The Brazilian General Data Protection Law

by Agent Smith (Alessandro Ebersol)

Brazil's general data protection law was drafted in 2018, still under Michel Temer's government.

The Brazilian project comes in the wake of discussions on data protection in Europe, widely publicized with the advancement of digital devices. The European Union law that protects personal data came into force more than two years ago and has heated up debates around the world.

In Brazil, a Provisional Measure (a decree) postponed the entry into force of the LGPD until 2021, but the Senate converted, on August 26, 2020, the PM into the 34/2020 Conversion Bill, and deleted the article defining the postponement. With the change, the new set of rules became effective as of September 18, 2020.

LGPD: What Is It?

The General Data Protection Law (LGPD in Portuguese) is Law No. 13,709, approved in August 2018. It creates rules for the collection and processing of data by companies. The project's objective is to ensure the privacy and protection of personal data, and to promote transparency in the relationship between individuals and companies.

The project guarantees that the collection, processing and commercialization of personal data will be done only with the authorization of the holders. According to the text, the processing of personal data can be carried out "upon the consent of the holder in writing or by another means that demonstrates the manifestation of the holder's will."

The law applies to data that can identify a person. That includes phone numbers, personal characteristics, documents, etc.

How Did The LGPD Come About?

The origin of all this is in information, since it is the most valuable asset for generating business. One of the first to understand the value of the data was psychology professor Aleksander Kogan, who collected data from more than 270,000 users through a Facebook test. He gathered information such as name, surname, location and pages liked on the social network and sold it to a company called Cambridge Analytica.

What followed was the Cambridge Analytica scandal, where personal data from up to 87 million Facebook users was collected. The data was used to influence the opinion of voters in several countries, to help politicians to influence elections in their countries. Following the disclosure of the use of this data in an investigation by Channel 4 News, Facebook apologized and that Cambridge Analytica collected the data "inappropriately".

Even so, politicians like Ted Cruz, Donald Trump and even the Brexit movement have benefited from the improper data collection.

Shortly after this scandal, European authorities created the General Data Protection Rules (GDPR), a set of European Union laws aimed at regulating data privacy. And it was from the GDPR that the LGPD discussion in Brazil emerged, since the country also needs to adapt to the law to be part of the economic bloc.

What Are The Users' Rights?

One of the objectives of the project approved by the Senate is to make consumers feel like "owners" of their data - that is, to increase consumer empowerment in relation to their own data and what companies will do with them.

With this measure, the consumer gains some rights, such as asking companies what data they store, accessing that data or even requiring that information be deleted if obtained in non-compliance with the LGPD.

Data owners can still request the portability of their information to another supplier. This movement is similar to what can be done between telephone companies and allows the holder not only to request a copy of all his data, but also to provide it in an interoperable format, which facilitates the transfer to other services, even if for competitors.

What Changes For Companies?

Compliance with the standard's completeness will need to be proven by all agents who handle personal data, in the light of the principle of accountability.

One of the ways to comply with this principle will be through the elaboration of a Data Protection Impact Report, through which the controllers should evaluate the complete life cycle of the processing of personal data (covering from collection, use, storage, sharing and deletion of data), including the indication of the basis that authorizes the treatment of the data (which will become 10 hypotheses, consent being only one of those possibilities), as well as the implemented information security measures, including procedures to mitigate any incidents that may occur.

In this sense, the stipulation of the Data Protection Officer (DPO - Data Protection Officer), who will be responsible, among others, for creating a culture of data protection within companies (with special attention to good practices and governance), as well as being the bridge with the National Data Protection Authority (ANPD in Portuguese), which was created by means of a Bill of Law initiative by the Executive Branch, given the partial veto presented by the President of the Republic.

National Data Protection Authority: Who Watches The Watchmen?

The ANPD body, which was provided for in Provisional Measure (PM) No. 869, of December 27, 2018. However, it was vetoed by President Michel Temer, because of a defect of origin. The regulatory body could not be part of the legislative, as expected, but from the executive.

