Law No. 13.709/2018, also known as the General Data Protection Act (LGPD), was passed in 2018 but is not yet in force. Its main objective is to give citizens more control over their personal data, restricting the misuse of this information by the companies that hold it.
Although already approved by the then President of the Republic, Michel Temer, the law will only take effect in August 2020. Brazil is one of the few countries that have their own regulations for crimes committed online. The Internet Civil Framework, sanctioned in 2014, regulates Internet use, defining rights and duties for Internet users. LGPD will amend some of the Framework's articles, specifically the 7th and 16th, giving exclusive attention to data protection.
What is the General Data Protection Act?
Law No. 13.709/2018 states that any and all collection of personal data must be done with consent. Citizens whose personal information is being registered in any system must be fully aware of the reason for entering their data and what it will be used for. This applies to registration on social networks, business systems, etc.
This means that any company that collects user information without explicitly advising users can be prosecuted. The ANPD (National Data Protection Authority) will regulate and ensure that the guidelines of the law are applied. This is an autarchic body, meaning it has the power to make decisions autonomously without having to go through too much government, created specifically to take care of LGPD enforcement.
All data of the natural person, i.e. the owner of the record, is protected by law. The following count as data: ID, marital status, social security number, address, email, sexual orientation, salary range, ethnicity, religion … For any company to acquire this information, it will have to request it directly from the citizen. Thus, the sale or transfer of personal information from one company to another is prohibited unless explicitly agreed.
Article 1 This Law provides for the processing of personal data, including in digital media, by a natural person or legal entity governed by public or private law, in order to protect the fundamental rights of liberty and privacy and the free development of personality of the natural person. – Law No. 13.709/2018, sole paragraph.
Although some legal-entity (PJ) or corporate data is protected by the same legislation, other data is not covered. This is because this information is public and does not count as personal data. Some examples of information that may be freely used are: company name, CNPJ and registered business address. Using this information does not necessarily require authorization from the company manager.
All uses of the data must be authorized by the user. This includes not only the collection of this information, but also the storage, use, reproduction, transmission, distribution, processing, archiving, and any other use of these records. If the user suspects or discovers that his or her information is being misused, he or she can and should file a report so that it can be investigated.
The law applies to information collected throughout the national territory. Therefore, if data are collected in another country, even from Brazilians, theoretically the regulation cannot be applied.
If any company is found to be in breach of the LGPD regulation, the ANPD will be responsible for applying the appropriate measures. Regulatory enforcement must take place in stages so that the company can adapt to the new law.
A warning will first be sent so that the company is aware of the situation and has time to correct the issues. Within this period, the indicated corrective measures should be taken to prevent further legal proceedings. If the indicated measures are not taken, a fine of up to 2% of the legal entity's total net revenues will be applied. If this amount is not paid, a daily fee will be added on top of the fine.
Once the report has been investigated and confirmed, the violation will also be disclosed. After that, the personal data of those involved will be blocked until their regularization. The last stage is the complete deletion of the personal data involved in the infringement.
To prevent this from happening, the company must be fully transparent about the data it collects and the uses the data will have.
“Companies need to face this process immediately, which does not necessarily mean abandoning all types of procedures and services that are being used. But some attitudes should be immediately reviewed, as they are a real time bomb or risk matrix. For example, avoid asking for more information than necessary: in an event, a presence list subscription is not required; or in some cases have data that is not extremely useful at registration” - Fabricio Mota Alves, data protection expert lawyer
Changes from August
Although the law comes into force only in August, there have been several cases of notifications to companies for misuse of users' personal data. To date, more than 30 public civil inquiries on data protection have been opened in the Public Prosecution Service. The legal proceedings were brought by bodies such as PROCON and consumer protection associations, for example. This is because the ANPD, which will be the responsible body, is not yet in operation.
One of the cases that had the greatest impact was PROCON-SP's notification to the FaceApp photo editing application, which applied filters to people's photos, making them look like elderly people or babies. This app collected a lot of information from users' smartphones without explaining exactly what the uses would be. Another aggravating factor was that the license terms were not translated into Portuguese, which makes it impossible for many Brazilians to understand them.
Once LGPD is implemented in 2020, the same situation will occur, the difference being that a specific body will do the regulating. Investigators will be able to engage exclusively in these types of security breaches. Investigation cases may increase, and more companies may be notified.
It is important for business owners to be careful about collecting and processing data. The lawyer Mota Alves also says that “companies have not yet absorbed the idea that the data subject is the citizen. We can be the owners of the intelligence behind the data and solutions that handle that information, but not the data itself.” Remember that it is best to avoid collecting too much data that is not necessarily important for the registration of new customers.
After all, why this law?
With the recent advances in online and offline presence integrated into our lives, the data collected from users is very important. Regulating how it is used is important to prevent misuse of people's personal information.
The main purpose is to keep the information secured by law. Thus, companies should be extra careful about what information is being collected, how important it really is and what it will be used for. If any information is breached, users will have a body available to support them.
According to the company MicroStrategy, which offers data analysis solutions, in Brazil about US$ 1.2 million was spent to solve problems related to data leakage, which corresponds to almost R$ 5,000. This amount covers fines, settlements and legal costs, and damage to the company's image and reputation. Regulations may change how this information is processed.
Source: Plateau, Crumbs, Internet Civil Framework, SAS