Hélio Ferreira Moraes – senior partner
On August 15, 2018, the Brazilian General Data Protection Law (in Portuguese, "Lei Geral de Proteção de Dados – LGPD"), Law No. 13,709, was published. It was inspired by the European GDPR (General Data Protection Regulation), which came into force on May 25, 2018, and by other data protection laws around the world.
What is the objective of the Brazilian General Data Protection Law?
The objective of the LGPD is to regulate the processing of personal data, including by digital means, by natural persons and by private or public entities, in order to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person. It covers the data of consumers, employees and any other natural person, regardless of the country in which the processing entity is headquartered or the data is located. The LGPD applies whenever the processing is carried out within Brazilian territory, whenever the processing aims to offer or provide goods or services to individuals located in Brazil or to process the data of such individuals, or whenever the personal data was collected within Brazilian territory.
What is personal data? What is sensitive personal data?
Personal data is any information related to an identified or identifiable natural person (the data subject), such as name, address, e-mail, age, marital status and financial standing, in any format (paper, electronic, computerized, sound, image etc.).
Sensitive personal data is personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a union or of an organization of a religious, philosophical or political nature, data relating to health or sex life, and genetic or biometric data, whenever linked to a natural person.
What are the main rights of data subjects? And, in the case of a child, what additional precautions apply?
The data subject must be informed, in a clear, adequate and conspicuous manner, of the purpose, form and duration of the processing, the identity of the controller, any sharing of the data, the responsibilities of the agents that will carry out the processing and the subject's rights.
Data subjects are entitled to obtain from the controller: (i) confirmation that processing is taking place; (ii) access to the data, within 15 days of the request; (iii) correction of incomplete, inaccurate or outdated data; (iv) anonymization, blocking or deletion of data that is unnecessary, excessive or processed unlawfully; (v) data portability; (vi) deletion of data processed on the basis of consent; (vii) information on the entities with which the data has been shared; (viii) information on the possibility of refusing consent and the consequences of refusal; (ix) withdrawal of consent; and (x) review of decisions made solely on the basis of automated processing, including the definition of personal, professional, consumer or credit profiles or aspects of the subject's personality.
Children's personal data may only be processed with the specific and conspicuous consent of at least one parent or of the legal guardian. Without such consent, children's data may be collected only when necessary to contact the parents or legal guardian, in which case it may be used only once and must not be stored, or when necessary for the child's protection; in no case may it be transferred to third parties without that consent. Participation in Internet games and applications may not be conditioned on the provision of personal data beyond what is strictly necessary for the activity.
Which companies are affected by the Brazilian General Data Protection Law? Technology companies only?
The LGPD affects not only technology companies but every company that processes personal data. The law defines the processing agents, which may be natural persons or public or private legal entities: the controller, which makes the decisions regarding the processing of personal data, and the processor, which processes personal data on behalf of the controller, in the same manner as under the GDPR.
When are the companies allowed to lawfully process personal data? And sensitive data?
Processing agents may process personal data: (i) with the data subject's consent; (ii) to comply with a legal or regulatory obligation of the controller; (iii) in the case of the public administration, for the processing and shared use of data necessary for the performance of public policies; (iv) for studies carried out by research bodies, with the data anonymized whenever possible; (v) for the protection of the life or physical safety of the data subject or a third party; (vi) for the protection of health, in procedures carried out by health professionals; (vii) for the performance of an agreement with the data subject, or at the subject's request in preliminary steps to such an agreement; (viii) for the exercise of rights in judicial, administrative or arbitration proceedings; (ix) in the controller's legitimate interests, provided the data subject's fundamental rights and freedoms do not prevail; or (x) for credit protection.
Processing of sensitive personal data is prohibited, except with the data subject's specific and conspicuous consent for specific purposes, or, without such consent, when indispensable for: (i) compliance with a legal or regulatory obligation of the controller; (ii) the performance of public policies by the public administration; (iii) studies carried out by a research body, with anonymization whenever possible; (iv) the regular exercise of rights, including in agreements and in judicial, administrative or arbitration proceedings; (v) the protection of the life or physical safety of the data subject or a third party; (vi) the protection of health, in procedures carried out by health professionals; or (vii) the prevention of fraud and the safety of the data subject.
What precautions should companies take when obtaining consent?
Consent must be given for specific purposes; a generic consent is void. It may be given by any means that demonstrates the data subject's will, provided that, when given in writing, it appears in a clause separate from the other contractual clauses. Consent may be withdrawn at any time upon the data subject's express request, through a free and easy procedure.
The burden of proving that consent was obtained in accordance with the law rests with the controller. Consent is waived, however, for data manifestly made public by the data subject.
May adhesion contracts condition the use of a service on the provision of personal data?
In adhesion agreements, the processing of personal data may be a condition for the provision of a product or service, provided the data subject is conspicuously informed of this fact.
Are companies allowed to transfer data abroad?
Personal data may be transferred abroad only when: (i) the destination country or international organization provides a degree of personal data protection adequate to that of the Brazilian law; (ii) the controller offers and proves compliance with the principles, rights and guarantees of the LGPD, by means of: a) specific contractual clauses for a given transfer; b) standard contractual clauses; c) global corporate rules; or d) regularly issued seals, certificates and codes of conduct; (iii) the transfer is required for international legal cooperation among public intelligence, investigation and prosecution bodies; (iv) the transfer is required for the protection of the life or physical safety of the data subject or a third party; (v) the Brazilian national authority authorizes the transfer; (vi) the transfer results from an international cooperation agreement; (vii) the transfer is required for the performance of a public policy or of a legal attribution of the public service; (viii) the data subject has given specific and conspicuous consent to the transfer; or (ix) the transfer is required for compliance with a legal or regulatory obligation, for the performance of an agreement or for the regular exercise of rights in proceedings.
