After one year of GDPR, what do we see and what can we expect for LGPD?

May 25, 2019 is the one-year anniversary of the entry into force of the European Union's General Data Protection Regulation - known as the "GDPR". This global milestone in data protection legislation served as inspiration for Brazil's General Data Protection Law - the "LGPD" - and guided a shift in the way regulators view privacy and the protection of personal data. Let's see what examples and predictions this first year of the GDPR can offer for our LGPD.

Since the GDPR went into effect, there have been 144,000 petitions to national data protection authorities and 89,000 notifications of data leaks, leading to fines totaling more than €56 million (IAPP, GDPR at One Year: What We Heard from Leading European Regulators, 2019). While the largest of these fines, imposed by the French authority on Google, Inc., alone amounts to €50 million, we have at least four more that exceed €100,000 in various countries, and thousands of smaller punishments, including for small businesses and individuals acting on their own (CMS Hasche Sigle, GDPR Enforcement Tracker, 2019).

While adherence to GDPR is already commonplace in Europe, today in Brazil we have a difficult scenario for compliance. Except for the largest companies and members of international groups, there is little movement to complete the adaptation to the LGPD within the deadline that ends in August 2020. The scenario is even worse for small and medium-sized companies, where data protection is hardly ever talked about. Expectations are that only a few companies will actually be compliant by the time the LGPD comes into force.

This is largely due, at least in Brazil, to a perception that compliance - or, rather, non-compliance - with the new law will not have a material impact on the company's business. This is not what European practice shows.

As in Europe, it is expected that in Brazil even small companies will be subject to fines as soon as the LGPD comes into force, depending only on the complaints of those affected and the efficiency of the Brazilian Data Protection Authority, which has not yet been established. We expect the same sectors that received the largest fines in Europe to be the targets of the largest penalties in Brazil, namely, big data, health, the processing of public data, and the government itself and its utilities. In fact, when it comes to leaking personal data, Brazilian companies are already exposed to the risk of public civil actions, some of which were filed this year by the Special Unit for Data Protection and Artificial Intelligence of the Public Prosecutor's Office of the Federal District and Territories with claims for multi-million-dollar collective damages.