Brief notes on the duty of data protection in Brazil – why, who should, how and when to adapt?

The new Brazilian General Data Protection Law (LGPD) – in this text simply called the “law” for ease of reading – is already partially in force. It originates from the European General Data Protection Regulation (GDPR), in force in the European Union since 2018, with which it shares many similarities. Our purpose here is to answer, very briefly, the most objective questions about the law and so provide the reader with an introduction to the subject.

This law exists to increase the security and protection of the data of individuals that is held by entities and professionals, in order to safeguard the fundamental rights of freedom and privacy and to allow the free development of one’s personality. Concretely, the law seeks to protect people’s data from unauthorized breaches, collection or exchange and from improper use, in a digital environment that is increasingly eager to process information for the most diverse reasons, often beyond the control of laypersons.

It is important to clarify that natural persons who use data for professional or commercial purposes (lawyers, accountants, doctors, dentists, psychologists, body therapists, commercial representatives, private teachers, among others), as well as all legal and collective entities (such as limited liability companies and their subsidiaries, stores, factories and other companies, commercial representations, clinics, hospitals, churches, political parties, universities, schools, associations, etc.), must comply with the law. Very few exceptions apply.

Adapting to the law means, above all, understanding what data is currently being processed and how it should be processed under the law. The criterion that determines whether the current processing system is adequate is the nature of the data under analysis, which is directly related to one’s professional activity. This is because the law clearly establishes two categories of data to be processed differently: the most common category, “personal data”, and, contained within it as a subset and subject to even stricter processing rules, “sensitive personal data”.

“Personal data”, according to the law, is data related to an identified or identifiable natural person: that is, everything known about a person that could potentially allow us to single her out. Thus the Brazilian taxpayer registry number (CPF), personal and professional addresses, full name and telephone number are personal data, but so are particulars that support further identification, such as membership in a club or brotherhood.

“Sensitive personal data”, according to the law, is data on an individual’s racial or ethnic origin, religious belief, political opinion, union membership or membership in an organization of a religious, philosophical or political nature, data relating to their health or sexual life, or genetic or biometric data, when linked to a natural person. It follows that the information in medical and dental records is to be regarded as “sensitive”, but so are photos, images, voice recordings, iris scans and fingerprints, for example.

Once the typology has been clarified, the lawyer will be able to counsel the client on the extent of, and the need for, changes to processes in order to respect the duty to protect personal data and the duty to protect sensitive personal data. In some cases simple protection protocols will be enough; others will require new internal rules, new procedures and new contracts with third parties. The client will define the investment to be made in the recommended processing and protection measures. Whatever is implemented must be directly related to the objective of the law, that is, to ensure the security and privacy of the data it protects.

There is still a perception – which is wrong – that the law is not really in force. This is because the supervisory authority provided for in the law (the National Data Protection Authority – ANPD) has only recently been appointed and installed to fulfil its duties, and also because the law provides that the legal reprimands and administrative fines it establishes (which may reach R$ 50 million) apply only from August 2021. Nevertheless, this interpretation is dangerous and exposes persons and companies to unnecessary legal risks.

The law applies immediately to the processing and exchange of data in the private sector and to commercial and professional relations between persons and legal entities located in Brazil and abroad, and it establishes the principles, duties and rules for the processing of the data to which it refers, all of which are currently in force. And since each duty corresponds to a responsibility (and, technically, a liability), in every case a violation of the duty of protection required by the law, once causation and damage have been proven, will compel indemnification of the injured party.

It will be up to the judge, in each specific case, to decide whether to assign liability for the violation regardless of proof of fault by the company, requiring from the injured party only evidence of the damage itself, or whether the aggrieved person will be required to prove the violation as the probable cause of the damage. In the latter case, the aggrieved person will have to show that the violation arose from an involuntary (but predictable and preventable) act or omission, from negligence in processing, or from a lack of correct technique applied to the case, which, by breaching a legal obligation, is in turn proven to be the cause of the damage.

In practice, we foresee a tendency for a greater number of decisions to require the aggrieved person only to prove the damage suffered, exempting her from having to prove the fault of the entity that caused it. In fact, there are many situations in which it is relatively easy to demonstrate with documents the disclosure or leakage of previously protected data, without resorting to more complex procedures involving experts, witnesses and evidence. It should be noted that the liability arising from such a breach will in any case be attributed to the legal entity that controls the data, regardless of any outsourcing arrangements.

The law also allows the judge and the supervisory authority to mitigate penalties for violations by entities that prove fairness, compliance and good faith in their operations, that is, if, despite the violation, the entity is able to demonstrate that it employed best practices and systems to prevent it. Timely implementation is therefore also an effective argument for mitigating financial risk.

We understand that the potential for future administrative sanctions by the supervisory authority, applicable from August 2021, is not the only relevant reason for seeking compliance with the law. We recommend that entities subject to the law review – with their trusted lawyers – how they process and protect the third-party data in their custody, to reduce or even eliminate the risk of violating a legal duty that is already in force.