What are the penalties and liabilities for non-compliance with the Brazilian General Data Protection Law?
Those who fail to comply with the LGPD are subject to administrative sanctions ranging from a warning to fines of up to two percent (2%) of their revenues, capped at R$ 50 million per infringement, as well as publication of the infringement and blocking or deletion of the personal data concerned.
A controller that causes property damage, pain and suffering, or individual or collective damage through its processing is liable to repair it. The court may reverse the burden of proof in favor of the data subject, and the controller is jointly liable with the processor when both are directly involved in the processing. The processor is jointly liable for damages caused by the processing when it fails to comply with its duties under the data protection legislation or does not follow the controller's lawful instructions.
To be exempt from liability for the processing, a company must prove that: (i) it did not carry out the personal data processing attributed to it; (ii) although it carried out the processing, there was no violation of the data protection legislation; or (iii) the damage results from the exclusive fault of the data subject or of a third party.
How should companies prepare?
The key points of attention that companies should assess in their personal data processing operations are listed below:
Data Protection Impact Report
The controller may be required by the Brazilian national authority to prepare a personal data protection impact report (similar to the DPIA [Data Protection Impact Assessment] under the GDPR), including with regard to sensitive data processed in its operations. The report must describe the processing operations that may give rise to risks to civil liberties and fundamental rights, including the nature of the data collected and the methodology used for its collection, the safeguards adopted for information security, and the controller's analysis of the measures, safeguards and risk mitigation mechanisms implemented.
Companies must keep records of the personal data processing operations they carry out, in particular those based on legitimate interests. The Brazilian national authority may issue rules on interoperability standards for portability, free access to data and security, and on the retention period of such records, with special regard to necessity and transparency.
Person in Charge of Personal Data Processing
The general rule is that the controller must appoint a person in charge of personal data processing (the equivalent of a data protection officer). The Brazilian national authority may, however, issue complementary rules on the appointment and duties of the person in charge, including cases in which the appointment is waived according to the nature and size of the entity or the volume of its processing operations. Where the appointment is required, the company must publicly disclose the identity and contact information of the person in charge, preferably on its website. The person in charge is responsible for: (i) accepting complaints and communications from data subjects, providing clarifications and adopting measures; (ii) receiving communications from the Brazilian national authority and adopting measures; (iii) providing guidance to employees and contractors on personal data protection practices; and (iv) carrying out any further duties set forth by the controller or in complementary rules.
Companies must assess whether their personal data processing is carried out securely, taking into account the manner in which it is carried out, the expected outcome and the reasonably foreseeable risks, as well as the processing techniques available at the time. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any other form of improper or unlawful processing.
Security measures must be applied from the conception stage of a product or service through to its performance (privacy by design). Systems used for personal data processing must be structured to meet the security requirements, the good practice and governance standards, the general principles set forth in the LGPD and other regulatory rules (privacy by default).
Notice of Breach
The controller must notify both the Brazilian national authority and the data subject of any security incident that may cause relevant risk or damage to data subjects. The notice deadline is to be defined by the Brazilian national authority, which may, according to the severity of the incident, order public disclosure of the fact in the media and determine measures to reverse or mitigate the incident's effects.
Self-Regulation of Good Practices and Governance
Processing agents may formulate good practice and governance rules that set forth the conditions of organization, the operating regime and the procedures, including those for complaints and requests from data subjects, the security rules and technical standards, the specific duties of the various parties involved in the processing, educational actions, internal mechanisms for supervision and risk mitigation, and other matters related to personal data processing.
Under such good practice rules, processing agents should implement and operate an effective privacy governance program which: (i) demonstrates the controller's commitment to adopting internal processes and policies that ensure compliance with data protection rules; (ii) applies to the whole set of personal data under their control, regardless of how it was collected; (iii) is adapted to the structure, scale and volume of their operations and to the sensitivity of the data processed; (iv) establishes adequate policies and safeguards based on a process of systematic assessment of privacy impacts and risks; (v) aims to establish a relationship of trust with the data subject through transparent action and ensures mechanisms for the subject's participation; (vi) is integrated into their general governance structure and establishes and applies internal and external supervision mechanisms; (vii) includes incident response and remediation plans; and (viii) is constantly updated based on information obtained from continuous monitoring and periodic assessments.
What is the Brazilian national authority and when will it be established?
This was one of the most controversial issues of the new legislation. The Brazilian national data protection authority was created only on December 28, 2018, by Provisional Measure No. 869, which is currently under final legislative debate in the Federal Congress. The authority is therefore not yet in place, pending final approval of the Provisional Measure. It is nonetheless essential for citizens' rights and guarantees: it is the body responsible for ensuring that data protection is effectively implemented and monitored, for defining new policies, for standardizing inspections and the interpretation of rights, and for settling conflicts, thereby reducing legal disputes on data protection matters.
When does the Brazilian General Data Protection Law come into force?
The new rules will only come into force on August 16, 2020, subject to final approval of Provisional Measure No. 869, currently under final legislative debate in the Federal Congress, so that public bodies, companies and other entities have time to adapt to them.