Data protection laws in COVID-19 times
The world saw in 2018 data protection laws being approved on both sides of the Atlantic. In the US, the ‘California Consumer Privacy Act of 2018’ was adopted, and in Europe the ‘General Data Protection Regulation’ (GDPR) came into effect. Brazil was also among the global leaders in privacy regulation, the ‘Lei Geral de Proteção de Dados Pessoais’ (LGPD – 13.709/18) was approved in August 2018.
The new law is a specialisation for other specific laws such as the Código de Defesa do Consumidor (Consumer Defense Code). Meanwhile, LGPD has seen several adjustments on its content and effective date. After having considered postponing the effective date of LGPD due to the COVID-19 pandemic, on 19 May 2020, the Senate approved a recommendation. It was presented by Senator Weverton Rocha, for the effective date to be established for August 2020. This last recommendation is currently waiting for the president’s approval.
The main goal of the LGPD is to guarantee the privacy of people’s personal data and allow greater control over them. The law preconizes norms, standardisation and clear rules for the processes of collection, storage and sharing of this information. In addition, the law aims to help to promote economic and technological development. Somewhat similar to GDPR, the Brazilian LGPD law applies to all sectors of the economy, and it is mandatory to Brazilian companies but also to foreign companies that operate within Brazilian borders. Rules include the holder’s right to rectify, cancel or even request deletion of their own personal data. It also includes the need to create a National Data Protection Authority (ANPD). LGPD also makes it mandatory to notify affected individuals in case of any incident involving personal data.
The drafting of the Brazilian LGPD was clearly inspired by the European GDPR. But it is important to note that there are also some differences. For example, holders’ right of information, personal data consent and proof of consent obtention as well as security parameters for treatments, storage and handling of data are topics that are dealt with by the LGPD and are very similar to how the European GDPR addresses them. Differences, on the other hand, can be found with regard to specific types of data – health, biometric, and genetic data, among others. Most of these differences relate to the differences in the legal system between Europe and Brazil, with Brazilian law being less specific in areas like healthcare that, in Europe, is regulated in great detail on a national level.
Overall, the main challenge for making the Brazilian LGPD a success is investment. The reality on the ground is that, two years after it was approved, many companies still don’t comply with the LGPD rules. Among the reasons for this are not only adjustments in software, but also in security tools, security processes, and privacy-related staff training. The recent recommendation for postponing the effective date of the LGPD was due to the impact of the COVID-19 pandemic on the Brazilian economy. There is clearly the fear to overwhelm companies if one more challenge is presented in such a short period of time.