Data-driven

Brazil’s data protection law, designed to provide a comprehensive legal framework, came into effect in August 2020 and will bring new challenges to companies and law firms as they help their clients navigate the new regulations. We spoke to prominent lawyers in Brazil who are experts in the IT, IP and data protection areas on the implications of the new legislation.

By Adam Critchley

Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD) comes into effect in August, as originally planned, following the Senate’s rejection of a proposed postponement in April as the COVID-19 pandemic took hold. Although the law takes effect this year, fines and sanctions for non-compliance will not be imposed until August 2021.

The law was designed along the lines of the European General Data Protection Regulation (GDPR). It establishes a set of rights that can be exercised by individuals, defines what is characterised as personal data, and sets out the legal bases for its lawful processing.

The law has been seen as overdue in a country of around 140 million internet users, making Brazil the fourth largest market in the world in number of users and the largest in Latin America, while the importance of data protection has been highlighted during the ongoing pandemic, with so many activities, from e-commerce and communication, to video conference and transactions now taking place online.

“We believe the LGPD is a milestone in Brazil’s data protection approach, as it is the first comprehensive data protection law in the country,” Pedro Ramos (pictured, left), a partner and head of the data protection practice at law firm Baptista Luz, says.

However, while the legislation is in place, the regulatory body that will oversee it, the Autoridade Nacional de Proteção de Dados, has yet to be created, which leaves the legislation rather toothless until that happens.

“The data protection authority still needs to be created, and fast, since we are less than one year away from the entry into force of the LGPD, and both private individuals and legal entities need to be provided with further guidelines and instructions on the data protection rules,” Ramos says.

As well as providing individuals and companies with a clear set of rights, the LGPD also obliges companies to appoint a data protection officer. But unlike its European counterpart, the law does not take into account the size or revenue of a company, but rather focuses on the information a company holds, and also exercises global jurisdiction. All companies will be subject to compliance with the LGPD when they process data within Brazilian territory, or the data of persons who are within Brazilian territory, irrespective of the location of the data processor, as will companies that process data collected in Brazil.

‘ROOM FOR IMPROVEMENT’

“The law was very much inspired by the [European] GDPR, although there are important differences,” according to Gabriela Paiva (pictured, left), a partner at law firm Trench Rossi Watanabe’s intellectual property and IT practice.

“Overall, the Brazilian law is much less detailed than the GDPR, delegating authority to the regulator to provide further details on many important aspects and implications of processing activities, such as the international transfer of personal data and circumstances when a Data Protection Officer need not be appointed,” she says.

“The new law is a positive development towards the protection of personal data, and it has been a valuable tool in strengthening an incipient culture of privacy since its enactment,” Paiva says.

“There is, nevertheless, room for improvement. For example, the preceding legislation was entirely consent-based, but during the law-making process the bill evolved and adopted a broader approach, allowing the processing of personal data based on any of ten possible legal bases, with consent being just one of them. However, there are still remains of that initial consent-based approach throughout the law, which may impact how the law is construed and enforced.”

In addition to consent being one of the legal bases for the lawful processing of data, the LGPD also stipulates compliance with regulatory obligations, the execution of public policies, contracts or similar instruments, the carrying out of research, the performance of judicial or arbitration procedures, the protection of the health of an individual, and the protection of credit as being the other bases upon which data is used. Under the new law, the act of processing personal or sensitive data must be documented from initial collection to termination, and it will be mandatory to have a description of what kind of data is collected, the retention time, the purpose of the collection and who that data can be shared with.

While that level of control and protection will be largely welcomed by individuals, particularly as consumers, who are more and more vulnerable to data breaches, the new law could prove more of a headache for corporations as the observance of the new rules could imply higher costs and risks of non-compliance, and they will have to find a way to comply in a smooth and efficient way.

“The LGPD will ultimately make companies conscious that personal data is exactly that, personal, and, most importantly, not up for grabs,” according to Raphael de Cunto (pictured, left), a partner in law firm Pinheiro Neto’s technology practice.

“If the companies want or need to handle personal data, then it must be done with care and under the rules of the new law. We are now seeing what happens to every law after its enactment: certain aspects do not fit the reality, or they cause distortion when applied to real situations. This just makes the role of the data protection authority more important,” De Cunto says.

The need for such a law has also been made more acute by the outbreak of the COVID-19 pandemic, which has hit Brazil particularly hard, with the second-highest death toll and number of confirmed cases after the US, with no sign of a slowdown of contagion.

“Data protection has gained special attention during the pandemic, since the processing of personal data, especially health data, has been an important tool to develop public health policies and determine preventive measures, such as imposing social distancing or using contact-tracing technology to fight the spread of the coronavirus,” according to Gabriela Paiva from Trench Rossi Watanabe. “Having a data protection law in force would assist companies in taking action consistently with the protection of personal data and privacy,” she says.

However, while the timing is perfect, the economic impact of the pandemic may mean that some companies will be reviewing their investment priorities, she says.

“And which in some cases means that implementation may be suspended or slowed down.”

And the negative economic impact of the pandemic and the subsequent shifting of companies’ priorities as they seek to weather the storm and trim the sails towards economic recovery follows the already uphill task of convincing companies of the importance of investing in compliance with the new law, she says.

“From a business perspective, initially, when the law was first published, in August, 2018, one of the biggest challenges was buy-in: convincing officers and boards that investment – not only financial, but also of time and human resources – in implementation was necessary due to the exposure to non-compliance that the law would bring,” Paiva says.

“Not only in terms of sanctions, but also in connection with the potential for litigation and reputational damage due to a failure to comply. Once the implementation project was approved, the next challenge was to secure proper team engagement, as the project can last from months to a couple of years and be very demanding,” she says in reference to the long preparation required to achieve compliance.

