In May 2017, The Economist magazine displayed on its cover the statement that personal data are the world’s most valuable resource, even more so than oil.
This is, without doubt, a very forceful statement, although, as we shall see below, by no means an exaggeration.
In fact, the use of personal data by companies plays an increasingly important role in the income of certain enterprises, whose business model depends on the collection and processing of data needed for sales and advertising, as in the case of Facebook and Google; the healthcare market, which relies heavily on data collection, deserves emphasis as well.
At the same time as these companies continue relying on the collection of personal data to sustain their income, there is growing concern regarding the protection of such data. The year 2018 was rife with scandals involving leaks of personal data, such as those involving Facebook and Cambridge Analytica, the latter being only the most notorious case among many others, which are becoming more and more frequent, proving that the concern is justified.
For this reason, legislation that regulates the processing of data is gaining in importance, such as the General Data Protection Regulation (GDPR), that came into force in May 2018 in Europe, and in Brazil the General Personal Data Protection Law (LGPD), due to come into force on August 22, 2020, as a result of the issue of Provisional Decree (Medida Provisória) no. 869/2018, which, among other matters, extended the vacatio legis of the LGPD from 18 to 24 months, and also created the National Data Protection Authority (Autoridade Nacional de Proteção de Dados) (ANPD), responsible for regulating and monitoring the effective enforcement of the legislation.
Although the LGPD has still not come into force, it should be noted that, in the European case, there was a vacatio legis of 2 years for companies to adjust. But there had also been a data protection regulation since 1995 (and even earlier, with Convention 108). The Europeans were therefore already accustomed to this earlier regulation, but even so this was not sufficient to prepare them to adapt to the GDPR after the vacatio. Proof of this is that recently (on January 21, 2019), the French National Data Protection Authority, based on the GDPR, imposed a fine of €50 million on Google, the heaviest punishment imposed to date under the new European Union Regulation.
Therefore, if even in Europe, which already had a certain legislative tradition as regards data protection, companies are not prepared to adapt to the law, what can one say of the Brazilian situation, which had no legislative background in this area (except for a few sparse laws, such as the Marco Civil da Internet)? Note that the Brazilian LGPD follows to a large extent the text of the GDPR.
For these reasons, it is a matter of urgency that companies of all sizes and fields of activity should seek to organize and prepare themselves, and gather all the necessary elements, both from the technical and human capital point of view, in order to avoid being penalized. It should be borne in mind that the LGPD provides for a fine of up to 2% of the sales of a private law legal entity, group or conglomerate in Brazil in its last fiscal year, limited to a total of R$ 50 million per violation, among other sanctions.
One of the first ways of adapting to the new legislation is by creating a privacy policy that is well defined, transparent, easily comprehensible, and in conformity with the new LGPD rules, since the problem lies not necessarily in the collection and processing of data, but rather in the lack of transparency on the part of the companies in relation to the use of such data. This applies not only to enterprises that depend on the processing of data to earn income, but also to all companies that in some way obtain personal data, regardless of their size (since the law makes no distinction in this respect). Note also that, even for those entities that already have privacy policies formulated by their European parent companies, based on the rules of the GDPR, adaptation to the LGPD rules is necessary, in order to avoid violation of the Brazilian legal provisions and the consequent imposition of penalties.
It is also necessary to have an internal mapping in the company, in order to understand clearly what personal data are being processed, how this is done, for how long and for what purpose, a task that will require the integration of various corporate sectors, involving IT, legal, HR and compliance personnel, among other departments.
In addition, all contracts that in any way involve the collection and processing of personal data must be reviewed, including supervision of the data security systems of third parties such as suppliers and partners, in view of the joint liability introduced by the LGPD. Protection of the data of the company’s own employees is also important.
Finally, it is worth stressing that, more than the actual imposition of penalties, the main risk for the company is the damage to its image and the consequent loss of customers (who will increasingly take into account the protection of personal data in their choices), as well as the loss of market value for companies whose shares are quoted on the stock exchange.
Accordingly, those who act straightaway will have, in addition to the protection, a substantial competitive differential by showing themselves to be companies that are committed to transparency and security in the processing of personal data, and especially the establishment of trust with their customers. On the other hand, those who are reluctant to change may expect to provoke increasing suspicion on the part of shareholders, regulators and customers, as well as a greater possibility of exposure to sanctions for any violations of the law.
Frederico Amaral Filho and Charles Wowk
Associate lawyer and Partner in the Civil Law Area of Stüssi-Neves Advogados – São Paulo
frederico.amaral@stussinevessp.com.br and charles.wowk@stussinevessp.com.br