The European GDPR (General Data Protection Regulation) has brought the importance of privacy legislation into public consciousness all over the world. Prompted by increasing privacy concerns about Big Tech (Facebook, Google, Apple etc.) shamelessly impinging on user privacy, the drafting of GDPR soon inspired other countries to follow with their own data protection laws. The US followed with the CCPA, Australia with its Privacy Amendment, Japan with an amendment to its Act on the Protection of Personal Information, as well as Thailand, South Korea, Canada, and others.
The most recent of such GDPR-inspired laws is the Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais (LGPD). Set to take effect in August 2020, the LGPD is expected to streamline and unify the fragmented privacy laws in Brazil, which are currently spread across some 40 legal statutes that govern data protection in the country on an industry-by-industry basis.
This article briefly outlines the main points of the law, its differences from GDPR, and issues pertaining to the enforcement and governance of the LGPD. Much of what follows was co-authored by Mr. Leandro Chahde, a Brazilian Advocate at Advogado Zona Norte who is directly familiar with the LGPD.
Who Does the LGPD Apply To?
Like GDPR, the LGPD applies to any individual located in Brazil regardless of nationality. This means that any company or website anywhere in the world that processes the data of an individual living in Brazil must comply with the LGPD. The extraterritorial nature of the law makes it just as important as GDPR, since all companies, national or multinational, big or small, are held to the same standards and penalties under the LGPD.
Rights of Consumers Under LGPD
The LGPD consists of 10 chapters with a total of 65 articles. These articles define the rights and provisions covered by the LGPD. Although a complete treatment of the law isn’t possible here, the following are the key rights of people under LGPD:
Explicit consent: the data subject must be clearly informed about the reason for the collection of personal data and the purpose of use.
Correction: the holder can request changes to his data (corrections, updates and deletions).
Right to be forgotten: regardless of the reason, the holder can request the deletion of his data within a certain system.
Portability: it must be possible for the holder to be able to export his personal data from one system to another.
Right to explanation: the holder can request information on all algorithms that interact with his data to understand, for example, why a bank loan was denied.
How Does it Differ from GDPR?
The GDPR and LGPD share many points of similarity but they also differ in several important ways:
- Treatment of Sensitive Data: European law prohibits the processing of sensitive data, establishing some exceptions to the ban. Two of them were not included in Brazilian law: (i) Data made public by the holder; (ii) Data relating to current or former members of foundations, associations or non-profit organizations, treated for legitimate purposes and with appropriate security measures.
- Direct Marketing: Brazilian law applies the general rules of consent, transparency and right of objection to the holders of personal data. European law, on the other hand, contains specific provisions: the data subject has the right to object at any time to the processing of his personal data, which includes profiling to the extent that it is related to direct marketing.
- Relationship between Controller and Operator: Although Brazilian law establishes that the operator must carry out data processing in accordance with the instructions of the controller, there is no requirement to formalize this through a contract. By contrast, European law provides that data processing carried out by an operator must be governed by a contract or other legal act that binds the operator to the controller.
- Impact Report: Brazilian law has not made it clear in which situations the controller will be required to carry out an impact report on the protection of personal data, delegating the treatment of this matter to subsequent regulation. European law provides that the controller must produce an impact report on the protection of personal data when the processing results in a high risk to the rights and freedoms of individuals. GDPR also provides a detailed description of what should be covered in this report.
- International Data Transfer: Brazilian law allows the transfer of personal data to countries or international bodies that provide adequate protection for personal data. The law is brief regarding this procedure and the elements to be considered as adequate; the LGPD establishes only generic guidelines to be observed by national authorities. European regulations provide that the international transfer of data can be carried out without specific authorization if the European Commission recognizes that the third country ensures an adequate level of protection. If not, the international transfer is subject to adequate safeguards, which must be guaranteed by the Agent. All procedures and elements that the Commission takes into account in authorizing a transfer are described in the GDPR.
- Supervision of Law Enforcement: The bill that originated the LGPD provided for the creation of the National Data Protection Authority, following the same line as the European regulation. However, the provisions providing for its creation and responsibilities were vetoed on the grounds that they were unconstitutional in terms of the legislative process. European regulations establish the creation of the European Data Protection Board, responsible for ensuring the consistent application of GDPR.
When GDPR came into effect, VPN providers had to revamp their privacy policies to accommodate the provisions of the new legislation. It will be interesting to see if the LGPD will be treated with the same respect by the VPN industry.
How Effective Will it Be?
The authority responsible for the regulation and enforcement of the LGPD is the National Data Protection Authority (ANPD). However, no members of the body have been appointed yet. Moreover, the fact that the ANPD will be closely linked to the government raises serious concerns about fair enforcement of the law.
In Brazil, the major regulatory agencies are state owned. The consequence of this is the politicization of these bodies and, consequently, corruption. Favoritism towards powerful businesses and unfair interference from a government furthering its own political interests therefore cannot be ruled out.
The fact that GDPR itself has largely failed to hold companies accountable, two years on from its passing, is hugely discouraging. The web browser company Brave filed a complaint with the European Commission, asserting that European governments have failed to provide the resources that data protection authorities need to perform their duties.
As such, fears that the LGPD will suffer the same fate as GDPR are completely valid. At the same time, however, there are positive examples of state agencies that work admirably in Brazil, such as PROCON, which acts in the defense of consumer rights.
Brazil is a country known for having laws that work and others that don’t. Based on previous experience, the belief that the law will partially fulfill its role isn’t too far-fetched. The government will have an interest in obtaining funds through the fines applied to companies that do not comply with the parameters established by the General Data Protection Law.
Finally, there will certainly be a great deal of litigation over the issue, brought by companies that feel unfairly treated by illegal or abusive fines. It remains to be seen whether the Brazilian judiciary will be technically able to resolve such conflicts.