In just six hours of deliberation, the Brazilian Senate propelled a measure aimed at protecting its citizens’ data to the desk of the country’s President, an action that’s been two years in the making. Unless vetoed, the Lei Geral de Proteção de Dados Pessoais, or LGPD, Brazil’s General Data Protection Law, will likely become effective by September 16, 2020.
Before the LGPD, data privacy in Brazil was managed by a patchwork of sectoral legislation that created confusion and ambiguity in the rights afforded to Brazilian citizens. In 2018 the LGPD was passed as the country’s first omnibus data privacy measure. Between political turnover and the Covid-19 pandemic getting LGPD implemented has proven to be challenging for Brazil.
On August 26, the country’s Senate put a stop to further deferrals of the LGPD. It rejected a Presidential Measure, Article 4, which would have delayed the effective date of the LGPD until 2021. The Federal Government of Brazil has also approved the creation of the Autoridade Nacional de Proteção de Dados (“ANDP”), the country’s data protection authority, responsible for the enforcement of the LGPD. The creation of the ANDP, and its eventual formation, are the last steps in what was a multi-year political battle to manage the enactment and enforcement of the LGPD. Employers must take action now to understand the impact of the LGPD on their organizations, and concerning background verifications – transparency is vital.
What Is The LGPD’s Reach?
All companies who collect or process the data of individuals residing within Brazil or that offer goods and services in Brazil must adhere to the LGPD. Brazil’s new data protection law has an extraterritorial effect, meaning that it applies to companies that do not have a physical presence in the country. Employers who hire candidates in Brazil or who engage third-party service providers in the country should prepare for compliance with the LGPD.
How Is Data Regulated?
The LGPD broadly regulates personal and sensitive data. Employers should assess how each type of data is collected, used, stored, and retained within their organization. Additionally, employers should become familiar with the obligations facing data controllers and data processors. As data controllers, employers determine why personal data will be collected and how it will be processed. Data processors, which are often service providers to the employer, such as background verification vendors, act at the employer’s direction as the data controller to use the data for the purpose identified by the employer.
Personal data generally relates to information that identifies an individual. While an express definition of personal data is omitted, from the LGPD, information such as an individual’s name, address, and national identification number will likely constitute personal data. Employers should request an individual’s unambiguous consent before requesting that their personal data be processed for a specific purpose, such as a background verification. However, personal data may be processed absent consent in the following circumstances:
- To comply with a legal obligation;
- When it is necessary by the public administration for the execution of public policies, or based on contracts or agreements;
- When it is a study carried out by a research entity where data is anonymized as possible;
- To execute a contract at the request of a data subject;
- To exercise judicial or administrative rights;
- For health care purposes;
- To protect the life or physical safety of the data subject or a third party;
- For the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect the data subject’s credit score.
Suppose an organization chooses to collect and request processing of an individual’s data without consent based on an exception available under LGPD. In that case, they should do so only after considering the effect of other established laws. For example, if data is processed absent consent for the employer’s legitimate interests, could that action impede the individual’s constitutional rights, or rights established under other sectoral laws? If the answer to that question is yes, or likely yes, then the organization should obtain the data subject’s express consent to process their data.
Sensitive personal data is defined as information relating to an individual’s race or ethnicity, religion, health, sexual orientation, genetic and biometric information, labor and union membership, and political views. The processing of sensitive data may only occur with the data subject’s express consent.
What Are The Data Subject’s Rights?
Data subjects are the individuals whose data is collected and processed. In the employment context, these individuals would include candidates for hire, employees, and other workers. The LGPD establishes nine fundamental rights for Brazilian data subjects, including:
- The right to confirmation of the existence of the processing;
- The right to access the data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to the portability of data to another service or product provider, using an express request;
- The right to delete personal data processed with the consent of the data subject;
- The right to information about public and private entities with which the controller has shared data;
- The right to information about the possibility of denying consent and the consequences of such denial; and
- The right to revoke consent.
