In a recent decision, the Federal Court of the 2nd Region (TRF2) established that companies can use revenues (PIS and Cofins) credits on expenses related to the Brazilian General Law of Data Protection (LGPD). In such case, a digital payments company received a favorable decision for that matter. The Court considered that the requirements of the LGPD are related to the activity of that company. In the decision, the judge rapporteur of the case highlighted that the expenses with the implementation of the measures provided for in the LGPD are essential to the company and can be considered inputs, according to a previous decision of the Superior Court of Justice (STJ). Even though there were contrary precedents in other Courts, the specific circumstances of the case justified the decision favorable. Other Courts have also had decisions contrary to the crediting of PIS/Cofins on LGPD expenses.
Last May 10, the Court of Justice of São Paulo (TJSP) established that the company that manages one of the São Paulo subway lines will have to pay a R$500,000 fine for moral damages after it included a camera system that performed facial recognition and collected detailed information such as emotions, age and gender to be used for advertising purposes. In 2018, the amount stipulated to be paid by the company was R$100,000. However, in the view of the rapporteur of the case, “the possibility of facial recognition for commercial purposes demonstrates a very reprehensible conduct capable of affecting the collective moral”. The rapporteur evaluates the collection as “a black box”, since it is not known how the data will be used. The judge, on the other hand, revealed that the action is a “misuse of purpose”.
On May 12, Brazilian Data Protection Authority (ANPD) released a technical note that reveals irregularities in the processing of personal data in the pharmaceutical sector. The study found that some data processing practices were not in compliance with the law, such as the use of data for purposes other than those informed to the data subjects and the excessive collection of personal data, including sensitive data, without transparency about its processing. A lack of transparency was also identified in the sharing of data with business partners, such as loyalty programs. The study concluded that there is low maturity in the protection of privacy and personal data in the pharmaceutical sector. The ANPD is committed to ensuring legal compliance in the treatment of data by pharmacies through monitoring, enforcement, and standardization. CGTP will hold dialogues with industry associations to understand the operations of personal data and guidance measures will be taken directed to the industry based on the analysis performed.
On May 24, the Brazilian Data Protection Authority (ANPD) published a statement to standardize the interpretation of the General Law on Data Protection (LGPD) in relation to the processing of data of children and adolescents. The statement emphasizes that the processing of this data must be based on legal hypotheses, such as consent, compliance with legal obligations, protection of life, or legitimate interest of the controller, always prioritizing the best interest of children and adolescents. The ANPD received contributions from society on the subject and is now developing a guideline on legitimate interest for processing data of children and adolescents. The statement is binding on the ANPD and seeks to increase legal certainty on the protection of children and adolescents’ personal data.
On May 31, the ANPD released a list of ongoing inspection processes. The list contains 16 processes and the 27 institutions that are under investigation by the ANPD regarding their compliance with the General Law of Protection of Personal Data (LGPD). The list is available here. In a parallel with international authorities, we observe that in Brazil the focus of the first processes is on the public sector, bigtechs, healthcare, and the telecom sector.
