Brazil’s Best Counsel 2022 - Chapter Opening: Data Protection
Data Protection in Brazil
In 2020, the coronavirus (Covid-19) pandemic changed the way in which people connect, making technology and data more important in both personal and professional relationships. This development also heightened the need to regulate certain aspects of communication in Brazil. With the Brazilian Data Protection Regulation (Law No. 13,709/2018, hereafter the LGPD) now in effect and enforced by the Data Protection Authority, the country remains more prepared than ever to handle privacy and data protection matters in an effective manner.
The LGPD had a rough path to approval by the Brazilian Congress and President, complicated by political divisions that the coronavirus exacerbated.
The LGPD was enacted in August 2018 with a few sections vetoed, such as the creation of a Brazilian Data Protection Authority (ANPD). In December 2018, Provisional Measure No. 869/2018 (PM 869) was implemented, which created the ANPD and modified a few aspects of the original text, including the LGPD’s delayed start date of August 2020.
Following additional legislative action, the application of administrative sanctions was postponed to August 2021 so as to offer more time for the ANPD and private companies to adapt without being penalized. By September 2020, the LGPD was in effect, backed by administrative sanctions since August 2021.
Despite this progress, the Brazilian Congress continues to analyze a proposed constitutional amendment that would classify data protection as a fundamental right.
Now-Operational Data Protection Authority
While created as part of the LGPD, the ANPD began operating after the appointment of its Board of Directors in November 2020. Since then, it has undertaken the following:
a) Approval of its 2021-2022 regulatory agenda, specifically: (i) drafting of internal regulations; (ii) strategic planning; (iii) specific rules for data protection at small- and medium-sized companies; (iv) guidelines on data subject rights; (v) specific rules for applying administrative penalties; (vi) notice of data incidents and deadlines for providing official notification; (vii) specific rules for Data Protection Impact Assessment (DPIA); (viii) definition and functions of the data protection officer (DPO); (ix) definition and rules governing international data transfer; and (x) an assessment of the legal basis for data processing;
b) Disclosure of the ANPD’s internal regulations and strategic planning;
c) Appointment of representatives to the Brazilian Council for Data Protection of Personal Data and Privacy;
d) Public discussions of specific rules for small- and medium-sized companies and DPIA structure;
e) Partnership with other institutions, such as the Brazilian Network Information Center (NIC.BR) to launch a Security Guidebook and the National Consumer Protection Secretariat (SENACON) for a Guidebook on Data Protection for Consumers; and
f) Review of measures directed at specific industries, including discussions with pharmaceutical associations.
The ANPD’s stated goal remains to educate and collaborate. At these initial stages, it seems more intent on solidifying the most important aspects of data protection than on applying penalties. However, other entities such as the National Consumer Protection Secretariat (SENACON), the Consumer Protection Association (PROCON) and the National Telecommunications Agency (ANATEL) also exercise regulatory functions by overseeing data protection issues and may choose to act more aggressively.
Besides individual claims, district attorneys may also initiate (and have brought) proceedings to investigate potential civil and criminal violations. Such cases begin at the prosecutor’s request and may culminate in a judicial proceeding.
While the ANPD appears committed to promoting a favorable business environment for companies, other entities (including the courts) already face mounting pressure from data subjects. Against this background, we recommend implementing LGPD compliance programs particularly geared to the following priorities:
i) Data processing based on purpose, adequacy, necessity, free access, quality, transparency, security, prevention, non-discrimination, liability and accountability;
ii) Consent not seen as the main legal basis, but rather as residual;
iii) Compliance with data subject rights, consisting of tools confirming the existence of data processing; access; correction; anonymization, blocking or deletion; portability; deletion of the data processed based on consent; information on data sharing; and information about the possibilities of denying consent and the consequences thereof, if requested;
iv) Data processing of sensitive data and minors’ data must be carried out with higher security standards;
v) Implementation of international transfer mechanisms;
vi) Various obligations, including preparation of Impact Reports and the appointment of a Data Protection Officer, among others.
In our experience, adopting and instituting these measures require time and dedication from companies, as well as participation from various company departments. Most important is the change in the data protection culture, since this is a relatively new subject in Brazil that might face considerable issues when being enforced internally.
Newly established rights under the LGPD allowed for numerous claims by data subjects alleging unlawful data processing by companies. In September 2020, shortly after the LGPD became effective, the São Paulo Court of Appeals issued its first LGPD-related decision, reversing a R$10,000 damage award. In doing so, the court found that the data subject had not submitted sufficient evidence to prove that the real estate company had illegally shared personal data. This decision demonstrates a proper balance of rights, application of the law, as well as good understanding by the State Court of São Paulo. However, companies should not assume similar results by other Brazilian courts, and instead should institute a comprehensive compliance program.
Following a credit bureau leak in April 2021 affecting the personal data of approximately 200 million Brazilians, the Brazilian Consumer Protection Agency (PROCON) initiated an investigation, which is considered one of the most relevant personal data leak cases in Brazil. Once it receives additional information, PROCON will decide the case and whether to impose penalties in accordance with the Brazilian Consumer Protection Code.
What lies ahead
Companies in all sectors should continue to implement compliance measures, while promoting a culture of data protection and privacy. As the ANPD issues more specific regulations, companies should follow those developments and consider their potential impact on business.
About the Authors:
Claudio Barbosa: Senior Partner. Head of the Digital Law Team at Kasznar Leonardos. Head of the ABPI’s Data Protection Commission. LL.M. in International Law (USP). LL.M. in Intellectual Property Law (GWU Law School). S.J.D. in Commercial Law (USP).
Phone: +55 11 2122 6604
Aline Zinni: Senior Associate. LL.M. in Intellectual Property Law (GWU Law School). Post-Graduate Degree in Business Contracts (FGV/SP).
Phone: +55 11 2122 6610
Larissa Martins: Associate. Post-Graduate Degree in Intellectual Property (FGV/SP). Certificate of Completion of an intensive course on Data Protection (FGV/SP).
Phone: +55 11 2122 6634