ARTICLE
9 September 2024

Glass Half Full Or Half Empty: An Overview On The Brazilian Data Protection Landscape Since Its Hallmark Act

Mayer Brown

Contributor


The Brazilian General Data Protection Act (Law No. 13,709), given the acronym "LGPD" in Portuguese, was enacted in August 2018 and now reaches its 6th anniversary. It is undoubtedly the most significant milestone for data protection in the country.

The Act aims to protect the fundamental rights of privacy and freedom of individuals, establishing various rules and principles on data processing, for companies and organizations, both public and private, regardless of their size and scope. This includes any and all processing (i.e., collection, processing, storage, sharing, international transfer, among others) of data directly or indirectly related to an individual.

Personal data can be classified as data directly linked to individuals, such as: email address, identity, social security number, passport number, bank details, photos, biometrics, car license plate, or any data that indirectly identifies the individual: consumption preferences, political affiliation, salary, job position, health data, gender, age, location information, religious beliefs, political opinions, data revealing racial or ethnic origin, among others.

Since the LGPD was enacted, data protection has been deemed a fundamental right by both the Federal Constitution and the Brazilian Supreme Court. These milestones have fostered a greater awareness of the value of our personal data, which strengthened the individual's right to demand the proper and transparent use of their data by companies and institutions.

From the perspective of organizations (i.e., companies, agencies etc.), the LGPD is of utmost importance, as it has driven organizations to rethink how they have been handling personal data and to build efficient data governance and a more robust data protection culture. Companies have come to better understand the flow of data within their organization (i.e., employees, contractors, workers) and outside it (i.e., suppliers, contractors, regulatory agents, partners), as well as the importance of adopting a robust, adequate LGPD compliance program aimed at transparent, secure, and appropriate processing of their consumers', employees', suppliers', and stakeholders' personal data.

Inspired by the European Union's General Data Protection Regulation (GDPR), the Brazilian Act also has its nuances and differences. Unlike Europe, where data protection has been widely discussed at least since the 1995 European Directives (before the GDPR), Brazil still has a long way to go in maturing its data protection culture. Despite the advances and even some awareness among companies about the advantages of adopting an LGPD compliance project, many have not yet given the appropriate attention to the issue, which usually leads to an inefficient (and sometimes insufficient) data protection program. The LGPD compliance project needs to be constantly reviewed and updated. For instance, ongoing training and audits are indispensable.

In this still arid terrain due to the absence of a solid culture, one must keep in mind that the LGPD also suffered huge impacts brought by the 2020 Covid-19 pandemic. At the time, we accelerated and then suddenly were told to hit the brakes. The need to monitor and control the spread of the virus highlighted the importance of the issue and brought additional challenges to personal data protection. The pandemic also increased our online activities and led to a complete shift: everything was remote. We experienced a true digital transformation: the international market also demanded that Brazil structure data protection policies compatible with international standards, requiring Brazil to create a safe and responsible environment for data protection, increasing its competitive advantage and consumer confidence in the security and transparency of their personal data processing.

In this scenario, the LGPD's entry into force was postponed to August 2020; the National Data Protection Agency ("ANPD"), which acts as a communication channel between data subjects and data controllers, helping to resolve conflicts and handle complaints, was created only in November 2020; and the administrative sanctions provided by the LGPD were postponed to August 1, 2021. Undoubtedly, the pandemic and the financial difficulties of companies in investing in a robust LGPD compliance project impacted the construction of a data protection culture in Brazil and, of course, prevented some companies from diving into the LGPD compliance project.

Only from August 1, 2021, did the ANPD gain the power to apply administrative sanctions, which include warnings; fines that can reach 2% of the company's revenue (limited to R$ 50 million per administrative infraction); publicizing the infraction through the ANPD's media; blocking and eliminating personal data held by the organization; partial or total suspension of database operations; and even partial or total prohibition of activities related to data processing.

Furthermore, the ANPD is not just a regulatory and supervisory body. Beyond being the guardian of the General Data Protection Act, the ANPD also plays a fundamental role in disseminating guidelines and guides to educate companies and citizens regarding the application of the LGPD. The ANPD guides data controllers on practices to be adopted to comply with the LGPD, such as the Regulation on Dosimetry and Application of Administrative Sanctions; the Technological Radar on Biometrics; the Regulation on Security Incident Communication; and, most recently, the Regulation on the Data Protection Officer, which establishes detailed rules on the role of the data protection officer, as well as the Public Consultation on the processing of children's and teenagers' data, which has been, above all, a social agenda.

The ANPD has taken several regulatory actions in the last 4 years since its establishment. The Agency's actions have led to significant progress in Brazil's data protection culture, which may be seen as the aforementioned glass half full, resulting from the serious work of the ANPD, which maintains an important relationship with Agencies from other jurisdictions. From the perspective of supervision and application of sanctions to ensure compliance with the LGPD, however, Brazil's data protection landscape may represent the glass half empty, as the first fine as a penalty due to an infraction was only imposed in July 2023, considered by some as insignificant, even considering the data controller in question (an individual entrepreneur).

In this sense, the Brazilian General Data Protection Act is still in its maturation phase. Several gaps and ongoing debates are still unsettled, notably on the following topics: international data transfer; data protection impact assessment; data subject rights; further detailing of personal data processing hypotheses; processing of children's and teenagers' data; and how artificial intelligence (AI) will interact with personal data protection in Brazil – including whether the ANPD itself will be responsible for regulating and supervising AI. The coming years promise many more debates, regulations, and a constant need for companies to pay attention so that their compliance, guaranteed in the numerous "compliance projects" carried out in recent years, is not lost. The trend is for the glass to keep filling up, and soon we will have a lot of material for discussion, attention to the data protection culture in Brazil, and relevant judicial precedents on the subject.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
