Approved in 2018, the Brazilian Data Protection Law (LGPD), Law N. 13,709/2018, has its effective date divided in three phases until its complete validity. In the same year that the Law was enacted, the part referring to the organization of the National Data Protection Agency (ANPD) came into force due to the need to structure the supervisory body. The rest of the legislation came into effect in September 2020, while the enforcement of fines came into effect only in the first day of this month. On the same date, Ordinance N. 16/2021 entered into force, approving the regulatory process within the scope of ANPD.
Therefore, the articles referring to administrative sanctions, Articles 52, 53 and 54 of the LGPD, came into effect and contemplate from warnings to more severe sanctions, such as the total prohibition of the exercise of activities related to data processing. However, it is still expected the publication of ANPD’s own regulation on the subject, containing internal procedural rules to guide its actions. In addition to this regulation, a specific rule to deal with sanctions and dosimetry of fines will still be submitted to public consultation.
Even though the LGPD came to be fully effective as of August of this year, we can already feel its impact on court decisions, as the data owner has gained power to demand its protection, as is the case in Article 42 of the LGPD, which provides for compensation for pecuniary and moral damages.
Therefore, the Union of Food Industry of Montenegro, state of Rio Grande do Sul, filed a class action against the Cooperativa dos Citricultores Ecologicos do Vale do Cai Ltda. (“Ecocitrus”) on behalf of the workers of the company, whose object was the systematic non-compliance with the protection of employee data by the company, claiming that Ecocitrus shared de data with several controllers and operators without the necessary precautions, in addition to claiming that there the company did not indicate a designated person, all of these, requirements of LGPD.
According to the decision issued by the Labor Court of Rio Grande do Sul, the cooperative failed to demonstrate elements that proved its ability to handle employees’ data safely, that is, to have implemented the LGPD guidelines correctly. Therefore, the Court determined that Ecocitrus nominate a data protection officer, implement and prove in the records the practices related to data security and confidentiality.
Diversely, the Court did not grant the request for moral damages based on Article 52 of the LGPD, under the justification that failure to implement the legal requirements does not, by itself, justify damage to the rights of the data owner, since, according to the decision, there is no demonstration of data leakage or other illegal use capable of affecting the sphere of privacy/dignity of the workers.
On the other hand, the lawsuit filed by the union against JBS Aves Ltda. on behalf of the company’s workers in this same sense was dismissed, understanding that the company had a designated person and a data privacy manual.
Therefore, these two lawsuits reaffirm to the need for Brazilian companies to adapt to LGPD. Additionally, compliance with the standards established by the LGPD should not be seen as mere compliance with legislation, as it can also strengthen the trust of customers, suppliers and business partners, considering, for example, that companies tend to look for partners with maturity in terms of data protection, as the operator and controller can jointly respond in order to ensure the effective compensation to the data owner, based on Articles 42 to 45 of the LGPD.
It is also noteworthy that the improvement of internal structures with the implementation of processes for data protection can mean the maintenance of a company’s image. The application of a sanction due to an eventual infraction, as in the case of Ecocitrus before the Labor Court, can mean a reputational damage, which can lead to loss of business and consequently affect the company’s profit.