Tag: Brazil

(Update) Processing of COVID-19 immunization data of employees in non-EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is currently infected with COVID-19, is health data. Most data protection regimes treat this type of data as particularly sensitive and permit its processing only under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR) (EU), Art. 9 (1) UK GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil) and para. 1798.140 (b) California Consumer Privacy Act of 2018 (CCPA) (California) all treat health-related information as sensitive personal data. However, the question of whether an employer may process COVID-19-related data is answered differently from country to country, even within the same data protection regime such as the GDPR.

Below, we discuss whether employers in a number of countries outside the European Economic Area (EEA) are permitted to process COVID-19-related data about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. The employer is responsible for the health and safety of its employees in the workplace and may therefore take reasonable measures to ensure it. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. As the LGPD classifies this information as sensitive personal data, special care must be taken when processing it.

Hong Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable measures to ensure the safety and health of all their employees in the workplace. Vaccination may be considered as part of a COVID-19 risk assessment as a possible additional measure to mitigate the risk of infection in the workplace. Any vaccination requirement must be lawful and reasonable. Following such a risk assessment, an employer may conclude that a vaccinated workforce is necessary and appropriate to mitigate the risk. In that case, the employer must comply with the Personal Data (Privacy) Ordinance (PDPO). Among other things, the PDPO requires that the collection of data be necessary for the purpose for which it is collected and that the data not be kept longer than is necessary for that purpose. Under the PDPO, before collecting the data the employer must inform the employee whether providing it is mandatory or voluntary and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

Russia: Employers must verify which employees have been vaccinated and record this information if the vaccination is required by law. If a vaccination is not required by law, the employer may ask for this information, but employees have the right not to provide it. If information on vaccinations is provided voluntarily, the employer may keep it in the employee’s file, provided that the employee consents in writing to the processing of the personal data. An employer may impose mandatory vaccination if an employee performs an activity involving a high risk of infection (e.g. employees in educational institutions, organizations working with infected patients, laboratories working with live cultures of pathogens of infectious diseases or with human blood and body fluids, etc.) and the corresponding vaccination is listed in the national calendar of preventive vaccinations for epidemic indications. These cases are listed in the Decree of the Government of the Russian Federation dated July 15, 1999 No 825.

UK: An employer may inquire about an employee’s vaccination status or test employees if doing so is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that processing this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. The employer must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy governing the collection of such data and its retention is also required, and the information may be retained only as long as it is needed. There must also be no risk of unlawful discrimination; for example, the reason for refusing vaccination could be linked to a characteristic protected under the Equality Act 2010.

In England, mandatory vaccination is in place for staff in care homes, and from April 2022, this will also apply to staff with patient contact in the National Health Service (NHS). Other parts of the UK have not yet introduced such rules.

USA: The Equal Employment Opportunity Commission (EEOC) has published guidance indicating that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should check whether any state laws or regulations alter the requirements for such a policy. If an employer asks an unvaccinated employee why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore fall under the standard for disability-related inquiries. Because immunization records are personally identifiable information about an employee, they must be recorded, handled and stored as confidential medical information. If an employer administers the vaccine to its employees itself or contracts with a third party to do so, it must demonstrate that the pre-vaccination screening questions are “job-related and consistent with business necessity.”

On November 5th, 2021, the U.S. Occupational Safety and Health Administration (OSHA) released an emergency temporary standard (ETS) requiring affected employers to take affirmative action on COVID-19 safety, either by adopting a policy requiring full COVID-19 vaccination of employees or by giving employees the choice between being vaccinated and undergoing regular COVID-19 testing and wearing face coverings. On November 12th, 2021, the U.S. Court of Appeals for the Fifth Circuit stayed enforcement of the ETS pending a decision on a permanent injunction. While the stay is in place, OSHA cannot take any steps to implement or enforce the ETS.

In the US, a number of different state and federal workplace safety, employment and privacy laws impose diverging requirements on the processing of COVID-19 related information.

Data protection soon to become constitutional right in Brazil

24. September 2021

Last month, Brazil’s Chamber of Deputies approved the Federal Senate’s proposal to amend the Constitution so that the protection of personal data, including in digital media, becomes a fundamental right for all citizens. Under the proposal, the Federal Government would have exclusive competence to legislate on and supervise matters in this area.

