After a long journey,[1] Law No. 13,709/18, the General Personal Data Protection Law or simply the LGPD, as it is popularly known, entered into force in the Brazilian legal system.[2] Its approval represents a paradigmatic change in the logic of personal data protection in Brazil, with the main purpose of giving broad protection to the informational self-determination of individuals, covering the security and predictability of the treatment given to their data.[3]
The data processing agents,[4] from both the public and private spheres, then mobilized to comply with the new legal provisions, especially while the penalties for non-compliance remain under the regime of vacatio legis.[5] In this context, compliance professionals, more precisely those responsible for conducting so-called "internal corporate investigations", fear that their professional scope of action will be somewhat "hindered" by the enforcement of the rights and principles of the LGPD itself, namely the rights of access to, explanation of, rectification of, and deletion of the data collected, as well as the principles of transparency, security, and accountability.
In fact, extensive analysis and data collection by private entities on various fronts is the essence of investigative activity: corporate e-mails, background checks, document analysis, assessment of the lifestyle of the investigated party, exploratory and/or confirmatory interviews, among others; sensitive data may even be collected in the course of the investigation.[6] Depending on the interpretation of the law, one could conclude that the LGPD has created obstacles to the conduct of internal investigations by organizations. This is because paragraph 2 of article 4 of the law provides that "processing of the data referred to in section III of the head paragraph (processing of data for the purposes of public security, national defense, State security, or the investigation and prosecution of criminal offenses) by a person governed by private law is prohibited, except in proceedings under the supervision of a legal entity governed by public law."
However, this interpretation would be inappropriate for two reasons. On the one hand, because today there are numerous serious and responsible private entities that provide investigative services, collecting personal data and information from within their clients' environments or from publicly available sources, with the objective of preventing, mitigating, or resolving incompatible and/or unlawful conduct by members of an organization. On the other hand, because, in certain situations, this activity even results from a legal obligation.[7]
In addition, there are some understandings under the European personal data protection framework on the subject of "corporate investigations vs. processing of personal data". The Article 29 Working Party, in its Opinion 2/2017,[8] consolidated its understanding of corporate investigations in the workplace, providing that the legitimate interest of employers may be invoked as a legal basis for such processing, provided that, among other requirements, the processing is strictly necessary for a legitimate purpose and respects the principles of proportionality and subsidiarity.[9] Along the same lines, recital 47[10] of the European General Data Protection Regulation (GDPR) should be noted, which expressly states that "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned".
It turns out that, according to the European understanding of the issue, there is no question of a prohibition on the processing of data for corporate investigation purposes. What is discussed there is how these data are processed within the organization and on what legal basis such processing should rely.
Considering the notable influence that the GDPR exerts on the Brazilian data protection law,[11] nothing allows us to say that internal corporate investigations can no longer be conducted by private legal entities on the basis of article 4, paragraph 2, described above. At the same time, it is indisputable that such activities must respect the new law.
Thus, the work of the corporate investigator, specifically with regard to the LGPD, must be carried out in good faith and, above all, in observance of the principles set out in the law, such as transparency, necessity, prevention, and security.
In addition, depending on the type of investigation, it is necessary to choose the most appropriate legal basis for the processing. In most cases, it will be the one provided for in subsection IX of article 7, "legitimate interest". But other scenarios can be envisioned, such as an investigation based on an accusation of sexual harassment made through the entity's reporting channel. In this case, the legal basis provided for in subsection VII of article 7, "for the protection of the life or physical safety of the data subject or a third party", could properly be invoked.
Another example is the processing of data necessary for the controller to comply with a legal or regulatory obligation, as mentioned above. Even sensitive data could be processed in the context of a corporate investigation, as in the case of an investigation initiated on the suspicion that an employee presented a false medical report in order to obtain leave from work. Whatever the legal basis used, however, it is of paramount importance to document all data processing carried out during the investigation by preparing a personal data protection impact report (RIPD).[12] The RIPD has the objective of mitigating risks to the civil liberties and fundamental rights of the investigated persons and shall contain, at a minimum, a description of the types of data collected, the methodology used to collect the information and to guarantee its security, and the controller's analysis of the measures, safeguards, and risk mitigation mechanisms adopted.[13][14]
Another relevant point is the finding that corporate fraud is, at some point, committed in the organization's digital environment. Thus, it is essential that technical care be taken to preserve the traces and the integrity of the data extracted from the digital environment, so that the results of the investigation cannot be challenged in court.[15]
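As an added illustration of the technical care described above (example code written for this page, not part of the original article or of any standard it cites), the script below records every collected file in an acquisition manifest with its SHA-256 hash, size, collector and timestamp, and later verifies that neither the files nor the manifest record itself have changed. The case identifier, collector name and sample files are constructed placeholders.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()  # stream so large exports (mailboxes, images) fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, case_id, collector):
    """Record what was collected, by whom and when, plus each item's size and hash."""
    items = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            items.append({"path": os.path.relpath(full, root).replace(os.sep, "/"),
                          "size": os.path.getsize(full), "sha256": sha256_file(full)})
    manifest = {"case_id": case_id, "collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(), "items": items}
    # Hash the canonical JSON of the record itself so edits to the manifest also show.
    canonical = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest

def verify_manifest(root, manifest):
    """Return [(path, problem)] for every deviation; an empty list means intact."""
    record = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    problems = []
    if hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest() != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "manifest record altered"))
    for item in manifest["items"]:
        full = os.path.join(root, *item["path"].split("/"))
        if not os.path.isfile(full):
            problems.append((item["path"], "missing"))
        elif sha256_file(full) != item["sha256"]:
            problems.append((item["path"], "modified"))
    return problems

def demo():
    """Constructed sample (placeholder case id): collect two artifacts, verify, alter one, verify again."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "mailbox_export.eml").write_text("From: user@example.invalid\nSubject: constructed sample\n")
        Path(root, "access.log").write_text("2021-01-01T00:00:00Z login user=sample result=ok\n")
        manifest = build_manifest(root, "CASE-ID-PLACEHOLDER", "investigator-placeholder")
        clean = verify_manifest(root, manifest)
        Path(root, "access.log").write_text("2021-01-01T00:00:00Z login user=sample result=ok\nextra\n")
        return clean, verify_manifest(root, manifest)
```

In practice the manifest is stored separately from the collected files (and ideally in write-once storage), so that the second verification shows exactly which item changed after acquisition.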
In fact, during the process of internal corporate investigations, various kinds of personal data can be accessed and analyzed by a legal entity, in apparent conflict with the provisions of paragraph 2 of article 4 of the LGPD. However, investigating ethical violations and illegal acts proves to be not only an organization's compliance duty but also a legitimate interest in detecting and stopping illegal conduct by the agents involved. The objective is to allow any recovery of damages and losses caused to the organization and to mitigate risks of liability in the criminal, labor, competition, corporate, and other spheres.
In summary, the entry into force of the LGPD appeared at first sight to have created substantial limitations on internal corporate investigations. In truth, however, the law has not brought limitations but normative parameters capable of giving legitimacy to the conduct of these activities. Principles such as transparency ensure that investigated parties receive clear and accurate information about the data being processed in the course of the investigation. However, the provision of, and the granting of access to, such information and data may undoubtedly be delayed if, and for as long as, it is necessary and proportionate to avoid prejudicing the investigation.
In short, it is all a question of adapting to the new reality. In view of this, the adoption of good practices and governance mechanisms by organizations is crucial to avoid the risks arising from the massive processing of data carried out during the corporate investigation procedure.
[1] The public and legislative process began in 2010, with the opening of a public consultation on the subject, promoted by the Ministry of Justice, which subsequently resulted in the proposal of PL 5,276/16, annexed to PL 4,060/12, to the House of Representatives.
[2] The LGPD entered into force on September 18, 2020, 24 months after the date of its publication (article 65, as amended by Law No. 13,853/19).
[3] BIONI, Bruno et al (Coords.) Tratado de Proteção de Dados Pessoais [“Treaty on Personal Data Protection”], Rio de Janeiro: Forense, 2021. See p. 327.
[4] According to the law, the agents are (i) the controller: the competent authority responsible for decisions concerning the processing of personal data; and (ii) the operator: an individual or legal entity, whether governed by public or private law, who carries out the processing of personal data on behalf of the controller (article 5, subsections VIII and IX).
[5] The date set for application of the sanctions provided for in the law for companies that fail to comply with the rules, ranging from a warning to a fine of up to R$ 50 million, remains the same as in the original text of the LGPD: August of 2021.
[6] "Article 5. For the purposes of this law, the following definitions shall apply:
[...]
II - sensitive personal data: personal data on racial or ethnic origin, religious beliefs, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data on health or sexual life, genetic or biometric data, when linked to an individual;"
[7] As an example, we may cite the provisions contained in article 7, subsection VIII, of Law No. 12,846/13 (the Anti-Corruption Law) and in article 10 of Law No. 9,613/98 (the Anti-Money Laundering Law).
[8] The Article 29 Data Protection Working Party was an advisory body consisting of a representative of the data protection authority of each Member State of the European Union, the European Data Protection Supervisor, and the European Commission.
[9] Available at: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169
[10] Available at: https://gdpr-text.com/read/recital-47/
[11] The influence of the GDPR on the LGPD is evident. Both texts converge on the limitation of data processing to restricted scenarios, the assertion of data subjects' rights to anonymization and deletion of their data and the strict legal framework of processing possibilities.
[12] According to article 5, XVII, of the LGPD, the personal data protection impact report is the "controller's documentation which contains a description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms."
[13] Article 38, sole paragraph, of the LGPD.
[14] In the GDPR, the minimum compulsory elements, as per article 35 (7), are:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- an assessment of the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
[15] According to the ISO/IEC 27037:2013 standard, the handling of digital/cyber traces must be done through the identification, isolation, recording, collection, and preservation of digital evidence.