Internal Investigations and the New Brazilian General Data Protection Law
As a result of the widespread investigation and sanctioning of corruption practices over the past few years, companies doing business in Brazil have increasingly adopted rigorous compliance policies. Some aspects of Brazil’s recently approved General Data Protection Law (LGPD) are believed to hinder internal investigations that are typically part of such compliance initiatives. This article discusses why this belief is ill-founded.
Brazil enacted the LGPD in 2018, following the move initiated by the European Union to expand the protection of the personal rights of individuals that led to the EU General Data Protection Regulation (GDPR). Like the GDPR, the Brazilian law also has extraterritorial reach: entities with no physical footprint in the country will be subject to the new law even if they only collect personal data in Brazil or use it to offer goods or services in the country.
Although the Brazilian law will take full effect only in 2020, companies should start implementing their compliance projects soon. The relevant timeframe ranges from six months to two years, depending on the characteristics and the amount of data treated, the size of the company and how much has already been done.
Companies that are compliant with the European law are more likely to go through a smoother process when adopting the requirements of the LGPD. However, the Brazilian law presents certain peculiarities when compared to the European regulation and complying with the latter may not always result in being compliant with the new Brazilian legislation.
A broader picture of recent law enforcement in Brazil as regards compliance is warranted in order to understand how a misinterpretation has been leading to the mistaken belief that the LGPD will hinder internal investigations.
Due to the current rigorous application of the anti-corruption and other compliance laws, companies operating in Brazil have started to include strict policies aimed at complying with these laws among their priorities. Also, as discussed by Marcos Malvar in this issue of LS Brazil Outlook, Brazilian authorities have increasingly treated an effective compliance program as a mitigating factor when determining the sanctions to be imposed in cases involving anticorruption and antitrust law violations.
As a result, the practice of conducting internal audits has become widespread among private companies across a range of businesses, especially those that are government-dependent. When a company has any evidence of a violation of the national anticorruption or antitrust laws, it will often conduct an internal review audit in order to ascertain the facts and, if necessary, take suitable measures. These internal investigations typically involve the processing of personal data of employees or even third parties.
The misinterpretation of the LGPD relates precisely to such internal audits by private companies. Under a provision (article 4) which sets forth the situations under which the law (and the constraints it imposes on the treatment of personal data) shall not apply, activities of “investigation and repression of criminal offenses” are excluded from its scope; private companies shall not be involved in the treatment of personal data in connection with such activities unless they do so in the context of a procedure under the authority of a public legal entity, and as long as it does not relate to the entirety of the database at hand.
These provisions have led many commentators to conclude that the new act will impose insurmountable hurdles on the conduct of internal investigations by private companies. That is not the case: this provision does not relate to internal audits conducted by private companies, but rather to an investigation conducted by the state in which private companies are involved. In such circumstances, the private companies act under the guidance of public authorities.
This does not mean that investigations cannot otherwise be conducted by private companies. As a rule, the LGPD requires the consent of the individual as the basis for the processing of his/her personal data. However, there are other situations when the personal data may be processed. Two among them stand out: compliance with a legal or regulatory obligation by the controller; or when the data is necessary to fulfill the legitimate interests of the controller or of a third party. That is exactly the case when a company faces evidence of illegal conduct and proceeds with an internal audit, since it is strictly liable in accordance with the antitrust and anticorruption laws.
Hence, internal audits conducted by private companies are allowed under the LGPD whenever there is a legal obligation or a legitimate interest of the company. While processing the data, companies must comply with the other principles and restrictions set by the law. These include good faith, transparency, the need to limit the audit to the data necessary for the purpose at hand and to terminate the processing under the circumstances set forth in the law, as well as the need to adopt security, technical and administrative measures which ensure the adequate protection of personal data from unauthorized access. (The GDPR seems to have a more straightforward wording on this topic. It explicitly states that the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.)
The protection of the personal right to privacy is of paramount importance, but it is not treated as an absolute right in either the LGPD or the GDPR. Both laws provide a system of checks and balances, as a result of which exceptions to the application of the protective rules will prevail under certain circumstances.
On this issue | April 2019