Brazil’s recently enacted General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD), as is widely known, covers the safeguarding and treatment of data that identify, or can identify, an individual. Among personal data are, for example, the numbers of the identity card, taxpayer registration, driving license, labor record booklet, passport and voter card, as well as residential and commercial address, telephone, e-mail, cookies, IP address, photos, security camera images, fingerprints, and car license plate. The new Law does not cover the data of companies, such as trade secrets and other intellectual property, which are covered in other laws and regulations.
The part of the LGPD regarding the obligations of individuals and companies to protect personal data will take effect on August 16, 2020. Although there is increasing discussion about the subject, there are still many uncertainties regarding the Law. This has led, in summary, to two common reactions of companies, as observed in my professional practice. First, there are companies that interact with other companies or investors from foreign countries, which are already worried about adopting measures to comply with the LGPD. Second, there are firms that have not yet shown sufficient concern, due to the belief that treatment of data is not that important to their activities, with an impact basically restricted “only” to human resources matters, or even because they doubt there will be effective oversight of data protection. This second group also includes those that hope or bet that the date specified for the law to take effect will be delayed.
Although two years have passed since the publication of the Brazilian Law [1] on data privacy, recent surveys have shown that many companies are not yet prepared to face it [2]. That scenario cannot be attributed only to a supposed laxity of companies, and in this article I present some reasons why this matter should attract the attention and involvement of the decision-making bodies of companies, so that they can respond adequately.
#1 The date when the LGPD will take effect is not all that important
The first uncertainty surrounding the LGPD is the date it will take effect in its entirety. The entry into force of the LGPD was divided into two parts. The part that establishes the obligations of the government to operationalize the Law has been in force since December 28, 2018 [3]. This means that the rules are already in effect regarding the National Council for Protection of Personal Data and Privacy (CNPDP), a consultative body, and the National Data Protection Authority (ANPD), a guiding body with oversight competence, part of the federal executive branch [4].
In turn, the remainder of the Law, covering the obligations related to individuals and legal entities [5], is set to take effect 24 months after the Law’s publication.
Twenty-four months counted from publication of the LGPD will elapse on August 16, 2020, and this is the date considered to be the target by most companies for adjustment of their data treatment processes so as to comply with the Law. However, it is necessary to mention that two elements of uncertainty are hovering in the air. The first involves a legal question, namely the starting point of the 24-month interval, since there were modifications in the Law on December 28, 2018 with the publication of Provisional Measure 869/2018 (subsequently converted into Law 13,853/2019) [6], which gave new wording to Article 65 of the LGPD. According to this interpretation, the LGPD will take effect on December 29, 2020 [7]. The second element of uncertainty regarding when the Law will take effect is eminently political, and refers to Bill of Law 5,762/2019, which would extend the entry date for two more years, from August 2020 to August 2022 [8].
Notwithstanding these doubts about the date when the LGPD will enter force, caution recommends planning for all the adjustment measures to be concluded by August 2020. After all, it is necessary to consider the natural difficulties that can arise in a project of this magnitude, as well as the possibility that the ANPD, or more appropriately, the courts, will not clarify the matter in due course. A similar situation occurred with the Civil Procedure Code of 2015, in which jurists diverged regarding the time frame for effectiveness, and this was finally decided administratively by the Superior Tribunal of Justice [9] on the eve of the target date set forth in the new Code [10].
What I have been saying in my presentations and meetings on the subject is that data protection is already a reality [11], and that companies will suffer more the greater their resistance is to the implementation of a new culture for data protection. The set of rules already in force, which cover the protection and rights of internet users, workers and consumers, already authorizes the respective oversight bodies to act to protect these rights, both in the individual sphere and in collective actions. For example, the consumer protection agencies, public prosecution offices and courts of various Brazilian states have already taken initiatives on the subject, signaling the incorporation of this agenda and the risk of penalties and damage awards against companies for inadequate data protection, insufficient information to users and transparency. These initiatives are strongly based on protective principles, revealing a trend already seen, including in other countries, of classifying data protection among the fundamental constitutional guarantees of human beings [12].
Thus, considering the number of administrative and judicial instances of the three levels of government in Brazil [13], I am on the side of those who urge caution and immediate action, because the entry into force of the LGPD, in the final analysis, will not make that great a difference to the scenario of exposure already faced by companies. The differences of exposure, or associated degrees of risk, have more to do with the type of business and the data processes within the company than the date when the LGPD will take effect.
