Since adapting to GDPR in 2018, companies, people and governments have been concerned with protecting private data and adapting the rules of each country. In the United States, the California Consumer Privacy Act (CCPA) came into effect in 2020. In Brazil the General Data Protection Act (LGPD) comes into effect August 2020 and many companies are rushing to adapt. One reason for concern is the possibility of heavy sanctions. The law requires companies to be warned, penalized and have their infringement published, and even fined up to 2% of their annual turnover, limited to fifty million reais (BRL).
It is not possible to say, in Brazil, how the National Data Protection Authority, the body responsible for overseeing and enforcing sanctions, will react, whether large and heavy fines will be imposed from the beginning, or whether enforcement will begin with warnings and other lighter sanctions.
We can use the application of GDPR (General Data Protection Regulation), a data protection law applicable in the European Union and the inspiration for legal wording as a parameter over the world, which came into force in 2018 and in its first effective year was responsible for approximately 56 million euros in fines, without rights of appeal. It is very interesting that the effects of GDPR were not limited to companies that base their business on data processing; companies of all segments and sizes were inspected.
Fines issued so far under the GDPR (still subject to appeal)
From this analysis, we could expect a moderate to high risk scenario for the activities of Brazilian companies from August, but at the end of 2019, prognosis became more complicated.
A veto of President Jair Bolsonaro was overridden, and items X, XI, and XII became part of Article 52 of the General Data Protection Law:
Art. 52. Data processing agents, due to violations of the rules provided for in this Law are subject to the following administrative sanctions applicable by the national authority:
X — partial suspension of the operation of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the treatment activity is regularized by the controller;
XI — suspension of personal data processing activity related to the infringement for a maximum period of 6 (six) months, extendable for an equal period;
XII — partial or total prohibition on the exercise of activities related to data processing.
In general terms, these items bring new sanctions, which make it possible for the National Data Protection Authority to suspend the operation of the database related to an infringement, to suspend the processing activity related to an infringement, or to partially or totally prohibit the exercise of data processing activities.
There is no similar punishment provided in the GDPR, for good reason: the total prohibition of activities related to data processing, in an economy increasingly based on data processing, can make business continuity unfeasible, bringing about a notorious legal uncertainty.
While there is a lot of discussion about the legality and constitutionality of these new sanctions, and although the new sanctions can only be applied in cases of recurrence on the specific case, truth is that they constitute the LGPD now, and while they are not reformulated or modified, companies should consider them as a possibility and be prepared.
Currently, it is estimated that 84% of companies in Brazil are not adequate or pursuing compliance with the General Data Protection Law. The recent substantial change in sanctions highlights the dangers of leaving adequacy to the last minute. A company that does not adapt soon may not have enough time to face the unpredictable changes that our legislative system imposes; thus takes the risk of ending its activities.
Other Latin American countries are also aware of developments in the GDPR and LGPD, and many already have data protection laws and proper regulatory bodies, such as Argentina, Mexico, Peru, Colombia and Chile, which regularly meet at the Ibero-American Congress on Law and Informatics to debate the topic.
We can see that the protection of data privacy will be a global concern in the coming years, causing companies to change the way of collecting and managing user data, transforming what is considered today as adequate, into a common standard for processes.
Companies still have a long journey to make this a reality, but at everis this reality already exists, and we can help you in this transformation.