Protection of personal data in the globalized society – Part II


By Renato Afonso Gonçalves*

In the previous article we drew a historical overview of the protection of personal data, culminating in the enactment of the European General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD).

As seen, the European GDPR, Regulation (EU) 2016/679, is perhaps the most important data protection law at the present time, as it seeks the necessary balance between the development of a huge digital market and the protection of personal data, with repercussions even for those nations that maintain commercial relations with Europe. This statute is the result of the maturation of experience in dealing with the matter in the legislative, regulatory and jurisprudential fields.[I] It is the recognition that the matter has acquired enormous proportions in economic, social and cultural terms.

The GDPR, which entered into force on May 25, 2018, is composed of 173 Recitals and 99 Articles, which denotes not only the great length of the statute but also the concern of the European legislator to detail its content in order to facilitate its application, although legislative and regulatory room is left for the Member States to refine its application in their respective territories.[ii]

Thus, the European Regulation seeks to establish the material and territorial scope of application of the rules; establish definitions, principles and conditions for the processing of different categories of personal data; confer rights on holders of personal data; establish rules concerning those responsible for processing and their subcontractors; establish rules for the international transfer of personal data; establish public and administrative control mechanisms and sanctions for the violation of its precepts; and standardize data protection within the scope of labor relations.

In a very brief summary, we will try to point out the main aspects of the new European statute.

It should be noted that the purpose of the GDPR is “to contribute to the creation of an area of freedom, security and justice and an economic union, to economic and social progress, the consolidation and convergence of economies at the level of the internal market and to the well-being of natural persons”.[iii] The aim is therefore not to prohibit economic activities in the digital world; on the contrary, it is to ensure that these activities are carried out on the premise of respect for the fundamental right to data protection, which, consequently, also guarantees fair competition among economic agents. As stated in Recital 7 of the GDPR, “legal security and practical security for natural persons, economic operators and public authorities” must be reinforced.

The statute under examination establishes a broad concept of “personal data”[iv], which is any information relating to an identified or identifiable natural person (a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

The same breadth was used in defining data processing as an operation or a set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as the collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction.[v] With this, it is clear that the GDPR has greatly expanded its scope, affecting professional or commercial activities that have some form of handling of personal data as a premise or as an instrument of their development.

It should be noted that the GDPR established a categorization of personal data and different levels of protection, depending on the expression of the subject's privacy or intimacy. These are what the doctrine calls sensitive (intimacy) or non-sensitive (privacy) personal data. For this reason, Article 9 of the GDPR establishes as a general rule that “the processing of (sensitive) personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or union affiliation, as well as the processing of genetic data, biometric data to uniquely identify a person, data relating to health or data relating to a person's sex life or sexual orientation”. , therefore, of greater accountability for their violations.

Another relevant aspect concerns the lawful processing[vi] of personal data, which only occurs if the respective holder has given due consent for one or more specific purposes, such as the pre-contractual phase or the execution of a contract; for the fulfillment of a legal obligation to which the controller is subject; for the defense of vital interests of the data subject or another natural person; for the exercise of public interest functions or the exercise of public authority vested in the controller; for the purposes of the legitimate interests pursued by the controller or by third parties, unless the interests or fundamental rights and freedoms of the holder that require the protection of personal data prevail, in particular if the holder is a child[vii], a hypothesis that does not apply if data processing is carried out by public authorities in the pursuit of their duties electronically.

Thus, the processing of personal data can only take place in a lawful, fair and transparent manner, aiming at specific, explicit and legitimate purposes, and the data cannot be subsequently processed in a way that is incompatible with these purposes. The data must be adequate, relevant and limited to the purposes for which they are processed (data minimization), and must be kept accurate, updated, and preserved in a way that allows the identification of their holders only during the period necessary for the purposes for which they are processed (storage limitation), and may be kept for long periods, provided that they are processed exclusively for archival purposes in the public interest, or for scientific, historical or statistical research purposes.

Security gains centrality in the GDPR, aiming to protect personal data from unauthorized or unlawful processing, as well as from accidental loss, destruction or damage, with the adoption of appropriate technical or organizational measures, which is why all data controllers are held accountable and co-responsible for the handling, requiring the registration of all risk treatment and management activities, with the appointment of a person in charge and the notification to the competent authorities of any violations.

