The General Law for the Protection of Personal Data, well known as GDPL, the legislation with the longest vacatio legis in our legal system, is about to have all of its provisions in force: under its article 65, the administrative sanctions provided for in Articles 52, 53 and 54 take effect from August 1, 2021. The countdown has already begun!
However, it is worth remembering that the Brazilian legal system already has legislation that protects certain rights of data subjects, such as the Consumer Defense Code – Law No. 8.078/1990 and the Marco Civil Law of the Internet – Law No. 12.965/14. The GDPL is special legislation; however, this specialty does not prevent the imposition of sanctions provided for in other legal texts by agencies vested with sanctioning and normative powers related to the subject of personal data protection. Any doubts that remain about the applicability of the sanctions contained in the GDPL no longer hold up in the current scenario of growing consolidation of rights related to privacy and data protection.
In addition, although this is not the focus of this article, it should be noted that the GDPL brought with it the civil liability of data processing agents for property, moral, individual or collective damages caused to the data subject. On the subject, news published this month reported that the Brazilian courts have already rendered 600 decisions involving the law in question. Although this number is not so alarming when set against the total number of proceedings in progress in the country, it is enough to indicate the beginning of an already expected culture change: data subjects are and will be increasingly aware of their rights.
With these considerations made, and turning to administrative sanctions: pursuant to article 52 of the law in question, a company that does not comply will be subject to the sanctions applied by the National Data Protection Authority. These range from a warning with a deadline for correction to the total or partial prohibition of the exercise of activities related to data processing, and include pecuniary penalties, such as a simple fine of up to 2% of the revenue of a private legal entity, group or conglomerate in Brazil, limited to BRL 50,000,000.00 (fifty million reais) per infraction, and a daily fine subject to the same limit in millions indicated in the Law[1].
Therefore, it is not too much to say that the adaptation of companies to the GDPL is a path that no longer admits a return.
In this context, the National Authority is in the process of approving its Inspection Regulation, providing for the inspection and application of the aforementioned administrative sanctions. The Regulation is based on the following values: i) evidence-based regulation; ii) proportionality between risks and allocated resources; iii) transparency and permeability, which allow society not only to monitor, but also to contribute to the improvement of ANPD’s performance; iv) transparent and fair processes; v) promotion of compliance through the most diverse instruments and approaches.
The objective is to motivate regulated parties to maintain adequate behavior, that is, to comply with the legal provisions regarding the processing of personal data, through monitoring, guidance, prevention and also punishment actions. From the perspective of the holder of personal data, it is expected that the so-called data protection culture will increasingly develop, as the law, with its proper regulations, is of no use if the recipient does not know how to use it. However, this scenario is luckily not a distant reality.
As it is a multidisciplinary law in its essence, the adaptation to the GDPL requires companies to invest in information technology together with specialized legal monitoring, a set of actions that will allow a proper understanding of the legal scope, evaluation and adequacy within the possibilities and reality of each company.
By the way, the question is: what are the advantages of adequacy? The answer is not limited to complying with legal requirements and mitigating the risk of incurring a pecuniary penalty. Business adaptation creates an opportunity for the company’s internal reorganization, in addition to creating an environment of trust with partners, suppliers and customers, factors that, together, culminate in the creation of a competitive advantage for the company.
In this sense, and from a practical and optimistic point of view, Saad and Hiunes (2020, p. 28) conclude:
[…] The GDPL will also give companies more flexibility in their performance, allowing, in addition to consent, already provided for today in the MCI[2], nine other legal bases to be used to legitimize data processing. In addition, adapting to the GDPL represents a valuable opportunity for internal reorganization and alignment regarding the processing of personal data, in addition to allowing for the strengthening of trust on the part of partners and consumers and the consequent achievement of relevant competitive potential with respect to those who still falter in embracing respect for privacy as a principle inherent to their daily activities. (Our emphasis)
In view of the advantages pointed out, as well as the values that permeate the ANPD Inspection Regulation, it is worth highlighting §1 of article 52 of the GDPL, which lists the parameters and criteria to be observed by the National Authority when applying administrative sanctions. Let us see it below:
Art. 52. Data processing agents, due to infringements committed to the rules provided for in this Law, are subject to the following administrative sanctions applicable by the national authority:
[…]
§ 1 Sanctions will be applied after an administrative procedure that allows for the opportunity of ample defense, in a gradual, isolated or cumulative manner, according to the peculiarities of the specific case and considering the following parameters and criteria:
I – the seriousness and nature of the violations and the personal rights affected;
II – the offender’s good faith;
III – the advantage gained or intended by the offender;
IV – the economic condition of the offender;
V – the repeat offenses;
VI – the degree of damage;
VII – the offender’s cooperation;
VIII – the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage, aimed at the safe and adequate treatment of data, in accordance with the provisions of item II of § 2 of art. 48 of this Law;
IX – the adoption of good practices and governance policy;
X – prompt adoption of corrective measures; and
XI – the proportionality between the seriousness of the offense and the intensity of the sanction.
(Our emphasis)
It is noted, therefore, that if the company adopts the necessary measures for legal adequacy, both in its governance structure and in its information technology systems, any sanction applied for violating the rights of the holders of personal data will certainly be mitigated, taking into account items VIII, IX and X of the legal article transcribed above. For this reason too, cyber risks related to the GDPL have for some time been a concern of companies' risk management, which increasingly includes them in risk matrices.
