September 3, 2024
Glass Half Full or Half Empty: An Overview on the Brazilian Data Protection Landscape since its Hallmark Act
To read the article: O Estado de S. Paulo
The Brazilian General Data Protection Act (Law No. 13,709), given the acronym “LGPD” in Portuguese, was enacted in August 2018 and now reaches its 6th anniversary. It is undoubtedly the most significant milestone for data protection in the country.
The Act aims to protect the fundamental rights of privacy and freedom of individuals, establishing rules and principles on data processing for companies and organizations, both public and private, regardless of their size and scope. This covers any and all processing (e.g., collection, use, storage, sharing, international transfer, among other operations) of data directly or indirectly related to an individual.
Personal data can be classified as data directly linked to an individual (e.g., email address, ID number, social security number, passport number, bank details, photos, biometrics, car license plate) or data that indirectly identifies the individual (e.g., consumption preferences, salary, job position, gender, age, location information). Some of these categories, such as health data, religious beliefs, political opinions or affiliation, biometrics, and data revealing racial or ethnic origin, are treated by the Act as sensitive personal data and are subject to stricter processing rules.
Since the LGPD was enacted, data protection has been recognized as a fundamental right by both the Federal Constitution and the Brazilian Supreme Court. These milestones raised awareness of the value of personal data and strengthened the individual's right to demand the proper and transparent use of their data by companies and institutions.
From the perspective of organizations (companies, public agencies, etc.), the LGPD is of utmost importance, as it has driven them to rethink how they handle personal data and to build efficient data governance and a more robust data protection culture. Companies have come to better understand the flow of data within their organization (employees, contractors, workers) and outside it (suppliers, regulatory agents, partners), as well as the importance of adopting a robust LGPD compliance program aimed at the transparent, secure, and appropriate processing of their consumers', employees', suppliers', and stakeholders' personal data.
Although inspired by the European Union's General Data Protection Regulation (GDPR), the Brazilian Act has its own nuances and differences. Unlike Europe, where data protection has been widely discussed at least since the 1995 Data Protection Directive (Directive 95/46/EC, which preceded the GDPR), Brazil still has a long way to go in maturing its data protection culture. Despite the advances, and even some awareness among companies of the advantages of adopting an LGPD compliance project, many have not yet given the issue appropriate attention, which usually leads to an inefficient, and sometimes insufficient, data protection program. An LGPD compliance project needs to be constantly reviewed and updated; ongoing training and audits, for instance, are indispensable.
In this still-arid terrain, lacking a solid data protection culture, one must also keep in mind the huge impact of the 2020 Covid-19 pandemic on the LGPD. At the time, we accelerated and then were suddenly told to hit the brakes. The need to monitor and control the spread of the virus highlighted the importance of the issue and brought additional challenges to personal data protection. The pandemic also increased our online activities and led to a complete shift: everything became remote. We experienced a true digital transformation, and the international market demanded that Brazil structure data protection policies compatible with international standards, requiring the country to create a safe and responsible environment for data protection and thereby increase its competitive advantage and consumer confidence in the security and transparency of personal data processing.
In this scenario, the LGPD's entry into force was postponed to August 2020; the National Data Protection Authority ("ANPD"), which also acts as a communication channel between data subjects and data controllers, helping to resolve conflicts and handle complaints, was created only in November 2020; and the administrative sanctions provided by the LGPD were postponed to August 1, 2021. Undoubtedly, the pandemic and the financial difficulty companies faced in investing in a robust LGPD compliance project affected the construction of a data protection culture in Brazil and, of course, prevented some companies from diving into an LGPD compliance project at all.
Only from August 1, 2021 did the ANPD gain the power to apply administrative sanctions, which include warnings; fines of up to 2% of the company's revenue in Brazil in the prior fiscal year, capped at R$ 50 million per administrative infraction; publicizing the infraction through the ANPD's media; blocking and deleting the personal data to which the infraction relates; partial or total suspension of database operations; and even partial or total prohibition of activities related to data processing.
Furthermore, the ANPD is not just a regulatory and supervisory body. Beyond being the guardian of the General Data Protection Act, the ANPD plays a fundamental role in disseminating guidelines and guides to educate companies and citizens on the application of the LGPD. The ANPD guides data controllers on the practices to be adopted to comply with the LGPD, through instruments such as the Regulation on Dosimetry and Application of Administrative Sanctions; the Technological Radar on Biometrics; the Regulation on Security Incident Communication; and, most recently, the Regulation on the Data Protection Officer, which establishes detailed rules on the role of the data protection officer, as well as the Public Consultation on the processing of children's and teenagers' data, which has been, above all, a social agenda.
The ANPD has taken several regulatory actions in the nearly four years since its establishment. The Authority's actions have led to significant progress in Brazil's data protection culture, which may be seen as the aforementioned glass half full, resulting from the serious work of the ANPD, which also maintains important relationships with authorities from other jurisdictions. From the perspective of supervision and application of sanctions to ensure compliance with the LGPD, however, Brazil's data protection landscape may represent the glass half empty: the first fine for an infraction was imposed only in July 2023, and some consider it insignificant, even taking into account the data controller in question (an individual entrepreneur).
In this sense, the Brazilian General Data Protection Act is still in its maturation phase. Several gaps and ongoing debates remain unsettled, notably on the following topics: international data transfer; data protection impact assessment; data subject rights; further detailing of the legal bases for personal data processing; processing of children's and teenagers' data; and how artificial intelligence (AI) will interact with personal data protection in Brazil, including whether the ANPD itself will be responsible for regulating and supervising AI. The coming years promise many more debates and regulations, and a constant need for companies to pay attention so that the compliance achieved in the numerous "compliance projects" carried out in recent years is not lost. The trend is for the glass to keep filling up, and soon we will have much more material for discussion, greater attention to the data protection culture in Brazil, and relevant judicial precedents on the subject.