The country already has a General Personal Data Protection Law (LGPD) and a National Data Protection Authority (ANPD) as supervisory body. Deputy Orlando Silva pointed out that the proposal consolidates the rules on the protection of personal data and justified the need to make data protection a constitutional right as follows:

All of us here systematically use internet applications, and the management of these applications is based on the provision of personal data, which is often manipulated without each of us knowing the risks to our privacy.

Deputy Isnaldo Bulhões added:

Without a doubt the proposal is a step forward, because we have seen major scandals, major violations, and fraud that have advanced a lot in recent times with technological development in Brazil and in the world.

A peculiarity of the amendment adopted by the plenary is the deletion of the provision that would have made the ANPD an independent body forming part of the indirect federal public administration and subject to a special autonomous regime. It was argued that the autonomy of the ANPD is not in question, but that no other agency has ever been granted such a status at the constitutional level.

Because of the deputies’ adjustments, the proposal must return to the Federal Senate for final approval.

Giant database leak exposes data on 220 million Brazilians

28. January 2021

On January 19th, 2021, dfndr lab, the cybersecurity laboratory of PSafe, reported a leak of a Brazilian database that may have exposed the CPF numbers (individual taxpayer registry identification) and other confidential information of millions of people.

According to the researchers, who use artificial intelligence techniques to identify malicious links and fake news, the leaked data they found contains detailed information on 104 million vehicles and about 40 million companies. Overall, the leak puts close to 220 million Brazilians at risk.

The personal data contained in the affected database includes names, dates of birth and individual taxpayer registry identification, together with vehicle information such as license plate numbers, municipality, colour, make, model, year of manufacture, engine capacity and even the type of fuel used. The breach affects almost all Brazilian citizens as well as public authorities.

In a press release, the director of dfndr lab, Emilio Simoni, explained that the biggest risk following this leak is that the data will be used in phishing scams, in which a person is induced to provide further personal information on a fake page. Name, date of birth and CPF together are enough to make such a page look convincing, so any contact that quotes these details should not be taken as proof of legitimacy.

In its statement, PSafe discloses neither the name of the company involved nor how the information was leaked, whether through a security breach, a hacker intrusion or simply unprotected access. Regardless of the cause, the new Brazilian General Data Protection Law (LGPD) provides for fines of up to R$ 50 million per infraction of this type, although, as reported below, the ANPD may not impose these sanctions before 1 August 2021.

Personal data of 16 million Brazilian COVID-19 patients exposed online

7. December 2020

In November 2020, personal and sensitive health data of about 16 million Brazilian COVID-19 patients was exposed via the online platform GitHub. The cause was a hospital employee who uploaded a spreadsheet containing usernames, passwords and access keys to sensitive government systems to the platform. Those affected included the Brazilian President Jair Bolsonaro and his family, as well as seven ministers and 17 state governors.

Among the exposed systems were two government databases used to store information on COVID-19 patients. The first, “E-SUS-VE”, was used to record COVID-19 patients with mild symptoms, while the second, “Sivep-Gripe”, was used to keep track of hospitalized cases across the country.

Both systems contained highly sensitive personal information such as patient names, addresses, telephone numbers and individual taxpayer ID numbers, as well as healthcare records such as medical history and medication regimes.

The leak was discovered after a GitHub user spotted the spreadsheet containing the credentials on the personal GitHub account of an employee of the Albert Einstein Hospital in São Paulo. The user informed the Brazilian newspaper Estadão, which analysed the information shared on the platform before notifying the hospital and the Brazilian health ministry.

The spreadsheet was ultimately removed from GitHub, and government officials changed passwords and revoked access keys to secure their systems after the leak. Rotating the credentials rather than merely deleting the file is the correct response: once a secret has been publicly accessible, copies and forks may exist, so it has to be treated as compromised regardless of whether the original upload is still online.

Estadão reporters confirmed that the leaked data included personal data of Brazilians across all 27 states.

Brazil Update: Senate approves President-appointed ANPD Board of Directors

11. November 2020

Since 18 September 2020, the main provisions of the Brazilian Data Protection Law (“LGPD”) have been in effect. At the same time, Brazilian businesses have been facing legal uncertainty because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional (we reported). The ANPD is meant to provide businesses with vital guidance, inter alia by assessing the level of data protection in foreign countries for the purposes of international data transfers, Art. 34 LGPD.

