Revision as of 21:07, 25 January 2022
| CNPD (Portugal) - Deliberação/2021/1569 | |
|---|---|
| Authority: | CNPD (Portugal) |
| Jurisdiction: | Portugal |
| Relevant Law: | Article 5(1)(e) GDPR; Article 5(1)(a) GDPR; Article 9(1) GDPR; Article 13(1) GDPR; Article 13(2) GDPR; Article 35(3)(b) GDPR; Article 83(5)(a) GDPR; Decreto-Lei n. 433/82; Lei n. 58/2019 |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 21.12.2021 |
| Published: | 14.01.2022 |
| Fine: | 1,250,000.00 EUR |
| Parties: | n/a |
| National Case Number/Name: | Deliberação/2021/1569 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Portuguese |
| Original Source: | CNPD (in PT) |
| Initial Contributor: | Jennifer Vidal Ferreira and Giovanna Lahude |
The Portuguese DPA imposed a €1,250,000 fine on the Lisbon Municipality for sharing personal and sensitive data of protestors with third parties, including the embassies and foreign ministers of the countries targeted by the protests.
English Summary
Facts
The case has its origins in what became known in the Portuguese media as “Russiagate”: it emerged that the Lisbon Municipality (the Municipality) had collected personal data belonging to a promoter of a demonstration in Lisbon in favour of Russian dissident Alexei Navalny and had subsequently shared that data with Russian authorities. It was then revealed that data from many other protest promoters had been shared in the past with a vast set of third parties, including the offices of the Portuguese Prime Minister, the Minister of Internal Administration (MAI) and the Public Security Police (PSP), as well as embassies and foreign ministers of third countries targeted by protests in Lisbon.
Although this practice was carried out at least since 2012, and up until 2021 (as an internal database of the Municipality showed), the decision focuses on cases that occurred from 2018 and onward, corresponding to the entry into force of the GDPR. Within the decision is a list of 111 specific protests, and the data that was collected and shared in each case. The data collected from the protestors included name, address (postal or electronic), profession, telephone number, nationality, date of birth, affiliations, marital status, tax identification number, civil identification number, residence permit details, and sometimes even copies of civil identification documents.
After an initial draft decision by the Portuguese DPA (CNPD), the Municipality presented its defense, in which it argued, among other things, that its actions did not constitute willful misconduct but were rather based on a pre-existing tradition within civil governments and on the execution of a "bureaucratic procedure" that was not detected as problematic when internal conformity with the GDPR was evaluated. It also stated that the Mayor had issued an order dated April 3 2013, establishing that the data collected on protestors should only be shared with the MAI and PSP, which was justified in order to ensure not only the safety of the protest but also the provision of additional public services such as electricity and urban cleaning. The Municipality claimed that any sharing of data beyond these agencies was attributable to officials acting contrary to the Mayor's order, and that any assessment of the subjective side of these actions should find them slightly censurable, but not malicious.
With regard to its potential obligation to carry out a Data Protection Impact Assessment (DPIA), the Municipality argued that this obligation had legally prescribed. It also argued that the data shared should not be considered sensitive data under Article 9(1) GDPR, as it does not reveal any of the dimensions protected by this provision, and that the promoters' adherence to the causes defended in the demonstrations was made manifestly public, including on social networks, which constitutes an exception to the prohibition on processing this kind of data under Article 9(2)(e) GDPR.
Additionally, the Municipality claimed that there was no applicable rule to sanction it, since the imposition of fines only applies to the public sector when established by a national law according to Article 83(7) GDPR, and that there is no sanctioning rule applicable to non-business entities in the public sector in the Portuguese GDPR National Implementation Law (Law 58/2019). The Municipality also requested an exemption from any potential fine against it under the terms of Article 44(3) of the aforementioned national law.
