LGPD Brazil – From August 2020, much will change in Brazil for public and private organizations that collect, treat, store, process, market, among other operations, the personal data of millions of Brazilians. Try our consent management platform and create your custom cookie banner to manage your cookies and third-party scripts on your website compliant with the GDPR and other privacy laws.
Law No. 13.709/18 (Data Protection Law – LGPD) will come into full force, regulating the policy on personal data protection and privacy, modifying some of the articles of the Internet Civil Framework and impacting other rules, drastically transforming the way companies and public agencies treat the privacy and security of user and customer information.
In Europe, the General Data Protection Regulation (GDPR) – the inspiration for Brazilian law – has been in force since May 25, 2018, causing entities and companies in the European Union to adapt before it takes effect.
But you can relax: many of the changes will be positive for both people and business!
This article will answer some fundamental questions, such as: what is the law; how, why and in what aspects it will impact your life; what measures should be taken; who to appeal to in case of violation; among other topics. Come with us!
1. What are LGPD and GDPR?
Both are sets of legal rules for the collection, storage and processing of personal data determined or determinable, carried out by individuals, companies and organizations of the State.
The Brazilian one (LGPD), is not yet in force (it is expected to come into force, with all effects, on 08/15/20). However, some of its legal aspects are beginning to be debated in light of the Internet Civil Framework and, above all, the Consumer Protection Code (CDC), following the example of the recent data leak from the Netshoes company in which the MPDFT agreed on a Conduct Adjustment Agreement (TAC) with the company.
The European Law (GDPR) is in force, establishing the rules regarding the processing of personal data relating to persons located in the European Union. It is worth remembering that Brazilian companies and state bodies that do business with European countries will have the obligation to ensure that their data processing policies comply with GDPR, under the risk of penalties, as well as loss of clientele, brand value and credibility in the international market.
2. How will the General Data Protection Act impact your life? | LGPD Brazil
The LGPD will have an impact of the most significant that a national legislation has ever enacted.
Millions of Brazilian companies work directly or indirectly with personal client data. In a few tens of thousands, this data is vital to the functioning of the business itself, such as banks, insurance companies, e-commerces. It is no exaggeration to say that the security of consumer information is essential to all transactions conducted by these companies.
The legislation is categorical: all data handled by public and private legal entities, whose owners are in the national territory; or their collection took place in the country; or even if the purpose is to offer products or services in Brazil, must be prepared.
Thus, it is not an option, but an obligation of the companies to comply with the Brazilian norms of personal data protection.
Likewise, in the case of a natural person, his/her privacy and freedom will be protected against possible breach of security that may result in risk of exposure or leakage of data, for example; or the right to have his/her data deleted from a certain database, among other possibilities.
The behavior of companies and customers will change dramatically: the former will have to have data protection policies and plans committed to protecting the privacy and security of customers and users; while people will observe the conduct of companies much more and will be more demanding with the security that institutions can offer their data.
3. What should governments, state entities and companies do to ensure privacy? | LGPD Brazil
This question will dominate the ranking of legal, economic and social debates in the coming years, as increasing traffic and the risks of attacks and data leaks affect practically all public and private initiative in a country.
Millions of personal information circulate over virtual networks every day. Data exposure on a large scale is increasingly frequent, showing the weaknesses of systems and protocols, including by those who should oversee the security of operations: the State.
Businesses will be deeply impacted, with companies and institutions being responsible for protecting themselves from eventual penalties and, as important as this, protecting themselves from negative public opinion to those who do not adapt, demonstrating an absence of reliability to the market since they cannot guarantee the protection of their databases.
4. Why the need for a law to protect personal data? | LGPD Brazil
The right to have data protected has a generic basis in the Federal Constitution of 1988. Recently, the Federal Senate approved a Proposal for an Amendment to the Constitution (PEC No. 17/2019) to include the protection of data made available on digital media in the list of individual guarantees in the Magna Carta. The Civil Landmark of the Internet recognizes this right, however, still in a vague way. It was then up to the LGPD to regulate the protection and privacy of personal data so as to make it possible to exercise it.
As already mentioned, thousands of Brazilian companies collect, store and process personal data of millions of users and clients. Have you ever wondered what these companies do with their data? Are they stored in safe places? How is the privacy of your personal data protected? Are there plans and protocols to minimize damage in case of undue exposure, attacks or security breaches?
These and other issues are within the scope of regulatory action of the Data Protection Act. From it, any and all operations involving the treatment of personal data in Brazil – whether in the virtual world or, in fact, with large conglomerates or small companies – will have to adapt to LGDP.
