8 min Last updated: 24.01.2023

Data protection in Brazil: Why is the LGPD so important?

In the so-called “Internet Era”, our personal information is more exposed, so the protection of personal data has become, more than ever, essential to safeguard and ensure the rights of individuals as data subjects, especially because of the “data-driven” society in which we live, which enhances the circulation of people’s data by physical and digital means. For this reason, companies must adopt information security and corporate governance practices to avoid data breaches, fines, and possible reputational damage.

General Data Protection Law LGPD

In Brazil, this concern was materialized through the Brazilian General Data Protection Law (Law No. 13,709/2018 aka “LGPD”), which is the first general law on data protection published in the country and entered into force on September 18th, 2020, except for administrative sanctions, which became enforceable on August 1st, 2021. In this sense, what is the LGPD? Why is LGPD so important? What rules do companies have to follow? What to expect in the future regarding data protection in Brazil?

The LGPD is the regulatory framework for the protection of personal data in Brazil, which regulates the processing activities involving personal data, whether through digital means or otherwise, within and outside of the internet. The Law covers, among other issues, the rights of data subjects, the obligations of the data processing agents and of the data protection officer (in Portuguese, “Encarregado”), the parameters for information security, the requirements for the international transfer of personal data and even the instructions regarding the performance of the National Data Protection Authority (“ANPD”). The LGPD was largely based on the European General Data Protection Regulation (Resolution 2016/679 aka “GDPR”), which governs the same subject, so Brazil is now part of the group of Latin American countries that have a general data protection law.

In this respect, the LGPD is important because, since its publication and subsequent entry into force, the law has had a huge impact on the way companies use individuals’ personal data in the course of their activities. Since the legislation is very protective of data subjects and considering that it classifies the data processing activity as a ‘risky operation’ – with the imposition of strict liability on the agents –, the LGPD requires attention and careful planning on the part of companies that carry out data processing. Thus, to ensure compliance with the LGPD, Brazilian companies, or those that process data from individuals located in Brazil, will have to adopt several technical and administrative measures, as well as update their internal policies and protocols concerning the processing of their customers’, suppliers’, and employees’ data.

Contents of LGPD


It is worth noting that the Brazilian law provides for the principle of extraterritoriality in its application, which means that not only companies established in Brazil are subject to the rules set forth in the LGPD, but also entities that process or have collected data within the Brazilian territory, and companies that aim at offering or supplying goods and services to individuals located in Brazil. In addition, the processing of consumer data will demand extra care from companies, since, beyond the LGPD, it is necessary to comply with the provisions of the Brazilian Consumer Protection Code (“CDC”) and all other rules of the National Consumer Protection System, compliance with which is already being monitored by regulatory and consumer protection authorities (SENACON, PROCONS, Federal Public Ministry, etc.).

That said, the LGPD applies to any agent (individual, legal entity, or public agency) who performs data processing – a term defined in the text of the law as “any transaction carried out with personal data” – ranging from simple access to the data of employees, vendors, and consumers to storage, transfer, classification, deletion, or any other handling of such personal data. In this regard, the legislation will certainly affect several internal areas of companies, such as the Marketing, HR, IT, Legal, and Compliance sectors.

With regard to the rules that companies must comply with when processing personal data under the LGPD, we highlight the following: (i) the observance of the principles provided for in the LGPD throughout the processing of personal data of individuals, such as the principles of purpose, necessity, adequacy, and transparency, according to which the processing of personal data must have a justified and specific reason, be previously informed to the data subject, may only be conducted when necessary for the fulfillment of the purpose and appropriate to it, and provided that the data subject is guaranteed access to clear, precise, and easily accessible information; (ii) the framing of the processing activity in one of the legal bases listed in the LGPD (e.g., consent, compliance with a legal or regulatory obligation, execution of a contract, legitimate interest, etc.); (iii) the creation of mechanisms to enable the exercise of the rights of the data subjects (e.g., access to data, portability, correction, anonymization, etc.); (iv) compliance with the rules for international transfer of data; and (v) the adoption of security measures and best practices.

Processing of personal data with LGPD

The processing of personal data that fails to respect the LGPD, especially as to the rules pointed out, or when it does not provide the security that the data subject may legitimately expect from the processing agent, be it controller or processor, considering the relevant circumstances, will be considered irregular from the point of view of the Law and will subject the processing agent to the administrative penalties provided for in the LGPD, which range from a warning to a simple fine of up to 2% of the turnover of the private legal entity, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$50,000,000.00 (fifty million reais) per violation.

In other words, in this new scenario, the culture of data protection in Brazil is undergoing perceptible changes, not only from the point of view of data subjects – who, in turn, are increasingly aware of their rights – but also of companies and public agencies, primarily responsible for data processing in the country, that have been demonstrating efforts to adapt their practices to the provisions of the LGPD, in order to promote greater security for data that passes through Brazil, favoring commercial agreements and contracts, based on clear rules for the processing of personal data and even through contractual provisions regarding the obligations of the controller and the processor.

Data protection in Brazil


And this is exactly the future that is expected with regard to data protection in Brazil, that is, a society that is more aware and better prepared to guarantee the fundamental right to data protection, able to demand, create, and monitor the processing of personal data by design.

The ANPD, in this sense, is already operational and recurrently releases information and guidelines regarding the processing of personal data through documents made available on the official website in Portuguese, in order to facilitate and encourage society to adapt itself to the parameters of the LGPD, such as the Orienting Guide for the Definition of the Personal Data Processing Agents and of the Data Protection Officer. In addition, the ANPD published, on January 28th, 2021, Ordinance No. 11 of 2021, which creates the regulatory agenda and establishes and lists the 10 priority topics for the biennium 2021/2022, among which are the regulation of the procedure for reporting security incidents, which effectively has already been done by the National Authority, and the parameters for international data transfer, whose regulation is expected for the first half of 2022.

Therefore, the LGPD has had, and continues to have, a huge impact on the way companies use the personal data of individuals in the performance of their activities. For this reason, it is imperative that companies begin to adopt efficient information security and corporate governance practices as soon as possible, in order to avoid the occurrence of security incidents, the imposition of sanctions, and possible damage to their reputation.


