Main Authors: Rita Meneses (TRUST-IT), Regina Moraes (UNICAMP), Vasiliki Diamantopoulou (UPRC), Ignacio Blanquer (UPV)

Additional Authors: Francisco Brasileiro (UFCG)

Focus Area: 

Common EU-BR Regulation for Trust in Digital Environments

Who stands to benefit and how: 

International collaboration consortium between Europe and Brazil that require the treatment of sensitive information through cloud services.

Position Paper: 

The generalisation on the use of cloud services has created highly complex scenarios for customers and providers. The globalisation of the service providers, the use of provider complex Application Program Interface (API) stacks, the lack of knowledge of the backends directly affect the protection of the citizens concerning the management of their personal data. There is a concern on the international dimension of the cloud, the combination of multiple providers (services, resources, network, etc.) and the lack of control, especially in the liability, isolation and intervention.

Moreover, in the scenario of international collaboration projects, researchers may have to face multiple regulations. In the frame of Europe and Brazil, several regulations have emerged recently in both regions. On the European side, the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons and on the free movement of personal data was published in the Official Journal of the European Union on April 27th 2016. This law repealed Directive 95/46/EC with effect from May 25th 2018. This regulation has 11 chapters, 99 articles and 172 recitals aimed of defining a normative “relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”. On the Brazilian side, the idea of the development of a national data protection law in Brazil has also been under governmental discussion and public consultation in various forms since 2010. The approval of Marco Civil da Internet in 2014 (law No 12.965/2014) was an important landmark, after more than five years of public debates between the Ministry of Justice, the Labour Party, the opposition, non-governmental organizations, activists and scholars. In the following years, Brazilian legislature have debated three proposals (Draft Law N 5276/2016, Draft Law N 330/2013 and Project Law 4060/2012) that could radically reshape the country’s data protection landscape. The PLC 53/2018, known in Portuguese as “Lei Geral de Proteção de Dados Pessoais” (LGPD), was approved by Brazilian Senate in July 2018 and by the President in August 2018, coming into force in February 2020.

The LGPD draws heavily on the provisions of the recently introduced European General Data Protection Regulation (the “GDPR”). It is organised into 65 articles and is similar to the GDPR in its expansive scope. The processing of personal data (with special protections carved out for sensitive personal data and children’s personal data) is being covered, while a fundamental right of privacy for data subjects is being established, including the right to obtain information about data processing from data controllers. The concept of extra-territorial application is also similar to the GDPR as the rules contained in the LGPD will be applicable not only to companies based in Brazil but also to businesses outside of those countries that are processing personal data of Brazilian citizens, just like GDPR requirements apply to organisations outside of the EU, but process personal data of EU citizens. Additionally, the concept of consent is described in LGPD, which is considered as one of the most important points of the GDPR, as it constitutes one of six possible legal grounds for lawful personal data processing. However, the LGPD regulation has received a lot of debate on the “personal data will be treated fairly and in good faith to meet the legitimate interests of the owners’ (article 9)” part. Statements as the above have been added to provide greater flexibility, however, the provision of the legitimate interest was a source of concern from different stakeholders. It has been argued by experts that it is relevant as it recognises that other parties - apart from the owner themselves - may have legally protected interests in the processing, use or transfer of certain information. As for the fines of non-compliance is concerned, failure to comply with the LGPD could result in a fine of up to 2% of turnover, or revenue, limited to 50 million reais (approximately USD 12.9 million) per violation. Fines under the GDPR are set at EUR 20 million (approximately USD 23 million) or 4% of turnover, whichever is higher. However, apart from the similarities that these two regulations have, the analysis also reveals some differences between them, while some concepts are still vague in the LGPD, and require further elaboration by the corresponding bodies before this law comes into force. Regarding the data retention period, in the GDPR, there is neither a specific retention period recorded nor focus on specific applications or so. The requirement is more generic, to find a broader application. In LGPD, telephone records and personal data must be stored for five years and Internet connection logs must be retained for one year.

ATMOSPHERE is a joint European and Brazilian research project funded under the fourth Europe-Brazil joint call. ATMOSPHERE focuses on trustworthy federated clouds for critical applications, such those in the medical sector, and therefore the application of GDPR and LGPD is crucial. From the trustworthiness attributes stated in ATMOSPHERE (Security, Privacy, Coherence, Isolation, Stability, Fairness, Transparency and Dependability), particular attention is paid to the privacy assurance. Along with the development of guarantees to enhance privacy, there are several specific aspects in the regulations that are addressed in ATMOSPHERE. The deployment of a federated infrastructure opens the door to international data transfers, which may not be allowed for specific data items. The federation services must provide means to impede such actions. Second, ATMOSPHERE implements a metric for the privacy, which could provide a quantitative mechanism to evaluate the inherent privacy and the re-identification risk for an anonymised dataset, which could lead to applying the same privacy protection techniques as in the case of critical data. Finally, ATMOSPHERE will provide measures for fairness and transparency, quite aligned with the request of lawful processing and non-discrimination of these regulations.

The contribution of ATMOSPHERE to the implementation of the GDPR faces areas that are less covered by the conventional approaches, such as the generation of quantitative evidence of the privacy risks, the adoption of advanced techniques to reduce the vulnerabilities and the consideration of transparency and fairness at the same level as other properties. First, ATMOSPHERE will provide monitoring evidence of the trustworthiness of the services, thus being able to restrict the access to sensitive data to high-trustable services. Second, ATMOSPHERE introduces techniques based on the execution in encrypted memory areas through the SGX extensions. This way, non-trustable cloud infrastructures can be used without increasing the risk of information disclosure. Third point, the consideration of transparency and fairness, is the most novel one. ATMOSPHERE works on providing trustworthiness scores on complex matters such as how ethical a service could be by analysing the bias of specific critical data as the one reflected in article 9. ATMOSPHERE aims to provide information on how a data profiling decision is taken and the impact of this critical data. In some cases, a profiling algorithm may provide a bias on gender (e.g., when a classifier identifies the risk of developing breast cancer, between 70 and 100 times less frequent in males) or a consequence of a biased population sample (e.g., when collecting data from Internet-connected mobile phones on a developing country). As the subjects have the right to revoke the processing permission (art. 18), mainly when used for profiling in an automated way (Art. 22), this information can convince the data subjects that the processor uses their data lawfully and ethically. Finally, ATMOSPHERE will pay attention to the access and transfer of data in an international context, beyond the borders of Brazil and the European Union.