Bienvenue

Bienvenue sur le Blogue du CRL du Jeune Barreau de Montréal (JBM)! Ce blogue est dédié à la diffusion de contenu juridique pour tous les avocats du Québec et plus spécifiquement pour les membres du JBM. Le contenu est offert grâce à une communauté d'avocats bénévoles impliqués sur le Comité recherche et législation du JBM. Si vous désirez devenir auteur ou contribuer au succès de ce blogue, faites-nous part de votre intérêt.

vendredi 4 septembre 2020

Chronique du CTI – Are you ready for the LGPD: Brazil’s version of GDPR?

Tara Mandjee, avocate


 

 

In the last few years, companies have been forced to rethink their data gathering practices with new privacy regulations coming into force, broadening the definition of what constitutes “personal data” and extending their territorial reach beyond borders. It all started with the coming into force of the General Data Protection Act (“GDPR”) in May 2018, which not only disrupted customer engagement strategies but also stirred privacy overhauls in several jurisdictions. Signed in June 2018, the California Consumer Privacy Act (“CCPA”) was the first major US privacy legislation adopted in the wake of the GDPR, with other states now following the course. In the last two months, Canada has also manifested its intention to bring its privacy laws in line with GDPR with the introduction of Bill 64 - An Act to modernize legislative provisions as regards the protection of personal information by Quebec’s government in June 2020 and the launch of a privacy consultation by the Ontario’s Ministry of Government and Consumer Services in August 2020.

While everyone’s focus has been on this side of the continent, the Lei Geral de Protecao de Dados (“LGPD”) - Brazil’s General Data Protection Law strongly inspired by GDPR - has gone somewhat unnoticed. Yet, it will come into force any day now and although its sanctions are postponed to 2021, by now we all know that 12 months can fly by when it comes to data privacy compliance. So what do you need to know now and what should you start doing tomorrow?

Some uncertainties as to timing

Immediate effective date…

After years of debate and consultation, the LGPD was finally implemented on August 14, 2018 with the objective of unifying over 40 different statutes governing personal data in Brazil. Heavily mirroring its EU counterpart, this legislation was supposed to come into force in February 2020 but in light of the crisis caused by the COVID-19 pandemic and the delay in operationalizing the National Data Protection Authority (“ANPD”) - the body responsible for regulating, interpreting, defending and applying this law - the LGPD’s effective date was postponed until 2021. 

A complex interplay of provisional measures and proposals from various governmental bodies then ensued, followed by a major plot twist on August 26 2020 when the Senate reversed the planned postponement and set an immediate date of enactment of August 27 2020. As a result, the LGPD will become effective as soon as the Brazilian President sanctions the Senate’s proposal or, if the President does not veto it within 15 days of receiving it, it will take effect automatically on September 16, 2020.  

… with delayed administrative penalties

GDPR caught everyone’s attention in part due to its stiff fines that can go up to 20 million euros or 4% of a company’s entire global turnover of the preceding fiscal year, whichever is higher (Article 83). In comparison, the LGPD’s fines can go to the highest of 50 million reals (approximately $12 million CAD) or 2 percent of the company’s or economic group’s gross revenue in Brazil in the preceding fiscal year (Article 52). Although substantially lower than under GDPR, the LGPD fines are not negligible and is it important to note when they will become enforceable.

President Bolsonaro issued Decree 10,474 on August 26 formally creating the ANPD, establishing its governance structure and granting it investigation and enforcement rights but the ANPD does not have the ability to bring enforcement actions under the LGPD until August 1, 2021. Nevertheless, private lawsuits and public prosecutor actions based on LGPD violations are possible as of August 27, 2020 under Brazil’s Consumer Rights Law, Internet Law, or Civil Code.

Next steps

Preliminary questions to consider

               In the face of uncertainty around the effective date of the LGPD, many companies have not paid much attention to this new privacy regulation. They would however be well advised to at least answer the following 3 preliminary questions given the fast-approaching enforcement date of August 1, 2021:

1.      Are you subject to the LGPD?

Similar to GDPR, the LGPD has an extraterritorial reach: it applies to all companies offering goods or services to data subjects located in Brazil, regardless of where the company is headquartered.

In general, you should assume that the LGPD applies to your company if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.

2.      What are your processing activities governed by the LGPD & what was your gross revenue in Brazil last year?

Companies processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities and taking into consideration their risk exposure.

