Brazil’s General Data Protection Law (LGPD, its acronym in Portuguese) came into force on Friday after Brazilian President Jair Bolsonaro enacted it. From now on, companies and public and private institutions with operations in Brazil must comply with the law, which is similar to the data protection rules already in force in California and Europe.
LABS talked to Spencer Sydow, an expert in digital law and chairman of the Digital Law Commission at the Brazilian Bar Association (OAB) in São Paulo, to find out what the new rules change in terms of corporate responsibility. He explained that companies will have to tell users how the collected data will be used and for how long they will keep it, and will have to destroy the data once its purpose has been achieved.
The goal is to prevent companies from holding more information than their stated purposes require, and to prevent leaks of users’ personal information. “There is a widespread deviation in the usage of information that is collected by firms, an overstep,” says Sydow.
As an example, the expert describes a company whose contract terms state that it uses only credit card and purchase-preference information, but which in fact collects all of the user’s browsing data while the company’s web page is open. That practice allows the firm to sell the information to third parties. “This happens with virtually all major tech companies,” he says.
The new regulation requires a legal basis for the processing of personal data. Entities subject to the law cannot carry out operations on personal data (such as collecting, storing, and transferring it) unless they have a legal basis, such as the data subject’s consent or the processing being necessary to fulfill the legitimate interests of the controller or a third party. Sensitive data, such as political and religious beliefs and sexual orientation, among others, may only be collected when it is essential to the operation.
The law defines “consent” as the free, informed and unambiguous manifestation by which the data subject agrees to the processing of his or her personal data for a given purpose. Consent must be given in writing, in a clause that stands out from the other contractual clauses, or by other means that demonstrate the will of the data subject.
The law does not restrict the processing of data by individuals for exclusively private, non-economic purposes, processing for academic, artistic or journalistic purposes, or processing by the government for public security. In his column in Folha de São Paulo, Ronaldo Lemos, a lawyer specializing in digital law, a professor at the State University of Rio de Janeiro (UERJ) and a member of the Facebook Oversight Board, said that the Brazilian law expressly authorizes the use of data to protect life or physical safety, including that of third parties, without the need for prior consent.
Lemos and his team have published an English translation of the LGPD.
The law is in effect, but penalties will apply only next year
With the LGPD in place, companies will have to explain what data they capture and for what purpose, and, among other obligations, how they store that information and delete it once its purpose has been fulfilled. “This is a big impact. Companies will have to explain what they get, why they capture it, how long they keep this information, and they have to make sure that the user knows when this information will be erased, and the user can opt for these deletions,” says Sydow.
The National Data Protection Authority (ANPD), the agency responsible for guiding and supervising the application of the LGPD, was created by decree on August 26, 2020. Fines for those who do not comply with the rules, however, will only start to be applied in August 2021, according to Sydow. “This agency will have supervisory powers, it will determine how transparency is going to happen and it will make sure that data is erased when users request such erasures, among other duties.”
Implications for foreign companies
Foreign tech giants with branches in Brazil are fully subject to the law. Tech companies that operate in the country without a local office will also have to set up a way to inform the public and to be reachable by Brazilian officials, according to the expert.
According to Sydow, the Brazilian model of data protection law is even better than the American and European norms because it is more protective, since it demands a stated purpose, verification, and erasure of data, and more comprehensive, since it applies to foreign companies that process the data of Brazilians.
Article 33 of the LGPD regulates international transfers of personal data. In the absence of an adequacy decision, controllers must rely on other mechanisms, such as specific contractual clauses for a given transfer, standard contractual clauses, or binding corporate rules.
If companies do not comply with the law, article 52 provides, among other penalties, that they are subject to administrative sanctions by the Brazilian authority, including a fine of up to 2% of the company’s revenue in Brazil in its last fiscal year, capped at BRL 50 million (nearly $9.4 million) per infraction.
Marcel Leonardi, a lawyer and professor of digital law and data protection at GVLaw (the Fundação Getulio Vargas law graduate program), said in an interview with Nexo that companies will, for the first time, have to organize themselves to map what personal data they handle, an exercise that involves every area of a company, from human resources to customer service.
“There is structured personal data, organized in databases, but there is also data spread over documents and emails. Being able to separate all of it from non-personal data, which does not identify specific people, is part of this mapping. It is an operational challenge that requires big financial investment, both for employee training and technology acquisition,” he said.