Brazil’s LGPD now in effect — what does this mean for enforcement?
Brazil is at a historic moment regarding its General Data Protection Law. The LGPD is taking effect Sept. 18, 2020, after facing an uncertain and confusing scenario, since all indications were that the law’s effective date would be postponed to 2021. Instead, the LGPD is entering into force now, although the penalties for infractions will only start being applied Aug. 1, 2021.
In practice, many doubts have arisen about the consequences of the law taking effect now while penalties start being applied only in August 2021.
What does the latest news mean for companies?
Simply and objectively speaking, the entry into force of the LGPD now generates the immediate need for companies to adjust their practices to the law because its rules are valid without delay.
The LGPD, strongly inspired by the EU General Data Protection Regulation, establishes various obligations and principles regarding the treatment of people’s personal data. A relevant point refers to the national data protection authority, Autoridade Nacional de Proteção de Dados, which will have the function of implementing and overseeing compliance with the law, as well as imposing administrative penalties for infractions committed involving the law’s provisions, as described below:
- Warning, with an indication of a time limit for taking corrective measures.
- Fines of up to 2% of the gross revenue of the company, limited to R$50 million per infraction.
- A daily fine for noncompliance, cumulatively up to the same limit.
- Public disclosure of the infraction after proper investigation and confirmation of its occurrence.
- Blocking of the personal data involved in the infraction until regularization of the situation.
- Elimination of the personal data involved in the infraction.
- Partial suspension of the functioning of the database involved in the infraction for the period until regularization.
- Suspension of treatment of the personal data involved in the infraction.
- Partial or total prohibition of engaging in activities related to the treatment of personal data.
These penalties will only take effect in August 2021 and be applied directly by the ANPD. However, this body is not yet up and running since the relevant regulation on its internal structure and staffing by civil servants and political appointees was only issued at the end of August this year. The ANPD will thus be fundamental in regulating and issuing guidance about the various provisions and themes covered by the law.
Even without the activities of the ANPD and with the postponement of the penalties until 2021, companies need to be aware that the law can already be applied by the courts or other competent authorities, making it a valuable instrument to protect personal data.
In this respect, any person can rely on the law to assure their rights, as can consumer protection agencies, public prosecution services and other representatives of the public interest on behalf of groups. The Public Prosecution Service of the Federal District and Territories and various consumer protection entities are already active in data protection cases even without the LGPD being in effect, because the law basically consolidates and specifically defines the rules on data protection already established in general by the Federal Constitution, Consumer Defense Code and Internet Civil Framework (Law 12,965/2014).
As an example, we can refer to the suit filed by a customer of a famous Brazilian real estate development company, Cyrela, seeking to forbid the company from sharing his personal data with third parties without his authorization. The plaintiff alleged he was contacted by several companies that had access to his sensitive personal data after buying a residential unit from the company. According to the plaintiff, the act of sharing his personal data without his consent violated several legal provisions contained in the Federal Constitution, Credit Whitelist Law (Law 12,414/2011) and Internet Civil Framework, in addition to the principles of the LGPD and Consumer Defense Code.
The Public Ministry of the Federal District and Territories has also been active in questions involving the protection of data, especially in matters of secure treatment to guarantee privacy. Since 2018, it has established various public civil inquiries into the practices of technology companies in collecting Brazilians’ personal data.
An emblematic case in this respect involved Netshoes, which negotiated an administrative consent decree with the MPDFT to avoid a collective civil action and pledged to pay R$500,000 as indemnity for moral damages caused by data leaks in 2017 and 2018. Besides this, the company promised to implement measures in addition to its data protection program, including updating its cybersecurity policies, adjusting its behavior to the LGPD and engaging in public awareness campaigns to teach customers how to protect their personal data.
Along the same lines, consumer defense bodies have also been active, as in the case of the fine imposed on Facebook by the National Consumer Secretariat, part of the Ministry of Justice and Public Safety, for improperly sharing the data of users with the political marketing consultancy Cambridge Analytica. The penalty was imposed in an administrative proceeding and is still subject to appeal.
These examples demonstrate that the rule deferring the application of penalties to August 2021 refers only to administrative cases under the aegis of the ANPD and does not prevent investigations and the imposition of penalties by other public authorities for violations of the obligations established in the LGPD.
It will be important to monitor the developments regarding the measures that will be taken in the administrative and judicial spheres with the entry into force of the LGPD.