Implications of a personal data breach under LGPD regulations and potential impacts on legal proceedings.

by Verdict Mind

Various media outlets recently reported that the personal information of over 220 million individuals has been exposed. A security firm discovered a significant amount of personal data, such as names, CPF numbers, addresses, income levels, credit scores, and even facial photos, circulating online, potentially outside of the deep web where it would typically be found.

The General Personal Data Protection Act (Law 13,709/2018 – LGPD) came into effect in September 2020, and this data breach has been classified as the largest in Brazilian history. Questions arise about the consequences of a data breach under LGPD regulations, potential changes in agreements due to the new law, and the rights of individuals regarding their personal data.

We will discuss the legal implications of personal data breaches under the LGPD and its regulations on data processing in the upcoming sections.

Agent identification

Personal databases are not spontaneously generated online. They are structured collections created with a specific aim in mind, such as economic gain in the case of private databases or public welfare in the case of governmental databases. Unauthorized access to personal information stored in these databases is a common occurrence known as a personal data breach.

Determining the source of the leak can be a challenging task, especially for the person responsible, as they often lack the necessary resources or expertise for such an investigation.

LGPD established in Article 55-J that the National Data Protection Authority (ANPD) is responsible for overseeing data processing activities to ensure compliance with the law.

Identifying the processing agent of personal data responsible for the leak is crucial for holding them accountable, whether it be to authorities or data subjects.

The ANPD, which was only formed in August 2020, currently lacks the necessary organization and resources to fulfill its mission effectively, and the application of administrative sanctions is suspended until August 2021.

A personal data breach has resulted in the violation of LGPD regulations.

A personal data breach is a clear violation of LGPD. It is important to specify the key provisions that were breached as they may impact the consequences faced by the responsible party, as discussed in the following section.

Article 6 of LGPD outlines eleven legal principles to be followed when processing personal data, with a focus on preventing unauthorized access. These principles, including Security, Prevention, and Accountability, should be integrated throughout the data processing cycle to ensure safety and appropriate response in case of incidents.

Not reporting a leakage case under the LGPD implies a violation of the three principles discussed. It might appear insignificant, but principles are crucial in legal matters.

LGPD introduces subjective criteria for the security of processing, which help ensure its provisions remain relevant over time, safeguarding against potential obsolescence due to technological advancements and evolving strategies in data protection.

Article 46 of the LGPD requires data processors to implement security measures to protect personal data from unauthorized access or loss. The level of security should match the expectations of data subjects and the risks involved in the relationship.

If the agent knows about a security breach, they should notify ANPD and the data subjects, based on the seriousness of the incident. The method of communication for this information is yet to be defined by the authority, leading to ambiguity in how it should be carried out.

A personal data breach could be seen as a breach of articles 44 and 46 of the LGPD due to the failure to implement security measures, resulting in unauthorized access to personal data and potential violation of Article 48 if incidents are not reported.

Evaluation of the seriousness of the event

Not all data breaches are the same in terms of severity and potential harm to individuals and society. The exposure of a database containing people’s addresses may vary in impact, depending on the characteristics of the individuals involved. For instance, a database of famous or politically influential individuals could pose significant physical security threats to them, whereas a database of non-prominent individuals may still present security risks but on a smaller scale.

The incident needs to be evaluated to set guidelines for imposing penalties and reducing impacts, as stated in Article 48(2). Following this assessment, ANPD might impose measures like publicizing the incident widely in the media and taking steps to lessen its effects.

If a serious incident warrants severe sanctions, it is crucial to understand and apply the appropriate penalties in accordance with its gravity.

The extent of administrative penalties relies on the ANPD’s execution of public consultations, as stated in Article 53. Thus, evaluating the incident’s seriousness will be facilitated once this parameter is set.

Implementation of penalties within an administrative framework

Sanctions of up to 50 million reais per breach under LGPD may be applied to the processing agent responsible for personal data leaks, taking into account mitigating and aggravating factors related to their actions or inactions. Negligence, recklessness, or incompetence will lead to more severe sanctions, serving to both punish and educate the agent.

Administrative penalties will not be enforced until August 1, 2021, meaning that ANPD’s ability to regulate and oversee the handling of personal data may be limited during this period.

The authority is not entirely without value; in fact, its role as a data processing expert can provide assistance to individuals and authorities in legal matters, particularly in individual and collective legal actions. The option to pursue such actions is granted by existing laws like the Consumer Protection Code, the Internet Civil Framework, or the Public Civil Action Act, and is not a new provision introduced by the LGPD.

In the administrative realm, with regard to the LGPD, sanctions against individuals are not anticipated until August 2021. Thus, the LGPD has limited impact currently but may be more influential once its sanctions are enforced.

Is the leak report compliant with the LGPD’s fireproof requirements?

Some argue that the gradual release of this article provides solid support for LGPD and its system for safeguarding personal data. However, considering the current transitional phase and the challenges outlined earlier, it is premature to make such a claim. While the efforts of ANPD are not without merit, the constraints posed by technological capabilities and human resources should not be overlooked.

According to the strategic planning of the ANPD, the growth of the staff will occur within a medium-term timeframe, likely due to budget allocation and public tender requirements. This highlights that there is still a long journey ahead for the personal data protection ecosystem to fulfill its mission.

We shouldn’t expect an ideal situation to assess the effectiveness of LGPD. In reality, there are always constraints and high demands, especially in public contexts. Despite this, we should view this transitional period as a crucial opportunity for LGPD to demonstrate its full potential once challenges are overcome.

In conclusion

Security issues, such as the exposure of personal information, can have negative effects on individuals, companies, and society as a whole.

LGPD serves as a crucial legal tool to grant rights to individuals and establish a culture of privacy within society by regulating the protection of personal data, with the ANPD playing a key role in addressing data breaches.

We are moving from an unregulated to a regulated environment, facing challenges that are not being resolved quickly. In the medium term, it is expected that the LGPD will be more effective in handling data breaches, which are currently not adequately addressed due to the ANPD’s limited capabilities and the delayed enforcement of administrative penalties until August 2021.

The LGPD and ANPD are important in addressing recent personal data breaches during this transitional period. The LGPD has provided clarity and structure to data protection, defining obligations for data handlers, rights for individuals, and security requirements. The ANPD, although limited, can help assess the severity and accountability of data breaches. However, it will take more time for the full impact of the LGPD to be realized in our legal system and society.

Some areas of the internet are not searchable on common search engines, making them popular for obscure or illicit activities.

We begin with the leak story, but our thoughts can be applied to any kind of leakage.

Other administrative bodies may also play a role in determining responsibility, but we will focus on the changes brought about by the LGPD law.

The source can be found at: https://www.gov.br/anpd/pt-br/documents-e-images/planning-strategic/planning-strategic-2021-2023.pdf. Accessed on February 4, 2021.

Ricardo Alexandre de Oliveira
