Introduction
Law No. 13,709/2018, the General Data Protection Law (“LGPD”), published on August 15, 2018, established the legal framework for the protection of personal data in Brazil.
The scope of LGPD is as broad as possible, since it applies to anyone who processes personal data in the situations provided for in the law, including certain individuals, public authorities and domestic and foreign legal entities acting in the most diverse segments of society, in both the physical and virtual environments.
Due to its scope, LGPD will require a general effort from the most diverse sectors of the economy to adapt to the new legal requirements. The adaptation effort should be greater for sectors that were not subject to the rules of Law No. 12,965/2014 (“Internet Law”), which is a precursor to LGPD in several respects. LGPD enters into force 18 months after the date of its publication, which should provide a reasonable time to adapt to the new law.
LGPD used, to a large extent, the definitions of personal data and personal data processing provided in Decree No. 8.771/2016, which regulated the Internet Law.
Thus, LGPD defines “personal data” as information related to an identified or identifiable individual and “processing” as the data collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control activities, or personal data modification, communication, transfer, dissemination or extraction.
LGPD also defined “sensitive personal data” as the personal data on racial or ethnic origin, religious belief, political opinion, trade union membership or organization of a religious, philosophical or political nature, health or sexual life data, genetic or biometric data, when linked to an individual.
LGPD applies to the processing of personal data that somehow has points of contact with Brazil. In this sense, its Article 3 provides for the following situations: (i) processing performed in Brazil; (ii) processing aimed at offering or supplying goods or services in Brazil; (iii) processing involving data from individuals located in Brazil; or (iv) personal data subject to processing collected in Brazil.
On the other hand, LGPD does not apply to the processing of personal data carried out exclusively for: (i) private and non-economic purposes; (ii) journalistic, artistic or academic purposes; and (iii) public security, national defense, state security or criminal investigation and prosecution activities. It also does not apply to personal data originating outside Brazil that is not the object of communication, shared use with Brazilian processing agents or international transfer to a country other than that of origin, provided that the country of origin affords a degree of personal data protection adequate to that provided for in LGPD.
Relevant Parties
LGPD applies to three relevant parties in the personal data processing relationship: on one side there is the data “holder”, an individual whose personal data is protected under LGPD; on the other side there is the “controller”, an individual or legal entity who makes the decisions regarding data processing, and, therefore, has greater liability under LGPD; and the “operator”, an individual or legal entity who performs any processing activity on behalf of the controller.
Object
The personal data processing, as a general rule, is permitted in ten (10) different hypotheses listed in Article 7 of LGPD. Processing based on free, informed, unambiguous and specific consent of the holder of the personal data is only one of these hypotheses.
Processing is also permitted: (i) to comply with the controller’s legal or regulatory obligations; (ii) by public authorities, for the processing and shared use of data required for the execution of public policies provided for in laws and regulations or backed by contracts, agreements or similar instruments; (iii) to carry out studies by a research body, ensuring, wherever possible, the anonymization of personal data; (iv) when necessary for the performance of a contract or preliminary procedures related to a contract to which the data holder is a party, at the request of the data holder; (v) for the regular exercise of rights in judicial, administrative or arbitration proceedings; (vi) for the protection of the life or physical safety of the data holder or a third party; (vii) for health protection, in a procedure performed by health professionals or health entities; (viii) for the protection of credit, including under the provisions of the applicable laws; and (ix) when necessary to meet the legitimate interests of the controller or a third party, except where the data holder’s fundamental rights and freedoms that require the protection of personal data prevail.
This last processing case (to meet the legitimate interests of the controller) is the most controversial hypothesis for data processing under LGPD. The concept of “legitimate interest of the controller” involves a certain level of subjectivity and must be determined based on the particularities of each specific case. Thus, the limits of this concept are likely to be determined over the years, based on case law and legal doctrine.
It should also be noted that LGPD does not allow the processing of sensitive personal data based on the “legitimate interest of the controller”, granting greater protection to data of this nature.
Liability
The controller and the operator are liable for material, moral, individual or collective damages caused by the processing of personal data in violation of LGPD. The operator is jointly liable for damages resulting from non-compliance with LGPD or any failure to follow the controller’s instructions.
The new law provides that the controller and the operator are exempt from liability only when they prove that (i) they did not process the personal data in question; (ii) although they processed the personal data in question, there was no violation of the data protection law; or (iii) the damage was caused by the exclusive fault of the data holder or of third parties. LGPD also establishes cases in which the court may reverse the burden of proof in civil proceedings.
In case of violations of the data holder’s rights associated with consumer relations, the provisions of Law No. 8.078 of September 11, 1990 (the Consumer Protection Code) on liability should be applied.
In case of a security incident involving personal data, the controller shall report the fact to the national authority within a reasonable period of time, although LGPD does not set a specific deadline for doing so.
Administrative Sanctions
In the administrative sphere, the sanctions applicable in case of breach of LGPD are: (i) a warning, with a reasonable time for remediation; (ii) a fine of up to 2% of the revenues of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in aggregate, to BRL 50 million per breach; (iii) a daily fine, subject to the same limit; (iv) public disclosure of the breach after confirmation of its occurrence; (v) blocking of the personal data to which the breach relates until its regularization; and (vi) deletion of the personal data to which the breach relates.
Presidential Vetoes
Certain provisions of LGPD’s original bill were vetoed by the Brazilian president, including: (i) certain prohibitions on the sharing of data by the Public Administration; (ii) certain administrative sanctions that provided for the suspension of databases, as well as the suspension or prohibition of data processing; and (iii) the creation of the National Data Protection Authority (“ANPD”).
Prohibition on data sharing within the Public Administration and the duty of the Public Administration to make public all data sharing carried out were vetoed on the grounds that data sharing is a recurring activity essential for the regular exercise of several public activities and, further, that the unrestricted publicity of data sharing among public bodies and entities would make certain activities (such as investigations, audits and policing) impracticable.
Regarding the vetoed administrative sanctions mentioned above, the veto was justified on the grounds that these sanctions could create a high level of insecurity and could hinder the use of databases that are indispensable to certain activities, in particular to the national financial system.
Finally, the creation of ANPD, an independent government authority linked to the Ministry of Justice, with the purpose of applying sanctions, supervising and issuing rules for the national data protection policy, was vetoed on the ground of unconstitutionality at the origin, since the creation of this type of government authority is subject to the exclusive initiative of the Head of the Executive Branch and requires a specific law. The expectation, however, is that the Head of the Executive Branch will issue a rule creating the aforementioned independent government entity.
This publication is provided by our firm to clients and colleagues. The information contained herein should not be construed as legal advice or legal opinion by our law firm. Questions related to this publication may be directed to our lawyers listed below.
By:
Marcelo Padua Lima, Renato Moraes, Aaron Papa de Morais and Vinicius Venancio Costa