On the subject, a survey conducted in mid-2019 by Deloitte Brasil in partnership with the Brazilian Institute of Corporate Governance (IBGC), called “Os Cinco Pilares dos Riscos Empresariais 2019” [The Five Pillars of Business Risks 2019] and carried out with the participation of 165 respondents, confirms the perception that the market is aware of corporate governance structures, risk management and controls as a response to technological and regulatory changes; on this point we mention the GDPL, which had an impact on the business environment.
Regarding the implementation of the General Data Protection Law, preparing and revising privacy policies and strengthening internal data access control are the initiatives most adopted by respondents; still, less than 40% perform each of these activities. Actions that involve more robust investments, such as adopting tools and contracting insurance, are still incipient. This is an indicator that companies have been making these investments with caution, seeking to better understand what the regulation advocates and its implications for business (DELOITTE, 2019, p. 32)
Still on the topic under analysis, it is concluded that:
Thus, although macroeconomic factors affect the risk/return ratio of companies, it is possible to conclude that a governance structure offers organizations a better capacity to face both moments of crisis and economic growth (FRAGOSO, Ronaldo, 2019, p. 33).
In this way, it is possible to state that, given the advantages of legal and technological adequacy and the imminent applicability of sanctions for non-compliance with the GDPL, there is no way other than to invest in hiring a lawyer specialized in the area, who will show the most appropriate path to perfect business adaptation to the legal standards contained in the law under review. This ensures that, even in the event of judicial or administrative action, the company has evidence that it has taken the required precautions and, beyond that, allows companies to achieve the advantages related to competitiveness in the market and continuity of business operation even in the event of incidents.
Finally, from a professional perspective, it is clear that the labor market related to data protection is growing and still has a lot to develop, which is why in the coming months and years good opportunities will arise for those professionals who are dedicated to the study of this recent area of legal science.
REFERENCES
BRASIL. Autoridade Nacional de Proteção de Dados. Norma de Fiscalização da ANPD. Available at: <Governo Federal – Participa + Brasil – Norma de fiscalização da ANPD (www.gov.br)>. Accessed on July 15, 2021.
BRASIL. Lei nº 13.709, de 14 de Agosto de 2018. Lei Geral de Proteção de Dados Pessoais. Available at: <L13709compilado (planalto.gov.br)>. Accessed on July 15, 2021.
DELOITTE BRASIL E INSTITUTO BRASILEIRO DE GOVERNANÇA CORPORATIVA (IBGC). Os Cinco Pilares de Riscos: Visão abrangente e integrada sobre os principais riscos empresariais 2019. Available at: <{2f48c689-0c98-4c24-9636-f154e8252a48}_Cinco-Pilares-Riscos-2019-Deloitte.pdf (en25.com)>. Accessed on July 20, 2021.
Lei Geral de Proteção de Dados (Lei nº 13.709/2018): a caminho da efetividade: contribuições para implementação da GDPL / collective work; Ricardo Villas Bôas Cueva, Danilo Doneda, Laura Schertel Mendes, coordinators. – São Paulo: Thomson Reuters Brasil, 2020.
Manual de Compliance / coordinated by André Castro Carvalho, Tiago Cripa Alvim, Rodrigo Bertoccelli, Otávio Venturini. – 2nd ed. – Rio de Janeiro: Forense, 2020.
SAAD, Andreia; HIUNES, Antonio. Ela, a GDPL, vista pelas empresas: uma proposta de visão prática – e otimista. In: CUEVA, Ricardo Villas Bôas et al. Lei Geral de Proteção de Dados (Lei nº 13.709/2018): a caminho da efetividade: contribuições para implementação da GDPL. São Paulo: Thomson Reuters Brasil, 2020. p. 17-28.
SOPRANA, Paula. GDPL: Justiça já possui 600 decisões envolvendo a lei. Folha de São Paulo, São Paulo, July 4, 2021. Available at: <Justiça já tem 600 decisões envolvendo lei de proteção de dados – 04/07/2021 – Mercado – Folha (uol.com.br)>. Accessed on July 15, 2021.
[1] Art. 52. Data processing agents, due to infringements committed to the rules provided for in this Law, are subject to the following administrative sanctions applicable by the national authority:
I – warning, indicating the deadline for taking corrective measures;
II – simple fine of up to 2% (two percent) of the revenue of a legal entity governed by private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to BRL 50,000,000.00 (fifty million reais) per infraction;
III – daily fine, observing the total limit referred to in item II;
IV – publicizing the infringement after its occurrence is duly investigated and confirmed;
V – blocking of the personal data to which the infringement refers until its regularization;
VI – exclusion of personal data to which the infringement refers;
VII – (VETOED);
VIII – (VETOED);
IX – (VETOED).
X – partial suspension of the functioning of the database to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the regularization of the processing activity by the controller;
XI – suspension of the exercise of the activity of processing personal data to which the infringement refers for a maximum period of 6 (six) months, extendable for an equal period;
XII – partial or total prohibition of the exercise of activities related to data processing.
[2] Civil Law of the Internet – Law No. 12.965/2014.
Available at: https://www.conjur.com.br/2021-jul-30/pavon-implacavel-tempo-chegada-hora-sancoes-lgpd
Author: Raissa Varrasquim Pavon • email: raissa.pavon@ernestoborges.com.br