Upon the data subject’s request, if an employer utilizes automated means for decision making, the employer must provide clear information concerning the criteria and process used to make the automated decision. In practical terms, employers who use automated adjudication processes or other automated processes to assess an individual’s fitness for employment should prepare model responses for data subject inquires to comply with LGPD.
A Culture Shift Towards Transparency
While employers have been on notice of the impending approval of LGPD, many have been hesitant to take substantive steps to comply without knowing what the legislation will entail. Further, many employers are deeply rooted in a belief system that fosters secrecy when inquiring about personal data. The LGPD dismantles any such practices.
“In Brazil, it’s not uncommon for an employer to perform a background check without the knowledge or appropriate consent from a job applicant. The LGPD is likely to force a culture shift where employers must be transparent with their candidates in collecting and using their data,” said Ryan Christensen, Director of Latin America at HireRight, a global background verifications firm.
Even though Brazil’s Data Protection Authority will not begin enforcing the LGPD until August 2021, citizens may bring a private right of action in court for noncompliance with the law once it becomes effective, “although such actions are not likely to move quickly through the Brazilian Court System,” said Christensen.
Preparing For Compliance
The time to place long-standing cultural norms by the wayside and to comply is now. Here’s how employers should prepare:
In preparation for LGPD, an employer should appoint a Data Protection Officer (“DPO”) as required by LGPD. The DPO’s purpose is to act as an intermediary between the employer, their candidates and workers, and the ANDP. The DPO’s function can be managed by an individual within the company or a third-party agent. However, it is unclear if the DPO must be based in Brazil. The DPO should be clearly identified on the employer’s website and prominently listed on employment applications, background verification disclosures, or other documents where an individual’s personal or sensitive data is requested.
Data mapping exercises should be undertaken so that an employer understands the specific types of data collected, the purposes for collecting that data, and how the information is used and managed. Under LGPD, personal data should only be retained by the data controller for as long as necessary to achieve the purpose for which it was collected. Therefore, many employers will need to purge their systems of data that are no longer relevant. To the extent that data is stored with third-parties, employers will likewise want to ensure that any irrelevant data is correctly disposed of.
Employers should prepare compliance documentation that aligns with LGPD’s requirements. A disclosure that identifies the specific legal basis for collecting and processing a candidates’ and workers’ data, and is unambiguous in its intent or reach must be presented to the data subject before processing their data. In terms of background verifications, this would include identifying the reason under LGPD that the request is valid, the specific ways the data subject’s information will be used, if data will be transferred outside of Brazil, and the terms of the data’s retention. Consent must be freely given by a data subject and can be withdrawn at any time. An employer cannot retaliate against an individual who refuses to give consent, and data subjects must be apprised of the consequences of not consenting.
Although the LGPD does not explicitly require data processing agreements between employers as data controllers and their service providers as data processors, many employers may choose to request data processing agreements to clearly outline the responsibilities of all parties involved in the collection, use, and management of a data subject’s personal or sensitive information. Employers who choose to forgo data protection agreements should still engage their vendors in discussing their vendors’ policies and processes and ensuring that they are prepared to comply with LGPD.
As the ANDP prepares for enforcement next year, they will issue formal guidance and rules on the implementation of the LGPD. In the interim, we know that noncompliance with the LGPD may result in fines of up to 2% of a private legal entity’s revenue in Brazil for the prior fiscal year up to 50 million Reais. We don’t know to what degree the ANDP will promulgate additional rules that constrain compliance with some of the broad and uncertain terms currently listed in the regulation.
The LGPD is evidence of the importance lawmakers impart on protecting their constituents’ data. While moral and right for private citizens, these laws can create challenges for organizations that are simply trying to get people hired. However, by taking logical and reasonable steps towards promoting transparency, an organization can not only further compliance with the law but also improve its relationship with data subjects and their brand’s image by adopting well-reasoned and compliant data privacy practices.