‘A CULTURE OF AWARENESS’

As with many new laws, the LGPD will likely imply teething troubles and a process of adaptation, and will even be unpopular in some quarters, as companies and directors become wary of compliance and make internal adjustments to ensure it, although many would agree that the timing is good.

“LGPD is not a law that was pushed by crowds in the streets, there was no popular claim for it, and yet, it came at the right moment, sponsored by several different stakeholders that embraced the idea that we would be better off having a discussion in Congress than a regulatory void that inevitably would cause each aspect of data protection to be fought in the trenches of the judicial system,” according to Pinheiro Neto’s Raphael de Cunto.

“Banking today is heavily data-driven for example. It needs legal certainty to thrive.” But imposing that legal certainty brings its challenges to those that will be subject to the new law, he says. “Probably to a great majority of clients, especially those Brazilian companies that were never exposed to data protection issues like multinationals, there will be several challenges,” De Cunto says. “Getting to understand the law, creating a new culture of awareness of data protection within the working environment, and perhaps even having to develop new business models in order to be LGPD-compliant. It’s similar to when companies had to wake up, but in a harder way then, to the need to build internal structures and practices to be in compliance with anti-corruption laws.”

And, according to Pedro Ramos of Baptista Luz, it is precisely that need to create a new culture of awareness that will be one of the first challenges for law firms’ clients to overcome.

“Brazil is a country newly introduced to the culture of data protection, therefore one of the main challenges the new law brings is the need to change the mindset of the local market about what privacy and data protection relate to, and how personal data should be processed,” Ramos says.

The same challenges among clients are anticipated by Rafael Pistono (pictured, left), the founder of Brazilian law firm CTA, which was recently integrated into Spanish firm ECIJA, marking the latter’s entry into the Brazilian market, at the same time as it entered Ecuador with the integration of GP&A González – Peñaherrera & Asociados Abogados.

“For the clients, the main challenges are to educate and raise awareness throughout the organization,” Pistono, who is a partner in CTA ECIJA’s TMT and privacy and personal data practice, says. “Do the mapping, inventory and recording of the personal data processing activities, assess the risks of the operation, keep up the monitoring and control of regulatory compliance, adjust contractual relationships with third parties to mitigate legal and regulatory risks, and develop a plan for incident assessment, response and remediation,” he says.

‘THE TIME IS NOW’

But despite the fact that penalties will not be imposed until after August 2021, companies must not delay their preparation for its enactment, even though this may now be hampered by the adverse economic effects of the pandemic, according to Pedro Ramos of Baptista Luz.

“We believe that the postponement of the law, at least for a short period, is a good idea, since, in addition to not yet having a functional data protection authority, the pandemic has significantly impacted business in Brazil,” he says.

“Companies, unfortunately, are unable to focus their efforts on conducting an adequacy program, due to the major financial and managerial impact.” “However, the postponement of the law does not mean that companies need to disregard the data protection rules. The time to conduct an adequacy program and implement a privacy governance program is now. It is, as we have said, a significant cultural change, and consequently changes the way work is perceived. Companies have to act fast and get their businesses in compliance with the data protection rules. That is important not only from a legal perspective, but also from a business perspective: we have noticed that clients respond better to, and have more confidence in, companies that market and disclose their privacy program,” Ramos says.

Time is also of the essence to ensure that the law becomes part of the national fabric, and people begin to use it and abide by it, according to Pinheiro Neto’s Raphael de Cunto. “I don’t particularly like having LGPD postponed. Especially in Brazil, it may create the unhealthy perception that ‘this law will not stick’, a euphemism for lack of enforcement,” he says.

But the priority is the creation of the regulatory body, the lawyers agree.

“Many aspects of the law have been left for the regulator to detail, but the regulator is not yet active,” Gabriela Paiva of Trench Rossi Watanabe says. “Consequently, companies are facing difficult decisions, choosing between the risks of not implementing the law, or implementing the law in a way that may not be how the regulator will construe it, and which could result in the need for new investments and further changes to the companies’ activities.”

“However, the Authority is not yet active, rendering many elements of the law unenforceable or, at least, questionable, and jeopardising an effective protection of privacy and personal data,” she says. “While the Data Protection Authority is not yet completed and in place, the uncertainty remains,” according to CTA ECIJA’s Rafael Pistono.

“The expectation is that the additional regulations that will be provided by the yet to be created regulator will bring more structure and provide guidance to the sector,” he says.

‘A WHOLE NEW LEGAL PRACTICE’

And despite the lack of a regulator to enforce the new law, law firms have already begun to see an increase in their workload, and a change in their clients’ demands.

“There is much demand among companies relating to the implementation of the law, and which includes conducting data mapping exercises, defining the legal bases for processing activities, reviewing data protection/privacy related documentation, as well as developing a data protection program for the company,” Trench Rossi Watanabe’s Gabriela Paiva says.

“I think we were already seeing a steady increase in work related to privacy as the economy and communications more and more turned online,” according to Pinheiro Neto’s Raphael de Cunto. “The LGPD itself was necessary given this shift from offline to online. But with the LGPD a whole new legal practice is already a reality.” “I believe the LGPD will generate different types of work,” he says. “There will be a first phase, where the basic need is to assist clients on how to adapt their business to the new rules, then we will see a wave of issues arising out of compliance with the law when it enters into force. The work will both be on the consulting and on the litigation side.”

“The increase in work due to the LGPD is already a reality in the market,” Baptista Luz’s Pedro Ramos says, and in which the challenge, he says, is “interpreting and suggesting recommendations to our clients without the widely anticipated guidelines from the data protection authority.”

adam.critchley@iberianlegalgroup.com
