*Thomaz Côrte Real
After its sanction in 2018 and an uncertain period of vacatio legis, the General Law for the Protection of Personal Data (LGPD) entered into force on September 18, 2020, with the publication of Law 14.058/20. The exception was Articles 52, 53 and 54, which deal with administrative sanctions and entered into force on August 1st.
After practically a year of the LGPD, we have had significant advances in the data protection scenario in Brazil, but there is still a lot of work ahead.
Creation of ANPD
Recently, by means of Decree No. 10.474/2020, the Federal Government created the regulatory structure of the National Data Protection Agency (ANPD), a body of the Presidency of the Republic. Among its several powers, the following stand out: i) ensuring the protection of personal data, under the terms of the LGPD; ii) promoting public knowledge of the norms and public policies on the protection of personal data and security measures; and iii) inspecting and applying sanctions in the event of data processing performed in breach of the law.
In November 2020, the members of the Board of Directors of the National Data Protection Authority were appointed, forming a senior collegiate body marked by plurality and technical expertise.
In approximately nine months of effective work, ANPD built its structure and made progress on several extremely important topics: a public hearing on Inspection Standards; calls for contributions on security incidents and on microenterprises and small businesses; a technical meeting on the personal data protection impact report; the formation of three-name lists of nominees from different sectors for the National Council for the Protection of Personal Data and Privacy (CNPD); the signing of cooperation agreements; and the launch of an orientation guide on processing agents and supervisors, among other relevant points.
It is worth noting that ANPD's members, especially its directors, have interacted extensively with society, holding fruitful debates and exchanging extremely relevant knowledge and experience.
ANPD still has a lot of work to do, but since the beginning, it has shown that it is in tune with its purpose of promoting education, awareness and transparency in matters involving the protection of personal data.
Compliance level of companies
Initially, companies gained breathing room from the extension of the LGPD's entry into force, as they were fully focused on combating the crisis brought about by the COVID-19 pandemic, reallocating resources and implementing cost-cutting policies to overcome this health crisis. We believe that companies were unable to direct efforts toward fulfilling the obligations brought by the LGPD.
Despite the difficulties brought about by the pandemic, we understand that, in the current scenario, it is imperative that companies start a journey of implementing governance and good practices for the protection of personal data as soon as possible.
The law provides for the treatment of personal information in order to protect the fundamental rights of freedom and privacy and the free development of the natural person's personality. For this, it proposes the adoption of security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful treatment.
There is no standard adequacy plan applicable to all companies, nor does the LGPD provide a ready-made recipe on how companies should proceed to adapt to issues involving the processing of personal data. But, broadly speaking, the law suggests that data processing agents (Controller and Operator) formulate rules of good practices and governance that establish the conditions of organization, operating regime, procedures (including complaints and petitions from holders), security regulations, technical standards, specific obligations for the various parties involved in the processing, educational activities, internal mechanisms for supervision and risk mitigation, and other aspects related to the processing of personal data.
Companies and other public and private organizations must undergo a major transformation, implementing the culture of privacy and protection of personal data, until then left in the background. They will need to adopt a new posture in the treatment of the voluminous amount of personal data that have always passed through their different areas (and now also in their employees' homes due to remote work), often without proper control and security. They should also think about privacy and data protection from the conception of their products and services to their execution (privacy by design).
According to the LGPD ABES / EY Index, we have a big challenge ahead: only 39.71% of companies are prepared to meet the new rules defined by the LGPD. Also according to this index, it is estimated that 28.3% of companies have suffered some violation in the last 2 years. When we break the results down by size, among companies with more than 500 employees the adequacy index rises to 41.67%, but it is still a low percentage.
Business Front in Defense of the LGPD and Legal Security
The private sector has also moved a lot this past year, through debates, events and training courses. A very interesting movement that emerged in August 2020 was the Business Front in Defense of the LGPD and Legal Security (Front LGPD), made up of around 80 business entities, representing around 70% of the Brazilian GDP. The Front's fundamental pillar is the defense of data protection with legal security for citizens and organizations.
Among the main points that unite the productive sector around the LGPD Front, we have: the autonomy and strengthening of the ANPD; the establishment of the Union's exclusive competence to legislate on the protection and processing of personal data (according to Constitutional Amendment Proposal No. 17 of 2019, which also aims to include the protection of personal data among the fundamental rights and guarantees of the Federal Constitution); harmonization of the regulatory environment, improvement of structural governance and coordination between regulatory authorities; legal security for international data transfers and legacy databases; educational activities of ANPD and the Judiciary; regulation of the Rights of Owners; strengthening of responsive regulation and inspection activities by ANPD and respect for the special condition of small and medium organizations, according to their size, nature and volume of data handled.
What to expect for the next few years?
The outlook is very good for data protection in Brazil. Continuous evolution is necessary, and it involves the holders of personal data seizing and asserting their rights; data processing agents implementing governance measures and good practices in data protection; and ANPD fulfilling its educational role, with the definition of clear guidelines on all aspects of the LGPD that need regulation.
The LGPD and its regulation affect the entire Brazilian society and all economic sectors in the country. In this context, ANPD is essential for us to achieve a balance between protecting the rights of the holders of personal data and economic and social development. Therefore, it is expected that ANPD will continue to promote dialogue with the entire ecosystem of actors involved in the subject so that there is no risk of excessive regulation, which may inhibit innovation and the development of new technologies.
* Thomaz Côrte Real is a lawyer, specialist in corporate, tax and data protection law. Member of ABES Legal Department and Partner at MASantos, Côrte Real e Associados