Data protection and cybersecurity in Brazil

In the years preceding the Brazilian Data Protection Law (Law No. 13.709/2018 or LGPD), there were already legal texts in force that protected privacy and personal data in Brazil in a scattered manner, such as the Federal Constitution of 1988, the Consumer Defense Code – Law No. 8.078/90, the Civil Code – Law No. 10.406/2002, the Positive Credit Act – Law No. 12.414/2011, and the Access to Information Act – Law No. 12.527/2011. The LGPD, in turn, was a response to the growth in personal data flows across all types of organisations. It came into force in September 2020 and regulates how organisations may process personal data in Brazil by establishing detailed rules for its use.

In this sense, the LGPD has led to a profound transformation of the Brazilian data protection system. Broadly aligned with the European legislation (General Data Protection Regulation – GDPR), the LGPD affects all sectors of the economy both inside and outside the digital environment, including relationships between customers and suppliers of goods and services, between employees and employers, and any other relationship in which personal data is collected and processed.

The scope of application covers any personal data processing carried out in Brazil by a natural person or a legal entity, irrespective of where such person is domiciled or where the data is located. It also applies when the purpose of the processing is to offer or supply goods or services to individuals located in Brazil, or to process the data of such individuals; and when the personal data subject to processing was collected in Brazil. In view of this, companies targeting the Brazilian market are subject to the LGPD even if they have no establishment in the country.

In order to process personal data in accordance with the law, a controller must (a) rely on a legal basis (such as consent, performance of a contract or legitimate interest) for each data processing activity; (b) observe the data protection principles, including the provision of clear, precise and easily accessible information about the processing to data subjects; and (c) document its data processing activities for accountability purposes, among other obligations.

Mattos Filho’s data protection and cybersecurity practice is well equipped to advise clients in this moment of legislative and cultural change in Brazil with respect to the protection of personal data. With highly specialised partners and lawyers, we assist companies in making the adjustments necessary to comply with the LGPD, in structuring data-focused compliance programmes (including assistance with Data Protection Impact Assessments), in developing products and services in line with the principles of privacy by design and privacy by default, and in drafting privacy policies and terms of use.

Our team is often retained to advise on the interaction between foreign and domestic privacy and data protection laws, including the Brazilian Internet Act and the Brazilian Consumer Defense Code, and on industry-specific data protection regulations. We also advise clients on the use of databases (market analytics and big data) and on the processing of information within online activities and related technologies, including the internet of things (IoT) and smart and wearable devices, and we issue legal opinions on the legality of cloud-based solutions for a wide range of regulated industries.

More specifically regarding compliance with the obligations introduced by the LGPD, several complex points have drawn our team’s attention lately. Common topics include assistance in creating products and services that meet those data protection obligations; training and support for employees and service providers; analysis of the legality of international data transfers and of the applicable documents; and the preparation of agreements, binding corporate rules, codes of ethics and standard contractual clauses, among other instruments that cover data transfer and/or processing.

While the Brazilian Data Protection Authority (ANPD) has not yet regulated most provisions of the law, our solid experience in LGPD compliance allows the firm to anticipate problems, implement solutions and, consequently, handle each client’s case efficiently. The continued development of our professionals’ technical skills allows us to offer a team with expertise in cybersecurity, data protection and privacy.

Recent materials published by our team cover such topics as (i) the intersection between the LGPD and corporate investigations for compliance purposes, which raises issues of data retention, data access and incidental access to sensitive third-party data; (ii) the recent recognition of personal data protection as a fundamental right in Brazil, through a constitutional amendment in which the Brazilian Congress recognised the importance of data protection for individuals, an issue that has grown in recent decades in light of new technologies and information flows in the digital environment; (iii) Brazil’s accession to the Convention on Cybercrime (the Budapest Convention), which may help tackle the deterritorialisation that is a known challenge in fighting cybercrime; and (iv) the recent lessons of the European Data Protection Board for Brazil in relation to international data transfers.

It is also worth highlighting that data breaches and cyberattacks pose a genuine threat to our interconnected world, affecting businesses and individuals alike. This threat has become increasingly relevant over the last few years as it has impacted financial institutions, private organisations, critical infrastructure and government systems. Given this scenario, cybersecurity has become a high-profile issue in Brazil and there is increasing demand for regulation.

Cybersecurity requirements in Brazil are generally set by sector regulators for the entities they supervise, such as the Brazilian Central Bank (BACEN), the Securities and Exchange Commission (Comissão de Valores Mobiliários – CVM), the National Telecommunications Agency (ANATEL) and the Brazilian Private Insurance Authority (Superintendência de Seguros Privados – SUSEP).

In view of the above, our cross-disciplinary team works in the prevention, investigation and management of external and internal security incidents, as well as assisting our clients in criminal investigations. Our professionals also support clients in their interactions with public agencies, including public prosecutors, consumer protection authorities and agencies, and other regulatory agencies.

Within this context, we are prepared to help clients with strategic litigation in the technology sector, such as individual or class actions dealing with the undue use of data, civil or contractual liability, or security incidents.

The penalties provided for by the LGPD include warnings; fines of up to 2% of the revenue of the company or group in Brazil in its last fiscal year (limited to R$50m per violation); public disclosure of the violation; blocking or deletion of the personal data to which the violation relates; and partial or total, temporary or definitive suspension or prohibition of data processing activities. Moreover, the LGPD has turned data protection governance into a relevant asset for entering into agreements in the market. Thus, preparing in advance and building a data protection culture is essential to keep up with the regulatory changes that have occurred in Brazil.