The Privacy, Data Protection and Cybersecurity Law Review: Brazil

Overview

The concept and protection of privacy is not an innovation in Brazil. The Brazilian Federal Constitution of 1988 (the Brazilian Federal Constitution) treats the privacy, private life, honour and image of individuals as inviolable and as fundamental rights.2

After many years of legislative discussions, in 2018 the Brazilian General Data Protection Act (Law No. 13,709/2018 (LGPD)) was enacted.3 This Law is considered the most important data protection law in our jurisdiction, and represents a big advance and an important step for Brazil, to guarantee the protection of individuals, define limits to data processing for companies and enable the expansion of Brazil's digital economy.

The LGPD came into force in September 2020, during the covid-19 pandemic and after a legislative race. At the end of 2020, the regulatory authority was constituted and its regulatory agenda was published, specifying the topics for discussion and the dates on which each will be addressed.

The rights given in Article 5 of the Brazilian Federal Constitution are classified as fundamental rights. As described above, privacy is considered a fundamental right, but data protection is not included in this list, even though there is a legislative initiative – a constitutional amendment proposal – to insert data protection as a constitutional fundamental right (PEC No. 17/19)4 that is currently being voted on at the House of Representatives.

The year in review

The covid-19 pandemic continued to emphasise the exponential growth of technology in people's daily lives, in companies' activities, in governmental roles, and in the fight against coronavirus. Other privacy-related challenges have arisen, as vaccination status and body temperature are considered sensitive personal health data. Technology has continued to be an important ally in the practice of medicine, in the home office, in online education and in relationships as a whole.

In Brazil, with the LGPD now in effect and companies rushing to adapt to its provisions, the Data Protection National Authority (ANPD or the Authority) has taken shape and is acting effectively, with an initial awareness-raising and educational agenda.

In early 2021, the ANPD published Ordinance No. 11/2021,5 making public its regulatory agenda for the 2021–2022 biennium, which includes the main data protection issues such as the LGPD for small and medium-sized enterprises, data subjects' rights, data breaches and international transfers. In compliance with the published agenda, in March 2021 the ANPD published Ordinance No. 1, with the Authority's internal regulation, outlining its entire organisational structure for compliance with its legal attributions, and its activities and the main items that will be analysed in the coming months.

In February 2021, the ANPD took another important step in publishing explanations and notification requirements of data breaches on its website,6 clarifying what constitutes a data breach, what needs to be communicated to the ANPD and in which situations to communicate breaches to data subjects. The web page also includes a template of the communication form.

In May 2021, the ANPD followed up with the publication of two important and robust documents that will guide the actions of the Authority and public and private companies in the processing of personal data, namely: the Guidance on Definitions of Processing Agents and Data Protection Officer;7 and the Enforcement Rule,8 which addresses inspections and application of administrative sanctions imposed by the Authority.

The first document considers the concepts of personal data processing agents (controller and processor) and the data protection officer (DPO). The guideline intends to establish non-binding directives, developing topics such as legal definitions, respective liability regimes, concrete cases and examples, and frequently asked questions. The published version is subject to contributions by civil society (via email) and the guide will be updated periodically.

The published Enforcement Rule aims to regulate the application of Article 52 and following of the LGPD, which provide for the administrative sanctions and which entered into force in August 2021 under Law No. 14,058/2020. The rule is also being submitted for public consultation, and it highlights the enforcement mechanism that the ANPD intends to adopt: monitoring actions, guidance and prevention, without failing to apply more severe sanctions where necessary.

With most of the provisions of the LGPD in force, as well as with the coming into force of the administrative sanctions, there are some developments worth highlighting, as pointed out below. Considering the Brazilian context concerning privacy and data protection, the expectation is that the ANPD will increasingly act by publishing regulations, conducting investigations and applying administrative sanctions, with the exponential increase in the number of cases involving privacy in the administrative and judicial sphere.

Regarding the internal scope of organisations, we observe increasingly structured adaptations to the LGPD, with concerns involving privacy by design, data protection agreements and adoption of robust information security measures.

Regulatory framework

i Privacy and data protection legislation and standards

The Brazilian Federal Constitution establishes the inviolability of its people's privacy, private life, honour and image as fundamental rights. Additionally, the right to compensation for property or moral damages resulting from their violation is ensured.9

Also, Brazil has a civil regulatory framework for use of the internet: Law No. 12,965/2014 (the Brazilian Internet Law),10 which establishes principles, guarantees, rights and obligations for the use of the internet in Brazil. Decree 8,771 of 11 May 201611 establishes procedures related to data retention and protection by connection and application providers, and points out transparency and enforcement measures concerned with personal data and private communications.

