The Central Bank and the National Monetary Council (CMN) approved the missing rules[1] in order to regulate the Clean Record Law (Law No. 12,414/11), the wording of which was amended by Supplementary Law No. 166/19. Despite the regulations, there are still doubts about the implications of these laws for the privacy and security of personal data of Brazilian citizens, a topic that requires special attention because of the General Data Protection Law (LGPD). The interface between the Clean Record Law and the LGPD, considering its convergent and divergent aspects, is analyzed in this article.
CONVERGENCES
Effective July 9 of this year, the new wording of the Clean Record Law changes the system for data inclusion for the formation of credit history of Brazilian consumers, which is now automated. This means that the data subject will no longer have to expressly consent to the inclusion. The data will be processed to generate consumers’ credit score based on their history, which will help to inform how much of a “good payer” they are.
The system of the express consent to authorize and legitimize the processing of personal data was taken by many as the golden rule, including for the purpose of the Positive Record, according to the original model of the standard. It so happens that, from a practical point of view, having prior consent as the sole legal basis for processing personal data may end up making important economic activities unfeasible.
For this reason, and as was done in the General Data Protection Regulation of the European Union (GDPR), the legislator softened the leading role of consent in the LGPD by listing, in article 7 of the law, other legal scenarios for the processing of personal data (legal bases), necessarily linking them to the observance of bases (article 2) and principles (article 6). In such cases, the processing of personal data without the consent of the respective owners does not necessarily imply breach of the LGPD.
One of these legal scenarios is protection of credit, established in article 7, X, of the LGPD. According to this article, the processing of personal data without the consent of the holder would be authorized by the LGPD in view of the purposes established in article 7 of the Clean Record Law: i) perform credit risk analysis of the registrant (holder of the personal data); and ii) support the granting or extension of credit and installment sales or other commercial and business transactions that entail risk to the consultant.
The Clean Record Law also provides for the possibility of deleting the information entered in the register upon request by the registrant. The registration system, therefore, ceases to be opt-in, by removing the need for consent, and becomes opt-out, allowing registrants to request their exclusion at any time, in line with the LGPD.
There are other aspects of the Clean Record Law that show the legislator's concern with the LGPD's principles of purpose, adequacy, necessity, and transparency, such as: i) the guarantee to the registrants that they may demand the correction or cancellation of the registration (article 5, I and III); ii) the possibility of access by registrants to their information in the database (article 5, II); iii) information to registrants on the criteria considered for the credit risk analysis (article 5, IV); and iv) the need for prior information to registrants regarding the identity of the manager responsible for the data and regarding the storage and the purpose of the processing of the personal data (article 5, V), which must be in accordance with fulfillment of the purpose for which the personal data were collected (article 5, VII).
DIVERGENCES
Although the legal basis of article 7, X, of the LGPD supports the format for collection of personal data proposed by the new Clean Record Law, there was no concern in this latest legal text with following the definitions of the LGPD, which, because they are general in nature in relation to the specific laws for protection of data, should be observed.
This is what happens, for example, with the term “sensitive personal data,” defined in article 5, II, of the LGPD, which has the same meaning as the expression “sensitive information,” article 3, paragraph 3, II, of the Clean Record Law:
| Sensitive personal data (LGPD) | Sensitive information (Positive Record) |
| --- | --- |
| personal data on racial or ethnic origin, religious beliefs, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data on health or sexual life, genetic or biometric data, when linked to an individual. | that pertaining to social and ethnic origin, health, genetic information, sexual orientation, and political, religious, and philosophical beliefs. |
Another mismatch occurs as to the legal basis for joint and several liability of the database, the source, and the consultant for damages caused to the registrant. Although the LGPD expressly establishes the possibility for controllers and operators to be jointly and severally liable for damages caused to data subjects, the new wording of the Clean Record Law does not refer to the LGPD, but only to the Consumer Defense Code.
In addition, the new Clean Record Law has some gaps in its text regarding how its obligations should be fulfilled, which may lead to confusion about responsibility for processing personal data.
The first of these concerns the absence of further details about the operation of the channel for cancelling the registration, which must mandatorily be provided by all managers. Nor is there sufficient information about the right of data owners to have easy access to information about the processing of their personal data. According to the LGPD, this processing includes all operations carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, discarding, assessment, or control of the information, modification, dissemination, transfer, diffusion, or extraction.
In this sense, although the Clean Record Law provides for the obligation to clarify which elements and criteria will be used to make the credit score, which is also a form of data processing, there is no obligation to provide transparent information about the life cycle of the owner's personal data.
And that is not all. The lack of designation of a single competent authority to oversee compliance with the Clean Record Law is another problem.
Although many of the legal relationships of registrants consist of consumer relationships, which attracts the oversight of the bodies of the Brazilian Consumer Protection System, the central body in this process should be the National Data Protection Authority (ANPD), responsible for ensuring the protection of personal data.
The figure of the ANPD was created by Presidential Decree No. 869/18, which was recently converted into Law No. 13,853/19. Among the new features included by the law in the text of the LGPD, it was established that the rules on the ANPD have been in force since December 28 last year, while the other provisions of the LGPD enter into force in August of 2020.
In this sense, the legislator was inattentive with respect to the provisions on the ANPD, as it could have used them in the drafting of the Clean Record Law, published in the Official Gazette on April 9 of this year.
Even if the new Clean Record Law enters into effect almost a year before the LGPD's entrance into force, the designation of the ANPD would undoubtedly demonstrate a more effective concern by the legislator regarding the protection of Brazilian consumer data in the process of formation of credit history. Even so, considering that it will be incumbent on the ANPD to supervise data processing operations and promulgate supplementary norms on the subject, it will probably be incumbent upon it to impose additional measures of care and transparency to clarify the legality or illegality of certain conduct under the new Clean Record Law.
CONCLUSIONS
Interestingly, among the laws dealing with personal data protection around the world, Brazil's is the only one to provide for protection of credit as one of its legal bases for the processing of data.
This provision has allowed the new Clean Record Law to be in line with the LGPD, as it is no longer necessary to obtain the consent of the data subject/registrant to use the data in accordance with the purposes of the law. In this respect, the two texts converge and talk to each other.
However, this conversation could be clearer. Even if the LGPD were not in force when the new Clean Record Law was enacted, it could have used concepts from the LGPD without any prejudice.
After all, the adjective “general” contained in the LGPD should not be overlooked: this law is the normative basis for the Brazilian personal data protection microsystem, which can lead to debates regarding the legal regime applicable to the Clean Record where the two laws conflict or are not perfectly harmonized.
[1] Resolution No. 4,737 and Circular No. 3,955 regulate the operation of the system for registration with the Central Bank and the formation of the registration form.