Can Brazil’s first omnibus data protection law bring the country’s many-headed consumer privacy protection system into line, or will it just add to the confusion? Brazilian lawyers discussed the implications of the landmark legislation at a GDR roundtable in São Paulo.
Fragmented enforcement has been a fact of life for Brazilian lawyers for as long as many of them can remember. In the tentacular Lava Jato corruption probe, for example, negotiating settlements with investigating authorities has been a nightmare – companies could reach an agreement with one, only to continue being pursued by others. Bid rigging in public contracts, meanwhile, can see a slew of different enforcers pile in.
Observers say data protection enforcement faces a similar fate. Currently subject to a patchwork of different sector-specific laws, data protection should, from January 2020, be governed by the General Data Protection Law (LGPD).
Approved by Brazil's outgoing president Michel Temer in August, the new law should in theory concentrate enforcement power into the hands of one authority, the National Data Protection Authority. Temer vetoed the creation of the authority, but observers are confident his successor will push something similar through in separate legislation. Indeed, most welcomed the veto, as there were fears that the authority in its original form would have been challenged: Brazil's Congress had proposed creating the new body by amending existing law – but constitutionally, only the president can establish new public authorities.
Despite the good intentions of the LGPD, there is a sneaking suspicion among the legal community that the new authority's power will not be absolute. Patrícia Marta at TozziniFreire Advogados, for one, has doubts. "It's clear from the law that our future DPA is entitled to rule data protection matters," she says. "But in practical terms, I wonder whether the consumer authorities will be involved."
"It's going to be a mess"
At issue for Marta and others are parts of the law that seem to suggest that consumer protection authorities are entitled to a piece of the action. Article 45 says that when data subjects' rights are violated in the scope of consumer relations, the "relevant" law applies. This could mean consumer law still applies, she says. Similarly, article 18 gives data subjects the right to lodge complaints with consumer authorities, as well as the DPA. "It's unclear what exactly that means," says Marcel Leonardi, who was Google Brazil's policy chief at the time of the August roundtable, but is now a counsel at Pinheiro Neto Advogados. "My interpretation is that the consumer authorities should act like a router, receive the complaint and then send it to the data protection authority . . . but it's pretty obvious to everybody in this room that the other interpretation is very possible in the sense that the consumer agency will say, 'no, no me as . . . the consumer agency, I'll actually decide'. That's very dangerous."
Marta thinks it is unlikely that Brazil's labyrinthine consumer defence system will step back from data protection enforcement. Indeed, it recently emerged that São Paulo's consumer protection agency would be setting up a data protection division. "The problem is that the Brazilian consumer defence system is already very spread out," Marta says. "We have three or four levels of agencies and authorities entitled to enforce the consumer law . . . those players are already used to investigating and enforcing together. So for them it's not a problem to have a DPA investigating certain matters and also having them investigate as well – it's going to be a mess."
One prominent arm of Brazil's consumer defence system is the public prosecution service, which is also turning its focus to data protection. Frederico Ceroy, a public prosecutor for the Federal District, has taken a particular interest in the area. He has set up a data protection commission within the office that has investigated alleged infractions by Uber, Cambridge Analytica, Facebook and online retailer Netshoes, among others. Lawyers think it likely that companies will face not only enforcement from the likes of Ceroy but also a new breed of professional litigants spawned by the LGPD. One lawyer says that one of their clients is already facing multiple lawsuits after details of a data leak case were made public by an authority.
What is clear to most is that a DPA will have to assert its authority straight away, to minimise the kind of enforcer pile-on that blights Brazil's anti-corruption efforts. It must do this while avoiding overzealousness, which will be a challenge, says Leonardi: a gung-ho and inexperienced enforcer may find its decisions successfully challenged in court. Such an early setback would make the authority "fragile", he says. He adds that it is entirely possible that the first wave of litigation around the LGPD will determine which regulators are actually entitled to enforce it.
No jack of all trades
While enforcers like Ceroy have been praised for raising the profile of data protection in Brazil, there are doubts that they have the technical knowledge needed for a specialist regulator like a DPA.
"One of the biggest challenges is that most of these agencies or authorities don't have the technical expertise to understand what's going on with the data or how the internet works," notes Dennys Antonialli, executive director at InternetLab, a Brazilian tech law thinktank. "With the DPA, we hope . . . [the authorities] will have a technical body they can consult."
Confusion around new concepts, such as the "legitimate interests" grounds for processing, is a powerful argument for why a specialist regulator is necessary, says Marcel Leonardi. According to the LGPD – which took the concept from EU data protection – data processing is lawful if it is necessary for the purposes of the legitimate interests of the controller or a third party, except when the rights or interests of data subjects override them. Though it is the most flexible lawful basis for processing, EU DPAs warn that if data controllers can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
During discussions around the creation of the LGPD, Leonardi says, some consumer defence representatives assumed legitimate interests referred to the consumer's interests, rather than those of the data controller. "We're going to have a long road of getting good interpretation out of that provision just due to the lack of familiarity and expertise on that particular subject," he says, adding that consumer protection agencies are ill-equipped to face that challenge. "The real interesting and challenging things happening in data are not related to consumer legislation at all . . . it's mostly along the lines of AI being used to diagnose medical conditions using images, simple images of like a thousand different patients . . . and that obviously goes way beyond what the consumer protection agency could do."