Holding
The CNPD held that it was unacceptable to claim that the failure to comply with the duty to carry out a DPIA, provided for in Article 35(3)(b) GDPR, had prescribed because, among other things, Law 58/2019 makes no mention of a prescription period and even maintains this obligation after fines have been imposed. The CNPD also pointed out that the need to carry out a DPIA is not restricted to the processing of special categories of data, and that a potential violation of, or risk to, the exercise of fundamental rights such as freedom of assembly would in itself justify carrying out a DPIA.
On the Municipality's allegation that these data sharing practices were based on a tradition already established under the jurisdiction of civil governments, the CNPD noted that an initial procedure was established in 2012 by the then Mayor of Lisbon through Protocol No. GPCML/1/2012, under which the protest promoter's data was shared with the Prime Minister's Office, the MAI, the PSP, the Lisbon Municipal Police, the Security Coordination Office, the Office of the Deputy Minister for Parliamentary Affairs, municipal services and, where they were targeted, the Parliament, ministries and embassies.
The CNPD also recalled that the Municipality itself recognized the disorganisation of the data remittance procedure when the Mayor issued the order dated April 13, 2013, which amended the aforementioned protocol. This new protocol limited the sending of notices to the Ministry of Internal Administration (MAI) and the Public Security Police (PSP). However, as the facts of the case show, in practice this order was not complied with. Hence, the CNPD held that merely issuing an order without a proper evaluation to ensure compliance with it was a clearly insufficient measure.
Regarding the subjective elements of the Municipality's conduct, the CNPD held that willful misconduct can be established through inferences from the factual circumstances of the case. The CNPD highlighted a consistent disregard for personal data protection rules and notorious laxity in data protection management. This was exhaustively substantiated by the CNPD with numerous examples, including the fact that the Lisbon Chamber remained inactive during the two-year GDPR adaptation period, and that the Municipality's action plan for the implementation of the GDPR was approved only in August 2019. The CNPD attributed the circumstances observed in the Municipality's operational procedures, including the non-verification of compliance with data protection rules, to an “organizational culture, at the very least, very deficient”, and to acting contrary to the principle of accountability.
7. Regarding the lack of a sanctioning rule applicable to the Municipality of Lisbon, the CNPD argues that the imposition of fines on public entities is regulated in Law No. this law apply equally to public and private entities”.
8. Regarding the responsibility of the Lisbon City Council and its employees, the CNPD rejects the Lisbon City Council's attempt to remove responsibility from itself, all the more so considering that this allegation is based on the non-compliance, by the said employees, with the Order issued in April 2013. The CNPD, on grounds already presented under other topics, considers the order itself insufficient and silent on the destination of the personal data contained in the notices about protesters;
9. Regarding the categorization of personal data as special category data, the CNPD highlights the mistake made by the City Council, including in its defense, of confusing the purpose of the demonstrations with the purpose of the demonstration notices, as if sharing notices/reports containing protesters' data were not a problem because the protesters had already publicly expressed their opinion.
The authority considers the fact that more and more protesters around the world are concerned about revealing their identities, since “the growing array of means of identifying, recording and preserving personal information in public places should lead to the updated consideration of the risks that these means pose to freedom of expression and that the fact that a person goes to a demonstration is made public does not authorize any entity to proceed with the processing of that person's personal data", and that the public position of protesters should not be taken advantage of to catalogue people according to their ideas, orientations and religions;
10. Regarding the exemption from the application of fines on the grounds of financial difficulties faced because of the pandemic, the CNPD informs that it took this circumstance into account and, if it had not done so, the severity of the fines imposed would certainly be much higher.
FINE: i. Considering that the essential precondition for the legal accumulation of partial fines is the commission of several infractions by the Lisbon City Council before the conviction for any of them becomes final, and that the partial sanctions are of the same type, the CNPD imposed, under the combined provisions of article 83(3) GDPR and article 19(3) of the Portuguese RGCO, a single fine of € 1,250,000.00 (one million, two hundred and fifty thousand euros), for the violation of the principles of lawfulness, loyalty and transparency, violation of the principle of data minimization in terms of "need to know", violation of the duty to provide the information provided for in article 13 GDPR, violation of the principle of storage limitation and breach of the obligation to carry out a data protection impact assessment.
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.