Impacts of the European Union’s General Data Protection Regulation in Brazilian companies

By Paulo Brancher (partner) and Camila Taliberti (associate)

The European Union’s General Data Protection Regulation (EU-GDPR), approved in April 2016, will enter into force on May 25th, 2018 and will change the legal reality of companies that process personal data within the European Union territory or that deal with data from residents of the European Union.

The Regulation will replace Directive 95/46/EC, written in the 1990s, at an early stage of the internet when concepts such as big data, cloud computing, behavioral marketing, applications and social networks did not yet exist. The main purpose of the GDPR is the protection of personal data with regard to new technologies, ensuring the free flow of such data while, at the same time, requiring transparency from those responsible for the processing of personal data and giving European citizens control over their own information.

Unlike the Directive, which established guidelines for each Member State of the European Union to adopt its own data-protection law, the GDPR was developed with the aim of harmonizing the data protection laws of the European Union countries, being binding on and directly applicable in all Member States. On the other hand, the GDPR also leaves the Member States a certain margin of autonomy to develop specific provisions adapting the application of the rules provided by the Regulation.

One of the main aspects of the GDPR is the concern to protect the privacy of European citizens within an environment of globalization and an internet-based economy that increasingly depends on data (the data-driven economy). The business environment of the internet has the peculiarity of blurring conventional physical boundaries, producing great advantages for communication and electronic trade. However, the lack of boundaries in the digital world also presents a major challenge when it comes to the applicability of rules outside of a jurisdiction.

Given this, one of the important innovations of the GDPR is its extraterritorial effects. The jurisdiction of the GDPR is not limited to companies located in the European Union, but it also considers the data subject and the business scope.

The Regulation applies in the following cases:

  • When the data processing occurs in the context of the activities of an establishment in the European Union, regardless of the processing location and the nationality of the data subjects;
  • When a company not established in the European Union carries out the processing of personal data and offers goods and services, even if free of charge, to EU residents, or monitors the behavior of EU residents.

The consequence of this extraterritorial application is that any company that performs processing of personal data of residents in the European Union may be subject to the rules of GDPR, so the Regulation’s scope of applicability is globally effective.

However, some aspects still need to be clarified, for example the definition of the terms “establishment” and “offering goods and services”. The guidelines of the Article 29 Working Party will be crucial to clarify the actual territorial scope of the Regulation.

As a reference, the Court of Justice of the European Union has already adopted a broad and flexible concept of “establishment”. In the case that became known as Weltimmo v. NAIH (case no. C-230/14)(1), Weltimmo, a company incorporated in Slovakia, was considered to be established in Hungary, as its internet page offered real estate brokerage services in the Hungarian language and the properties offered were located in Hungary; it also had a local representative, a local postal address and an account in a local bank.

The Court held that the term “establishment” must be interpreted broadly, in order to ward off any formalistic approach based on the place of incorporation of the company. Therefore, in order to determine where a company that offers services exclusively on the internet is established, it is necessary to evaluate both the degree of stability of the commercial arrangements and the actual performance of the activities.

Another relevant issue is how to define “supply of goods and services” and “monitoring of behavior”, in order to determine to what extent a company located outside the European Union is subject to the Regulation(2). Factors such as the use of the language of a Member State; the use of a Member State’s currency; references to customers in the European Union; and marketing directed at residents of the European Union may be considered evidence of this intent(3).

Despite these open questions, Brazilian companies that process the personal data of European Union residents must prepare for the GDPR by adapting their internal procedures to the rules and obligations imposed by the Regulation.

Without claiming to be exhaustive, we have selected some important points to be observed by companies that meet the requirements mentioned above.

Requirements for personal data processing

Article 13 of the Regulation establishes six authorizing hypotheses for data processing, namely:

  • The data subject has given consent to the processing of his/her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party, in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary to protect the vital interests of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary to meet legitimate interests pursued by the controller or by third parties, except if such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially if the data subject is a child.

Only on one of these grounds is the processing of personal data considered lawful and legitimate. Although these grounds were already provided for in the Directive, the GDPR brings a significant change as regards the consent of the data subject to the processing of personal data. Recital 32 of the GDPR establishes that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him/her.

Consent must be explicit and expressed in clear and simple language, including by electronic means such as ticking a box. Where the processing serves a variety of purposes, consent should be given for all of them. Therefore, the consent policy must always be opt-in; opt-out is no longer accepted. Silence, pre-ticked options or inactivity are not considered appropriate means of giving consent.

Among the exceptions to the rule of consent, the hypothesis of legitimate interest still lacks a clear and precise definition. As provided by the GDPR, the hypothesis of legitimate interest shall be used within the limits set by fundamental rights, so it is not a generic authorization for all kinds of data processing, and until a better legal and case-law definition exists it must be applied with caution.

The Article 29 Working Party considers that the data controller must weigh the fundamental rights of the data subject against its legitimate interest, in order to determine which data may or may not be used lawfully, without specific consent, for their intended purpose.

Rights of the data subject

The Regulation establishes a series of rights for personal data subjects in Chapter III, such as:

Right to information: the data subject has the right to obtain the identity and the contact details of the controller; the contact details of the data protection officer (DPO), where applicable; the purposes of the processing; and any other information necessary to ensure a fair and transparent processing.

Right of access: the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him/her are being processed; to access such data; to receive information about the processing and its purpose; and to be informed of the third parties to which the data will be disclosed and whether decisions are taken automatically on the basis of the processed data.

