By Dr. Paulo Perrotti and Dr. Davis Alves
As is widely known, Brazil's Law No. 13,709/2018, the General Data Protection Law (LGPD), came into force on September 18, 2020. It has legal and practical effects for both legal entities and individuals with respect to the governance, collection, processing, storage and sharing of the personal data of third parties in Brazil, whether Brazilian or foreign.
The law has broad scope, prompting companies in every branch of activity to structure a plan for safeguarding the processing of the personal data of their clients, employees, suppliers and service providers, in order to avoid infractions that result in financial and reputational damage.
Privacy was already formally protected by our Federal Constitution, the Civil Code and the Consumer Protection Code, which guarantee the inviolability of the privacy, private life, honor and image of individuals and establish the right to compensation for material or moral damage suffered as a result of a violation. The LGPD goes further: it not only protects personal data but scrutinizes the specifics of its processing in order to preserve the privacy of clients, employees and citizens in general, as well as their power of choice.
In parallel, the province of Québec, Canada, recently modernized its personal data protection legislation through Law 25 (An Act to modernize legislative provisions as regards the protection of personal information). It introduces numerous changes and technical requirements that come into effect in phases: the privacy officer and confidentiality-incident obligations on September 22, 2022, most of the remaining provisions on September 22, 2023, and the right to data portability on September 22, 2024. Its guidelines and principles closely resemble those already established in our LGPD.
Under Québec's Law 25, organizations carrying on activities in Québec must appoint a person in charge of the protection of personal information, the privacy officer, to oversee and manage the processing of personal information; the role is equivalent to the Data Protection Officer in Brazil. By default, Law 25 assigns this function to the person exercising the highest authority within the organization, typically its chief executive officer, unless it is delegated in writing to a dedicated privacy officer.
Law 25 further requires the privacy officer, as the person in charge of personal information is termed in the province, to establish and implement governance policies and practices regarding personal information that ensure its protection. These policies and practices must, in particular, provide a formal and auditable framework for the keeping and destruction of the information, define the roles and responsibilities of personnel throughout the information's life cycle, and provide a process for dealing with complaints regarding the protection of the information. They must be proportionate to the nature and scope of the company's activities and be approved by the person in charge of the protection of personal information, who is the privacy officer or, in his or her absence, the company's chief executive. Detailed information on these policies and practices, in particular on their required content, must be published in clear and simple language on the company's website or, if the company does not have a website, made available by any other appropriate means.
Just as, under the LGPD, the controller, with the Data Protection Officer as its channel of communication, must notify the National Data Protection Authority (ANPD) and the data subjects of a security incident that may cause relevant risk or damage to them, in Québec the person in charge of the protection of personal information must notify the Commission d'accès à l'information and the persons concerned of any confidentiality incident that presents a risk of serious injury, including privacy breaches and unauthorized access, use or disclosure of personal information. The organization must also keep a register of all confidentiality incidents, which must be retained for at least five years.
Thus, the privacy officer in Québec has numerous duties, including approving privacy policies and practices, participating in privacy impact assessments, and assessing, managing and mitigating the harm caused by a confidentiality incident. Above all, the privacy officer is the first person everyone turns to when a data protection or privacy breach occurs.
In this context, Law 25 brings yet another innovation: a privacy impact assessment must be conducted for any project to acquire, develop or overhaul an information system or electronic service delivery system that involves the collection, use, communication, keeping or destruction of personal information. The person in charge of protecting the company's personal information must be involved from the outset of the project. This officer must also ensure that the project allows computerized personal information collected from a person to be communicated to that person in a structured, commonly used technological format. Under Law 25 the assessment must be proportionate to the sensitivity of the information, the purposes for which it will be used, its quantity and distribution, and the medium on which it is stored.
Under Québec's Law 25, the person in charge of protecting personal information may, at any stage of the project, suggest personal information protection measures applicable to it, such as (1) the appointment of a person responsible for implementing those measures; (2) measures to protect personal information in any project-related documents; (3) a description of the participants' responsibilities with regard to personal information protection; or (4) training activities for project participants on personal information protection.
Under Québec's Law 25, any organization that collects, processes, stores or shares personal information through technological means must publish a confidentiality policy, written in clear and simple language, on its website, and must follow the same procedure whenever the policy changes.
Finally, like the LGPD in Brazil, Québec's Law 25 does not impose specific technical qualifications for the activities carried out by the privacy officer. This does not mean, however, that the professional may be ignorant, passive, negligent, unskilled or unaware of best practices in data governance. Quite the opposite.
