Page 14 - SMRH Eye on Privacy 2019 Year in Review Brochure

definition of personal information under LGPD is also broader. The law will be enforced by Brazil’s new National Data Protection Authority, and carries penalties that are similar to GDPR. Before the law goes into effect, it is expected that the data protection authority will issue regulations.
PUTTING IT INTO PRACTICE: As we await implementing regulations for this new law, companies with global reach will want to start thinking about how they will provide rights in Brazil, if they are not already doing so.
French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data
Posted on July 29, 2019
CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded to the website. This security defect left a trove of nearly 300,000 tax and identity documents accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.
CNIL also knocked the company for keeping users’ information for longer than it was needed for the purpose of processing the user’s real estate rental application. The company did not disclose that it would keep or use the information for another purpose, and did not properly archive the data after the purpose was finished. The fine assessed by CNIL came to nearly 1% of revenue. The maximum GDPR fine considered was 20 million euro or 4% of revenue.
PUTTING IT INTO PRACTICE: This fine is a reminder for companies that operate in the EU to review their data protection assessments, as EU privacy regulators field and investigate complaints about data security vulnerabilities and continue to enforce GDPR.
Privacy Developments in China, Singapore and Hong Kong
Posted on July 24, 2019
International companies should keep in mind recent developments coming out of Asia on the privacy front. Chinese authorities are reported to be confiscating smartphones at the border to install surveillance apps. Companies will want to think carefully about the assets they bring into the country. They will also want to keep in mind the Chinese Ministry of Public Security’s ability to conduct remote penetration tests, perform in-person network security inspections (which may involve local police), and prosecute organizations if state-prohibited or unlawful data is discovered during inspections. The state maintains a right to copy data, including proprietary information like IP and trade secrets, discovered during inspections without disclosure. These responsibilities come under the “Regulations on Internet Security Supervision and Inspection by Public Security Organs,” which expanded China’s 2017 privacy law.
On the data breach investigation front, Singapore and Hong Kong have agreed to a memorandum of understanding on a shared personal data protection program to make it easier to go after cyber threats. This comes after two major data breaches in 2018. As part of this joint program, the two have developed a publicly available joint guide to data protection for info-communications and technology systems.
PUTTING IT INTO PRACTICE: These developments are a reminder both that data security remains an issue of concern worldwide, and that companies should think about the corporate assets they have that governments may access.