5. And what are data violations? | LGPD Brazil
There are several types of cyber attacks and the databases connected to the Internet are in a certain degree of vulnerability. One of the most emblematic cases of information negligence was the data leak of millions of Facebook users to the British political marketing firm, Cambridge Analytica.
In Brazil, two recent cases have been confirmed: Netshoes (seen above) and Banco Inter; and another in investigation, the credit protection company Boa Vista.
Personal data violations, according to European legislation, are characterized by:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed”.
Even if the incident only resulted in the visibility of the data to third parties, the security breach to which the law refers has already occurred.
Therefore, the company or organization should ensure that the damage caused is minimized and meet the expectations of stakeholders and society in a satisfactory manner.
6. What are your rights protected by law? | LGPD Brazil
LGPD provides full protection of your freedom, privacy, security, express consent, access to your information for correction and prompt service if you want to delete your data, among others.
Personal information protected by law are those determined or determinable. That is, any data that allows the identification of a natural person or makes it possible, such as:
- Last name;
- Document and credit card numbering;
- Bank details;
- Medical information;
- IP addresses;
- And so-called “connection statements”, better known as cookies. (if you want to know more about cookies, read our article: What are cookies ?)
Also included are “sensitive personal data” (those potentially susceptible to discrimination if exposed or leaked) such as racial or ethnic origin, religious conviction, political opinion, union membership or religious, philosophical or political organization, relating to health or sexual, genetic or biomedical life.
Your rights are: access to all personal data, enabling (via simple request) the rectification, updating, deletion, blocking, portability (the forwarding of your personal information to other companies), the listing of public and private entities with which you shared your data, among others. Without prejudice of eventual reparation of damages in Justice.
The law will not only protect digital personal data, but also those originating from paper collections, such as registration forms and promotional coupons. Data collected through images and sounds will also be included in the protection.
7. What does “consent” to the law mean and what does it have to do with your rights? | LGPD Brazil
Consent” to LGPD is a fundamental condition for the viability of an individual’s data processing operations. It represents a “free, informed and unequivocal statement by which the data subject agrees to the processing of his/her personal data for a specified purpose”.
Therefore, users must have at their disposal expressly, clearly, with accessible language, all information about the treatment their data will have, such as: the purpose for which they are being collected; the means of capture; the period of time in which they will be stored; the identification of the controller with the respective contact; whether they will be shared with third parties; what are the responsibilities of the agents who will perform the treatment; among others.
It is the data owner’s right to withdraw or revoke consent, as well as if there is a change in the purpose of the data originally collected, to give new consent.
Likewise, the owner has the right to correct or change his data. Such options available to the user or customer must be facilitated and made available free of charge.
8. How to know if your personal data is safe? | LGPD Brazil
It is the duty of companies and organizations to provide secure technologies for the protection of personal data, to use anonymization process without reversion and other techniques such as: encryption and pseudonymization. In case of leaks, communicate to the data subjects as well as maintain a data protection officer, develop risk plans and try to anticipate the impact of the incident, among other measures.
One of the most immediate actions in case of exposure and leakage is to notify the National Data Protection Authority (ANPD) within a reasonable time (to be defined by the authority itself).
It is important to mention that there are already companies working with digital certification for corporate and institutional websites, as a way to improve reliability during navigation, by attesting that the website is LGPD compliant.
9. What do I do to report irregular or illegal practices? | LGPD Brazil
Any natural person who holds personal data may petition the company or the government institution that controls their data to ANPD about violation of data protection rules.
It is recommended to first try to contact the company or organization upon express request for information or other action regarding their data. Such request shall not bear any burden to the holder. Likewise, it is possible to petition consumer protection bodies in case of silence or omission.
Companies may be held administratively liable with penalties ranging from a warning to a simple fine of 2% of annual revenues up to a limit of R$ 50 million per violation. In addition, of course, to the negative exposure in the media, a side effect of the publication of poor data management.
Finally, in cases of irregularities, legal inconformities or illicit acts, the holder of the data may also exercise his rights in court, if there is a need for compensation for material or moral damages suffered.
10. What is the National Data Protection Authority? What is it for? | LGPD Brazil
Law 13.853/19 created the National Data Protection Authority (ANPD), previously established in Provisional Measure 869/18, as part of the National Policy on Personal Data Protection and Privacy.
It is an indirect federal public administration body, under a special authority, linked to the Presidency of the Republic with the objectives of: watching over the protection of personal data; inspecting and applying administrative sanctions; promoting and disclosing information on public rules and policies regarding the protection of personal data and security measures; and promoting cooperation actions with personal data protection authorities of other countries; among other competencies.
The same rule also established the National Council for Personal Data Protection and Privacy, with representatives from the Executive, Legislative and Judiciary; the Public Prosecutor’s Office; civil society; scientific institutions; and the business sector.