In this regard, under the LGPD it is possible to attribute direct responsibility to the controller, and to its senior executive, for the conduct of the Data Protection Officer when that role is filled by someone unprepared or lacking the technical and regulatory knowledge required to perform it.
From a legal point of view, one may infer that the LGPD indirectly establishes the controller's, and its chief executive's, liability for culpa in eligendo (fault in selection) and culpa in vigilando (fault in supervision) with respect to any infractions committed by the Data Protection Officer in the field of personal data security and protection, if he or she was appointed without the preparation or minimum training needed to perform those duties.
Similarly, in Québec, organizations will have to be more selective and judicious when nominating, appointing or delegating personal data protection tasks to the professional who will hold the position of privacy officer, at the risk of being held responsible for the negligence, recklessness or incompetence of that person, who by default is their chief executive.
For this reason, it is of the utmost importance that some minimum legal guidance exists to preserve the technical standing of both the privacy officer in Québec and the Data Protection Officer in Brazil once these roles are regulated in their respective jurisdictions.
As a basis for a bibliometric and comparative analysis, the National Association of Data Privacy Professionals (ANPPD), the largest body of LGPD specialists in Brazil, published Technical Opinion No. 2/2022/ANPPD on the "Regulation of the Personal Data Protection Officer (DPO)", proposing contributions to the complementary rules on the definition and duties of the DPO (Art. 41, §3 – LGPD, 2018). Its recommendations can serve as a state-of-the-art benchmark for the province of Québec, as follows:
- The DPO shall provide guidance to the controller’s employees and contractors on privacy practices. Reference: Art. 41, § 2, III – LGPD (BRAZIL, 2018)
- The DPO is the individual responsible for ensuring the compliance of an organization with LGPD, public or private. Reference: Item 67 – ANPD – Guide for Data Processing Agents (BRAZIL, 2021).
- The DPO shall ensure that the privacy policies as described in Art. 50, §2, I, d, make explicit the activity described in Art. 41, §2, III of the LGPD. Reference: LGPD. (BRAZIL, 2018)
- The DPO shall provide guidance for the proper implementation of the principles of the LGPD as described in Art. 6 of the LGPD, as well as best practices and during the planning of systems used for the processing of personal data. Reference: Art. 49, LGPD. (BRAZIL, 2018)
- The DPO can guide employees and contractors in compliance with the recommendations already defined in the Guide for Data Processing Agents published by the ANPD. Reference: ANPD. (BRAZIL, 2021)
- The DPO must hold a hierarchical position that allows him/her to give impartial and independent guidance to achieve compliance with the legislation. Reference: Item 71 – ANPD – Guide for Data Processing Agents (BRAZIL, 2021).
- It is considered important and a preventive good practice for the DPO to demonstrate knowledge of data protection and information security at a level that meets the organization’s operational needs. Reference: Item 72 – ANPD – Guide for Data Processing Agents (BRAZIL, 2021).
- The DPO should stay up to date on the LGPD and other applicable regulations, as well as best practices in data protection, in order to give more assertive professional guidance. Reference: Article 29 Working Party (WP29) Guidelines on Data Protection Officers, p. 17 – GDPR (EUROPE, 2016b)
- As a complementary norm, the DPO can demonstrate through professional courses and certifications their technical capacity for data protection guidance as defined. Reference: Lachoud (2020) CNIL (FRANCE, 2020)
- The DPO must have his/her guidelines formalized and disseminated to the organizational areas that perform personal data processing activities. Reference: Art. 41, §1 – LGPD (BRAZIL, 2018)
- The DPO must be the sole point of contact of the controller or operator with the National Data Protection Authority, duly appointed by the institution he/she represents. Reference: Art. 5, VIII – LGPD. (BRAZIL, 2018)
- The DPO must verify that his/her activities foreseen in Art. 41, §2 are included in the internal policies. Reference: Art. 50, §2, I, a – LGPD. (BRAZIL, 2018)
- The DPO shall verify whether the guidelines on data protection practices have been adopted by the organization, or whether their non-adoption has been adequately justified. Reference: Privacy Act 2020 (NEW ZEALAND, 2020)
- The DPO shall verify and formalize guidance to the controller and operator regarding data protection practices in order to promote the accountability of the organization to the ANPD and to the data subjects. Reference: Art. 6, X – LGPD (BRAZIL, 2018)
- In compliance with Art. 5, VIII, the DPO may cooperate with the ANPD or other competent bodies by providing requested documentation in the event of an investigation. Reference: Chapter 5, Part B – POPIA (SOUTH AFRICA, 2013)
- The DPO shall provide guidance to employees on data protection practices through educational actions and training that encompass all stages of personal data processing. Reference: Art. 31 – PIPA (SOUTH KOREA, 2011)
- The DPO must perform other duties determined by the controller or established in complementary norms (Art. 41, §2, IV) that do not conflict with the duties outlined in LGPD. References: Sections 41 and 42 – PDPA (THAILAND, 2019).
