The Brazilian Constitution protects the privacy of all individuals as a fundamental right. The main legislative provisions in Brazil that govern the processing of personal data are:
- the Brazilian Civil Code;
- the Consumer Protection Code;
- the Information Access Act;
- the Banking Secrecy Act;
- the Wiretap Act;
- the Internet Act; and
- the Data Protection Law (effective as of August 2020).
The most recent law on privacy protection will also have the greatest effect on how companies collect, use, process and store personal data in Brazil. In 2018, the Brazilian Congress approved Law 13,709/18, the Data Protection Law (LGPD), which was strongly influenced by the General Data Protection Regulation (GDPR) of the European Union and establishes detailed rules for the collection, use, processing and storage of personal data in Brazil. This statute applies to private and public entities in all economic sectors, in both the digital and the physical environment. The LGPD will only become effective on 16 August 2020. Until then, the Brazilian Civil Code, the Consumer Protection Code, the Information Access Act, the Banking Secrecy Act, the Wiretap Act and the Internet Act are the main statutes governing the processing of personal data. Note that these statutes apply in specific circumstances, such as consumer relationships, data collected online and data controlled by the government, and will remain valid after the LGPD comes into force.
In order to have a clear understanding of the LGPD and its provisions regarding cybersecurity, a few terms of art require clarification, as elaborated below.
Personal data
This relates to all information related to an identified or identifiable natural person, that is, any data that identifies or can identify a person, such as names, numbers, identification codes, geolocations and addresses.
Sensitive personal data
This includes all personal data on racial or ethnic origin, religious belief, public opinion, union membership, or religious, philosophical or political organisation, as well as health-related data, data concerning a person’s sex life or sexual orientation, and genetic or biometric data when linked to a natural person.
Processing
This refers to every operation performed with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control, modification, communication, transfer, diffusion or extraction.
Controller
The controller is the natural or legal person, whether public or private, who has the power to make decisions regarding the processing of personal data.
Operator
The operator is the natural or legal person, whether public or private, that processes personal data on behalf of the controller.
Cybersecurity, data breaches and the LGPD
One of the requirements of the LGPD is that personal data be processed securely, using appropriate technical and organisational measures, including protection against illegal processing and against loss, destruction and accidental damage. The LGPD requires such measures to ensure a level of security commensurate with the risk posed by the processing of personal data. Further, controllers and operators must take into consideration the nature of the personal data, the scope, context and purpose of the processing, as well as the risks that may affect the rights and freedoms of data subjects.
Therefore, the key element of any cybersecurity policy is its ability to prevent an incident and, if one occurs, to react at the right time.
A security incident may be defined as an activity or conduct that affects the confidentiality, integrity or availability of personal data.
In other words, there will be a security incident when personal data is lost, destroyed, corrupted, improperly disclosed or when personal data becomes unavailable (eg, if encrypted by ransomware). Examples of these security incidents include:
- loss or theft of physical devices (such as notebooks or storage devices), or loss or theft of documents containing personal data;
- unauthorised access to personal data;
- inadvertent disclosure of personal data due to ‘human error’;
- disclosure of personal data due to a scam as a result of improper identity verification procedures;
- unauthorised third-party access;
- accidental or deliberate action or omission of a controller or operator; and
- alteration of personal data without permission.
According to the LGPD, when a data incident occurs that may result in relevant risk or harm to individuals, a report must be sent to the National Data Protection Authority (ANPD) within a reasonable time and, where required by the ANPD or otherwise by law, to the affected data subjects. The existence of the ANPD does not prevent sectoral agencies from imposing other cyber-related rules, such as the Brazilian Central Bank with Resolution 4,658/2018.
