Data protection regulation in the Brazilian jurisdiction
When looking at the data-driven economy that is currently setting the pace of the global market, new business strategies tend to emerge from companies from various sectors. Regardless of the differences between the players, such strategies tend to be grounded in the same perception that there is one specific asset with increasing potential for the generation of profit: personal data.
Beyond its economic status of being a ‘valuable asset’, however, an individual’s personal data is also his or her individual right, and is thus subject to specific protection, similar to the traditional right to privacy. As a result, the question being posed by regulators at an international level is: ‘How should the right to data protection be structured in jurisdictions around the world?’ In Brazil, for instance, this debate takes shape around the development of the General Data Protection Law (Law No. 13,709/2018 (LGPD)), which was enacted in 2018 as the first normative framework for personal data protection regulation in the country, promoting economic development in association with data subjects’ power to control the use of their personal data.
Prior to the LGPD, several sectorial norms already addressed different aspects of individuals’ privacy and data protection in Brazil, safeguarding issues such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. In this regard, following the Brazilian Federal Constitution (which laid the groundwork for the normative data protection scenario), the following legislation is relevant:
- the Brazilian Internet Act, governing the use of the internet in Brazil;
- the Consumer Protection Code; and
- the Positive Registration Law, regulating the structuring and consultation of databases with information about credit history.
In the face of this set of sparse sectorial norms and inspired by international standards (especially those provided by the European Union’s General Data Protection Regulation (GDPR)), the LGPD was published to reduce legal uncertainty. In general, the LGPD has a broader scope as it regulates the processing of personal data (such as collection, production and classification) in public and private sectors in Brazil.
As a result, even though the LGPD is a Brazilian norm, it can also reach data processing activities that take place outside Brazil. A data processing agent must comply with the LGPD whenever its data processing activities:
- are carried out in the national territory;
- have as their purpose the offering or supply of goods or services to individuals located in the national territory, or the processing of data of individuals located there; or
- involve personal data that was collected in the national territory.
The LGPD is not applicable, however, when the processing of personal data is made:
- by a natural person for exclusively private and non-economic purposes;
- exclusively for journalistic, artistic and academic purposes;
- by public authorities, and intended to be used for the promotion of public security, national defence, state security or activities of investigation and prosecution of criminal offences; or
- when the data originates outside the national territory and is not the object of communication, shared use of data with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin (as long as the country of origin provides a level of personal data protection adequate to that established in the LGPD).
Regardless of such specific scenarios, it is clear that the LGPD has the potential to impact foreign and local business with its series of safeguards. In fact, compliance with data protection regulation has been a relevant factor in the market when it comes to the establishment of commercial relationships. Not only is there a gradually growing concern from data subjects about how their personal data will be processed by companies, but also from other business partners who tend to demand contractual data protection clauses or even LGPD compliance audits prior to entering into commercial agreements. Arising from such concerns, Brazil’s current data protection litigation framework also promotes companies’ conformity to the data protection regulation insofar as data protection is gradually becoming subject to analysis by the courts (discussed in detail below).
Aside from the Brazilian courts, administrative regulatory bodies such as the recently created National Data Protection Authority (ANPD) have the means to ensure enforcement of the data protection regulation. Just like data protection authorities (DPAs) from other jurisdictions, the ANPD has a central role in structuring the Brazilian data protection culture, as it is responsible not only for imposing administrative sanctions for breaching the LGPD, but also for regulating the normative parameters and guidelines. In line with this, the ANPD’s Strategic Plan sets forth that the ANPD envisions its objective as ‘ensuring the protection of personal data’ (its mission); seeking ‘to become an example to be pursued, in the national and international levels in the Personal Data Protection scenario’ (its vision); and acting, to do so, with ‘ethics, transparency, integrity, impartiality, efficiency and accountability’ (its values).
