Adriana S. L. Esper and Rony Vainzof
There are several relevant regulatory milestones in the history of privacy and protection of personal data around the world (and in Brazil), following the dynamics of social desires and aiming to generate the necessary legal certainty for a solid growth of an increasingly digital and data-driven economy.
The month of August 2018 certainly carries a unique symbolism for the country on this topic, with the enactment of the General Data Protection Law (Law 13.709/18), the LGPD, whose administrative sanctions also come into effect as of next 1st. These range from a warning to fines that can reach R$50 million per infraction.
It is important to remember that the LGPD is an extremely important piece of legislation for the legal certainty that organizations want, since it harmonizes and updates concepts previously scattered across other sectoral norms. It is a "map" to be followed that seeks the ethical, responsible and safe use of personal data. It also increases the possibility of foreign investment, since we follow the robust model of the General Data Protection Regulation of the European Union (GDPR), standing side by side with hundreds of countries with correlated norms. In other words, overseas investors know the level of legislation we have in place.
Furthermore, the greater society's awareness of privacy and data protection, the greater the demand for ethical, transparent and secure processing. And if data is the currency of the digital economy - and we as individuals, knowing that the processing of our data represents practically an extension of our personality, only share our information with those we trust - complying with the LGPD is a matter of competitiveness.
These sanctions fall under the jurisdiction of the National Data Protection Authority (ANPD), a body created less than a year ago, which, in addition to the supervisory function, is also responsible for regulating the LGPD.
The line that the ANPD has been following in its public statements and its official documents, which increase market confidence, is to prioritize constructive engagement with the private sector. This means that, instead of inquisition and sanction, priority is given to dialogue, support, mutual cooperation, guidance, awareness raising and information; to stimulating open and constructive relations with businesses that deal with personal data, prizing the good faith of companies and their efforts to comply with the law; and to emphasising that companies' efforts to act in a responsible manner are highly encouraged. Thus, these companies present their privacy, information security, codes of conduct and risk management programs, aiming to generate market recognition for their good practices, including certifications, among other accountability standards.
Furthermore, it seems that the rules on inspection and the application of fines will correctly follow a responsive model, favouring action based on evidence and risk management, focused on and oriented to results; adoption of measures proportional to the identified risk and to the attitude of the regulated parties; encouragement of direct conciliation between the parties and prioritization of the resolution of the problem and the repair of damages by the processing agent; mechanisms of transparency, feedback and self-regulation; promotion of a culture of personal data protection; integrated and coordinated action with agencies and entities of the public administration; and a requirement of minimum intervention when imposing administrative conditions on the processing of personal data.
This model is coherent, above all because Brazil does not have the same data protection culture as the European Union, where the subject has been present since the middle of the last century. This culture is established, above all, through disclosure, guidance, education and awareness.
Also, a survey conducted in 2020 by Deloitte, entitled "Agenda 2021: Recovery, Sustainment and the Legacy for Businesses", pointed out that only 38% of businesses are prepared for the standards required by the LGPD, while 46% are partially prepared and 16% are not. Brazil also has a considerable number of small businesses. According to the Ministry of Economy, micro-entrepreneurs now represent 56.7% of the companies active in Brazil, and 79.3% of the businesses opened last year. Most of these companies have been using digital tools and data to survive, which is why instruction on basic measures to adapt to the law is also necessary.
In this scenario, the ANPD is expected to have a supervisory role that promotes a regulatory environment of greater compliance through guidance, awareness and education measures on good data protection practices.
Sanctions should be the last resort, mainly and only when there is a wilful violation - or exponentially negligent practices, repeated or extremely serious conduct - with ongoing guidance as one of the ANPD's instruments to help the regulated have the knowledge and tools to put the LGPD into practice. In this way, regulator and regulated will move in the same direction: creating and promoting a culture of data protection. Everyone will win, because privacy and protection of personal data are fundamental rights and guarantees that transcend mere compliance with a legal duty.
Adriana S. L. Esper is coordinator of the Data Protection Committee of the Electronic Commerce Council (CCE) of FecomercioSP, partner at MSY Advogados and professor of Compliance and Digital Ethics at Fundação Instituto de Pesquisas (Fipe).
Rony Vainzof is a Data Protection consultant at FecomercioSP, partner at Opice Blum, Bruno e Vainzof Advogados and coordinator of the Digital Law post-graduate course at Escola Paulista de Direito (EPD) and the LGPD Extension course at Fundação Instituto de Administração (FIA).