On 15 October 2020, the President of Brazil appointed the five members of the ANPD Board of Directors. Following the formal confirmation process for presidential appointees in Brazil (“Sabatina”), the Infrastructure and Services Commission of Brazil’s Senate approved the appointees on 19 October 2020.

Finally, on 20 October 2020, the Senate’s plenary approved the five appointees. This marks another major step towards the ANPD becoming fully operational. The terms of the Board of Directors are staggered:

  • Serving a six-year term: Waldemar Ortunho, current president of Telebras, a state-owned telecommunications company
  • Serving a five-year term: Arthur Pereira Sabbat, currently the Director of the Institutional Security Office (GSI) for the Government’s cybersecurity
  • Serving a four-year term: Joacil Basilio Rael, currently advisor at Telebras
  • Serving a three-year term: Nairane Farias Rabelo, currently Partner at a law firm specialized in Tax Law and Data Protection Law
  • Serving a two-year term: Miriam Wimmer, currently a Director of Telecommunications Services at the Brazilian Ministry of Science, Technology, Innovation and Communications

However, Annex II to Presidential Decree 10.474 establishing the ANPD lists many further positions that are still vacant and must be filled before the authority can be fully functional. Until then, Brazilian businesses will have to wait for guidance from the ANPD.

Brazil Update: Rapid Developments regarding Brazil’s LGPD come with legal Uncertainty

28. August 2020

Earlier this year, in April, the President of Brazil issued Provisional Measure #959/2020, which dealt with emergency measures in the face of the ongoing coronavirus crisis. The Provisional Measure (“PM”) not only set rules for the federal banks’ payment of benefits to workers affected by reductions in salary and working hours and by the temporary suspension of employment due to the pandemic, but also postponed the effective date of Brazil’s first Data Protection Law (“LGPD”) from 14 August 2020 to 3 May 2021 (we reported).

In Brazil, PMs serve as temporary law and are valid for a maximum of 120 days, within which both chambers of the National Congress must approve the PM for it to become permanent law.

As the 120-day period was coming to an end, the House of Representatives approved the PM on 25 August 2020, but added an amendment delaying the effective date only to 31 December 2020. One day later, on 26 August 2020, the Senate approved the PM, but with yet another amendment that removed any delay of the LGPD’s effective date at all. Instead, the Senate’s amendment provides that violations of the LGPD shall not be sanctioned by the Data Protection Authority until 1 August 2021. Thus, neither the House of Representatives’ postponement to 31 December 2020 nor the President’s initial postponement to 3 May 2021 was approved. This development came as a great surprise, because in April Brazil’s Senate itself had introduced Law Bill “PL 1179/2020”, which aimed at postponing the effective date of the LGPD to 1 January 2021.

In any event, the LGPD will become effective very soon. Given the rapid developments, legal commentators in Brazil are still uncertain as to exactly when the law takes effect. They report that it will become effective either when the President signs it into law or retroactively as of 14 August 2020. In any case, many Brazilian businesses are reportedly not ready for the LGPD while also facing a very difficult economic environment, as Brazil is suffering from the consequences of the pandemic.

Moreover, Brazilian businesses are also facing legal uncertainty because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional. Only on 26 August 2020 did Brazil’s President sign Decree 10.474 establishing the ANPD. The new Data Protection Law, however, assigns the ANPD many vital responsibilities that it has not been able to fulfil because it did not yet exist. These responsibilities include

  • Recognising good practices and best-in-class examples of accountable privacy programs,
  • Establishing rules, procedures and guidance for organisations as required by the LGPD,
  • Clarifying LGPD provisions,
  • Providing technical standards to organisations, and
  • Enabling international transfers of personal data.

Although the recent developments and the current state of the national Data Protection Authority suggest a rocky road ahead for Brazil’s privacy landscape, the fundamental milestones of making the LGPD effective and establishing the ANPD have now been passed. At the same time, Brazilian businesses can draw hope from the fact that they have until 1 August 2021 to become compliant before sanctions can be imposed.