Brazil has enacted the LGPD, which provides for the processing of personal data, including in digital media, by a natural person or legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and free development of the personality of the natural person.

The LGPD12 contains core definitions related to data protection, such as:

  1. personal data: information regarding an identified or identifiable natural person;
  2. sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, data concerning health or sex life, genetic or biometric data, in relation to a natural person;
  3. data subject: a natural person to whom the personal data that are the object of processing refer;
  4. controller: natural person or legal entity, of public or private law, that has the competence to make the decisions regarding the processing of personal data; and
  5. processor: natural person or legal entity, of public or private law, that processes personal data in the name of the controller.

Furthermore, there are other sectoral laws related to the privacy and protection of personal data, including, but not restricted to:

  1. Law No. 8,078/1990 (the Consumer Protection Code),13 which sets out data protection principles in consumer relations;
  2. Law No. 9,472/1997 (the Telecommunications Act),14 which guarantees measures related to privacy and protection of personal data of telecommunication services users;
  3. Law No. 10,406/2002 (the Civil Code),15 which grants the inviolability of the private life of the natural person; and
  4. Law No. 12,414/2011 (the Positive Credit Registry Act),16 which governs the formation and consultation of databases holding the credit history of natural or legal persons.

The Authority was created by Provisional Measure No. 869/18 (later converted into Law No. 13,853/2019) and became operational with the appointment of its board of directors on 5 November 2020. No resolution has been issued to date, but the ANPD has taken action to regulate all matters established on the regulatory agenda for this semester (i.e., this half of the year).

During June 2021, the Authority held technical meetings with experts to discuss how to best regulate data protection impact assessments.17

The Authority has recently published a draft of the enforcement rules it intends to adopt and will conduct a public hearing to obtain input from civil society and experts on the matter. This relates to the application of administrative sanctions.

As the regulatory agenda is fulfilled, the standards and resolutions created by the Authority are added to the Brazilian regulatory framework.

ii General obligations for data handlers

Under the LGPD,18 processing agents have a duty to process personal data for legitimate, specific and explicit purposes of which the data subject is informed. Also, the processing must be compatible with the purpose communicated to the data subject and limited to the minimum necessary to achieve its purposes. Other duties relate to ensuring that data subjects can easily consult clear and precise information about the processing, in addition to ensuring the accuracy, clarity, relevance and updating of the personal data processed. Also, processing agents must use technical and administrative measures that are able to protect personal data from unauthorised access and from accidental or unlawful situations, and must adopt measures to prevent damage arising from the processing of personal data.

Processing agents are obliged to have one of the following legal bases19 for the processing to be lawful:

  1. consent of the data subject;
  2. compliance with a legal or regulatory obligation by the controller;
  3. necessity of the processing and shared use of data for the execution of public policies provided in laws or regulations;
  4. carrying out studies by research entities, ensuring, whenever possible, the anonymisation of personal data;
  5. necessity for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
  6. regular exercise of rights in judicial, administrative or arbitration procedures;
  7. protection of life or physical safety of the data subject or third party;
  8. protection of health, in a procedure carried out by health professionals or by health entities;
  9. necessity to fulfil the legitimate interests of the controller or third party;
  10. protection of credit; and
  11. prevention of fraud and protection of the safety of the data subject, in processes of identification and authentication of registration in electronic systems.

In addition to the general duties imposed on data handlers described above, new rules on legal bases might be created. According to its regulatory agenda, the ANPD shall issue the Guide of Good Practices by the second half of 2022, guiding the public on various hypotheses of application of the LGPD, including, but not restricted to, the legal bases described in Article 7 of the Act.

iii Data subject rights

The LGPD establishes in its Chapter III the systematisation of the rights of data subjects, which can be exercised at any time upon express request of the data subject or his or her legally constituted representative. The processing agent receiving the request shall respond to the data subject free of charge, within the periods and under the terms provided in the regulation, pursuant to Article 18, Paragraph 5 of the LGPD. Among other things, the LGPD provides for the following rights:

  1. confirmation of the existence of the processing;
  2. access to data and information concerning the processing of data subjects, which must be made available in a clear, adequate and ostensible manner;
  3. correction of incomplete, inaccurate or outdated data;
  4. anonymisation, blocking or erasure of unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD;
  5. portability of the data to another service or product provider, through an express request and subject to commercial and industrial secrecy;
  6. erasure of the personal data processed with the consent of the data subject, when permissible; and
  7. access to information about public and private entities with which the controller has shared data.20

Although the above rights are explicitly stated in the LGPD, several of them lack regulation, such as the right to access (Article 9), the right to portability (Article 18, V) or even the right to review automated decisions (Article 20, V). To address these regulatory gaps, the ANPD has determined in its regulatory agenda that it will address the rights of data subjects in the first half of 2022 through a resolution.

iv Specific regulatory areas

In addition to the LGPD, Brazil has other regulations and laws that address the issue of data protection in specific sectors.

In the financial sector, Resolution No. 4,658/2018 issued by the Brazilian Central Bank (BACEN)21 provides that the financial institutions shall adopt procedures that take into account the quality of the access controls aimed at protecting the data and information of the institution's customers, issuing requirements for the contracting of processing services and data storage.

The Superintendence of Private Insurance issued Resolution No. 382 in March 2020,22 listing the protection of personal data as one of the principles to be adopted by insurance companies, capitalisation companies, open private pension entities and their intermediaries.

The National Agency for Supplementary Health Services enacted Act No. 443/19,23 which provides for the adoption of minimum corporate governance practices, with an emphasis on internal controls and risk management, for the purposes of solvency of healthcare plan operators.

Furthermore, the Administrative Council for Economic Defence (CADE) and the ANPD signed a technical cooperation agreement in May 202124 aimed at combating activities that may be harmful to the economy and at promoting and disseminating the culture of free competition in services that process personal data.

v Technological innovation

Developers of new technologies must incorporate privacy and data protection in their design. The concept of privacy by design is based on the LGPD principles that ensure technical, administrative and security measures to protect personal data, as well as the effectiveness of such measures in observance of personal data protection rules.

Behavioural advertising

Although there is no specific legislation, the Consumer Protection Code25 contains provisions that grant overall consumer protection against fraudulent and abusive advertising and coercive or unfair commercial methods, as well as against unfair or imposed practices and terms in the supply of products and services. In addition, the Internet Management Committee in Brazil (CGI.br) has developed a website that contains guidelines for best practices to inform the user and network administrator about spam, its implications and ways to protect against and combat it.26 Furthermore, the Brazilian Advertising Self-regulation Code27 regulates the ethical rules applicable to advertising and propaganda.

Facial recognition and biometrics

Regarding facial recognition technologies, although there is no specific regulation of such technologies, there is a series of legislative bills pending in the legislative houses, such as Bill No. 4,612 of 2019,28 which provides for the development, application and use of facial and emotional recognition technologies, as well as other digital technologies designed to identify individuals and predict or analyse behaviours.

Artificial intelligence

At the beginning of 2020, a request for a public audience on artificial intelligence was approved by the Commission of Science, Technology, Innovation, Communication and Informatics. The objective is to instruct two bills: one of these introduces the National Policy on Artificial Intelligence (Bill No. 5,691/2019)29 and the other sets out the principles for the use of artificial intelligence in Brazil (Bill No. 5,051/2019).30 Furthermore, Legislative Bill No. 21/2031 aims to establish the legal framework for the development and use of artificial intelligence by public authorities, private companies, entities and natural persons. The Bill determines that respect for human rights and democratic values, equality, non-discrimination, plurality, free initiative and data privacy must be fundamental in the use of artificial intelligence.

International data transfer and data localisation

The Brazilian Internet Law, in its Article 11, provides that in any operation of collection, storage, retention and processing of personal data or communications data by connection providers and internet application providers, where at least one of these acts takes place in the national territory, Brazilian law must be respected, including with regard to the rights to privacy, protection of personal data and secrecy of private communications and logs.

Paragraphs 1 and 2 of Article 11 establish that the provision applies to data collected in the national territory and to the content of the communications in which at least one of the terminals is placed in Brazil, even if the activities are carried out by a legal entity located abroad, provided that it offers services to the Brazilian public, or at least one member of the same economic group is established in Brazil.

In a similar way, the LGPD32 applies to any processing operations carried out by a natural person or a legal entity of public or private law, irrespective of the means, the country in which its headquarters are located or the country where the data are located, provided that:

  1. the processing operation is carried out in the national territory;
  2. the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in the national territory; or
  3. the personal data being processed were collected in the national territory.

