Jonatas S. de Souza,Jair M. Abe,Luiz A. de Lima,Nilson A. de Souza

DOI: https://doi.org/10.48550/arXiv.2009.14313

2020-09-29

Cryptography and Security

Abstract:Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.

Lucas Gonçalves da Silva,Reginaldo Felix Nascimento,Lívia Nayara Rocha da Silva

DOI: https://doi.org/10.9771/rppgd.v34i0.60420

2024-06-30

Revista do Programa de Pós-Graduação em Direito

Abstract:This work should be considered a panoramic work, which establishes the process of evolution of the Fundamental Right to the Protection of Personal Data in Brazil, taking as a starting point the Constitution of the Federative Republic of Brazil of 1988, until its formalization as a Fundamental Right Autonomous and Express through Constitutional Amendment No. 115/2022. Furthermore, the work addresses the social and economic aspects that demonstrate the context and importance of having the protection of personal data as a Fundamental Right, which binds all agents in society. Finally, the work addresses the infraconstitutional peculiarities of personal data protection in Brazil, to demonstrate how this Fundamental Right behaves outside the constitutional text. The method used was hypothetical-deductive, using bibliographic and documentary resources. Finally, the Fundamental Right to the Protection of Personal Data functions as a very important right to protect subjects in private relationships, so that it is possible to affirm, in the 35 years since the Constitution of the Federative Republic of Brazil of 1988, that the constitutional text remains compromised with the preservation of the axiom of the Dignity of the Human Person and in providing answers to the social and economic dilemmas experienced by society.

Isabel Maria Lopes,Teresa Guarda,Pedro Oliveira

DOI: https://doi.org/10.1007/s10916-020-1521-0

IF: 4.92

2020-01-10

Journal of Medical Systems

Abstract:The focus on personal data has merited the EU concerns and attention, resulting in the legislative change regarding privacy and the protection of personal data. The General Data Protection Regulation (GDPR) aims to reform existing measures on the protection of personal data of European Union citizens, with a strong impact on the rights and freedoms of individuals in establishing rules for the processing of personal data. The GDPR considers a special category of personal data, the health data, being these considered as sensitive data and subject to special conditions regarding treatment and access by third parties. This work presents the evolution of the applicability of the Regulation (EU) 2016/679 six months after its application in Portuguese health clinics. The results of the present study are discussed in the light of future literature and work are identified.

health care sciences & services,medical informatics

Sâmmara Éllen Renner Ferrão,Geovana Ramos Sousa Silva,Edna Dias Canedo,Fabiana Freitas Mendes

DOI: https://doi.org/10.1016/j.infsof.2024.107396

IF: 3.9

2024-01-07

Information and Software Technology

Abstract:Context: Ensuring compliance with current data privacy legislation poses a significant challenge for software development teams, demanding adaptations to processes in order to align with legal requirements. Objective: This study proposes a comprehensive taxonomy of privacy requirements, drawing from the Brazilian General Data Protection Law (LGPD) and ISO/IEC 29100. The aim is to assist software development teams in navigating the complexities of legal compliance. Method: To define the research gap, we conducted a systematic literature review (SLR) initially, identifying existing taxonomies of privacy requirements. Subsequently, we applied the Goal-Based Requirements Analysis Method (GBRAM) to extract privacy requirements from LGPD and ISO/IEC 29000. Finally, we implemented the proposed taxonomy in the privacy policies of Brazil's three largest banks. Results: The taxonomy comprises 129 requirements, categorized into 10 distinct groups across 5 contexts. In applying the taxonomy to ISO/IEC 29100, analysis of 63 statements for GDPR+ISO/IEC 29100 yielded 33 requirements, whereas for LGPD+ISO/IEC 29100, 58 statements resulted in 57 requirements. Application of the taxonomy revealed adherence percentages ranging from 40% to 71% concerning the evaluated solutions. Conclusions: The outcomes strongly suggest that major corporations are yet to achieve full LGPD compliance. We posit that the proposed taxonomy offers a valuable industry tool for validating LGPD compliance within implemented systems, as exemplified by our successful use case with Brazilian banks.

computer science, information systems, software engineering

Luiz Paulo Carvalho,Jonice Oliveira,Flávia Maria Santoro,Claudia Cappelli

DOI: https://doi.org/10.5753/isys.2021.1235

2021-08-20

Abstract:Data protection and data-driven solutions are two progressing areas permeating Brazilian society. This work presents an interdisciplinary theoretical approach related to Ethics, from the ethics in computing perspective; the LGPD, from the Law studies perspective; and the Social Network Analysis in Brazil, from the Informatics perspective. This research area utilizes personal data extensively for knowledge construction, with semantic contributions, analyzing the reality; or pragmatic, building artifacts. Challenges and inseparable issues are observed, exposed, and debated in this work. We present considerations combining the three topics, personal data in the research field of social networks in Brazil respecting the LGPD and ethics precepts.

