IMPACTS OF THE GDPR IN BRAZIL
Authors: Fabio Alonso Vieira / Flávio Augusto Spegiorin Ramos / Carolina Barbosa de L. Cunha V. da Costa
In the last couple weeks, recent events have heated up the debates worldwide related to privacy and data protection, turning it into one of the most discussed subjects in various fields. The first is the entry into force of the General Data Protection Regulation (“GDPR”) and the second related to the scandal involving the treatment and release of personal data, illustrated by the testimony of Facebook’s CEO Mark Zuckerberg in his hearing before the United States Congress.
There is a consensus on this matter: although the owner of the data provides the information to the various service or product providers, in most cases he or she does not know how their personal data are used (including commercially), handled or stored by such companies. It is this situation of potential legal uncertainty – for internet users, who provide the data, and for the companies themselves as they are subject to the duty of treating the data – that has worried the whole world.
The debate related to data protection in Brazil, in the National Congress or through judicialization is only beginning.
There is a consensus on the matter: that the GDPR will modify the entire paradigm of the processing of personal data by companies around the world, by offering products and services, or monitoring the behavior of citizens in European territory. For this reason, is had become priority to the legal, compliance and TI departments, since it provides sanctions, such as significant fines and the suspension of electronic operations (via internet).
To illustrate the impact of this regulation on the market, according to results obtained through a global survey conducted by Deloitte at the end of last year, only 15% of the organizations surveyed would be able to comply with the terms and conditions established in the GDPR by May 25, 2018.
One of the main points of the GDPR is the definition of the concept of personal data. In Brazil, PL 5276/2016 and PLS 330/2013, both in progress in the National Congress, seem to follow the same path proposed by the GDPR, including when encompassing the concept of personal data, seeking to complement theBrazilian Civil Rights Framework for the Internetthat does not bring such definition.
The GDPR also allows the international transfer of personal data of European citizens to non-EU countries, provided that these countries meet security requirements such as laws relating to human rights and fundamental freedoms; the existence and efficient operation of an independent supervisory authority; and compliance with the rules laid down in treaties and conventions of which the original country is a signatory.
Another important aspect of the GDPR involves the rights that are given to the holders of personal data: transparency of information; right to rectify improper, irregular or outdated information; the right to impose restrictions on the processing of personal data; the right to portability of personal data; and the right to object to the processing of your data.
The dynamics of action and cooperation provided in the GDPR also draws attention. For example, it provides for a duty of cooperation between authorities responsible for protecting personal data, including the duty to draw up codes of conduct to be observed by all authorities in EU member states. In addition, it seeks to centralize all aspects of data protection in a single agency, which will be responsible for decisions that will guide the conduct of other authorities responsible for protecting the personal data of European citizens.
The bills that have been in progress in Brazil, since their initial drafting, have been based on the rules set forth in the GDPR. As we already imagined, the European regulation will arrive first than the Brazilian regulation and, being this an electoral year and given the political circumstances of the country, it seems to us that the theme will still be going for a long time in Brazil although we cannot ignore that the entry into force of the GDPR could stimulate the Brazilian National Congress to take-up the date.
Despite the issue moving slowly in Congress, the Judiciary has already shown that discussions on data protection in Brazil will also be very heated, especially when prosecuting situations involving data processing by Brazilian companies.
Recently, the Federal Court of São Paulo, in an injunction issued in a Public Civil Action filed by the Federal Public Prosecutor’s Office, determined that, within 30 days, Microsoft should make adjustments to its operating system (in this case, Windows 10) with the purpose of making it clear and simple for the consumer user’s choice not to provide their personal data to the giant Microsoft. The intent is to prevent the user’s personal data from being automatically transferred to the company without the users clear and adequate consent to such transfer.
The discussion about data protection in Brazil, whether through the National Congress or via the judiciary, is just beginning and well away from a scenario that guarantees legal certainty to Brazilian companies and citizens. In this case, the companies leading companies will be those who have already adapte their practices, in accordance with the rules set forth in the GDPR, pondering the rules already drafted in Brazilian bills. And the role of corporate legal areas will be key to a secure transition that will have the least possible impact on the progress of your business.
Fabio Vieira, Flávio Ramos and Carolina Costa are associates at Kestener, Granja & Vieira Advogados
