What was the situation prior to the LGPD?
Brazilian legislation lacked a detailed, comprehensive law on safeguarding personal information, one that would align and modernize the definitions previously scattered across, and limited to, specific regulations such as the Consumer Protection Code, the Internet Civil Framework, and the Positive Registration Law.
The Brazilian Federal Constitution emphasizes the fundamental right to privacy and private life, as stated in Article 5, section X. In May of this year, the Supreme Court made a significant ruling based on this right and other principles, suspending Provisional Measure 954/20, which aimed to share personal data with the IBGE, thus affirming individuals’ right to informational self-determination. This ruling can be seen as a landmark in Brazil’s history of personal data protection.
Constitutional Amendment Proposal 17/19 introduces the protection of personal data as a fundamental right, grants the Union exclusive competence to legislate on this matter, and aims to restructure the National Personal Data Protection Authority (ANPD) as an independent entity within the federal public administration.
What is different now that LGPD is in effect?
The LGPD is designed to enhance legal clarity by outlining the guidelines that organizations must adhere to when handling personal data in an ethical, responsible, and secure manner, thereby increasing protection of individual rights and fostering the digital economy.
Brazil now follows top international standards, with the LGPD drawing inspiration from the GDPR to boost foreign investments and facilitate the global flow of data with less bureaucracy.
The key factors to consider for the effectiveness of LGPD are as follows:
- The rights of holders are upheld (refer to the infographic).
- Holders are provided with clear, accurate, and easily accessible information about the treatment and those involved, ensuring greater transparency.
- Responsibility for the processing of personal data (refer to the governance infographic and the DPO infographic).
- In case of incidents involving personal data, it is essential to report them even if administrative sanctions are not yet in place, as sector-specific authorities and the legal system may use the LGPD to impose administrative penalties and civil liability convictions.
The concept of informational self-determination, as outlined in the LGPD’s Article 2, section II, should guide organizations when handling personal data, along with the principles specified in Article 6:
- The treatment should serve legitimate, specific, explicit, and informed purposes to the data subject, without allowing further processing that is inconsistent with these purposes.
- Limit the treatment to the essential minimum required for its intended purposes, ensuring that the data processed is relevant, proportionate, and not excessive.
- Transparency, as previously stated.
- Holders are provided with unrestricted access to easily and freely check the processing methods, duration, and accuracy of their personal data.
- Security involves employing technical and administrative measures to safeguard personal data from unauthorized access and accidental or unlawful incidents like destruction, loss, alteration, communication, or disclosure.
- Prevention involves implementing measures to avoid harm caused by the handling of personal data.
- The agent must show that they have taken effective measures to ensure compliance with personal data protection standards.
The LGPD contains various provisions that still need regulation or guidance from the ANPD:
- Deadlines for meeting the holders’ requirements.
- Standards for transferring data.
- Regulation of the impact report on safeguarding personal data (refer to infographic).
- Clarification of the cases in which Legitimate Interest applies (refer to the infographic).
- Standards and methods for anonymizing personal data.
- Adequacy of other countries and standard contractual clauses to ease international data transfers.
- Simplified and adjusted guidelines and procedures, along with deadlines, to help micro-enterprises, small businesses, and startups comply with the Law.
Administrative penalties starting from August 1, 2021. What does this signify?
The ANPD has the sole authority to impose administrative sanctions as outlined in the LGPD. These sanctions can only be enforced starting from August 1, 2021, in accordance with Law 14.010/2020. The sanctions are:
- Alert, with a specified deadline for implementing corrective actions.
- A maximum penalty of 2% of the total revenue of a private legal entity, group, or conglomerate in Brazil from the previous year, excluding taxes, capped at R$ 50,000.00 per violation.
- Daily charge.
- The infringement will be published after it has been accurately calculated and confirmed.
- Blocking the personal data mentioned in the violation until it is resolved.
- Deletion of the personal information mentioned in the violation.
- The database’s operation mentioned in the violation may be partially suspended for up to six months, extendable for the same duration, until the controller’s data processing activities are regularized.
- The processing of the personal data related to the violation will be paused for up to six months, with the option to extend for another six months.
- Prohibition of engaging in data processing activities, either partially or completely. (Stated in Law No. 13,853, 2019)
The National Data Protection Authority (ANPD) will establish the methods for determining the base fine amount through a public consultation, ensuring transparency and providing detailed reasoning for any sanctions imposed.
The ANPD is responsible for interpreting the LGPD, setting guidelines for its implementation, and collaborating with other bodies and entities involved in data protection to prevent duplicate administrative penalties for a single offense.
The Authority’s main focus should be on actively engaging with private businesses through communication, assistance, collaboration, advice, education, and sharing information, rather than resorting to sanctions. Sanctions should only be considered as a last resort for severe or repeated violations.
With the LGPD now fully in effect, sectoral bodies and the Judiciary Branch can use it as a foundation for their decisions, applying current administrative measures and legal rulings on civil liability; the aim is to avoid this becoming the standard practice under the LGPD.
What is needed for the ANPD to begin functioning effectively?
The ANPD has not yet moved beyond the planning stage. Legal certainty may be at risk until the Authority starts operating and enforcing the Law.
Decree 10.474/2020, issued on August 27 and published in the Official Gazette of the Union, established the organizational structure of the ANPD and outlined the positions and functions within the committee.
The next step for the ANPD to commence its operations is for the Presidency of the Republic to nominate the members of the ANPD’s Board of Directors. This board will undergo a confirmation process by the Federal Senate in the following weeks. Additionally, the National Data Protection and Privacy Council, an advisory body associated with the ANPD, must also be established.
With the forthcoming ANPD, its Advisory Council, and its enforcement of the LGPD, we are likely to achieve the required legal certainty for the successful implementation of this groundbreaking law, which is crucial for the advancement of a dynamic and robust digital economy in our nation.