Gabrielle Bezerra Sales Sarlet,Daniel Piñeiro Rodriguez

DOI: https://doi.org/10.1365/s43439-023-00081-2

Abstract:This article aims to identify the necessary elements for the independent and democratic structuring of the National Data Protection Authority (ANPD) in its definitive legal profile, as an autarchy under a special regime, so that it can achieve the technical and decision-making autonomy that it was granted by the Brazilian Data Protection Law (LGPD). Drawing on documentary research and findings on similar foreign authorities, it is possible to point out, as a partial result of this analysis, the insufficiency of entrusting such a mission to its recent formal separation from the Direct Administration, being also possible to conclude that the success of the state modernization in the Digital Age will depend, to a large extent, on intertemporal choices able to direct the ANPD towards a structure attentive to technological innovations. To this end, the training and continuing education of the institution's staff, as well as possible agreements to be signed by the entity, such as the alternatives sought by the Courts of Accounts in the field of information and communications technology (ICT), emerge as a determining factor.

Marcelo Negri Soares,Marcos Eduardo Kauffman,Kuo-Ming Chao,Maktoba Omar Saad

DOI: https://doi.org/10.5020/2317-2150.2020.9969

2020-01-01

Revista Pensar

Abstract:As technology continues to evolve at an exponentially increasing pace, it transforms our lives and societies, thus shaping our perceptions of reality with high speed and impacting the relationship between the individual and the society, including businesses and, as a result, the legal system. The young area of law is trying to explore the effects of new technologies in our relationships with it, as well as identify the best use of new technologies to reduce the gap among new technology, new societal behaviors and various legal systems. The purpose of this paper is to examine the current uses of wearable technologies in Brazil and the legal issues emerging from the various uses of these technologies and their impact on personality rights. So, to what extent do the Brazilian users of emerging technologies appreciate the terms and conditions agreed by themselves and their impact on personality rights? The authors used empirical quantitative data from a cross-section of Brazilian users to explore the level of awareness in regards to the terms and conditions associated with the use of emerging technologies and the impact on their personality rights. The authors found that the large majority of these users of technology are unaware of the adverse impact of the agreed terms and conditions on their personality rights. Furthermore, they are also unaware of the basics of how the technology operates and therefore are unable to enforce their rights. The research is based on data collected by using only one survey with a sample of 500 students from three universities in three Brazilian States with an age range between 18 and 40 years old. This paper extends the previous research on the impact of emerging technologies on personality rights and demonstrates with empirical data that there is a serious risk of erosion of such rights. Furthermore, this research provides a unique insight into the users of emerging technologies in the emerging Brazilian market and the impact on the Brazilian legal system.

Patricia Boshe,Moritz Hennemann,Ricarda von Meding

DOI: https://doi.org/10.54648/gplr2022008

2022-05-01

Global Privacy Law Review

Abstract:Data protection law is experiencing a global rise. Whilst setting the boundaries for public and private data processors, it has become a vital factor for individual protection and innovation alike. The quest for adequate data protection regimes is on-going, not only, but also on the African continent. Since 2001, the majority of African states have drafted and enacted data protection laws. Hard law and soft law instruments have been developed by the African Union and the African Regional Economic Communities. Regularly, EU-style legislation has been used as a source of inspiration – a process actively pushed for by the EU. Against this background, this study evaluates the current state of data protection law and data protection policy in Africa, questions the process of legal transplantation, and favours the consideration of a unique African approach to data protection. Thereby, this study is also a story about alternative routes to the General Data Protection Regulation (GDPR) which are – for many reasons – not easy to take. Africa, African Union, African Regional Economic Communities, Data Protection, Privacy, GDPR

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

J. Noar,N. Hemmings

DOI: https://doi.org/10.12968/ORTU.2018.11.3.110

2018-07-02

Orthodontic Update

Abstract:Abstract: The General Data Protection Regulations (GDPR) govern the use of personal data within the European Union as from 25th May 2018. This supersedes the legislation of the Data Protection Act (DPA). Whilst it has many similarities to the DPA, it has significant enhancements that require active engagement to ensure compliance. It is a requirement for practices to appoint a Data Protection Officer, pay the Information Commissioners Office (ICO) fee, update their privacy notices, create written contracts between controllers and processors, identify and document the lawful basis for processing data, and comply with the rights of individuals. CPD/Clinical Relevance: Data protection regulations have changed as part of EU legislation. These changes applied from 25th May 2018 and are applicable to all.

