Sanctions, vacatio legis, and protection of civil rights

In the first publication of the Special Series on Litigation & Data Protection, we took a look at the sanctions applied by the European authorities, highlighting the performance of the German, Irish, and French data protection authorities, and we also mentioned the strong inspection activity of the ICO, the UK authority. The aim was to pave the way for an analysis of the Brazilian scenario.

And here we are. It is a fact that the Brazilian National Data Protection Authority ("ANPD") has not yet applied sanctions of any nature (pecuniary, warning or activity-restrictive), especially because of its recent constitution and structuring, focusing, currently, on the issuance of the regulations and opinions necessary to the national regulatory ecosystem. And it must be acknowledged: the work in this field has been intense.

But so that we could reach the current stage, a long legislative path has been traveled for four (04) years, since the LGPD was enacted back in 2018. And if today we question ourselves about the possible retroactivity of the application of its sanctions, this is due to the path outlined so far. Let’s remember.

The General Data Protection Act (Law No. 13,709/18 – “LGPD”), enacted in 2018, provided for an initial vacatio legis of eighteen (18) months from its official publication. Thus, the LGPD would enter into force in February 2020.

However, in December 2018, with the enactment of Provisional Measure No. 869/18, converted into Law No. 13,853/2019, the validity of the LGPD was changed to August 2020, except for the rules regarding the creation of the National Data Protection Authority (“ANPD”). In effect, to enable the proper exercise of the ANPD's advisory role in the process of adaptation of companies to the LGPD, the term for the other legal provisions was no longer 18 months (the initial vacatio legis); it was increased to twenty-four (24) months, an addition of 6 months, moving the entry into force of the LGPD, as mentioned above, to August 2020.

If the indicated terms were already the object of discussion, at that moment, the new coronavirus (COVID-19) pandemic emerged, with legislative reflexes in all fields. Several bills were proposed by the Chamber of Deputies and the Federal Senate to try to postpone the validity of the LGPD, in addition, of course, to all the other matters that were bubbling up during the health crisis that was starting. The justification was strong: the economy was suffering intense impacts, and eventual sanctions for non-compliance with the law could cause even more harmful results. 

Bill No. 1179/2020 (“PL 1179”), which dealt with the Emergency and Transitional Legal Regime of Legal Relations governed by Private Law (RJET) in the period of the coronavirus pandemic, sought to postpone the administrative sanctions of the LGPD to August 01, 2021. With a favorable vote, PL 1179 was sanctioned and gave rise to Law No. 14,010 of June 10, 2020, with the effective postponement of the validity of the chapter of sanctions applicable by the ANPD.

But it was not just that. Still in the context of the pandemic, on April 29, 2020, Provisional Measure No. 959/2020 (“MP 959/20”) was issued, aiming to extend the vacatio legis of the other articles of the LGPD (those that did not deal with sanctions) to May 03, 2021. After numerous discussions and developments in the legislative process, the LGPD became effective on September 18 of that year (2020). 

In short, it is our understanding that the effective dates of the LGPD should be understood as follows:

  • December 28, 2018, regarding the articles referring to the ANPD (55-A, 55-B, 55-C, 55-D, 55-E, 55-F, 55-G, 55-H, 55-I, 55-J, 55-K, 55-L, 58-A, and 58-B);
  • August 01, 2021, regarding the articles referring to administrative sanctions (52, 53 and 54), due to Bill 1179/20, which gave rise to Law 14,010/20;
  • September 18, 2020, regarding the other articles, due to Law No. 14,058/2020.

And given all these debates, the question arises: can irregularities committed during the vacatio legis period be punished by the ANPD?

According to a publication on the official website of the ANPD, the sanctions provided for in the LGPD apply to facts that occurred after August 01, 2021, or even to crimes of a continuing nature initiated before that date. Would this provision be related only to sanctioning issues of a regulatory/administrative nature? Or could it also be extended to civil aspects? 

How would (or will) perfect legal acts be treated, when consummated according to the law in force at the time they were performed? If the general provisions of the LGPD were in force, not complied with by the processing agents, would we be talking about a perfect act performed in violation of the law, but not punishable by the Regulatory Authority? According to our understanding, yes. 

It should be noted that the application of the sanctions provided for in the LGPD is the ANPD’s exclusive competency, as can be seen in article 55-K, and its competencies will prevail, concerning data protection, over the related competencies of other public administration entities or bodies.

But a big gap forms in this context: from the standpoint of civil reparation, how will illicit acts be treated that were caused by voluntary actions or omissions, negligence or recklessness of processing agents and that have caused damage to data subjects, especially in the period between September 18, 2020 and July 31, 2021 (the last day before the articles related to administrative sanctions entered into force)? From our point of view, compensation for pecuniary or moral damages would run in a parallel and independent way, even if the regulatory body imposes no sanction for an incident or improper processing. This is because the second paragraph of article 52 of the LGPD provides that the administrative sanctions of the LGPD do not replace the criminal, civil and administrative sanctions of the Consumer Protection Code, and of specific legislation. Article 45, in turn, provides that cases of violation of the subject’s right in the context of consumer relations remain subject to the liability rules provided for in the relevant legislation.

