Vanessa Pareja & Tilly Lang Fireside Chat
In this Cloudflare TV Data Privacy Day segment, Tilly Lang will host a fireside chat with Vanessa Pareja, Partner, Dias Carneiro Advogados.
Hi, everyone. Welcome to International Data Privacy Day. And I'm very, very excited to have Vanessa here.
She's a partner who specializes in technology and data protection at the law firm Dias Carneiro based in Brazil.
Welcome, Vanessa. Great to have you.
And I'm super, super excited to talk about the LGPD, which I know a lot of us sort of in the data protection world has sort of had a lot of discussions and also read a lot of information about.
So I was wondering, Vanessa, if you'd be so kind just to kind of start us off with a little bit of history around the growth and awareness of data protection in Brazil.
Thank you, Tilly. It's a pleasure to be here.
So just providing a little bit of background on data protection in Brazil.
In a lot of terms, Brazil followed Europe in protecting image and protecting privacy.
But until the Internet Framework law, which was enacted around 2011, we really did not have any law regulating data protection.
So this act was the first law to actually regulate the use of data in an online environment.
But it still had very restricted regulations with regards as to when it applies.
And actually, we did not have any authority that enforced regulation internally and administratively.
So for that matter, the law was enforced, but it was really never respected and you did not have any culture surrounding data protection in Brazil.
The LGPD was enacted in 2018.
And when the law was approved, what we noticed, this was an immediate change on how authorities interpreted data protection in Brazil.
So despite the fact that the law had around two years until the time that it actually entered into force, September last year, we noticed a huge change on regulations and actual judicial decisions surrounding data protection.
So they would say applying consumer law or applying the Internet Framework Act, this data breach should be punishable.
So it's interesting to see that using the current framework they had at the time, just the change on a line of thought on how to interpret data protection that changed fairly quickly as well.
Perfect. And I know as well, 2020 was a big year in Brazil for the LGPD.
I was wondering if you could just talk us through, because you mentioned that the LGPD was actually passed in 2018.
But I know there was a lot of sort of confusion and talk about sort of when it was actually going to force, some due to COVID, but then also I know there was a lot of changing sort of within political decisions.
And I was just wondering if you'd be so kind as to walk us through kind of what happened there and also when it came into force, and then also when enforcement from the regulators could have stopped it.
So I think the best way to understand the confusion in Brazil is to understand that the GDPR in Europe was the culmination of years and decades of data protection that resulted in one of the most comprehensive regulations regarding data protection.
The LGPD in many ways is a copy of the GDPR, but without this tradition and without legal entities able to regulate the law and provide further guidance.
So only now we have a national data protection authority that's starting their job and starting to issue regulations and instructions regarding data protection.
So the law, when it was enacted, it was supposed to come into force one year and a half after it was enacted, which was in the middle of 2000 and 2020.
It was then delayed to September this year, but there was a lot of expectations that this deadline might be further delayed.
And the main reason being COVID, of course, on the one hand, but to be honest, on the other hand, the fact that we really did not have a national data protection ready.
So because of all this insecurity, and it came to a point that even I thought that the law was going to be delayed again to January this year, a lot of companies did not start adjusting their operations in Brazil.
And of course, on the one side that had to do with the uncertainty generated by the law, but on the other side as well, COVID came and there were limited resources and they chose not to apply them towards a law that was more likely to be delayed.
Come September, the House actually approved delaying the law, but the Senate was against it.
And in their saying said, it's important that the law comes into force immediately.
But we understand that most companies are not adjusted yet. So what we're going to do is the administrative penalties, we're not going to change and they're going to come into force August 2021.
But the law is going to start, we're going to start enforcing the law as of now.
Because of that, in Brazil, currently, we have the judiciary issuing several rulings regarding violations of the LGPD and even public prosecutors also prosecuting based on the law.
But the national data protection authorities, they're not able to issue sanctions until August this year.
Perfect. I know. And thank you so much for clarifying that because I know there was a lot of sort of different opinions and news articles coming out, especially in 2020 around that.
So really appreciate that. And I was also wondering if you'd just be so kind just to give us kind of an overview of sort of the good, the bad and the ugly with the LGPD.
