You may have heard expressions like “data is the new oil” used to explain the size of Facebook and Google, for example. But the statement also applies to other companies, from banks to a department store that asks customers to register. It was with the aim of regulating the use of this information that Brazil created the General Data Protection Law (LGPD) in 2018. Yet two years after its approval, the question remains: when does the LGPD come into force?
The answer may be August 14, 2020 or May 3, 2021. Yes, the LGPD may take effect on the day this article was published or only a few months from now. That’s because Congress has yet to decide the future of Provisional Measure 959/2020, published in April by President Jair Bolsonaro. The text sets out details of aid payments during the new coronavirus pandemic, but also postpones the data protection law to May 2021.
The deadline for approval of the original text of MP 959/2020, and confirmation of the postponement, is August 26. If that deadline is not met, the measure loses its validity and the LGPD's start date reverts to August 14. The parliamentarians who defend more time for the application of the law must also seek changes to the report by Deputy Damião Feliciano (PDT-PB), which proposes removing the section on the postponement.
The move to 2021 is defended by a business front, which is pressing some deputies and senators for it. This group includes entities such as the National Confederation of Shopkeepers (CNDL), the Brazilian Chamber of Electronic Commerce (camara-e.net), the Brazilian Internet Association (Abranet), the Brazilian Association of Radio and Television Broadcasters (ABERT) and the Brazilian Association Online to Offline (ABO2O2).
Another entity that participates in the front is the Brazilian Association of Software Companies (ABES). In an interview with Tecnoblog, the president of ABES, Rodolfo Fücher, admitted that postponing the LGPD is not the best solution, but claimed that companies depend on the creation of the National Data Protection Authority (ANPD) to comply with the rules created by the law.
“It is a high risk that the LGPD will enter into force without having defined authority and proposals on the horizon, a defined north to the market,” he said. “There are several details of procedures that the authority has to define, as the text of the law says. Without this definition, companies have no direction to follow. They can spend fortunes of money thinking that they have to fit in one way and, in the end, the authority can come and propose a different way.”
According to Fücher, the sector is in favor of the data protection law, but expected the ANPD to be created in early 2020, which did not happen. In his view, the market is disoriented and fears legal uncertainty. Although the LGPD determines that the authority will apply sanctions only as of August 1, 2021, bodies such as Procon and the Public Prosecutor’s Office could point out violations in the processing of data before that deadline.
“The risk that we are already realizing is that other consumer protection agencies are starting to speak up and are trying to penalize the market on this topic,” said Fücher. “The lack of a single direction can cause chaos in the market.”
Should Congress vote for the May 2021 date, the LGPD would be postponed a second time. Initially, the data protection law was to come into force in February 2020. The deadline was extended to August 2020 after the publication of the law that determines the creation of the ANPD. Again, it is worth remembering that, with or without the new postponement, sanctions will only be applied by the authority as of August 2021.
In addition to working for the postponement, the business front asks parliamentarians to approve PEC 17/2019, which includes “protection and treatment of personal data” as a fundamental right provided for in the Constitution. The group also demands that Bolsonaro create the ANPD as soon as possible and nominate five technical names for the authority’s Directing Council.
Why is the ANPD so important?
The effort to create the National Data Protection Authority exists because it will be responsible for regulating a number of points of the LGPD. The law has dozens of articles that reserve to the body the task of defining the details. Among other tasks, the ANPD should also create guidelines for the National Policy for the Protection of Personal Data and Privacy.
Marcelo Chiavassa, Professor of Digital Law at Mackenzie Campinas Presbyterian University, explained to Tecnoblog that the LGPD's entry into force and companies' compliance with it necessarily depend on the creation of a national authority, given the number of articles that provide for subsequent regulation and the provision that the agency apply sanctions in case of non-compliance with the rules.
“To demand an adjustment without the National Data Protection Authority is to demand an adjustment blindly. Companies can even do it, but we will not necessarily have guarantees that they will be doing what the ANPD will want them to do,” said Chiavassa.
The ANPD will have a Board of Directors made up of 5 members, all of whom will be appointed by the President of the Republic. The body will also have the National Council for the Protection of Personal Data and Privacy. With 23 unpaid members from different parts of society, the group should contribute to the creation of the National Policy for the Protection of Personal Data and Privacy.
The General Data Protection Law also provides that the ANPD may issue a company that breaches the rules a warning or a fine of up to 2% of revenues, limited to R$ 50 million, per infraction. The text does not specify whether the authority will treat non-compliance as a single infraction or as a separate occurrence for each affected user, which could substantially increase the fine limit.
Chiavassa believes that the authority will have more of a regulatory than a police character, but adds that companies should follow the LGPD to avoid penalties by other means. “The focus has to be exactly on the concern to comply with the law, because that way you avoid individual actions, collective actions and eventually administrative notices from Procon and the Public Ministry,” he said. According to him, these procedures can lead to fines that are much higher than those provided for in the LGPD. At the same time, the ANPD can cause losses in other ways.
“There are worse sanctions, such as blocking or even deleting the database. There are companies that only exist because of the database they have. If the ANPD orders to block or eliminate the database, these companies lose everything,” he stressed.
After all, what changes with the LGPD?
The law establishes rules for the processing of personal data to be complied with by companies and public bodies. One of the main changes is that, in most cases, data subjects will have to consent to the use of their information. This consent will not be necessary in cases such as public policies. Even so, data subjects can ask at any time to access data controlled by the establishments and request the correction or deletion of the information.
Data processing must also respect principles such as purpose, that is, data subjects need to know why the information is being collected. A good example is that of pharmacies that offer discounts if customers provide their CPF. The establishments must indicate exactly what they intend to do with this data. If they say that it will be used only to offer the discount, they will not be able to use it for any other purpose.
The LGPD further states that consumers have the right to request a review of decisions taken solely on the basis of automated processing. This will lead to changes in the analysis of loan offers, for example. If a credit application is rejected by a financial institution's software and the process does not involve a human being, the customer may demand that the decision be reassessed.
Another change made by the law is the right to data portability at the request of the data subject. This is one of the points that will still be regulated by the National Data Protection Authority, but it could allow, for example, app-based drivers to transfer their trip history from one platform to another.
The law also formalizes the requirement for companies to notify customers and the ANPD within a reasonable time if they have recorded a data leak. The notification should state which data was affected, the risks related to the incident and the measures that will be taken to minimize the effects of the leak on the data subjects.
Despite the doubts about when the LGPD will take effect, it is certain that the new rules will represent a significant change in the relationship between companies and consumers. The new requirements and the provision for penalties for those who violate the law should make companies more judicious before asking for so much personal information.