Brazil’s data protection law will transform risk landscape
In 2018, the Brazilian data protection law (Lei Geral de Proteção de Dados - LGPD) was passed by the legislature and, in August 2018, the former Brazilian President, Michel Temer, assented to it.
The articles concerning the creation of a National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) and the National Council for Privacy and Data Protection came into force on 28 December 2018, but all other articles of the LGPD will come into force on 20 August 2020.
This new legislation is extremely important to Brazil as it creates legal certainty, establishing rules that companies of all types and sizes must adhere to, with sanctions in case of breach. The LGPD defines important terms, such as personal data, sensitive personal data, controller, and so on. Moreover, having a National Authority for Data Protection allows Brazil to be considered adequate for cross-jurisdiction commercial agreements, and it is an important step towards the possibility of including Brazil in the OECD.
Although the articles concerning the creation of the ANPD came into force in December 2018, another law was approved by the current President of Brazil, which modified the original project of the LGPD.
Originally, the intention of the legislative project was the creation of an autonomous agency responding directly to a Ministry. However, Law 13852/2019, which amended the LGPD, ruled that the ANPD should be part of the direct public administration, reporting directly to the Brazilian Executive/President. The possibility of converting the ANPD into an Autarchy is still stated under the LGPD and, according to art 55-A, paragraph 2, if the intention is to do so, such conversion should take place within 2 years from the moment that the formal regime of the ANPD came into force.
Following the amendments inserted into the LGPD, the President of Brazil must appoint the five members of the Board of the ANPD, and such appointments must be approved by the Brazilian Senate. Since the LGPD will enter into force on 20 August 2020, it is expected that such appointments and approvals will happen prior to this date.
The creation and establishment of the Authority is a vital element of the new system under the LGPD, since several of its articles depend upon secondary regulation that should be issued by the ANPD. Examples are articles 48 and 49, as follows:
“Art 48. The controller must communicate to the National Authority and the owner of the data the occurrence of a security incident that could cause risk or relevant damage to the owner of the data.
1st Paragraph – The communication must be made within a reasonable deadline, as defined by the National Authority (…)
2nd Paragraph – The National Authority must consider the seriousness of the incident and can, if necessary, oblige the controller to adopt specific measures (…)
Art 49. The systems used to store/deal with the personal data must be developed taking into consideration the security requirements, the good practice standards and the general principles stated in this Law and additional regulatory norms”
Regarding the administrative proceedings that should be conducted by the ANPD, art 52, 1st paragraph, states that the administrative proceedings should allow the implicated companies/individuals to submit their defences and arguments prior to the imposition of any sanctions. The procedural rules of such administrative proceedings still need to be properly regulated by ANPD.
Another point that is still grey is how the ANPD will work together with other Authorities, including the Consumer Watchdog. The application of the sanctions stated under the LGPD is a monopoly of the ANPD and, in dealing with personal data and potential breaches of the LGPD, the legitimacy to deal with the issue lies with the ANPD.
The Brazilian Consumer Code codified minimum guarantees for consumers, and article 43 establishes consumers’ rights to access their personal data stored by a company. However, it is important to consider that the code dates back to 1990, and therefore relevant provisions and definitions are not considered under it, although the principles are general enough to be adapted to the modern B2C relationship.
Anyhow, it is important to take into consideration that the Consumer Code regulates the B2C relationship and the powers to impose sanctions are not as effective as the sanctions detailed under the LGPD.
The idea is that LGPD will complement the Consumer Code, but the respective Authorities must exercise their powers according to the limits established by the law. Furthermore, in Regulated Activities, such as Oil & Gas, the regulations applicable to the specific industry should be considered. Thus, it is expected that ANPD officers will be able to deal with complex matters affecting many different types of regulations and regulators with whom cooperation will be key.
Data protection cases
Whilst many of the relevant articles of the LGPD depend on further regulation, relevant cases concerning data protection are reaching the doors of companies established in Brazil and with cross-border exposure. Such cases are normally connected with hackers and niche publications that publicise how vulnerable the servers are and how exposed the personal data stored by these companies can be. The fact that the LGPD is not yet in force provides temporary protection to such companies, as they cannot be implicated in any administrative proceeding nor be sanctioned until the law comes into effect. It also shows how educative the new legislation will be, as there is clearly a need for better data protection and for adaptation by Brazilian companies to a more demanding environment.
It is clear that further regulation is necessary in order to instil the principles of certainty and responsibility that the LGPD intends to bring. However, the impression is that having the ANPD duly set up and running by 20 August 2020 is not a priority for the Brazilian Government, as there is no clear plan being executed. Considering the layers of bureaucracy that proper implementation of the law will involve, it is likely that additional time will be required for a proper set-up.
This article was first published by Insurance Day on 4 March 2020.