutory text, without real effectiveness. Data security is an essential element in giving the data subjects the control and management of their own information – what is known as informational self-determination since the German Federal Constitutional Court ruling on the 1983 Census Act (BVerfGE, 65/1).
It is not for another reason that the text of Brazil’s personal data protection statute provides, among its principles, for the security principle. According to the Article 6, VII, of the bill, the activities of processing of personal data must observe this principle, which states “the use of technical and administrative measures able to protect personal data from unauthorized access and from accidental or illegal situations of destruction, loss, alteration, communication or disclosure”.
The fact that they constitute a prerequisite and an essential element to data protection makes information security techniques call attention to: (i) the individual and collective dimensions of the protection of personal data, since without the implementation of data security measures the data subject has his/her informational self-determination diluted, and the cases of data breach affect entire collectivities, which demands the performance of enforcement agencies in the role of ombudsman; (ii) the fact that where there is a security failure, it can create a demand for even more intense collection and processing of personal data for services that rely on data that had been exposed – as it has already been considered in the SingHealth case in relation to banking services, and might happen in the case of Banco Inter, in Brazil. Actually, there would be a collision with the principle of necessity or data minimization (Law n. 13.709/2018, Article 6, III).
Data encryption, pseudonymization, and privacy by design
In Brazil, personal data processing agents will have, as of February 16, 2020, the obligation to adopt practices and security measures that are adequate, according to the state of the art, to protect personal information against unauthorized access, destruction, or other illicit risks and processing. That’s the meaning of the Article 46 of the Law n. 13.709/2018.
In the same way, the Regulation n. 679/2016 of the European Union in the Article 32 establishes the duty of data controllers and operators to implement appropriate technical and organizational measures of information security. The GDPR, nevertheless, is more detailed than the text of the Brazilian legislation. The European regulation adopted a risk-based approach, considering the gradation or level of risk caused by the personal information processing activity to the data subjects’ fundamental rights and freedoms in modulating the applicable regime and compliance actions.
Thus, personal data processing agents must take into account, in addition to the most advanced techniques, the application costs and the nature, scope, context and purpose of the processing, the risks of varying likelihood and severity for the rights and freedoms of natural persons when applying the adequate measures to ensure a level of security correspondent to the risk.
Emphasis should be given to two measures: encryption and data pseudonymization.
Encryption techniques, which are so fundamental to computational security, have been expressly mentioned by the European legislator (eg, Articles 25, 1, 32, 1). The implementation of cryptographic protocols, such as end-to-end encryption and the use of cryptographic hash functions are stimulated by the GDPR, notably in promoting the traditional purpose of cryptography: confidentiality. As an information security measure to be adopted, data encryption must be preceded by an evaluation of the risks of the processing activity at issue. In accordance with Recital 83 of the Regulation:
[…] Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
A method of using cryptographic techniques as security measure for personal data protection is by means of pseudonymization. According to the Article 29 Data Protection Working Party, it “consists of replacing one attribute (typically a unique attribute) in a record by another” (Opinion 05/2014); would be a process of masking or disguising identity (Opinion 04/2007). This is so that information can no longer be connected to a specific data subject without the use of supplementary information, provided that it is kept separately and subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (GDPR, article 4, 5).
In the famous case of AOL database publicly released on the internet in 2006, with 20 million search queries of its search engine users, there was, in fact, a pseudonymization, not an anonymization of the database. Meanwhile, an example of a cryptography application in data pseudonymization can be found in the field of medical scientific research. In order to respect the research subjects’ privacy and to securely process data in a useful fashion to the scientific research, encrypt certain original attributes for de-identification of patient information is an option for clinical radiology study. Only the responsible researchers will have the corresponding cryptographic keys to access the original data (plaintext).
Although the Brazilian law (n. 13.709/2018) does not explicitly provide for cryptographic techniques, and mentions pseudonymization only in the context of the processing of sensitive data for the purpose of health research (article 19, § 4º), both must be interpreted and applied as a concretization of the security principle, and adopted in function of the risks involved by the developed data processing activity. It must also be added that the two measures are adequate to the realization of the privacy by design imperative, enshrined both in the European regulatory framework (Article 25, 1) and in the Brazilian law (Article 46, § 2º)
Without an adequate level of information security in accordance with relevant and effective measures, the protection of personal data in practice becomes ineffective. And in a context of the digital technologies burgeoning spread and the Internet of Things, the need for security and implementation of appropriate measures to the risks involved in the processing of personal information is increasingly critical – the SingHealth case is symptomatic.
For the fulfillment of the right to personal data protection in all its dimensions, and of the fundamental freedoms that converge in it in the information society, the interpretation and application of the data protection law – Law n. 13709/2018, for Brazilians – must be oriented to promoting the adoption of security measures, especially data encryption, and the diligent compliance with the obligations of agents responsible for information processing. It is important to point out that for this the existence of a data protection authority with supervisory and sanctioning powers is essential. The need for this kind of authority in Brazil is already an urgency.