International companies more prepared than local companies for Brazilian data protection law, Alves says

International companies are much more prepared for Brazil's new data protection law than Brazilian firms because they have already to comply with similar legislation in other countries, said Fabrício da Mota Alves, a senate representative appointed to the Brazilian national council of data protection.

But, he said, overseas businesses also have the challenge of checking compliance of their Brazilian suppliers — a difficult task required by the law.

Alves told MLex in an interview that overseas companies’ experience and maturity regarding data protection and privacy issues make it easier for them to comply with Brazil’s new law. Local companies, however, unfortunately can’t say the same as they never had to worry about data protection before and their attention is inevitably turned to the effects of the health crisis on their businesses at the moment, he said.

“International companies, which are already largely subject to foreign data protection regulations, are at a much higher level of maturity [than national firms] because they already have experience. There's no comparison,” Alves said.

He also said a delay to implement the National Authority for Data Protection, or ANPD, in the country makes it even worse for local businesses, which must deal with the legal uncertainty of making significant investments to comply with a law that hasn’t yet been interpreted by the authority that will enforce it.

“For instance, our law provides that every company needs a DPO [data protection officer] and that certain companies can be spared from complying with this rule, depending on determinations from ANPD,” Alves said.

“What if companies with low revenues are spared from complying with this provision in the law but they have already hired their DPOs because they are afraid? It is a subject of absurd complexity," he said. He said Brazil can't continue to go without the ANPD.

Alves said that companies’ current interpretation of the law is based mostly on foreign authorities’ orientations, which puts them at risk of having to “redo all the work” in the future.

“Companies spend millions of reais to make adjustments without any guarantee that they are doing what is right,” he said, adding that they could be doing much more than necessary, especially if they are following the European General Data Protection Regulation, which is “a much more complex model.”

“A very useful argument from the radio and TV communications sector is that there is a risk of following the European model that is much more complex, broader and more mature than the Brazilian one and wasting unnecessary resources,” Alves said.

Companies also face the risk of taking actions now only to have them be deemed insufficient in the future, he said.

As things stand, the General Law for Data Protection, or LGPD, will come into force on May 3, 2021 because of a provisional measure from Brazilian President Jair Bolsonaro delaying the law's implementation, which was originally set for Aug. 16, 2020. The provisional measure, however, must be voted on by Congress within 120 days of when it was published in the country's Official Journal to become permanent. That deadline will expire on Aug. 28.

Separately, the assessment of data-privacy fines has been delayed to Aug. 1, 2021, meaning the law could come into force months before companies can actually be sanctioned for violating it.

— International companies’ challenges —

Though overseas businesses are at a more advanced stage than national companies regarding the data protection law, they face the challenge of ensuring that their suppliers are also up to date with the law.

“They [international companies] are complaining that they aren’t finding suppliers in the national market that comply with the law,” Alves said. “It gets to a point where they have to make a choice: they close their eyes to their suppliers’ noncompliance issues, or they stop operating in the country because they won’t be able to hire services from anyone.”

Under the new data protection law, companies are responsible for checking the compliance of all their business partners, including suppliers.