by Filipe Fonteles Cabral
July 22, 2019
The General Data Protection Law (LGPD) will only come into force on August 15, 2020, but has already caused a lot of buzz in the legal community. In the corporate environment, doubts are raised about the scope of the new Law and mistrust about the real need for compliance. In this brief article we have selected 10 recurring statements among businesspeople on the topic, not all of them true. Between facts and myths, our comments follow.
1. The law will not be enforced.
This possibility is remote, from whatever angle it is analysed. To mention three reasons: a) an actual data protection law is a requirement for Brazilian companies to continue receiving personal data from foreign individuals without bureaucratic obstacles; in other words, this law is an important pillar for the development of the economy; b) Brazil has strong institutions for protecting diffuse rights (such as consumer law and environmental law), and the right to personal data protection is unlikely to remain unsupported; c) the duties set out in the law have the potential to mobilise a new “damage claims industry”, equivalent in volume to labour and consumer claims. With so many factors in its favour, it is unlikely that the law will lack authority or be ignored.
2. Privacy “died” in the information society.
This is not true. It is a fact that there has been a proliferation of abusive uses of personal data, for technological and sociological reasons that fall outside the scope of this brief text. However, consumer confidence in the legitimate use of personal data is the driving force of the digital economy. New data protection laws have been approved around the world, with the creation of regulatory agencies and the role of the “Data Protection Officer”, that is, new institutions and professionals dedicated exclusively to the topic. More alive than ever, privacy is expanding.
3. Data made available on the Internet is in the public domain.
The myth of the “lawless Internet” has been debunked since the mid-2000s by the content industry and some iconic copyright protection lawsuits. The same reasoning applies to personal data protection. The voluntary disclosure of personal data does not imply the termination of rights, nor does it authorise its use for purposes other than those intended by its owner.
4. Obtaining consent is essential for the collection and processing of personal data.
Common mistake. The LGPD sets out 10 situations for the lawful use of personal data, and the owner’s consent is only one of the alternatives. Data can also be collected and processed for the execution of a contract, to comply with legal obligations and even for uses resulting from “legitimate interests”. It is recommended that personal data flows be reviewed and their categorisation under the respective legal bases be ascertained by specialised professionals.
5. The duty of legal compliance is limited to the companies’ internal processes.
Certainly not. The LGPD is governed by the principle of accountability (among others). This means that in addition to being held liable for its internal processes, the company must also take precautions and adopt measures to ensure compliance with respect to its suppliers and business partners with whom it shares data.
6. Privacy violations do not always result from data leaks to external environments or hacker intrusions.
True. The LGPD sets out various duties that must be observed by any individual or company that collects and/or processes personal data. Failure to fulfil these obligations constitutes a violation of the LGPD rules. Examples of violations include the storage of personal data for an indefinite period after termination of an agreement, as well as access to personal data by employees who do not carry out the professional duties that motivated the data collection.
7. A privacy policy review is not sufficient to comply with the LGPD.
Correct. As has been seen in the previous item, there are several duties set out in law, including issues of a technical nature (such as data management and information security) and of a legal nature (such as the definition of legal bases, review of agreements, conducting Data Protection Impact Assessments, etc.). Therefore, a privacy policy review is only one of several measures that should be adopted by companies that process personal data.
8. The LGPD will demand a change in corporate culture beyond the completion of the compliance project.
Yes, no doubt. The duties arising from the LGPD extend for as long as the company collects and processes personal data, that is, potentially forever. For example, when managing personal data protection, a company must be able to respond to the demands of the data subjects, supplying reports and excluding or making information anonymous, in the situations set out in Law. In addition, as a general rule, new products or services that use personal data must pass through the scrutiny of a Data Protection Impact Assessment.
9. An in-house Data Protection Officer is not mandatory.
Indeed. The LGPD sets out that the role of DPO can be carried out by individuals or companies that are capable of performing its function. There is no obligation in the Law for the DPO to be Brazilian or even headquartered in Brazil. The choice of DPO profile should reflect the characteristics of each company and, in particular, the volume and complexity of its data processing operations.
10. The storage of data in foreign servers may shield the companies from the reach of the LGPD.
Fortunately not. The LGPD, like other laws (such as the General Data Protection Regulation, the European GDPR), has “extra-territorial” effects. The Law applies to all who carry out operations involving the collection and/or processing of personal data, provided that the collection and/or processing is carried out in Brazil, that the processing aims to supply goods or services in Brazil, or that the data being processed belongs to individuals located in Brazil. In practice, even foreign companies with no representation in Brazil may be subject to the LGPD.
Conclusion.
The law requires that good practices for protecting personal data be adopted by companies that offer goods or services to individuals located in Brazil. Consequently, the regulatory framework for personal data will enable the trust of Internet users to be regained with respect to the responsible use of their information, in exchange for increasingly personalised and less costly goods and services. There will be more users supplying personal data, more processing carried out, more algorithms in development and more innovative and disruptive business models. The LGPD has come to build the foundations of a solid and sustainable digital economy. Whoever is capable of understanding the new reality, transforming the duty of legal compliance into a competitive advantage, will come out on top.