The composition of the regulator will be key to its success, observers say. "I'd like to see a balance between people that have some kind of personal rights, advocacy background, and those with a business background. Something of a blend that keeps the equilibrium at the authority," says Raphael de Cunto, a partner at Pinheiro Neto Advogados. For many observers, this balance is crucial: they want to avoid Brazil aping Europe's approach – where DPAs are seen as defenders of human rights first and foremost – too closely. Leonardi says European regulators "don't necessarily think of data usage from a business perspective."
InternetLab's Antonialli echoes this sentiment, and says it is important that would-be regulators consider approaches other than Europe's too. "Sometimes consumer law people rely on the European model and they disregard completely the particulars of the American system and I think it's really important, since most of the companies that we deal with are American, that they have an understanding of how the [US Federal Trade Commission] works, what are the standards there and what is the system there, so that we don't have an authority that is just eager to go after big companies and forget about everything else, because I think that's problematic."
Different attitudes to privacy are one reason why Brazilian regulators should forge their own path, observers say. Recalling a social experiment by InternetLab that involved secret filming in a pharmacy, Antonialli says customers were happy to hand over troves of personal data – including social security numbers, fingerprints and friends' names – when asked. Similarly, Leonardi says that when Google launched Street View in 2012, many people were disappointed when they discovered their faces had been blurred. He contrasts this with Germany, where people even asked for their houses to be blurred, and Japan, where Google agreed to position its cameras so that they could not look into people's front gardens after a public outcry.
It is clear from anecdotes like these that a big part of the Brazilian DPA's role, at least in the early days, will be as an educator, both to the general public and to companies. Fabio Kujawski of Mattos Filho Veiga Filho Marrey Jr e Quiroga Advogados says many companies are in denial about their duties under the new legislation. "Some clients treat data in a way that is very flexible and making them compliant with this new legislation will cost a lot of money because you will have to change systems and policies," Kujawski says. "We always have this discussion with the commercial guys who are angry because you tell them they can no longer hold this data in their system." Similarly, Opice Blum Bruno Abrusio e Vainzof partner Renato Opice Blum says that when it comes to consumers, "everybody is clicking and no one is reading or understanding what they are doing", especially in Brazil.
Others have had similar experiences, saying that many companies in Brazil haven't even begun thinking about needing to have a legal basis for processing, ensuring that vendors are compliant, or being able to map out where all their data is.
Keep it civil
There are also questions around which other rules may come into conflict with the LGPD. One of the most likely to do so is the Civil Rights Framework for the Internet, which is generally known as Marco Civil. Approved in 2014, the legislation has so far acted as a data protection law by proxy. According to Mattos Filho's Kujawski, specific provisions in the Marco Civil around consent conflict with the LGPD. "In the Marco Civil, consent has to be express. We don't have that obligation in the new law and then the question is: should the new law actually supersede the Marco Civil, meaning that we don't need express consent for collecting data online anymore, or is it the other way around?" he says.
The lack of clarity over which regime should govern is intentional, says Leonardi, who played a key role in negotiations around both laws.
"Congress did not say directly that those specific provisions of Marco Civil were being considered null and void, because Marco Civil is still perceived, especially by certain people in Congress, almost like the Holy Bible – you can't touch it," he says. Although the LGPD should overrule the Marco Civil, he continues, some might still argue that the older framework applies. To do so, however, would exclude the legitimate interests grounds for processing and much else about data protection that the LGPD seeks to modernise.
There is another cautionary tale associated with the Marco Civil: some judges "simply ignore" the legislation, according to Kujawski. "It's going to be awful if we have that situation here, but that's something that could actually take place," he says.
A growing army of advisers is helping clients navigate these choppy waters. As with the GDPR, the LGPD has led to a boom in purveyors of data protection advice. But according to some observers, many are overestimating the size of the market. "At least most companies, big companies, would rather train their in-house staff on data protection rather than just rely on outside counsel all the time. As more and more internal expertise exists, less and less of that's going to be sent through to law firms," says Leonardi. However, he expects outside counsel will be useful when it comes to having "difficult conversations" with the DPA, and in training in-house teams.
Data protection is expected to become a standard part of corporate law firms' services alongside the likes of tax and employment. But while a large number of specialised privacy lawyers in private practice have emerged in the US and Europe, observers doubt that Brazil will follow that trend. Pinheiro Neto's de Cunto says larger firms can't afford not to have privacy teams at this point, but he thinks that may change in a few years' time. "Long term, it's going to blend to something else. It's just like all of us. We evolved from, I don't know, from telecoms, from IP and then we moved up in the chain, value added chain, into internet and then something else."
Some, such as Fábio Pereira, a partner at Veirano Advogados, see a parallel between data protection work now, and white-collar crime work that followed the introduction of Brazil's Clean Company Act in 2014. Pereira predicts an initial wave of compliance work, followed by litigation and the handling of investigations by the authorities. He adds that the compliance wave may last for a while as companies had not expected the law to be introduced this year, and had not budgeted for it.
For all the concerns of a fractured enforcement landscape, clashes between conflicting laws, and insufficient technical know-how in Brazil, there is an overwhelming feeling that the LGPD will be good for the country.
"Brazil needed this legislation," says Kujawski. "I think the lack of a specific law dealing with data protection probably put us on a negative path in terms of international data transfers. So, the fact that our legislation is quite similar to the GDPR is good for international trade – having something that is similar to other jurisdictions makes companies' lives easier."
Roundtable hosted, with GDR's thanks, by Mattos Filho.