To make its rules effective, the GDPR establishes powerful sanctions for its violation, allowing Member States to regulate the matter at all times to broaden the spectrum of effectiveness. That is what its Article 58 provides, granting each Member State authority corrective powers through warnings, reprimands, orders to adopt specific procedures, withdrawal of certifications, application of large pecuniary fines (Article 83[viii]), and orders suspending the sending of data to recipients in third countries or to international organizations.

Lastly, attention is drawn to the aspect of territoriality, which aims to protect the personal data of European residents anywhere in the world. Article 3 of the GDPR prescribes that the statute applies to the processing of data of European residents, regardless of whether the processing takes place inside or outside the European Union.

It also provides for its application when the controller or processor, not established in the Union, offers goods or services in the Union, or intends to monitor the behavior of the data subject, provided that this behavior takes place in the European Union. For these reasons, all persons who establish any type of economic relationship with the European Union must necessarily observe the GDPR.

As a result of this scenario, the same applies to the transfer of data of people residing in Europe. This is what Article 44 of the GDPR determines, by prescribing that “any transfer of personal data that are or will be subject to treatment after transfer to a third country or an international organization is only carried out if, without prejudice to the other provisions of this regulation, the conditions laid down in this chapter are respected by the controller and the processor, including with regard to onward transfers of personal data from the third country or international organization to another third country or other international organisation. All provisions of this chapter are applied in such a way as to ensure that the level of protection of natural persons guaranteed by this Regulation is not compromised”.

After a quick analysis of the GDPR, let's move on to the new Brazilian LGPD.

As seen, the LGPD came to integrate the existing legislative framework until 2018 for the protection of personal data, therefore reinforcing the Brazilian protection of privacy, intimacy, honor, image and dignity of the human person.

Brazilian society has long wanted a specific statute on the subject, and the enactment of the European GDPR precipitated its approval, insofar as it has become strategic and vital for our economy to establish levels of protection similar to the European one, so as to contribute to the international competitiveness of Brazilian companies.

Initially, it should be noted that LGPD will only come into force in February 2020, precisely so that Brazilian society and the market can adapt to the new requirements.

It is a law that institutes principles to be observed in the matter, set out in the illustrative list of Article 6, and which contemplates the figure of good faith, outlined and consolidated in civil law.

Thus, the principles expressed in the LGPD are: purpose – the processing must be carried out for legitimate, specific purposes, and without the possibility of handling incompatible with those purposes; adequacy – the processing must be compatible with the purposes informed to the data subject; necessity – the processing must be limited to the minimum necessary for the fulfillment of the purposes; free access – holders must be guaranteed easy and free consultation on the form and duration of processing, as well as access to all of their data; data quality – the accuracy, clarity, relevance and up-to-dateness of the data must be guaranteed; transparency – the provision of clear and easily accessible information to holders must be guaranteed; security – technical and administrative measures capable of protecting data from unauthorized access must be adopted; prevention – measures must be taken to prevent the occurrence of damage due to the processing of personal data; non-discrimination – impossibility of processing for discriminatory purposes; responsibility and accountability – demonstration of effective measures to observe and demonstrate compliance with personal data protection regulations.

These principles guide all activities that handle personal data and are combined with the duty of privacy by design and privacy by default. Privacy by design, or privacy from conception, is a concept related to systems engineering, which takes privacy into account throughout the construction and execution process (adopting, for example, pseudonymization and encryption), respecting human values throughout the process. Privacy by default, or protection by default, implies that the handlers must ensure that personal data are treated with the highest privacy protection (only necessary data must be processed, for a short retention period and with limited accessibility) so that, by default, personal data are not made available to an indefinite number of people. The GDPR, in its Article 25, expressly enshrined these concepts, which did not happen with the LGPD. However, the conjunction of Articles 6 and 46 of the LGPD allows us to infer that these principles/concepts were adopted by our law.

Like the GDPR, our law sets out the scope of its material and territorial application, establishing definitions, principles and conditions for the treatment of different categories of personal data. It also grants rights to holders of personal data, establishing rules for those responsible for handling and their subcontractors, and outlining public and administrative control mechanisms and sanctions for violation of its precepts.

Unlike the GDPR, our law enshrines the fundamental right to informational self-determination (Article 2, II), which in our opinion is a positive aspect, as it consolidates this important achievement of humanity in the face of new technologies in the national legal culture.

