
Continuing the analysis of the future (but not distant) impacts of the current wording of article 19 of the LGPD, which unfortunately pays little attention to the rights of data subjects although it appears to do precisely the opposite, the focus now is on the reality experienced in 2021 by organizations in the USA, Europe and even Brazil, and the challenges they have been facing in responding to DSARs.

Even though the lights have been almost completely focused lately on recurrent and ever-increasing data leaks, the reality with regard to requests for the rights of data subjects has shown an even more worrying side.

In September 2020, amid the well-deserved celebrations for the entry into force of the General Data Protection Act (LGPD), I warned of a true “Trojan horse” hidden in art. 19 of the law, which, more precisely, requires companies and public bodies to guarantee data subjects the rights to information and access to their data immediately or within 15 days, depending on the level of detail requested.

Almost six months after that article and the entry into force of the law, the subject is taken up again with the aim of reaffirming the alert, now supported by data obtained in almost half a year of the law being in effect.

Not without surprise, companies from outside Brazil that operate in our market are quite apprehensive about the impracticality of meeting the requests of data subjects in a meager 15 days. So let’s look at some examples:

Adriana Antunes Winkler, Data Protection and Governance Manager at Reyes Holdings LLC (the 8th largest company in the US), who deals daily with data protection legislation ranging from the European GDPR to the Californian CCPA, passing through laws in Asia, the Middle East and Africa, is concerned about how, in fact, to meet our deadlines. If a company of this size sees this as a problem, what about the vast majority of Brazilian companies, the same majority that does not even know about the existence of the law?

Add to that another relevant aspect of these requests: where they come from. It is natural to think first of external customers; however, in the same study by Sapio referred to in the September 2020 article, the volume of requests made by employees against their own companies is almost equivalent to that from their customers.

A DPO working at a large European company reported a 5-fold increase, between 2019 and 2020, in the volume of requests of this nature from employees (and former employees) there. Crossing the Atlantic and looking at home, another professional from a multinational technology services company reports the same phenomenon, but this time with her employees in Brazil.

Organizations face a “dilemma”: they need employees to be highly aware of the LGPD in order to mitigate the risk of non-compliance with the law, yet they fear that empowering these same employees will be reflected in an increase in DSARs (Data Subject Access Requests) against the company itself. Given this, it is clear that the least that can be done is an urgent review of the deadlines in our law.

The new legislation already faces many natural challenges, being still unknown to most people in both existence and content. Added to these are “manufactured” ones, such as the myth of consent as the only way to legitimize the processing of personal data, or the interpretation of basic and simple concepts, such as that of processing agents (controller/operator), based on the Russian concept of ostranenie (explaining the unknown by the known; in this case, mistakenly taking a concept that is new to our system for an existing one, that of the hierarchical relationship). In the midst of all this, an urgent legislative reform is necessary.

 Thinking about the viability of the object of art. 19, at least an extension of that period, perhaps mirroring the European law, to 30 days with the possibility of extension for another 60, would be the right decision.

It is now up to our legislators, instead of worrying about the start date of sanctions as we have seen recently, to pay attention to something more relevant and fundamental in any law: not only that its beneficiaries have their rights, but that those who are obliged to provide them are actually able to do so.

Marcilio Braz is a professor, data protection professional, lawyer, IT project manager and founder of Privacy Academy.

Originally published on Jota, 03/16/2021:

https://www.jota.info/opiniao-e-analise/artigos/o-calcanhar-de-aquiles-da-lgpd-16032021