Protection of personal data in Brazil: differences in the scope of the LGPD and the new penal practice
Brazil’s Lei Geral de Proteção de Dados Pessoais (or LGPD), similar to GDPR, CCPA and PIPEDA, regulates personal data protection. For example, the LGPD also has an extraterritorial effect, and it can apply to any company, regardless of location. If the company does not process personal data in Brazil but still processes data to offer or supply goods or services to Brazil, the LGPD also applies in this case.
However, there are still regulatory differences, as the LGPD does not contain any provisions on the processing of data to monitor the behaviour of individuals in Brazil, unlike the GDPR. We have previously explained the difference between the LGPD and other laws protecting personal data.
In this article, we will explore the latest updates on personal data protection in Brazil and its potential impact on companies.
Scope and differences of the LGPD
The definition of personal data under the LGPD is also quite general and covers information about an identified person or an identifiable person.
The LGPD applies to data controllers and processors, collectively named processing agents. Processing agents can be government bodies, institutions, and other companies.
The LGPD states that the data processor must carry out the processing in accordance with the instructions provided by the controller, who is responsible for the compliance. According to the LGPD, processors are not required to enter into a contract for processing.
The LGPD does not expressly provide that the act will apply regardless of a person’s nationality or place of residence. However, according to the Brazilian Constitution, the protection extends to any person, regardless of the nationality or residence of the data subject. In addition, Article 3 states that the LGPD will apply even if the personal data being processed of a person is in Brazil at the time of their collection.
The LGPD applies to all data processing. Unlike the GDPR, there is no detail regarding automated or non-automated means. In addition, the LGPD states that data can be considered personal if they are used to form behavioural models of a specific person if this person is identified.
New cases and fines
Telekall Infoservice
The supervisory authority that monitors compliance with the LGPD is the Autoridade Nacional de Proteção de Dados (ANPD). And for the first time in three years after the entry into force of the LGPD, the ANPD imposed fines for violations of articles 7 (permissible processing events) and 41 (DPO) of the LGPD, as well as article 5 of the ANPD Inspection Regulation. The penalties for the violations reached BRL 14,400 (approximately US $3,000).
The company’s investigation was launched after receiving a complaint that Telekall Infoservice was offering a list of voters’ contacts on WhatsApp to distribute campaign materials. This happened in 2020 during the local elections in Ubatuba.
Telekall Infoservice claimed that they were not selling any services and had temporarily suspended their bulk messaging operations.
However, ANPD established that voters’ personal data was processed without a legal basis, and it was confirmed that the company did not appoint a data protection officer (DPO) as needed.
Telekall Infoservice can still appeal the decision of the ANPD, so it is worth continuing to monitor for new changes.
Meta Threads
Everyone has already heard about the new app Threads, which was launched on July 5 and reached millions of users in a matter of days. Threads is a platform that allows you to publish short posts, but the app also connects to your Instagram account. The integration between applications owned by Meta raises additional questions about properly protecting users’ data.
Are all users aware of what personal data apps collect and how they may share it in connection with integrations? Apparently not. But it is worth paying additional attention to this.
Such a rapid development of Threads caused delight among users and questions among experts on personal data protection. For example, Meta suspended the launch of Threads in the European Union due to privacy concerns with the application. The Privacy Policy states that Meta may collect large amounts of information, including sensitive personal data.
Previously, in a recent decision of the EU Court of Justice (Case C-252/21), Meta was already required to process personal data for ad targeting only with the consent of the data subject (the company’s legitimate interest in the absence of the subject’s consent is not a appropriate legal basis in this situation).
In addition, the new Digital Markets Act (DMA, Law on Digital Markets) sets new restrictions on Big Tech companies, the so-called “gatekeepers”, may also be the reason for the suspension of the launch.
The question of compliance with the new application with the requirements of the LGPD was also raised in Brazil. ANPD has also started its investigation to analyze how Meta processes personal data.
As reported, the ANPD has concerns that the platform may process personal data without a specific purpose (or not in proportion to the purpose of the processing), including health data, banking (payment) data, web browsing and purchase histories. The supervisory authority’s analysis will include an assessment of the consequences of the collection and use of personal data, as well as an assessment of compliance with Brazilian law and the rights of data subjects concerning the processing.
Conclusion
Although the LGPD shares some similarities with the European Union’s GDPR, it has its specifics and requirements. New technologies create new challenges in the field of privacy, which requires vigilance and adaptation of personal data protection methods for proper compliance. The imposition of the first fine for a breach of the LGPD additionally underlines the importance of taking a responsible approach to protecting personal data and compliance with the applicable law.
Zoryana Buravtsova
IT lawyer at Legal IT Group