In 2018, the Brazilian General Data Protection Law (LGPD), inspired by the European General Data Protection Regulation (GDPR), was signed into law by President Michel Temer. Following the global trend of regulating the subject, the LGPD creates a new legal framework for the use of personal data in Brazil, online and offline, in both the public and private sectors. It came into force, unexpectedly and after a reversal in the Federal Senate, on September 18, 2020.
It is important to clarify that the administrative sanctions will only come into force in August 2021. However, lawsuits based on the LGPD have already started to be filed, and it is necessary to adopt compliance practices now in order to avoid liability for possible breaches in the judicial sphere.
Brazil has several sector-specific laws and regulations that directly or indirectly deal with privacy and the protection of personal data. The LGPD does not seek to replace those laws and regulations; instead, it establishes general rules and principles so that they can be applied in the way most beneficial to data subjects.
The LGPD, which will place Brazil among the more than 100 countries that may be considered to have an adequate level of data protection and privacy, requires special attention, since it establishes a series of obligations relating to the processing of personal data. These range from general obligations to specific ones covering the processing of sensitive data, the use of children's and adolescents' data, international data transfers, the need to appoint a data protection officer (encarregado) and to identify the controller and processors, the performance of Data Protection Impact Assessments on a case-by-case basis, and the measures to be taken in the event of a data breach.
In general, any activity that processes personal data will be subject to the law. The law also applies extraterritorially: any foreign company that has at least a branch in Brazil, offers services to the Brazilian market or processes personal data of data subjects located in the country will be subject to the LGPD.
The LGPD establishes that all personal data processing activities must be recorded, from collection to deletion, indicating which kinds of personal data are collected, the legal basis that authorizes their use, the purposes of the processing, the retention period, the information security practices applied to storage, and with whom the data may be shared.
In this regard, the LGPD also establishes that both controller and processor, although they are not obliged to enter into a data processing agreement (DPA), must adopt appropriate technical, security and administrative measures to protect personal data, and may be held liable in the event of a data breach.
Under the LGPD, data subjects' basic rights are expanded. Of particular importance is the right of access, which must be guaranteed free of charge, in addition to the rights of rectification, cancellation or deletion, objection to processing, and information and explanation about the use of their personal data.
In the event of a data breach, the LGPD creates the obligation to notify the National Data Protection Authority (ANPD) and the data subjects of any security incident that may result in relevant risk or damage to them.
The ANPD, already created by law but still being structured, has functions that go beyond inspection and the application of sanctions for non-compliance, and is expected to assume a relevant and rigorous role in promoting the protection of personal data in Brazil.
The penalties imposed by the LGPD, expected to come into force only in August 2021, range from a simple warning to a fine of up to 2% of the revenue in Brazil of the company or its business group in the previous year, capped at R$ 50,000,000.00 (approximately US$ 10,000,000.00) per infraction, and include publication of the infraction, which has the potential to cause reputational damage exceeding the fines established by law.
The LGPD will have a significant impact, since today almost every activity in society involves the use of personal data. Companies from all sectors will have to adapt, and a new culture around the appropriate use of personal data must be created, which can be challenging considering that Brazil is only now starting to give the subject the attention it deserves.
The protection of personal data should be seen not as a cost but as a competitive advantage and a market differentiator. At a time of major data breaches around the world, complying with these rules can restore or increase market confidence, and carrying out a data protection compliance project, from both a legal and a technical perspective, is of central importance in order to avoid particularly rigorous sanctions.
This challenging scenario and the uncertainties surrounding the LGPD should start to become clearer before long. The expected start of the ANPD's activities, as well as judicial decisions issued in the coming months, should advance the matter and enable us to deepen our analyses and recommendations for compliance with the LGPD. There is no doubt that we will be able to report further developments on the subject soon, as matters crystallise in Brazil.