Implementing New Data Protection Law May Fall to Incoming Brazilian President


Jair Bolsonaro takes part in the first debate of the 2018 elections for president of Brazil at the headquarters of Band TV. Photo: plopes/Shutterstock.com.



With a new president, Jair Bolsonaro, soon taking over in Brazil, the incoming administration may have to take several steps to implement a new data protection law.

Known in Brazil by the acronym LGPD, the General Personal Data Protection Law calls for private companies and public bodies to be prevented from using or collecting personal data without consent, including on digital media, according to a government document. The law also increases transparency and strengthens protection of personal data, the government says.

The LGPD was signed into law in August and becomes effective 18 months from that date.

Bolsonaro, whose administration takes office on Jan. 1, may implement much of the law, especially if the current president opts not to follow up in the remainder of his term. But so far, much remains to be done.

“Right now, the most pressing issue is to make sure a proper Data Protection Authority is created and staffed by people with the necessary legal and technical backgrounds to enforce the law in a balanced way,” Marcel Leonardi, an attorney at the Brazil-based Pinheiro Neto Advogados law firm, told Legaltech News. “Once that happens, quirks with the legislation may become more apparent and, if not resolved by DPA decisions, may warrant changes in the law itself.”

André Giacchetta, an attorney who also works at Pinheiro Neto Advogados, says the incoming administration may be the one to “create the Brazilian … DPA and nominate its commissioners, if the current administration fails to do so.”

As far as the actual law, Bolsonaro’s administration “could change nothing” after it takes office and leave “the law exactly as enacted.” Or, it “may introduce a bill to change small details of the law, or even present significant material changes to the legislation,” Giacchetta said.

“The core challenge is the lack of a Brazilian Data Protection Authority,” Giacchetta adds, “particularly because the law leaves up to the DPA key aspects of its implementation, from the interpretation of what constitutes legitimate interests to analyzing codes of conduct, issuing standard contractual clauses for international data transfers, reviewing data protection impact assessments and, of course, establishing sanctions and fines in cases of noncompliance.”

The new law also affects U.S.-based companies. Leonardi explained that it will impact U.S. companies and multinationals in much the same way the European General Data Protection Regulation does in Europe. He advised U.S.-based corporations and multinationals that compliance with the new law should “start sooner rather than later.”

“Larger, multinational companies which prepared for the GDPR over the past two years will have an easier task as several processes and requirements are similar,” he explained. “Companies that are not familiar with a comprehensive data protection regime will have a lot of work to do to be compliant by February 2020.”

Companies must change their mindset about the use of personal data in their business, Giacchetta added. “It is not only a matter of having proper documents and contracts, but, in essence, how to interact with the users, providing them with clear information about data processing, using personal data within the limits of authorization given by their users.”

He also explained that under the new law, the concepts of personal data and processing are very broad, and “the law establishes clear legal bases that must be followed for the processing to be considered lawful, in addition to requiring compliance with several principles and data subject rights.”

Currently, Giacchetta said, only “consent from the users should be considered a legal basis for data processing based on the Internet Civil Rights Framework. However, from February 2020 on, companies will have 10 different legal bases for data processing. Therefore, companies will have to understand which should be the correct legal bases for data processing under the penalty of such data processing being considered illegal.”

Notably, penalties for noncompliance can reach up to 2 percent of the turnover of the local economic group in Brazil, limited to $13.5 million.

Leonardi said the core challenges related to the new law for corporations include:

  • Operational, which involves the need for mapping data flows throughout the whole business and understanding what the life cycle of data is within the operation.

  • Legal, which involves understanding, documenting and implementing in practice all the different legal requirements for the processing of personal data.

  • And cultural, which involves changing the mindset within the company and embracing privacy by default as the right way of doing business.