Security incidents and the LGPD

Act no. 13709/2018, known as the Brazilian general data protection law, provides the regulation for the processing of personal data, including in digital media (art. 1). The law, among other things, determines security obligations for data processing agents, as well as regulating the chances of security incidents occurring and their consequences. The LGPD imposes security obligations on data processing agents and reporting to the ANPD and data subjects in the event of security incidents, although there are still uncertainties about how this process will take place. The intention here is, therefore, to draw some general lines about the idea of security in this law. 

Security obligations in the LGPD 

The LGPD appears as a result of years of debates about the need to put a brake on the use of data by companies and to grant greater autonomy to the data subjects through the legal affirmation of informative self-determination, that is, the power of choice on what can or cannot be done with their information. In addition, the law ends up increasing legal certainty for companies, since it is a specific law on the use and treatment of personal data. 

This legal diploma elevates security to a guiding principle for the processing of personal data, contained in art. 6, VII, according to which security constitutes “the use of technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination”. The LGPD, therefore, seeks to level the processing of personal data, adding protections to those already existing in the Brazilian legal system. Security measures, in addition to providing greater protection for data subjects, are based on the premise that the benefits of processing personal data must be accompanied by obligations for companies, for States and for people themselves, ensuring effective protection of privacy of the subjects. 

Thus, from the time the LGPD is in force, it becomes an obligation of companies that carry out the processing of personal data to adopt mitigating measures in this process. But the list of security measures is not limited to restricting access by unauthorized agents. There are other measures that can be taken by data processing agents who are able to comply with legal requirements. 

One of these measures is the anonymization of data. At this point, it is worth mentioning that the LGPD opted for the broader concept of personal data, that is, it encompasses both the information that identifies or can identify a natural person (art. 5, I). As for anonymised data, the law provides that “data relating to a subject that cannot be identified, considering the use of reasonable and available technical means at the time of its treatment” (art. 5, III). 

In addition, art. 12 of the LGPD except the anonymized data of law enforcement, considering that such data are not personal data for legal purposes, except when the technique used to anonymize can be reversed, with reasonable efforts to do so.Therefore, from a technical point of view, anonymization can be achieved through several different techniques. What the anonymization techniques have in common is the fact that they promote changes in the original data, making them, when anonymized, not look like the originals, but having similar semantics and syntax. 

Anonymization techniques are used for several purposes, especially for making open databases available for research purposes or public policy transparency. However, they have undergone reviews in the field of computer science, since studies are recurrently demonstrating that the anonymization process is fallible, that is, there is still no possible data anonymization technique that is 100% reliable, due to increasingly powerful machine learning and data mining algorithms. Therefore, the idea of pseudonymization was created. 

The Article 29 Data Protection Working Group of the European Union conceptualizes the pseudonymization process as the act of “replacing one attribute (typically a single attribute) in one record with another”, in a masking or disguise action. 

This distinction is placed in the LGPD itself. In art. 13, § 4, it is possible to verify the definition outlined above regarding pseudonymization, in addition to the fact that additional information must be kept separate by the controller in a controlled and safe environment. Thus, an extra layer of difficulty and, consequently, security, is imposed at the junction of the two databases. 

Another measure that can be taken is data encryption. Encryption is an important tool in building a secure system for handling personal data. It guarantees the confidentiality, integrity and authentication of messages exchanged between two or more people or between applications. Although not explicitly addressed in the text of LGPD, the GDPR, data protection regulation of the European Union, states in art. 32 the encryption of personal data as one of the “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. For this reason, and due to the properties ensured by cryptography, it is recommended to adopt this technique as a security measure in the processing of personal data. 

The LGPD also includes, among arts. 46 and 49, which deal with the security provisions that must be adopted by personal data processing agents, privacy by design provided for in art. 46, § 2º. It is the need to adopt, from the conception of the product or service to its execution, the security measures referred to in the caput of the device, which guarantee the privacy and protection of personal data from the early stages. 

Security Incident Reporting 

Recently, the ANPD opened a call of contributions on the topic of security incidents. The objective was to receive inputs from the community on the procedures for reporting security incidents, both for the ANPD and for data subjects, so that the Authority can draft regulations on this point of the law. 

As previously stated, the LGPD determines, in art. 48, that security incidents are reported to the Authority and to the subjects and, in paragraph 1 of the same article, determines the minimum requirements that must be present in the said communication. But the legal provision also refers to the possibility of the incident causing “relevant risk or damage” to the data subject, although there is no definition of what is meant by “relevant risk or damage”. 

At this point, it is important to note that the risk or damage must be assumed to be the risk of the operation, and here the provision in the Consumer Protection Code on the service provider’s strict civil liability must be considered.

In addition, the risk and damage assessment must take into account the extent of fundamental rights related to the protection of personal data. It must cover the possibility of immaterial damages, such as moral or psychological / emotional (discrimination, defamation, damage to reputation); material (loss or damage to property), or physical integrity (such as damage to health, physical harm to the risk of death). An expansionist reading with regard to the rights of data subjects would also assess the possibility that security incidents are capable of causing situations of public calamity (eg damage to the energy supply of a region) or risks to national security (eg names and addresses of agents infiltrated intelligence agencies). Any layers of damage to the subjects’ rights are also relevant to the ANPD’s immediate involvement in the issue. 

In relation to communications about security incidents, in addition to the information provided in art. 48, § 1, the controller must inform the nature of the leak, that is, if it is a breach of confidentiality (when the disclosure of confidential data is not authorized or was accidentally violated); breaches of integrity (when there is an unauthorized or accidental change of personal data) or if there are breaches of availability (when there is an accidental or malicious loss of access or destruction of personal data). Likewise, the reason for the leak should be informed, if it was, for example, due to fault or willful misconduct, due to bad faith of an internal staff or access by an unauthorized third party. This information will assist the ANPD in determining the best course of action in resolving the incident.

On the perspective of the data owners, direct and individual communication is necessary, whenever possible, as a general rule. Communication in media outlets should be treated as an exception or complement to individual communication, in cases where it is not possible to contact data subjects or when they are in large numbers. 

Additionally, one should adopt the notion that the public is not a specialist on the topic, who may not understand very technical messages, which is why communication should be done in clear and accessible language, avoiding technical terms whenever possible. It should also be guided by transparency, informing all the terms of the occurrence, how it happened and what was or will be done to mitigate the problem, in addition to the possible consequences that data subjects may face. Finally, we understand that there must be a form of contact between the data subject and the controller, in case any doubts remain to be resolved. 

In general, security incidents must be reported, both to the ANPD and to the data subjects, with the greatest possible transparency. In addition, the Authority must always value the protection of the rights of data subjects in their work, in order to safeguard the most vulnerable party and, thus, establish, as much as possible, a balanced relationship between the parties.

The views and opinions expressed in this blogpost are those of the author. 
Illustration by Freepik Stories.