On August 14, the General Personal Data Protection Law (“LGPD”) completed four years of enactment, although it only came into force more than two years later, on September 18, 2020.
Unlike the General Data Protection Regulation - an analogous European Community standard that inspired the national legislator -, which only consolidated the privacy and data protection rules of the member countries in force for at least 50 years, the LGPD is innovative for the Brazilian legal system, which until then did not contain specific rules for the processing of personal data.
The LGPD establishes principles, obligations, and rights inherent to the protection of personal data, which, in line with the advances achieved in the digital age, was recognized by the Federal Supreme Court and protected by Constitutional Amendment 115, dated February of this year, which included item LXXIX in article 5 of the Magna Carta.
Following the enactment of the LGPD, the National Data Protection Authority (“ANPD”) was created, initially linked to the federal government and, since the edition of Provisional Measure 1,124/22, transformed into an autarchy with agency functions, assuring it the same degree of administrative autonomy and technical independence enjoyed by bodies such as the Central Bank, the National Health Surveillance Agency - Anvisa and the National Telecommunications Agency - Anatel.
In addition, in August 2021, the twenty-three members of the National Data Protection Council (“CNPD”) were appointed, formally constituting the body that makes up the structure of the ANPD and serves as a mechanism for society's participation in the authority, with the competence to, among other things, propose strategic guidelines and provide subsidies for the drafting of the National Policy for the Protection of Personal Data and Privacy.
This regulatory and organizational microsystem brought the issue to the fore, requiring all companies to adapt their practices and, thus, significantly accelerating the process of acculturation in society regarding the importance of personal data as a legal asset integral to personality rights and in view of the growing value of information.
Similar to what happened with the entry into force of the Consumer Protection Code - but much more quickly - the enactment of the LGPD has made the population aware of the processing of personal data by third parties, providing tools for exercising the right to its protection.
However, there is still a good way to go: in a survey conducted by Procon in São Paulo, between May and June 2021, with more than seven thousand people, despite the fact that almost 90% of the interviewees said they knew what personal data is, only 45% were correct in the definition of the term and only 35% said they were aware of the LGPD.
These data were confirmed by research conducted at the same time by the Brazilian Federation of Banks - FEBRABAN in conjunction with the Institute for Social, Political and Economic Research - IPESPE2, in which 60% of the interviewees said they knew “just by hearing” or not knowing the LGPD.
On the side of the controllers and operators of personal data, there was concern to adopt measures aimed at complying with the dictates of the law, not only because of the fear of the heavy sanctions provided for in the LGPD, but also in view of the perception that respect for privacy and data protection rules represents a competitive advantage over the competition.
However, as in the case of the holders of personal data, there is still a lot to do: according to the RD Station study from January to April 2021, with almost a thousand companies3, 30% had already started the process of adapting to the LGPD. Among the large ones, the percentage was slightly higher, reaching 39%.
The result was corroborated by a study on the Capterra platform, conducted in June last year with more than three hundred managers or coordinators of small and medium-sized businesses4, of which only 37% considered that they were fully compliant with the LGPD.
As can be seen, at this point there is also room for evolution, and it is certain that the pace of adjustment must accelerate as soon as we have the disclosure, by the ANPD, of the long-awaited methodology for the dosimetry of penalties, allowing for the application of administrative sanctions, and the consequent initiation of inspection procedures by the authority. On the other hand, a regulation is also expected to limit the obligation to adapt, establishing criteria for the exclusion of companies with a low volume of data processing.
On the international scene, the LGPD has been promoting Brazil's alignment with the best personal data protection practices adopted around the world, thus contributing to the country's economic and technological development.
Finally, although we still have enormous challenges ahead of us, the advances in the last four years have been enormous and, despite the skeptical view of many when the LGPD was enacted, they have brought the certainty that privacy and the protection of personal data is a right that is here to stay.
Therefore, for those who continue to bet that the LGPD “won't work”, simply access the Violations Portal of the National Agency for Data Privacy Professionals5 and check the sanctions already applied by the Judiciary as a result of the violation of privacy and the protection of personal data.
Finally, Bill 2,076/2022 is in the process of being approved by the Federal Senate, so that August 14 is officially recognized as the “National Data Protection Day”, encouraging educational and awareness-raising actions on the subject.
The General Personal Data Protection Law - LGPD came into force on September 18, 2020, with the publication of law 14,058/20. The law was partially in force since 2020, but the administrative sanctions were postponed until August 1, 2021, when it then came into force in its entirety. Since then, Brazil has been part of a select group of countries that have specific laws related to data protection and citizen privacy, and experts say that we have already made significant progress in the LGPD compliance scenario.
One of the advances in the adaptation of the LGPD by companies is the action of the ANPD. By means of Decree No. 10,474/2020, the Federal Government created the regulatory structure of the National Data Protection Agency (ANPD), an agency of the Presidency of the Republic that has been attuned to its purpose of promoting education, awareness and transparency in matters involving the protection of personal data.
Actions to comply with the LGPD have created a new culture of privacy in the country, driven by the advance in the use of digital technologies, reflecting the understanding that personal data must be valued as it deserves. The challenges faced are still similar to those that occur in other countries, but it already seems culturally that it is necessary to guarantee the protection of personal data, not only by complying with the Federal Law, but also by focusing on improvements such as the reputation and credibility of companies.
There has also been an advance in the private sector, which is increasingly looking for events and training courses. Compliance with the LGPD does not allow for a standard applicable to all companies, since the LGPD does not dictate a ready recipe for how companies must proceed to adapt to issues involving the processing of personal data. This is because each business needs to be studied in its particularities, so that the best form of adaptation can be found. This factor has also given rise to the need for technical debates on the instrumentation of the law, expanding the dialogue between the various business sectors.
Given this perception during these first years of compliance with the LGPD, there is an understanding that the prospects for the protection of personal data in Brazil are good. However, continuous evolution is necessary to achieve a balance between the protection of the rights of personal data subjects and economic and social development.
Contact TATICCA — ALLINIAL GLOBAL, which has a qualified and experienced multidisciplinary team, tools and methodology for consulting on LGPD and also implementation, in an objective and assertive manner, with: guidance and training, diagnosis, analysis of employee contracts, analysis of supplier contracts, analysis of internal policies, analysis of contracts for the provision of service or sale of products, adaptation of contracts in accordance with the LGPD, data mapping, implementation of the service channel, drafting of a policy of privacy, pre-formatted documentation with all LGPD requirements.