Esther Jerussalmy Cunha, Rosana Pilon Muknicka, Alessandra Fortes Lobo
1. Brazil has no personal data protection rule in place.
Myth. The Brazilian General Data Protection Act (“GDPA”) was enacted on August 14, 2018 and will only come into force in August 2020. Important to note, however, is that this Act has only compiled a number of statutory provisions already available in other pieces of legislation in Brazil, such as the Brazilian Internet Act, the Positive Reporting Record Act, the Consumers’ Code, among others. So, any failure to comply with any personal data protection rule may subject the infringing party to the remedies available both at the administrative and the judicial levels, regardless of whether the GDPA is in force. Today, consumer protection agencies and the Attorneys’ Office are seeking to impose substantial fines for non-compliance with personal data protection rules through public-interest civil actions.
2. The GDPA will not be really enforceable because the National Data Protection Supervisory Authority has not been created yet.
Myth. In 2018, Provisory Measure No. 869/2018 was issued at the eleventh hour to create the National Data Protection Supervisory Authority (the “DP Authority”), a government agency linked to the executive office of the President of Brazil. The DP Authority will have the duty to, among other things, interpret and ensure compliance with the personal data protection rules set in the GDPA, as well as to issue additional rules on the subject and impose penalties. The DP Authority will work collaboratively with other regulatory agencies such as the consumer agencies and the Attorneys’ Office. In case of any conflict of authority, the authority of the DP Authority will prevail.
3. My company is headquartered abroad, so we will not be subject to the GDPA.
Myth. For the purposes of the GDPA, any processor of personal data is subject to the Act, be the processor a company or a natural person, a public or a private party, and regardless of the means used for such processing, and wherever the processor’s headquarters or the processed data are located. The GDPA will apply to any processing of personal data in Brazil; to any processing of personal data for the provision of goods or services to individuals in Brazil; to any processing of personal data of individuals located in Brazil; and to any processing of personal data collected in Brazil. So, even though the company processing such data is located abroad, it may be subject to the GDPA, except when the processing is for artistic, journalistic, or academic purposes, for public safety, national defense, or State security purposes, or in connection with an investigation or the imposition of criminal penalties. The GDPA, however, brings no definition of the terms used in describing the exceptions to the rule.
4. The GDPA only protects personal data of individuals.
Fact. The GDPA protects data relating to an identified or identifiable natural person. In other words, the GDPA does not protect the data of legal entities. Nevertheless, the natural persons connected to a legal entity (for example, employees, customers, etc.) must have their data protected.
5. The GDPA only protects personal data processed online.
Myth. The purpose of the GDPA is to protect the data which are kept both in physical and digital media. So, collecting and keeping information on paper and physical documents must also follow the procedures laid down in the GDPA.
6. Non-compliance with the GDPA (after it comes into force) may result in a fine of up to 2% of the company’s revenues, limited to BRL 50 million per infringement.
Fact. The penalties imposed by the GDPA may vary from a warning giving the processor time to adopt corrective measures, to the imposition of a fine, which may reach 2% of the revenues generated by the company, group of companies or conglomerate in Brazil in the previous fiscal year, excluding taxes, and this amount is capped at BRL 50 million per infringement. Important to note is that the Brazilian Act fails to clarify the meaning of “per infringement.”
7. All companies that are subject to the GDPA must appoint someone who will be in charge of the data protection, similarly to the Data Protection Officer (“DPO”) under the European data protection regulation.
Fact and Myth. The GDPA requires that companies appoint a person who will be in charge of data protection. This person cannot be an employee of the processor and will be in charge of receiving any complaints and communications from the data subject, providing clarification and taking steps, receiving any notices from the DP Authority, and instructing the constituents of the company about what practices to adopt with respect to personal data protection. The GDPA allows that the requirement to appoint a data protection representative may be waived. However, this depends on further regulation to be issued by the DP Authority. The decision to hire a third party to act as a data protection representative must take into account, above all, the relevance of the personal data (which, most of the times, are of a confidential nature) that will be accessed by such professional (or committee or department). Another factor that must be taken into account is that this professional will be the direct point of contact between the company and the DP Authority.
8. A document signed by all constituents of the company, stating that the company is in compliance with the GDPA will suffice to mitigate or avoid any penalty for non-compliance.
Myth. The production of documents pertaining to personal data protection is only one of the steps to be taken in order for a company to achieve data protection compliance, including the GDPA. Truth is that achieving GDPA compliance requires an entire corporate culture shift. Companies must now count on multidisciplinary teams to engage all employees, partners and third parties with whom they deal. After all, non-compliance with personal data protection rules may occur anywhere in the chain and, in any case, liability will be imposed on the company. Given the complexity of the process, it is estimated that an average time of 12 months will be needed for companies to achieve GDPA compliance. This is why it is recommended that the estimated costs of GDPA compliance be included in the company’s 2019 budget.
