Home of internet privacy

Big changes to data protection laws in the EU and Brazil

If you’re one of the 656 million people who live in the EU or Brazil, then a series of recent developments might impact the way companies like Facebook and Google handle your data.

The first, a ruling by the Court of Justice of the European Union, which is Europe’s top court, directly impacts the flow of data between the EU and the U.S., previously covered under an agreement called Privacy Shield.

[Interested in more data privacy news? Sign up for the ExpressVPN blog newsletter.]

The court was responding to a complaint by Austrian national Maximillian Schrems, who argued that his personal data is transferred by Facebook Ireland to servers operated by Facebook in the U.S.

That, he said, was in violation of the EU’s General Data Protection Regulation (GDPR), which maintains that transfer of EU data to a non-EU country may only take place if the country in question is able to maintain an adequate level of data protection.

Maximilian Schrems is well known in European activist circles for being the chief reason behind the enactment of the GDPR itself. He started a movement called “Europe vs. Facebook” after first being alerted to the amount of data collected by tech companies.

The ruling by the Court of Justice says U.S. national security and law enforcement takes precedence over the privacy rights of European citizens and that the EU-U.S. Privacy Shield fails to establish significant safeguards to prevent such transgressions.

In the ruling, the reasons for striking down Privacy Shield included widespread digital surveillance in the U.S. following the 2013 Snowden revelations, the data capture powers in Section 702 of the Foreign Intelligence Surveillance Act, as well as U.S. Executive Order 12333, which compels federal agencies to cooperate with the CIA when it comes to information sharing.

The ruling maintained that these laws and practices in the U.S. were in direct violation of European fundamental rights such as the citizen’s right to privacy included in the GDPR, the European Convention on Human Rights, and the EU Charter.

The immediate implications of the decision are not wholly clear. Over 5,300 companies make use of Privacy Shield to transfer data on EU citizens to data centers in the U.S., and it will take time to retool these flows.

However, it can be reasonably expected that some data processing will start to pivot back to the EU, and affected data centers in the U.S. will invariably be shuttered. It also means that U.S. federal bodies won’t have full access to the data through any of the laws or executive orders mentioned above.

Brazil enacts its version of the GDPR

Brazil’s Lei Geral de Proteção de Dados (LGPD) is widely regarded as the country’s version of the EU’s GDPR. It comes into effect in August 2020, after the law was promulgated in August 2018, giving companies two years to prepare for the changes.

The LGPD aims to bring clarity to the Brazilian legal framework, unifying nearly 40 different pieces of legislation that pertain to the use of personal data.

Once the LGPD comes into effect, Brazilian citizens will have nine fundamental rights that include:

  1. The right to access all data held on them
  2. The right to update information and fix inaccuracies
  3. The right to confirm the existence of their data
  4. The right to anonymize or delete excessive data
  5. The right to port data to another service
  6. The right to delete personal data
  7. The right to information about all the entities that store their data
  8. The right to revoke consent to data sharing
  9. The right to information about the consequences of denying consent

Similar to the GDPR, the LGPD also applies to all companies that process data of Brazilian residents, whether the company is incorporated in Brazil or not. Fines for non-compliance are less severe, however, with a maximum fine of 2% of the organization’s revenue in Brazil, up to approximately 11 million EUR. Under GDPR, the maximum fine is either 20 million EUR or 4% of global revenue, whichever is higher.

The legal stipulations of the LGPD mean that people must be informed if and when their data is collected and what exactly it will be used for. Individuals retain the right to request access about their data from organizations and that the data must be provided in a readable format.

Companies must also delete the data after it is no longer needed for its original purpose. They’re also legally obligated to de-anonymize the data so that it can’t be filtered by individual characteristics like racial or ethnic origin, religious beliefs, political opinion, health, sex life or genetic factors.