Enforcement of Brazil’s new Data Protection Law postponed due to COVID-19

8. May 2020

The coronavirus is affecting South America, like the rest of the world, and it is spreading rapidly in the continent’s largest country: Brazil. Brazil’s Government and legislators are trying to handle both the public health crisis and the economic crisis facing the country. Both branches have now adopted emergency measures to alleviate the effects of the virus, and these even affect the enforcement of the country’s new national Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”).

The National Congress of Brazil passed the LGPD only in August 2018. It was originally scheduled to come into effect on 15 August 2020 (we reported). As the effects of the coronavirus began to hit Brazilian businesses, many companies called for a postponement of the LGPD’s effective date because of the difficult economic environment and because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional.

On 3 April 2020, the Senate of Brazil unanimously approved Law Bill “PL 1179/2020”, which includes a provision delaying the effective date of the LGPD until 1 January 2021. Furthermore, the Bill provides that non-compliance with the LGPD shall not be sanctioned by the Data Protection Authority until 1 August 2021.

The second chamber of Brazil’s National Congress, the House of Representatives, debated “PL 1179/2020” throughout April 2020 and considered the implications of postponing the LGPD for the privacy rights of individuals, especially with many emergency measures under way that increasingly restricted those rights. A vote on “PL 1179/2020” by the House of Representatives was still pending at the end of the month.

On 29 April 2020, the President of Brazil took matters into his own hands when he issued Provisional Measure #959/2020. The measure postponed the effective date of the LGPD to 3 May 2021, without segmenting the postponement into two stages like the Senate’s Law Bill “PL 1179/2020” stipulated.

Provisional Measures issued by the President of Brazil serve as temporary law and are valid for 60 days, which the President may extend once by another 60 days. During this period, both chambers of the National Congress must approve the Provisional Measure for it to become permanent law. If Congress rejects it, the measure is invalidated.

LGPD – Brazil’s upcoming Data Protection Law

28. November 2019

In August 2018, the National Congress of Brazil passed a new General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”). The law is slated to come into effect in August 2020. Prior to the LGPD, data protection in Brazil was enforced primarily through a patchwork of legal frameworks, including the country’s Civil Rights Framework for the Internet (Internet Act) and its Consumer Protection Code.

The new legislation creates a completely new general framework for the processing of personal data of individuals in Brazil, regardless of where the data processor is located. Brazil has also established its own Data Protection Authority to enforce the law. Although the Data Protection Authority will initially be tied to the Presidency of the Federative Republic of Brazil, the DPA is intended to become autonomous in the longer term, in about two years.

Like the GDPR, the new framework has extraterritorial reach, which means that the law applies to any individual or organization, private or public, that collects or processes personal data in Brazil, regardless of where the processor is based. The LGPD does not apply to data processing for strictly private, academic, artistic or journalistic purposes.

Although the LGPD is largely influenced by the GDPR, the two frameworks also differ in a number of respects. For instance, the two laws word their definitions of personal data differently, although the LGPD’s definition is also broad and covers any information relating to an identified or identifiable natural person. Furthermore, the LGPD does not permit cross-border transfers based on the controller’s legitimate interest. Under the GDPR, the deadline for notifying a data breach is 72 hours; under the LGPD, the deadline is only loosely defined as a “reasonable time period” to be specified by the national authority, to name just a few differences.


Brazil changes new Data Protection Law and creates a Data Protection Authority

15. January 2019

On August 14, 2018, Brazil’s former president Michel Temer signed the new General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law substantially expands the country’s data protection framework, the final text did not provide for the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Provisional Measure, Medida Provisória no. 869/18), which made important changes to the LGPD, including the creation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Although the ANPD is meant to handle and evaluate data protection and privacy issues independently, the authority remains part of the federal government and is linked to the office of the President of Brazil.

According to Executive Order no. 869/18, the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative sphere, exclusively interpret the LGPD, including in cases where the law remains silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members: five chosen by the President to form the Board of Directors, and 23 representatives of the public, private and third sectors forming an advisory board.

The order also makes other important changes to the LGPD. For example:

  • The LGPD will come into force in August 2020, six months later than originally scheduled. Until then, the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be a natural person. The tasks may be performed by an internal committee or department, or outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.