And also just highlighting areas where the LGPD is similar to the GDPR, but also areas where it's different.
So in a lot of ways, as I mentioned, the LGPD was made to mirror the GDPR.
But a lot of the provisions of the law are simpler, meaning they don't provide as much guidance as the GDPR does.
And on the other hand, we have to understand that Brazilian courts are going to be the ones enforcing it.
So we have to apply jurisprudence in Brazil as well into interpreting the law.
So if you want to understand, for example, scope, the same as the GDPR applies: if you're processing data in Brazil, or if your company offers products or services in Brazil, the LGPD is going to apply to you as well.
On the same side, with regard to data subject rights, the same applies with very similar rights.
There are slight adjustments, to be honest, but these are things that we analyze on a case by case basis.
And it's just a matter of adjusting our operations to Brazil.
Where things might change more drastically is with regards to labor rights, because those are going to be ruled by labor courts in Brazil, and they tend to be very conservative.
So we are applying a very conservative interpretation of the LGPD in Brazil with regards to that.
So with regards to how much data that the subjects can obtain, how to provide transparency, then you should really keep in mind local customs in Brazil with regards to that.
Perfect. Thank you so much. And I'm just wondering as well, if you could sort of expand on sort of what the LGPD really means sort of for foreign companies that are looking to invest in Brazil, or currently have business operations in Brazil, just sort of expand on that.
And then also what it means for Brazilian companies that have sort of a global presence.
So I think the first thing to understand is, as I mentioned, Brazil already had the Internet Framework Law that provided some guidance with regards to data protection.
Whenever we saw deals and transactions involving data protection, even with companies outside Brazil, we would say, well, you should be aware of that protection.
But to be honest, that was not the main concern in any deal that we oversaw.
And most of that could be attributed to the fact that there wasn't really enforcement.
That changed drastically.
If you are a foreign company, and if the transaction involves some sort of processing of data obtained from Brazil, or the offering of products or services to Brazil, the LGPD will apply to the company.
That will imply, for example, that you would have to have international transfer agreements, or you would have to make sure that your foreign policies are nationalized to Brazil.
And as I keep saying to a lot of foreign clients, you have to provide information in Portuguese.
There have been instances where privacy policies were provided in English, and the majority position is that it is not able to provide transparency in Brazil.
So I think the major message here is data protection became an issue. A lot of the concerns you have with GDPR is regarding how to process data from a foreign company, and also with regards to international transfer of data.
That should also apply to Brazil as well, as well with the fact that you would need to appoint a data protection officer as well to manage the LGPD in Brazil.
Perfect. I noticed that you brought up international data transfers.
And obviously, in Europe, we've had sort of the Schrems II judgment, which came out in the summer, which we all know about.
Exactly, exactly. It kept us busy. And I was just wondering in terms of, are you sort of having a lot of discussions around international transfers with Brazilian clients?
And also, is there currently, or are there plans to sort of have sort of a set of standard contractual clauses or something along those lines for Brazil?
So international transfers in Brazil may be performed subject to express consent of the data subject, which is of course very hard to get with international transfers.
Our standard contractual clauses are agreements subject to the data protection authority, of course.
What's the challenge? They have not issued standard contractual clauses yet.
They just released the schedule with regards to activity today.
And the prediction is that they would only do so first semester of next year.
So what we have been doing in Brazil is, to the extent possible, copying a lot of the agreements and clauses you have in Europe already.
And there have been widely accepted to that extent.
And figuring out that, to the extent possible, that would also apply in Brazil.
And of course, the national data protection authority is going to have to have a very understanding view of the fact that there was an absence of knowledge on how their position is going to be on the subject.
Thank you. And we're sort of talking a lot about the regulator in Brazil, and obviously the LGPD not coming out, sort of what it was expected to because of the data protection authority wasn't set up in time.
So I'm just wondering if you could kind of talk us through when the data protection authority was established and also any guidance and news that's sort of coming out and any sort of future actions that you, I suppose, expect to come out from the authority.
So in August, when the Senate was discussing the direct enactment of the LGPD, they initially issued the general structure of the organization.
So that was the starting step of the LGPD, I'm sorry, of the national data protection authority.