Right of rectification: the data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him/her.

Right to data portability: The data subject shall have the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided at first.

Right to object: The data subject shall have the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject.

Right to be forgotten/erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him/her, and the controller shall have the obligation to erase personal data when they are no longer necessary for the purpose for which they were collected, and when the data subject withdraws the consent on which the processing is based and there is no other legal ground to justify the processing.

The right to be forgotten shall not apply to the extent that processing is necessary for exercising the right of freedom of expression and information; for reasons of public interest; or for compliance with legal obligation provided for by the law of the European Union or Member State to which the controller is subject.

International data transfer

As a rule, the transfer of data to countries outside the European Union or to international organizations may only occur where the recipient ensures an adequate level of data protection. The adequacy assessment is carried out by the European Commission and takes several elements into account. Once the adequacy of a third country is recognized, personal data may be transferred to it without specific authorization from the data protection authority, and no further protective measures are required. The list of countries with recognized adequacy is reviewed periodically, every four years, and is available on the European Commission’s website at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm. In South America, only Argentina and Uruguay are recognized as having an adequate level of protection.

In the absence of an adequacy decision, controllers and processors must provide the so-called “appropriate safeguards”, such as the adoption of binding corporate rules; the execution of standard data protection contractual clauses; or the adoption of codes of conduct and certifications.

In the absence of both an adequacy decision and appropriate safeguards, the transfer may only occur under certain authorizing hypotheses, such as the consent of the data subject; the performance of a contract; reasons of public interest; the establishment, exercise or defense of legal claims; the protection of the vital interests of the data subject or of a third party; or a transfer from a register intended to provide information to the public and open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by European Union or Member State law for consultation are fulfilled in the particular case.

In the above-mentioned cases, the Regulation requires that the transfer to a third country or an international organization may only take place if it is not repetitive, concerns only a limited number of data subjects, and is necessary for the purposes of the legitimate interests pursued by the controller, provided that such interests are not overridden by the rights and freedoms of the data subject, and that the controller has assessed all the circumstances surrounding the data transfer and, on the basis of that assessment, has provided appropriate safeguards with regard to the protection of personal data.

Privacy by Design and Privacy by Default

The Regulation expressly incorporates the principles of privacy by design and privacy by default as a legal obligation for those responsible for processing personal data. Under these principles, it is the duty of the data controller to implement technical and organizational measures, such as pseudonymisation and data minimization, to ensure that the rights of the data subject are respected throughout the processing cycle.

Companies must take into account the type of data being processed in order to adopt technical and organizational measures compatible with the risks to the data subjects. The more sensitive the personal information processed, the greater the concern must be about the risks to the privacy and fundamental rights of the data subject.

The intention is to ensure that personal data will not be processed for any purpose without the consent of the user. That is, only the personal information necessary to provide a particular service may be collected.

These principles must be applied to the whole process: to the amount of personal data collected; to the period for which the data are stored; to the extent of the data processing; and to the accessibility of the data.

Responsibilities and Penalties

Several articles of the GDPR deal with the obligation of the controller itself to provide evidence that it is working in accordance with the Regulation. That is, the data controller has the obligation and the responsibility to apply the technical and organizational measures necessary to demonstrate that all data processing procedures comply with the Regulation.

The GDPR gives examples of what may be considered evidence of compliance, such as documents and tracking logs. In addition, the controller must keep records of the processing under its responsibility and must cooperate with the data protection authority, providing those records when necessary for the supervision of processing operations.

Companies with more than 250 employees, or whose core activity is data processing, are required to designate an in-house person responsible for personal data protection (the Data Protection Officer), who will have several tasks, including monitoring compliance with the GDPR and cooperating with the data protection authority and other government agencies.

In the event of a data breach, companies are obliged to notify the supervisory authorities and communicate the breach to the data subjects within 72 hours after becoming aware of it, unless the controller demonstrates that the breach is unlikely to result in a risk to the rights and privacy of the data subjects.

Supervisory authorities have jurisdiction to investigate those responsible for the processing of personal data and may request information, access the company’s facilities and order measures to ensure compliance with the Regulation. Such authorities also have the power to impose administrative sanctions, which may reach EUR 20 million or 4% of the company’s annual global turnover.

Conclusion

It is extremely important that Brazilian companies that process the data of European Union residents be prepared for the GDPR by May 18, 2018.

As regards Brazilian companies that do not process the personal data of European Union residents, it is worth remembering that Bill of Law 5276/2016, which aims to establish in Brazil a General Data Protection Law inspired by the GDPR, is currently under discussion in the National Congress. Once the Bill is approved, Brazilian companies will have to adapt to it within a period of 3 months to a year.

Although compliance with data protection rules involves a series of complexities, companies should see it not as a cost but as a distinguishing element for competing in the market. Besides, the company may be able to build an image of trust with its employees and customers. This is a consequence of the new data-based economy.

*This article benefited from the valuable contribution of Vitor Koketu da Cunha, legal intern at Azevedo Sette Advogados.

1 – Available at http://curia.europa.eu/juris/liste.jsf?num=C-230/14#
2 – Recital 23 of the GDPR.
3 – Case Pammer v. Hotel Alpenhof (case no. C-585/08). Available at http://curia.europa.eu/juris/liste.jsf?num=C-585/08&language=pt#