As a result, the macro-strategic objectives that the ANPD aims to achieve in the coming years include:
- the promotion and strengthening of the personal data protection culture, which involves strategic activities to prevent and detect any infringements to the LGPD, and the development of campaigns to promote the training and guiding of data processing agents and society in general (thus enabling a more active dialogue with private and governmental institutions);
- the establishment of an effective regulatory environment for personal data protection, including definition of the ANPD’s priorities in the face of its regulatory agenda, approval of specific regulation topics to be discussed later and establishment of procedures and mechanisms to promptly address identified data breaches and received complaints; and
- the improvement of the conditions for compliance with data protection normative provisions, which brings together, in turn, actions aimed at ensuring an adequate and sufficient structure, as well as physical and budgetary conditions for the proper functioning of the ANPD.
Before the ANPD was established, other sectorial agencies were already enforcing Brazilian data protection rules (even before the LGPD entered into force), including the federal consumer agency, the consumer protection agency of São Paulo State and the public prosecutor's office of the Brazilian Federal District. How they will work alongside the ANPD is something to keep track of in the coming months.
Brazilian general data protection and the LGPD
Personal data processing framework
When diving deeper into the LGPD’s regulatory framework, a preliminary question arises: what is at stake when it comes to the ‘processing of personal data’? Under the LGPD, personal data is any information related to an identified or identifiable natural person (who is, in turn, the ‘data subject’), and a data processing agent (either a controller or a processor) that merely collects such information is already processing personal data.
The LGPD has a list of ‘sensitive personal data’ that consists of a specific category of personal information that requires a greater degree of legal protection in the face of the discriminatory potential that may arise from its processing. In this regard, similar to a ‘special category of data’ in the GDPR, the sensitive personal data category includes personal data on:
- racial or ethnic origin;
- religious belief;
- political opinion;
- membership of a trade union or of a religious, philosophical or political organisation;
- data relating to health or sex life; and
- genetic or biometric data, whenever related to a natural person.
As a result, while personal data is that which can identify or lead to the identification of someone, sensitive data, in addition to identifying an individual, is capable of promoting discrimination of a specific data subject.
Pursuant to such definitions, a series of safeguards are imposed in the data protection regulation in connection with the processing of personal data. For instance, the LGPD provides a closed list of hypotheses in which data processing activities are valid and lawful. These legal conditions, better known as ‘legal bases’, cover different possible scenarios for legitimising processing activities. Processing agents must perform preliminary assessments aimed at identifying the most appropriate legal basis for each of their activities, weighing aspects such as how robust each legal basis is against future challenge (consent, for instance, can be revoked by the data subject at any time) and which additional measures each one requires.
In connection with the data protection assumptions set above, the LGPD sets a series of general principles that should guide the processing of personal data, regardless of the scope of agents’ activities. These principles act as guidelines to ensure that:
- the processing of personal data is within the limits that are conveyed to the data subjects;
- the data subjects can enquire about the processing activities that take place regarding access to their data and information clearly and without difficulty; and
- the data processing agents will adopt concrete and preventive measures to guarantee the security of personal data.
With regard to the limits of data processing (pursuant to the principles of ‘purpose’, ‘suitability’, ‘necessity’ and ‘non-discrimination’), such activities must take place only for legitimate, specific and explicit purposes of which the data subject is informed (without subsequent processing that is incompatible with these purposes). To achieve this, data processing agents should limit the collection of data to the minimum amount necessary to achieve their purposes, using data that is relevant, proportional and non-excessive in connection with the purposes of the data processing. As a result, whenever personal data is no longer needed for the purpose or means previously conveyed to the data subjects, the data processing agents should delete it (or anonymise it) to avoid unnecessary storage of information.
When analysing transparency obligations (taking into account the principles of ‘free access’, ‘transparency’ and ‘quality of data’), data subjects should have easy access to all relevant information about the processing of their data, and data processing agents should present clear, appropriate and complete information on, among other things:
- the specific purpose of the operation;
- how and for how long the data will be processed;
- the processing agents involved; and
- who they will share the data with.
All of these measures are deeply connected with the LGPD’s main goals of granting the data subjects the power to control their personal data; after all, such power can only be made possible with prior access to information about the processing activities in place.
Finally, regarding the need to ensure the security of personal data (in connection with the principles of ‘security’, ‘prevention’ and ‘accountability’), data processing agents should use technical and administrative measures to protect the personal data from unauthorised access and from accidental or unlawful situations that may figure as data breaches. In addition, the agents should be capable of demonstrating that they can adopt effective measures that ensure compliance with the personal data protection rules.