- The DPO must supervise the application of data protection practices directed toward the employees and contractors of the organization. Reference: Art. 40 (URUGUAY, 2008)
- The DPO should be involved in activities that process personal data, providing a technical opinion on the processing risks. Reference: Arts. 37–39 – GDPR (EUROPE, 2016a)
- The DPO shall provide advice, when requested, on the data protection impact report and coordinate its completion in accordance with Art. 38 of the LGPD. Reference: Art. 39(1)(c) – GDPR (EUROPE, 2016a)
- The DPO must be bound by secrecy or confidentiality in the exercise of his/her duties regarding the guidelines on data protection practices described in Art. 41, §2, III of the LGPD. Reference: Art. 38(5) – GDPR (EUROPE, 2016a)
In sum, neither Québec nor Brazil has yet established a formal qualification for the DPO. The qualifications already set forth in the international scenario, however, can serve as a guideline for the updates in Québec.
All these technical observations matter because appointing an unprepared professional to the role of Data Protection Officer or privacy officer imputes direct responsibility to the organization's principal officer and, at the very least, indicates clear negligence, recklessness or incompetence in meeting legal requirements.
Furthermore, it must be stressed that the functions of Data Protection Officer and privacy officer are not exempt from other types of liability, including civil and criminal liability, arising from negligence, recklessness or malpractice in the exercise of their duties, from direct intent, when the officer deliberately commits the violation, or from conditional intent (dolus eventualis), when he/she assumes the risk of causing it.
In this context, the role of the DPO and of the privacy officer is one of means, not of result. In other words, the expected outcome of their service may not be achieved, although it must always be pursued. Their obligation is therefore an obligation of means: a commitment to act with zeal, professionalism, impartiality and diligence, applying the best technique and expertise in pursuit of a specific goal, without guaranteeing that the result is actually achieved.
Accordingly, the DPO and the privacy officer must apply their knowledge, training and expertise to ensure the availability, preservation, integrity and security of personal and corporate data, especially in the digital environment. It is impossible, however, to predict or guarantee that all their efforts will be sufficient to prevent the company from suffering a data breach. It must be emphasized that corporate personal data governance rests on three pillars: people, processes and technology.
Authors:
Paulo Perrotti: Lawyer and CEO of LGPD Solution, Honorary Member of the National Association of Data Protection Professionals (ANPPD), President of the Chamber of Commerce Brazil-Canada from 2017 to 2021, ISO 27001 Lead Auditor (international certification in Information Security), Professor of Cyber Security in the Postgraduate Program of the Faculty of Engineering of Sorocaba (FACENS), Professor of Offensive Cybersecurity with Certification (CEH) by ACADI-TI, with a specialization in Canadian and Québec Law from Université du Québec à Montréal – UQAM, MBA from Fundação Getúlio Vargas of São Paulo, specialization in IT Law (LLM) from IBMEC / SP, Financial Market from Instituto Finance, Social Responsibility from ESPM / SP, Certified Secure Computer User (CSCU) by EC-Council and member of the Special Commission on International Relations and the Data Privacy Commission of OAB / SP; graduated in law from Pontifícia Universidade Católica de São Paulo – PUC / SP. Recognized as one of the "Most Innovative Heads" of 2022 by AAA Innovation (https://aaainovacao.com.br/). Enrolled in the São Paulo section of the OAB, he worked for 5 years as a lawyer at Pinheiro Neto Advogados, was legal consultant to an Information Technology company controlled by Bank of America and worked in Mergers and Acquisitions both in his own company and for third parties. He also served as executive director of the Marketing Development Institute – IDM, was a member of the Board of the Software Technology Institute – ITS and Secretary of the Information Technology Committee of the Chamber of Commerce Brazil-Canada. He is a member of the Group of Excellence in Strategy and Management Planning of the Regional Council of Administration – CRA, São Paulo Section, and an Arbitrator of the International Mediation and Arbitration Chamber, affiliated with the Faculty of Law of the University of Coimbra / Portugal.
