Brazil Adopts Comprehensive Data Protection Law

Katie Hyman, Partner

Brazil’s Lei Geral de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18, 2020. The LGPD, Federal Law no. 13,709/2018, was published on August 15, 2018, is heavily influenced by the EU GDPR, and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.

The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.

The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.

Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.

An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.

If you want more information about this article feel free to contact Katie Hyman or me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.

Swiss-US Privacy Shield

In July, we reported that the EU Court had invalidated the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!). A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing an “adequate level of data protection.”

Unlike the EU Court’s decision, the decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law. It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses to ensure they are consistent with Swiss data protection law.

Even when the company policies and contract provisions are properly constructed, there still remains the risk that even these protections may be considered inadequate.  For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law.  Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law this too creates a problem.  While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.

While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.

At Rimon Law, our professionals are available to answer questions about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.

EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!

Today (July 16, 2020), the EU Court of Justice (the EU’s highest court) struck down the validity of the Privacy Shield – a mechanism that well over 5,000 U.S. companies have been using and relying upon in order to legally justify the transfer of personal data across the Atlantic into the US. This same court had previously invalidated the “Safe Harbor” protocol, concluding the Safe Harbor failed to adequately protect privacy rights of EU citizens, since it accorded law enforcement in the United States priority over the rights of EU citizens – permitting law enforcement virtually unrestricted access to the data.

This new case began when Max Schrems, an Austrian privacy advocate, complained to Irish data protection regulators that Facebook’s reliance on standard contract clauses to permit data being transferred from the European Union to the United States did not provide adequate protection. Schrems argued that it didn’t prevent intelligence officials and other third parties in the United States from getting at the information. The Commissioner at the Irish Data Protection Authority took the complaint to Ireland’s high court and they referred certain questions regarding the validity of standard contractual clauses to the EU Court of Justice. Although Schrems’ complaint never raised the Privacy Shield issue, it was raised in oral argument before the court, opening the door for the court to include it in their opinion and decision.

While the European Court invalidated the Privacy Shield, it didn’t buy Schrems’ argument that standard contractual clauses should be deemed invalid as a matter of EU law or regulation. They basically said that standard contract clauses could be among the “effective mechanisms” if they required both sides involved in the transfer to ensure information is accorded the equivalent level of protection as required under EU law. They went on to note that the parties should not use those clauses if they can’t comply with that requirement.

As a result, while neutering the Privacy Shield, they did uphold the validity of the use of standard contractual clauses to legally move personal information outside the European Union, if these clauses were effective in providing the same level of privacy protection as the EU requires.

The case is Between the Data Protection Commissioner and Facebook Ireland Ltd. and Maximillian Schrems (Case Number C-311/18) and as always, if you have any questions or need more information about this posting, feel free to contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

Cinco de Mayo

Today is May 5th – Cinco de Mayo!
Many people mistakenly believe Cinco de Mayo is Mexican Independence Day, but Día de la Independencia in Mexico is commemorated on September 16th.
In fact, Cinco de Mayo commemorates the Battle of Puebla de Los Angeles which took place on May 5, 1862, in which defending Mexican forces, led by General Ignacio Zaragoza, defeated the invading French army of Napoleon III. Puebla de Los Angeles was subsequently renamed for General Zaragoza who died of typhoid fever months after his victory.
Cinco de Mayo is a relatively minor holiday in Mexico, but is celebrated with much more fanfare in the United States and has evolved into a commemoration of Mexican culture and heritage, particularly in areas with large Mexican-American populations.

Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

For those of you interested and available, on Thursday, April 23rd at 1 PM ET, Joe Rosenbaum, NY Partner at Rimon Law and chair of Rimon’s Global Alliance will be conducting a one hour seminar entitled Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation touching on some of the current issues in marketing, privacy, public relations, cybersecurity & reputation management arising from the COVID-19 pandemic.

While the issues raised may well apply in many crisis situations, now, more than ever, as increased numbers of people are working, schooling and playing at home or at other remote locations, the value of online and mobile advertising and promotions has increased substantially. At the same time, the amounts of information being made available by people scrambling for information, trying to keep up with breaking news, and signing up for online, digital services and information, present legal challenges for compliance with both old and newly enacted privacy and data protection regulation. Not coincidentally, online and mobile scammers are seeking to capitalize on the growing number of inexperienced web surfing consumers and cyber criminals are using the opportunity to capture valuable personally identifiable information as a result of lax or relaxed security measures. The inaccurate perception that strong security may be an obstacle to utility or speed and simply the increased number of inexperienced users accessing the Internet, provide fertile ground for exploitation. What should you know? What can you do? What should you be telling your clients and employees? What can we all do to help?

To register simply go to REGISTER: Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

The course is open to lawyers and non-lawyers, is approved for New York bar members who are eligible for 1 CLE credit per course through NY’s Approved Jurisdiction Policy and approved by the California State Bar for 1 hour of CLE credit.  Most other states recognize CA accredited courses and if you would like credit in any other state, please check your local state bar’s regulations.

COVID-19: May the Force (Majeure) Be With You

The strain of the coronavirus pandemic is not only a threat to our health and safety, but it is also creating economic hardship for people, businesses and entire industries.

As the ability to perform obligations under existing contracts is being strained, whether for supplies, paying rent or making payroll, parties to agreements are doing more than exercising self-help or looking to the government for assistance. They are also calling their lawyers to find out if anything in their contracts will allow them to legally extricate themselves from the obligations that may have seemed routine only a few months ago.

One of the primary areas of contractual inquiry has focused on the force majeure or excusable delay clause that is ‘boilerplate’ in many agreements. Force majeure literally translated from the French means ‘superior force’ and refers to situations in which some external intervening event has impaired a party’s ability to perform its obligations under the contract and allows that party’s performance to be excused.

For some insight on how effective, applicable and even understandable these so-called ‘standard clauses’ are, you can take a look at my Insight Note: Managing Contract Risks & Remedies in a Time of Coronavirus.

You might also check out a similar Insight Note from my partner and colleague, Juan Zuniga entitled:  Memo on Force Majeure and COVID-19 which goes into great detail as to how the law in California might be interpreted in light of the current health crisis.

In fact, you can find all of the recent Insights from Rimon Law professionals on our Insights & Analysis page and once again a reminder that Rimon lawyers and legal professionals are always available to help.

 

During this time of year our thoughts turn gratefully to our relationships and to all those who have helped enrich our lives personally and helped make our business progress and professional growth possible.  To all my family and friends, loved ones, colleagues, connections and contacts, the holidays and new year seem like perfect times for me to say ‘thank you’ and express appreciation to each of you.

There are so many things we can be thankful for and among them I count your friendship and support, as well as your contributions to my growth as a person and professional – in short, our relationship, whether near or far, close or casual, constant or sporadic.

In the year ahead, I look forward to being better at staying in touch with many of you whose time and schedules have not intersected with mine as often as I might like;  to facing challenges together and in the process, learning and growing; to listen more to those who mean well, to ignore those who don’t and to try and have the wisdom to know the difference.

Most of all to appreciate the countless blessings around us every day that we far too often take for granted. Thank you!

I wish each of you a new year filled with health, happiness and prosperity.

Best wishes,

Joe Rosenbaum