
Telemarketing companies are sanctioned for breach of LGPD and GDPR


7/29/2022

On 27th July, the Brazilian National Consumer Secretariat (“Senacon”) initiated 26 administrative proceedings against companies that were allegedly engaging in abusive telemarketing activities. Those proceedings resulted from recent steps taken by the Brazilian Ministry of Justice and Public Security (“MJSP”), which ordered the suspension of telemarketing activities of 180 Brazilian companies also last month (July 18, 2022).

These suspensions were based on 14,547 complaints filed with the authorities by consumers over the past three years (according to the National Consumer Defense Information System (“Sindec”) and the consumidor.gov.br platform). From the analysis of these complaints, Senacon concluded that the data used by the companies for telemarketing purposes were not provided by consumers and were processed by the companies without reference to any legal basis. In other words, Senacon found evidence that illegal trade in personal data took place. In view of such events, 180 companies that provide telemarketing services are permanently suspended. Any failure to comply with the decision may result in a daily fine of BRL 1,000.00, which could reach up to BRL 13 million per company, if there is a decision on penalties at the end of the proceedings initiated by, and still pending before, Senacon and Procons across the country.

In those recent administrative proceedings, the Ministry of Justice found that the practice of abusive telemarketing violates statutory laws in Brazil, namely the Consumer Defense Code, the General Data Protection Law (“LGPD”) and the Civil Rights Framework for the Internet (“Marco Civil da Internet”). In order to remedy such practices, chief officers of Procons, the National Telecommunications Agency (“Anatel”) and the National Data Protection Authority (“ANPD”) have been notified of those proceedings, so that the authorities may take the appropriate measures. In addition, the MJSP provided an online gateway for citizens to report further abusive practices carried out by telemarketing companies.

Coincidentally (or not), also last July (07/27/2022), the new rules for telemarketing operators came into force in Italy (Presidential Decree nº 26/2022), which established, among other provisions, the creation of the Do Not Call Registry (“DNC Registry”). The service designed and offered by the Italian government allows citizens to register through official gateways to automatically revoke consent to the processing of personal data for commercial purposes, for an indefinite period. Once registered, citizens will be able to object to the use of their telephone numbers for marketing and market research purposes.

Likewise, in recent months, the Spanish Data Protection Authority (“AEPD”) fined Casamar Telecom S.L. (€15,000), Zcall Levante S.L. (€20,000) and Esvetel Sociedad Limitada (€40,000), all for the misuse of the telemarketing service, based on the breach of relevant provisions of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the General Telecommunications Law (“LGT”). Such fines resulted from a fine in the millions imposed by the AEPD on Vodafone España, S.A.U., in 2021, also for the misuse of telemarketing. The last three companies sanctioned by the AEPD traded Vodafone products, being responsible for filtering potential customers in the databases and making marketing telephone calls. The AEPD understood that such processors violated the right to privacy and data protection by not respecting the data subjects’ requests to cease processing their personal data.

As a result of the actions of data protection authorities in Brazil and Europe, there is no doubt that companies should be concerned with adapting their products and services that involve customer assistance, especially telemarketing. As mentioned, the Brazilian MJSP, jointly with other authorities such as the ANPD, has considered consumer complaints and adopted sanctions or educational measures to remedy the violation of the data subjects’/consumers’ rights. Likewise, international experience emphasizes that all processing agents (controllers and processors), within the limits of their functions, are responsible for processing and for demonstrating that the processing of personal data takes place based on the data subjects’ legitimate consent or another applicable legal basis.
