Following the recent MEF Connects Digital on the subject, and Member Meet-ups in São Paulo, Rafael Pellon, MEF LatAm advisor and partner at Focaccia, Amaral, Salvia, Pellon & Lamonica Advogados, discusses the continuing developments in Brazilian legislation regarding data privacy and the adoption of GDPR-like rules.
After the discussions held at the Data Privacy in LatAm Workshop that MEF promoted last month, it became clear that the online industry is evolving with more respect for privacy, treating it as a strategic asset that can differentiate businesses and determine who wins the digital customer of the twenty-first century.
After all, data privacy laws are spreading quickly. After Europe implemented GDPR back in May, Latin America followed en masse, with Brazil approving its data privacy law in August, to take effect in 2020. Argentina and Colombia updated their privacy laws to provide for some of the GDPR rules. Mexico, Chile and Peru are discussing reforms to their privacy laws.
The digital life of the second decade of the century will probably be marked by such milestones and a broader respect for users’ rights, giving them the choice of how to manage their data.
Although the Brazilian law is heavily based on GDPR, which shows that the European law has become the gold standard for such regulations, the Brazilian data privacy regulation has some particularities, especially the lack of consent for the collection and processing of financial data.
Considering the unprecedented economic crisis that Brazil is only now leaving behind, such a provision was needed to avoid increasing financial risks for local companies.
The other big difference from GDPR was the veto by Mr. Temer, the Brazilian President, of the creation of the Data Privacy National Authority, citing concerns about its legitimacy, given that the law wasn’t proposed by the Executive branch and thus couldn’t provide for the creation of any government body.
The promise to send a specific bill creating the national authority wasn’t fulfilled either, leaving it in the hands of the next government, which starts in January, to decide the matter. Right now, without a specific public body to oversee data privacy practices, it will be up to public attorneys, consumer defence public bodies, NGOs and independent lawyers to demand that companies comply with the law.
There’s a risk, though, that a tsunami of lawsuits floods companies and courts, all discussing the same issues. It could become a problem for the courts, which will have to deal with data privacy lawsuits and foster consistency among the decisions to come.
Aside from such Brazilian particularities, the other requirements are pretty similar to those in GDPR. It is worth mentioning that the data privacy law does not apply to anonymized data, something that will probably be the big exemption from compliance with the law, allowing companies to process and gather insights from databases that do not allow the identification of any users.
Another similar provision is the need for companies to appoint a data privacy officer (or DPO) to engage with the Government on data privacy topics. Such a DPO will need to either be a Brazilian or speak Portuguese, since all Government relations should be conducted in the local language. It isn’t clear yet whether the DPO should be an employee of the company or a third party, something that would be defined by the national authority.
Without it, it is probable that anyone related to a company who presents themselves as a DPO will be identified as such by the Government.
With all of that in mind, the outlook for the implementation of the Brazilian Data Privacy Law is favorable for companies that are already in compliance with GDPR and will only need to make minor adjustments, since both regulations are really similar. For Brazilian companies, it’s going to be a lot of work and the next 16 months are going to fly, given the number of procedures to be implemented by February 2020.
They may face the same situation as in Europe, where companies struggled to be GDPR-ready in the last days before it became effective. With the lack of clarity on how to apply the law and who its sheriffs are, it is certain that some confusion will arise before there’s any harmonization of its procedures. In the meantime, the big behemoths of the online industry can expect sweep investigations once the law is effective, whilst smaller companies will count on Government sympathy, at least in the first months of 2020.