#2 The ANPD might not be the greatest cause of concern
The LGPD determines that the ANPD is the body of the public administration responsible for vouching for, implementing and overseeing compliance with its rules throughout the country [14]. Some companies believe that the federal government’s delay in starting the effective operation of the ANPD will benefit them. Hence, there are risky bets in the sense that the oversight authority, at least in the first months after the Law takes effect, will not be ready to exercise its powers and to penalize companies.
On the other hand, all data owners, i.e., all individuals, are the holders of a subjective right to obtain information about the treatment of their data by companies. This means that lawsuits and administrative complaints about data treatment, as is the case of labor and consumer claims, can be filed by individuals in the competent instances.
Since the Federal Constitution assures that all are entitled to access the courts to obtain protection against threats to or injury of rights [15], there is no obligation or legal requirement for the owners of data to begin complaints or exhaust all remedies in the administrative sphere before seeking recourse to the judiciary. Therefore, the activity of the ANPD will not have a practical effect on the level of exposure of companies to the risk of demands involving questions of the protection and treatment of data.
#3 The reversal of the burden of proof requires companies to be prepared
According to the LGPD [16][17][18], if there is a dispute involving the treatment of data, the companies (either as controllers of the data or operators of the data treatment) have the burden of proving they acted correctly, or at least adopted sufficient measures to safeguard the personal data [19]. The parallel with the rules on diffuse rights, such as environmental and consumer protection, is inevitable. Therefore, once again I believe that the date the Law will take effect has relativized importance, in light of the existence of other laws that can apply to a situation involving exposure of data, depending on the case.
Furthermore, the current Civil Procedure Code, in effect since 2016, already establishes that when it is extremely difficult for one of the parties to produce evidence, the judge can dynamically reverse the burden of proof [20].
In practice, the existence of these other rules indicates the need for companies to keep track of their data flows (mapping), and evaluate what reasonable protection measures need to be implemented or improved, based on a multidisciplinary diagnosis. This means establishing an ongoing cycle of review and improvement, as already occurs in the audit rounds and processes for compliance monitoring. These measures can protect firms from penalties, or attenuate those applied, and also enable faster and more assertive replies to people who request information about the treatment of their data.
#4 (Bonus) A reason not to despair
A surprising aspect of the LGPD is that its application is so broad, possibly impacting all the segments and sectors of companies, that compliance may initially appear to be virtually impossible to attain. Hence, questions arise regarding how best to abide by it.
Besides the three reasons described above why the topic should be included in the agenda of actions and strategic planning for 2020 and thereafter, there is at least one reason to act without despair, or to avoid the paralysis that not infrequently emerges in the face of huge challenges: sufficient adjustment is possible! In other words, I believe that there is still time to achieve a satisfactory level of compliance with the rules on data privacy by August 2020, whether or not the LGPD is in full force.
Without losing sight that the cultural transformation of the company may be more or less difficult, but is always a process that deserves permanent attention, there are some practical steps that can be adopted, or planned, now.
The first step is to obtain the involvement of the top executives, by sensitizing them to the main legal obligations, current and future.
The second step can be the designation of a multidisciplinary team, guided by people from the legal, technology and process departments, to be responsible, at the outset, for evaluating the resources the company has at hand for this undertaking. It is not rare for companies to discover after the mapping is started that they do not have sufficient people to carry out this task, leaving this initial endeavor with “blind spots” that will only be exposed later. Another common mistake is to believe that magic software exists that will resolve all the adjustment problems, and that the LGPD is a topic exclusive to the informatics people (information technology sector).
The third step would be to designate a person to be in charge of managing the project and communicating between interested parties. Although the formal designation of a data protection officer will only be required when the LGPD takes effect, it is wise to define someone to assume this responsibility beforehand. This person should have good knowledge about the people, processes and technology of the company, enabling the learning curve and assumption of management of the project to occur smoothly.
Therefore, the time is ripe to start mapping the data, which will make possible not only the preparation of future measures, but also subsequently help define the company’s levels of exposure and prioritize the most relevant measures. Here a caveat is in order: the mere translation or adaptation of the company’s existing privacy policy is not sufficient to protect personal data. Instead it is necessary to establish a privacy policy oriented by default and suitable to the company’s business, so that data protection is considered in all the firm’s products and services, with redesign when necessary (privacy by design).
