Implications of a personal data breach under the LGPD, and how such incidents may be handled differently from before the law.

Personal information belonging to over 220 million individuals has been exposed, as reported by various media outlets. A security firm found evidence that a large volume of personal data, including names, CPF numbers, addresses, income levels, credit scores and even facial photographs, was circulating online. The data was found on the open internet, not only on the deep web, where one might expect to find it.

What are the consequences of a personal data breach under the General Personal Data Protection Act (Law 13,709/2018 – LGPD), which came into effect in September 2020, now that the largest personal data leak in Brazilian history has occurred? How will the application of the new law affect legal proceedings? What rights do individuals have over their personal data under the LGPD?

We discuss below the legal consequences of personal data leaks and the rules the LGPD sets for data processing.

Identifying the agent

Personal databases do not appear online spontaneously. They are not random; they are structured collections built for specific purposes, typically economic ones in the private sector and public-interest ones in government databases. Unauthorized access to the personal data held in such databases is the most common form of data breach.

Determining the source of a leak can be difficult, especially for the affected individual, who usually lacks the technical and financial resources for such an investigation.

LGPD Article 55-J assigns the National Data Protection Authority (ANPD) the duty to supervise and penalize data processing that violates the law, and to conduct audits to verify compliance with data protection rules.

Identifying the processing agent responsible for the breach is essential for holding it accountable, whether before the authorities or before the data subjects.

The ANPD, established in August 2020, still has a limited structure for fulfilling its mission and lacks the resources to carry out its work effectively; administrative sanctions, moreover, have been postponed until August 2021.

The personal data leak as a violation of the LGPD

A personal data leak is a clear violation of the LGPD. It is important to identify which specific provisions were violated, since this bears on the penalties the responsible party may face, as discussed in the next section.

Article 6 of the LGPD sets out eleven legal principles for the processing of personal data, among them the principles of Security, Prevention and Accountability, which are directed at preventing unauthorized access by third parties. These principles require secure processing and the adoption of measures in the event of an incident, and the controller must be able to demonstrate that the protective measures adopted are effective.

Under the LGPD, a leak that goes unreported implies a breach of these three principles. This may seem a minor point, but principles carry great weight in legal matters.

Fortunately, the LGPD frames its security requirements for data processing in open-ended terms, so that its provisions remain relevant over time as technology and the techniques used to protect and to compromise databases evolve.

Processing agents must adopt security measures to protect personal data from unauthorized access and from any other form of improper processing, under LGPD Article 46. The level of security expected must correspond to the expectations of the data subject and to the risks involved in the specific legal relationship, under LGPD Article 44.

If the agent becomes aware of a security incident, it must notify the ANPD and the data subjects, depending on the seriousness of the incident (Article 48). However, the form and timing of that notification have yet to be regulated by the authority, so there are still no specific guidelines for the communication the article requires.

A personal data leak can therefore be treated as a violation of Articles 44 and 46 of the LGPD, since the failure to adopt security measures led to unauthorized access to personal data. It may also violate Article 48 if the incident is not reported once the regulation on reporting is in place.

Assessment of the seriousness of the incident

Not all data breaches carry the same weight in terms of their potential impact on individuals and on society as a whole. A leak of the addresses of public figures or politically exposed persons, for instance, poses greater physical security risks than a leak of the addresses of ordinary individuals.

The incident must be assessed in order to set the parameters for imposing penalties and mitigating its effects, as provided in Article 48(2). After that assessment, the ANPD may order measures such as wide disclosure of the incident in the media and steps to reverse or lessen its consequences.

If a serious incident warrants severe sanctions, it is essential to know what those penalties are and how they will be enforced. This is why the judgment of an incident's gravity must be aligned with the appropriate level of sanction.

The criteria for grading administrative penalties are to be defined by the ANPD after public consultation, as provided in Article 53. Assessing the seriousness of an incident will only be straightforward once those criteria are in place.

Implementation of penalties for administrative violations

The party responsible for the leak is subject to administrative penalties under the LGPD, with fines of up to 50 million reais per infraction. Sanctions will weigh mitigating and aggravating factors relating to the actions or omissions of the party involved, with a view to preventing future incidents. Negligence, recklessness or incompetence will lead to heavier penalties, which serve both to punish and to educate the responsible party.

The enforcement of administrative penalties has been postponed until August 1, 2021. This means the ANPD's ability to supervise and regulate the processing of personal data is weakened while it cannot penalize those responsible.

The law still holds value in the meantime, since its rules on data processing give individuals and authorities a technical reference in legal matters, particularly in individual and collective actions. Such actions may be brought under other statutes, such as the Consumer Protection Code, the Internet Civil Framework or the Public Civil Action Act, and do not depend directly on the LGPD.

In the administrative sphere, sanctions for non-compliance with the LGPD are not expected before August 2021. For now, therefore, the LGPD has limited practical impact, but it should become more influential once its sanctions can be enforced.

Is the reported leak a trial by fire for the LGPD?

Some argue that the leak discussed in this article is a trial by fire for the LGPD and its personal data protection framework. Given the circumstances outlined above, however, we hesitate to endorse this view fully. The implementation of the new law is still under way, and obstacles stand between it and its intended data protection outcomes. The measures the ANPD can take are not without merit, but the constraints on its technical capacity and human resources must be acknowledged.

According to the ANPD's strategic plan, its staff of civil servants will be expanded only in the medium term, probably because of budget constraints and the need for public hiring competitions. This shows there is still a long way to go in building an effective personal data protection ecosystem.

We should not wait for ideal conditions to assess the effectiveness of the LGPD. Scarce resources and high demand are the norm, especially in the public sector. Even so, the current transition period should be seen as a special situation; once it is over, nothing should prevent the LGPD from achieving its intended effect.

Conclusion

Security breaches, especially those exposing personal information, harm individuals, who become exposed to fraud and privacy violations; businesses, which lose a significant asset; and society as a whole, which depends on social harmony and peace as conditions for safeguarding rights such as privacy, free enterprise and innovation.

The LGPD is a crucial legal tool that not only grants rights to individuals but also aims, through regulation, to establish a culture of privacy in society. The effective organization of its central body, the ANPD, will be decisive, particularly in dealing with data breaches.

We are moving from an unregulated to a regulated environment. Challenges are not being resolved as quickly as society would like, but in the medium term the LGPD should become more effective in handling data breaches. That is not yet the case, because the ANPD lacks adequate resources and administrative sanctions can only be enforced from August 2021.

The LGPD and the ANPD remain important in addressing the recent personal data leaks during this transitional period. The LGPD has brought clarity and guidance to data protection, defining the responsibilities of processing agents and the rights of individuals. The ANPD can help assess the severity of data breaches and assign accountability for them, but it will take time for the full impact of the LGPD to be felt in our legal system and in society.

Notes

Deep web: the part of the internet not indexed by common search engines, often used for hidden or unlawful activities.

We take the leak mentioned above as our starting point, but our reflections apply to any form of leak.

Other bodies of the public administration may also be involved in determining responsibility, but we focus here on the changes brought by the LGPD.

Source: https://www.gov.br/anpd/pt-br/documents-e-images/planning-strategic/planning-strategic-2021-2023.pdf, accessed February 4, 2021.

Ricardo Alexandre de Oliveira