Data subjects’ rights
Pursuant to the LGPD’s primary goal of ensuring data subjects’ control over their personal information, the legislation also sets out specific rights that are inherent to an individual’s status of being a ‘data subject’. In this regard, at any time and with a free and facilitated procedure, data subjects may request from controllers that their rights be fulfilled, including:
- the right to confirm the existence of processing, that is, to confirm whether personal information about the data subject is being processed by the controller;
- the right to access, which includes the request that the controller disclose, in a clear, adequate and ostensible way, information regarding the personal data being processed (such as what personal information is being used, for what purposes, for how long it will be stored and with whom it is shared);
- the right to correction, that is, to request that the controller correct any incorrect, incomplete or out-of-date information it has about the data subject;
- the right to anonymisation, that is, to request that the controller depersonalise the data subject’s personal data (so there is no possibility of direct or indirect association);
- the right to block, that is, to request that the controller suspend the processing of the data subject’s personal data;
- the right to delete, that is, to request that the controller delete any personal information about the data subject that it had previously collected (insofar as the personal data in question was collected with the data subject’s consent or if such information is considered unnecessary, excessive or was processed in non-compliance with the LGPD’s provisions);
- the right to portability, that is, to request that the controller provide the data subject with their personal data in a structured, commonly used and machine-readable format in order to transmit that data to another controller;
- the right to information, that is, to request that the controller provide details of any public and private entities with which the personal data has been shared, as well as inform about the possibility of denying consent and the consequences of such denial;
- the right to opt-out, that is, to request that, from the moment of revocation of consent onwards, the data controller no longer process any data that the data subject had once consented to; and
- the right to review decisions based on automated processing, that is, to request that the data controller provide clear and adequate information regarding the criteria and procedures used to generate a decision that was taken solely on the basis of automated processing of the data subject’s personal data and that affects the data subject’s interests.
The data protection officer
Another figure created by the LGPD to promote the local development of a data protection culture and to assist data processing agents in compliance with the LGPD is the data protection officer (DPO). The DPO acts as a communication channel between the data controller, its data subjects and the ANPD. In this regard, the DPO is responsible for providing necessary clarifications and receiving complaints and other requests from data subjects (as well as official notices from the ANPD).
Beyond this outward-facing role, a DPO is a leading figure in the development of a data protection culture and should feature strongly in a data processing agent’s daily activities (a ‘privacy by design’ culture). There are various strategies that can be pursued to achieve this, such as standardisation and consolidation of internal procedures, and development of data protection awareness and training.
Regardless of the provisions already set forth, there is still uncertainty in the LGPD regarding the role of the DPO. As a result, the ANPD has established that, in Phase II of its Regulatory Agenda, it will regulate the extent of DPOs’ activities, specifying the scope of their actions as well as the possibility of a controller’s waiver from having a DPO.
Violations to the data protection regulation
Even when a data processing agent adopts the expected and necessary preventive measures, a data breach may still arise from its processing activities, so response procedures should be in place in advance. A data breach is understood to be any unauthorised access or any accidental or unlawful situation of destruction, loss, modification, communication or any other form of inappropriate or unlawful processing of personal data.
When facing a data breach, the LGPD establishes that there are specific situations in which the data controller needs to notify both the affected data subjects and the ANPD about the incident. Broadly, the LGPD provides that notifications should be made whenever the data breach may create relevant risk or damage to the data subjects.
As the LGPD itself does not define what counts as ‘relevant risk or damage to the data subjects’, the ANPD provides preliminary criteria for this evaluation in its Data Breach Notification Guidelines, pending official regulation on the matter. Even though the ANPD has not yet regulated detailed procedures on how data processing agents should proceed when facing a data breach, its Guidelines serve as a standard of best practice that data processing agents can use when deciding whether and how to notify.
According to the ANPD’s Guidelines, the probability of a breach resulting in risk or damage to the data subjects will be greater when it involves sensitive personal data and data from legally vulnerable individuals (eg, children and adolescents). In addition, the Guidelines set forth that a data breach shall be considered relevant whenever it has the potential to inflict material or moral damage on the data subjects, for example:
- leads to discrimination;
- violates their image rights;
- impacts their reputation; or
- results in financial fraud or identity theft.
