Data Protection & Privacy 2021

Last Updated March 09, 2021

Brazil

Law and Practice

Authors
Kasznar Leonardos Intellectual Property provides tailored solutions to the most complex IP issues, both nationally and internationally, with a deep understanding of different cultures and business industries. The team has 22 partners and more than 240 employees, with correspondents in every state of Brazil and a broad international network, and specialises in the management of intellectual assets. The firm acts as legal adviser on contractual matters, as industrial property agent with the Brazilian Patent and Trade Mark Office, and as lawyer, arbitrator and mediator in litigation and extrajudicial dispute resolution. The firm's main areas of practice are patent and trade mark prosecution, industrial designs, regulatory law, life sciences, digital law, marketing and entertainment law, sports law, biodiversity, copyright, unfair competition, plant varieties, technology transfer, geographical indication, trade secrets, franchising and licensing, fashion law, licence compliance and anti-piracy.

Enacted in 1888, the Brazilian Federal Constitution protects the fundamental rights of privacy, honour and image in Article 5, and addresses the inviolability of private life and intimacy in item X and the right to secrecy of correspondence and of telegraphic, data and telephone communications in item XII. Crimes related to wiretapping are addressed by Law No 9296/96, while Law No 12737/2012 criminalises the act of hacking electronic devices with the aim of obtaining, modifying, destroying or disclosing data or information without the owner’s authorisation.

The Brazilian Civil Rights Framework for the Internet (Law No 12965/2014 – Internet Act) also addresses the right to privacy, data protection and secrecy of private communication, according to its Article 3, section II, and Articles 8 and 11. The Internet Act also sets forth the obligation to comply with standards related to the security of data and network functionality.

The Brazilian General Personal Data Protection Act (Law No 13,709/2018 – LGPD) was enacted on 14 August 2018, and came into force on 18 September 2020, but its sanctions will only be enforceable as of 15 August 2021. Provisional Measure No 869/2018 was turned into Law No 13853/2019 and created the Data Protection National Authority (ANPD), which will be entitled to regulate, enforce and apply penalties based on the LGPD. The ANPD’s directive body was recently appointed and is structured as follows:

  • President: Waldemar Ortunho (an engineer with a military career and more than 40 years of experience in information technology);
  • Arthur Sabat (a member of the National Chamber of Security since 2018);
  • Joacil Rael (an expert in computer science and Data Protection Officer (DPO) of Telebras – Telecomunicações Brasileiras. S.A.);
  • Nairane Rabelo (a lawyer specialising in Tax Law, Privacy and Data Protection); and
  • Miriam Wimmer (a lawyer specialising in Public Law, a former agent of the National Telecommunications Agency (ANATEL), a former agent of the Management Committee for the Internet in Brazil and current director of the Ministry of Communications).

In general terms, the LGPD applies to all personal data (defined as “information related to an identified or identifiable natural person”) undergoing processing operations, whether performed by an individual or company, online or offline, in the following locations:

  • in Brazil;
  • abroad, if the purpose of the processing activity is to offer or provide goods or services to, or to process the data of, individuals located in Brazil; or
  • abroad, if the personal data being processed was collected in Brazil.

The exceptions are listed in Article 4, which sets forth that the LGPD will not apply if the data processing is carried out exclusively for private and non-economic purposes (if performed by an individual), or for artistic, journalistic, academic, public security, state security, national defence and/or criminal repression purposes.

Since the LGPD was inspired by the General Data Protection Regulation (GDPR) in force in Europe, it also provides for basic procedures in case of a data breach. The controller must send a notification (which must contain all details about the incident) to the ANPD and to the data subjects if the incident is significant enough to pose any risk of damage to the data subjects.

The administrative penalties set forth by the LGPD for the infringement of a data subject’s rights range from warnings to fines, depending on the degree and recidivism of the controller or processor. Administrative penalties do not prevent infringing entities being held civilly liable.

Other Brazilian legislation that also addresses the protection of the right to privacy, intimacy and freedom of expression includes:

  • the Brazilian Civil Code, addressing personality rights and liability;
  • the Child and Adolescent Statute, addressing specific issues and enhanced protection applicable to minors’ image and privacy; and
  • laws and regulations on telecommunication, consumer and financial aspects, addressing the secrecy of communications, as well as credit, financial and tax information.

The ANPD has been created but is not yet in full operation. On 27 January 2021, the ANPD issued Decree No 11, which made public its regulatory agenda for 2021-2022. The activities are divided into three phases, as follows.

  • Phase 1:
    1. draft of the ANPD’s Internal Regulation;
    2. the ANPD’s strategic management;
    3. regulation about data protection for start-ups, small and medium companies;
    4. regulation clarifying the applicable sanctions (Article 52 onwards);
    5. communication of security incidents and deadline for notification; and
    6. Data Protection Impact Assessment.
  • Phase 2:
    1. DPO; and
    2. international transfer.
  • Phase 3:
    1. compliance with data subjects’ rights; and
    2. legal basis.

The issuance of regulation on such topics will be highly significant for the correct enforcement of the LGPD and effective data protection in Brazil.

Considering the significant amount of data collected and processed in commerce, the National Consumer Protection Secretariat (SENACON) and the Consumer Protection and Defence Foundation (PROCON) must also be considered as regulators when personal data is involved. ANATEL oversees data protection issues related to telecommunications services. Public prosecutors may also initiate proceedings to investigate potential infringements in the civil and criminal spheres, in addition to individual claims. In such cases, an inquiry is initiated upon the prosecutor’s request, and the investigation may be followed by a judicial proceeding.

It is important to highlight that the ANPD cannot audit controllers or processors, but is able to request information through administrative proceedings.

Although the LGPD is already in force, the administrative sanctions will only be enforceable as of 15 August 2021. Additionally, the ANPD already has plans to address the enforceability of such sanctions in the first semester of 2021 (Decree No 11/2021).

Regardless of this, the administrative consumer protection entities and public prosecutors are bound to act in accordance with general procedures. In short, such procedures may be initiated by a complaint from the offended parties or ex officio, and the investigated entity is entitled to access all documents and to present its defence. Once a decision is rendered by the authority, the parties may file an appeal, which will be analysed and ruled on by or on behalf of the president or governing body of such authority. Considering that most of the authorities entitled to pursue data protection claims are part of the federal public administration, decisions rendered thereby are subject to revision by a Federal Court; if rendered, for example, by the Federal District Public Prosecutor’s Office, which is part of the State administration, then it shall be reviewed by the State courts.

Once its enforcement powers take effect, the ANPD will be bound by the rules on general administrative procedures, but some specific provisions set forth by the LGPD will apply. Oversight, enforcement and sanctioning will be conducted through an administrative proceeding, ensuring that the investigated party has the right to an adversarial process and a full defence.

According to Article 52, 1st Paragraph, the penalties for infringement of the law shall be enforced according to the following criteria:

  • the severity and nature of the infractions and the personal rights affected;
  • the good faith of the infringer;
  • the advantage realised or intended by the infringer;
  • the economic condition of the infringer;
  • recidivism;
  • the level of damage;
  • the co-operation of the infringer;
  • the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimising the damage, for secure and proper data processing, in accordance with the provisions of the law;
  • the adoption of a good practice and governance policy;
  • the prompt adoption of corrective measures; and
  • the proportionality between the severity of the breach and the intensity of the sanction.

As it has only recently enacted specific legislation concerning data protection, Brazil is still not considered by any foreign data protection body to provide an adequate level of data protection. However, once the law is in force and the national authority starts enforcing it, it is likely that Brazil will strengthen its relationship with data protection entities around the world and be considered as providing an adequate level of protection, especially due to the LGPD’s roots in the GDPR.

As a Federative State, Brazil may have national, State and Municipal laws. However, State and Municipal laws are only allowed to address local aspects of national laws – ie, a federal law must have already been created to legitimise the existence of State and Municipal laws ruling the same matter. Some attempts to implement regional laws on data protection have already been ruled unconstitutional based on such disposition. However, several States have bills pending that aim to govern data processing operations in their respective territories, as State-level general data protection laws. Brazilian cities have also enacted data protection rules or are attempting to pass bills of law addressing the subject.

A significant number of Brazilian companies and foreign companies doing business in Brazil are members of the Brazilian Direct Marketing Association (ABEMD), a non-profit entity focused on encouraging, expanding and setting up basic rules related to direct marketing in Brazil. ABEMD issued the Email Marketing Self-Regulatory Code (CAPEM), developed in 1997, which sets forth that companies must provide an opt-out option in their marketing e-mails. CAPEM has been widely adopted not only by ABEMD members but also by non-members, even though its provisions and resolutions are not binding or mandatory.

Two Brazilian NGOs deserve to be mentioned, as they have been very active in monitoring and promoting discussions in many sectors about data protection, including participating in the public consultations on the bills of law of the Internet Act and of the LGPD.

  • The Institute of Technology and Society of Rio de Janeiro (ITS) is an independent, non-profit research institute studying the impacts of and trends in technology in Brazil and the world. Its team has more than ten years of expertise, analysing matters in several areas and providing independent opinions in partnership with universities, civil society, the private sector and government agencies. Recently, in partnership with the Center of Law, Internet and Society of the Brazilian Institute of Public Law, ITS joined an expert team in privacy and data protection to teach a short-term course about data protection and privacy.
  • InternetLab is a centre of interdisciplinary research, promoting academic debate and knowledge production in the legal and technology areas. Constituted as a non-profit research institute, InternetLab acts as a point of connection between academics, civil society parties and the private sector, stimulating the development of projects that address the creation and implementation of public policies on new technologies, namely involving privacy, freedom of speech and gender and identity matters. Supporters include entities such as Google, the Ford Foundation and the Open Society Institute.

The current Brazilian legal framework on data protection is similar to the US model, in the sense that it is fragmented into rules applicable to specific situations (consumer protection matters, internet users' rights, etc). Upon the entrance into force of the LGPD, the data protection regulation will be converted into a centralised model, more like the European model. The LGPD was generally inspired by the GDPR and, although it is clearly less detailed and sophisticated than the GDPR, it can be deemed as being very similar thereto.

The similarities between the Brazilian and EU systems are as follows:

  • the processing of personal data must be done on a legal basis;
  • the controller bears the burden of proof of consent;
  • data subjects are granted extensive rights over their personal data;
  • administrative penalties and civil liability are cumulative;
  • processing agents have an obligation to appoint a DPO; and
  • international data transfers are allowed for countries that ensure adequate levels of data protection, among other possibilities.

Although the regulations are functionally similar, the following differences are noteworthy:

  • the GDPR provides the definition of identifiable natural person, while the LGPD only mentions it;
  • while the LGPD does not detail all data considered to be sensitive, the GDPR provides the definitions for health, biometric and genetic data;
  • the GDPR sets forth that the consent for processing children’s data can be given after a subject reaches 16 years of age, while the LGPD follows the Civil Code and the Child and Adolescent Statute, which determine that the legal age is 18 years old;
  • unlike the GDPR, the LGPD waives data processing agents’ liability when damage is exclusively caused through the fault of the data subjects or third parties;
  • the GDPR provides that the relationship between controller and processor needs to be formalised by an agreement or other legal act, while the LGPD has no such specification;
  • the data protection impact assessment report is more detailed in the GDPR than in the LGPD; and
  • the term for a data breach notification under the GDPR is 72 hours, while the LGPD determines that breaches must be notified within a reasonable period.

The entering into force of the LGPD in 2020 is certainly the most important legal development on the matter since the Internet Act (2014).

The creation of the ANPD, the appointment of the board of directors and the disclosure of the agenda for 2021-2022 are also important developments so far. The ANPD is still working to address important topics, but no specific regulations have been enacted so far.

After the LGPD entered into force, litigation cases started to arise in the Judiciary. The most commented-upon decision was rendered by the 13th Civil Panel of the State Court of São Paulo, due to the sharing of personal data with third parties not related to the agreement. The panel ruled for the payment of BRL10,000 as moral damages.

There are also other lawsuits, including lawsuits filed by the Federal and State Public Prosecutor’s offices, that seek to enforce the LGPD through public civil actions. Among the matters discussed, the offices question the selling of data and the processing of biometric data.

After the entering into force of the LGPD, the appointment of the ANPD’s board of directors and the disclosure of the authority’s main activities for the next two years, the pending developments concern the following:

  • clarification about the liability of and necessity for a DPO in small companies;
  • more details about security standards, including in the drafting of data protection impact assessment reports;
  • regulation for international transfers and a list of countries considered adequate; and
  • a definition of standards for the enforceability of sanctions.

Appointment of Privacy or Data Protection Officers

All personal data controllers must appoint a Data Protection Officer (DPO). This requirement will be further detailed in the first semester of 2022, when the ANPD is planning to issue a specific regulation on the matter.

Criteria to Authorise Collection, Use or Other Processing

The Internet Act provides for the processing of internet users’ data only if the data subject provides consent (online environment). The exception to the consent requirement is a prior court order.

Upon the LGPD’s entrance into force, data processing operations are legitimate if they rely on one of the following legal bases:

  • the performance of a legal or regulatory obligation of the data controller;
  • the execution of public policies by the public administration;
  • the performance of contractual or pre-contractual obligations to which the data subject is a party;
  • the protection of the integrity of the life or health of a data subject or a third party;
  • conducting studies by public or non-profit research agencies;
  • the regular exercise of rights in lawsuits, administrative or arbitration proceedings;
  • credit protection; and
  • the controller’s legitimate interests.

“Privacy by Design” or “by Default”

Although there is no explicit definition of these terms, the LGPD provides that security measures must be adopted from the conception phase of the product or service until and during its operation.

Privacy Impact Analyses

There is currently no legal obligation to conduct a privacy impact analysis. Upon the LGPD’s entrance into force, the ANPD will be entitled to order a data protection impact assessment report referring to the controller’s data processing operations. The report must contain the description of the types of data collected, the methodology used for the collection and the analysis of the controllers regarding adopted measures, safeguards and mechanisms of risk mitigation.

Internal or External Privacy Policies

In order to comply with the obligation set forth by the Internet Act and the LGPD to obtain a data subject’s clear, free and informed consent, it is recommended to adopt external privacy policies. There is no such obligation to adopt internal privacy policies, although doing so is also recommended, especially due to Article 50 of the LGPD, which refers to having internal policies in place as a “good practice”.

Data Subject Access Rights

The only legislation currently in force that provides more extensively for data subjects’ access rights is the Internet Act, although it applies only to the use of personal data in the digital environment. It sets forth that the data subject has the right to request the definitive elimination of the personal data provided to a certain internet application at the end of the relationship between the parties, except in cases of mandatory log retention.

Sector-driven legislation also provides for specific rules, such as the Consumer Protection Code, the Access to Information Act (applicable to the public sector), the Tax Code, the Bank Secrecy Act and the Compliant Debtors List Act.

Once the LGPD is in force, data subjects’ access rights will be more extensive, since the LGPD explicitly provides for the right to the following:

  • confirmation of the existence of the processing activity;
  • the access to personal data;
  • correction of incomplete or out-of-date information;
  • the anonymisation, blocking or deletion of unnecessary or excessive data or data processed contrary to the LGPD;
  • the deletion of personal data processed with the consent of the data subject (unless the law provides otherwise); and
  • access to information about public and private entities with which the controller has shared data.

Use of Data Pursuant to Anonymisation, De-identification and Pseudonymisation

Brazilian legislation does not provide a definition of de-identification and pseudonymisation, but anonymisation is defined by the LGPD as the “use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to an individual.” According to the LGPD, anonymised data can be freely processed – ie, the processing does not need to be endorsed on a legal basis, provided that the anonymisation process cannot be reversed with reasonable efforts.

It is also up to the ANPD to regulate standards and techniques to be used in anonymisation processes, and to make verifications about the security thereof.

Restrictions or Allowances

The data subjects have the right to request the review of decisions made based only on the automated processing of personal data that affects their interests, including decisions made in the sense of defining their personal, consumption and credit profile or aspects of their personality. The ANPD will be entitled to audit the automated processing if it suspects the processing is discriminatory.

The Concept of “Injury” or “Harm”

The LGPD does not provide any definition or idea of “harm”, apart from the one already stated in the Brazilian Civil Code, according to which one who causes harm to another, by action or omission, commits an illicit act, and is liable therefor. In this sense, indemnification is due from any harm arising from a violation of data privacy rights.

The LGPD reiterates such provision in its Article 42: controllers or processors are liable for any harm caused to data subjects in violation of their rights and their indemnification obligation. The processor will be jointly liable if it violates data protection legislation or acts contrary to the controller’s instructions. All controllers directly involved in the violation of data protection rights will also be jointly liable therefor. Additionally, Article 45 provides that the consumerist legislation is applicable when data protection is violated in the consumerist context.

The LGPD also sets forth a liability exception: a controller and/or processor is not liable if it can prove that it did not participate in the processing activity, that its participation in the processing activity did not violate any data protection legislation, or that the harm arose exclusively through the data subject’s fault.

The LGPD determines that “sensitive personal data” is “personal data concerning racial or ethnic origin, religious belief, public opinion, association to any trade union or religious organisation, philosophical or political organisation association, data concerning health or sex life, genetic or biometric data, whenever related to a natural person.”

According to the LGPD, the processing of sensitive personal data is legitimate only in the following cases.

  • When specific and express consent is obtained from the data subject or her/his legal representative, for specific processing purposes.
  • If there is no consent from the data subject, when the processing is indispensable for:
    1. compliance with a statutory or regulatory obligation by the controller;
    2. the joint processing of data when necessary by the public administration for the execution of public policies provided for in laws or regulations;
    3. studies by research bodies, ensuring, whenever possible, the anonymisation of the sensitive personal data;
    4. the regular exercise of rights, including in contracts, lawsuits and administrative or arbitration proceedings;
    5. protecting the life or physical safety of the data subjects or third parties;
    6. the protection of health, exclusively in a procedure carried out by health professionals, health services or a health authority; or
    7. ensuring the prevention of fraud and the safety of the data subject, in the processes of identification and certification of records in electronic systems, except in the event of the prevalence of fundamental rights and liberties of the data subjects that require protection of the personal data.

Financial Data

Although financial data is not specifically addressed by the LGPD, confidentiality obligations regarding this type of data are provided for in the Brazilian Federal Constitution and the Bank Secrecy Act.

Health Data

The health sector in Brazil is highly regulated, so health data is addressed by different laws and regulations.

Rule No 124/2006 issued by the Brazilian National Supplementary Health Agency (ANVISA) determines that private healthcare services providers must not share data subjects' personal data with third parties without obtaining previous consent, under the penalty of BRL50,000 (approximately USD12,000).

The Code of Medical Ethics, drafted by the Brazilian Federal Medicine Council, sets forth that healthcare professionals must protect patients’ data.

Law No 13,787/2018, enacted in December 2018, addresses the digitalisation, retention, storage and handling of patients’ records. The law establishes that the records of all patients must be digitalised, and the physical files discarded, unless they have historical value. The digitalised records may be deleted 20 years after the last update.

Furthermore, within clinical trials, ANVISA’s Board of Directors Resolution RDC 09/2015 and Resolution No 466/2012 of the National Council of Health provide that the data and privacy of clinical trial participants shall be protected.

With the LGPD in force, health data is treated as sensitive personal data and its processing is subject to stricter rules, as noted above.

In this sense, the group of pharmaceutical companies (Sindusfarma) created a guideline about data protection, in order to provide companies with general information and sectorial advice on pharmacovigilance.

Communications Data

The Brazilian Federal Constitution provides that the privacy of communications is a fundamental right and, therefore, is granted a special level of protection. The Internet Act also grants the inviolability of the user’s communications through the internet, except when supported by a court order.

The Brazilian Telecommunications Act (Law No 9,472/1997) also provides that users of telecommunications services are protected by the inviolability of their communication and privacy, unless otherwise determined.

The LGPD does not list communications as sensitive data, but they could be considered as such if they contain any of the specific matters considered as sensitive.

Voice Telephony and Text Messaging

Voice communications and text messages are protected under the fundamental right of privacy granted by the Federal Constitution and applicable to communications. In this sense, Law No 9,296/1996 allows for a breach in communication only in cases where such information is needed to help a criminal investigation and is supported by a court order.

Content of Electronic Communications

The same protection granted to private communications is applicable to electronic communications. Additionally, Law No 12737/2012 criminalises the act of hacking electronic devices with the aim of obtaining, modifying, destroying or disclosing data or information without the owner’s authorisation.

Children’s or Students' Data

The Civil Code and the Child and Adolescent Statute establish 18 years as the legal age, so any act performed by anyone under this age will be null if not preceded by the authorisation of a responsible person. The Internet Act provides for parental control, since the user (the person responsible for the minor) may choose which content is appropriate (or not) for the child or adolescent.

The LGPD introduced further provisions on the processing of data involving children and adolescents, establishing that such data must be processed in the best interests of the children and must be preceded by obtaining separate consent from one of his or her parents or legal representatives.

There are no provisions involving educational or school data specifically. When related to under-age individuals, the same rules apply as above.

Employment Data

There is no specific law regarding the protection of employees' data. The LGPD only determines that data about participation in trade unions is considered sensitive.

The obligation to respect the privacy of communication – according to the Federal Constitution and Internet Act – is applicable. However, the employer has the right to use technologies to identify content accessed by its employees using workplace devices (eg, corporate e-mail, company’s internal systems, etc). In this case, it is recommended that employees are previously informed that the devices used during the employment relationship will be monitored.

Internet, Streaming and Video Issues

The use of tracking and behavioural technologies implies the storing of data to offer customised information to the user. However, according to the Internet Act, this kind of processing must be preceded by the user’s consent and, to do that in a practical way, companies generally use technologies such as cookies (with a warning on the initial screen of their website), beacons, etc. Because much information obtained from users’ access to the internet is able to identify them, it should be considered as personal data and, therefore, incurs the same need for consent or other legal basis for processing personal data as under the LGPD.

Additionally, the Internet Act provides an obligation for internet connection and application providers to refrain from disclosing connection, access, personal data and private communications without a supporting court order. Connection records must be kept for one year, while access records must be kept for six months – both periods of time may be increased upon the request of the police authority or the Public Prosecutor’s office.

Hate speech, disinformation, abusive material or political manipulation is more relevant to personality rights than data protection rights under Brazilian legislation. There are penalties in the civil and criminal spheres for those who disseminate hate speech, spread disinformation or attempt political manipulation over the internet. Specifically, when the abusive material contains sexual content (eg, revenge porn), the Internet Act establishes that the internet provider must remove the content immediately, upon notification by a party (with no need for a court decision).

Data Subject Rights

The Internet Act sets forth that data subjects have the right to request the definitive elimination of the personal data provided to a certain internet application at the end of the relationship between them, except in cases of mandatory log retention.

Sector-driven legislation also provides for specific rules, such as the Consumer Protection Code, the Access to Information Act (applicable to the public sector), the Tax Code, the Bank Secrecy Act and the Compliant Debtors List Act. All these rules are basically founded on the data subject’s right to information.

The data subjects’ rights are more extensive, since the LGPD explicitly provides for the right to the following:

  • confirmation of the existence of the processing activity;
  • access to the personal data;
  • correction of incomplete or out-of-date information;
  • the anonymisation, blocking or deletion of unnecessary or excessive data or data processed contrary to the LGPD;
  • the portability of the data to other service providers or suppliers of products, at the express request of the data subject, in accordance with the regulation of the controlling body and observing commercial and industrial secrecy;
  • the deletion of personal data processed with the consent of the data subject (unless the law provides otherwise);
  • access to information about public and private entities with which the controller has shared data;
  • access to information on the possibility of denying consent and on the consequences of the denial; and
  • revocation of the consent.

Data subjects also have the right to be informed in a clear and conspicuous manner about:

  • the specific purpose of the processing;
  • the type and duration of the processing, with commercial and industrial secrecy being observed;
  • the identification of the controller;
  • the controller’s contact information;
  • information regarding the shared use of data by the controller and the purpose; and
  • the responsibilities of the agents who carry out the processing.

Right to be Forgotten

Currently, there is no specific legislation in Brazil providing for the “right to be forgotten”. According to the LGPD, erasure will be one of the statutory rights of data subjects. After the controllers/processors have processed the data, they will need to erase the personal data, unless:

  • it is necessary to comply with legal or regulatory obligations;
  • it is needed for study by a research entity, ensuring, whenever possible, the anonymisation of the personal data;
  • it is to be transferred to third parties, provided that the requirements for data processing are obeyed; and/or
  • it is for the exclusive use of the controller, with access by third parties prohibited, and provided the data has been anonymised.

The Brazilian Supreme Court of Justice is currently deciding on the concept and boundaries of the right to be forgotten. Its decision will provide more legal certainty in cases involving this matter.

Data Access and Portability

Data subjects have the explicit right to obtain confirmation of the existence of the processing activity, to access the personal data, and to transfer the data to other service providers or suppliers of products, upon express request, in accordance with the regulation of the controlling body, observing commercial and industrial secrecy.

Right of Rectification or Correction

Data subjects have the explicit right to correct incomplete or out-of-date information, and to revoke consent.

There is no specific law in Brazil governing online marketing. However, certain legislation may apply, as follows.

Companies must comply with the Brazilian Consumer Defence Code (Law No 8,078/1990 – CDC), which is the general set of rules governing consumer relations in Brazil. The CDC provides that marketing activities must not be abusive or deceptive and, for this reason, companies should refrain from sending unauthorised marketing communications to customers. Many official entities are responsible for enforcing the rules set forth by the CDC at different levels of the public administration (public prosecutors, local and state PROCONs, public attorneys, police stations and civil organisations for consumer defence), and they are all part of SENACON.

As marketing activities are based on the use of personal information (e-mail addresses and telephone numbers, even when related to a business), the LGPD also applies: the use of e-mail addresses or telephone numbers must comply with the rules set forth by the LGPD (data subjects' rights, legal basis for processing).

The Internet Act also applies to e-mail marketing, since it governs relationships among internet users. It requires the prior and unequivocal consent of data subjects before e-mail marketing is sent.

Although Brazil does not have a specific e-marketing law, a significant number of Brazilian companies, as well as foreign companies doing business in Brazil, are members of ABEMD, a non-profit entity focused on encouraging, expanding and setting basic rules for direct marketing in Brazil. ABEMD issued CAPEM, which is widely adopted not only by ABEMD members but also by non-members, even though its provisions and resolutions are not binding or mandatory.

Many companies are also members of the National Council of Self-Regulation in Advertising (CONAR), which is a non-governmental entity aimed at promoting freedom of speech and defending constitutional rights applicable to advertising. CONAR has also published a set of rules applicable to advertising activities, the so-called Brazilian Code of Self-Regulation in Advertising (CSRA). Although it has no legal effects since it has not been enacted by a governmental entity, the CSRA is considered a cornerstone in the marketing business by members and non-members, who generally comply with such rules.

SMS/MMS marketing by telecommunications service providers is governed by telecommunication rules, more specifically by Ordinance No 632/2014 issued by ANATEL. Among other provisions, the Ordinance sets forth that the telecommunication services user has the right not to receive marketing messages unless they are preceded by prior, free and unequivocal consent (Article 3, XVIII). Complementing the Ordinance, through Circular Letter No 39/2012/PVCPR/PVCP, ANATEL sets forth general rules for sending advertising messages using personal mobile telephone services, requiring all companies that send SMS/MMS marketing messages to make an opt-out function available to the customer.

There is no specific law regarding the protection of employees' data. The obligation to respect the privacy of communication applies, according to the Federal Constitution and the Internet Act. However, according to case law on this matter, the employer has the right to use technologies to identify content accessed by its employees using workplace devices (eg, corporate e-mail, the company's internal systems, etc). In this case, it is recommended that employees be informed in advance that the devices used during the employment relationship will be monitored.

The Role of Labour Organisations or Works Councils

Labour organisations and works councils are not yet sufficiently engaged in privacy protection matters, so there are still no relevant actions from these entities providing for the protection of employees' data. However, as soon as such entities realise the importance of this matter, it is possible that they will include privacy protection clauses in their collective labour agreements or collective labour conventions.

Whistle-Blower Hotlines and Anonymous Reporting

Currently, there is no law in Brazil specifically addressing whistle-blower hotlines or anonymous reporting; there is also no specific reference in the LGPD. However, companies can include whistle-blowing provisions in their internal security policy, to identify, among other things, data breaches, hate speech, abusive material or content involving sexual acts or nudity.

E-discovery Issues

There are certain legal procedures that could give rise to an injunction or a court order determining the disclosure of specific data located in servers, if connected to a given criminal investigation or civil lawsuit. Such data is requested by a court or a competent authority, and is disclosed voluntarily by the data controller. Penalties may arise for non-compliance with the court order or the injunction, including daily fines, interruption of services and the imprisonment of corporate officials in Brazil.

Other Issues

There are no specific provisions about digital loss prevention technologies or scanning/blocking websites. The only rule related to digital loss prevention is the obligation to implement minimum standards of security in order to avoid data loss, as set forth by the Internet Act and the LGPD. Except for websites disclosing personal sexual material, the request for blocking websites must be preceded by a court order.

Currently, claims regarding violations of privacy and data protection rights basically arise from the lack of consent to data processing. When it comes to privacy specifically, the standards will also depend on the specifications of the case, according to the Internet Act.

Now that the LGPD is in force, the ANPD must establish standards for claiming violations by controllers and/or processors, based on the violation of data subjects' rights under the law.

Potential Enforcement Penalties

Current administrative penalties established by the Internet Act are as follows:

  • warnings, with an indication of the deadline for a corrective action to be taken;
  • fines of up to 10% of the revenues of the economic group in Brazil in its last financial year, excluding taxes, considering the economic condition of the offender and the principle of proportionality between the seriousness of the misconduct and the intensity of the penalty;
  • temporary suspension of activities involving any operation of gathering, storage, custody and treatment of records, personal data or communications by connection and internet application providers; and
  • prohibition from carrying out activities involving the acts listed above.

In the case of penalties enforced against a foreign company, any subsidiary, branch office or establishment in Brazil will be jointly liable for the payment of the fines. Such penalties are currently being enforced by the rules of civil liability (Articles 186 and 927 of the Civil Code). Depending on the specifics of each case, additional criminal and civil liabilities may also apply.

The penalties applicable for infringing the LGPD are as follows:

  • warnings, with an indication of the time period for adopting corrective measures;
  • a simple fine of up to 2% of the revenues in Brazil of a private legal entity, group or conglomerate, for the prior financial year, excluding taxes, up to a total maximum of BRL50 million per infraction;
  • a daily fine, subject to the total maximum referred to above;
  • publicising of the infraction once it has been duly ascertained and its occurrence has been confirmed;
  • blocking the personal data to which the infraction refers until its regularisation; and
  • deletion of the personal data to which the infraction refers.

These penalties do not exclude judicial compensation of moral and material damages to the data subject, in an amount that will be determined by a judge and may or may not be based on the administrative fines.

The value of daily fines applied to violations of the LGPD shall depend on the severity of the infraction, the extent of the damage or losses caused, and a reasoned justification by the national authority. In its agenda for the next two years, the ANPD has already stated that it will establish the calculation methodology for administrative fines and the circumstances and conditions under which such sanctions are enforced.

Leading Enforcement Cases

The Public Prosecution has opened investigations against the credit bureau SPC Boa Vista more than once, mainly in 2018 and 2019.

In the action, the Public Prosecutor’s Office of the Federal District (MPDFT) highlights that Boa Vista SCPC is considered a manager by the Positive Registry Law and, as such, has objective and joint liability for the material and moral damages it causes to those registered on its platforms.

MPDFT is also investigating the leakage of health data from approximately 16 million patients infected with COVID-19. The information was publicly available for one month after passwords were discovered, enabling access to such sensitive data. MPDFT is still investigating the case with the Brazilian Ministry of Health and the hospital involved.

Private Litigation

Legal standards are set by the Civil Procedure Code. The plaintiff must be the legitimate party to file the lawsuit, must have a legal interest in bringing it and must demonstrate the legal possibility of its request. The plaintiff must also demonstrate the defendant's unlawful conduct, the damage suffered by the plaintiff and the causal link between them.

Although Brazilian law does not allow class actions as they are known in the United States, if there is a massive data breach the public prosecutor or another specific organisation can initiate an investigation and civil actions against the controller/processor of data, according to the Public Civil Action Law (Law No 7,347/1993).

Since the LGPD entered into force, private litigation cases have been on the rise. The main claim is compensation for moral damages following unlawful data processing operations by controllers and processors.

As a general rule, access to any data requires court authorisation. However, in the case of criminal investigations, Law No 12,850/2013 allows for the public prosecutor or the chief police officer to have access only to the data containing personal qualifications, affiliations and addresses maintained by the electoral justice, telecommunication companies, financial institutions, internet providers and credit card administrators. In addition, according to Brazilian case law, the Brazilian Federal Revenue Office may request data from banks when necessary to investigate financial crimes against the public administration, under Complementary Law No 105/2001. The entry into force of the LGPD is not expected to change the application of such prior laws, as the law will not apply to processing operations carried out for law enforcement purposes.

Since privacy is safeguarded by the Federal Constitution and the Brazilian Civil Code, every time law enforcement runs up against individuals' privacy rights, it gives rise to considerable debate in the courts. The Brazilian Supreme Court has ruled that internet service providers of messaging services are not bound to reveal the content of those messages to public authorities. In addition, there is an ongoing discussion regarding the legality of police authorities analysing the contents of the cell phones of people under investigation.

Please see 3.1 Laws and Standards for Access to Data for Serious Crimes.

There are currently no obstacles to an organisation invoking a foreign government access request as a legitimate basis to collect and transfer personal data. Under the LGPD, from August 2020, the collection and transfer of personal data upon the request of a foreign authority will only be considered licit if such request constitutes a legal or regulatory obligation.

There are few public debates on government access to personal data. Since the public is still unaware of its data protection rights (both existing and upcoming), government actions to process additional data from citizens are rarely contested. The upcoming LGPD is likely to change that. In this regard, some caution-inspiring legislation has recently been passed in Brazil, including a national decree issued in 2016 (Decree No 8789/16), which authorises all government bodies to share their databases with other government bodies, to simplify the offering of public services.

On the other hand, citizens are entitled to request full access to their personal data held by government bodies, under Law No 12,527/2011.

Data processing operations carried out by the government must be interpreted under Articles 23 to 32 of the LGPD. The government must process data strictly on the basis of the public interest, provided that it communicates the situations in which, in the exercise of its competences, it processes personal data, supplying clear and up-to-date information about the legal basis, purpose, procedures and practices used to carry out these activities in easily accessible media, preferably on its websites.

According to the LGPD, international data transfers are allowed in the following situations:

  • to countries or international organisations that provide adequate levels of data protection;
  • when the controller offers and proves compliance with the principles and rights of the data subject and the data protection regime, through specific contractual clauses, standard contractual clauses, global corporate rules or duly issued seals;
  • when the transfer is necessary for international legal co-operation between public intelligence, investigative and prosecutorial agencies;
  • when the transfer is necessary to protect the life or physical safety of the data subject or of a third party;
  • when the ANPD authorises the transfer;
  • when the transfer results in a commitment undertaken through international co-operation;
  • when the transfer is necessary for the execution of a public policy or legal attribution of public service;
  • when the data subject has given his or her specific consent for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; and
  • when it is necessary to satisfy compliance with regulatory obligations by the controller, execution of a contract or preliminary procedures related to it and the regular exercise of rights in judicial, administrative or arbitration procedures.

The ANPD's agenda suggests that this topic will be properly regulated in the first half of 2022.

Please see 4.1 Restrictions on International Data Issues.

A current best practice adopted by companies is to encrypt data end to end when it is transferred abroad, to reduce the risk of unauthorised access or leaks.

According to the LGPD, international data transfers will be allowed under certain circumstances, one of which is the granting of an authorisation by the ANPD.

The Internet Act does not require data to be maintained in the country, so the data can be stored in cloud storage in another country, for example. However, storing the data abroad does not stop the Brazilian law from being applicable. The LGPD does not have any requirements to maintain the data in-country, but the requirements for international transfer (see 4.1 Restrictions on International Data Issues) will need to be complied with in order to validate the data transfer.

There is no current or upcoming regulation that determines the sharing of algorithms or technical details with the government.

International data transfers are allowed for foreign data requests, litigation proceedings or internal investigations if:

  • the transfer is necessary for international legal co-operation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
  • the transfer results in a commitment undertaken through international co-operation;
  • the transfer is made to ensure compliance with a legal or regulatory obligation by the controller; and
  • the transfer is necessary for the regular exercise of rights in judicial, administrative or arbitration procedures.

Brazilian legislation does not provide for blocking statutes specifically related to privacy or data protection.

Generally, as provided for by the Federal Constitution, international treaties, conventions and international acts must be executed by the President and approved by the Congress in order to be valid in Brazil.

There is no legislation addressing the term "Big Data". The Internet Act prohibits the storing of excessive personal data in relation to the purpose for which the data subject gave their consent, so it is important to observe the correct processing of this data. Such obligation is more explicit with the application of the LGPD, especially due to the principle of necessity.

Automated decision-making entails a right of the data subject to request a review of decisions taken solely on the basis of the automated processing of personal data, including decisions related to the personal, professional, consumer or credit profile and personality.

Data used for profiling can be considered personal data under the LGPD and, therefore, the purpose of processing such data will only be legitimate if it is carried out under one of the legal bases.

Currently, artificial intelligence and the Internet of Things are not addressed by law. Under the LGPD, the ANPD may issue regulations on such matters.

Facial recognition is not currently addressed by law. Under the LGPD, it is highly likely that the face will be considered sensitive personal data, and will therefore be subject to special protection.

Biometric data is considered a type of sensitive personal data and, therefore, will be subject to special protection.

Geolocation is able to identify or make a natural person identifiable, so the requirements of the LGPD are applicable to that processing of data.

The operation of drones is regulated by the Brazilian Civil Aviation Special Regulation No 94/2017, enacted by the National Agency of Civil Aviation (ANAC). Unmanned aircraft operations (for recreational, corporate, commercial or experimental use) must follow ANAC rules, which are complementary to the regulations of other public agencies, such as the Air Space Control Department and ANATEL. The LGPD does not have any provisions regarding drones.

Although many organisations are starting to implement protocols for digital governance, or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies, such practice is not legally mandatory. However, with the LGPD in force, data processing agents are obliged to adopt security measures to protect databases, and to implement a governance programme for privacy that establishes adequate policies and safeguards based on a process of systematic evaluation of the impacts and risks to privacy.

In January 2021, the database of Serasa Experian (a well-known credit bureau in Brazil) was leaked, and data on 223 million Brazilian citizens was made available. PROCON and SENACON have already notified the bureau for clarification on the matter; the incident is the most significant security breach in Brazil to date.

There are no legal requirements applicable to due diligence or the oversight and monitoring of vendors or service providers. However, data processing agents must be reasonably diligent to avoid claims of gross negligence or joint liability in the case of security breaches caused by or with the contribution of a related third party.

There are no non-privacy/data protection-specific laws that mandate the disclosure of an organisation’s cybersecurity risk profile or experience.

There are no further significant issues.

Kasznar Leonardos Intellectual Property

Teófilo Otoni St, 63/ 5º-7º floor
ZIP code: 20090-070

+55 21 2113 1919

mail@kasznarleonardos.com www.kasznarleonardos.com

Trends and Developments

Authors

Lopes Pinto, Nagasse is based in São Paulo and has extensive expertise in corporate and business law, tax and planning, data protection (LGPD and GDPR), contracts, digital assets law, blockchain, transportation, logistics, labour, infrastructure, agribusiness, banking and finance, life sciences, civil law, corporate governance, compliance, technology law, and legal risks. The team is composed of respected professionals with strong experience in national and multinational organisations and law firms, who are accustomed to dealing with matters and challenges facing companies and businesses.

On 5 October 2018, Brazil celebrated three decades of its Federal Constitution, which established in Article 5, X that "intimacy, private life, honour, and the image of people are inviolable."

The principles of the inviolability of intimacy and the privacy of the individual should not be greatly affected by the passage of time. However, much has happened in the world since 1988. Technology, for example, has evolved, gained ground and become dominant, and what was "intimate" and "private" in the twentieth century has been vastly amplified, losing almost all of its local character.

This was the case with "personal data", which details the characteristics peculiar to each individual, such as habits, beliefs, preferences and consumption decisions.

Therefore, the constitutional canon of privacy protection, although unsurpassed and indispensable, called for a legislative framework to regulate the processing of personal data from a procedural perspective.

From this need came the General Personal Data Protection Act (Lei Geral de Proteção de Dados – LGPD) (Law No 13,709), which is the legal framework for personal data in Brazil, inspired by the European General Data Protection Regulation (GDPR). The LGPD was approved in 2016 and implemented two years later, changing everything that was known and practised in terms of personal data processing. It brought enormous challenges, especially in the legal, ethical and technical fields, since most law firms had to incorporate new skills.

Data Protection and Privacy: Overview

The idea that personal data forms part of the concept of self-determination is new in Brazil, and only gained momentum through the Consumer Defence Code (Código de Defesa do Consumidor – CDC) (Law No 8,078/90), especially Articles 43, 72 and 73 thereof, and the Civil Rights Framework for the Internet (Marco Civil da Internet – MCI) (Law No 12,965/14), although neither brought enough material specificity to discipline the handling of personal data, which was only possible through the LGPD.

The structure of the LGPD is based almost entirely on the GDPR, from the legal outline of the expression "personal data" to the need for a centralised regulatory entity. 

The LGPD came into force in September 2018, but penalties can only begin to be enforced from 1 August 2021 (Law No 14.010/20, Article 20). Finally, Decree No 10,474/20 recently approved the structure of the Data Protection National Authority (Autoridade Nacional de Proteção de Dados – ANPD), under the provisions of Chapter IX of the LGPD.

But many measures are still expected, including normative and procedural measures, not least because other countries have moved forward, approving rules on matters such as international transfers, the economic sharing of data and intellectual property linked to data.

Stratification

Neither the GDPR nor the LGPD could foresee the advances of recent years in terms of technology, new virtual tools or the profusion of applications and platforms.

The personal data classification proposed by the LGPD (Article 5, I and II) is being overtaken by reality. There is already talk of adopting the principle of discrimination, or stratification, which can provide a more reliable way of allocating data into categories that best reflect the way they are used and their purpose, providing a more rational framework for personal data.

For example, some data requires more protection than other data, and some data requires more restrictions on its use and processing, due to its identifying potential. This is the case with sensitive data. Although it is neither sensitive data nor lacking in protection, profiling data should also be treated more carefully, because the interpretations drawn from it present a myriad of options, from routine profiling to questionable practices.

To stratify data is basically to take the categories predetermined by the law and expand them, without altering their substance, in order to create additional filters that favour control and safety, considering the individualities of each business environment.

Therefore, for example, companies that store health data can establish subcategories of sensitive data and assign them safer handling, and companies can segregate part of their employees' data to improve the efficiency of its processing. The idea is to redesign the map of personal data, increasing its visibility and improving its management.

The advantages are many:

  • centralised processing control, which is a requirement of both the LGPD and the GDPR, and is considered good practice;
  • improvements in efficiency and effectiveness;
  • greater selectivity in accessing databases;
  • more focused effectiveness of security procedures;
  • data governance planning can be refined; and
  • the cost profile throughout the control process does not differ much from the traditional system.

Biometrics

In essence, biometrics works with the capture and analysis (associative or combinatorial) of elements and the physical and behavioural characteristics of people, in order to identify them or make them identifiable. Examples include voice, finger and palm prints, iris and retinal maps, and facial geometry, and these can be divided into definitive (ie, those that do not change over time) and unstable (ie, those that can change with age or external interventions).

Biometric data is on the rise, with things like heart rate, body mass and eye scanning – even DNA – gaining more use every day. However, this brings unknown and unmeasured risks, which soon turn into costs, impacting people, business and companies.

An example of this is that biometric data is being used to allow users to log in to and access devices, applications and programs, even though it does not yet replace passwords. In fact, such data provides an additional method of approving or rejecting login attempts, by unlocking the password more quickly.

The problem is that biometrics has at least two points of attention:

  • a change in the individual's physical characteristics, even if minimal or ephemeral, can affect biometric identification and even render it impractical; and
  • unlike a password, biometric data cannot be changed at the user's discretion, and is therefore intrinsically insufficient for a very high level of security.

Another point is that a password can be discarded without much trouble, but biometric data creates a greater vulnerability because it is part of a person. After all, an individual cannot change the geometry of their face or the pattern of their iris, at least not to a degree that allows protection against hacking or the hijacking of information.

This is exactly why attention is turning to multibiometrics, a variant of routine biometrics whose most prominent advantage is to increase the security and granularity of a person's identifiability. In addition, some developers are already working with another new concept in biometrics: traceable redundancy. This system allows biometric data to be logically combined with one another (a "swap trace") and compared, so that changes in physical characteristics are detected and stored as soon as the holder makes their first access. As a result, changes in an individual's personal characteristics no longer have such a decisive influence on security and privacy, providing more protected and consistent access.

But new challenges are on the horizon, such as how companies can simultaneously ensure compliant treatment of their employees' biometric data (sensitive data, LGPD, Article 5, II) and protect their own strategic information.

Some trends call for more effective regulation, such as the use of facial recognition at work (remote or not) to "judge" employees' emotions, interest and commitment, which may lead to accusations of discrimination and breaches of "essential privacy". This technology ("data processing for affect recognition") could identify people by their intimate feelings, behavioural traits, emotional health and professional commitment, which critics say threatens the equal treatment (isonomy) of individuals, including in access to opportunities. Critics also say that the trend could make it easier to monitor employees at work to see whether they engage in activities that are private or contrary to their employer's interests, a reference to "people analysis" using biometric data.

In a less controversial vein, the following three trends have stood out.

  • Homomorphic Cryptography: called dynamic cryptography, this envisions protecting personal data in the "in-process" position, making the processor handle the data without accessing its contents, as it will not need to decrypt and re-encrypt it, as in old cryptography.
  • Secure Multiple Processing (SMP): organisations generally want to protect data in its static or in-transit position, but the biggest challenge is to protect it during processing. In SMP, the processing is distributed between a focal processor and some "contributor" processors, which allows the creation of a more effective safety net ("notoriety").
  • Verifiable Logical Processing: the processing of the data is shared between at least two organisations, the sharer and the receiver, whose processing activities are governed by verification frameworks that are under the domain of the former. This means that the latter will always depend on parameters that only the former owns.
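To make the homomorphic cryptography trend concrete, the following is an added illustration that is not part of this chapter: it uses the Paillier cryptosystem, which is additively homomorphic, so a processor holding only the public key can total encrypted values (here, constructed weekly working hours) while only the key holder can read the result. The primes are toy-sized constants chosen for the example.

```python
import math
import secrets

# Toy Paillier parameters: two small primes constructed for illustration only.
# Real deployments use primes of 1024 bits or more.
P, Q = 1000003, 1000033


def keygen(p=P, q=Q):
    """Return ((n, g), (lam, mu)) Paillier public and private keys."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    mu = pow(lam, -1, n)  # with g = n+1, L(g^lam mod n^2) == lam mod n
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with a fresh random blinding factor r."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m from ciphertext c using the private key (lam, mu)."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n  # Paillier's L function
    return (l_value * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def processor_total(pub, ciphertexts):
    """What the processor does: it sums values it cannot read (public key only)."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    pub, priv = keygen()
    hours = [38, 41, 35, 40]  # constructed sample: hours worked per employee
    enc_total = processor_total(pub, [encrypt(pub, h) for h in hours])
    return decrypt(pub, priv, enc_total)  # only the key holder learns 154
```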

Despite these trends, one problem will persist for a long time yet: the regulatory ethics of handling biometric data. Both the GDPR and the LGPD have tried to address this, but with little success. Issues such as service biometrics (the processing of personal data to provide facilities and conveniences) and business biometrics (which aims to protect sensitive organisational data from prying eyes and malicious parties by using biometric data as a security framework) are still far from a consensual legal basis.

The Pandemic and Remote Work

The practice of remote working existed long before the global COVID-19 pandemic, which served to accelerate the pace of its uptake.

Trends on data protection and privacy

Remote work performed outside the company's ordinary physical base, including options for home working and extended offices, maintains the same relationship with personal data – ie, nothing changes in terms of the stationary or processing position. But when it comes to data traffic (movement), everything changes.

The following four trends are key.

  • ENELP Criterion (Essentiality, Necessity, Legitimacy and Proportionality), under which four questions are asked:
    1. what data is essential for remote work?
    2. what is the need to process personal data in that work?
    3. on what is the processing based?
    4. how is proportionality established between remote work and the data processed in it?
  • Invasive Protocol, where what matters is to create and implement a set of rules – and not just talk about "additions" or "complements" to the employment contract – that regulate the exact nature of remote work and its relationship with the need, or not, to process personal data (if determined or not).
  • Notorious Service Level Agreement (NSLA), under which the organisation and its employees must establish the procedures for processing personal data, considering aspects such as retractability (suspension of irregular processing before it causes damage to the holder), what to do in case of a data breach and how the periodic control of processing should be done.
  • Prevalence Rule, which is a mechanism according to which the organisation continues to act as the controller responsible for the treatment of personal data carried out by its employee in the modality of remote work, in order to assure the holder of the data that the company's acts prevail over those of its employees and contractors.

Trends on Legal Compliance

Data processing agents, ie, controllers and operators (LGPD, Article 5, IX), must comply with the LGPD, and so must actively monitor their practices and the exercise of the activities they perform or delegate. The LGPD does not make explicit reference to compliance, but covers this by stimulating the implementation of rules of good practice and governance (Articles 49 and 50), whose alignment with the legislation is necessary and indispensable.

The following trends stand out in remote work.

  • Each employee or provider (service or work) is a personal data processing agent, so their activities must be aligned with the company's protocols.
  • Dissemination of Privacy on Board – the activity performed by an agent (employee or service provider) must incorporate the protection of personal data.
  • Institutional Symmetry (an evolution of the concept of “corporate symmetry”) – the activity of an employee that involves the treatment of personal data must be conceptually linked to the parameters established by the company.
  • Strengthening of Normative Stability – for the holder, the regulatory agent and other characters, the employee's (or provider's) actions in relation to personal data are disciplined, positively or negatively, within the company rules.
  • Senior Level of Commitment – employees and work agents should know what they can and cannot do, in terms of processing personal data, especially sensitive and critical data.
  • Responsive Monitoring – the company must have mechanisms in place for remote verification of the employee's or provider's adherence to personal data protection and privacy rules.
  • Consistent Data Governance – the company's routine governance must evolve to include tools for the centralised control of personal data being processed through remote work, notably sensitive and critical data, with the inclusion of regulations in institutional, external and public relations documents.

Data Policy

Some time after the implementation of the GDPR, surveys were undertaken to assess the extent to which organisations had responded to the legislation, with surprising results. Some companies reacted slowly, arguing against the high costs of adaptation and the complexity of standards; some 30% were only close to acceptable compliance, and another 28% declared only minimal compliance. The scenario was similar in Brazil: a 2019 study concluded that 53% of companies were not prepared for the LGPD, although 73% admitted they expected it to have an impact on their business.

Currently, there seems to be most concern about the LGPD's penalties, which cannot yet be enforced. Demanding legal compliance is not the exclusive domain of the ANPD, since other entities – such as the National Consumer Protection Secretariat (SENACON), the Public Prosecutor's Office (Ministério Público) and regulatory authorities – may require a fast response to demands related to the LGPD. The basic idea at this point is to identify two key questions:

  • how organisations intend to deal with personal data issues; and
  • what organisations cannot fail to do in order to achieve legal compliance.

Personal Data Directive (PDD)

In personal data, especially in its interface with governance and compliance, the principle to be considered is that of institutionality: the organisation must create and implement a company framework, with standards that commit the senior management to certain levels of execution.

Personal Data Policy (PDP)

It is not always clear what a Personal Data Policy entails. Therefore, it is best to know what it is not: it is not a Privacy, Security, Treatment or Compliance Policy, but a structure that covers all these aspects.

This is in line with Part 3 of Chapter 2 of the GDPR, when it comes to the company's responsibility, which is to demonstrate that it complies with the legal precepts and to acknowledge its obligations as a controller, and with Article 24(1), which states that "the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation."

The difficulty in implementing a true Data Policy may be partly due to legal obstacles or long-established practices.

But one thing is certain: the adoption of the Data Policy is a trend that is growing in many countries, and its development can already be felt in Brazil.

Because of this, some "trends of trends" can be noted:

  • a greater focus on the company's relationship with the preservation of processed data, accountability, legal compliance and governance;
  • close relationships with the practice of data governance;
  • the adoption of the privacy standard by project and by goals;
  • alignment with the beliefs and values of the organisation;
  • a greater focus on accountability;
  • the processing of data based on protocols; and
  • the creation of a personal data reference.

Data Protection Officer and Data Consent Officer

As soon as the LGPD came into effect, it became clear that the control and monitoring of the processing of personal data would depend on a dedicated structure. The LGPD itself foresaw the figure of the Data Officer (encarregado) (Article 5, VIII), or the Data Protection Officer (DPO) as it is in the GDPR.

Some organisations soon realised the scope and relevance of the DPO, and many included it in their staff, with the following good practices for the subject:

  • a direct link to the highest level of management;
  • procedural autonomy;
  • previously defined status;
  • minimum staff; and
  • continuous updates on legislation, good practices, and their own role in the organisation.

However, one trend has been highlighted, especially in companies that undertake massive processing of personal data or whose core business is based on processing sensitive data: the adoption, alongside the DPO, of a Data Consent Officer (DCO). Although there are no recorded instances in Brazil, the DCO has been viewed with good will – not only because of its strategic role in the control and monitoring of consent processes, but also because its performance in conjunction with the DPO can refine internal controls on personal data, favour greater protection and security and mitigate risks in the management of data collected under the consent of its owner (LGPD, Articles 5, XII, 7, I, and 11, I).

Lopes Pinto, Nagasse

Rua Helena . 235 . 4º andar
Vila Olímpia . cep: 04552-050
São Paulo, SP
Brazil

+55 11 2665 9200

contato@lopespinto.com.br www.lopespinto.com

Trends and Development

Authors



Lopes Pinto, Nagasse is based in São Paulo and has extensive expertise in corporate and business law, tax and planning, data protection (LGPD and GDPR), contracts, digital assets law, blockchain, transportation, logistics, labour, infrastructure, agribusiness, banking and finance, life sciences, civil law, corporate governance, compliance, technology law, and legal risks. The team is composed of respected professionals with strong experience in national and multinational organisations and law firms, who are accustomed to dealing with matters and challenges facing companies and businesses.