The novel Brazilian law for the protection of personal data becomes the general law in the matter, which radiates commands to all areas of law and must be applied and interpreted systematically from the constitutional precepts of the matter. Therefore, the LGPD has a matrix character that will impact multiple sectors of the economy and state activity.

Thus, as a general rule, any handling, collection or processing of personal data carried out in the national territory, whose holders are in Brazil, is subject to Brazilian law, regardless of the location or nationality of the person handling them. Exempt from its application is handling by a natural person for private purposes; carried out for journalistic, artistic or academic purposes; or carried out for the purposes of public security, national defense, State security or investigation and repression of criminal offenses, hypotheses that will be subject to their own rules, observing due legal process, the general principles of protection and the rights of the holder.

The handling of personal data of children and adolescents was contemplated in the LGPD, which deals with the subject in Article 14, remembering that in these cases the law must be applied and interpreted in line with the Statute of the Child and Adolescent (ECA) and the Civil Code. Unlike the GDPR, our law has not fixed the age limit for the data subject to give consent autonomously, only establishing that “the processing of personal data of children must be carried out with the specific and prominent consent given by at least one of the parents or the legal guardian” (§ 1 of Article 14). Thus, we understand that Art. 2 of the ECA applies, which considers a person up to twelve years of age to be a child.

In the wake of the GDPR, Brazilian law did not shy away from facing the issue of anonymization of data, that is, the use of reasonable technical means available at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual. As noted, this data is not considered personal except when the anonymization process can be reversed, using exclusively own means or through reasonable efforts, considering objective factors such as cost and time to reverse the anonymization process (pseudonymization).

Another noteworthy aspect is civil liability for damage relating to personal data, a matter treated in a very similar way to that provided by the Consumer Protection Code (CDC). Incidentally, the text of the new statute was right to emphasize that injuries to personal data in consumer relations will be investigated in integration with the CDC (Article 45 of the LGPD).

Thus, recognizing the possibility of the occurrence of pecuniary, moral, individual or collective damages caused by the processing agents, Article 40 of the LGPD establishes the general rule of joint and several liability (solidarity) between the controller and the operator when the latter fails to comply with the obligations of the data protection legislation or when it has not followed the lawful instructions of the controller. The controllers are also jointly and severally liable when they are directly involved in the processing which resulted in damage to the data subject.

Exceptions to this joint liability rule are provided for in Article 43 of the LGPD. These are: when the processing agent (controller or operator) proves that it has not processed the personal data attributed to it; when it proves that, although it has carried out the processing of personal data attributed to it, there has been no violation of data protection legislation; or when it proves that the damage is due to the sole fault of the data subject or third parties. For this system, the law reserves the possibility of an action for recourse, and collective protection in court with the application of the CDC and the Public Civil Action Law.

Another measure similar to that recommended in the CDC is the one that provides for the reversal of the burden of proof in favor of the data subject, when the allegation is credible, when the data subject lacks the means to produce evidence, or when the production of evidence by the data subject would be excessively burdensome.

Unlike the GDPR, which provides for a period of 72 hours, the LGPD only provides for the duty of the controller to communicate, within a reasonable period, to the National Authority and the holder about the occurrence of a security incident that may entail significant risk or damage. Our law has failed at this point as there are no elements for defining a reasonable period, which will possibly be left to regulation by the National Authority. In this case, the National Authority may adopt measures similar to the consumer recall, such as wide dissemination of the fact in the media (a very embarrassing hypothesis for the controller's image), as well as other measures it deems necessary to reverse or mitigate the effects of the incident.

As for the international transfer of personal data (Articles 33 to 36), Brazilian law followed the path of the GDPR, allowing it only for those countries or international organizations that provide a degree of protection of personal data adequate to that provided for in the LGPD or when the controller offers and proves compliance, through contractual provisions, corporate standards, seals, certificates and codes of conduct regularly issued, with content defined or verified by the National Authority.

Another indispensable requirement for the international transfer of personal data is the need for specific consent from the data subject, which must be highlighted and distinct from other purposes.

