Data protection and Brazil's LGPD
Data has been referred to as the ‘oil of the digital era'.1 As data progressively plays a central role in nearly all human activities and assumes unprecedented levels of both social and economic relevance, a pressing call for regulation and adequate legal protection has surged across the world. Unlike traditional commodities, data can be effortlessly collected and transferred across borders. The challenges for a harmonious coexistence of legislation from different jurisdictions are even greater than in other areas.
Over the last few years, data protection laws have been enacted all around the globe.2 Their effects are only starting to be fully understood and assimilated. Brazil's recent Data Protection Act (‘Lei Geral de Proteção de Dados', or simply “LGPD”), came into force on 18th September 2020, prompting businesses and professionals in general to face significant new duties and responsibilities in their usual activities. Arbitration practitioners must pay particular attention to the new legislation.
Material and territorial scope
The statute applies to any data treatment operation carried out by natural persons or legal entities (as per the definition provided for by Article 5, item X of the LGPD), thus affecting virtually all Brazilian public or private organizations. As a fact-finding proceeding with inevitable data-sharing obligations, arbitral activity triggers LGPD rules and principles pertaining to data security (see Article 6, item VII of the LGPD).
Other than data-processing operations ordinarily implemented in Brazil, the statute's territorial scope encompasses extra-jurisdictional situations in which data-processing – although not executed within the national territory – aims to supply goods or services to people located in Brazil or relates to individuals located within its territory at the time of the data collection (see Article 3 of the LGPD). Such approach is notable as it may turn not only Brazilian, but also international economic operators, into possible addressees of LGPD's provisions (and therefore this might include, i.e., foreign arbitral tribunals, as well as foreign arbitral institutions dealing with proceedings in any way related to Brazil).
Data-processing agents: controller and processor
The LGPD makes an important distinction between the roles of the data controller and of the data operator/processor, both types of ‘data processing agents' under the statute. This is particularly relevant for arbitration participants in order to allocate responsibilities upon their respective functions.
Pursuant to Article 5, item VI of the LGPD, the data controller is any person who determines key elements of data processing, such as its purposes and means. The data operator/processor, as per Article 5, item VII of the LGPD, deals with more practical aspects of such implementations, on behalf of the controller or their instructions. Either under the LGPD or the European Data Protection Regulation (‘GDPR'), that inspired Brazil's statute, there is no limitation as to the type of entity that may be considered a controller. For instance, Guidelines No. 7/2020 on the concepts of controller and processor, designed for the GDPR3, acknowledges that it is usually an organization. Similarly, considering the European context, arbitrators, arbitral institutions and counsel are all deemed to be data controllers by its data protection authorities. ICCA-IBA Roadmap to Data Protection in International Arbitration, taking into consideration Brazil's LGPD structure, considers that arbitral actors ‘are likely to be considered data controllers for their processing (but not that of others) because the nature of their function is such that they control the purpose and means of the data they are processing in the context of an arbitration'4.
LGPD lays down that ‘data processing agents' – as well as any person who intervenes with third-party's data – undertake to ensure the security of the information in relation to personal data (see Article 47 of the LGPD). Either before, during, or after the arbitral proceeding, this duty is understood to be directly applicable to parties, arbitrators and arbitral institutions, as well as any person or entity holding a legitimate interest in the proceeding (i.e. counsel, external service providers, experts, witnesses, consultants, clients, employees, secretaries, among others), whose failure to comply with lawful, transparent and secure data processing may give rise to fines and the blockage or exclusion of the personal data to which the infraction refers (see Article 52 of the LGPD), as well as ordinary civil liability.
Grounds for data-processing
Both LGPD and GDPR similarly provide for an exhaustive list of cases in which data-processing is deemed lawful (respectively on Articles 7 and Article 6), with numerous situations falling under the ‘consent' provision.
The Brazilian LGPD takes a step further in relation to the European legislation and enshrines arbitral proceedings as a sole and express end to which data-processing is allowed, adding to an extra layer of certainty and protection to arbitration (see Article 7, item VI of the LGPD). Legal or natural persons involved in an arbitration proceeding are all entitled to process personal data due to this legitimate purpose, but only for that specific end, pursuant to legal principle of limitation of purpose. Thus, Articles 15 and 16 of the LGPD determine that the processing of personal data shall be terminated as soon as its purpose has been achieved, which naturally includes a reasonable time after the termination of any arbitration (inter alia, to allow future conflict checks or for legal/regulatory compliance, among other legitimate necessary actions).
Arbitral activity undoubtedly triggers significant LGPD rules implying responsibilities and obligations to individuals and legal entities. As a safeguard, arbitration participants are encouraged – either by guidelines or local arbitral institutions – to agree and insert provisions in writing on the terms of reference governing aspects such as the personal data that will be collected, the purposes and legal ground under the LGPD for its use, and the main responsibilities of the parties, counsel, arbitrators and institutions in the managing of data.
A joint approach by arbitration participants – including individual professionals, arbitral institutions and other organizations – is and will continue to be essential towards identifying and effectively addressing further data protection issues in the context of arbitration. It is essential that all stakeholders in the arbitral arena contribute to align the practice with the legal framework applicable to data protection, so that all can work within safe and secure structures, in spite of the challenges of a highly dynamic data-driven reality.
1 “The world's most valuable resource is no longer oil, but data”. Access on June 19th, 2021 https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
2 “128 out of 194 countries had put in place legislation to secure the protection of data and privacy”. Access on June 19th, 2021 https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
3 Guidelines No. 7/2020 on the concepts of controller and processor in the GDPR. Access on June 21st, 2021 https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf
4 ICCA-IBA Roadmap to Data Protection in International Arbitration. Acess on June 21st, 2021 https://www.arbitration-icca.org/icca-iba-joint-task-force-data-protection-international-arbitration
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.