The LGPD defines personal data as ‘information related to an identified or identifiable natural person’. Data processing activities are subject to the principles set out in the LGPD and must be founded on one or more of the following legal bases set out in that legislation:
- the data subject consents to the processing;
- the data processing is required to comply with a legal or regulatory obligation;
- the processing is necessary for the performance of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the request of the data subject;
- the processing is necessary to meet the legitimate interest of the data controller or third parties;
- the processing is for the purposes of the regular exercise of rights in judicial, administrative or arbitral proceedings;
- the processing is for the purposes of the protection of the life or physical safety of the data subject or third party;
- the processing is for the protection of health, in proceedings carried out by health professionals or by health entities;
- the processing is carried out by research bodies, to carry out studies, ensuring, whenever possible, the anonymisation of personal data;
- the processing is by the public administration, for the execution of public policies; and
- the processing is for the protection of credit.
There are factors to consider in a risk assessment; for example, depending on the type of data processing, the controller should carry out a permanent risk assessment of processing operations by means of a Privacy Impact Assessment (PIA) report. Further, the risk assessment should consider the likelihood and severity of damage to data subjects’ rights and freedoms in possible cases of personal data security incidents. This evaluation should cover:
- a systematic description of the intended processing operations and the purpose of the processing, including, where appropriate, the legitimate interests of the processing agent;
- an assessment of the need for and proportionality of the processing operations in relation to the objectives;
- a risk assessment for the individual rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including guarantees, security measures and procedures to demonstrate LGPD compliance.
Security incidents under LGPD
When to notify an incident?
Whenever an incident takes place, a notification must be sent from the controller to the ANPD and to the holder of the personal data. This must be sent within a reasonable time frame. If the breach of personal data does not pose a relevant threat to the rights and freedoms of the data subjects (for example, where the data is anonymised or encrypted), it may be considered an exception to the need to notify the holders of personal data.
If the notification to the sectoral regulators, the data protection authority and the holder is not transmitted within a reasonable time, and no consistent justification is provided, sanctions may apply. The continued monitoring of protective and organisational measures to ascertain the occurrence and causes of a security incident is of particular pertinence.
What to expect from the controller and operator?
The LGPD is consistent and clear about the need for the controller to forward security incident notification to the ANPD and data subjects within a reasonable time frame after having knowledge of the incident.
The first step to be taken by the controller is to investigate the incident in conjunction with a technical adviser, to identify whether personal data has actually been compromised and, if so, to take appropriate action.
In addition to the general plan for conducting the investigation, contingency and damage mitigation, it is recommended that the controller have an action plan and a communication channel with the operator, considering their joint responsibility for the event.
As it is the responsibility of controllers and operators to put in place the appropriate measures to prevent, react to and remedy a security incident, there are some practical procedures that should be followed by both:
- gathering information regarding all security events and directing it to a responsible person (the data protection officer), who should assess the risks and be the point of contact with the authorities and regulatory bodies;
- assessing the risks to individuals and reporting them only to a restricted core of managers in the company; and
- notifying the ANPD and affected individuals if and when necessary.
At the same time, the controller must act to contain the incident and produce a record and documentation while the incident is developing.
Notification of competent authorities and regulatory bodies
Information to be provided
When the controller notifies the data protection authority or regulatory body of a potential security incident, the content of this notification must contain at least:
- a description of the nature of the personal data involved, including, if possible, the categories and approximate number of affected data subjects as well as the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point with whom further information may be obtained;
- the likely consequences of the security incident; and
- the measures taken or proposed by the controller to contain the incident and to remedy the breach of personal data.
The forms of notification vary according to the complexity of the case, and delay is only allowed when a plausible and consistent justification is provided. It is, therefore, recommended that the first notification to the supervisory authority be sent with the details of the incident that are available at the time, together with an explanation of why the remaining information cannot yet be provided; that information must then be communicated as soon as it is identified. It is of great importance that, whenever possible, findings made throughout the investigation are reported immediately.
Depending on the nature of the incident, the ANPD may require further investigation by the controller in order to establish all the relevant facts related to the incident.
