Amendment to Fair Credit Reporting Act
S.2155, which was enacted in May of this year, amends the Fair Credit Reporting Act (FCRA) to allow consumers to request a security freeze, free of charge, from the nationwide credit reporting agencies (Equifax, TransUnion, and Experian). S.2155 also extended the length of time for initial fraud alerts from ninety (90) days to one year. As a reminder, a consumer may request an initial fraud alert from the nationwide consumer reporting agencies when they believe that they have been, or are about to become, a victim of fraud or identity theft.
S.2155 also includes a new notice that must be provided to consumers “[a]t any time a consumer is required to receive a summary of rights required under section 609.” Therefore, as of September 21, 2018, consumer reporting agencies must provide this new consumer notice (see below) whenever the consumer is required to receive a summary of rights under Section 609 (§1681g) of the FCRA (either the federal Summary of Rights notice or the “Remedying the Effects of Identity Theft” notice). Thus, even though the requirement to place a security freeze under federal law applies only to nationwide consumer reporting agencies, all consumer reporting agencies must provide the additional notice.
The notice required by the new provision that applies to any circumstance in which the consumer is required to receive a summary of rights under Section 609 is as follows:
Consumers have the right to obtain a security freeze
You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years. A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
California Employers Must Get Applicant OK for Background Check
California employers, lenders, and landlords must obey the tougher of two privacy laws and inform applicants before investigating their background, the state Supreme Court ruled Aug. 20. The 7-0 decision affects the thousands of credit, employment, and housing decisions made daily in California under two laws. One of them requires prior notice and authorization before certain types of background investigative reports are ordered. The other covers more consumer-oriented information that doesn’t require advance disclosure or consent. The justices upheld a lower court ruling that school bus transportation company First Student Inc., part of FirstGroup plc, failed to adequately notify and obtain consent from former Laidlaw International Inc. bus drivers and aides before it conducted background checks on 54,000 workers. The reports were ordered after First Student bought Laidlaw in 2007. First Student had to comply with the more protective Investigative Consumer Reporting Agencies Act, designed to give consumers a chance to correct information and address identity theft, regardless of the company’s compliance with the less-stringent requirements in the Consumer Credit Reporting Agencies Act, the California Supreme Court said. “The implications are that these two laws are relatively straightforward and easy to follow. So landlords, employers, banks, anyone seeking to run a background check that falls in one or both of these statutes will continue to have to comply with them,” Hunter Pyle of Hunter Pyle Law in Oakland, Calif., representing plaintiff Eileen Connor, told Bloomberg Law. “Employees will have their privacy rights protected, and the worst types of abuses where entities run background checks on people without telling them will be illegal under California law,” Pyle said Aug. 20.
Compliance Consent Required
In interpreting the two laws, “we agree with the Court of Appeal and find that potential employers can comply with both statutes without undermining the purpose of either,” the Supreme Court said. Connor’s case involves a report that falls under the scope of both laws and “is simply one that contains information bearing on both a consumer’s credit worthiness and on her character. It seems to us that such a duality does not make legal compliance particularly difficult, much less impossible,” Justice Ming Chin wrote for the court. The ruling covers a single Laidlaw employee in the bellwether case for more than 1,200 former workers alleging that First Student needed their approval for the background checks. The case now returns to an appeals court and then to the Los Angeles trial court. “Finally the bus drivers and aides involved can have their cases resolved on the merits,” Catha Worthman, Feinberg Jackson Worthman & Wasow LLP partner and co-counsel for Connor, told Bloomberg Law. Violations of the Investigative Act carry a $10,000-per-violation penalty, so for the remaining 450 plaintiffs who didn’t accept settlements, that is a “potentially life-changing amount” for drivers and aides, Worthman said.
The justices rejected reasoning in a separate 2007 appellate decision in Ortiz v. Lyon Management Group Inc., involving tenants, that concluded the Investigative Act was unconstitutionally vague. First Student argued that it relied on Ortiz in its decision to proceed with processing the records. The California Supreme Court, however, agreed with the appeals court in Connor’s case. Chad Saunders with Hunter Pyle Law and Genevieve Casey with Feinberg Jackson also represented Connor. Ronald Peters and Benjamin Emmert, shareholders with Littler Mendelson PC in San Jose, Calif., represented First Student. The case is Connor v. First Student Inc., Cal., No. S229428, opinion 8/20/18 (http://www.courts.ca.gov/opinions/documents/S229428.PDF).
Vermont Bans ‘No Rehire’ Clauses
Vermont is the first state to outlaw “no rehire” clauses in agreements that bar workers who settle discrimination and harassment cases from working for that employer again.
