Even before the Brazilian data protection law enforcement provisions come into force on 1 August 2021, the Brazilian Justice Minister, by way of the consumer protection authority Senacon, has issued significant fines to five large banks (Itaú, Safra, Cetelem, BMG and Pan) with a presence in Brazil for the misuse of consumer personal data. Senacon fined these banks for breaches of the Consumer Protection Act and the “Internet Bill of Rights”, Marco Civil da Internet, totalling Brazilian R$ 29.9m (GBP4m).

A third party acting on behalf of the banks contacted vulnerable elderly individuals to offer them loans without giving any information about how their personal data was being used or recorded. According to the information currently available to the general public, the third party (which seems to have been the same for all banks) used the details in the records of pensioners. Senacon found that there was no legal basis justifying the sharing of the pensioners’ records with the third party. These fines underline the fact that the Brazilian authorities are taking data protection seriously and are creating precedents for breaches of consumer trust in relation to data protection. For context, if these fines were to be issued after 1 August 2021 (when the enforcement provisions of the Brazilian Data Protection Act come into force), this behaviour could be considered a breach of Article 39 (the obligation for controllers to monitor the activities of their processors) and Article 9 (transparency), punishable with fines of up to 2% of annual profits.

Data protection is more than a mere tick-box exercise, and businesses should consider carefully how fairly they are treating their customers when using their personal data. It is important to consider both the black letter law obligations and the specific characteristics of the individuals themselves. Are they vulnerable? Do they require additional care? In many jurisdictions, there is a general obligation for large organisations to explain complex terms and conditions to vulnerable consumers – this would likely cover privacy-related provisions.

Monitoring third parties

These fines are also a reminder of how important it is to continuously monitor what third parties do on a company’s behalf. In many jurisdictions, companies may be liable for most of their third parties’ infractions, not just in relation to data protection but also anti-bribery, consumer protection and many other related operations. Accordingly, a solid and holistic programme of continuously checking which third parties are engaged with the business and what they are doing on its behalf is critical for a strong, standing accountability framework.

The appointment of Data Protection Officers (DPOs), mandatory for all organisations processing personal data of Brazilian residents, is a company’s biggest ally in avoiding situations like these. DPOs enable the development and maintenance of a solid and holistic compliance and accountability programme, and external DPO service providers like HewardMills offer expert, multilingual and multidisciplinary teams to support businesses in a range of jurisdictions.

Authored by: Monica Almeida & James Abbott-Thompson