By Luca Belli, Nicolo Zingales, Erica Bakonyi, Yasmin Curzi and Walter B. Gaspar
In August 2021, the National Data Protection Authority (ANPD) started a public consultation for a proposal to regulate the application of the General Data Protection Law (LGPD) to small and medium-sized companies and start-ups.
In addition to being an important initiative for companies that fit this profile, the regulation matters equally for larger or more complex organizations, which may hire service providers, or provide services to customers, that benefit from the special regime.
Given the relevance of the matter, and in order to contribute to the improvement of the regulation, the Center for Technology and Society at FGV Direito Rio (CTS-FGV) provided some suggestions in the course of the public consultation – see the technical note that consolidates our contributions.
On January 24, the Authority adopted the Regulation that resulted from this public debate, incorporating some of the suggestions received. In this text, we seek to highlight its positive aspects and to point out controversies that will potentially deserve the Authority's attention in the future.
Firstly, the possibility that businesses organize themselves in representative bodies for the negotiation, mediation and settlement of complaints presented by data subjects is a step forward. The measure, provided for in Article 8 of the Regulation, opens a path for smaller actors, with less capacity to respond individually, to rely on collective arrangements that balance the interests of data subjects and controllers. This provision also has clear synergies with the possibility for such bodies to adopt rules of good practices and governance which, under article 50 of the LGPD, can be recognized and disseminated by the ANPD.
A second highlight is the waiver of the indication of a Data Protection Officer (DPO) brought about by article 11, on the condition that a communication channel with the data subject is provided. Although not mandatory, the appointment of a DPO can still be carried out and will be considered a policy of good practices and governance, which can be a mitigating factor for administrative sanctions.
In our contribution, we suggested an intermediate position, since the DPO plays an important role in mediating the relations between the controller, on the one hand, and the data subject and the Authority, on the other. It remains to be seen how these communication channels will be structured in practice. Nevertheless, it is crucial that they be easily accessible and that they also perform a pedagogical function, making clear what the controller's responsibilities are regarding the rights of the data subject.
The third highlight is the possibility of keeping simplified records of data processing activities, as well as simplified information security policies, fully contemplating the elements suggested in our technical note for articles 9, 10, 13 and 15 of the Regulation. On this point, we are yet to see the templates that the Authority will provide, which will ultimately determine the extent of the controllers’ obligations.
A final element that provides more flexibility for small and medium-sized controllers is the doubling of the available response time for data subject requests, and for communicating with the ANPD and the data subject in the face of a relevant security incident.
In addition to these highlights, and coming back to one of the topics reported in our technical note, the complete removal of the mention of data portability is another point that deserves attention.
Although the right to portability has been enshrined in article 18, item V, of the LGPD, its specific content has not been defined in the law, and, therefore, a position by the ANPD would be welcome to clarify its scope and identify the standards that should be followed to effect it.
In the European General Data Protection Regulation (GDPR), in particular in its article 20, the concept encompasses two obligations: both the right of data subjects to receive their data in a structured, commonly used and machine-readable form, and the right to transmit their data in a structured, commonly used and machine-readable form to another controller (another company, service, social network, etc.). Can it be inferred from the text of the LGPD that the legislator, strongly inspired by the GDPR, wanted to include both?
A possible compromise would have been to require the most complete form of portability only from large controllers, relieving small and medium-sized companies of the burden of having to transfer data to another controller. Without this differentiation, and without the establishment of interoperability standards, there is a risk that the right provided for by article 18 will be implemented in an ineffective way or, if interpreted broadly, will generate significant costs for small businesses. Note that the ANPD's regulatory agenda, published in January 2021, does not include the definition of interoperability standards as required by article 40 of the LGPD. This fact, together with the postponement of the definition of the subject in this Regulation, raises some concern, because without such regulations the right to data portability risks remaining empty and effectively impossible to implement.
The initial wording proposal on the subject totally exempted small entities from the obligations necessary to guarantee the full enjoyment of this right. As we pointed out in our contribution, such a measure could significantly undermine the exercise of this right by data subjects. As an alternative, we indicated an intermediate path through which the Authority, exercising its pedagogical role, could list simplified portability standards for the entities concerned. Given the complexity of the matter, which is also tied to data interoperability issues, postponing a definition on the subject seems to be a prudent solution. However, we hope that the Authority does not neglect the issue and that, in the near future, it can establish regulations aimed at implementing this type of mechanism, in order to ensure legal certainty and concrete standards for interoperability.
Finally, reference should be made to the concept of "high risk" data processing. In our contribution, we documented possible risk rating criteria applied in foreign jurisdictions, to illustrate a complex scenario that requires further reflection and detail. As examples, we cited the cross-referencing of different databases, the processing of data that conditions access to essential rights or services, and situations in which the data processing itself constitutes the main activity of the controller in question.
The idea was to define a sufficiently specific scope so that small entities that process personal data as a mere by-product of their main activity could benefit from a regime more suited to their reality, while excluding those situations that could expose the rights of data subjects to disproportionate risks (either by their nature or by the volume of data processed).
At this point, the Authority chose to develop the risk classification system in more detail, giving it its own article in the Regulation and creating a system of general and specific classification criteria. The system did not fundamentally change the criteria of the original text, but its wording gained consistency and clarity.
Although our suggestion of a classification guided by the nature of the activities undertaken was not adopted, it is important to highlight that placing the general criterion of "processing of personal data that can significantly affect the interests and fundamental rights of data subjects", defined in Article 4.I.b, in its own paragraph is a significant development, as it establishes the observance of fundamental rights as a central element in the application of the rule.
Regardless of whether one agrees or disagrees with the new regulation, the fact is that we are moving towards a secure data processing ecosystem that strengthens the fundamental rights of individuals. We look forward to the Authority's next steps and, of course, to compliance by personal data processing agents.