The LGPD's Article 33 provides that international transfer of personal data to foreign countries or international organisations of which the country is a member is only allowed when:

  1. it is to countries or international organisations that provide a level of protection of personal data that is adequate to the LGPD's provisions;
  2. the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided by the LGPD, in the form of:
    • specific contractual clauses for a given transfer;
    • standard contractual clauses;
    • global corporate rules; or
    • regularly issued stamps, certificates and codes of conduct;
  3. the transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies, in accordance with the instruments of international law;
  4. the transfer is necessary to protect the life or physical safety of the data subject or a third party;
  5. the national authority authorises the transfer;
  6. the transfer results in a commitment undertaken through international cooperation;
  7. the transfer is necessary for the execution of a public policy or legal attribution of public service, which shall be publicised;
  8. the data subject has given their specific and highlighted consent for the transfer, with prior information about the international nature of the operation, with this being clearly distinct from other purposes; or
  9. it is necessary for the controller to comply with a legal or regulatory obligation, for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party (at the request of the data subject) or for the regular exercise of rights in judicial, administrative or arbitration procedures.

The level of data protection in the foreign country or international organisation shall be evaluated by the ANPD. Furthermore, the definition of the content of standard contractual clauses, as well as the verification of specific contractual clauses for a particular transfer, global corporate rules or stamps, certificates and codes of conduct will be carried out by the ANPD in the second phase of its regulatory agenda,33 scheduled for the first half of 2022.

Company policies and practices

Article 50 of the LGPD suggests that data controllers and processors should create standard data protection policies and procedures to mitigate liability. Article 51 of the LGPD also provides that, in the future, the ANPD should establish technical standards in connection with data privacy issues. Nonetheless, it is considered the best practice for companies (also to mitigate liability) to have a broad number of policies and procedures in place for compliance purposes, as set out below:

  1. a data privacy policy, which regulates data processing by the company. There may be two different policies in place: one about data protection in general (relating to customers, clients, etc.) and another specifically related to data protection inside the company (regarding the company's employees, which should provide training mechanisms, for example). The rules established by this policy have to comply with all the rules provided by the LGPD and the Brazilian Internet Law, as applicable;
  2. an information security policy and an information and communications technology policy, which establish internal rules for the use of technology devices (computers, mobiles, etc.), cybersecurity standards and guidelines, among other provisions;
  3. specific policies related to areas that usually process a lot of personal data (e.g., human resources departments, with guidelines on the processing of personal data of candidates pre-hire, during the admission phase and during the employment relationship);
  4. an employees' monitoring policy, establishing terms, conditions and limits for monitoring employees and their work tools;
  5. a 'bring your own device' policy, regulating the terms and conditions in the case of employees using their own devices for work activities;
  6. privacy policies and terms of use for the company websites;
  7. a cookies policy; and
  8. a data breach policy and response plan to set forth company procedures in the event of a data security breach, among other things.

Discovery and disclosure

The Brazilian Internet Law establishes rights and guarantees for all users of the internet in Brazil, such as the inviolability and confidentiality of the flow of users' communications through the internet and their stored private communications, except by a court order.

According to Article 22 of the aforementioned Law, any interested party may request a judge to order the entity responsible for keeping the records to provide the connection or access logs to internet applications, for the purpose of creating evidence in civil or criminal legal procedures. This request should contain, under penalty of inadmissibility:

  1. justified evidence of the occurrence of the offence;
  2. motivated justification of the usefulness of the requested records for investigation; and
  3. the period of time to which the records correspond.

It is important to highlight that the judge needs to take the necessary measures to ensure confidentiality of received information, as well as the preservation of intimacy, private life, honour and image of the data subject. The judge may determine the secrecy of justice,34 including with respect to requests for record retention.

Furthermore, the Brazilian Code of Criminal Procedure (Law No. 3,689/1941)35 states that judges may request information, including personal data, during criminal investigations and criminal proceedings. Pursuant to Article 3-B, XI, items (a) and (b), examining judges have the power to decide on requests to disclose personal data of users of electronic communications services, including internet, email, telephone and financial data.

Regarding the interception of telephone communications, this may be determined for evidence in criminal investigations and proceedings by the examining judge, ex officio or upon request of the competent police authority or the representative of the public prosecution. The interception should comply with the provisions of Law No. 9,296/1996,36 and will depend on an order of the competent judge of the main action,37 under the secrecy of justice.