And from that, we got further guidance on structure, the actual indication of the main positions and officials that are going to work there.
And today, we had a very important step, which is the issuance of the actual schedule for them to issue normatives and further guidance on data protection.
Recently, there was a major data breach in Brazil that actually disclosed the idea of several thousands of residents.
That was the first time that I saw the national data protection authority say, we're going to investigate that.
So that was an important position for them to have.
And I'm sure that from now on, they're going to have a more active position in data protection in Brazil.
Thanks so much for that. My next question is around the trend towards sort of data localization.
Are you seeing these discussions happening a lot in Brazil and are they gaining momentum?
So when I saw them gain a lot of momentum was right after the Snowden scandal, when we were discussing the Internet framework law, because the Dilma government was very upset regarding things that were said and things that they published.
And at that moment, Brazil was seriously considering data localization.
That was not adopted in Brazil. And the main issue, in my view, is economic, because there is a huge impact on technology companies and their interest to actually operate in Brazil.
So from that moment on, we moved towards a more long arm jurisdiction regarding the enforcement of the law to an international company by alternative means and sanctions.
So for example, they can ban a company from operating with regards to data protection, request the elimination of data.
So I see Brazil moving towards that scenario and less towards data localization.
Perfect. And then just sort of shifting a little bit, just kind of focusing in on organizations, sort of privacy programs, especially if they have operations in Brazil, sort of with the enactment of the new legislation, what would be the core changes or recommendations or views that you would suggest companies look at with their current privacy program or if they sort of are a local organization and sort of don't have mature privacy programs set up yet, what would be your recommendations sort of to that business to make a start?
So I think I would have different recommendations.
So if you are a foreign company and you don't have a local presence and you are processing data from people located in Brazil, the main issue would be first to understand the LGPD and understand the main differences of the law with regards to data subject rights, terms to respond to those rights, how to process, how to respond, transparency requirements, and as I mentioned, translation to Portuguese, and to be able to reply to resident consumers in Portuguese as well.
So I would think I would move towards an adjustment of local policies to Brazil and an understanding of the differences between the LGPD and the GDPR.
If you are a foreign company that already has a global data protection program but you have a physical presence in Brazil, a lot of times I started to talk to clients and it was like, well, the company is already adjusted to the GDPR and they already responded to a lot of questionnaires, so I think we are in a more advanced position.
What I found out is when the GDPR was enforced, they may have issued questionnaires and they may have tried to map data from their Brazilian branches, but the general misunderstanding towards what data protection actually means and what personal data actually is might have provided a bit of distortion in those replies.
So my advice for companies that have a local presence is to start from scratch with regard to a first phase, so do the data mapping, do the legal grounds for processing, and then from that moment on, move towards adjustment of local policies to Brazil.
First to understand nationalization due to jurisdiction issues and then nationalization due to operational differences that your local branches might have.
Perfect. That's super helpful and I know that we talked a little bit about enforcement of the LGPD and it's going to start, I believe, in August of this year.
I was wondering if you could talk a little bit about the actual proposed set fines, because obviously when the GDPR came out, there was a lot of attention on the set fines, I mean, for good reason, they're quite high.
So I was wondering if we could just talk a little bit about the proposed fines under the LGPD and also we touched upon as well the Data Protection Authority which has just been set up and also sort of appointments to that Data Protection Authority.
So, with regard to sanctions, the LGPD foresees a penalty of up to 50 million reais, I'm sorry, of 2% of the company's annual turnover limited to 50 million reais, a daily fine of up to 50 million reais, elimination of data and, I'm sorry, suspension of services and also, I forgot the term, just providing public information that the company actually committed a violation of the law.
So those are the administrative fines.
Those fines are the ones that I mentioned are postponed to August this year.
So we have no guidance on how the National Data Protection is going to issue those penalties.
In their schedule, they're supposed to provide this further guidance until the first semester of this year, so we should have news on that front.
One concern that a lot of companies have been having is what we call the judicialization of the law in Brazil because since the law came into force without the Data Protection Authority, courts in Brazil have been issuing indemnifications based on the law and this was a huge concern to everybody because then you would not have a central entity actually indicating the criteria that should be adopted and even in analyzing the infractions of the law and despite this concern, there have been few rulings on the laws as of now.