The provision is part of a law addressing sexual harassment protections for employees that went into effect last month. According to its sponsor, the law was inspired by the #MeToo movement. The law:
- Improves and streamlines sexual harassment reporting and creates a hotline and web portal for the reporting of sexual harassment complaints to the Vermont Human Rights Commission or the Attorney General’s Office.
- Bans nondisclosure agreements that preemptively prohibit employees from reporting sexual harassment and prohibits the use of no rehire clauses in settlement agreements that critics say punish the victim.
No rehire agreements typically extend to a company’s parent organization and affiliates as well.
Including no rehire clauses in separation agreements is fairly common across the country, said Susan Gross Sholinsky, an attorney in the New York City office of Epstein Becker Green. She said the clause is meant to protect the company from being sued again in the future by a former employee who claims retaliation for not being rehired. If a settlement agreement does not include a no rehire provision, former employees could potentially reapply for a job and, if they are not rehired, allege retaliation for their prior legal claims. When signing an agreement with a no rehire clause, the employee typically agrees that employment has ended and promises not to seek reemployment with the company. In some cases, the employee agrees that their employment may be terminated immediately without any legal recourse if they are rehired by the company or any related entity. In 2016, the Equal Employment Opportunity Commission (EEOC) issued guidelines warning companies against practices that could be seen as retaliating against employees who file discrimination or harassment claims, which could include no rehire clauses. “There are EEOC interpretations, and some employment lawyers have started advising their employer clients that use of no rehire clauses could be considered retaliatory against plaintiffs,” said Cary Brown, executive director of the Vermont Women’s Commission, a nonpartisan state agency advancing rights and opportunities for women and girls. “We’re following that line of thinking and looking at this [law] as a way to ensure fairness, particularly in a small state like ours,” Brown said. “The repercussions could be significant to somebody signing one of these agreements and then finding their local employment options severely curtailed. There are only so many jobs people can choose from, and only so many employers available.”
District Court Dismisses FCRA Disclosure Claim Against Casino in Absence of Concrete Injury
Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained. In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure. Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes. TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing. The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing. Williams could not do that here. 
According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.” Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.
Bank of America Customers Win Final OK For $1.8M FCRA Settlement
A class of Bank of America NA customers won final approval Thursday for their $1.8 million Fair Credit Reporting Act settlement over allegedly unauthorized soft credit report inquiries, with a California federal judge saying that though it offered a small $4 payout per class member, the deal was fair. Under the settlement, each class member will be entitled to a $4.06 claim. Class counsel have said the deal is “among the highest dollar settlement[s] per class member that has ever been reached” in an impermissible access…
New Jersey Federal Court: Employer Need Not Waive Drug Test for Medical Marijuana User
Despite the legalization of medical marijuana in a majority of states, marijuana remains illegal under the federal Controlled Substances Act (“CSA”), which lists cannabis as a prohibited Schedule 1 illegal drug.
What does it mean to be a Schedule 1 drug?
“Schedule I drugs, substances, or chemicals are defined as drugs with no currently accepted medical use and a high potential for abuse,” according to the U.S. Drug Enforcement Agency. In light of this federal prohibition on marijuana, employers have professed confusion over what exactly they can prohibit when so many states have legalized medical marijuana. I emphasize medical because in the employment arena, “medical” may connote a “disability” under the Americans with Disabilities Act (the “ADA”). We discussed that employers must engage in an interactive process with an employee who has, or may be perceived as having, a disability, or who has a record of a disability, so the critical question becomes: does the ADA require an employer to provide a reasonable accommodation to medical marijuana cardholders?
As I explained here, the ADA excludes “an individual who is currently engaging in the illegal use of drugs” from its definition of an “individual with a disability,” with one very limited but significant exception. Because marijuana is a Schedule 1 drug under the CSA, using it excludes an employee from ADA protection.
Let’s see how one New Jersey court handled a reasonable accommodation request under the state’s medical marijuana law.
New Jersey’s Medical Marijuana Law
Like the Pennsylvania medical marijuana law, New Jersey’s Compassionate Use Medical Marijuana Act (“CUMMA”) is silent as to an employer’s obligation to make any accommodation for the use of medical marijuana on the property or premises of any place of employment. Despite cannabis’ categorization as a Schedule 1 drug under the CSA, when enacting CUMMA, the NJ legislature found that “[m]odern medical research has discovered a beneficial use for marijuana in treating or alleviating the pain or other symptoms associated with certain debilitating medical conditions.” Thus we see the dichotomy when federal law claims the opposite of state law.
NJ Federal Court Ruling – No Reasonable Accommodation!
