The entry into force of the General Data Protection Law (Law No. 13,709/18 - LGPD), on September 18 of this year, had impacts on various sectors of society. By regulating practices related to the processing of personal data in Brazil, the LGPD has established new process management requirements for the public and private sectors.

Much of the private sector has expressed difficulties in meeting obligations imposed by law, and the reality of the public sector does not seem very different: the adequacy initiatives are still timid and there are concerns about the understanding of the new legal framework brought about by the LGPD.

This issue becomes even more troubling in the courts and administrative bodies, which should be prepared not only to fulfil their obligations, but also to decide on and demand proper enforcement of the rights under the LGPD.

Privacy policies and the 7 errors game

Among the obligations related to the processing of personal data that the public sector needs to comply with is the adoption of measures guaranteeing data subjects "clear and updated information on the legal provision, purpose, procedures, and practices used to carry out these activities, in easily accessible vehicles, preferably on their websites", in compliance with the principles of transparency and free access to information under the LGPD.

The public sector should provide this information in an easy, clear, and accessible manner, especially in the form of privacy policies on its websites. The LGPD itself lists what information and requirements must be stated in these documents.

The appointment of the "responsible person" and the provision of the respective contact information are also requirements of the LGPD for those who process personal data. The responsible person's role is to act as a data protection focal point, with competence to report to the National Data Protection Authority (ANPD), guide other employees on the subject, and receive complaints from users.

However, the mere availability of such information is not sufficient to comply with the law: its content must necessarily reflect the concepts of the LGPD and, consequently, highlight the measures adopted throughout the adaptation project. In practice, the privacy policies ultimately demonstrate how each organization has done its "homework" to comply with the LGPD.

When the legislation became mandatory, it was expected, among other measures, that such information would start to be made available on websites. In practice, however, few public bodies have fulfilled this obligation. Fewer still are those who have done so in a correct and satisfactory manner.

The National Telecommunications Agency (Anatel), for example, published a specific page on personal data processing on its website that contained misconceptions regarding the cases of processing. The agency stated that all processing of personal data carried out by Anatel would be based on consent, which was said to be "the only legal basis for the LGPD".[1] The law, however, provides for ten cases for processing of non-sensitive data, including consent, and eight cases for processing of sensitive data. The website was subsequently updated and the text adjusted; however, there is a lack of clearer information on how the data processing is performed by Anatel. It is of concern, above all, that Anatel made the mistake of publishing a guideline so far from the model of the law.

The privacy policy disclosed by the Court of Appeals of the Federal District and Territories (TJ-DF) is another example of misapplication of concepts of the LGPD. The document, published on September 8 through Resolution No. 9/20, mistakenly defines the terms "controller" and "operator"[2] and does not present the information it should, such as the rights of the data subject and the channel of contact with the person in charge.

A similar mistake occurs in Ordinance No. 68/20, which governs the application of the LGPD within the Rio Grande do Sul Public Prosecutor's Office and defines its members, public servants, and interns as personal data operators of the institution.

Fortunately, there are exceptions. This is the case of the São Paulo Court of Appeals (TJ-SP), which has developed a specific webpage for LGPD-related subjects, on which it released the organizational structure of its adaptation project. The TJ-SP went further still and implemented new procedural categories in its computerized system with the aim of improving statistical studies on the judicialization of matters involving the LGPD, according to CG Notice No. 663/20.

Along the same line, the National Council of Justice (CNJ) sought to guide the bodies of the Judiciary with the publication of a recommendation on initial measures for compliance with the LGPD.

LGPD arrives at the courts. Now what?

Although organizations are not yet fully compliant with provisions of the LGPD, the issue of data protection is on the rise in society. The application of the law has already become the subject of lawsuits questioning the purpose and security of personal data processing.

In the last month, some of these lawsuits have been highlighted in the media, such as the first public lawsuit based on the LGPD, filed by the Federal Prosecutor's Office for the Federal District to question possible improper marketing and sale of personal data by a website. The suit, though, has been extinguished, as the judge found that the plaintiff had no procedural interest, since the website in question was under maintenance.