Public and private enforcement

i Enforcement agencies

The ANPD was created by Law No. 13,853/2019,38 and is an entity that is a part of the federal public administration, pertaining to the Presidency of the Republic. According to Article 55-J of the LGPD, the ANPD has the following duties, among others:

  1. to prepare guidelines for the National Policy for the Protection of Personal Data and Privacy;
  2. to supervise and apply sanctions in the case of processing of data carried out in violation of legislation, through an administrative process that ensures the accused a full defence and the right to appeal;
  3. to promote in the population the knowledge of the norms and public policies on the protection of personal data and security measures;
  4. to promote cooperation actions of an international or transnational nature with personal data protection authorities of other countries; and
  5. to edit simplified and differentiated rules, guidelines and procedures, including deadlines, so that micro and small companies, as well as incremental or disruptive business initiatives that self-declare as start-ups or innovation companies, can adapt to the LGPD.

The ANPD has recently commenced its activities. Some steps were taken after its creation, such as the structuring of the Directing Council and the National Privacy and Data Protection Council (through Decree No. 10,474 of 2020),39 the nominations of its members and the presentation of its regulatory agenda for 2021 to 2023 (through Ordinance No. 11 of 2021),40 which aims to prioritise the awareness of data protection in the market and society. The sanctions are enforceable by the Authority from August 2021.

Despite this, it is important to mention that other government authorities are already acting on behalf of the data protection principles. To illustrate this, the major consumer defence body in Brazil (Procon) and public prosecution (Special Unit of Data Protection and Artificial Intelligence – Espec)41 are notifying, investigating and even applying fines42 to companies that act in an unlawful or abusive manner, based on other laws, such as the Brazilian Consumer Code. In addition, the ANPD has confirmed the following cooperation agreements:

  1. at the end of March 2021, with the National Consumer's Office (SENACON),43 attempting to improve investigations and better address consumers' rights in data breaches; and
  2. at the beginning of June 2021, with CADE,44 aiming to promote a culture of free competition in services that process personal data.

In May 2021, WhatsApp committed to collaborate with CADE, the Public Prosecutor's Office (equivalent to the US Department of Justice), the ANPD and SENACON in relation to concerns raised by these public bodies about the messaging app's new privacy policy.45

ii Recent enforcement cases

Considering that the provisions of the LGPD on administrative sanctions entered into force in August 2021, no sanctions have been imposed by the ANPD to date.

However, other agencies have already imposed fines on the grounds of sectoral legislation. In this regard, in August 2019, Google and Apple were fined close to 18 million reais by Procon-SP, owing to abusive clauses in the terms of use and privacy policy of the FaceApp application, as well as only being available in the English language, in violation of consumer rights.46 In the same year, another significant case resulted in a fine being imposed by the Consumer Protection and Defence Authority on Facebook for improperly sharing data from 443,000 Brazilian users in the Cambridge Analytica case.47

Also, the Brazilian judiciary provided recent enforcement cases related to privacy and data protection. In May 2020, the Federal Supreme Court granted a writ of prevention suspending the effectiveness of Provisional Measure 954 on data sharing of telecommunication users with the Brazilian Institute of Geography and Statistics for the production of official statistics during the covid-19 pandemic. The trial contributed to the expansion of debates on the acknowledgment of the fundamental right to personal data protection in the Brazilian jurisdiction.48

In September 2020, a lower court of São Paulo found for the plaintiff and ruled that sharing consumers' personal data with companies outside the contractual relationship violates provisions of the LGPD, as well as constitutional principles, such as the right to privacy.49 Real estate company Cyrela was awarded 10,000 reais for pain and suffering in the same decision, which prohibited the defendant from passing on the personal data to third parties. The decision considered not only the provisions of the LGPD, but also of the Brazilian Federal Constitution and the Consumer Protection Code.

In May 2021, the São Paulo Appeals Court50 fined ViaQuatro, the company that manages the yellow subway line of São Paulo, 100,000 reais. The Court confirmed that the payment is for collective pain and suffering – to be destined to a collective investment entity – and ordered the deactivation of the facial recognition system for data subjects using the yellow subway line of São Paulo. The decision was based on the LGPD, recognising data as sensitive biometric personal data and acknowledging the need to obtain consent from the data subjects and provide details of the processing, in compliance with the principle of transparency. The case is currently on court appeal.

