Welcome to Compliance & Corporate Ethics in Practice!

* * *

After Dataprev, Federal Government includes Serpro in the National Privatization Program – Replicating the procedure adopted one week ago with the Social Security Technology and Information Company (“Dataprev”), President Jair Bolsonaro signed Decree n. 10.206/2020 and officially placed the Federal Data Processing Service (“Serpro”) on the Brazilian privatization agenda, qualifying the company for the Investment Partnership Program (“PPI”) of the Presidency of the Republic. Although foreseeable, the decision is controversial, because the two state-owned companies concentrate sensitive information on millions of Brazilian citizens. They are responsible for managing data systems such as the Individual Taxpayers’ Register (“CPF”), the Digital Driver’s License (“CNH Digital”) and registration with the Brazilian Social Security Institute (“INSS”). (Tecnoblog; 01.23.2020)

* * *

Spotify will use users’ data to display targeted ads in podcasts – After becoming an ordinary feature on websites and social networks, targeted ads are starting to gain ground in another medium: podcasts. Aware of this trend, Spotify has announced that, through a technology called Streaming Ad Insertion, it will begin to display real-time ads during playback of its podcasts, based on the data saved about each user, as larger web channels already do. So, if two individuals simultaneously listen to the same Spotify exclusive podcast, each of them will receive different ads, because interests, age, gender and location, among several other factors, distinguish one person from the other. One important advantage for the success of this project is that Spotify knows more about its users than other podcast players do, which positions the company as an attractive showcase for advertisers, listeners and content creators. Furthermore, the company has already made clear that it believes in the growth of the podcast industry, given its investments in startups in that sector. (The Verge; 01.08.2019)

* * *

New law of Minas Gerais State enhances transparency and publicity on bids – According to the 01.14.2020 edition of the Minas Gerais State Official Gazette, State Law n. 23.569/2020 has already come into force and effect, applying the principles of publicity, transparency and access to information to local bidding proceedings. The new law determines that agencies and entities of the State Public Authority shall publish and disclose, on their official websites, governmental actions and documents in connection with bids, waivers and exemptions of bidding proceedings, public-private partnerships (PPPs), concessions, permissions and covenant agreements. The disclosure of this information on the internet does not exempt publication in the Official Gazette, whenever stipulated by law. To access the legislation, click here. (Migalhas; 01.15.2020)

* * *

In times of “LGPD”, Direct exposes clients’ data saved for approximately 5 years – Have you ever imagined accessing information from 2015 to 2020, knowing just one person’s Individual Taxpayers’ Registry Number (“CPF”) and Zip Code (“CEP”)? What should be inconceivable became reality on the webpage of Direct, a carrier company that belongs to B2W (the e-commerce company that holds the “Americanas.com”, Submarino and Shoptime websites). Amazon clients have also been affected, because the company only terminated its contract with Direct in 2018. Among the disclosed data are complete names, addresses, telephone numbers, prices paid for products, the number of purchases of each client and delivery dates. Even the names and ID numbers of concierges authorized to receive packages have been revealed. On the other hand, specific descriptions of purchased products have not been exposed. And, in this scenario of insecurity and concern, Brazilian companies gear up for the last seven months before the Data Protection General Law (“LGPD”) enters into force. (Diário da Amazônia; 01.17.2020)

* * *

Implementation of Integrity and Compliance Program starts in 60% of State of Paraná’s departments – Twelve departments, two agencies and the “Paranacidade” social service. With these entities, the State of Paraná’s Government has started the implementation of its Integrity and Compliance Program. The first stage consists of carrying out interviews with public servants at different hierarchy levels. From the information collected, a map of vulnerabilities will be drafted to point out scenarios of possible failures and misconduct. Afterwards, the State’s Comptroller General Office (“CGE”) will be in charge of creating specific integrity plans, along with public servants of each entity, establishing protocols for the activities carried out by the Public Administration. From then on, the Integrity and Compliance Centers of each State agency will monitor the fulfillment of the plans – six of them have already been concluded and delivered to the respective departments. (Agência de Notícias do Paraná, 01.14.2020)

* * *

One year and a half of GDPR in numbers: fines totaling €114 million and 160 thousand violation cases registered – In force and effect since 05.25.2018, the European General Data Protection Regulation (“GDPR”) has not been able to stop data security incidents on the continent, the number of which increased during the 18 months the rules have applied. Cases involving world-class companies such as British Airways and Marriott Hotels have caused a stir. Experts say there is no lack of clarity or severity in the GDPR, but that regulators have to adapt in order to make the most of the regulation’s potential. While our Data Protection General Law (“LGPD”) provides for fines corresponding to 2% of a company’s annual income, the GDPR envisages penalties twice as high. (Olhar Digital; 01.22.2020)

* * *

Project Zero seeks more safety for users with a new procedure for disclosing vulnerabilities – “Full 90 days by default, regardless of when the bug is fixed”. This is the slogan of the new vulnerability disclosure policy being tested by Google’s Project Zero team. Under the former system, if anyone released a patch for a bug within the 90-day period, the vulnerability would be disclosed to the public as soon as possible, before the end of that term. So, users had to race against the clock to correct flaws before hackers exploited them. Now, Project Zero will respect the 90 days until expiration, even if patches come out during the course of the term. Google believes that, with more time, vendors will be able to engineer more mature and complete solutions. (The Verge; 01.08.2020)

* * *

Security flaw, exposure of sensitive data and denial: the drama of the State of Goiás’ Public Security Department (“SSP/GO”) – At the beginning of this year, a serious failure was found in the access control system used by SSP/GO, which allowed any person to freely access data contained in judicial orders, investigations and lawsuits in progress at the State department. The user just had to interrupt the loading of the “MPortal” page before the login screen was displayed. The platform then loaded directly on the user’s computer, and he had the SSP/GO database at his disposal, without any credential check. The problem has been solved, but the State department denies the existence of any flaw in the system, so it has not carried out any procedure to check for unauthorized accesses. Experts say there is another vulnerability in “MPortal”. Unfortunately, users of the platform must remain permanently on standby, because criminals use captured data for racketeering, social engineering and all kinds of tricks. (Canal Tech; 01.24.2020)

* * *

To learn more
The use of integrity programs is becoming a more common practice in the corporate environment. In this edition, we recommend reading the text “Compliance: Garante integridade e previne corrupção em empresas”, which points out the main advantages of implementing compliance tools.

* * *

To send your suggestions/opinions to our newsletter, click here.
To receive our newsletter, please, click here.

And don’t forget: stay in compliance!
See you in our next edition!

Compliance Desk