Awarded the Commendation of Legal Values by the Brazilian Academy of Art, Culture and History, as well as the title of Noble Knight of São Paulo granted by the Civil Defense of the City of São Paulo. He holds specialization degrees in Business Intelligence from the Dominican College of San Raphael and in Negotiation Techniques from Berkley University. He is a consultant to several Third Sector entities, notably ALTIS (High Technology Center for Software Innovation) in Salvador / BA; ITS – Institute of Software Technology – SP; Sucesu / SP – Society of Users of Informatics and Telecommunications of São Paulo; the Brazilian Academy of Art, Culture and History; and the José de Paiva Netto Foundation, among others. Professor of Computer Law at Anglo Latino College. Author of the book "Family Businesses – Legal Aspects and Strategies for Good Management" (Editora Thomson-IOB, 2007) and, with Dr. Nivio Terra, of the bilingual English/Portuguese "Real Estate Law Manual – How to Avoid Risks in Property Acquisition in Brazil". Author of "Forms of Association and Tax System in Brazil" (in English, own edition) and "Mergers and Acquisitions Manual" (own edition). Responsible for the ESG (Environment, Social and Governance) theme of the Blockchain Research Institute (BRI) in Brazil and regular columnist on ESG for the portals Procurement Digital (https://procurementdigital.com.br/) and SolutionHub (https://solutionhub.com.br/). Organizer and author of the book "ESG – Legal Reflections for Your Understanding", produced by the International Relations Commission of OAB / SP and published by Arraes. Fluent in English and French.
Dr. Davis Alves: Ph.D. in IT Administration from Florida Christian University (USA), recognized in Brazil; Master in Administration with a focus on Green IT (2015); Extension in IT Management from FGV / SP (2011); Postgraduate in Project Management (2009); Graduate in Computer Networks and Internet (2008). He lived in the United States and New Zealand for his studies. He holds certifications including PMP® | ITIL® Expert, ITIL® Professional (4 MP), COBIT®, ISO-20000®, ISO-27002®, EXIN® Agile Scrum Master, Lean IT, Green IT, ICS MCSA® Windows Server 2003, Cloud Computing, EXIN® Data Protection Officer (DPO), EXIN ISO-27001 Professional (ISMP), Cyber Security, Psychoanalyst, Ethical Hacker (Human Hacking through Physiognomy), DAC® Wireless, DCP® Switching and DSS® IP Surveillance. He is an IT Sustainability Management consultant, with Green IT products and consultancies for municipal public entities in Brazil, as well as a Privacy Data Consultant (LGPD).
🥇In 2019 he became President of ANPPD®. He is a pioneering DPO in Brazil in the field of Information Security and Ethical Hacking, having trained more than 5,500 DPOs in the country.
🏅In 2020 he was awarded the title of Honorary Member of the Digital Law Academy, joining the select group of its Superior Council, which brings together the most respected federal jurists, judges and leading figures in Digital Law.
🏅In 2022 he became Technology & Information Security Columnist at Grupo Jovem Pan, joining Brazil's biggest influencers.
🏅Member and Coordinator of the National Data Protection Council (CNPD), appointed by the President of the Republic of Brazil 🇧🇷
🏅In 2023 he founded PrivacyCafé® (https://privacycafe.com.br), an Advanced Debates Club that brings together selected professionals already active in the field to deepen the themes of Privacy, Technology, Cybersecurity and Psychoanalysis. He worked as managing partner at Millennium Hardware, responsible for the technical coordination of IT infrastructure projects, and as a professor of Service Management, Information Security and Computer Networks at Universidade Paulista – UNIP, Universidade Municipal de São Caetano do Sul – USCS, Universidade Federal de São Carlos – UFSCar and DARYUS / Faculdade Impacta. Academically he is a member of the POMS International Scientific Congress in the United States. In Brazil, he is part of the Structural Developer Center of UNIP's degree course in Technology in Computer Networks, responsible for the course's compliance with MEC requirements. He is also an accredited instructor with EXIN / PeopleCert, focusing on ITIL®, GDPR, ISO-27001 and Green IT, as well as a researcher and speaker at several international scientific events on Green IT and GDPR in Spain, the Netherlands and the United States, where his studies have been published.