In conclusion, the steps mentioned above are only general, so they may not apply to all companies. The pertinent measures can be detailed and divided into other actions, and planned to be more adherent to each reality. As the saying goes, there is no magic recipe, but action is needed.
______________
1 Law 13,709 of August 14, 2018.
2 Click here.
3 LGPD. Art 65. This Law takes effect:
I – on December 28, 2018, regarding Arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A and 58-B; (Wording given by Law 13,853 of 2019).
4 At present, the appointment of the members of the Board of Directors of the ANPD is pending.
5 Art. 65. This Law takes effect:
I – on December 28, 2018, regarding Arts. 55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A and 58-B; and
II - 24 (twenty-four) months after the date of its publication regarding the other articles.
6 Provisional measures (medidas provisórias) are presidential decrees that take immediate effect with status of ordinary law, but then are subject to congressional approval/rejection/amendment, under a priority regime.
7 BRUNA, Sergio Varela. A LINDB e a entrada em vigor da Lei de Proteção de Dados
Quando entrará em vigor a LGPD?
8 The proposal is under consideration in the Chamber of Deputies. If approved, it will be sent to the Senate for action, and if approved there, it will be subject to presidential acceptance or veto (entirely or only some items). Available at: click here.
9 The Superior Tribunal de Justiça (STJ) is the highest court for non-constitutional matters, with responsibility for harmonizing interpretation of federal laws by the state and regional federal courts of appeal.
10 Enunciation approved by the Superior Tribunal of Justice, sitting en banc, on March 2, 2016.
Administrative enunciation 1: The Plenary of the STJ, at an administrative session in which it interpreted Art. 1045 of the new Civil Procedure Code, decided unanimously that the Civil Procedure Code enacted via Law 13,105/2015 shall take effect on March 18, 2016.
11 Click here.
12 Proposed Constitutional Amendment 17/19 would include personal data, including in digital form, on the list of individual guarantees of the Federal Constitution of 1988. The text has already been approved by the Senate and is now waiting for deliberation by the Chamber of Deputies. Click here.
13 Brazil is a federative republic, formed by the Union and 26 federated states, 5,570 municipalities and the Federal District.
14 LGPD, Art. 5, XIX.
15 Federal Constitution, Art. 5º, numeral XXXV – the law shall not exclude consideration by the Judicial Branch of injury or threat to rights.
16 LGPD, Art. 8. The consent specified in numeral I of Art. 7 of this Law must be provided in writing or by other means that demonstrates the manifestation of will of the owner. (...)
§ 2. The controller has the burden of proving that the consent was obtained in conformity with the provisions of this Law.
17 LGPD, Art. 46. The controller or operator that, due to engagement in the activity of treating personal data, causes pecuniary or moral damage, individual or collective, to another party in violation of the legislation on protection of personal data, shall be obliged to repair it. (...)
§ 2. The judge, in a civil proceeding, may reverse the burden of proof in favor of the owner of the data when, at his/her judgment, the allegation is plausible, there is relative weakness of the party for purposes of production of evidence, or when the production of evidence by the owner results in an excessive burden.
18 Art. 43. The data treatment agents shall only be held liable when it is proved:
I – that they did not perform the treatment of personal data attributed to them;
II – that although they did perform the treatment of personal data attributed to them, there was no violation of the legislation on protection of data; or
III – that the damage results from the exclusive blame of the owner of the data or a third party.
19 LGPD, Art. 46. The data treatment agents must adopt security, technical and administrative measures able to protect the personal data from unauthorized accesses and accidental or illicit situations of destruction, loss, alteration, communication, or any form of inadequate or illicit treatment.
20 CPC, Art. 373. The burden of proof rests:
I – on the plaintiff, regarding the facts constituting his right;
II – on the defendant, regarding the existence of a fact that impedes, modifies or extinguishes the right of the plaintiff.
§ 1. In the cases set forth in law or in the presence of peculiarities of the case related to the impossibility or excessive difficulty of complying with the burden under the terms of the main section, or the greater facility of obtaining evidence of a contrary fact, the judge may attribute the burden of proof in another form, provided this is done by a grounded decision, in which case the other party must be given the opportunity to escape from the burden of proof attributed thereto.
______________
*Ana Carolina F. de Melo Brito is a partner and data protection officer with Trigueiro Fontes Advogados, responsible for the diffuse rights practice area (environmental, consumer and digital law), and a member of the National Association of Data Protection Professionals (ANPPD®).
