The General Data Protection Law (LGPD) established 10 (ten) principles that must be observed in the activities of processing personal data:
4. Free access
5. Data quality
10. Accountability and account rendering
Although it is unclear why the legislator emphasizes good faith in the caput of the article of the law that provides for the principles, instead of adding it to the ones listed above, the list of principles greatly assists the interpretation of controversial issues that could render different conclusions.
However, a relevant aspect apparently ignored by the legislator is the matter of proportionality.
According to the principle of legality, inscribed in the Federal Constitution of 1988, as one of the fundamental rights and guarantees, “no one shall be compelled to do or refrain from doing something except by reason of law“. Thus, it is a contumacious and commonplace practice in Brazil to publish laws drafted by legislators which oblige all individuals and legal entities to uniformly comply with them.
As a matter of fact, Article 3 of the Law of Introduction to the Rules of Brazilian Law recommends that "no one refuses to comply with the law, claiming that they do not know it“. It is important to point out that the term “law” mentioned here contextualizes the broad meaning of the rule, that is, it includes constitutional rules, legal rules and infra-legal rules. On the date of writing this article, if we take, as an example, only the federal ordinary laws, there are already a total of 14,187, the last one having been published on July 15, 2021, which provides for the authorization for industrial structures intended to the manufacturing of vaccines for veterinary use to be used in the production of active pharmaceutical ingredients (IFA) and vaccines against covid-19 in Brazil. Thus, from the humblest of individuals to the best structured legal entity, all will have to comply with and respect every rule created to run the Brazilian State, at federal, state, municipal, or district level.
The rationale above was constructed to support the importance of discussing the proportionality’s relevance, with respect to the applicability of the LGPD. Legal entities with sufficient resources to pay specialists to implement LGPD compliance programs know that a reasonable investment must be made to be able to meet all the requirements that the law imposes.
Using the European General Data Protection Regulation (GDPR) as an example, we went all out at once. A layman who intends to read the law and tries to implement it, without legal knowledge, will have great difficulty in doing so, due to its complexity of interpretations and its application to an specific case.
Rightly, the legislator excluded from the scope of the law the processing of personal data carried out for exclusively private and non-economic purposes. However, it did so only for individuals, not exempting non-profit organizations, for example. In this way, NGOs, OSCIPs (Civil Society Organizations of Public Interest), associations, foundations and civil societies literally had to “get by” to adapt the processing of personal data by their staff in accordance with the LGPD…if they actually managed to do so. Additionally, individual micro-entrepreneurs, sole proprietorships, micro-enterprises, and small businesses, considering their concept of engaging in a profitable activity, also had to adapt the processing of personal data by their personnel in accordance with the LGPD.
LGPD’s penalties will come into effect on August 1, 2021. The vulnerability situation of legal entities described in the previous paragraph regarding compliance with the LGPD is indeed worrisome.
Thus, it is imperative to discuss the proportionality of the degree of demand regarding the compliance that will be required of individuals and legal entities; currently, without any gradation, with respect to compliance with all requirements imposed by the LGPD.