As a result, whenever the breach involves relevant risk or damage to the affected data subjects, it should be notified to both the ANPD and the individuals. Depending on the impact of the violation under analysis, the ANPD may also impose sanctions such as a warning, public disclosure of the infraction and fines of up to 2 per cent of the company’s revenue in Brazil in its last financial year, capped at 50 million reais per infraction. Given that the LGPD’s sanction provisions entered into force in August 2021, the ANPD is currently invested with the power to sanction data processing agents where necessary. Before doing so, however, the ANPD must first regulate the specific criteria and procedures to be adopted when applying the sanctions set forth in the LGPD, which is scheduled to take place by the end of 2021 (pursuant to its Regulatory Agenda).
Data protection and public health during the covid-19 pandemic
In the midst of the global coronavirus pandemic, a new set of concerns has arisen in the operation of various public and private entities. Preventive measures such as identifying employees who may have tested positive have become a recurrent practice in the face of the highly contagious nature of the virus. Such analysis cannot be made, however, without processing data about individuals’ health conditions, which falls under the ‘sensitive personal data’ category (including information concerning health or sex life and genetic or biometric data, when related to a natural person).
Despite the higher level of protection that controllers must uphold for this category (due to the discriminatory potential that arises from processing such data), those preventive operations can be carried out as long as they are grounded in one of the legal bases outlined in the LGPD. Still, considering the specific nature of this data, it should not be used for any purpose other than implementing preventive measures against covid-19, and should be deleted once the situation has been resolved.
Concerning the particular measures to be taken with the collected data, it is important that no illicit or abusive discriminatory methods guide those operations. With that caveat, a controller’s use of its employees’ or visitors’ health data to maintain a safe environment is consistent with the Brazilian normative framework in light of the provisions of Law No. 13,979/2020. This regulation was incorporated in the Brazilian legal system as a response to recommendations of the World Health Organization, establishing the measures needed to deal with the public health emergency arising from the coronavirus outbreak.
Data protection litigation scenario
From a litigation perspective, administrative and court enforcement of data protection violations is a worldwide trend.
Internationally, we have seen an explosion in enforcement cases and some figures show that DPAs have imposed more than 500 fines under GDPR. In Brazil, the LGPD has been in effect for just over one year but we already have a significant number of enforcement cases. The Brazilian DPA has only recently been created, and is expected to take action in the near future. However, some consumer authorities, at both federal and state levels, are currently enforcing the LGPD. Brazil has more than 5,000 authorities in the consumer protection system, some more active than others in terms of privacy and data protection. Among them, three authorities are very active in this field:
- the federal consumer agency (SENACON);
- the consumer protection agency of the São Paulo state (PROCON São Paulo); and
- the state public prosecutor of the Brazilian Federal District.
At both levels, consumer agencies can start administrative investigations and impose sanctions. The most common penalty is a fine, and amounts can reach up to 10 million reais. However, other penalties can also be imposed, such as restrictions on commercial practices or activities.
Recently, SENACON and ANPD signed a Cooperation Agreement to effectively join forces regarding data protection issues. Both entities will share information and statistics regarding consumer complaints related to personal data and educational initiatives, and work closely in cases of privacy violations affecting consumers. The Cooperation Agreement also reinforces that the Brazilian system for consumer protection is decentralised, namely, all the competent authorities have jurisdiction to investigate and sanction companies even when they refer to the same facts. Consequently, controllers and processors are subject to administrative procedures and potential penalties applied by both ANPD and SENACON whenever there is an illegal practice involving consumers (ANPD concerning the provisions set by the LGPD; and SENACON concerning the consumer protection legal provisions).
Court litigation is also of great concern because there are certain conditions in Brazil that stimulate litigation, such as free litigation if individuals claim up to 40 minimum wages, including non-material damages, and free litigation for class actions; in other words, those entities that are entitled to file class actions under the law do not need to pay court fees or attorney fees even if they lose the case.
