For years, Brazil has been debating the general regulation of data privacy, involving both government and the public sector. Although many laws in Brazil have specific articles that mention and even protect such rights on the books already, Brazil has lacked a legal provision focused specifically on data protection broadly speaking, as the existing regulations focus on various subjects, where privacy is merely one aspect or simply incidental to the law.
One of the existing laws that deals with data protection indirectly is the so-called Brazilian Internet Bill of Rights. This law covers the protection of personal data as a fundamental right, but its focus is limited to internet-related rights (such as net neutrality, for example).
After a number of debates, and consideration in the Brazilian Congress in 2018 (thanks not only to the social pressure the government was facing to approve a new law, but also due to the GDPR effect), the President finally, on August 14, 2018, sanctioned the Brazilian Data Protection Law or LGPD, the acronym used to refer to the law in Portuguese.
The bill was not approved in its entirety, though. As expected, the President vetoed the section that would have created the National Authority on Data Protection or ANPD, the acronym in Portuguese. This veto could affect data protection in Brazil in general, but it is firmly believed throughout the data privacy community in Brazil that the executive branch will remedy this issue by proposing a bill for the creation of the ANPD in the near future.
Other parts of the law were also vetoed. Aside from a few articles of the law that had to do with the interaction of the government with personal data, the President also vetoed the possibility that the (future) ANPD would have the authority to suspend, even for a short period of time, companies from processing personal data.
- The road so far
In a world where data protection is increasingly important, when new cases of data breach appear every year, it is understandable that the Brazilian Congress would rush to pass the LGDP bill. This is aggravated by the fact that Brazil is one of the few countries in South America that previously lacked any specific law focused on the subject.
Many bills were proposed on the topic of creating a general data protection law in Brazil, including one from the former President of Brazil. Many aspects of the bill that originated from the executive branch of the government were incorporated into the Congressional bill that ended up becoming the current LGPD. Regarding the specific creation of the ANPD, the former President’s proposal had already stipulated that a body would be “designated” to implement and supervise data protection. In the final version of the bill, though, the proposal of a Congressman prevailed, which actually proposed the creation of an independent public body, the ANPD. Eventually, the bill was passed by both the House of Representatives and the Senate, and then sent to Brazil’s current President for executive approval. [1]
However, as the final version of the bill was officially brought by a Congressman, rather than being proposed by the President, the ANPD could not be created. That is because, according to the Brazilian Constitution, the creation of a public body falls under the executive branch, so the proposal regarding the creation of the ANPD technically had to come from the President, in order to proceed into law. Veto of the ANPD was then necessary to preserve constitutionality.
The ANPD would be highly beneficial for the protection of personal data in Brazil. Not only because Brazil would have a central public body responsible for regulating data privacy, but it would also have centralized expertise, capable of handling such regulation and the enforcement that goes with it.
Nonetheless, the majority of the law was approved, and in 18 months, Brazil shall have a general data protection law in effect.
- What to expect moving ahead in Brazil
In February 2020, the LGPD enters into force in Brazil. The processing of personal data should then be rigorously enforced by public bodies that, despite not being specialized in data protection, are responsible for protecting society, such as the Public Prosecution Office and the PROCON, the Brazilian public body charged with defending consumer rights. Those public bodies should act within the scope of their specific mandates to provide data protection, eventually filling lawsuits to force companies to comply with the LGPD.
No doubt this job would be better off with the ANPD. A look back at the vetoed section of the LGPD shows that the ANPD would have been responsible for promoting data protection in Brazil, issuing regulations about the law, protecting trade secrets when they clash with personal data protection, processing complaints from data titleholders, and supervising and issuing penalties for non-compliance.
Those premises given by law to the ANPD cannot be, at first, executed by other public bodies, as it would require that a specific law give them such rights, which currently does not exist. Multiple articles of the LGPD reference future regulation by the ANPD. Those articles, despite validity, are ineffective without the public body.
A good example of how the lack of a data protection authority in Brazil is prejudicial to the effectiveness of the law is the lack of penalties for non-compliance. The ANPD would be responsible for issuing penalties that could range from warning notices to issuing fines.
Without the regulations envisioned as part of the ANPD, companies will ultimately find it harder to operate with legal certainty in Brazil on matters of data privacy. Ultimately, companies will have to strive to comply with the LGPD on merits of, for instance, transparency and consent, without the assistance of even the minimal standards that the ANPD could offer.
Regardless, as of February 2020, companies that operate in Brazil will have legal obligations when it comes to processing data, and they must be followed, with or without a governmental body to oversee it.
The rights guaranteed to data titleholders by the LGPD, such as the right to consent to processing, right of erasure, data portability, and others are not dependable on a data protection authority. The principle of transparency, which governs the LGPD, is mandatory and can be enforced anytime, once the law is in force, even if it needs to be done by filing a lawsuit.
- Looking ahead
It is clear that a data protection agency is necessary to fully develop an environment in Brazil that fosters the protection of personal data.
Solutions are being considered to overcome the lack of the ANPD. The President is expected to issue a bill creating the body. Ultimately, the next President will be in charge of seeing this process through, considering that the Brazilian general elections will take place in October, 2018. If it does not happen by the end of this presidential term, then the next President should be pressed by civil society to do so before the LGPD goes into effect in February 2020. With or without the ANPD, companies will have to work to update their data privacy policies in Brazil.
[1] A thorough analysis was presented in Portuguese by GALVÃO, Ilmar Nascimento; GALVÃO, Jorge Octávio Lavocat, and can be found at <https://www.jota.info/docs/ex-ministro-diz-que-nao-ha-vicio-de-inconstitucionalidade-na-criacao-da-anpd-31072018>.
RODRIGO CANTARINO Advogado, associado ao escritório Di Blasi, Parente & Associados, graduado pela Universidade Federal do Rio de Janeiro (UFRJ), pós-graduado em Direito Público pela Universidade Cândido Mendes. Atualmente, cursa o mestrado em Propriedade Intelectual e Transferência de Tecnologia pela Universidade Federal do Rio de Janeiro (UFRJ) e pós-graduação em Direito Digital & Compliance na Damásio Educacional.