In addition, other protective bodies are acting on the grounds of the LGPD. After wide media coverage, Procon-SP notified a data bureau that it is seeking clarification on the alleged leak of 220 million Brazilian citizens' personal data.51 The data bureau provided its response in April 2021 in which it claims not to have identified any irregularity. However, the investigation has not yet been closed.

Another case under investigation by Procon-SP relates to Brazil's main telecommunication companies' potential leak of more than 100 million telephone numbers.52

In April 2021, Procon-SP notified Facebook to confirm the news of a data leak that allegedly exposed information – such as full names, telephone numbers, dates of birth and email addresses – of more than 500 million users, including more than 8 million Brazilians, in online hacker forums.53 The agency required responses on Facebook's measures to contain the leak, strategies to deal with the damage and prevent further failures, as well as the lawfulness of processing the personal data of Brazilian citizens and the measures adopted to comply with the LGPD.

In June 2021, the Brazilian Consumer Protection Institution (IDEC) notified Raia Drogasil, a drugstore group, to present information regarding the collection and use of customers' biometrics data.54 IDEC is currently investigating this group's activities, following complaints. Consumers reported that they were barred from taking advantage of promotions unless they registered their fingerprints. The extrajudicial notification also required that the group ceased the collection of fingerprints and Individual Taxpayers Registry Numbers and explained the purpose of the data collection.

iii Private litigation

Before any judicial remedies, interested parties and authorities may seek administrative remedies for breaches of privacy and data protection rules. The LGPD provides for the data subject's right to petition the ANPD regarding their data.

Furthermore, the Brazilian Federal Constitution55 provides that the right to judicial assistance is a fundamental guarantee for individuals, as it is universal, inalienable, unavailable, and unwavering.

In civil proceedings, liability under Brazilian law is subjective (fault-based): the data subject must prove the unlawful conduct (an act or an omission), the damage and the causal link between them. In consumer-related cases, the law subjects the agent to strict liability, and the exceptions to liability are narrower in these cases.

The LGPD provides that a controller or processor that, as a result of carrying out personal data processing activities, causes material, moral, individual or collective damage to third parties, in violation of personal data protection legislation, is obligated to redress it.56

The LGPD also provides that the judge, in a civil lawsuit, may reverse the burden of proof in favour of the data subject when, at the judge's discretion, the allegation appears plausible or when producing evidence would be overly burdensome for the data subject. Lawsuits for compensation for collective damages may be filed collectively in court, subject to the pertinent legislation.57

Regarding class actions, collective interests are mostly regulated by the Brazilian Law of Public Civil Action (Law No. 7,347/1985),58 which provides for the protection of diffuse and collective interests related to the environment, the consumer, and goods and rights of artistic, aesthetic, historical, tourist and landscape value, among the other goods and rights listed in that Law.

Considerations for foreign organisations

As per its Article 3, the LGPD applies to any data processing operation performed by any person or entity, public or private, provided that the processing operation is carried out in Brazilian territory; the processing operation entails the offer or provision of goods or services, or data processing, for individuals located in Brazil; or the data collection was carried out within Brazilian territory.

Thus, in general, all foreign companies that process, in any way, personal data of Brazilian individuals should comply with the LGPD. In this regard, the Brazilian Internet Law contains a very similar provision (Article 11), which leads to the same conclusion.

These provisions were included in both laws because, in the past, there were many judicial disputes involving the processing of Brazilian individuals' data abroad. Some foreign companies tried to avoid the enforcement of Brazilian laws and judicial orders by arguing that the data processing was performed outside Brazil. To avoid this kind of problem, these recent legal provisions reiterate that any action involving personal data of Brazilian subjects, or of individuals located in Brazil, triggers the application of Brazilian law.

Cybersecurity and data breaches

The Brazilian Internet Law provides that the discipline of internet use in Brazil should preserve the stability, security and functionality of the network, via technical measures consistent with international standards and by encouraging the use of best practices. Decree No. 8,771/2016, which regulates the Internet Law, also establishes some guidelines on security standards that connection and application providers must observe when processing personal data and private communications, such as strict control over access to data, authentication mechanisms for access to records, inventories of access to records and use of record management solutions such as encryption or equivalent measures.

Furthermore, the LGPD59 provides that processing agents shall adopt technical and administrative security measures able to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication or any other improper or unlawful processing.