One of the main ones, which was actually one of the first ones, was a company that shared data without providing transparency and legal grounds and even in that case, the courts only granted indemnifications of 10,000 reais, which is fairly low.
So our analysis is the courts are trying to provide companies time to adjust their policies, providing indemnifications in a lower amount, but that should change very soon and that is a huge concern we have.
From the next day that the law came into force, we had public prosecutors trying to file actions against companies based on violations and claiming indemnifications around 100 million reais, 2 million reais and of course, courts have been trying to lower that for now, but it is a trend that I see in the future.
So I would say in Brazil that you would have to be concerned of courts indemnifications regarding violation of consumer rights due to breach of data protection and of course, the administrative penalties that are going to be issued by the data protection authority.
Perfect. So I'm shifting a little bit again and was just wondering, sort of where do you see the development of sort of data protection laws in Brazil going within the next sort of five to ten years?
I mean, obviously in the short term we're going to be focusing on the LGPD, but how do you see data protection evolving?
So if you think about the fact that we only started to understand what data protection actually is in 2018, I think Brazil still has a long way to go and one of the main things that I see happening in the next year is data protection becoming commercially important for most companies and for most consumers as well and this is a shift that we see going on now, but I think it's going to go on a lot further in the future and of course, having a national data protection that is more robust and more able to provide guidance to companies with regards to the many doubts we have.
So for now, whenever we have a doubt regarding the law, we have to look to Europe to see what they did and how did they regulate all that.
So we have to move forward to a path where we see what Brazil is doing, what are the regulations, how courts are interpreting those matters.
So I think for now we have baby steps, but of course we had a huge push towards having a more advanced system.
Perfect. And I know this again is sort of a million dollar question that we're all thinking about as well, but do you suspect that Brazil will sort of be seeking adequacy status with the EU once the LGPD gets up and running?
We have to. The LGPD was made to resemble and it really does resemble the GDPR in order for us to have an adequacy status with the EU and other countries as well.
I think a lot of it will have to do with the data protection authority being a stronger entity and actually having guidance and dependency in order to issue their rulings.
So that's certainly something that I see in the future and I think the law was made to allow for that.
Perfect. And then sort of just while we're wrapping up here, if you have to give sort of three tips to organisations to make sure that they're prepared for the LGPD, what would they be?
What would be kind of the golden pieces of information?
I think the first thing is do not assume that your local branch is already in compliance with the LGPD just because you performed some sort of adjustment to the GDPR.
Brazil really did not have a culture surrounding data protection and anything you did locally might not actually be able to provide the protection you think you have.
So I think that would be the first step.
And for foreign companies that do not have a local presence, it's important to analyse each policy in light of the LGPD and I cannot say this enough, if it's not in Portuguese, it's not going to be enforceable.
You cannot provide transparency and make sure that your operations are actually holding up in Brazil.
I think one of the worst things that you can have is have the feeling that you're protected when you're really not and that's something that we've been trying to inform clients about.
Perfect. Well, as always, Vanessa, it's absolutely fantastic to speak to you and thank you so much for taking the time to speak to us on International Privacy Day.
Thank you again.
Take care. Bye, sir. Bye-bye. Bye-bye.
Websites, they all need to be fast to delight customers. What we need is a modern routing system for the Internet, one that takes current traffic conditions into account and makes the highest performing, lowest latency routing decision at any given time.
Cloudflare Argo does just that. I don't think many people understand what Argo is and how incredible the performance gains can be.
It's very easy to think that a request just gets routed a certain way on the Internet no matter what, but that's not the case.
There's network congestion all over the place, which slows down requests as they traverse the world.
Cloudflare's Argo is unique in that it is actually polling what is the fastest way to get all across the world.
When a request comes into Zendesk now, it hits Cloudflare's pop and then it knows the fastest way to get to our data centers.
There's a lot of advanced machine learning and feedback happening in the background to make sure it's always performing at its best, but what that means for you, the user, is that enabling it and configuring it is as simple as clicking a button.
Zendesk is all about building the best customer experiences and Cloudflare helps us do that.