Thus, the LGPD recognises that data controllers will not always have all the necessary incident information within a short time after becoming aware of it, and the notification may be carried out in stages. Notifying the ANPD and the regulatory body also involves a thorough analysis of whether the holders should be notified immediately. In exceptional cases, individuals may even be notified before the ANPD.
After making the first notification, the controller may update it if, over the course of the investigation, relevant supervening facts are discovered. Although it should be avoided, there is no penalty for reporting an incident that is subsequently found not to have occurred or not to have impacted the holders.
Depending on the circumstances, it may take some time before the controller can measure the extent of the damage. In some cases, instead of notifying each individual, the controller may make a general report that will encompass similar data compromise situations, albeit with different causes and consequences.
Notifications to affected individuals
How to act?
As mentioned above, in certain cases, the controller is required to report the incident to the affected data subjects as well as to the ANPD. The bar for notifying affected individuals is set higher than that for notifying the ANPD. Owing to this difference, not all incidents must be reported to the data subjects.
The LGPD establishes that reporting an incident to individuals must be made within a reasonable time frame as well. The primary purpose of reporting to individuals is to provide specific information about the actions being taken to mitigate such incident. Depending on the nature of the violation and the risk presented, timely communication will help individuals prevent any negative consequences of the violation.
In the event of a security incident for which a notification to affected individuals is needed, there should be a suitable public communication or similar measure to ensure that the data subjects are equally and effectively informed. Messages dedicated to reporting a data breach must not be sent together with other information, such as regular updates, newsletters or standard messages; they must be singled out so that they do not go unnoticed.
Examples of transparent communication methods include direct messaging (such as email or SMS), website banners or notifications, postal communications and advertisements.
Information to be made available to individuals
According to the LGPD, the controller should provide:
- a description of the nature of the incident;
- the name and contact details of the data protection officer or other point of contact;
- a description of the likely consequences; and
- a description of measures taken or proposed by the controller to handle the incident, including, as appropriate, measures to mitigate its possible adverse effects.
The controller should also provide specific guidance for data subjects to protect themselves from potential adverse consequences of the incident, such as password reset, system update, data encryption, etc.
Situations where notification is not required
In some situations, after due technical and legal guidance, data subjects need not be notified. For this to be the case, the controller must have taken appropriate technical and organisational measures to protect the personal data before the incident, particularly measures that make the personal data unintelligible to those not authorised to access it, such as encryption, pseudonymisation and anonymisation. In addition, immediately following the incident, the controller must take steps to ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise. For example, the controller may have identified the violation immediately and acted against the offender who accessed the personal data before anything was done with that data.
Owing to the rights to information, free access and transparency, controllers may demonstrate to the ANPD that they have fulfilled one or more of these conditions. If the ANPD considers that the decision not to notify data subjects was not well founded, it may impose sanctions (see below). Further, if a controller decides not to report an incident to the holders of personal data, the ANPD may evaluate the situation and require notification if it considers the violation to pose a significant risk to individuals.
The LGPD establishes the following sanctions that may be applied by the ANPD:
- a warning, indicating the deadline for the adoption of corrective measures;
- a fine of up to 2 per cent of the revenues of the legal entity of a private company, group or conglomerate in Brazil in its last financial year, excluding taxes, limited to a total of 50 million reais per infringement;
- daily fines, observing the total limit of 50 million reais;
- publicising the infraction after it is duly ascertained and its occurrence is confirmed;
- blocking the personal data to which the infringement refers until its regularisation;
- deletion of the personal data to which the infringement refers;
- partial suspension of database operations for up to six months;
- suspension of the processing activity for the same period; and
- partial or total prohibition of data processing activities.
The rights established by the LGPD may also be pursued and exercised in court.
Going forward, organisations will have to comply with the LGPD, reviewing and changing their processes, privacy policies and notices. Multinational organisations will have to face the additional challenge of complying with more than one regime, such as the LGPD in Brazil and the GDPR in the European Union. In the future, there is likely to be more enforcement action from Brazilian authorities, as the awareness of data subjects’ rights increases.