Finally, the body, in its current form, was defined in Law No. 13,853, of July 8, 2019. What are its duties? According to the law, the ANPD has, among other duties:

• Ensure the protection of personal data, under the terms of the legislation;


• Ensure the observance of commercial and industrial secrets, observing the protection of personal data and the confidentiality of information when protected by law;


• Develop guidelines for the National Policy for the Protection of Personal Data and Privacy;


• To supervise and apply sanctions in case of data processing carried out in breach of legislation, through an administrative process that ensures the right to counterclaims, the broad defense and the right to appeal;


• Consider petitions from holder to controller after the holder has proved the submission of a complaint to the controller that has not been resolved within the period established by regulation;


• Promote the population's knowledge of the rules and public policies on the protection of personal data and security measures


• Promote and prepare studies on national and international practices for the protection of personal data and privacy;

These are just a few of its 25 assignments (the full text can be read here: http://www.planalto.gov.br/ccivil_03/_ato2019-2022/2019/lei/l13853.htm)
The writing is simply fantastic, with a text that empowers the users, granting them the means to claim their rights to privacy, anonymity, and, above all, freedom of expression on the internet.

Everything would be incredible, were it not the way it was done. I'll explain.

Art. 55-A, which created the ANPD as a federal public administration body, was very different from what had been projected in the original bill, which gave rise to Law 13,709 / 2018. Thus, the authority that would be born with special autarchy status, was suddenly "demoted" to an organ. Despite art. 55-B trying to remedy the issue, expressing the technical autonomy of the ANPD, it is certain that the change in the legal nature is not a just academic debate. The effects of the ANPD being a body instead of a special autarchy, a legal nature typical of regulatory agencies, imply very practical reflexes that can have a substantial impact on the regulation of the topic.

The limitations of being a single body, and not an autarchy, become apparent, after a first inspection: public bodies do not have autonomy, their own assets and perform only what is determined by the State, with the ANPD in this category, the entity is in danger of becoming an authoritarian and undemocratic body. I explain: the authority, as a major regulator of personal data in Brazil, should have the maximum legitimacy, being independent, and should not suffer total political control, as, in fact, it can happen.

However, things have gotten worse since its inception: President Jair Bolsonaro (without a party) has appointed five names, including three military, to form the board of the ANPD (National Data Protection Authority). This appointment, right away, drew attention and raised doubts about what the ANPD is and what is its importance for data protection. But why? Because a survey by Data Privacy Brasil points out that only Russia and China have the presence of military advisers in bodies responsible for data protection and the internet. The survey took into account the 20 most developed economies in the world based on the IMF (International Monetary Fund). And to note that both Russia and China have a very high surveillance on social media, even with a social score, that measures the loyalty of its citizens.

With respect to the right to the protection of personal data, which may soon be included in the country's Federal Constitution, the performance of the Brazilian Authority cannot end up supporting the public authorities in possible violations of the LGPD.

In addition to the Directing Council, the ANPD will have an advisory body, the National Council for the Protection of Personal Data and Privacy. According to the law, the multisectoral Council will be composed of 23 members and must include different voices for the regulation of data protection in the country. The decree that created the ANPD, however, violates this principle indicated in the law by establishing that the representatives of the different sectors will be chosen by the President of the Republic. In other words, it will not be a de facto representation, but another definition of the federal government, which will have the final say on these appointments.

The Good Guys Can Be The Villains, In The End ...

As already criticized previously, such a government option demonstrates a clear confusion between the attributions of bodies with completely different, if not opposite, purposes. Privacy guarantees and protection of personal data must not be confused with the defense of national security and the protection of strategic information for the country. On the contrary, surveillance activities conducted by bodies of national defense and public security can often jeopardize rights and guarantees that should justly be protected by the ANPD, aiming at the constitution of a balanced system within the Democratic Rule of Law.

Thus, it sounds strange that the entity has, since its inception, so many military personnel in its composition. Would they be present to cover illegal access to Brazilians' personal information, conducted fraudulently by orders from the president?

We cannot forget that the rigging of the state is a hallmark of totalitarian regimes, and it has already happened in Venezuela by Hugo Chavez, a person whom the current president said he admires very much, for his firmness in guiding the destinies of Venezuelans.

Very Beautiful On Paper, But ...

Its effects will only be felt over time, but the way it was created puts in doubt whether the new agency and the LGPD are not just government propaganda pyrotechnics, with no positive effect for Brazilians, or worse, a body to cover up illegal government surveillance activities. Only time will tell.