As well as the general provisions of the Brazilian Internet Law and the LGPD, there are several sectoral laws and regulations concerning cybersecurity requirements for specific regulated sectors, including:

  1. Resolution No. 4,893/2021 of BACEN,60 which provides for the cybersecurity policy and the requirements for contracting data processing and storage and cloud computing services to be observed by institutions authorised to operate by BACEN. This Resolution entered into force on 1 July 2021;
  2. Resolution No. 85/2021 of BACEN,61 which provides for the cybersecurity policy and the requirements for contracting data processing and storage and cloud computing services to be observed by payment institutions authorised to operate by the Central Bank of Brazil. This Resolution entered into force on 1 August 2021;
  3. Ordinance No. 271/2017,62 which provides the Information Security and Communications Policy of the Ministry of Health; and
  4. Ordinance No. 1,966/2018,63 which defines information and communication security standards within the Ministry of Health.

Also, in the public sector:

  1. Decree No. 9,637/2018 approves the National Information Security Policy64 within the federal public administration, to ensure the availability, integrity, confidentiality and authenticity of information at the national level; and
  2. Decree No. 10,222/2020 approves the National Strategy of Cybersecurity (E-Ciber),65 a government plan on the main actions, nationally and internationally, that it intends to apply in the cybersecurity area.

Regarding data retention, the LGPD does not set specific retention periods; however, it66 establishes that the ANPD may issue standards on the retention period of records, especially considering the need for the data and transparency towards the data subjects. In addition, sectoral laws contain many diverse retention requirements, such as the obligation under the Brazilian Internet Law67 for connection providers to store connection records for one year and for application providers to store access records for six months.

As regards data breach reporting requirements, the LGPD68 establishes that the controller should communicate to the ANPD and to the data subject the occurrence of any security incident that may cause risk or relevant harm to data subjects. This task may be carried out by the DPO, as the DPO is the person appointed by the controller to act as a communication channel between the controller, the data subjects and the ANPD.

In February 2021, the Authority added brief explanations and notification requirements of data breaches to its website.69

The ANPD defines a data breach as any confirmed adverse event related to a breach in the security of personal data. The website also provides a template form for reporting incidents to the Authority. The ANPD also lists the steps to be taken upon a data breach: (1) internal assessment of the incident (nature, category, number of data subjects affected, probable consequences); (2) communication to the DPO; (3) communication to the controller, if the affected entity is the data processor; (4) communication to the ANPD and the data subjects, if applicable; and (5) preparation of internal documentation, following the principle of accountability.

The ANPD also indicates that if the incident is reported by the data processor, the Authority will analyse it on a subsidiary basis. The Authority indicates that more objective criteria for notifying data subjects may be issued in the future, but that for the moment the controller should adopt a cautious stance, communicating the incident to the data subjects whenever there is any risk of relevant damage to them, such as when the incident involves sensitive personal data, children's personal data or image violations, among others.

Finally, the Authority recommends that the incident be reported within two working days of the data controller becoming aware of it, pending the Authority issuing binding regulations to that effect, which are expected by early 2022.

Outlook

The entry into force of the EU's General Data Protection Regulation70 in 2018 contributed to the endorsement of the LGPD in Brazil in the same year, in the same way that it has already had a significant impact on Brazilian companies that process the personal data of persons located in the European Union, or that transfer data internationally. In this regard, the free flow of data between EU countries and Brazil is conditioned on an adequate level of data protection, which must be similar to that in the EU. Furthermore, Brazilian companies have been conducting adaptation projects to comply with the data protection legislation by adopting best practices for processing personal data grounded on the LGPD's lawful bases for processing and its personal data protection principles.

The LGPD came into force in September 2020, with the exception of the administrative sanctions, which entered into force in August 2021. However, some LGPD provisions only become effective once regulated by the ANPD, which is expected to take place in accordance with the ANPD regulatory agenda for the 2021–2022 biennium, established by Ordinance No. 11/2021.71

Footnotes

1 Ricardo Barretto Ferreira is a senior partner, Lorena Pretti Serraglio is a senior associate and Camilla Lopes Chicaroni and Nariman Ferdinian Gonzales are associates at Azevedo Sette Advogados. The authors would like to thank the following for contributing to this chapter: Juliana Sene Ikeda, senior associate, and Isabella da Penha Lopes Santana, Mariana de Carvalho Rici and Laís Litran Motta, associates at Azevedo Sette Advogados.

2 Brazilian Federal Constitution of 1988 (CF/1988). Available at www.planalto.gov.br/ccivil_03/constituicao/constituicao.htm.

