Brazil: General Data Protection Law in Force: What to Prioritize?

Brazil now has an effective privacy legislation, inspired by the General Data Protection Regulation (GDPR) and in line with the best international standards: on September 18, 2020, the Brazilian General Data Protection Law (LGPD) came into force (almost entirely).

The rights of the data subjects can be exercised as of now, including requests to access, correct, block and anonymize their personal information. Controllers and processors must process personal data in accordance with one of the legal bases provided by the LGPD and comply with their respective obligations established in it. The violation of legal duties by controllers and processors can lead to court liability.

Although the articles of the LGPD related to the Brazilian National Data Protection Authority (ANPD) have been in force since the end of 2018 and its regulatory structure has been defined by Decree 10,474/2020, ANPD has not yet begun its activities.

ANPD will have an important role in the “privacy ecosystem” created by the LGPD. ANPD will be responsible for regulating issues open (such as the criteria for the international transfer of personal data), guiding data subjects, controllers and processors, monitoring compliance with the LGPD, investigating security incidents and applying administrative sanctions in case of non-compliance with privacy rules.

These administrative sanctions can lead to fines of up to 10 million dollars per infraction, or even the prohibition to process personal data. The sanctions may be applied as of August 2021, when the LGPD will in force in its entirety.

Even if the ANPD has not yet been effectively created, and controllers and processors are not yet subject to the administrative sanctions of the LGPD, it is important to consider that consumer defense authorities have been applying administrative fines based on the Consumer Defense Code and that the Brazilian Ministry of Public Prosecution has already filed more than 50 civil and administrative investigations between 2017 and 2020 in situations involving the breach of consumer data. Recently, the Public Prosecutor of the Federal District of Brazil (MPDFT) and the National Consumer Secretariat (SENACOM) went public to defend that they have concurrent jurisdiction with the ANPD when it comes to the protection of consumers personal data.

Therefore the compliance with the LGPD is an immediate concern, especially because a large part of Brazilian companies has not yet completed, or even begun, the procedure for adequacy to the LGPD. This delay is understandable considering that the efforts of the productive sector were focused on facing the pandemic of COVID-19 during the last months. However, as part of the discussions regarding the return of economic activities, companies should prioritize the conformity of their activities involving personal data and sensitive information with the LGPD.

B2C companies or other companies that do businesses with some degree of data intelligence are usually those with more activities to be reviewed and adjusted during the conformity procedure. However B2B companies that do not process personal data as part of their core activities should also be concerned here. Virtually all companies carry out activities with personal data, even on a limited basis, for instance, in relation to the management of their employees personal data, the control of visitor access or the monitoring of security cameras. All of these activities must comply with the LGPD.

Other urgent measures involve the appointment of a Data Protection Officer (that may be individual or a legal entity), the review of documents, including privacy policies, privacy notices and contracts with customers and suppliers, the management of processing activities based on the data subject’s consent (since the consent may be revoked at any time by the data subject, in which case the processing must cease immediately), the definition of the role that will be assumed by the company in its processing activities (the qualification as a controller or a processor leads to different obligations), as well as the creation of procedures for responding to security incidents and mechanisms that allow timely and free response to data subjects requests.

Creating and managing a privacy governance involves significant costs and efforts for the companies. An investment that is justified, in part, by mitigating the risk of liability for non-compliance with the LGPD, but that will also add value and create competitive advantages for those who are recognized as “privacy champions”.

We live in a connected economy and we have the permanent challenge to ensure protection of personal data, while not restricting the free flow of data. That is essential to the functioning of social networks and applications that are part of our routine, but also essential for the development of new technologies like the Internet of Things. Those following the GDPR standards, and from now on the LGPD, will have better chances of success.

Marcela Waksman Ejnisman, partner at TozziniFreire Advogados

Carla do Couto Hellu Battilana, partner at TozziniFreire Advogados

Felipe Borges Lacerda Loiola, senior associate at TozziniFreire Advogados