A practical guide for Brazilian companies facing GDPR and comparison GDPR x LGPD

N/A
N/A
Protected

Academic year: 2021


A practical guide for Brazilian companies facing GDPR and comparison GDPR x LGPD

Name: Manouk Ekkerman
E-mail: manoukekkerman@gmail.com
Student number: 10512845
Mastertrack: European Private Law
Name of supervisor: Professor Candida Leone
Date of submission: 26th of July 2019


Table of contents

Abstract p.4
Resumo p.5
Introduction p.6
Chapter 1 Introduction of the Law and Material Scope p.12
1.1 Emergence of privacy laws p.12
1.1.1 General Data Protection Regulation (GDPR) p.12
1.1.2 Lei Geral de Proteção de Dados (LGPD) p.13
1.2 Material Scope p.14
Chapter 2 Applicability of the GDPR to Brazilian companies: Territorial Scope and International Data Transfers p.18
2.1 (Extra-)Territorial scope p.18
2.1.1 Public International Law p.19
2.1.2 Establishment or Representative in the EU p.19
2.1.3 Offering goods or services to subjects in the EU or monitoring subjects in the EU p.20
2.1.4 EU Nationality? p.22
2.1.5 Enforcement p.23
2.2 International Data Transfers p.24
2.2.1 Adequacy Decision or Treaty p.24
2.2.3 Consent p.27
2.2.4 Legitimate Interest of the Controller p.27
Chapter 3 Comparison between GDPR and LGPD p.28
3.1 General considerations p.28
3.2 Specific provisions p.30
3.2.1 Individual rights of the data subject p.30
3.2.2 Obligations of the controller p.31
3.2.3 Penalties p.33
3.2.4 Definition personal data p.33
Chapter 4 Effects of the differences between the GDPR and the LGPD p.35
4.1 What extra guards do the Brazilian companies have to implement? Is it possible to comply with both (GDPR and LGPD)? p.35
4.2 What will these differences mean in the light of adequacy? p.36
4.2.1 Differences of non-business topics relevant for adequacy decisions and similarity of laws p.37
4.2.2 Authority p.37
4.2.3 Possibility for an adequacy decision? p.38
Conclusion p.39


Abstract

In 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR replaces Directive 95/46/EC, which had regulated data protection in Europe since 1995. The GDPR is an updated version that tries to respond to technological progress. One of the important differences is the extended territorial scope of the GDPR, which gives it a worldwide influence. This amplification is helpful to guarantee effective data protection, considering the transnational character of data today. This means that Brazilian companies can also be affected, although this is not a Brazilian law. The aim of this thesis is to create a practical guide for Brazilian companies that are facing the GDPR.

The situations in which the GDPR applies to Brazilian companies will be listed in the first part of the thesis. In order to provide an answer to this question of applicability, the material scope and the territorial scope will be studied, using the classical legal method. During this analysis, topics such as adequacy decisions for international transfers of data will be discussed. These are important, since free data flows are allowed to third countries that the Commission considers to have a similar level of data protection. Brazil has not received such a decision yet, but with the coming of the Brazilian data protection law ‘Lei Geral de Proteção de Dados (LGPD)’ and the Executive Order ‘Medida Provisória 869/18 (MP 869)’, I will argue that Brazil is eligible for the status of ‘adequate level country’. The high similarity between the GDPR and the LGPD and the creation of the Brazilian supervisory authority ‘Autoridade Nacional de Proteção de Dados (ANPD)’ are crucial.

In the second part, the consequences of the applicability of the GDPR to Brazilian companies will be set out. The consequences can be found in the extra obligations that the GDPR imposes compared to the national legal requirements that the company is already complying with. Therefore, it is essential to draft a comparison between the GDPR and the LGPD. For this, the comparative method will be used. This allows the company to prepare itself for the several extra steps that it has to take once it falls into the scope of the GDPR.

Key-words: GDPR; LGPD; Data Protection; Brazilian companies in the EU; Adequacy


Resumo

In 2018 the European Union’s new data protection law, titled ‘General Data Protection Regulation (GDPR)’, came into force. The GDPR replaced Directive 95/46/EC, which had regulated data protection in Europe since 1995. The GDPR is an updated version that seeks to respond to technological progress. An important difference is the territorial scope, which was extended and gives the GDPR a worldwide influence. The widening of the scope is useful to guarantee effective protection, considering the transnational character of data today. As a result of this change, Brazilian companies can be affected even though it is not a Brazilian law. The aim of this dissertation is to draw up a practical guide for Brazilian companies facing the GDPR.

In the first part of this work, the situations in which the GDPR applies to Brazilian companies are described. To answer the question of applicability, the material and territorial scope are studied, using the classical legal method. Throughout this analysis, topics such as ‘adequacy decisions’ for the international transfer of data are also addressed. These decisions are important in order to be able to enjoy a free flow of data. Data may only flow to third countries that the Commission judges to have a similar level of data protection. Brazil has not yet received such a decision, but with the arrival of the Lei Geral de Proteção de Dados (LGPD) and the Medida Provisória 869/18 (MP 869), it is argued that Brazil can reach the category of ‘adequate country’. This is due to the great similarity between the GDPR and the LGPD and to the creation of the Autoridade Nacional de Proteção de Dados (ANPD).

In the second part, the consequences of the applicability of the GDPR to Brazilian companies are highlighted. These consequences take the form of obligations additional to the national legal requirements that the company is already complying with. Consequently, it is essential to draw up a comparison between the GDPR and the LGPD, using the comparative method. This allows the company to prepare itself to take the appropriate measures to be in compliance, once it falls within the scope of the GDPR.


Introduction

Cambridge Analytica

Cambridge Analytica is a company that was hired to intervene in the presidential campaign of Donald Trump in 2016. The company used personal data to feed algorithms that facilitate the creation of profiles of data subjects. Then, they made posts on Facebook and made sure that the message was adapted to the type of person, according to the profile. In this way they tried to have a greater influence on the voting attitudes of all these persons. It is assumed that the same company was involved in influencing Brexit.1 This kind of analysis is only possible because of the ‘datafication’ of society: one’s life will be described by data; by collecting data on all kinds of activities, the puzzle of the personality can be completed.2

Of course, this method can be used for purposes other than the political ones, as in the Cambridge Analytica case. The most important category is that of commercial strategies. The process works as follows. If you know to which profile a person belongs, you can reach that person better. One way of conveying a message will influence person A, but not necessarily person B. Therefore, the better you know the person you want to reach, the bigger your chances of convincing that person. If you know which approach a certain ‘type of person’ is most likely to react to, you can start sending an adapted message to all the persons that belong to that specific group. Making profiles is therefore very useful for those who want to reach a large public, since it is not possible to know all these millions of people. Now, with the help of profiles, you can send a message to an individual based on his profile; the message you send will probably correspond best to the individual, since you know his personality more or less through the profile.3 He states that in the case of commercial use this could be positive: since we have to see a lot of advertisements, on Facebook for example, it is better to see relevant ones. But he also suggests giving users the option to choose whether they prefer to ‘sell’ their data or to pay for applications like Facebook, and in that way having the guarantee that their data will not be used.4

1 https://www.theguardian.com/uk-news/2018/mar/23/leaked-cambridge-analyticas-blueprint-for-trump-victory accessed 18/06/2019; https://tecnoblog.net/236612/facebook-cambridge-analytica-dados/ accessed 18/06/2019; Reuben (2018), pp. 10-11; Monteiro (2018-2), p. 5.

2 Rhoen (2016), p. 1; Bioni (2019), p. 89.

The above described case is also referred to as the ‘Cambridge Analytica scandal’ and was one of the reasons that the European Union drafted the General Data Protection Regulation (hereinafter ‘GDPR’) in 2016 and Brazil the Lei Geral de Proteção de Dados (hereinafter ‘LGPD’) in 2018.5

Fundamental rights

Due to the datafication of modern life and the profiles that are being made as a consequence of it, we have to take great care of the fundamental rights of individuals. Today, we no longer have only a ‘physical’ identity. Citizens in modern society, where the use of the Internet is omnipresent, also have a ‘digital’ identity. Therefore, our personal data can be considered to constitute our personality online. Especially in the case of automated decisions based on profiles, there is not only the risk of manipulation by using the ‘right’ method to convince an individual to vote for a specific candidate, as in the Cambridge Analytica scandal, but also the risk that the ‘wrong’ and discriminatory decision will be made. This can happen since the profile does not always exactly coincide with the person; it is only an estimation of what this person would probably be like. For example, if most inhabitants of your region behave in a certain manner, you are supposed to do so too. Then, if you make a decision based on this supposed behaviour, but the individual in question does not behave in that manner, you are making a wrong decision. This is the risk of automated decisions based on profiles, since, as in this example, information of good quality is not always available and/or used to base the decisions on. If we do not intervene in this phenomenon, there will be room for a ‘data dictatorship’. Therefore, it is crucial that personal data is protected by treating it with the greatest attention.6

4 https://www.youtube.com/watch?v=Q7a5yQ3Xn44 accessed 18/06/2019.

5 Monteiro (2018-2), pp. 5-6.

Data protection derives from the fundamental right to privacy. This idea is all the more acceptable if, as demonstrated above, we consider our personal data to be our digital identity. Before the existence of an information society, the right to privacy logically did not encompass the protection of personal data. The right to privacy can be found in various official documents, for example in article 12 of the Universal Declaration of Human Rights, article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms, article 7 of the Charter of Fundamental Rights of the European Union and other documents of the European Union.7

Moreover, data protection measures also indirectly guarantee the enjoyment of fundamental rights other than just the right to privacy. As already suggested, this will be relevant especially in the case of automated decisions. Rights that can be affected are, among others: the right to health, the right to education, the right to work, the right to information, the right to liberty and, in some countries, the right to citizenship. For example, based on one’s profile, mechanisms such as Google will show different results for one’s search query than they would if someone else with a different profile typed the same query. This means that one’s right to information will be limited, since one’s profile determines what information will show up and therefore what information one will have access to.8

EU and Brazil

Since data mostly exists in digital form, there are no borders for it.9 Therefore, I consider it important to study the GDPR beyond the borders of the European Union. I chose to make a comparison with Brazil for the following reasons. Firstly, due to the existing interaction between Brazil, being a member of BRICS10, and the European Union (hereinafter ‘EU’), there is a practical importance in gathering knowledge about the laws of these regions.11 The EU created obstacles for data flows to countries that do not have a similar level of data protection, and established high requirements in order to be allowed to act in its market. This means that trade will be hampered to a certain extent.12 The practical point of view calls for an examination of whether Brazil has an adequate data protection level, and thereby for improving the already existing trade between the blocs. Furthermore, Brazilian companies that wish to maintain business relations with the EU need to be instructed in order to know how to be GDPR compliant. Lastly, there is also a more academic reason to compare these two pieces of legislation; the LGPD found its inspiration in the GDPR.13 The LGPD is even nicknamed ‘the Brazilian GDPR’.14 In this respect, since the LGPD was modelled to some extent on the GDPR, it is interesting to discover in which parts it differs.

7 Krzysztofek (2019), pp. 10, 17-24.

8 Monteiro (2018-3), pp. 2-5; Bioni (2019), pp. 89-92.

9 https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-extraterritorial-applicability.html accessed 18/06/2019.

10 http://www.itamaraty.gov.br/pt-BR/politica-externa/mecanismos-inter-regionais/3672-brics accessed 18/06/2019.

11 http://ec.europa.eu/trade/policy/countries-and-regions/countries/brazil/ accessed 18/06/2019.

Adequacy decision

Another important topic is that of the so-called adequacy decision. In order to be allowed to transfer data to a third country, there are several ways, which will be discussed in paragraph 2.2.15 In subparagraph 2.2.1, I will explain what an adequacy decision means. I will also provide the criteria that the Commission takes into account when it decides on adequacy questions. I will highlight the advantages of being an ‘adequate country’. Finally, in paragraph 4.2, I will evaluate whether Brazil has a possibility to obtain this ‘adequate status’.

Structure of the thesis

As demonstrated in the former paragraph, it is important to study the interaction and differences between the Brazilian LGPD and the EU’s GDPR. Therefore, in this thesis, I will try to respond to the following question, which can be of use for Brazilian companies that have to deal with the new data regulations:

‘When do Brazilian companies have to comply with the data protection rules of the GDPR and what extra implications arise, supposing that they are compliant with the domestic LGPD?’

12 http://europa.eu/rapid/press-release_MEMO-17-15_en.htm accessed 18/06/2019.

13 https://www.migalhas.com.br/dePeso/16,MI284723,101048-O+que+voce+precisa+saber+sobre+a+lei+geral+de+protecao+de+dados accessed 18/06/2019.

14 https://www.tecmundo.com.br/seguranca/130778-camara-aprova-projeto-gdpr-brasileira-uso-dados-pessoais.htm accessed 18/06/2019.

15 https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en last accessed 26/07/19.

I will start by introducing the GDPR and the LGPD. Then, I will touch on the material scope, in order to get a better idea of what kind of topics will be concerned (chapter one). Secondly, I will discuss the territorial scope, because it is essential to observe in which cases Brazilian entities will be affected, since they will not always act directly in the EU territory (chapter two). Then, once the business knows that the kind of data it uses falls within the reach of data protection law (material scope), and that its connection with the European Union somehow makes the GDPR applicable to it (territorial scope), the business needs to know what consequences this will have. Therefore, I will first make an overview of the differences between the GDPR and the LGPD (chapter three), and after that, I will set out which issues Brazilian companies will have to pay attention to (chapter four). Finally, I will conclude by giving practical advice to Brazilian companies that have to deal with the obligations under the GDPR.

Methodology

One of the important methods that I will use is the comparative method. This will mostly be in a descriptive manner, since I will describe what the law is about and not (that much) go into the question whether the law is good or should be improved, which would lead to an evaluative comparative method. I need to compare the two laws (EU and Brazil) in order to answer the part of the research question about the difference between the two. There are hardly any ‘functional approach’ issues, which means that I will take a conceptual approach. The laws of these two ‘countries’ are comparable since, as I mentioned above, one (LGPD) has been inspired by the other (GDPR), so they mainly concern the same material.

Also, the classical legal method (doctrinal-positivist) will be of great use for my research, since I will give an overview of existing law. Questions like ‘What are the rules?’, ‘Which rule(s) does a company have to obey?’ and ‘When will the GDPR apply to Brazilian companies?’ are relevant to be able to answer the research question.

Chapter one, which concerns the material scope, and chapter two, about the territorial scope of the GDPR, will therefore mainly contain information gathered by the classical method, since I will describe what the law says. Also, when preparing the comparison part (chapters three and four), this method is important, because before making the comparison, I will have to make an overview of the existing provisions in both.

I will not do independent case law research, because the GDPR just came into effect (May last year) and the LGPD has not come into force yet and has a vacatio legis of 2 years. I will use books (literature), but also information in the form of articles, given the recent character of the subject.

Chapter 1 Introduction of the Law and Material Scope

In this chapter I will introduce both the GDPR and the LGPD. First, I will give an overview of how these laws emerged (paragraph 1.1). Then, I will describe the material scope in order to have a better view of which cases will be governed by these data protection laws (paragraph 1.2).

1.1 Emergence of privacy laws

In the era of the data-based society, also referred to as the ‘information society’, the need to regulate the use of personal data becomes more and more vital. Not only the frequency but also data-oriented business models are relatively new, and therefore privacy provisions, which could not have encompassed these changes in society and in technology, had to be renewed in order to respond accurately to the current situation.16

1.1.1 General Data Protection Regulation (GDPR)

Although some Member States had already had a (general) data protection law since the seventies, it was only in 1981 that the first mark on the European Union scene, when it comes to data protection, was set. It was the adoption of Convention 108, which later became Convention 108+.17 This convention is an international treaty, so it is not only open to European countries, about data protection in modern society.18 This was followed in 1995 by Directive 95/46/EC.19 This Directive was in force until, due to the societal changes described above, the EU found itself obliged to adopt an updated version of the Directive. The main changes can be found in the amplification of the data subject rights, in the bigger responsibility of the data controllers and processors20 and in the extended jurisdiction.21 In recitals 2 and 13, the GDPR, by which the Directive has been substituted, states that this Regulation aims to guarantee fundamental rights and freedoms and to stimulate the internal market.

16 Monteiro (2018-3), p. 11; Mulholland (2018), pp. 172-173.

17 Monteiro (2019-1), p. 7; Krzysztofek (2019), pp. 13-15.

18 https://www.coe.int/en/web/portal/28-january-data-protection-day-factsheet accessed 02/07/2019.

19 Monteiro (2019-1), p. 7.

20 Monteiro (2019-1), p. 8.

1.1.2 Lei Geral de Proteção de Dados (LGPD)

Contrary to Europe, Brazil did not have a general data protection law until the creation of the LGPD. This does not mean at all that before the LGPD there was no legislation in the area of data protection. Currently, within Latin America, only Argentina, Colombia, Peru, Uruguay, Paraguay, French Guiana and Chile have a general law. The other Latin American countries, except Suriname, which does not possess any rules on the subject, do have privacy legislation, but these are constructions of various laws.22 This means that specific rights that protect privacy can be found in distinct laws. These can be national, state or municipal laws. In Brazil, the most important laws that provide protection to data subjects are the ‘Marco Civil da Internet’ (Lei n° 12.965), the ‘Código de Defesa do Consumidor’ (Lei n° 8.078), the ‘Lei do Cadastro Positivo’ (Lei n° 12.414) and the ‘Lei de Acesso à Informação’ (Lei n° 12.527). Furthermore, the Federal Constitution, the Civil Code and the Criminal Code also contain (general) provisions.23 These sectoral laws will remain valid and co-exist with the LGPD. The coming of the LGPD now offers protection to a broad range of sectors that were not all covered by the separate laws. Furthermore, it offers explicit legal bases and a clear overview of the rights of data subjects. Any clash between the LGPD and the other laws will have to be resolved by classic conflict rules.24 The objectives of the Law are to guarantee fundamental rights, and to adjust to technological evolution and globalization.25

The LGPD has gone through a long discussion process of almost a decade. In 2010 the Minister of Justice created a very first project, the Anteprojeto de Lei de Proteção de Dados (APLPD), in order to start thinking about what has now become the LGPD. After public consultation and debates, two proposals were made. Academics and other actors, among which representatives of the EU, participated in these discussions. One of the proposals that were submitted to the Congress, PL5276/16, was accepted and became the project law PLC53/2018 that resulted in the LGPD on 14th of August 2018. It was inspired by the GDPR and was also accelerated because of the approaching date of the entry into force of the GDPR.26

22 Monteiro (2019-1), p. 8.

23 Monteiro (2019-1), pp. 14-16; Cagnoni (2019-1); Monteiro (2018-3), pp. 5-9; Maldonado & Blum (2018), p. 27.

24 Monteiro (2019-1), p. 16; Maldonado & Blum (2018), p. 27.

A part of the original version of the LGPD was vetoed by the former President Temer for reasons of unconstitutionality.27 This concerns mainly the creation of the ‘Autoridade Nacional de Proteção de Dados’, the Brazilian Data Protection Authority. Therefore, on 27 December last year, an Executive Order was issued, Medida Provisória 869/18 (hereinafter ‘MP’), in order to establish the data protection authority anyway, sidestepping the constitutional problem. An Executive Order has immediate legal effect but loses validity if it is not adopted by the Congress within 6 months. The MP established the Autoridade Nacional de Proteção de Dados (hereinafter ‘ANPD’) and made a couple of changes to other parts of the LGPD. On May 29 the MP was approved in the form of the Project Law ‘PLV 7/2019’. The MP underwent some more changes in this approval period. This means that the original text of the LGPD has been changed two times: once by the MP and another time by the PLV that amends the MP. Now that the PLV has been approved by the Congress, the next step is the approval or (partial) rejection by the President. A PLV can be vetoed (partly) or simply adopted, and then it becomes an ordinary law. On June 9 the current President Bolsonaro sanctioned the PLV, vetoing it partly, and hereby the PLV was transformed into the new Lei n° 13.853. This means that the law is only waiting for the appreciation of the vetoes by the Congress, which decides whether they will be maintained.28

1.2 Material Scope

In article 2 of the GDPR the material scope has been set out: not ‘any type’ of data will be subject to the GDPR, only the data that can be classified as ‘personal data’. In article 4 (1) the GDPR gives a definition of the term ‘personal data’ used in article 2. The formulation is as follows29:

‘“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

26 Monteiro (2019-1), pp. 10-14.

27 Cagnoni (2019-1).

28 Cagnoni (2019-2); Cagnoni (2019-3); Monteiro (2019-3), p. 1; https://www.congressonacional.leg.br/materias/medidas-provisorias/-/mpv/135062 accessed 18/06/2019; https://www.congressonacional.leg.br/materias/medidas-provisorias/entenda-a-tramitacao-da-medida-provisoria accessed 18/06/2019.

For the LGPD we have to look at articles 1 and 3 to determine the material scope. The definition of ‘personal data’ in article 5 (I) is formulated as below:

‘Personal Data : information related to an identified or identifiable natural person;’30

This means that anonymous or anonymized data have been excluded from their scope, since they are not personal in the sense that they can be related to an identified or identifiable person. Article 12 LGPD and recital 26 GDPR also state expressly that anonymized, respectively anonymous, data are not the target of the privacy laws. Article 12 LGPD limits this exclusion of anonymized data from the definition to data whose anonymization cannot be reversed, because if the anonymization process can be undone, the person can be identified again.31 The definitions of personal data are very similar, although the GDPR provides examples and definitions of the examples. The Brazilian legislator chose not to copy these details, but in essence the definitions of personal data are the same.32 Furthermore, the definitions of both the GDPR and the LGPD refer to data of a ‘natural’ person. Therefore, also according to recital 14 GDPR, legal persons will not enjoy the protective rights that the Regulation grants.33

Also, in paragraph 2 of article 2 of the GDPR some specific topics are excluded from the scope of the GDPR, but those are not directly very relevant for business and for answering the research question, since they concern public law,34 except for the household exception. The latter concerns the strictly personal use of data, in article 2 (2) (iii), and demonstrates even more that the GDPR is directed at business.35 The LGPD also provides for a so-called household exception in article 4 (I), and the public law exceptions can be found in article 4 (III).36

30 ‘dado pessoal: informação relacionada a pessoa natural identificado ou identificável;’ Remark: all translations are made by myself.

31 Monteiro (2019-2), pp. 12-13.

32 Monteiro (2019-2), pp. 12-13.

33 Monteiro (2019-2), p. 7.

34 This concerns for example national security, external politics etc.

35 Maldonado & Blum (2018), pp. 26-28; Krzysztofek (2019), pp. 35-36.

Moreover, there is a special category of personal data called ‘sensitive personal data’, which enjoys an even higher level of protection. The GDPR explains in article 9 (1) what this kind of data entails:

‘[…]personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data […], health, […] person’s sex life or sexual orientation […]’

The LGPD in its turn states the following in article 5 (II):

‘sensitive personal data : data on racial or ethnic origin, religious belief, political opinion, union membership or religious, philosophical or political organization, health or sex life, genetic or biometric data, when connected to a natural person.’37

Processing data has to be grounded on a legal basis in order to be allowed. For ‘normal’ data, the LGPD states 10 bases and the GDPR only knows 6 of them. In the case of sensitive personal data, since this special category deserves better protection, the bases are different and more restrictive. Consent has to be explicit. Data manifestly made public by the data subject is also a basis. A contract will only be a basis if it deals with the health of the data subject. Legitimate interest of the controller will now only be valid if it is for the establishment, exercise or defence of legal claims. The public interest basis will undergo a different proportionality test and will be more focused on health and scientific research. The bases of compliance with a legal obligation and protection of vital interests will remain.38

I will elaborate more on the differences in legal bases in chapter 3. But it is important to state here the idea that (sensitive) personal data can only be processed, if it can be justified by relying on a legal basis.39

Both laws are technology neutral, which means that they do not prescribe a specific technological process or device. The controller and the processor are free to choose their method of dealing with the data, as long as they observe the protective obligations of the GDPR or the LGPD.40

37 ‘dado pessoal sensível: dado pessoal sobre origem racial ou étnica, convicção religiosa, opinião política, filiação a sindicato ou a organização de caráter religioso, filosófico ou político, dado referente à saúde ou à vida sexual, dado genético ou biométrico, quando vinculado a uma pessoa natural’

38 Monteiro (2019-2), pp. 22-24.

There are some minor differences between the material scope of the GDPR and the LGPD that will be discussed in chapter 3.41

40 Pinheiro (2018), p. 29; Maldonado & Blum (2018), pp. 26-27.

Chapter 2 Applicability of the GDPR to Brazilian companies: Territorial Scope and International Data Transfers

In order to be subjected to the GDPR, next to the material applicability of which I gave an overview in the first chapter, the company also has to be affected by the territorial scope. Since this is not self-evident for Brazilian companies, I will elaborate on this subject in this chapter (paragraph 2.1). Something more frequent for a non-EU company will be international transfers of data. This is another way to be touched by the GDPR, and therefore I will also discuss this topic (paragraph 2.2).

2.1 (Extra-)Territorial scope

To simplify and summarise the formal applicability of the GDPR: the Regulation will be effective not only if you are acting in the EEA territory, but also if you are acting from outside and your actions are intended to have effect in its territory. As to the territory, the Member States’ territory is of course part of it, but Iceland, Norway and Liechtenstein are also included. When using the term ‘EU territory’ in the light of the GDPR, I will also be including these countries.42 The term ‘third country’ will be defined as any country that is not part of the EEA.43

As mentioned in the previous chapter, the territorial scope of the GDPR is vast. In this paragraph I will set out the cases in which the GDPR will be applicable. There are three imaginable situations, leaving out the obvious situation of a European company with European clients that live in Europe44 :

-A third country company that has an establishment or representative in the EU;

-A third country company that offers goods or services to subjects in the EU or monitors their behaviour;

-A third country or EU company that processes or stores data outside the EU territory although it was collected within the EU territory, which means that the data subject was within that territory while the data was being collected.

42 https://planit.legal/blog/en/the-applicability-of-the-gdpr-within-the-eea/ accessed 18/06/2019.

43 Krzysztofek (2019), pp. 228-229.

44

In this paragraph I will start with a short note about public international law (subparagraph 2.1.1) and then elaborate on the first two situations (subparagraphs 2.1.2 and 2.1.3). Thereafter, I will give an overview of the academic debate on the question whether the GDPR concerns EU citizens or subjects that are on its territory (subparagraph 2.1.4). Finally, in the last section of this paragraph, I will briefly approach the issue of enforcement of extraterritorial application (subparagraph 2.1.5). The third option, just like the second, concerns companies that do not have a physical presence in the EU. But the third possibility, which is about companies that store or process the data in a third country, actually concerns the transfer of data. Therefore this third option, apart from being touched on briefly in subparagraph 2.1.2, will be discussed in the second paragraph of this chapter.

2.1.1 Public International Law

In article 3 (3), read together with recital (25), the GDPR provides an enlargement of the definition of the EU territory. In some specific circumstances, EU law will apply outside its territory by virtue of public international law. This means that some places, because of their special status, will be considered as if they were part of the EU when it comes to the applicable law. Therefore, these cases can be added to the above mentioned category of European companies acting within Europe. These cases mainly concern embassies, consulates and ships flying an EU flag that are in international waters.45

2.1.2 Establishment or Representative in the EU

The most obvious form would be to have a formal establishment of your company in the EU. Reading article 3 (1) and recital (22) together, the term establishment is also extended to a company that effectively does business in Europe, and not just to the place of registration. This could be in the form of a branch or subsidiary.46 So this means that in the light of the GDPR the term ‘establishment’ should not be interpreted in this strict way ; if you have a representative in the EU and also a website that is (mainly) directed to EU data subjects, your company has to be compliant with the GDPR.47 It is only the establishment within the EU that has to be compliant ; the other parts of the company that are located elsewhere do not in principle have the same obligation.48 The establishment will have to comply with the GDPR if it uses the personal data in the context of its activities. Therefore, the mere presence of an establishment in the EU is not enough to be subject to the GDPR. On the other hand, if all activities and the collecting of personal data take place in third countries, but the processing in an EU Member State, the GDPR will also apply.49

45

It is important to observe that even companies that are not themselves subject to the GDPR will have to ‘voluntarily’ comply with the GDPR too if they wish to be contracted by companies that are affected by it.50

This can be concluded from article 3 (1), since it states that data collected in the course of the activities of an establishment will be within the scope of the GDPR, independently of the place where the data will be processed afterwards. This obligation has been specified in article 28 (3).51 This also makes sense, because otherwise companies could just process the data elsewhere in order to avoid the GDPR, and in that way the Regulation would be ineffective.

2.1.3 Offering goods or services to subjects in the EU or monitoring subjects in the EU

An even less obvious way to fall under the scope of the GDPR, which was not the case during the ‘Directive period’, is when companies that have no presence at all in the EU nevertheless act in the EU market in some way. A good example of this case would be that of a third country web shop that sends products to Europe. The GDPR, in its article 3 (2), states two options that are considered as participating in the EU market : (a) offering goods or services to data subjects in the EU or (b) monitoring subjects that are in the EU.

46 Maldonado & Blum (2018), p. 29 ; Guidelines EDPB (2018), pp. 4-5 ; Gabel & Hickman (2019), chapter 4.

47 https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/data/general-data-protection-regulation/ accessed 18/06/2019 ; Krzysztofek (2019), pp. 37-39.

48 Maldonado & Blum (2018), p. 30.

49 Guidelines EDPB (2018), pp. 4-8.

50 Monteiro (2018-1), p.1 ; Polido (2018), pp. 16-18.

51

As for offering goods and services, the trader has to have the intention to direct its activity to EU data subjects. Therefore not all goods or services that European data subjects buy will be concerned ; the mere fact that a trader’s website is accessible in the EU is not enough to trigger the applicability of the GDPR. Recital (23) lists several criteria for determining whether the company has the intention to target EU data subjects, such as : a website available in EU languages (that are not an official language in a third country or often used in business), currency, the possibility to deliver products to EU addresses, using EU top level domain names, writing the telephone number with the international country code of one of the EU Member States etc. The analysis has to combine these factors in order to determine whether there is a real intention to enter the EU market. Even more, the GDPR (article 27) obliges companies that enter the EU market, as described above, to establish a representative in an EU country. Moreover, the fact that the services or goods are free of charge does not exclude the application of the GDPR.52

In the case of article 3 (2) (b), the GDPR refers to the phenomenon of profiling, defined in article 4 (4), which is also confirmed by recital (24). There are two cumulative criteria : monitoring EU data subjects and the behaviour occurring in the EU. Mostly, monitoring activities are directed at sales goals. In the case of monitoring, unlike entering the EU market under article 3 (2) (a), it is not very likely that you monitor by coincidence. Monitoring already asks for conscious action with a purpose, and as a consequence there is no real test that has to be performed in order to determine the intent of the monitoring company. As soon as the company is involved in profiling, the GDPR will be applicable.53

Due to their global activity, a lot of entities, like Facebook, adjusted their terms not only for their EU subsidiaries, but for the platform as a whole. This means that all Facebook users, regardless of their country of residence, enjoy the protective rights of the GDPR. The reason for doing this is to avoid a possible breach of any GDPR requirement, since the platform is globally accessible.54

52 Krzysztofek (2019), pp. 37-39 ; Monteiro (2018-1), pp. 1-2, 9-10 ; Maldonado & Blum (2018), p. 29-36 ; Guidelines EDPB (2018), pp. 14-17.

53

2.1.4 EU Nationality ?

The GDPR does not explicitly state that it applies only to the data of EU nationals ; it refers to data subjects that are on its territory. The GDPR states the following in article 3 (2) :

‘[…] data subjects who are in the Union by a controller or processor not established in the Union […]’

Therefore, natural persons from a third country who live in the EU, or who are even just in the EU at the moment their data is being collected, are also included. This scope, as we can see, is broader than just EU citizens. In academia, there are discussions whether EU citizens, or even Brazilians (or persons from other third countries) who also have EU citizenship, will be protected by the GDPR outside the EU territory for the mere fact that they are EU nationals. This would be about cases like Brazilian hotels and restaurants that receive EU nationals, or Brazilian domestically oriented online services and mobile applications that have European users. These are just the most frequent examples, but any company in Brazil that deals with Europeans or with Brazilians who have a double passport would be subject to the GDPR according to this point of view in the discussion.55 Others state that nationality is irrelevant for the applicability of the GDPR, mainly for the above mentioned reason that the GDPR does not mention ‘EU citizen’ in its provisions about the territorial scope.56 Even more, in recital (14) the GDPR provides for its application to natural persons of whatever nationality.57

Moreover, for reasons of international law and the sovereignty of every country, it would be very strange if the GDPR would apply in, for example, Brazil just because EU individuals decide to go there. Normally, by virtue of the territoriality principle, the State has exclusive powers on its own territory. This means that the GDPR, being an EU law, cannot be applicable for the mere fact that its nationals are in Brazil’s territory ; independent of the nationality of the individual, the State is sovereign in its own territory.58 Therefore, in addition to the grammatical interpretation of the GDPR, I would defend the viewpoint of the academics that the GDPR’s applicability does not depend on the nationality of the data subject.

54 https://tecnoblog.net/245101/gdpr-privacidade-protecao-dados/ accessed 18/06/2019.

55 https://fia.com.br/blog/gdpr/ accessed 18/06/2019 ; http://www.privacybr.com/dia-mundial-da-protecao-de-dados-pessoais accessed 18/06/2019 ; Pinheiro (2019), p. 37-38 ; https://www.youtube.com/watch?v=ByhG3E8ltsE accessed 18/06/2019.

56 Albertyn (2017) ; Maldonado & Blum (2018), pp. 29-36 ; Monteiro (2018-1), pp. 8-11 ; Guidelines EDBP (2018), p. 14 ; https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/data/general-data-protection-regulation/ accessed 18/06/2019.

57

Furthermore, if we were to accept the view that the GDPR’s applicability depends on nationality, a lot of practical problems would arise. A local shop would need to have knowledge of the privacy laws of every country, since individuals with a double nationality who live there, or tourists, can go to that shop. Not only would this shop owner have to know these laws, he would also have to find out whether a client has a double nationality, for example. In most cases this would simply be impossible. Therefore, in addition to legal arguments, practical arguments can also be put forward.

2.1.5 Enforcement

Since, in a lot of the above-mentioned cases of extraterritoriality, companies, or at least their assets, are not located on the territory of the EU, problems with the enforcement of penalties in case of non-compliance could occur. The most difficult situation will be the one in which the company has no presence at all in the EU, but also cases in which the penalties are higher than the assets the company owns on EU territory. This happens since the penalties, according to article 83 (4-5), concern the global annual turnover instead of just that of the subsidiary of the company in the EU. These cases will mostly be resolved by international cooperation, but this of course will depend on the willingness of the authorities to enforce the judgements, and it will also be a slow process.59 Furthermore, there are other measures than monetary ones that can stop infringements of the GDPR. For example, it is possible to block access to the trader’s website in the EU.60

58 Shaw (2016) ; Polido (2018), pp. 17-18.

59 Monteiro (2018-1), p. 12 ; https://g1.globo.com/economia/tecnologia/noticia/lei-da-uniao-europeia-que-protege-dados-pessoais-entra-em-vigor-e-atinge-todo-o-mundo-entenda.ghtml accessed 18/06/2019 ; http://www.mjilonline.org/fines-under-eu-gdpr-in-non-eu-jurisdictions-enforceable-or-mere-reputation-risk/ accessed 18/06/2019.

60 Monteiro (2018-1), p. 11.


2.2 International Data Transfers

Companies from third countries in particular will be affected by the rules on data flows out of the EU. As described in the previous paragraph, ‘EU’ companies may also want to make data transfers if they consider that it will be more efficient to store or process the data outside Europe. This can be the case if the company uses a cloud in a third country, for example. But, naturally, this will be more likely to happen in the case of companies that have their (main) establishment outside Europe, or even subcontracted companies that do the processing of data for an EU company. In all those cases, before being able to process or store the data in a third country, a transfer of this data to the third country first has to be made. This is already the case if you give the third country company access to your EU database. The mere fact that the data flows out of the EU territory is sufficient for it to be considered an international transfer of data. In order to be allowed to make an international data transfer, some rules set by the GDPR have to be observed, according to article 44. An authorised transfer is necessary in order to process, treat, store or perform any similar action on the data in a third country.61 I will describe the possibilities to be allowed to make such a transfer : adequacy decision or treaty (subparagraph 2.2.1), standard contractual clauses or BCR (subparagraph 2.2.2), consent (subparagraph 2.2.3) and the legitimate interest of the controller (subparagraph 2.2.4).

2.2.1 Adequacy Decision or Treaty

The easiest and best working ways of data flows are those based on treaties between the EU and the third country, and those based on a so-called ‘adequacy decision’ granted by the European Commission.62

The EU has treaties with a few third countries about data protection. This is the case of Japan. The ‘Japan EU Economic Partnership Agreement’ is essentially a business treaty63 but it also provides for mutual recognition of data flows.64 The EU also established a treaty with the United States. The US has a very different legal system when it comes to privacy, but due to the economic interests between the EU and the US, a provision for data flows had to be made. It was not possible, due to these significant differences, to allow a general flow. Therefore, several rules have been drafted, and companies that undertake to comply with these rules and conditions will be found compatible, and for that reason transfers to these companies will be permitted. The set of rules is laid down in the Privacy Shield decision.65 The EU does not (yet) have such a treaty with Brazil.

61 Krzysztofek (2019), p. 230.

62 Monteiro (2018-1), p. 5.

63 http://ec.europa.eu/trade/policy/in-focus/eu-japan-economic-partnership-agreement/ accessed 19/06/2019.

64

An adequacy decision is a resolution of the European Commission in which it decides, based on article 45, that a specific third country has a similar level of data protection. With such a decision in place, you can freely transfer data to these approved places without needing a prior authorisation for every transfer.66 The adequacy decision can be granted to a country or to specific sectors, as we just saw in the example of the US.67 Also, the decision can be changed when the legal situation of an adequate country changes.68

Currently, Brazil does not have adequacy status. The Commission declared the following countries to have a similar level of data protection : Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay. Canada and the United States received only a partial adequacy status.69

In order to be able to receive such a decision, the third country’s legislation should provide for a level of data protection that is comparable with that of the EU, according to recital (104).70 Several criteria of article 45 (2) have to be observed :71

-The rule of law, human rights and fundamental freedoms have to be guaranteed, and the data protection rules have to be effectively enforced. This concerns the domestic law.

-The existence of a data protection authority that monitors and has legal powers to enforce data protection rules. This concerns the supervisory authority.

-The country participates in international obligations, especially those related to data protection. This concerns the international commitments.

65 Krzysztofek (2019), pp. 266-272 ; https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en.

66 https://edps.europa.eu/data-protection/data-protection/glossary/a_en accessed 19/06/2019.

67 Gabel & Hickman (2019), chapter 13.

68 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en accessed 19/06/2019.

69 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en accessed 19/06/2019.

70 Monteiro (2018-1), p. 4.

71 Krzysztofek (2019), p. 233 ; https://edps.europa.eu/data-protection/data-protection/glossary/a_en accessed 19/06/2019 ; Maldonado & Blum (2018), pp. 219-220.

Moreover, the Commission also takes into account whether the law is materially similar to the GDPR in essence ; it does not need to be identical, but it has to be equivalent. The Article 29 Working Party elaborated on these specific criteria.72

Article 46 gives the options to transfer data in the absence of an adequacy decision, which is currently the case for Brazil. Article 44 states that the intention of the rules in this chapter is to provide effective protection ; protection would not be granted if you could send data to third countries where companies are not bound by a similarly strict set of rules. Therefore, the GDPR only allows the transfer of data to countries that do not have adequate data protection legislation if special safeguards are granted.73 The safeguards of article 46 will be discussed in the next subparagraph.

2.2.2 Standard Contractual Clauses or BCR

A safeguard that can ensure the protection of the data, once transferred to a third country in which the company is not obliged by law to comply with data protection similar to what the GDPR provides, is to let the third country company formally promise that it will adhere to the GDPR rules. The formal promise will guarantee that it will comply with the GDPR as if the GDPR were applicable. This can be done by using standard contractual clauses or by adopting Binding Corporate Rules (hereinafter : ‘BCR’).74

For the BCR mentioned in article 46 (2) (b), article 47 gives more detailed information on what these should look like. Also recitals (108) and (110) provide a description of the BCR.75 BCR are used for transfers within the same economic group or for businesses that use cloud computing in third countries. The advantage of BCR is that they are legally binding. Standard contractual clauses are for transfers to companies that are not part of the same economic group. These clauses are designed, or at least approved, by the European Commission. Article 46 (2) (f) states a last option in this category, which would be the use of certification as described in article 42.76

72 Krzysztofek (2019), pp. 233, 236-239.

73 https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en accessed 19/06/2019.

74 Monteiro (2018-1), p. 5 ; Krzysztofek (2019), p. 240.

75

2.2.3 Consent

If there is neither an adequacy decision nor standard contractual clauses or BCR, the controller needs a specific authorisation to make the transfer. Article 49 provides this option. One of the possibilities is the express consent of the data subject, as in article 49 (1) (a). The safeguards of article 46 depend on the will of the company, unlike consent, which is a provision that conditions the transfer on an action of the data subject, namely consenting to the transfer. In order for the consent to be express, the controller should provide the data subject with information in such a manner that he or she can make an informed choice. The choice, aside from being informed, also has to be given in a way distinguishable from other topics, in order to be sure that the data subject was aware of what kind of matter he is giving consent to. Furthermore, the controller has to prove that the consent has been given freely.77

2.2.4 Legitimate Interest of the Controller

Besides the consent of the data subject, there are some other derogations for exceptional situations. The most important of these can be summarised as the legitimate interest of the controller or another party. Examples can be found in article 49 (1) (b-g). But these bases, as article 49 (1), single paragraph, read together with recital (47) states, can only be used in a very limited context. The reason for this extra prudence is the deviation from the principle that data can only leave the EU if it will be protected. Since these derogations concern cases in which the data flow goes to a non-adequate country and there are no safeguards like those in subparagraph 2.2.2, extreme precaution is demanded. This is about cases like the necessity of the performance of a contract with the data subject (c), public interest (d), legal claims (e) and vital interests (f).78

76 Maldonado & Blum (2018), pp. 220-221 ; Gabel & Hickman, chapter 13 ; Krzysztofek pp.242-244, 252-253.

77 Monteiro (2018-1), pp. 6-7 ; Krzysztofek (2019), pp. 230, 258-259.

78


Chapter 3 Comparison between GDPR and LGPD

In the first chapter, I introduced the two pieces of legislation. In paragraph 1.2, I described the material scope and in paragraph 2.1 the territorial scope. Once a company, based on that information, finds itself under the obligation to comply with the GDPR, it is useful to know, and necessary in order to answer the research question, what extra obligations it has to observe, assuming that the company is compliant with the LGPD. Therefore, in this chapter, I will set out the differences between the two laws. I will start by drawing a more general comparison (this chapter), and then in the next chapter (chapter 4) I will provide an analysis of those extra obligations that matter in practice.

In the comparison, I will only take into account differences that concern business ; therefore provisions about subjects like public bodies, health and academic research will mostly be left out. Also, due to the scope of this thesis, I will try to set out the most important points ; the aim is not to be exhaustive.

When using the term LGPD in this chapter, the MP will have been taken into account.

3.1 General considerations

The first thing that strikes the reader’s attention is that the GDPR is more detailed than the LGPD ; the GDPR is much longer, looking at the number of articles and pages of the regulation.79 This is not only due to the number of articles but also because the GDPR has recitals. Recitals function as an explanation of the articles. The LGPD provides more general provisions that leave room for interpretation. The ANPD will have to clarify some of the abstract definitions. This is possibly due to the fact that, unlike Europe, Brazil does not have a long tradition of data protection culture, and therefore, being the first general law in the field, the law is not that extensive. Mostly, the GDPR also provides definitions, where the LGPD only lists items without providing explanations. To give an example, the GDPR states what kind of data can be considered sensitive data and then defines all categories in order to know what data is concerned, but the LGPD only lists the categories without definitions, leaving it to interpretation.80 Further, it is important to note a difference in the status of the law in the legal order to which it belongs. The GDPR is one regulation, although in a few aspects the Regulation provides that Member States can regulate. The LGPD is the first general law on the topic, but the new law is additional to the already existing sectoral laws.81

79

As to prevention and good practice, the LGPD suggests in article 50 that the controller can draft a privacy policy, this being an optional measure, but the GDPR provides for a specific compulsory framework in its article 24, §2. This means that on this point the GDPR is stricter.82 The concepts of privacy by design and privacy by default stated in article 25 are crucial and obligatory on this subject.83

In order to be allowed to process data there has to be a ground to do so. Both pieces of legislation formulate legal bases that serve to justify the processing of personal data. The GDPR contains 6 legal bases for data processing : consent, public interest, legitimate interest of the controller/third party, performance of a contract, compliance with a legal obligation, protection of vital interests.84 The LGPD also knows these, but formulates 4 more : studies by research bodies, judicial, administrative or arbitral proceedings, health issues and credit protection.85 When it comes to sensitive personal data, both pieces of legislation have a strict regime ; only in some specific and more restricted cases may the data be used. The LGPD formulates this as ‘allowed on specific grounds’ and the GDPR as ‘exception to the prohibition of processing sensitive data’.86

There are some of these grounds that only one of the two laws contains. The GDPR, in article 9, §2, ‘d’ and ‘e’, defines that the exception to the prohibition of processing sensitive data covers data manifestly made public by the data subject and data used in the legitimate interest of the entities listed in sub ‘d’. The LGPD in its turn does not know these exceptions but provides in its article 11, II, ‘b’ and ‘g’, for a permission to process data in public administration or for public policies. These have to be codified and have to serve to prevent fraud and guarantee the security of the data subject in processes of identification or registration in electronic systems.87

80 Kauer ; Machado (2018) ; https://marketinganalitico.com.br/qual-a-diferenca-da-lei-geral-de-protecao-de-dados-brasileira-lgpd-para-a-europeia-gpdr/ last accessed 22/07/19.

81 Maldonado & Blum (2018), p. 26-27.

82 Machado (2018) ; https://www.drz.global/blog/diferencas-entre-a-gdpr-e-a-lgpd last accessed 24/07/19.

83 Monteiro (2019-2), p. 37 ; Krzysztofek (2019), pp.189-214.

84 Monteiro (2019-1), p. 30-32.

85 Monteiro (2019-1), pp. 31-32 ; Kauer ; https://marketinganalitico.com.br/qual-a-diferenca-da-lei-geral-de-protecao-de-dados-brasileira-lgpd-para-a-europeia-gpdr/ last accessed 17/07/19.

86

When it comes to children, the laws differ on some aspects of the legal basis ‘consent’. Although the idea that children can give their consent is common to both, the age and what exactly they can independently consent to are not the same. The GDPR states in its article 8 (1) that in order to be able to give consent, a teenager has to be 16 years old. The Member States are allowed to choose a different age, but this cannot be younger than 13. This means that this age is between 13 and 16, depending on the Member State. In Brazil, the age of 18 has been established by the Federal Children and Adolescents Statute (Estatuto da Criança e do Adolescente – ECA). Data subjects between 13 and 18 can only give consent under some conditions. The LGPD addresses the consent of children in its article 14. Also, the GDPR, when it refers to the consent of children, only addresses consent issues for information society services, while the LGPD concerns all kinds of consent.88

3.2 Specific provisions

3.2.1 Individual rights of the data subject

Direct marketing is a concept that is only regulated by the GDPR. In article 21, §2, it codifies the right of the data subject to object to this kind of practice. In the case of the LGPD, since there is no specific provision, general rules like consent will have to be used in order to object to this way of doing business.89

The right of access, laid down in article 15 GDPR and article 18 (II) LGPD, has a different period within which access to the personal data has to be provided to the data subject. In the case of the GDPR, that will be within 1 month, with eventually 2 extra months for very complex cases. The LGPD provides for a shorter period : 15 days.90

87 Machado (2018) ; https://www.drz.global/blog/diferencas-entre-a-gdpr-e-a-lgpd last accessed 24/07/19.

88 Machado (2018) ; https://www.drz.global/blog/diferencas-entre-a-gdpr-e-a-lgpd last accessed 24/07/19 ; Pinheiro (2018), pp. 73-75 ; Maldonado & Blum (2018), pp.139-164.

89

Data portability is the right of the data subject to take his data to another entity. This is for example the case when one switches from one insurer to another ; it is useful to be able to simply request your file in order to avoid having to gather that information again. Article 20 (1) of the GDPR even states that this file has to be in a ‘structured, commonly used and machine-readable format’. The LGPD, in its article 18 (V), also creates the right to data portability, but does not have a specific requirement of what the file should look like.91

3.2.2 Obligations of the controller

When it comes to a data breach, the GDPR stipulates 72 hours to report the breach, while the LGPD defines for the same action a ‘reasonable time’.92 This is another example of both pieces of legislation having the same principle, but the GDPR being more precise. In both cases the law requires that the authorities and eventually the data subject who is the victim of the breach be informed, but the GDPR states very precisely that the data controller has to do this within 72 hours.93

The GDPR declares itself applicable to actors that are not established in the EU but do monitor the behaviour of EU data subjects, in its article 3 (2) (a). The LGPD is silent on this point. On this point the territorial scope of the GDPR is broader.94

The GDPR, in its article 27, §1, provides for an obligatory representative if the controller is not based in the EU. The LGPD instead only states that any person or entity that represents the controller in Brazil will be held responsible, and this will be the case even if contractually or statutorily they are not (article 61). But there is no obligation to have such a representative in Brazil.95

90 Monteiro (2019-2), p. 43.

91 Monteiro (2019-2), p. 45.

92 Pinheiro (2018), p. 22 ; Monteiro (2019-2), pp. 35-36.

93 Assis and Mendes Advogados (2019-1).

94 Monteiro (2019-2), pp. 8-9.

95


Article 28, §3 GDPR obliges the controller and processor to have a formal relationship, for example a contract, whereas article 39 LGPD, on the same topic, only stipulates the hierarchy ; the processor has to follow the instructions of the controller. In the case of the LGPD there is no additional form to formalise this. The Brazilian Consumer Protection Code provides for joint liability of the controller and processor when the infringement concerns a consumer case, which is very likely to occur.96

In article 35 the GDPR defines when a Data Protection Impact Assessment (DPIA) is compulsory and what content is required. In article 38 the LGPD also addresses impact assessments, but it only states that the ANPD is empowered to ask for this report, without saying anything about the content or in what situations the authority shall ask for such a report.97

Furthermore, through article 36 the GDPR obliges the controller to consult the supervisory authority prior to processing data that, according to the DPIA, would result in a high risk. Such a provision does not exist in the LGPD.98

Article 30 and recital 82 of the GDPR and article 37 of the LGPD require the controller and processor to keep a record of their data processing activities. This is one more example of how the GDPR is more detailed than the LGPD.

The GDPR allows data flows to third countries if there is an adequacy decision for that country (or sector), or if the specific transfer is covered by appropriate safeguards that maintain a similar level of protection once the data leaves EU territory. The LGPD likewise provides that data may only leave Brazil when the receiving country has an adequate level of data protection, but it gives no detailed description of what that protection should look like in order to qualify as 'adequate'.99

96 Machado (2018); https://www.drz.global/blog/diferencas-entre-a-gdpr-e-a-lgpd last accessed 24/07/19; Monteiro (2019-2), pp. 16-17.
97 Machado (2018); https://www.drz.global/blog/diferencas-entre-a-gdpr-e-a-lgpd last accessed 24/07/19.
98 Monteiro (2019-2), pp. 31-32.
99


3.2.3 Penalties

Now that the differences in the obligations of the controller have been set out, it is important to know what happens if the controller does not meet these obligations. This subparagraph therefore sets out the consequences of non-compliance.100

Both the GDPR and the LGPD contain provisions on penalties in case of non-compliance. Although both take the turnover of the company into account, the GDPR considers global turnover while the LGPD considers only turnover in Brazil. Under the LGPD a fine amounts to a maximum of 2% of the turnover in Brazil, capped at 50 million reais; where there are several infringements, this maximum applies to each of them. The text also says 'up to', which means the figure is a ceiling. The GDPR instead states that either the percentage or the fixed amount applies, 'whichever is higher', and it provides for fines of 4% or 2% rather than only up to 2%: in the highest tier the fine is 4% of global turnover or 20 million euros. It can therefore be concluded that the regime of the GDPR is more severe.101

3.2.4 Definition personal data

Unlike the LGPD, the GDPR states explicitly that pseudonymised data can still be personal data. This is the case when re-identification can be carried out by using additional information, because in that way the data can still lead back to the natural person to whom it belongs. The LGPD has no provision that clearly states this general principle.102 But, as mentioned in paragraph 1.2, when it comes to anonymised personal data the LGPD, contrary to the GDPR which has no such provision, states that the process of re-identification restores the status of personal data.103
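The distinction drawn above is easy to misjudge in practice, so the following is an added illustration (not part of the thesis, and not code from any of the cited sources). It builds a small constructed customer dataset, pseudonymises the direct identifier with a keyed HMAC while keeping the token-to-identifier table that counts as the "additional information" of the GDPR, shows that this table reverses the process (so the output is still personal data), and then shows why merely dropping the identifier does not give anonymous data either: a record whose remaining attributes are unique in the dataset can still be singled out, which is the re-identification scenario the LGPD addresses. All names, e-mail addresses and the key are invented for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; every value here is invented for the example.
RECORDS = [
    {"email": "ana@example.com", "city": "Sao Paulo", "purchase": 120},
    {"email": "bruno@example.com", "city": "Recife", "purchase": 45},
    {"email": "ana@example.com", "city": "Sao Paulo", "purchase": 80},
]


def pseudonymize(records, key):
    """Replace the direct identifier (e-mail) with a keyed token.

    Returns the pseudonymised records together with the token -> identifier
    table. That table (or the key used to rebuild it) is the 'additional
    information' in the GDPR sense: as long as it exists somewhere, the
    output can be tied back to a person and remains personal data.
    """
    table = {}
    out = []
    for record in records:
        token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = record["email"]
        row = {k: v for k, v in record.items() if k != "email"}
        row["subject_id"] = token  # same person -> same token, so rows stay linkable
        out.append(row)
    return out, table


def reidentify(pseudo_records, table):
    """Undo pseudonymisation using the token table; yields the original rows."""
    restored = []
    for row in pseudo_records:
        original = {k: v for k, v in row.items() if k != "subject_id"}
        original["email"] = table[row["subject_id"]]
        restored.append(original)
    return restored


def drop_identifier(records):
    """Remove the direct identifier and keep no token or table at all.

    This is what is often (wrongly) called anonymisation; whether it actually
    is anonymous depends on the attributes that are left behind.
    """
    return [{k: v for k, v in record.items() if k != "email"} for record in records]


def singleton_groups(records, quasi_identifiers):
    """Count records whose combination of quasi-identifiers is unique (k = 1).

    Anyone who knows those attributes about a person (e.g. 'the only customer
    in Recife') can single that record out, so a dataset with singletons is
    re-identifiable and, under the LGPD, becomes personal data again once
    that re-identification happens.
    """
    keys = [tuple(record[q] for q in quasi_identifiers) for record in records]
    counts = Counter(keys)
    return sum(1 for key in keys if counts[key] == 1)


if __name__ == "__main__":
    key = b"example-key-kept-by-the-controller"  # invented key
    pseudo, table = pseudonymize(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("re-identified equals original:", reidentify(pseudo, table) == RECORDS)
    stripped = drop_identifier(RECORDS)
    print("singletons by city:", singleton_groups(stripped, ("city",)))
    print("singletons by city+purchase:", singleton_groups(stripped, ("city", "purchase")))
```

The practical check this encodes is twofold: a dataset is only pseudonymised (and therefore still personal data) while the key or token table exists under anyone's control, and deleting the direct identifier is not enough to make it anonymous if the remaining quasi-identifiers leave records that are unique in the dataset.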

100 https://marketinganalitico.com.br/qual-a-diferenca-da-lei-geral-de-protecao-de-dados-brasileira-lgpd-para-a-europeia-gpdr/ last accessed 24/07/19.
101 Assis e Mendes Advogados (2019-3); Cordeiro (2019); https://marketinganalitico.com.br/qual-a-diferenca-da-lei-geral-de-protecao-de-dados-brasileira-lgpd-para-a-europeia-gpdr/ last accessed 24/07/19; Monteiro (2019-2), pp. 47-48.
102 Monteiro (2019-2), pp. 14-15.
103


The GDPR excludes deceased persons from its scope, but leaves room for additional legislation at Member State level.104 The LGPD contains no such exclusion.

104


Chapter 4 Effects of the differences between the GDPR and the LGPD

In chapter 3, I made a general comparison between the GDPR and the LGPD, but some of its results are of academic relevance without mattering much in practice; this is the case, for example, for the format and structure of the laws. In this chapter I therefore analyse the comparison of chapter 3 and draw up a 'shopping list' of the aspects that do matter in practice, so that companies have a clear overview of what they actually have to change. Next to this list, I also answer the question whether it is possible to be compliant with both the GDPR and the LGPD (paragraph 4.1). Secondly, I discuss the differences between the two laws in the light of the adequacy decisions introduced in paragraph 2.2.1. For this purpose I also briefly touch upon aspects other than those that concern business, since the Commission considers the law as a whole when deciding on a possible adequacy decision. I will argue that the arrival of the LGPD, together with the MP, opens the door to such a decision for Brazil (paragraph 4.2).

4.1 What extra safeguards do Brazilian companies have to implement? Is it possible to comply with both (GDPR and LGPD)?

As can be observed from the comparison in chapter 3, on some points the LGPD is stricter than the GDPR. This is an interesting finding, since, as described in the introduction and in chapter 1, the LGPD found its inspiration in the GDPR, and the arrival of the GDPR was one of the reasons this legislation was created. These extra obligations set out by the LGPD do not, however, cause violations of the GDPR, so the two are compatible: it is possible to be compliant with both. This means that a Brazilian company that is compliant with the domestic legislation and also falls within the scope of the GDPR will be able to operate in one way, taking the extra requirements into account, and does not need to work with two different business
