The General Data Protection Law (LGPD), Law 13,709 of August 14, 2018, was enacted after the president’s sanction, on September 18, 2020, converting Provisional Measure 959/2020 into law and regulating the protection of personal data of individuals with a level of detail never before achieved by any other local law.
One of the most important aspects of the measure is that it will serve as a legal foundation for the National Data Protection Authority (ANPD), which in turn provides a mechanism to assess, and potentially disqualify, the framework a company adopts for the treatment of personal data if it is alleged to violate the new legal norm. The law's principles are currently ignored by most companies, and are arguably not accorded their due importance even by some experts on the subject.
The following are the principles that govern the General Data Protection Law:
Furthermore, it is no secret that the LGPD has been heavily influenced by the GDPR, the law on the protection of personal data enacted in Europe. This enables us to observe what regulators have interpreted in situations that will be very similar to those faced by the ANPD in Brazil.
In Finland, for example, the Deputy Data Protection Ombudsman, the Finnish regulator, fined a taxi company €72,000 for violating the principle of minimizing data use, a principle similar to that of need in the LGPD, by installing security cameras in its taxis that also recorded audio of the passengers’ conversations.
Likewise, a large department store was fined €250,000 by CNIL, the French regulator, for recording and retaining all telephone conversations in full and for keeping customer bank data unencrypted, violating principles similar to our principles of need and security, respectively.
Another judgment frequently made by the Spanish regulator AEPD is to disqualify the legal justification for companies using footage from security cameras with coverage of public places adjacent to their property. These rulings have been based on the assessment that such usage violates the principle of transparency because people are not informed by a poster that they may be filmed for security reasons.
Therefore, care must be taken in developing frameworks for the processing of someone’s personal data according to the legal bases provided in the LGPD to ensure that the principles described above are respected.