International transfer of personal data may soon be regulated in Brazil

International transfer

A public consultation was opened – a mechanism for sending contributions to the Brazilian National Data Protection Authority (“ANPD”) – on rules for international transfers of personal data. Its opening took place in the week of the Brazilian General Data Protection Law (“LGPD”) 5th anniversary, in August this year.

 

The LGPD defines the international transfer of personal data in its article 5, item XV, considering this transfer to a foreign country or international organization of which the country is a member.

 

The ANPD objective is to regulate the matter, in addition to creating standard contractual clauses, which are provided for in article 33 of the LGPD as an alternative for carrying out an international transfer of personal data, if the controller offers or proves guarantees of compliance with the principles, the data subject rights, and the data protection regime provided for in the LGPD itself.

 

International transfer

 

The LGPD enables the international transfer of personal data in other cases, such as to countries or international organizations that provide a degree of protection of personal data adequate to the provisions of the Law; when the transfer is necessary to protect the life or physical integrity of the data subject or a third party; when the data subject has provided its specific and highlighted consent for the transfer, with prior information on the international nature of the operation, clearly distinguishing it from other purposes; among other hypotheses.

 

With this regulation, therefore, it will be possible to regulate the transfer of personal data to foreign countries or international organizations of which Brazil is a member.

 

Author: Caroline Muniz and Cesar Peduti, Peduti Advogados.

Source: Aberta Consulta Pública sobre norma de transferências internacionais de dados pessoais (https://www.gov.br/anpd/pt-br/assuntos/noticias/aberta-consulta-publica-sobre-norma-de-transferencias-internacionais-de-dados-pessoais)

 

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”

“Se quiser saber mais sobre este tema, contate o autor ou o Dr. Cesar Peduti Filho.”

The importance of security measures and the personal data protection in maintaining business

Data leaks, phishing, ransomware, viruses, among other terms, have become recurrent and much talked about in recent years. With the entry into force of the recent Brazilian General Personal Data Protection Law (Law No. 13.709/2018), also called “LGPD”, on September 18 of 2020, attention is focused mainly on the data of individuals and the incidents that may occur involving these data.

 

There is no precise definition in Brazilian law on what would specifically be a personal data breach. Despite this, there is a great influence of international data protection law, mainly from the European Union. According to article 4 of the General Data Protection Regulation, such a breach can be understood as a “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

As an example, malware can be cited, which is a malicious program, ransomware being one of the best known. It can be understood as a malicious code to hijack data – after infecting a computer, access to a company’s files can be blocked, for example, in order to demand a ransom to release this access. The theme generates great concern because as exposed by “Jornal Hoje”, in the case of the city of São Paulo, cybercrimes recorded in six months of this year exceeded the total of last year. Furthermore, studies revealed that 54% of global organizations assessed admitted that their methods of assessing cyber risks are not sufficiently sophisticated, leaving them vulnerable to potential threats.

 

 

With an essentially preventive character, the LGPD determines that “the processing agents shall adopt security, technical and administrative measures that are capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, modification, communication or any other form of inappropriate or unlawful processing.” (Article 46, LGPD). It is therefore understood the importance of implementing security measures by those responsible for processing personal data. The consequences of underestimating the relevance of these measures can be extremely harmful to a company’s business and can result in financial and reputational losses. The security measures will, above all, help in business continuity, that is, not allow its unplanned interruption or, even, ensure its resumption in a timely manner, if necessary.

 

Finally, it should be noted that those responsible for the processing of personal data undertake to guarantee the information security provided for by the LGPD in relation to personal data, so that if the law is not complied with, such agents are liable to suffer administrative sanctions by the Brazilian National Data Protection Authority (“ANPD”), including a fine of up to 50 million reais.

 

For more information on how to keep your company in compliance with the LGPD, contact Peduti Advogados.

Author: Caroline Muniz, Junior Associate at Peduti Advogados.

Source: Mais da metade das empresas globais enfrentam exposição ao risco cibernético; Why global organisations are struggling to manage cyber risk; Artigo; GDPR.

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”

“Se quiser saber mais sobre este tema, contate o autor ou o Dr. Cesar Peduti Filho.”

The arrival of 5G in Brazil and its impact on personal data protection

5G in Brazil

With the recent arrival of 5G in Brazil, much has been said about the perspectives for improvements brought by this technology. As the world moves towards faster connections, however, its impact on personal data protection must be considered.

The capital, Brasília, was the first city in the country to receive 5G and the forecast to arrive in all cities in Brazil is only at the end of 2029. It is unquestionable that it is a process of changes, with some limitations, such as the fact that the technology can only be used in the areas where it was released or by specific devices that can receive it.

Despite some obstacles to the complete adaptation of this technology in Brazil, there are countless benefits that can be brought by it, such as: faster and more stable connection; advances in telemedicine and technologies involving self-driving cars; greater interactions in the metaverse; improvement in response time between the origin and destination of information; among others.

