Data Protection in Brazil

The current legal framework for data protection in Brazil is complex; with more than 40 regulations in force addressing the subject directly or indirectly, some of which are very flexible while others strict. This scenario is challenging to businesses and users, as although most of such rules are sectorial, they cannot be interpreted separately. For instance, how to detach health and financial services from services provided over the Internet? It is in such sense that the General Personal Data Protection Law (“LGPD”), sanctioned on August 14th, 2018, has established a more concrete and harmonious scenario, aligned with economic, technological and innovation development objectives while guaranteeing the individual rights of data subjects. The LGPD will come into effect in February 2020. Such date may seem distant but, in fact there will be little time to adapt. Therefore, the sooner companies comply with the current rules and understand that anticipating future regulation is also a means of investment and gives them the competitive edge, the more advantages they will have in their markets.

What is Personal Data?

Based on the laws currently in effect in Brazil and also on international regulation, personal data may be considered all data that can identify a person directly or indirectly, such as name, Identity Card (RG), Taxpayer's CPF, addresses, cookies or information about a person, even if such information does not identify the person, such as medical data, financial, location, cultural data, or even that which can subject someone to certain practices, such as targeted advertising and directed content, or profiling and prediction methodologies. The concept of what is personal data defines when the law and its rules are applied.

Should I worry about Personal Data Protection?

Regardless of the sector you operate in, if there is processing of personal data, which includes gathering, storage, sharing, i.e., the whole data life-cycle until its disposal, then there is a need to comply with the laws related to personal data protection. For example, the Brazilian Law, regarded as “Marco Civil da Internet”, in force and effect since 2014, which applies to any and all services rendered over the Internet, sets clear rules and very rigid limitations on the gathering and use of personal data. On the other hand, the LGPD has a transversal application, both online and offline, affecting all sectors in Brazil and establishing more flexible, adequate and proportional rules for the processing of personal data.

If your company practices one of the activities listed below, be informed that there is a need to adapt to the laws related to the protection of personal data:

  • My company collect data from clients to send advertising and promote the business through e-mail marketing and targeted advertisements.YES
  • My company collect data through apps to offer products and services.YES
  • My company keeps employee data to process salary payments and help HR. YES
  • The service provided by my company analyzes clients’ behavior to suggest, to them, content based on their interest. YES
  • My company outsources the collection and storage of personal data to cut costs. YES

The New European General Data Protection Regulation (GDPR) and its impacts on Brazilian companies

The General Data Protection Regulation (GDPR) is the new regulation for the protection of personal data in the European Union, that will come into force on May 25, 2018. Although it is a European regulatory framework, any Brazilian company may be subject to it, as the limits of its jurisdiction have been drastically increased to also include those responsible for the processing of personal data, even far beyond the borders of the European Union."

Why regulate the use of Personal Data

Regulating the use of personal data in Brazil, by means of a General Law such as the one currently under discussion, may bring legal certainty to a landscape considered today as boggy and barren, with distinct concepts and conflicting rules that impact the limits of sectorial norms. The General Law of Data Protection brings harmony and balance to the use of personal data, fostering innovation, and contributing to economic and technological development in a data-driven society.

What are the objectives

Right to Privacy

Guaranteeing the right to privacy and the protection of the citizen personal data by allowing better control over their data through transparent and safe practices.

Clear rules for companies

Establishing clear rules on the collection, storage, processing and sharing of personal data by companies.

Promote development

Fostering the economic and technological development in a data-driven society.

Consumers' Right

Guaranteeing the free initiative, free competition and consumer protection.

Strengthen Confidence

Increasing confidence in a society upon collecting and using personal data.

Legal Certainty

Increasing legal reassurance as a whole in using and processing personal data.

What are the advantages

Unify rules

Single and harmonic rules on the use of personal data regardless of the sector in the economy.

Greater flexibility

Authorizing more flexible ways for the processing of personal data, such as legitimate interests, which consider a data-driven society in the Big Data era.

Cost Reduction

Reducing operational costs caused by systemic processing incompatibility made by different agents in addition to the fostering of a higher quality of the data in circulation within the ecosystem as a whole.