See, for example, the decision issued on an appeal before the São Paulo Court, which ordered the electric energy provider to pay compensation for moral damages because of a data breach that occurred after the entry into force of the LGPD articles, but before the entry into force of the sanctions. The award considered that, given a relationship governed by consumer law, the accountability regime should be extracted from it, leaving to the LGPD the discipline related to the regularity of data processing itself. The court concluded, in that case, that there was a fault in the service, provided without adequate security, especially regarding the method of provision, desired results and the lack of information, to the consumer, regarding the risks to which the personal data submitted to processing is subjected.

Innominate appeal - Leakage of customer's personal data by an electric power provider - Consumer relation - Processing of personal data of a person located in the national territory and after 09/17/2020 - LGPD applicable to the case - Leakage denotes that no effective security measures were taken by the controller/provider (art. 46 of the LGPD), which characterizes a fault in the provision of the service - Strict liability of the controller/provider (art. 14 of the CDC) – Action by a possible hacker that constitutes an internal fortuitous event – in re ipsa Moral damages, according to STJ precedent – Indemnity arbitrated in BRL 5,000.00 – Judgment reversed – Appeal provided. (TJSP. Appellate decision. Lawsuit No. 1003086-21.2021.8.26.0003; Court: 4th Panel - Civil Appeal. Reporting Judge: Carlos Eduardo Santos Pontes de Miranda. Trial date: 10/25/2021. Publication date: 10/25/2021).

The Appellate Labor Court of the 3rd Region issued another interesting judgment. The decision was published on June 10, 2021 and dealt with facts that occurred during 2020; amidst debates typical of the employment relationship, the case also dealt with a claim relating to moral damages, grounded on the exposure, considered to be improper, of the plaintiff's personal data. Even with the sanctions provided for in the LGPD not in force at the time of the facts and judgment, and even in the absence of specific provision, in the LGPD, regarding the processing of data in the labor relationship, it was concluded that labor relations must observe rules and principles provided for in the LGPD. Thus, based on the LGPD, and also on the Federal Constitution (art. 5, X), the Court upheld the condemnation, with adjustment only concerning the amount imposed:

PRIVATE PHONE NUMBER OF THE EMPLOYEE. DISCLOSURE ON THE EMPLOYER'S SALES WEBSITE. INDEMNITY. MORAL DAMAGE. ADMISSIBILITY. The characterization of moral damage presupposes violation of personal dignity - art. 1, III of the Federal Constitution -, by violating the psychic or physical integrity of the person, as well as the fundamental rights provided for in the Constitution of the Republic. And art. 5, X, of the CR/88 provides that “intimacy, private life, honor and the image of people are inviolable, ensuring the right to compensation for moral or pecuniary damage resulting from their violation”. The insertion of the employee's telephone number, on the company's website, without unequivocal proof of authorization, implies disclosure of personal data, which affronts their private life. Once the essential elements of the duty to indemnify are configured (unlawful act, damage, and causal relation) in relation to the right of privacy, the employer's condemnation is correct. (TRT-3 - RO: 00103371620205030074 MG 0010337-16.2020.5.03.0074, Reporting Judge: Ricardo Marcelo Silva, Trial Date: 06/09/2021, Ninth Panel, Publication Date: 06/10/2021).

In the context of punitive action, the São Paulo Court issued a recent decision emphasizing the application of the LGPD to databases formed on dates before the LGPD: 

(...) This is a civil reparation action based on the violation of personal data, filed under the General Data Protection Act - Law No. 13,709/2018, effective as of September 18, 2020, whose protection principle based on good faith applies retroactively to databases preexisting to its validity (art. 6, LGPD), a position contained in related regulations (CC and CDC), even though the specific administrative regulation on the matter has not been prepared (art. 63, LGPD).
(TJSP. Judgment. Lawsuit No. 1007913-21.2021.8.26.0506; Judge: Thomaz Carvalhaes Ferreira; Trial date: 01/24/2022. Publication date: 01/27/2022)

Therefore, it seems to us that the protection of rights related to proven violations of the obligations imposed by the LGPD is not frustrated, even in the face of the period of vacatio legis of the sanctions applicable by the regulatory authority. In addition to the fact that the State cannot remain inert in the face of the required judicial relief, it can be seen that the legal system, such as civil and consumer laws (without prejudice, of course, to the Federal Constitution itself), supports indemnity and/or punitive claims from the personal data subjects. Regarding the application of sanctions from an administrative point of view, a more conservative position will defend that they are non-punishable acts, especially given the very position issued by the ANPD.

Finally, it is worth mentioning that the ANPD will also have to articulate its action with other bodies and entities with sanctioning and regulatory powers related to the issue of protection of personal data, and that the Courts of the country will reflect, in the coming years, the positioning on the subject. It is worth keeping up with the news!