 

5G in Brazil

 

The advantages exposed above, however, will directly relate to the way people handle and expose their personal data. The fact is that there will be greater data collection, as well as an expansion of services that will make use of facial recognition and artificial intelligence in general. It is therefore essential to pay greater attention to the Brazilian General Personal Data Protection Law (Law No. 13.709/2018), also called “LGPD”.

The LGPD is a recent law, with its entry into force on September 18, 2020, and applies in cases where there is (i) the processing of personal data in Brazil; (ii) offering or providing goods or services to individuals located in Brazil; or (iii) personal data collected in Brazil.

Thus, even though the data protection culture in Brazil is in the dissemination phase, it is extremely important that companies comply with the law, in order to follow all this technological progress, to demonstrate transparency with their data subjects, and also to avoid any type of sanction that may be imposed by the Brazilian National Data Protection Authority (“ANPD”).

For more information on how to keep your company in compliance with the LGPD, contact Peduti Advogados.

Author: Caroline Muniz, Junior Associate at Peduti Advogados.

Source: 5G chega ao Brasil nesta quarta; guia explica o que vai mudar com a nova tecnologia

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”

“Se quiser saber mais sobre este tema, contate o autor ou o Dr. Cesar Peduti Filho.”

Legitimate Interest In Action

With the beginning of the data age, companies and organizations started to store more information about their customers uncontrollably. Papers storing the information became to be digitally retained by organizations.

To comply with the new global trend on processing data, Brazil issued a law known as the General Law for the Protection of Personal Data (LGPD) as of August 14, 2018. This law entered into force in September 2020 to regulate the processing of personal data in Brazil.

Ten legal bases set the conditions for processing personal data. The legitimate interest is one of the most flexible ways of making data processing viable by the controller.

The organization needs to carry out some tests to ensure that the legitimate interest can be applied as a legal basis for data processing, evaluating, and documenting the Legitimate Interest Assessment (LIA).

One should consider some issues to ensure that the legitimate interest is applicable to data processing, such as:

· Why do you want to process personal data?

· What benefit do you expect to obtain from the processing of personal data?

· Do any third parties benefit from the processing of personal data?

· How significant are these benefits?

· What would be the impact if you could not continue with treatment?

· What is the intended outcome for the data subject?

The company needs to balance the factors identified during the assessment and decide whether it still believes that its interests are compatible with the treatment of data taking into account reasonability and ethics as guiding principles of the test.

It is relevant to advise the person in charge of personal data protection or advise a consultant specialized in Digital Compliance, bringing benefits in the evaluation procedure to ensure that the company reaches a satisfactory degree of compliance with the data protection regulations.

Lawyer Author of the Comment: Felipe Liphaus

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”
“Se quiser saber mais sobre este tema, contate o autor ou o Dr. Cesar Peduti Filho.”

The Brazilian Data Protection Act is a bold advance in attracting foreign capital.

Brazilian Data Protection

Brazilian regulatory and legislative approaches towards internet-based and personal data-voracious services are surprising “market-friendly” than most entrepreneurs can think.

It’s a fact that the public opinion and cultural imaginary are very aware of the data-driven business intelligence beneath new services and an urge of privacy arose from the fear of an imminent totalitarian dystopia. Well, if something like that one day may occur, it will be no Brazilian legislation that stops the process.  

The Brazilian General Data Protection Law (LGPD) is a bill that adopts the same framework as the European Union General Data Protection Regulation (GDPR). Structurally the LGPD is very similar to the EU model, however, the similitudes don’t extend in the same way to the semantic content.

Meanwhile, the EU GDPR brings certain protectionism praxis over the citizen’s personal data, for example, the cross borders and extraterritorial limitations on data processing as well as acquisition and usages of such dataset, or the high punitive penalties for data breaches over internet-based services, the BR LGPD stands for economic liberty over individuals rights and restrictions.

The openness of Brazilian law can be shown over the automated decisions on personal data, unlike its EU predecessor, the bill doesn’t impose human supervision/revision of the processor to use algorithm credit scores, nor any automated decision based on personal data analysis. This can sound awful for some but is the deal-breaker for various credit and financial services stimulated by the authorities. 

Brazilian Data ProtectionThe so-called fintechs are one of these expected actors to mitigate the highly concentrated retail bank market, so much to Brazil´s Central Bank create the figure of SCD and SEP. These non-financial societies for microcredit are permitted to operate with less regulatory obligations and 100% foreign capital.

In addition, the basis for open bank initiatives can be found in the LGPD covering financial and credit personal data portability and the freedom of choice of the client. With this, the Brazil Central Bank already anticipate some of its near future regulations in the Comunicado 33.455 of 2019 launching fundamental requirements for open banking implementations.

The 7th biggest economy in the world is broad open arms to the development of personal data-eager services, betting high in these fast-paced technological enterprises with some new youngbloods to bite giants’ financial institutions oligopolies.

Lawyer Author of the Comment: Luiz Henrique Rodrigues de Souza

“If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.”
“Se quiser saber mais sobre este tema, contate o autor ou o Dr. Cesar Peduti Filho.”