Brazil's Best Counsel 2023: Chapter Opening: Data Protection

The partner Claudio Barbosa and associates Aline Zinni and Fernanda Polloto, from the renowned law firm Kasznar Leonardos Advogados, talks about Data Protection

Posté le vendredi, mai 12 2023
Brazil's Best Counsel 2023: Chapter Opening:  Data Protection

In September 2022, the Brazilian Data Protection Law (Law No. 13,709/2018, hereafter the “LGPD”) completes 2 (two) years of effectiveness, after a rough path towards approval by the Brazilian Congress and President.

 

The past two years have brought substantial changes to Brazilian society, including increased awareness of the dangers of providing one’s personal data at public and private establishments. This cultural shift is now bolstered by ongoing recommendations and technical notes offered by the Brazilian Data Protection Authority (“ANPD”).

 

Now-Operative ANPD

 

While created as part of the LGPD, the ANPD began its operations following the appointment of its Board of Directors in November 2020. During its first year of activity, the ANPD sought internal consolidation, while strengthening partnerships with other institutions, such as the National Consumer Protection Secretariat (SENACON) and the Brazilian Network Information Center (NIC.br). In its second year, the ANPD has assumed a more active posture by publishing LGPD-related instructions, such as those outlined below:

 

  • Guidelines on Public Authorities’ Processing of Personal Data (1)
  • Guidelines on Definitions for Data Controllers and Data Protection Officers (DPOs)(2)
  • Terms of Use, Privacy Police and Cookies Policy on the gov.br site (3)
  • Regulatory Impact Analysis Report (4)
  • Subsidies for processing of high-risk personal data

 

In June 2022, Provisional Measure (MP) 1,124/22 was published, thereby transforming the ANPD into a special nature autarchy. With this change, the ANPD will no longer be temporary in nature, as originally established by LGPD art. 55-A §1, and will instead exercise autonomy on technical, decision-making and budgetary matters.

 

Despite its activities, the ANPD has not yet fined any companies for violating the LGPD, leaving this task to other government entities, such as SENACON, the Brazilian Consumer Protection Agency (“PROCON”) and the National Telecommunications Agency (“ANATEL”). The ANPD is currently seeking public feedback on a draft resolution to expand its authority to fine LGPD violators. Upon publishing the Resolution, the ANPD may soon begin levying the fines provided by the LGPD.

 

General Aspects of Privacy and Personal Data Protection

 

The impact of the LGPD was also reported by the United Nations, which, through its specialized telecommunications agency the International Telecommunication Union ("UIT"), released a new ranking of 194 countries surveyed on cybersecurity governance. In this ranking, Brazil improved 53 positions in the world, from 71st to 18th place. Among countries in the Americas, Brazil holds 3rd place, surpassed only by the U.S.A. and Canada.

 

The UIT's methodology for measuring the Global Index in tackling cyber risks takes into account five aspects: legal, technical, cooperative, organizational and capacity-building measures. The main objectives are to increase countries' awareness of cybersecurity, identify good practices and areas for improvement and share updated results.

 

This ranking demonstrates the positive impacts that the LGPD has brought to Brazil and continuous efforts to reach a higher level of protection for personal data subjects’ privacy.

 

Another important development area was ANATEL’s decision (based on Act 10,413/2021) (“Act”) to implement “prefix 0303”, as applicable to companies offering active telemarketing services. As blocking the use of “prefix 0303” remains a form of opt-out already in effect, a decision by a user to block the number must be respected in compliance with the Act. Companies not honoring opt-out requests may face ANPD and PROCON complaints submitted by personal data subjects, as well as lawsuits with claims for damages.

 

On February 14, 2022, Constitutional Amendment 115/2022 was enacted and listed the protection of personal data as a fundamental right. With this constitutional shift, Brazil has further strengthened its commitment to maintaining privacy through the LGPD. This development stands in contrast to other countries often still in the initial stages of implementing or overhauling privacy laws. Without a doubt, the LGPD has afforded Brazilians greater legal security by allowing them to assert or defend those enshrined rights more effectively.

 

LGPD in an Electoral Year

 

The second anniversary of the LGPD is also commemorated during a year of presidential elections in Brazil. Given the increased use of digital media, the LGPD may play a key role in curbing practices involving "fake news", "deep fakes" and mass email blasts, particularly when voters' personal data are at stake.

 

To that end, the Superior Electoral Court (TSE) and the ANPD have joined forces to publish guidelines entitled “Application of the Brazilian General Data Protection Law by Data Processing Agents in the Electoral Context”, which aim to instruct candidates, parties, and other electoral participants on applicable information security measures when handling voter data.

 

According to the LGPD, personal data for electoral campaign purposes must  meet a legal obligation, receive the data subject’s consent and follow a legitimate interest. Based thereon, it remains extremely important to describe the processing of personal data within established legal bases to avoid future complications.

 

Recent Decisions

 

The LGPD allows for several types of claims by data subjects alleging unlawful data processing by companies. In April 2022, a company was ordered to compensate its former employee for having leaked personal data found on the employee's medical certificate in a WhatsApp group. In the decision (5), the judge noted that the transfer of an employee’s medical information requires express authorization by the data subject, with the lack of authorization having violated that person’s right to privacy.

 

The aforementioned decision demonstrates a proper balance of rights, application of the law and correct understanding of the LGPD by the State Court of São Paulo.

 

In May 2022, a court in the State of Rio de Janeiro ordered a telemarketing company to compensate one of its customers for a LGPD violation (6). Having sent several marketing e-mails without the consumer’s consent, the company was required to exclude the e-mail address from its mailing list and pay R$2,000 to remedy the customer's pain and suffering.

 

What lies ahead

 

Companies in all sectors should continue to implement and adhere to compliance measures, while promoting a culture of data protection and privacy. As the ANPD issues increasingly specific regulations, companies should follow those developments and evaluate their potential impact on business

In September 2022, the Brazilian Data Protection Law (Law No. 13,709/2018, hereafter the “LGPD”) completes 2 (two) years of effectiveness, after a rough path towards approval by the Brazilian Congress and President.

 

The past two years have brought substantial changes to Brazilian society, including increased awareness of the dangers of providing one’s personal data at public and private establishments. This cultural shift is now bolstered by ongoing recommendations and technical notes offered by the Brazilian Data Protection Authority (“ANPD”).

 

AUTHORS:                                                                                                                             

Claudio Barbosa: Senior Partner, Head of the Digital Law Team at Kasznar Leonardos and Head of the Brazilian Intellectual Property Association (ABPI)’s Data Protection Commission, with an LL.M. in International Law (USP), an LL.M. in Intellectual Property Law (GWU Law School) and a S.J.D. in Commercial Law (USP)

Aline Zinni: Senior Associate with an LL.M. in Intellectual Property Law (GWU Law School) and a Post-Graduate Degree in Business Contracts (FGV/SP)

Fernanda Polloto: Associate

 

(1) Guia de tratamento de dados pessoais pelo poder público (www.gov.br)

(2) Guia de agentes de tratamento e encarregado (www.gov.br)

(3) Termo de uso, aviso de privacidade e cookies (www.gov.br)

(4) 2002-06-30 Air Reg Dosimetria (www.gov.br)

(5) Matter No. 0011249-22.2021.5.03.0092

(6) Matter No. 0812337-48.2021.8.19.0001