Banks will get a “tasting” of personal data held by the government; does this violate the GDPR? – Brazil – Tecnoblog

An agreement between the Ministry of Economy and the Brazilian Association of Banks (ABBC) prompted a note from Idec (the Brazilian Institute for Consumer Protection) to the ANPD (National Authority for Data Protection). The partnership allows financial institutions to use the ICN (National Civil Identity), a kind of biometric identification card based on the CPF. According to the pro-consumer institute, the agreement may violate the LGPD (General Data Protection Law).

Banks will have an “experimental tasting” of the federal government’s service database (Image: Banco do Brasil/ Disclosure)

“Experimental tasting”

The Cooperation Agreement was signed by the Digital Government Secretariat (SGD), linked to the Ministry of Economy, with ABBC, which brings together companies such as Banco BMG, C6 Bank and XP Investimentos.

The document provides for an “experimental tasting” of the APIs used by the government to validate the identity of users accessing the platform. The database, the ICN, contains information considered sensitive according to the LGPD, such as biometrics for validation in apps such as e-Título.

On the banks’ side, the use would be to improve their applications. The user could log in using the information from, as is already done by some institutions. In addition, actions linked to the application may use APIs from the federal government, as long as they carry the Gov.Br logo.

The Idec team, in a letter sent to the Ministry of Economy, believes that the Cooperation Agreement may violate the LGPD, because there is no evidence that the partnership follows the criteria established by law. The document states explicitly that the “technical aspects” of using government APIs “will be dealt with directly between the SGD and the Banks”.

In the note sent to the ANPD, Idec asks for justifications on the following points:

  • The delimitation of the legal basis for the processing of this data;
  • Justifications for public interests;
  • The right to informational self-determination of data subjects;
  • And guarantees regarding data security.

ICN data is used in ConectSUS and Enem

The ICN is a government database that includes information from e-Título and from the National Civil Registry Information System (Sirc). The committee behind the ICN is responsible for creating the National Identity Document (DNI), to be produced by Serpro in conjunction with the TSE.

The ICN data is used on the platform itself, which gathers information from services such as ConectSUS, INEP (the database for Enem, Sisu, Prouni and Fies), Digital Traffic and Digital Work Cards, in addition to information from the Federal Revenue Service.

My App (Image: Gabrielle Lancellotti/Tecnoblog)

Recently, the federal government issued a decree to replace the ICN committee with CEFIC, the Federal Executive Chamber for Citizen Identification.

As several banks already have their own customer biometric systems, Idec raised doubts about the private use of this data. The institute did not recognize the government’s interests in promoting and providing the recognition APIs to banks. Idec added in the letter sent to the Ministry of Economy:

“These are extremely broad and abstract objectives, which use the personal data of citizens collected initially for the purpose of implementing public policy for the improvement of government applications, but also for an unjustified and non-transparent improvement of banking applications.”

The lack of public transparency in carrying out the agreement, without public consultation, attests to the holders’ lack of control over their own data, both sensitive and non-sensitive, says Idec.

With information: TeleSynthesis