Along the same line, a student from Pernambuco went to court to question why he was forced to provide his biometric data to recharge an electronic bus ticket. The suit is in progress before the Court of Appeals of Pernambuco (TJ-PE).

The principles of the LGPD were also cited in a court judgment ordering a construction company to pay R$ 10,000 for sharing personal data of its client with third parties outside the contractual relationship, which caused unwanted contacts with this client by financial institutions, consortiums, and other companies.

These cases illustrate that the rights and obligations of the LGPD are now enforceable in court, despite the postponement of sanctions under the LGPD to August 1, 2021.[3] The Judiciary is now exercising more active control and examination of cases related to data protection, which until then had been carried out by consumer protection agencies, which examined cyber-security issues on the basis of the sparse and industry-specific laws and regulations on data protection still in force, such as the Consumer Protection Code and the Brazilian Civil Rights Framework for the Internet.

In this scenario, two concerns arise. The first relates to the late structuring of the ANPD, a unified and organized regulatory authority for the purpose of personal data protection, whose executive board members the Federal Senate recently approved.[4] In addition to the challenge of quickly structuring the ANPD, it is also expected that the authority will quickly fulfill its pedagogical role of guiding and coordinating application of the law, including in relation to the government sector, in order to avoid conceptual errors such as those pointed out earlier in this article.

Without the ANPD and its guidelines, government agencies and entities from other sectors would assume the role of enforcers of the LGPD and begin to impose sanctioning measures, which may have a high degree of arbitrariness and legal uncertainty.

The second concern relates to the public sector's misconceptions already addressed. They show how little prepared some agencies are to do their "homework" and raise the question of how they will deal with these issues. This applies especially to courts and administrative bodies, whose obligations also include instructing magistrates in order to properly decide how to apply the LGPD. After all, if the public sector is not prepared to fulfil its obligations, would it be ready to demand application of the rights provided for in the LGPD?

Conclusion

In general, the public sector has been slow to adapt to the terms of the LGPD, even in the face of the various impacts that its entry into force has brought about for society. The situation is even more delicate for the courts and administrative agencies. While they needed to demonstrate the implementation of the obligations under the LGPD, they began to exercise, in part, the role of monitoring and guaranteeing the rights of the holders of personal data.

These obscure points should guide discussions during and even after implementation of compliance rules in the public sector, especially until the ANPD begins its work, since it is tasked with providing guidance and determining many requirements on the application of the LGPD.

Nevertheless, it must be recognized that there are good initiatives taking place in the public sector, such as the TJ-SP, which has shown ability in fulfilling its obligations, and the CNJ, which took the initiative in guiding the bodies of the Judiciary.

At this moment, it is expected that the public sector will adopt a mediation posture and stimulate the settlement between the parties in the event of disputes related to the protection of personal data, exactly because of the novelty of the law and in line with the guidelines to be issued by the ANPD.


[1] "Consent. The basis of the LGPD is consent, i.e. authorization from the data subject must be sought before processing takes place. And this consent must be received explicitly and unequivocally." Excerpt of text published on September 23, 2020, on Anatel's website. <https://www.anatel.gov.br/institucional/component/content/article/104-home-institucional/2666-portal-da-anatel-tem-pagina-sobre-tratamento-de-dados-pessoais>

[2] Resolution No. 9/2020. "Article 5. At the Court, the Controller and the Operators are respectively the Chief Judge of the Court, assisted by the Information Security and Personal Data Protection Management Committee - CGSI, and the public servants and employees who carry out personal data processing activities at the institution or third parties, in similar contracts and instruments signed with the Court.

Paragraph 1. The Deputy Chief Judges and the Ombudsman of the Judiciary shall be the Deputy Controllers.

Paragraph 2. The Committee shall be formed by a technical and multidisciplinary team, which shall perform legal, information, and technology security, internal and external communications, human resources, document and strategic management functions."

[3] Articles 52, 53, and 54 of the LGPD, which deal with administrative sanctions under the law, will enter into force on August 1, 2021, in the manner set forth in Law No. 14,010/2020.

[4] On October 20, 2020, the Senate approved via a floor vote the five names nominated to sit on the ANPD’s Executive Board. The candidates were indicated in the publication of the extra edition of the Official Gazette of the Federal Government on October 15, 2020.