In 2020, in a unique case involving contact tracing mechanisms to slow the spread of the pandemic, the Brazilian Supreme Court ruled to not allow such measures because they would constitute a violation of privacy. The Court affirmed that privacy is a constitutional fundamental right. In the Brazilian legal environment, this message from the Supreme Court and this special and strong concept classifying privacy as a fundamental right can also stimulate litigation. The Superior Court of Justice shares the same concern and officially said it is expected to have a ‘tsunami’ of lawsuits involving LGPD, similar to what Brazil faced 30 years ago when the Consumer Defence Code was enacted.
In brief, current Brazilian privacy litigation indicates some important trends. The main issues disputed in court refer to consent, use of personal public data and the liability of controllers and processors due to data breaches.
Courts understand that consent is a fragile legal basis for data processing, and that it raises many questions, such as choosing between opt-in or opt-out systems, and how to comply with the duty of transparency and clear information. Although the law does not expressly specify, the first cases ruled indicate that an opt-out system would not be appropriate, as consent should be freely given. Concerning information and transparency duties, judges and authorities analyse privacy policies in depth to verify whether the processing is perfectly clear to the data subject and, often, they conclude that it is not.
As far as the use of publicly available personal data is concerned, the LGPD authorises the use of public data for legitimate purposes and treats it as an independent legal basis. In Brazil, it is common to use public data for credit scoring and there is no dispute about it. Potential issues arise when public data used by credit-scoring entities is commercialised for advertising purposes and client prospecting. A recent court decision held that this commercialisation does not meet the legitimate purpose requirement.
As is the case worldwide, there are many investigations and lawsuits regarding data breach in Brazil. Although we do not have a final decision on any yet, the discussions are focused on evidence, from the implementation of practices to the extent of the damages and the measures adopted after the incident. The liability regime (subjective or strict) to be applied in such cases is also strongly disputed, including if controllers are subject to indemnification to non-material damages in any case, or only under certain circumstances.
Next steps in data protection regulation
Finally, it should be noted that Brazilian data protection regulation is still under construction. The LGPD acts as a general law that addresses Brazilian demands with regard to the establishment of a normative framework capable of setting the terrain for more legal certainty around the sparse data protection regulation in the country. In any case, further details are still pending regulation for the LGPD to become fully operational, thus mitigating questions that arise from the implementation of its provisions on the market’s daily activities.
Pursuant to such assumptions, the ANPD has stepped up in this discussion: it is collecting contributions from civil society for the future regulation of unclear issues set forth in the LGPD. Such contributions address, for instance, the metrics to be adopted when assessing risks related to data breaches, as well as the design of specific regulation applicable to micro and small businesses and to incremental or disruptive business initiatives that present themselves as start-ups or innovation companies.
To better establish the schedule of its future activities, the ANPD has published its Regulatory Agenda for the 2021–2022 biennium. The Agenda organised several LGPD topics that are pending regulation by the ANPD in three phases:
- Phase I includes initiatives expected to be implemented in up to a year;
- Phase II includes initiatives expected to be implemented in up to a year and six months; and
- Phase III includes activities expected to be implemented in up to two years.
In Phase I, besides the drafting of the ANPD’s Internal Regulation and Strategic Planning (both of which have already been completed), the ANPD shall discuss:
- data and privacy protection for small and medium-sized companies, start-ups and individuals who process personal data for economic purposes;
- establishment of regulations for the application of article 52 and following of LGPD (legal sanctions);
- communication of incidents and specification of the notification period; and
- the scope and implementation of the Data Protection Impact Assessment.
Phase II shall include further regulation on:
- DPOs; and
- specificities regarding international transfer of personal data.
Phase III shall regulate further aspects concerning:
- data subject rights; and
- the lawful processing of personal data.
Considering the number of relevant topics to be addressed, every six months the ANPD’s General Coordination of Standardisation will prepare a report with the status of each topic.
It is clear that the LGPD will be further defined in the coming years, both by the ANPD and by the courts that shall interpret this norm in future cases. In any case, even though current questions and uncertainties are being addressed, new challenges and opportunities will inevitably come to light, promoting a constant update of Brazilian data protection regulation with the aim of ensuring the pursuance of its goals and safeguards in the national jurisdiction.