The website datosperu.org, which publishes information about people and businesses, was fined with S/.228,000.00 (approximately US $78,620.00) for breaking the law of personal data protection, or Law 29733, created in Perú in 2011.
Datosperu.org has different sources of information, most commonly public entities such as the Perú-based SUNAT, as well as legal regulations that are published daily at the official newspaper El Peruano. These sources generate income from the owners of the website through Google Adsense and other services.
The penalty was issued by the National Authority of Personal Information Protection (APDP) due to complaints against the site for publishing information that affects the applicants. The website has documents of sanctions of these two people, but not the documents that cancel those administrative acts which obviously cause trouble for these users.
One of the points of the specific penalty (Page 6) is that “the published resolution is still hosted on the website ‘http://www.datosperu.org/'—according to the claims of Internet users—without previously making their personal data anonymous, which constitutes an infringement of the fundamental right to protection of personal data.”
On the website Iriarte y Asociados, laywer Cinthya Téllez analyzes:
How did datosperu.org obtain that information? Because first that was published in the newspaper El Peruano […] and it is argued that this penalty is given to datosperu.org for using data without the owner´s agreement. The public information previously published in El Peruano does not constitute information about information publicly relevant or with general interest, because the claimants do not participate in public activities. So, there is no justification which affects privacy of the claiming citizens and the web site had to anonymize it.
Although the APDP could not find the website responsible because the address does not belong to them and there is no corporate owner of datosperu.org, the business responded after the penalty was imposed and it argues, among other things, that in the sanction against them there is “abuse of power” from the State or a public employee. It also indicates that publishing public information is not a crime. Nevertheless, it will delete that information and probably close the site. This generated a debate about datosperu's refusal to address the complaints at the time, and the validity of some of the arguments made by the APDP in applying the fine.
The discussion about datosperu.org in the Peruvian blogosphere is not new; in March of 2012, some entities from civil society were alerted by the site's lack of transparency, demanded to know from the APDP the name of the domain owner or those responsible for the site, because a list from an American official website stated that they were a “Peruvian government initiative to promote open data from public administration”, which was obviously wrong. It is worth mentioning that the claim had a negative response because it did not contain “important data within the jurisdiction of the National Authority for the Protection of Personal Data”.
Arturo Díaz commented in a personal way on his blog:
When I visited datosperu.org I got the unpleasant surprise of finding some of my personal information posted there without my permission. Not even on Facebook do I do I have to post my information in such a precise way and now a site with dubious origin has posted it as if I asked them to. With regard to this, it is insulting that when you intend to try to find those responsible for this page through Facebook, they give us a little “special window” to which if we agree, could well capture your username and password.
In 2012, the lawyer Miguel Morachimo gave some legals clarifications about the privacy of some published data. He thought that:
At first, DatosPerú does not contain secret or prohibited information. In fact, It contains information with free access. It only has information which was already available in SUNAT as well as on some other websites of public institutions, that is to say, public information […] Our Law of Personal Data Protection (.pdf) defines personal data as any information that identifies a natural person or that it makes him identifiable, distinguishing from sensitive data as biometric data that can identify the owner.
Additionally, the engineer Dámaso Fonseca talked this year in his blog about the anonymity of the site datosperu.org, through dissection and data tracking which could reveal those responsible. In the process, he found connections with Peruvian and Spanish sites that work or worked “publishing information related to personal data and obtaining profits from the visits of Google AdSense”, being that some of these Spanish sites were also sanctioned for various reasons.
As regards this last penalty, Miguel Morachimo wrote again about emphasizing if the APDP's resolution was really appropriate now, since the APDP determines that the legal standards reported in El Peruano can only be published after being anonymized.
Apart from multiple execution problems that tried to enforce a decision from a ghost company, it is problematic to orient it against publicity of normal standards. First, because there are many situations in which the violation of personal data information is unquestionable and it constitutes generalized practice in the market. But also because the criteria that says public information of the State can only be replicated when it is anonymous seems excessive from a point of view which values transparency and access to public information.
In another article he comments, referring to datosperu.org, that “it is still disappointing that a project that promotes transparency is so little transparency regarding its administration,” concluding:
both sides were fundamentalists. On one side, the two or three people who tried to defend the APDP decision caricatured the critical voices as insensitive to privacy and/or law of State. On the other side, Datos Perú and the administrators tried to make this into a personal fight between the State and them being a sort of transparency example.
Finally, we talked with Casas, Director of Suma Ciudadana, an organization that in 2012 claimed to know the names of the administrators, and he said this:
Datosperu.org did nothing wrong, but because there is a law about personal data (with its pros and cons), that is why at Suma Ciudadana we were worried that because of the anonymity of this site and having nothing that links it back to Peru beyond the origin of the published data, the right to informative auto-determination could be damaged without any chance of claiming. It is important to remember that when we went to the Authority who protects the personal information to examine this case, it was impossible to talk to the administrator to complain damaging personal information. After we made our complaint public, the administrator included a complaint space, but it did not work out. We were surprised at the authority position against Datosperu.org, since they initially refused to address the problem and then it was discussed, although we are in disagreement about the weighting of rights from his decision.
The site datosperu.org is no longer providing access to data and instead, it shows a farewell message.
3 comments