3 Brazilian General Data Protection Act (Law No. 13,709/2018). Available at www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm.

4 Proposal of Constitutional Amendment No. 17/2019. Available at https://www.camara.leg.br/propostas-legislativas/2210757.

7 Guidance on Definitions of Processing Agents and Data Protection Officer. Available at https://www.gov.br/anpd/pt-br/assuntos/noticias/2021-05-27-guia-agentes-de-tratamento_final.pdf.

9 Article 5, X, of Brazilian Federal Constitution.

12 Article 5 of LGPD.

13 Consumer Protection Code. Available at www.planalto.gov.br/ccivil_03/leis/l8078.htm.

14 Telecommunications Act. Available at www.planalto.gov.br/ccivil_03/leis/l9472.htm.

16 Positive Credit Registry Act. Available at www.planalto.gov.br/ccivil_03/_ato2011-2014/2011/lei/l12414.htm.

18 Article 6 of LGPD.

19 Articles 7 and 11 of LGPD.

20 Article 18 of LGPD.

22 Superintendence of Private Insurance. Resolution No. 382/2020. Available at http://www.in.gov.br/web/dou/-/resolucao-n-382-de-4-de-marco-de-2020-247020888.

23 National Agency for Supplementary Health Services. Act No. 443/19. Available at http://www.ans.gov.br/component/legislacao/?view=legislacao&task=TextoLei&format=raw&id=MzY3MQ==.

24 Technical Cooperation Agreement No. 5/2021. Available at https://www.gov.br/anpd/pt-br/assuntos/noticias/act-tarjado-compactado.pdf.

25 Chapter III: Basic Consumer Rights, of Consumer Protection Code.

26 Anti-Spam Working Committee (CT-Spam). Available at https://www.antispam.br/index.html.

27 Brazilian Advertising Self-regulation Code. Available at http://www.conar.org.br/codigo/codigo.php.

28 Legislative House. Bill No. 4,612 of 2019. Available at https://www.camara.leg.br/proposicoesWeb/fichadetramitacao?idProposicao=2216455.

29 Federal Senate. Bill No. 5,691/2019. Available at https://www25.senado.leg.br/web/atividade/materias/-/materia/139586.

30 Federal Senate. Bill No. 5,051/2019. Available at https://www25.senado.leg.br/web/atividade/materias/-/materia/138790.

31 Legislative Bill No. 21/20. Available at https://www.camara.leg.br/propostas-legislativas/2236340.

32 Article 3 of LGPD.

33 ANPD's regulatory agenda for the 2021–2022 biennium, established by Ordinance No. 11/2021. Available at https://www.in.gov.br/en/web/dou/-/portaria-n-11-de-27-de-janeiro-de-2021-301143313.

34 'Secrecy of justice' refers to a situation in which judicial procedures or police investigations, usually available to the public, are kept confidential. This usually happens when there is a risk of exposure of private information related to the defendant or the person under investigation, or when the procedure involves confidential documents, such as bank statements or phone tapping records.

36 Law No. 9,296/1996. Available at www.planalto.gov.br/ccivil_03/LEIS/L9296.htm.

37 The 'main action' is the action in the procedure that brings the main purpose of the litigation. This main action is independent (i.e., it exists by itself).

41 Brazilian Special Unit of Data Protection and Artificial Intelligence. Available at https://www.mpdft.mp.br/portal/index.php/conhecampdft-menu/nucleos-e-grupos/espec.

46 For additional information about the case, access: https://www.procon.sp.gov.br/aplicativo-de-envelhecimento-2/.

47 For additional information about the case, see Consultor Jurídico, available at https://www.conjur.com.br/2019-dez-30/governo-multa-facebook-compartilhamento-dados.

49 Legal Procedure No. 1080233-94.2019.8.26.0100. Available at https://esaj.tjsp.jus.br/pastadigital/abrirDocumentoEdt.

55 Article 5, XXXV of Brazilian Federal Constitution.

56 Article 42, preamble, of LGPD.

57 Article 42, Sections 2 and 3, of LGPD.

58 Brazilian Law of Public Civil Action (Law No. 7,347/1985). Available at www.planalto.gov.br/ccivil_03/leis/l7347orig.htm.

59 Article 6, VII of LGPD.

66 Article 40 of LGPD.

67 Article 15 of Brazilian Internet Law.

68 Article 48 of LGPD.
