Viva a revolução? Brazil’s new data protection regime

October 12, 2020

By Catherine Wycherley

As the LGPD finally came into effect last month, PrivSec Report explores the new law and the impact it could have on the Brazilian data protection ecosystem and culture.

The new Brazilian data protection law, Lei Geral de Proteção de Dados Pessoais, or “LGPD”, has received much recent attention on the global privacy stage. Passed in 2018 and uniting over 40 different statutes governing personal data in the country under one comprehensive mechanism, its entry into force was somewhat tumultuous in the final stretch. The law was eventually signed off by President Bolsonaro on 18 September 2020 after an initial delay and then an attempt to push implementation back until 31 December, which was overruled by the Senate.

Brazil has come late to the data protection field in some respects. While many Latin American countries followed the 1995 EU Directive with legislation – often consent-based with exceptions – of their own, Brazil for many years lacked such a law.

“For such a big market player… it was odd that Brazil didn’t have their own law,” says Camila Tobón, a Denver-based privacy and data security lawyer at Davis Graham & Stubbs LLP.

The country had a constitutional right to privacy for Brazilians and adhered to Habeas Data – a right for a subject to know what information about them is being held by the government and public sector agencies. Sectoral laws existed governing aspects of personal data, although these were “sometimes conflictive, marshy, without legal certainty”, according to a 2018 article for the International Association of Privacy Professionals.

In 2014, the government passed an Internet Bill of Rights, containing privacy protections online as well as dealing with issues such as net neutrality.

“People thought that that was going to maybe spur a comprehensive data protection law, but it still took a while longer,” says Tobón.

A culture of “freedom of expression” has undermined moves towards one of data protection, and fostered naivety among citizens in an environment of growing commercial big data use, in the eyes of Andrea Willemin, Chief Data Privacy Officer and international privacy lawyer at software developer Softplan. She recalls a time when she was even asked for her blood type on entry to a conference.

“Here, if you ask people for data, people give you data. It’s normal, for them it’s not something that you don’t have to say, it’s something that’s normal to give you all my data, here they are,” she says.

“People are starting to understand better about this change. And they are starting to say, oh no why do you want my data? … For me, it’s a revolution when I see someone asking why are you asking me about that? Because until now it was not something relevant and now it starts to be relevant for Brazilians. And it’s very nice.”

But why now?

The shadow of the European GDPR, and its implications for international trade, loom large.

“From a trade perspective and a commercial perspective, one of the main tests for data transfers, for whitelisting from the EU, is the adequacy test. So far only one country in the region has had an adequacy determination, and that’s Argentina. I think that if a country is going to come up with legislation, they should go for the adequacy, because then if their law is deemed adequate by the European Commission, they’re white-listed and you can transfer data freely from the EU to that country. So I think that anyone who now wants to pass legislation, have comprehensive privacy laws in their country, they’re probably looking at that adequacy and what kind of framework do they need to build in order to be able to achieve that adequacy determination,” says Tobón.

“I think for Brazil, maybe it worked out really well for them by waiting, because then the GDPR came out in 2016 and then there was time to 2018 when it took effect, and so Brazil was able to model their law on the GDPR.”


The LGPD itself is very similar to the GDPR in its privacy-preserving principles of accountability, transparency and data minimisation. Like the GDPR, it endows data subjects with rights and certain controls over their personal data, and contains a controller-processor dynamic, with the right to process data dependent on specified legal bases (of which consent is one) – although the LGPD has additional legal bases beyond those in the GDPR. The LGPD also has extra-territorial reach, bringing entities offering goods or services to Brazil within its scope.


There are some current issues, says Willemin, who points to the remaining power of credit agencies (protection of credit is a legal basis for processing data under the LGPD – unlike the GDPR). She also questions the extent to which the government itself would be subject to the new law:

“That’s not very clear, the limits of the government with the law, because the government try to be off the LGPD, so it’s very complicated. They started to do new instructions about data and tried to say that the data used for governmental purposes are not under LGPD. It’s a very big, a huge problem, for Brazil,” she says.

The elephant in the room, however, is the fact that the LGPD enforcement regime is not yet fully operational. A National Data Protection Authority (ANPD) has been created, but the administrative sanctions of the LGPD do not come into effect until August 2021.

“We can say that there will be an enforcement authority but the regulator, the main person who’s going to oversee, has not yet been appointed. And even though the law is now in effect, the fines don’t kick in until August of next year. So it gives time to set up the enforcement authority but that just means that if it’s set up between now and then, really the enforcement activity can’t begin until August of 2021, which is when the administrative fines kick in,” Tobón explains.

