28/09/2020 | News
Companies and banks are now dealing with demands regarding the LGPD (Brazilian General Data Protection Law).
Companies and financial institutions are beginning to deal with the first demands arising from the entry into force of the General Data Protection Law (LGPD). Data subjects are starting to request information, and in the courts, there are at least two lawsuits. One is a public civil action by the Public Prosecutor's Office of the Federal District (MP-DF) against a company that allegedly traded personal data, and the other is a lawsuit filed by a student who does not want to provide facial biometrics to a transportation company.
Initially, the Judiciary seems cautious. The Public Prosecutor's action (no. 0730600-90.2020.8.07.0001) was dismissed because the website was no longer accessible. "With the recent entry into force of Law 13.709/18, which occurred on September 18th, those responsible for the aforementioned website must be seeking to adapt their services to the legal norms for the protection of personal data," says Wagner Pessoa Vieira, judge of the 5th Civil Court of Brasília, in the ruling. The Public Prosecutor's Office of the Federal District is analyzing the possibility of an appeal.
In the student's case, the judge asked those involved to respond before granting the preliminary injunction. By refusing to provide his biometric data, the young man was unable to recharge the card that entitles him to pay half the fare for public transportation in the Recife metropolitan area (case no. 0060336-35.2020.8.17.2001).
Keeping up with case law on the LGPD is important because, although the fines it establishes can only be imposed from August 2021 onwards and the National Data Protection Authority (ANPD) does not yet exist, it will be the Judiciary that provides the first parameters for how the law applies in practice.
Companies that have adapted to the law are seeing the effectiveness of the tools they created. Daniel Arbix, legal director of Google Brazil, says that users could already, for example, activate or deactivate ad personalization, configure automatic data deletion, and perform data migration. "Now, according to the LGPD (Brazilian General Data Protection Law), they have access to online forms through which they can submit requests for information about their data, corrections, or deletion," he states.
But Arbix points out that, since the law still depends on regulation in more than 20 areas, there is no clear definition on important items, such as criteria for the international transfer of personal data. "In this sense, a strong, proactive, and open-to-dialogue ANPD (National Data Protection Authority) will be fundamental."
In a statement, Vivo highlights the company's "Privacy Center," where the account holder, using their login and password, can access their data, and which also serves as a communication channel for questions and requests. "For Vivo, the protection and privacy of personal data of customers and employees has always been a priority, which intensifies with the entry into force of the LGPD," it says.
However, there are large companies that are still not in compliance with the LGPD, according to Marcela Ejinisman, partner in the Technology, Cybersecurity & Data Privacy area at TozziniFreire. "Whether B2B or consumer-focused, these are companies that decided to wait, due to the possibility of the LGPD only coming into effect in 2021, and now they've rushed back to follow their initial plan," she states.
Marcela says that requests for information about data subjects are already popping up everywhere, especially in the financial sector. "For example, requests for information about credit history," she states. In these cases, the lawyer has been advising on the need to verify if the person requesting the information is indeed the data subject.
The trend is towards an increase in the volume of notifications. A survey by Sapio Research in the United Kingdom, conducted between April 29th and May 5th with 100 directors in medium-sized industries, found that they receive an average of 28 requests per month from data subjects. The average cost to fulfill each request is £4,800, and 48% take more than 30 days to complete. The GDPR (General Data Protection Regulation), the European counterpart of the LGPD, has been in effect for two years and four months.
“The survey indicates that problems will arise here. In Europe, they are unable to meet the deadline, which is 30 days, extendable by another 60, while in Brazil this same deadline is 15 days, without extension. In other words, this right could turn into an avalanche of lawsuits,” says Marcílio Braz Jr., lawyer and founder of Privacy Academy Brazil.
Given this scenario, fearing a court order, companies that had stopped investing in adapting to the LGPD (Brazilian General Data Protection Law), some due to tight budgets resulting from the pandemic, are now being forced to do everything in a hurry, according to José Eduardo Pieri, partner responsible for the privacy area at Palma Guedes Advogados.
Even data from potential consumers can be subject to the LGPD (Brazilian General Data Protection Law). Online consumption habits, monitored by marketing departments, are considered personal data, points out Pieri. "The LGPD makes it clear that consent for obtaining cookies [digital traces] needs to be easy to read and understand," he says, adding that conditioning the application of discounts on the CPF (Brazilian taxpayer ID number) also requires caution. "It needs to be clear to the consumer what the purpose of using the CPF is that justifies the discount."
In addition to advising retail clients who have received requests to correct or delete data after the LGPD (Brazilian General Data Protection Law) came into effect, Flávia Rebello, a partner at Trench Rossi e Watanabe Advogados, has also begun receiving inquiries from foreign companies seeking to comply with the new law, even if they are already adapted to the GDPR (General Data Protection Regulation). "There are differences, and, for example, the portability of personal data from one service provider to another will still be regulated."
The start of the notifications has also made companies fear being sanctioned by different agencies for the same reason. "It is under evaluation whether, in the case of penalties from a Procon [consumer protection agency] and Senacon [National Consumer Secretariat], the value of one fine can be deducted from another," says Juliana Domingues, head of Senacon, which is part of the Ministry of Justice.
This same fear also caused the demand for cyber risk insurance to grow by about 40% shortly after the president sanctioned the LGPD (Brazilian General Data Protection Law), according to Marta Schuh, cyber superintendent at the brokerage firm Marsh Brasil. "Because of this, companies are requesting increases of up to 25% in the coverage limits of cyber risk insurance, in order to have a higher compensation value."
Source: Valor Econômico