As a result, you should do an inventory of your personal data processing activities governed by the LGPD, followed by a gap analysis to identify which of those activities and processes might require remediation. Evaluating your gross revenue in Brazil in the preceding fiscal year might also be relevant as part of your risk-based approach, noting however that fines under the LGPD can always go up to 50 million reals, irrespective of your company’s turnover.  

3.      Are you already GDPR-compliant?  

If you are already GDPR compliant, then you have done the bulk of the work necessary to comply with the LGPD. You should make sure however that the processes you have adopted in order to comply with GDPR are also being applied with respect to your processing activities governed by the LGPD or can be easily extended, with some adjustments. There are indeed some differences between LGPD and GDPR that will require some additional work, as highlighted below.

If you are not already GDPR compliant, you should definitely put together a team dedicated to the LGPD compliance and consider hiring external experts to support this important initiative. Indeed, some provisions may require the development of new tools or processes that involve some engineering effort while others will require significant investment of resources and personnel (ie to review your privacy policy or third-party contracts).

 

 

GDPR vs. LGPD: key differences to consider

While we often assume that GDPR is the most exhaustive privacy regulation, GDPR compliance does not ensure LGPD compliance since there are areas where the Brazilian law is stricter than its European cousin. For instance, the LGPD requires companies to answer data subjects’ access requests within 15 days as compared to 30 days under GDPR.

Other differences between these two pieces of legislation should be clarified and further explained in the interpretive guidance to be issued by the ANPD. Indeed, there are many intentionally broad provisions in the Brazilian law that are subject to adjustment from the ANPD in the months leading up to its enforcement. These guidelines will undoubtedly affect how the LGPD requirements will be interpreted, implemented and enforced, but in the meantime, companies should start their LGPD compliance program.

 

GDPR

LGPD

Personal data

Both GDPR and the LGPD protect any information relating to an identified or identifiable natural person.

Pseudonymized data falls under the scope of the GDPR since it is considered information on an identifiable natural person, but the LGPD does not mention it except in the context of research undergone by public health agencies.

(Article 4)

The LGPD does not however have a detailed definition of what is “personal data,” making its scope very broad.

(Article 1)

Territorial scope

GDPR explicitly includes organizations that are not established in the EU but monitor the behavior of individuals located there.

(Article 3)

The LGPD does not include such a provision. The LGPD will also not apply to data flows that originate outside of Brazil and are merely transmitted, but not further processed in the country.

(Article 3)

 

Data subject rights

 Eight fundamental rights

(Chapter 3)

The LGPD has the same fundamental rights, except that it splits “the right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.

There is also a difference in the cost of requests: the LGPD requires that they be free, while under GDPR, requests may optionally be free (Article 6).

GDPR allows organizations 30 days to answer data subjects’ access requests, while the LGPD only gives them 15 days (Article 19).

Data protection officer (DPO)

GDPR outlines when a DPO is required (processing operations that require systematic monitoring of data subjects in a large-scale, or extensive processing of special categories of data)

(Article 37)

The LGPD suggests that any organization that processes the data of people in Brazil will need to hire a DPO.

(Article 41)

Legal basis for processing data

Six lawful bases for processing data: explicit consent, contractual performance, public task, vital interest, legal obligation and legitimate interest

(Article 6)

The LGPD has the same 6 lawful basis plus another four, for a total of 10:

-        studies by a research body

-        exercise of rights in legal proceedings

-        health protection

-        credit protection

(Article 7)

Reporting data breaches

A company must report a data breach within 72 hours of its discovery

(Article 33)

The controller must communicate to the national authority the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority”. This should be further defined by the ANPD.  

The LGPD requires companies to also notify data subjects of data breaches, something that is not a GDPR requirement (Article 48).

 


Les chroniques du CTI sont rédigées par un ou plusieurs membres du Comité Technologies de l’information (CTI) dans le but de susciter les discussions et de soulever les réflexions au sein de la communauté juridique à propos des nouvelles technologies et le droit. Les auteurs sont donc seuls responsables du contenu des articles et l’opinion qui y est véhiculée n’est pas celle du JBM, mais bien celle des auteurs. Si vous désirez rédiger une chronique, envoyez un courriel au cti@ajbm.qc.ca. 

Aucun commentaire:

Publier un commentaire

L'équipe du Blogue vous encourage à partager avec nous et nos lecteurs vos commentaires et impressions afin d'alimenter les discussions sur le Blogue. Par ailleurs, prenez note du fait qu'aucun commentaire ne sera publié avant d'avoir été approuvé par un modérateur et que l'équipe du Blogue se réserve l'entière discrétion de ne pas publier tout commentaire jugé inapproprié.