This Council has among its competencies: the proposal of strategic guidelines; the elaboration of annual reports evaluating the execution of the actions of the National Data Protection Policy; the carrying out of studies and debates, etc.
The ANPD is in the phase of political conformation for the selection of members, structural guidelines, regulation and technical details for its operation. It is also awaiting full implementation of the LGPD, which will occur in August 2020.
11. Who are the agents responsible for processing personal data and what are their roles and responsibilities?
Brazilian law lists the subjects, charges and responsibilities of the so-called “treatment agents”. That’s them:
The controller – natural or legal person, of public or private law, who is responsible for decisions concerning the processing of personal data. A company or a state body which holds a collection of personal data is an example of a controller.
The operator – natural or legal person, whether governed by public or private law, who carries out the processing of personal data on behalf of the controller. An example of an operator would be a sub-contractor of the controller, contracted to process the controller’s data.
Such agents are the decision-makers for the processing of personal data (the controller) and the actual execution of the processing operations on behalf of another (the operator).
For both, the law assigns important charges, such as: the keeping and maintenance of records of the processing operations they perform; the preparation of impact reports; the communication to the ANPD and to the data subject in the event of a security incident that may cause risk or damage; the implementation of good practices and governance; among others.
As for liability, treatment agents are jointly and severally liable when they cause damage to property, moral, individual or collective, in the event of violation of personal data protection legislation, including compensation. They are also liable when they fail to adopt the security measures provided for in the legislation, in cases of breach of security by third parties, causing the damage.
Agents are not liable only when they prove that they have not carried out the processing assigned to them; that although they have carried out, there has been no breach of the law; or that the damage results from the exclusive fault of the data subject or third parties.
There is also the figure of the Data Protection Officer (Data Privacy Officer for GDPR). It is the intermediary between users (the holders of personal data), companies and government institutions (the controllers) and the National Data Protection Authority, acting as a communication channel between them. This position is fundamental for the company to make right decisions, implementing good practices and adequate institutional compliance.
Faced with so many obligations, it is essential that companies and agencies maintain mechanisms and technical, informational and legal tools to safeguard the organization in case of incidents, irregularities or misconduct.
12. What do the experts recommend for LGPD compliance? | LGPD Brazil
There are still some months for companies and state organizations to comply with the Data Protection Act, implement good and longevous governance and privacy practices, communication protocols inside and outside the institution, among other adaptations.
Experts recommend taking advantage of the scarce time by redesigning organizational management, with emphasis on a few points: the appointment of a data protection officer; conducting a full data audit; compiling temporal or life cycle maps of the data; reviewing security policies; reworking contracts with suppliers and partners; and preparing a privacy impact report.
The good part is that there are law firms specializing in this compliance. When contracting specialists, one can negotiate the implementation in all aspects required by the legislation, plus monitoring for a certain period of time or contracting by acts or phases, which can be a feasible idea when there is not enough cash available at the moment.
13. Relationships between the Data Protection Act, the Civil Internet Framework and the Positive Registration.
LGPD complements the legal scope of the Internet Civil Landmark with regard to rights and guarantees, such as freedom of expression, protection of online privacy and security of personal information.
The application of the Data Protection Law to relations between clients and companies tends to improve services, making them ethically sustainable and facilitating communication channels between all subjects involved.
Regarding the Positive Registration (Law no. 12,414/11), after the changes introduced by Complementary Law no. 166/2019 it will be necessary to be compatible with the LGPD, because in the operations of consultations to the databases of natural and legal persons there is a regular sharing of several personal information gathered from different sources (banking and credit data, from the IRS, from concessionaires, etc.) in a compulsory manner (all consumers are automatically in the registration), unless the consumer expresses otherwise.
Even if one imagines the positive aspects of the register, such as the availability of cheaper and more accessible credit, companies will have millions of personal data of citizens, with all the risks of exposures, leaks and potential committing illicit acts.
It is plausible to foresee the possibility of individual or collective demands before the ANPD and/or the Judiciary, based on the Consumer Defense Code, due to difficulties in exclusion, or even irregularities or violations of LGPD rules.
Conclusion | LGPD Brazil
Adapting to LGPD compliance and homeland regulation will be more than a necessity for all small, medium and large companies. A positive leap will be to resize their data operations, adding to the business and brand values of informational sustainability, ethics and transparency.
For users and customers it will mean the full exercise of informational self-determination about how their personal data is treated. Finally, Brazil will gain international reliability, showing the other nations that it treats its nationals’ personal data with seriousness and respect.
And have you understood everything about the Data Protection Law? What do you think about it?