As companies prepare to adapt to Brazil's new GDPR-style data protection law, local GCs highlight the benefits of greater data protection legislation for businesses, but suggest the lack of an appointed authority to oversee and enforce the law will create major compliance challenges for legal teams.
After eight years of discussions in congress, on 14 August 2018, Brazil became the latest Latin American country to implement an overhaul of its data protection laws governing how companies collect, use, disclose and process personal data. The Latin American Corporate Counsel Association (LACCA) and TMF Group take a look at Brazil's new laws as well as some of the compliance challenges facing GCs and their teams.
The Lei Geral de Proteção de Dados (LGPD), which will come into effect in February 2020, reproduces some of the central points of the European General Data Protection Regulation (GDPR) and imposes significant compliance obligations on companies that process data or offer services to individuals in Brazil. "The law is about the protection of all personal data, similar to the GDPR, affecting all companies that deal with data," says Vanessa Mello, director of client legal compliance operations at TMF Group Brazil.
The LGPD applies to all legal entities that process personal data, whether public or private, operating in Brazil or that supply goods or services to individuals located in Brazil. Companies must expressly seek consent from the owner of the data, informing them exactly what data is being collected, why, and for how long it will be stored. In addition, the data must be destroyed when the company no longer has any need for it. As under most privacy frameworks, additional protections apply to certain categories of data, such as the personal data of minors and "sensitive" data. "This will have a big impact on businesses in Brazil," says Mello. "Companies used the information they collected as they wanted before, such as for commercial purposes, pricing or survey or market research type purposes but they will not be able to do that anymore."
Similar to the EU's GDPR provisions, the scope of the new law also applies to global businesses that are headquartered abroad but that affect or target Brazilian citizens.
The law also outlines fines for non-compliance; however, unlike the GDPR penalty, which can reach up to 4% of a company's global revenue, Brazil's law is less severe, reaching up to 2% and limited to 50 million reais (approximately US$13.5 million) per infraction. Each infraction will be analysed and applied proportionally to the resulting damage.
Until now, Brazil did not have a general data protection law that could be applied across all business sectors. Instead, there were different rules for different sectors of society, including the financial sector, the credit sector, the health sector and the internet sector, which can often be confusing for companies. "Currently, there are a few instances in which a company will have to choose which rule it will comply with, and that creates much insecurity because one can never be fully in compliance with all applicable laws and regulations," says Thaïs Sá Ramos, privacy coordinator at insurance provider Prudential do Brasil.
For many, the lack of certainty regarding which laws apply creates major problems for legal teams, so providing clearer and more standardised rules for companies as well as more comprehensive protections for user data is a major step forward for Brazil's regulatory environment. "Before this law came into place there were approximately 40 different regulations about data protection, but this law will consolidate them all into one law," says Mello.
The compliance challenge
Many multinational companies will already have to adhere to international standards and will have many of the necessary protections and policies in place, so tailoring their compliance programmes to fit new requirements in Brazil should be relatively simple. "For companies that want to do business in Brazil or already do, they are used to international legislation – like ones in the EU understand the GDPR laws. There are more than 100 countries with this type of legislation in place, so it's unlikely to be a big impact on multinationals," says Mello. "Instead, it will be a new big challenge to the companies that are already doing business in Brazil. Companies will have to make sure their systems are compliant."
Indeed, while greater standardisation has been welcomed by corporate lawyers across Brazil, many point out that some local companies are likely to face challenges when it comes to ensuring compliance with the new legislation. "Compliance will be costly and take up a lot of effort; small companies may not be able to keep up," says Ramos. "If anything, the new regulation is oversophisticated for our landscape, where we went from zero to 150%."
Despite having nearly 16 months to adapt to the new law, many local companies are expected to need a lot of support. "Systems and technology have to adapt and in Brazil there are many bureaucratic systems," says Mello. "Adapting to the laws will be a big exercise for companies in order to perform day-to-day activities without breaching the requirements."
