Brazil Adopts Comprehensive Data Protection Law

Katie Hyman, Partner

Brazil’s Lei Geral de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18, 2020. This Brazilian General Data Protection Law, Federal Law no. 13,709/2018, was published on August 15, 2018. It is heavily influenced by the EU GDPR and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.

The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.

The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.

Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.

An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.

If you want more information about this article, feel free to contact Katie Hyman or me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

Advocate General Asks EU Court of Justice WHAT?

The Advocate General of the Court of Justice of the European Union recently announced that it had delivered an opinion in connection with a number of proceedings calling for a preliminary ruling in cases involving Ireland and Austria. In Ireland, the owner of a mobile phone submits that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications. In Austria, three cases brought by the Province of Carinthia have alleged the Austrian Law on telecommunications is contrary to the Austrian Constitution.

Essentially, the top EU legal advocate is asking the EU court NOT to enforce a bad law so the legislature is afforded a chance to fix it. Seriously? That is like asking the U.S. Supreme Court not to strike down discriminatory laws and give Congress a chance to fix them. Seriously?
 


Monitor Postings in Europe or Face Liability

So you operate a website or have a blog in Europe. You allow others to post comments and interact with your website or blog postings. There is, after all, freedom of expression in Europe, isn’t there? Well on October 10 (2013), the European Court of Human Rights (ECHR) ruled that if you don’t monitor, censor or moderate postings by others on your website or blog, you may well have legal liability and responsibility – especially if the visitors post offensive comments.

In the case of Delfi AS v. Estonia, the Estonian news website (Delfi) ran a story about a ferry that provoked heated controversy in the nation. Many posts and comments contained threatening and offensive language, and many were anonymous. The ferry operator sued Delfi for failing to prevent these comments from becoming public and for protecting the identity of the individuals who posted such threats and abusive language. The Estonian court agreed with the ferry operator and ordered Delfi to pay damages.

Delfi appealed and the ECHR upheld the decision, noting: "The comments were highly offensive; the portal failed to prevent them from becoming public, profited from their existence, but allowed their authors to remain anonymous; and, the fine imposed by the Estonian courts was not excessive." In case you are wondering, Delfi’s terms of use state that individuals who comment are liable for the content they post. The court stated that since Delfi allowed many anonymous postings, it was reasonable to hold Delfi responsible.

What should you do? Call us and we’ll advise you. As always, if you want to know more about the information in this post, how to address the legal risks, or any other matters that could benefit from experienced legal counsel and representation, please contact me, Joe Rosenbaum, or any of the Rimon attorneys with whom you regularly work.