“Under the LGPD, the regulator has certain things that it can establish. For example, for data transfers, you can have standard contractual clauses, so the regulator is supposed to determine standard contractual clauses, the regulator is supposed to determine any countries that are deemed adequate, that type of thing. That obviously can’t happen until the regulator is set up.”


And, for Willemin, a question mark remains over the eventual independence of the ANPD, which is part of the government and linked to the office of the President. She believes that the aim is for the agency to remain this way initially, before becoming independent. But, for the moment, that is not the case.

Yet despite the lack of immediate administrative procedures – and therefore administrative fines – the Brazilian system also provides for recourse through litigation.

“Individuals with their constitutional right to privacy can sue companies, and then public prosecutors can also sue companies. So, it’s kind of a word of caution, that even though the regulator isn’t set up and fines aren’t available until next year, the rights that are contained in the LGPD can still be enforced through litigation in the courts,” says Tobón.

The first action over an alleged LGPD violation is already in progress, according to law firm McDermott Will & Emery reporting in Lexology, with a public civil suit filed by the Special Data Protection and Artificial Intelligence Unit of the Ministério Público do Distrito Federal e dos Territórios (MPDFT) against a data services company.

Such actions are a warning for organisations that might be tempted to sit back and wait until next year before taking the law seriously. But the real test of the LGPD’s mettle will ultimately come next year.

“Right now there’s the private enforcement that can happen, but until the regulator is up and running and until the regulator has the capabilities and the capacity and the legal ability to issue fines, that’s when you’re going to see whether the law really has teeth because then you have the regulator going after systematic practices that are harming consumers,” says Tobón.

“The true test of the law is going to happen once the regulator’s set up and can issue fines. So that’ll happen in the late summer of next year.”

“If companies hadn’t done anything yet, now’s the time to act, and if you have already a compliance programme in place and it’s GDPR focused, I think it’ll be easier to pivot than if it’s not GDPR-focused.”

Since the passing of the LGPD in 2018, companies have had lead time to implement compliance procedures, particularly as the law bears such similarities to the GDPR. But with this year’s global pandemic and the delays and turnarounds in bringing LGPD into effect, there remains the possibility that some could have been caught off guard, even if their implementation efforts were underway.

“The pandemic hit and everything just went crazy and companies were faced with things that they hadn’t foreseen that they would have to face, and so the legislature was like, well let’s postpone. And so there were attempts to postpone the implementation of the law. But then, the way that it just worked out, it happened really quick and from one day to the next, the law was in effect. So for companies that hadn’t done anything, that was sort of a surprise because they went from: Yes, we can foresee when the law is going to take effect to: Oh my gosh, it just took effect,” Tobón says, referencing the Senate’s decision to overrule more proposed delays, meaning that the law eventually came into effect in mid-September.


Willemin suspects that some organisations might have underestimated the extent of the changes that would have to be made.

“And now, what happen with the companies and with institutions is that they don’t believe that it’s really big as it is. They thought it was just something like, oh I need to adapt, or I need to read something here and it will be fine. And now that they are understanding that it’s not like that, and how huge is it, they are kind of crazy, because it’s very impressive the change that they needed to face off. For example, all institutions need to create new processes, they needed to change systems, they need to establish new policies – and to be in compliance with the LGPD is not easy because it’s not something traditional for the Brazilian culture. So everything here is brand new,” she says.

For SMEs that lack the internal governance structure to implement major changes and have been less affected by the GDPR, this could be particularly challenging.

“We need these new professionals, we need the judges who understand more about data protection, we need the prosecutors that understand more, lawyers that understand more about data protection, to create the environment to operate it. Even IT people here in Brazil, they understand a lot about data security, but not about data protection, and they all need to understand more about privacy by design and other engineering techniques to put in place new systems using data protection,” says Willemin.

“They are trying to professionalise more, spending more, creating more. But it takes time in this space. It’s normal.”

Whether other Latin American countries will choose this time to refresh their own data protection regimes remains to be seen, and even in Brazil there are issues still to iron out. But for data protection professionals like Willemin, these are exciting times.

“It’s really a revolution for Brazilian people. For me, I’m very happy to see this revolution and be in the middle of that. But it’s like a puzzle, because you have to elaborate different interactions now, because it’s something so brand new and so different for this population… But it’s very nice. It’s very nice for me – I’m very happy to be part of this moment here in Brazil.”

To hear more about privacy in Latin America, register for PrivSec Global on 30 November.