So far, there has been little guidance for companies. Although the bill originally included provisions creating a national Data Protection Authority (DPA) to oversee and enforce the legislation, President Michel Temer vetoed this section before signing it into law. The president has stated publicly that a new bill will be sent to congress establishing the DPA, but so far, no action has been taken. While this means that the specific steps necessary to comply with the LGPD remain relatively unclear without a DPA to issue interpretive guidance, it is also creating confusion for companies in terms of how things will be enforced in the meantime, according to Dirceu Santa Rosa, partner at Montaury Pimenta, Machado & Vieira de Mello. "Without a regulator or authority for privacy and data protection, state-based public prosecutor offices and consumer protection 'watchdogs' are taking action in any data breach cases, even before the LGPD is enforceable. This is creating a very hostile environment for data privacy in Brazil and might require immediate attention from authorities," he says.
Many others agree and say while the lack of an enforcing body leaves room for public prosecutors and individual states to rule independently, it also creates major burdens for companies. "It's creating a patchwork of different applications of the law throughout the country and exponentially increasing everyone's efforts to comply," says Ramos.
Preparing well in advance
With little guidance from authorities so far, companies should look to the high-level principles set forth in the law and begin preparing well in advance of the LGPD's effective date. "From a compliance perspective, the moment to start preparations for the LGPD is now," says Santa Rosa. Part of this is getting the company's board of directors and/or leadership on board. "Most company leaders and even many legal directors are still only slightly aware of the changes that the LGPD could bring to the Brazilian legal environment. Therefore, the biggest challenge for legal teams is informing company leadership correctly and raising awareness that the compliance efforts should start as soon as possible," he points out.
Patricia Barbelli, GC and legal and corporate security director at Diageo in Brazil, Uruguay and Paraguay, says that while it is important for the legal team to head up compliance efforts, it should not be the sole responsibility of the department. "Data privacy is a subject that is relevant to the company as a whole, so all teams and areas of the company should behave as data privacy officers. For example, HR deals with relevant sensitive private information and it will be a key player in following the data privacy obligations," she says. "In addition, the tone must come from the top, as it does for other compliance matters, and data privacy must be a priority in the agenda of company management."
The new law also states that companies must appoint a data processing officer (DPO) to receive complaints and communications from data subjects, communicate with the DPA, train employees and carry out other duties relating to the company's personal data processing activities. Although the yet-to-be-formed DPA is expected to clarify the requirements of the DPO, Barbelli highlights that there continues to be a lack of expertise in Brazil since the topic is a relatively new one. "This is a very specialised role," she says. "It requires knowledge in technology, management and corporate governance and it is hard to find a professional already prepared in the market to be the spearhead of data privacy in such a short period of time."
For Santa Rosa, the key for many local companies may be getting someone trained internally for the role of DPO as soon as possible, particularly since companies may not have the budget to hire someone with the relevant expertise. "Many companies in Brazil have limited budgets for their legal and compliance teams, which means that the opportunity to become a DPO might be handled internally by existing in-house counsel from related areas, or compliance professionals," he says. "Companies and legal counsel should look to build expertise and start now."
In short, businesses from all sectors will need to adapt over the next 16 months, and a new culture around the appropriate use of data must be formed. While the LGPD is likely to create a number of compliance challenges for local companies, those that are able to see the protection of personal data as an investment and competitive advantage rather than a cost and compliance burden will be able to use it as a market differentiator. In a time of major information leaks and high-profile scandals over the misuse of data, complying with clear and transparent rules can increase consumer confidence in companies and the marketplace. "If a company can see the opportunity that comes with the new rules, it can turn things entirely to its advantage and become more competitive by advertising its improved privacy practices, offering new privacy-related services and creating an image of credibility and data safety," says Ramos. "The new law may, in fact, open many new doors for our economy, if Brazil can eventually become a country considered safe for data processing."
This article was originally published on laccanet.com on 19 October 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.