Choosing consent as a standard legal ground for processing personal data can be misleading
As from August 2020, every company processing data in the Brazilian territory or offering goods or services to individuals in Brazil, must comply with the recently enacted General Data Protection Law (LGPD).
Unlike the European Union, where a regulation on data privacy – Directive 95/94/EC – was in force even before the General Data Protection Regulation (GDPR) took effect, in Brazil data processing activity was based on general principles and regulation applicable to specific industries. Part of that experience will serve as a parameter for the implementation of the new law. However, the Brazilian LGPD has important peculiarities, which will require an additional effort from lawyers and judges.
Choosing consent as a standard legal ground for processing personal data can be misleading. Companies willing to comply with the GDPR elected consent as the best possible legal ground for processing data. The result was promptly noticed by the data subjects right before the GDPR entered into force: their mailboxes were flooded with consent requests.
Brazilian companies tend to follow the same path, but what may seem at first the most reliable option can result in unintended consequences and risks.
Consent is only one of the legal grounds for processing personal data, according to the LGPD (as well as in the case of the GDPR). Other legal grounds include the compliance with a legal or regulatory obligation by the controller; the execution of a contract; the regular exercise of rights in judicial and administrative or arbitration proceedings; the protection of health, among others.
Also, nothing in the law allows for the conclusion that consent should be regarded as a stronger “legal ground” than others.
On the contrary. Differently from other legal grounds, consent can be revoked at any time by the data subject. In that case, the processing activity must cease immediately (although this subject’s right may be made relative when there is a public interest involved).
For those reasons, consent should not be regarded as the standard legal ground for processing data by the data controller (the one who decides regarding the processing of personal data) since it can leave the controller in a vulnerable position.
Consent also has other limitations. The first one is that it must refer to specific purposes – and the LGPD prescribes that general authorizations are not valid. Moreover, general rules must be met when processing data based on subject’s consent. Two of them are the principle of suitability (requiring compatibility of the data processing with the purposes informed to the subject) and the principle of necessity (limiting the data processing to the minimum necessary to achieve its purposes).
When the data processing does not fit in any specific legal ground at hand the controller has to resort to the basis of “legitimate interest” instead, which is subjective to a certain degree.
Legitimate interest works as a safety valve to the law. Research conducted within the scope of the GDPR shows that this basis stands out as the most invoked legal ground by controllers for processing data in Europe, and that may occur in Brazil as well.
In summary, experience shows that, as a rule, processing personal data based on legal grounds other than consent has the advantage of limiting the subject’s right to oppose to the processing; this right will exist in those instances when the controller has violated the law.
That said, a proper interpretation of the new law requires the analysis of a concrete case and the whole legal framework, including other rules that may apply jointly with the LGPD.