Data Protection in Brazil
Privacy and data protection have been in the spotlight in Brazil for the past seven years, ever since sensitive Brazilian government documents were leaked by Edward Snowden in 2013. The first enacted regulation in the aftermath of the Snowden revelations was the Brazilian Internet Act (Law No. 12,965/2014), whose aim was to regulate the digital environment, but also provide data protection rules. Later, Law No. 13,709/2018 (Brazil’s General Data Protection Law), commonly called the LGPD, was enacted, triggering several developments which changed the data governance scenario for public and private entities in Brazil.
More recently, the coronavirus pandemic has also given rise to new discussions about data protection at Brazil’s Federal Congress, since Covid-19 has had a major impact on the world economy, politics and healthcare. Despite initial uncertainty concerning a possible delay over recent months, Brazil has now officially introduced a regulation devoted to data protection.
Entry into force
The LGPD was enacted in August 2018 with few sections vetoed, the most important of which was the creation of the Brazilian Data Protection Authority (ANPD). In December of the same year, Provisional Measure No. 869/2018 (PM 869) was enacted, which created the ANPD and modified a few aspects of the original text. PM 869 was approved in September 2019 and, at that point, the law was set to come into force in August 2020.
While waiting for effective measures implementing the ANPD in Brazil, the world was struck by the Covid-19 pandemic, which had considerable impact on the LGPD implementation, since the Government was worried about the capacity of companies to comply with the regulation (see footnote 1).
For this reason, in April 2020, President Jair Bolsonaro enacted an additional Provisional Measure No. 959/2020 (PM 959) regulating the governmental benefits to be granted during the pandemic and postponing the LGPD’s entry into force to May 3rd, 2020. PM 959 would also need to be approved by the House of Representatives and the Senate.
Subsequently, in May 2020, the Senate approved the Bill of Law No. 1,179/2020 postponing the applicability of the administrative sanctions set forth by the LGPD to August 2021. The main purpose was to grant the government more time to get the ANPD up and running and for private companies to adapt without being penalized.
Finally, in August 2020, the Senate rejected the section about the LGPD’s enforceability as of May 3rd, 2021, and PM 959 was sent back to the president for final ratification.
On September 18th, 2020, the president approved PM 959, but since the Senate had rejected the section about the enforceability date, the LGPD was in force from that date on.
Apart from the political issues that impacted the LGPD, the uncertainty about its enforceability date seems to be over. However, the ANPD’s launch is still pending.
It is important to mention at this point that a Proposal for Constitutional Amendment is currently being analyzed by the National Congress to incorporate data protection as a fundamental right in Brazil.
What about the Data Protection Authority?
To this date, the ANPD only exists formally. Decree No. 14,474/2020 approved its regimental structure and the nomination for public positions. Such approval was insufficient considering that the regulation is already in force and sanctions will soon be enforceable.
According to the LGPD, the authority has an essential role in the protection of personal data in Brazil, ranging from guidance to monitoring, and from regulation to enforcement. In addition, the LGPD has gaps of interpretation that should be addressed by the ANPD through specific regulation.
Since the authority is not yet operational and considering the significant amount of personal data being processed, the main regulators are currently the National Consumer Protection Secretariat (SENACON) and the Protection and Consumer Protection Foundation (PROCON). The National Telecommunications Agency (ANATEL) oversees data protection issues in the telecommunication services framework.
Particularly, public prosecutors may also initiate proceedings (they are already doing so) to investigate potential infringements in the civil and criminal spheres, in addition to individual claims. In such cases, an inquiry is initiated upon the prosecutor’s request, and the investigation may be followed by a judicial proceeding.
It is worth noting that if a lawsuit is filed, the court has no obligation to limit the compensation to be paid, in contrast to administrative sanctions, which vary from 2% of the revenue of a private company, group or conglomerate in Brazil for the preceding year, excluding taxes, and are limited to R$50 million (approximately $9.3 million) per infringement.
It is important to highlight that, once the ANPD is operational, it will have no powers to audit controllers or processors, but it will be able to request information through administrative proceedings and request the submission of Impact Reports.
Current scenario
The unexpected enforceability of the LGPD has put some pressure on companies which have not yet put a compliance project in place. Although the ANPD is still not acting as it should be, other Brazilian entities can now base their claims on LGPD provisions, and civil penalties may be applied.
Although data protection and privacy are not part of Brazilian culture, the LGPD brought important aspects, as highlighted below:
- Data processing should be based on main principles: purpose, adequacy, necessity, free access, quality, transparency, security, prevention, non-discrimination, liability and accountability;
- Consent should not be seen as the main legal basis, but as residual;
- Compliance with data subject rights: tools need to be made available to provide confirmation of the existence of the processing; access; correction; anonymization, blocking or deletion; portability; deletion of the data processed based on consent; information about data sharing; and information about the possibilities when denying consent and its consequences if requested;
- Data processing of sensitive data and minors’ data must be carried out with higher standards;
- Implementation of mechanisms for international transfer;
- Obligations to prepare Impact Reports and to name a Data Protection Officer, among others.
The implementation of such measures requires time and dedication from companies, and the involvement of different departments.
Recent decisions
There are still no relevant decisions based on LGPD provisions. However, the Superior Court of Justice (STJ) recently issued two decisions involving internet application providers. According to the court, such companies are only obliged to provide the IP information, upon a court order; any other information about users is considered excessive.
This decision has implications for many civil cases, which relied on the information provided by internet application providers to identify online infringers. The request for information is still possible; however, there is a boundary with respect to the information that must be shared by these companies in lawsuits.
Although the STJ does not mention the LGPD, such decisions are certainly related thereto, since the sharing of personal data for the purpose of judicial, administrative or arbitral defense is a valid legal basis (article 7, item VI, LGPD).
What to expect?
Now, sectors of the economy and private companies are racing to implement LGPD compliance projects, while waiting for the ANPD to be up and running.
Until this happens, legal decisions based on the LGPD and litigation by data subjects should swiftly materialize. Thus, companies should finalize the implementation of their compliance projects or, for the latecomers, begin identifying the riskiest data processing operations within their respective businesses.
Footnotes
1) According to research carried out by ICTS Protiviti, in November 2019, 84% of Brazilian companies had not implemented measures to comply with the LGPD.
ABOUT THE AUTHORS
Claudio Barbosa. Senior Partner. Head of the Digital Law Team of Kasznar Leonardos. Head of Data Protection Commission, ABPI. LLM in International Law from Universidade de São Paulo (USP); LL.M. in Intellectual Property Law, George Washington University Law School (GWU); S.J.D. in Commercial Law (USP).
E-mail: claudio.barbosa@kasznarleonardos.com Phone: +55 11 2122 6604
Aline Zinni. Senior Associate. LL.M. in Intellectual Property Law (GWU). Post-Graduate in Business Contracts from Fundação Getulio Vargas/SP (FGV/SP).
E-mail: aline.zinni@kasznarleonardos.com Phone: +55 11 2122 6610
Larissa Martins. Associate. Post-Graduate in Intellectual Property in FGV/SP; Short-term intensive course in Data Protection in FGV/SP.
E-mail: larissa.martins@kasznarleonardos.com Phone: +55 11 2122 6634