Business,Law

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

Elder Elisandro Schemberger

DOI: https://doi.org/10.55905/oelv22n2-025

2024-02-07

Abstract:Data management is a comprehensive process that includes data collection, storage, organization, and maintenance for efficient data analysis and use. With data generation at unprecedented volumes and at breakneck speed, effective data management has become an operational necessity and a competitive advantage. In the context of Data Science, data is the raw material for insights and innovations, making its proper management fundamental to ensure reliability and accuracy. This article stresses the importance of data governance, security and privacy, especially in view of the increase in data protection regulations such as the LGPD. It also addresses efficiency in data management as essential to driving innovation and facilitating data-driven decision-making in organizations and academia. The ability to manage large volumes of data is unique because well-managed data provides a valuable source of information, enabling trend identification, process optimization and strategic decision making, leading to innovation and competitive advantages. Also, this article discusses LGPD compliance, not only as a legal issue, but also as an opportunity for companies to build trust with their users by demonstrating a commitment to data security and privacy. Efficient data management also involves choosing appropriate tools and technologies and implementing policies that ensure data compliance and security.

Fernando Filgueiras,Lizandro Lui

DOI: https://doi.org/10.1080/25741292.2022.2065065

2022-04-15

Policy Design and Practice

Abstract:Data governance is a decision-making process focused on authority building to specify decision rights and accountability that encourage desired behaviors regarding data use, security, integrity, and availability. The emergence of big data technologies to design public policy and deliver public services requires governments to design data policy and governance. This paper analyzes the dynamics of data governance design in the Brazilian Federal Government, based on institutional analysis and policy development. The paper reports a series of interviews with Brazilian Federal Government policymakers to frame the data policy design dynamics. The paper concludes that the policy design dynamics to data governance are path dependent and shape actions situations that reinforces previous institutions. In the case of the Brazilian Federal Government, the institutional framework is ambiguous, creating situations of conflict and ineffectiveness in the design of the data policy.

Paulo Henrique Alves,Isabella Z. Frajhof,Fernando A. Correia,Clarisse de Souza,Helio Lopes

DOI: https://doi.org/10.48550/arXiv.2010.11677

2020-10-22

Computers and Society

Abstract:Data privacy is a trending topic in the internet era. Given such importance, many challenges emerged in order to collect, manage, process, and publish data. In this sense, personal data have got attention, and many regulations emerged, such as GDPR in the European Union and LGPD in Brazil. This regulation model aims to protect users' data from misusage and leakage and allow users to request an explanation from companies when needed. In pandemic situations, such as the COVID-19 and Ebola outbreak, the action related to sharing health data between different organizations is/ was crucial to develop a significant movement to avoid the massive infection and decrease the number of deaths. However, the data subject, i.e., the users, should have the right to request the purpose of data use, anonymization, and data deletion. In this sense, permissioned blockchain technology emerges to empower users to get their rights providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts. The governance model discussed in blockchain applications is usually regarding the first layer governance, i.e., public and permissioned models. However, this discussion is too superficial, and they do not cover compliance with the data regulations. Therefore, in order to organize the relationship between data owners and the stakeholders, i.e., companies and governmental entities, we developed a second layer data governance model for permissioned blockchains based on the Governance Analytical Framework principles applied in pandemic situations preserving the users' privacy and their duties. From the law perspective, we based our model on the UE GDPR in regard to data privacy concerns.

Elif Erdemoglu

DOI: https://doi.org/10.1007/978-94-6265-144-9_7

2016-01-01

Abstract:The discussion on the regulation on citizens’ right to privacy grows parallel to the widespread usage and collection of Big Data. This chapter analyses from a law and economics perspective the discussion on the European Union (EU) citizens’ rights to privacy with regards to collection, retention, analysis and transfer of personal data in light of the EU General Data Protection Regulation (GDPR). The GDPR is drafted in coherence with the EU Digital Market Strategy, which aims to create the correct incentives for digital networks and services to flourish by providing trustworthy infrastructure supported by the right regulations. A significant part of achieving this aim would require the EU citizens to trust in using digital services. The GDPR is designed to increase the citizens’ trust to use online and digital services by obliging the service providers to comply with the GDPR. This chapter analyses two key compliance requirements of the GDPR through the economic analysis lens and proposes possible changes to the GDPR in line with the Digital Single Market Strategy of the EU. The scope of this chapter’s analysis is limited to how to cure information asymmetries between the citizens and the data collectors in order to increase the citizens’ trust in using digital services given the fast-changing and delicate legal issues arising from collecting the personal data of the EU citizens. This chapter concludes by suggesting three improvements to the GDPR; more frequent controls for issuing the EU Data Protection Seal, increased independence of the Data Protection Controller and issuance of publicly available, frequent privacy ratings.