Lastly, with regard to administrative sanctions, the LGPD has done well in setting large sums. Thus, in accordance with each specific case, the National Authority, after concluding the administrative procedure and guaranteeing full defense, may impose a warning; a simple fine of up to 2% of the revenue of the private legal entity, group or conglomerate in Brazil in its last fiscal year, limited in total to R$ 50.000.000,00 per infraction; a daily fine; publicizing of the infraction; and blocking of the personal data to which the infraction refers until its regularization.

As seen, the digital world has reached an extraordinary degree of development. Humanity's growing technological dependence only increases the amount and flow of personal data available to disruptive technologies. Protecting privacy, intimacy, image and personal data is an indispensable task for the necessary balance in the post-modern world.

Therefore, following the example of what happened in Europe, civil society and Brazilian companies must adapt to the LGPD, as an urgent need in the growing globalized world of the digital economy.

Thus, companies should institute or review the way they collect, handle, store and process personal data. This adaptation is very valuable in every sense, from consolidating the reliability of these companies before consumers and clients, to the possibility of equal conditions for international competition. In this sense, data protection and compliance are basic assumptions of business activity in the 21st century.

The LGPD is in many respects close to the European GDPR, because to some extent it was inspired by it. However, despite representing a good start, we think that the new law left something to be desired in many respects, not regulating, or regulating insufficiently, matters such as: personal data in labor relations; in the spectrum of criminal investigations and administrative offences; video surveillance; right to be forgotten; biotechnology; profiling; subcontracting; technical aspects of safety, conduct and certification; cooperation and coherence; freedom of expression and information; public documents; processing carried out by religious entities, among others.

It is true that it will be up to the doctrine and jurisprudence to overcome any gaps and antinomies resulting from this situation. The very creation of the National Data Protection Authority linked to the direct administration, together with the Presidency of the Republic, highlights the sea of difficulties that will arise ahead. It was imperative to create a special autarchy with more institutional, functional and financial independence, for adapting our system to international standards.

We will very possibly see the conflicts of economic interests arising from the application of the LGPD knocking at the doors of the superior courts, as happened with the Marco Civil da Internet (the civil framework for the internet) and the issues surrounding WhatsApp, in which the limits of state intervention in the development and use of cryptography are discussed. The positive credit registry law is the clearest and most flagrant example of conflict with the LGPD, especially with regard to the subject of consent of the holder of personal data.

Issues such as those involving the activity of Cambridge Analytica in the Brexit process and in the US elections are beginning to be raised in Brazil, with accusations of the proliferation of fake news in the 2018 presidential elections. The American legal influence, which deals with the subject in the light of the right to property, contrasts with the European conception of framing the right to protection of personal data within the scope of human rights. The schizophrenia experienced in the country's legal world (civil law vs. common law) will greatly influence the future of the LGPD.

Brazil is going through a profound political, economic, social and institutional crisis rarely seen in our history. Authoritarianism by public agents, blatant disrespect for the constitutional order and human rights, hatred and intolerance, spring up night and day in the streets and especially in the digital world.

It is in this scenario that the LGPD is born. A good start, which could be better. A future to be built along tortuous lines, which will require a lot of work and overcoming from the legal world to implement the full protection of personal data in Brazil.

*Renato Afonso Gonçalves, a lawyer, is a doctoral candidate in Historical-Legal Sciences at the Faculty of Law of the University of Lisbon.

[I] See the paradigmatic judgments of the Court of Justice of the European Union: Digital Rights Ireland, 2014 (Cases C-293/12 and C-594/12); Google Spain SL and Google Inc, 2014 (Case C-131/12); and Maximillian Schrems, 2015 (Case C-362/2014). COURT OF JUSTICE OF THE EUROPEAN UNION. Available at:

[ii] By way of example, in Portugal, Law nº 58/2019, of August 08, 2019, was enacted, which ensures the implementation, in the national legal order, of Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and the free movement of such data. Available at:

[iii]Recital 2 of the GDPR.

[iv]Article 4, 1, GDPR.

[v]Article 4 of the GDPR.

[vi]Article 6 of the GDPR.

[vii]Article 8 of the GDPR requires the consent of parents or guardians for the handling of personal data of persons under 16 years of age. On the other hand, the regulation allows the laws of the member states to reduce this limit, which cannot be less than 13 years.

[viii]They can range from €10 million or 2% of the company's global annual turnover, to €20 million or 4% of the company's global annual sales.
