20 Sep INTRODUCTION TO BRAZILIAN GENERAL DATA PROTECTION LAW (“LGPD”)
What is it?
With the entry into force of the General Data Protection Regulation (“GDPR”) in the European Union in May 2018 and due to the international scandals related to the improper processing of personal data, on August 14, 2018, Brazil enacted the LGPD: this law provides for the processing of personal data, including by digital means, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of a natural person’s personality.
On the one hand, the LGPD is based on the principle of respect for privacy and the inviolability of intimacy, honor and image, while on the other hand, it also takes into account the economic and technological development, innovation, free initiative and free competition.
The LGPD must be applied, analyzed and studied considering these principles, otherwise the investments needed for Brazil to achieve the necessary technological advances – i.e. the use of Artificial Intelligence – shall be lost.
According to the LGPD, personal data means any information related to an identified or identifiable natural person. Examples of personal data are: first name, last name, age, address, e-mail address, ID, taxpayer ID/social security number, location data (such as GPS), internet protocol (IP) number and even some data collected through cookies or similar tools.
The LGPD also defines sensitive personal data as any personal data regarding racial origin or ethnicity, religious conviction, political opinion, affiliation to a trade union or to an organization of religious, philosophical or political character, data referring to health or sex life, genetic or biometric data, when linked to a natural person.
While it was enacted on August 14, 2018, the LGPD will only enter into force in August 2020. At that time, the LGPD will become part of a number of Brazilian rules which refer to data protection, such as the Federal Constitution, the Consumer Protection Code, the General Law on Telecommunications, Internet Civil Mark, and Access to Information Law, among others.
Will the LGPD apply to me?
The LGPD applies to any natural or legal person, under public or private law, who performs any treatment operation, regardless of the means, as long as (a) the treatment operation is performed in Brazil; (b) the treatment activity aims to offer or to provide goods or services or data treatment for individuals located in Brazil; or (c) the personal data that is the object of the treatment has been collected in Brazil.
The LGPD makes no distinction as to whom it applies; any and all companies, regardless of size, micro companies, startups, even individual businesspeople are subject to the LGPD.
Remember that treatment refers to the complete operation performed with personal data, such as those referring to collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, information evaluation or control, transferring, diffusion or extraction.
What should I do?
To answer this question, one must actually answer 2 (two) questions: (a) what risk are you willing to take in view of the type of data being treated; and (b) what will your role be in relation to the data treatment involved.
Regarding item (b) above, the LGPD determines that two agents of data treatment exist: the controller, a natural or legal person, from public or private law, who is responsible for making decisions regarding personal data treatment; and the operator, a natural or legal person, from public or private law, who performs the personal data treatment on behalf of the controller.
Under the LGPD, the controller has several responsibilities, including drafting a report on the impact of data protection, obtaining the owner’s consent, as well as communicating to the owner in cases where there is a change of purpose for the data treatment and handling.
In addition, both controller and operator must maintain a registry of treatment operations, indicating purpose, time and process deadline, safety, confidentiality and privacy, given consent, or reason for non-consent.
For such reasons, some practical advice about what to do and what not to do during the implementation of data protection compliance programs is important: (a) adopt a multidisciplinary committee for project monitoring, since all areas of the company must be in compliance; (b) have an in-house leader for project coordination; (c) guarantee support from legal, technological and data safety professionals; (d) guarantee a specific budget for the project; (e) observe sectorial aspects, that is, regulatory rules which may assist in the identification of the treatment basis; (f) establish a timetable; and (g) perform training sessions for all employees.
What happens if I do not comply with the LGPD?
The treatment agents are subject to the following administrative sanctions applicable by the national authority: (a) a warning, indicating the deadline for adoption of corrective measures; (b) a simple fine, up to 2% (two per cent) of the income of the private law legal person, group, or conglomerate in Brazil in the last fiscal year, excluding taxes, limited to a total of BRL R$ 50,000,000.00 (fifty million Reais) per infraction; (c) a daily fine limited to the value of item (b) above; (d) publication of the infraction after its occurrence has been duly verified and confirmed; (e) blockage of personal data related to the infraction until the issue is resolved; (f) deletion of the personal data to which the infraction relates.
In addition to administrative sanctions, non-compliance with the LGPD may result in blocking of M&A transactions, investment opportunities or participation in bidding processes.
All companies will face their own unique challenges with implementation and compliance. For that, the Kestener, Granja & Vieira Data Protection and Privacy team remains at your disposal for further clarification.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener, Granja & Vieira Advogados.
Amanda
Posted at 17:33h, 20 September
Great content. Very well explained.