At last, we can celebrate. The General Data Protection Act (Lei Geral de Proteção de Dados – LGPD, Law Nº 13.709/18), which will regulate the processing of personal data, finally came into the world last year, on September 18th. However, by establishing how we can all exercise our rights, it brings in its wording a challenge that oscillates between the impracticable and the reckless.
It is impracticable in determining that the entity responsible for processing must respond immediately to the data subject’s request. Any European who is living through the real ordeal of answering such requests under the GDPR (General Data Protection Regulation), even with a simple “yes/no” about the existence of data in their databases, would be astonished to read our law.
It is reckless because, continuing with what the LGPD provides, in principle with no chance of reprieve, there is a period of 15 days to respond “by means of a clear and complete declaration, indicating the origin of the data, the inexistence of registration, the criteria used and the purpose of the treatment”.
And therein lies another great risk and problem. Taken in isolation, it may not seem so.
Although the LGPD is new for us Brazilians, there is an equivalent law in Europe, the GDPR, in force since May 2018. For context, in May 2020 Sapio Research found that in the UK only 52% of data subjects’ requests are met within the initial 30 days. There, unlike under Brazilian law, the deadline is 30 days, extendable for another 60 days.
Applying a simple “rule of three” for comparison, a miserably optimistic estimate would be 26% of requests met within the LGPD deadline. The remaining 74%? A concrete risk of lawsuits on the way. The costs of potential actions should be considered neither negligible nor unlikely.
Not to mention that the major source of this type of request is “outside”, that is, customers, but employees’ requests are just behind in terms of volume.
In addition, the average cost of a data subject access request (DSAR), still according to Sapio’s study, is US$ 6,330, something around R$ 33,000. Add to this, in the future, the cost of the sanctions, which are suspended for the time being because the law as it stands today provides that they can only be applied in August 2021.
However, as can be seen, the eventual sanctions become “a mere detail”, and slicing the LGPD so that all the articles are effective from now except those that establish sanctions can lead to the false feeling that “more time has been obtained”. This is far from the truth.
Maybe we have a “perfect storm” appearing on the horizon. In the midst of the well-deserved celebration, we need to discuss these points; otherwise there will be effects on the credibility of the law itself and a burden not yet foreseen by the vast majority of the business community in Brazil, which does not even know about the existence of the LGPD.
The legal security desired with the LGPD for the public and private sectors is indispensable for Brazil’s alignment with the rest of the world. At the same time, the effective guarantee of the rights of all of us, citizens and data subjects, needs to be urgently established. But this balance requires consideration of all the practical aspects involved, technical and administrative included.
If it persists as it is, a single LGPD article could severely hurt the law’s structure. A construction of years would be compromised.
It is therefore urgent that this true “Trojan Horse” be dismantled as soon as possible; otherwise, at the end of the day, we will see Trojans attacking themselves.
Author: Marcilio Braz Jr – Lawyer, IT Project Manager and Privacy Academy founder