Oluwatosin Reis,Nkechi Emmanuella Eneh,Benedicta Ehimuan,Anthony Anyanwu,Temidayo Olorunsogo,Temitayo Oluwaseun Abrahams

DOI: https://doi.org/10.51594/ijarss.v6i1.733

2024-01-25

International Journal of Applied Research in Social Sciences

Abstract:As the world becomes increasingly interconnected through digital technologies, the protection of individuals' privacy has emerged as a critical concern. This paper conducts a comprehensive global review of privacy legislation and enforcement mechanisms, shedding light on the challenges posed by the digital age. With a focus on the intricate balance between technological advancements and the fundamental right to privacy, the study explores the evolving legal landscape and its implications for individuals, businesses, and governments. The analysis encompasses diverse jurisdictions, highlighting the variations in privacy laws and enforcement approaches across regions. From the European Union's robust General Data Protection Regulation (GDPR) to the nuanced approaches in Asia and the Americas, this review synthesizes the evolving regulatory frameworks. Special attention is given to emerging issues such as the use of artificial intelligence, biometrics, and surveillance technologies, which pose unique challenges to existing privacy paradigms. Moreover, the paper investigates the effectiveness of enforcement mechanisms in ensuring compliance with privacy laws. It examines the role of governmental agencies, regulatory bodies, and international collaborations in addressing cross-border data flows and global privacy challenges. The study also evaluates the impact of recent high-profile privacy incidents on shaping legislative responses and enforcement strategies. By presenting a holistic view of privacy law challenges in the digital age, this research contributes to the ongoing discourse on safeguarding individuals' privacy rights in an era of rapid technological innovation. The findings provide valuable insights for policymakers, legal practitioners, businesses, and individuals seeking a deeper understanding of the evolving dynamics surrounding privacy legislation and enforcement on a global scale. Keywords: Law, Privacy Law, Digital Age, Review, Data Protection.

Adriane Garcel Chueire Calixto,Sergio Moro

DOI: https://doi.org/10.37497/corruptionreview.6.2024.80

2024-06-04

Abstract:Objective: This study aims to investigate the regulation and applicability of the whistleblower institute in Brazil, focusing on a critical analysis of existing legislation and examining the potential impact of Bill No. 2581/2023 on promoting an ethical culture in publicly traded corporations. Method: The research employs a logical deductive method to analyze legislative documents and conduct a bibliographic review of specialized literature on law and business ethics. Additionally, it incorporates illustrative case studies, such as the recent Lojas Americanas scandal, to contextualize and deepen the discussion. Results: The analysis reveals significant gaps in the legal protection and incentives for whistleblowers in Brazil, which contribute to an environment where fraudulent practices can persist due to insufficient reporting. The study identifies Bill No. 2581/2023 as a promising legislative initiative that outlines specific measures to protect whistleblowers. The bill is seen as crucial for developing a more ethical organizational culture, aligning Brazil with international anti-corruption practices, and improving the overall business environment. Conclusions: The proposed Bill No. 2581/2023, by addressing the deficiencies in legal protections and incentives for whistleblowers, has the potential to significantly enhance internal control mechanisms within companies, boost investor confidence, and foster a more stable and fair capital market. Effective whistleblower protection is essential for combating corporate fraud and fostering a transparent and ethical business environment in Brazil.

Domingos Soares Farinho

DOI: https://doi.org/10.53116/pgaflr.7134

2024-01-01

Abstract:The new EU Digital Services Act (DSA) is intended to regulate intermediary service providers, with particular attention to online platforms and search engines. The core activity of such platforms and engines is personal data processing, pursuant to the tasks of content moderation and recommendations. This means that regarding personal data, there is an interconnection between the GDPR and the DSA, and it is a matter of law to determine how they interact in the EU digital space. This paper endeavours to draw a comprehensive picture of how the GDPR and the DSA seek to provide better guidance on the adequacy and enforcement of personal data protection. It is argued that their relationship is best described as the DSA being the lex specialis vis-à-vis the GDPR, but this is somewhat blurred by instances where the latter is mostly complementing the former, such as 1. specific legal basis for data processing in compliance with new legal obligations for platforms; 2. a new articulation between both regulations concerning dark patterns; 3. new prohibitions on personal data processing ; 4. new duties for the protection of personal data; and 5. a new ancillary institutional framework to regulate data protection by online platforms in collaboration with national data protection authorities.

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.