Adapting the rules to Brazil

Making Brazil able to process data originated from countries that require an adequate level of data protection, which can fundamentally foster information technology sectors.

Portability

Individuals may transfer their data from one service to another, thus increasing market competitiveness.

Impacts

In order to be compliant with the sectorial data protection regulations and the General Data Protection Law a number of changes are needed in the internal processes and, especially, in the data culture within companies, which can have a great impact on everybody, particularly in the operational costs involved.. At the same time, there will be a large number of new opportunities in the market, especially for companies succeeding in the adaptation procedures as well as for those that already follow internally universal personal data protection principles.

Financial

Nowadays, the financial sector is mainly subject to the rules of banking secrecy (Complementary Law 105/01), the Consumer Protection Code (Law 8,078/90) and the Credit Report Law (Law 12,414 / 2011). It is also under the supervision of the Central Bank of Brazil and the Securities Commission (CVM). Despite being a highly regulated sector, the rules still allow for wide liberality in the use of personal data.The Fintechs boom in the Brazilian market has made use of such liberality to use data in a more flexible manner when it comes to the application of Big Data, Artificial Intelligence, Business Intelligence and Machine Learning to its business models. Hence, this sector will be highly subject to major operational impacts when the LGPD has come into force. However, it will be provided with much more solid legal certainty than the one in force, mainly regarding the sharing of data and automated decisions, such as those related to the granting of credit and the creation of predictive models. Click here and learn more

Health

Despite the inherent sensitivity of health data, this sector lacks proper personal data protection rules, limited to regulations on sharing data between the private and public sector, consent to data gathering so as to include it into databases and electronic medical records, and confidentiality. Precision and diagnostic medicine are among the areas most heavily benefited from Big Data technologies, but by the same token, they may be highly impacted by the new rules and limitations imposed by the LGPD. Preparing in advance, especially by tailoring your procedures based on risk assessments, can be a great competitive advantage. Furthermore, areas such as E-Health and Telemedicine can widely benefit from a preventive approach. Click here and learn more

Marketing and Advertising

The digital advertising and marketing industry is perhaps one of the most impacted by the personal data protection laws, as their business models are based on the analysis of preference, online consumer behavior and the creation of predictive models. Today, they are subject to strict rules on consent and limitations upon the use of personal data as stated in the “Marco Civil of Internet”. Thus, it may be one of the sectors that benefits the most from the LGPD, as it establishes more fluid and harmonic rules that will bring fewer barriers to legitimate and proportional practices of profiling, rendering of targeted content, and the use of data for new purposes. Click here and learn more

Workplace

Today, in Brazil, an employee has no expectations of privacy in the workplace. The use of corporate devices can be monitored, but it is recommended that the employee be informed of such practice. This, however, this does not imply absence of privacy. There are limits, such as the prohibition of monitoring private accounts, including personal email and social networks. Prior to the LGPD, there were no rules limiting the use of employee data, such as the gathering by the employer of information on social networks to aggregate to the database of the Human Resources sectors, and even fewer prohibitions on the practice of sharing such data with stakeholders, such as curriculum companies. Pursuant to the LGPD, all the gathering of personal data must be clear, lawful and legitimate in purpose, thus its use cannot be obscure or prohibited. This is one of the sectors that will benefit from the LGPD, since various activities such as labor outsourcing to other countries due to procedures related to international data transfer will be facilitated by the existence of a specific regulation on the matter. Click here and learn more

Other Sectors

All sectors dealing with personal data are and will be reached, whether online or offline, since the LGPD is applicable in both cases. The educational sector, consumer goods, daily services with no distinction. However, perhaps the most impacted are the developers and suppliers of information technology, whose performance is in all sectors. Nevertheless, they may be the most likely to adapt to new rules, as they are already used to international information security standards and privacy protection. Click here and learn more

Data has long been an important part of the economy. Through data-intensive technologies, it was possible to create innovative products and business models, as well as make headway in research fields such as artificial intelligence and machine learning.

On the other hand, companies are poorly prepared to deal with information security issues, protection of their intangible assets and protection of personal data. This scenario presents insecurity to users, greatly affecting competition.

