LGPD - A Law to be practiced

August may go down in Brazilian history as the month of personal data protection. It was in August 2018 that our General Data Protection Law (Law 13.709/18), the LGPD, was enacted, and it is in August 2021 that its administrative sanctions will start to be applied.

The sanctions, which can reach up to R$50 million per violation, will be applied by the National Data Protection Authority - ANPD, a body created less than a year ago, which in addition to its supervisory function is also responsible for regulating the LGPD. The ANPD is making a Herculean effort to put into effect the necessary complementary rules of the law, including those relating to the application of sanctions, an important component to bring greater legal certainty to society, which still does not seem to have awakened to the importance of regulating the protection of personal data.

Brazil does not have the same data protection culture as the European Union, where the subject has been present since the middle of the last century. This culture is established, above all, with disclosure, orientation, education and training. Even in the European Union, before the General Data Protection Regulation, known as the GDPR (the source of inspiration for the LGPD), came into force, the subject was intensely disseminated through awareness campaigns. But, unfortunately, we did not have the same timing here in Brazil, even with the LGPD's vacatio legis of almost 3 years. And the COVID-19 pandemic may have contributed to that.

The subject, despite being of general interest, seems to be unknown to the population, including in the business world. Brazil has a considerable number of small companies. According to the Ministry of Economy, micro-entrepreneurs currently represent 56.7% of companies in activity in Brazil and 79.3% of companies opened last year. Most of these companies have used digital tools to survive and, depending on their nature, may have a much higher volume of personal data processing than a large company.

In addition, the LGPD is still being regulated by the ANPD. No matter how advanced they are in their compliance processes, companies have not yet completely finalized them. In fact, as new technologies appear daily, the adaptation will be constant. It's like they say - the future has arrived, it just hasn't been evenly distributed.

Compliance is a one-way road: regulator and regulated, although in separate lanes, must go in the same direction; otherwise they will be on a collision course. Enforcement also has an educative role, and the ANPD may use this premise so that its enforcement functions are an important tool to achieve LGPD compliance. The regulated are not fully compliant with the law; some do not even know how to comply, or are even unaware of it. A survey recently conducted by international consulting firm Deloitte showed that only 38% of businesses are prepared for the standards required by LGPD, 16% are not prepared and 46% are partially trained.

Given this scenario, what is expected of the ANPD is that its supervisory activities promote a regulatory environment of greater compliance through guidance, awareness and education measures on good data protection practices. In this sense, a healthy path for the ANPD is to prioritize dialogue with the regulated, encouraging prevention and leaving the application of sanctions for the most extreme cases, involving wilful and/or negligent conduct.

Prevention is always better than cure. Thus, it is also necessary to ensure that the proceeds of the sanctions applied are allocated to the promotion of educational events for the dissemination of the data protection culture, both among regulators and the regulated.

Continuous guidance as one of the forms of oversight will help the regulated have the knowledge and tools to put the LGPD into practice. Let this be one of the ANPD's flagship initiatives and one of the main criteria to be adopted by the authority. This way, regulator and regulated will be walking in the same direction - creating and promoting a culture of data protection. Everyone will win, since privacy is a universal value.

The LGPD is a law to be practiced: it is legislation for a new era, the Big Data era. The ANPD and the regulated have a key role in this story.

Adriana S. L. Esper is coordinator of the Data Protection Committee of the Electronic Commerce Council (CCE) of FecomercioSP, partner at MSY Advogados and professor of Compliance and Digital Ethics at Fundação Instituto de Pesquisas (Fipe).
