LGPD optimizes the scenario for a connected economy
In force for four years, the General Data Protection Law has transformed the data handling landscape in Brazil, bringing both challenges and benefits. Understand the responsibilities and advantages it offers for businesses.
By Gustavo Sumares
On November 5th, the National Data Protection Agency (ANPD) celebrated its fourth year of activity. The agency was born two years after the effective date of the General Data Protection Law (LGPD), which marked a shift in the behavior of companies and customers regarding the processing of personal data in Brazil.
Promulgated on August 18, 2018, the LGPD is the primary text that outlines the correct way to collect, store, and process user data. It came into force in September 2020 and can be compared to legislation in other countries, such as the GDPR of the European Union and some state laws in the United States, like the CCPA in California.
According to Luiz Augusto D’Urso, a lawyer specializing in digital law, this law benefits not only users – who have their right to privacy and control over their information recognized – but also companies that process this data.
“When the Consumer Protection Code came into force, companies had difficulty understanding the importance of that law, thinking that it only benefited consumers. After 34 years, both the supplier and the consumer understood that it is a law that protects both. And the LGPD can be seen in the same way,” argues Luiz Augusto.
This is because the law’s text clarifies the responsibilities and obligations of companies that process data in Brazil. “When there is no law, you have doubts about what you can and cannot do. The LGPD has cleared up all these doubts and balanced this scenario, making both Big Techs and national companies feel secure in doing this type of management,” he adds.
Types of data
Any company that collects data about its users or potential customers must follow the provisions of the LGPD when processing this information. However, there are different types of data, and certain information requires special treatment.
The law defines “personal data” as any “information related to an identified or identifiable natural person.” For example, an email address, a CPF (Brazilian social security number), a cell phone number, or any other information that can identify a person.
However, information “about racial or ethnic origin, religious beliefs, political opinions” and some other topics is considered “sensitive personal data.” Chapter II of the LGPD describes the specific treatment that this data must have, including the situations in which it can be collected and how this collection should be done. Data of children and adolescents also has a dedicated section.
“For the processing of IoT (Internet of Things) data, it is very likely that the data processed is not sensitive. For example: when the homeowner opened a lock or turned on a smart light in their room,” explains Luiz Augusto.
But some devices, such as smartwatches and devices focused on health and wellness, can collect sensitive data. This is the case, for example, of the Apple Watch, which is capable of monitoring and storing data such as heart rate and blood pressure of its user. “The company that collects it has to make a distinction in its database between the way it will handle personal data and how it will treat sensitive personal data,” the lawyer indicates.
These obligations, however, do not extend to companies that resell products that collect data but do not participate in the management of that data. For example, if a Brazilian store resells an imported smartwatch and the manufacturer of the product violates the provisions of the law, the reseller cannot be sanctioned.
Compliance with the law
Knowing the LGPD and the obligations it brings, for Luiz Augusto, is the first step for any company that intends to process user data for any purpose. If the company already processes data, it is important to highlight, in its Terms of Use, how this processing is carried out. “The LGPD makes it clear how data management can be done. So, just respect these provisions of the LGPD,” he adds.
Whenever data is collected, the data subject must know the purpose of that collection. According to the lawyer, it is essential that the company always respects the purpose. “If the system of an electronic lock, for example, informs that it will collect data to improve performance, then it is only for that. It cannot, tomorrow, sell this data to someone.”
In addition, the law also guarantees the “informational self-determination” of the data subject. Therefore, companies that process or control data must always respond clearly when data subjects question this processing or even request the deletion of their information from the database.
Possible sanctions
Companies that violate the law are subject to a series of sanctions, ranging from warnings to the exclusion of their database. There are also fines, which can reach 2% of the legal entity’s turnover in the last fiscal year, limited to R$ 50 million. The sanctions, according to the law, are increased depending on the conduct of the infringing organization. They tend to escalate, starting with the warning.
The law also provides for the publication of the infraction, which can be extremely serious for businesses. “Today you build credibility by treating data well, with security. So, publicity is very harmful and is provided for by law,” highlights Luiz Augusto.
It is worth mentioning that a possible data leak is not enough for the company to be punished, according to the lawyer. For a company to have to compensate a data subject, it is necessary not only that it be responsible for the leak but also that this leak has caused some damage, moral or material, to the data subject.
Changes and challenges
In Luiz Augusto’s view, “since the LGPD was enacted, we have had a change in behavior in Brazilian society.” This change was in the direction of empowering data subjects and leading companies to worry about processing. By bringing clarity on how the government deals with data, the lawyer believes that “it is an exceptional law for the entrepreneur.”
On the other hand, he considers that the positive effects of the legislation could be amplified with a strengthening of the ANPD’s performance. In fact, although it was created in 2020, the agency only applied its first fine in July 2023. Since then, it has only involved public institutions, which are not subject to fines.
Even so, the lawyer believes that, with the popularization of smart devices that process personal data, the law represents an important framework to guide the development of business. “The Internet of Things scenario is super positive, the user experience today is super cool, automation is something of the future, and the LGPD has prepared the moment for this evolution to happen in a promising way,” he assesses.
Source: Eletrolar News Ed. 164