It is important to note that the new General Data Protection Law does not make legitimate business models impossible. Conversely, the LGPD provides more legal grounds that authorize and enable personal data processing. The biggest challenge now is the adaptation time, i.e. the period between the implementation of the law and its entry into force in February 2020.

Why and how should companies be prepared

Protection of personal data and information security should, and can, be seen not as a cost, but as a competitive advantage, a market differential. In a time of major information leaks and scandals over data misuse, adapting to clear, transparent and harmonic rules can restore or increase the consumer confidence in companies and the market.

WHY?

Adaptation time

Companies will have to adapt to the General Data Protection Law before February 2020, when the LGPD enters into force. This means that the adaptation time may be short due to the amount of changes needed.

Preparation

The earlier companies get prepared, the better they will be when the new law comes into full force and effect.

Competitive advantage

While the rest of the market will be rushing to adapt, anyone who anticipates the changes may already offer their services and products more adequately and efficiently.

Reputation

Protecting the privacy and personal data of consumers and employees is paramount to build an image of trust. The capacity to transmit security, anticipate risks and manage occasional problems may affect companies’ reputation.

HOW?

Getting ready in advance

Comply with the current rules, anticipate the regulatory demands, and getting prepared based on existing data protection principles and rules and on those that will not change, in addition to adopting the best practices of countries that influence the future Brazilian law. This will be a competitive advantage when everyone else is still striving for adaptation.

Perform Privacy Impact Assessment - PIA

Privacy Impact Assessment (PIA) is a methodology used to identify risks to privacy and the protection of personal data by means of data mapping and analysis of the company processes, in order to adapt them to the best practices and regulatory obligations.

Privacy program

Based on the results of the PIA, establishing and implementing a privacy program that should consider designing and implementing solutions and processes to address the identified risks and areas of non-compliance and conduct awareness and training actions.

Maintenance

Periodically conducting new privacy assessments and ensuring that new risks are identified and addressed in a timely manner

Incident response

In a crisis, companies are judged by their stakeholders not just by the incident itself, but by their response to the situation. Simulating potential data protection issues improves companies' ability to respond effectively to a crisis by protecting their reputation.

Participate in the discussions

Actively participating in discussions and debates on protection of personal data in Brazil. The bills are still under discussion and there is still room for proposal adjustments based on what went good and what went wrong in the domestic and international market.

The risks of of not complying with the laws

The LGPD seen in the molds of more than 100 countries in the world, the creation of an independent and autonomous National Authority for the Protection of Personal Data ("ANPD"), which would act as a regulatory agency with competence to oversee compliance with the law in all sectors, conducting investigations and imposing administrative penalties. As it turns out the devices created by the ANPD were vetoed at the time of the LGPD sanction. However, it's been promised that in the near future the ANPD is to be created. However, this does not prevent other bodies from conducting investigations to look into possible incidents involving personal data, such as the Public Prosecution Body. So, it is important to have the following penalties on the radar:


Penalty

Fines should be applied by the National Authority for the Protection of Personal Data, individually or cumulatively, according to the specific circumstances of the case and with the seriousness and nature of the infractions, the personal rights affected, the recurrence of an offense, the situation of the offender and the damages caused. The fines range from simple, up to 2% of the company or economic groups’ sales limited to R$ 50 million reais determined by penalty.

Publicity

Whenever information security incidents must be reported to the National Authority for the Protection of Personal Data and data subjects the Authority may determine the publication of the events, as a reminder and a means of prevention and punishment to those responsible for such data incident.

Exclusion

The National Authority for the Protection of Personal Data may determine the exclusion of the data related to the infraction by those responsible for its treatment as a form of punishment, so it is no longer used.

Suspension

In more serious cases, the National Authority for the Protection of Personal Data can determine the administrative suspension of all personal data operations regarding gathering, processing and suspension, which in many cases may imply the suspension of almost all company operations.

Reputation

Regardless of any administrative penalty, perhaps the hardest damage to a company is reputational, affecting its credibility to the market and society and loss of confidence. Once trust is lost, the cost and time to recover from such can be a lot greater than any secondary damage.