Anyway, so, the employee in question, a forklift operator, possessed a doctor’s recommendation for medical cannabis (and Percocet) to treat his neck and back pain. The employee had an accident at work and saw a doctor, who placed the employee on “light duty.” Upon his return, he could still perform all the essential functions of the job, but his employer required that he pass a drug and urine test. Knowing that if he failed the test he would be fired, the employee sought a waiver of the drug test as a reasonable accommodation. The employer balked and argued that CUMMA did not require such a waiver. Did the court agree and require that the employer waive its drug-testing policy as a reasonable accommodation? Not so much. In an Opinion last week, which you can read in full here (https://images.law.com/contrib/content/uploads/documents/399/14598/med-mar.pdf), the federal District Court stated that CUMMA does not require an employer to permit the use of medical marijuana in the workplace. Fine. Makes sense. Significantly, the court also noted that CUMMA specifically excluded employers from its scope. Then, the court sided with the employer, determining that NJ’s narrower law (in comparison to other states) did not require an employer to waive its use of a drug test as an accommodation. Judge Kugler seemed to base his holding on a “plain language of the statute” argument and a prediction, as he explained:
Unless expressly provided for by statute, most courts have concluded that the decriminalization of medical marijuana does not shield employees from adverse employment actions.
This Court predicts that the New Jersey judiciary would reach a similarly obvious conclusion: the LAD does not require an employer to accommodate an employee’s use of medical marijuana with a drug test waiver. Although no court has expressly ruled on this question, New Jersey courts have generally found employment drug testing to be unobjectionable in the context of private employment.
Wait, what happened to the interactive process? Isn’t that a requirement? Didn’t the employer have to engage in a discussion with the employee to determine whether an alternative accommodation existed to accommodate the employee’s disability? Apparently not, and that process is not referenced in the Opinion (perhaps because it was not pleaded in the complaint). What does this tell us?
How these cases are treated may depend on your state. Under similar circumstances, courts in other states have determined that an exception to an employer’s drug policy could constitute a reasonable accommodation, but in any event, the employer was required to engage in the interactive process to determine whether there were any alternatives for the employee’s medical marijuana use.
New Jersey law does not require private employers to waive drug tests for users of medical marijuana. Will it in the future? Judge Kugler thinks it unlikely, but, just in case, employers may want to consider initiating the interactive process to determine whether a reasonable accommodation or an alternative to their drug-free policy exists.
Biometric Data Privacy Act Class Action Dismissed for Lack of Actual Injury
A federal district court in the Northern District of Illinois dismissed a putative class action alleging violations of the Illinois Biometric Information Privacy Act—known as the BIPA—holding that the allegation of a mere procedural violation of the statute did not establish Article III standing. The July 30 ruling in Johnson v. United Airlines furthers the split among trial courts on whether allegations of technical violations of BIPA allege the concrete injury necessary for federal subject matter jurisdiction. Ultimately, Illinois’ highest court will take up the issue and its decision will likely substantially impact pending and future BIPA litigation.
Illinois Biometric Information Privacy Act
BIPA is the nation’s toughest law regulating the collection and use of biometric information. Under BIPA, a “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA requires organizations to provide written notice prior to their biometric information collection, storage and use practices, and to obtain written consent before collecting an individual’s biometric data. The notice must include the purpose of the collection and the duration that the organization will use or retain the data. Once an organization has collected biometric data, BIPA requires that the data be protected in the same manner as other sensitive and confidential information using the reasonable standard of care in the organization’s industry. BIPA also requires organizations to have a publicly available written policy stating how long the organization will retain the data and rules governing its destruction. Unlike other state biometric data laws, BIPA provides a private right of action to any “person aggrieved” by a violation of the law.
The plaintiff, David Johnson, is a baggage handler for United Airlines. Johnson and other United employees are subject to a collective bargaining agreement (CBA) between United and the International Association of Machinists and Aerospace Workers. Under the CBA, United requires fingerprint scans as a condition of employment and mandates that its employees swipe their fingerprints as a means of clocking in and out and for timekeeping purposes. Johnson filed a putative class action in Illinois state court challenging United’s collection and use of his fingerprints as a violation of BIPA. Specifically, Johnson alleged that United had failed “to obtain consent from its workers prior to capturing and collecting their biometric information and similarly failed to provide workers and the public with a retention schedule and detention policies which detailed how and when Defendants would retain and then destroy their workers’ biometric information and/or biometric identifiers.” United removed the action to the Northern District of Illinois on the basis of federal question jurisdiction pursuant to the Railway Labor Act (RLA), and the diversity of the parties. United then moved to dismiss Johnson’s complaint for lack of subject matter jurisdiction.
The district court dismissed Johnson’s complaint, holding that Johnson’s BIPA claim was preempted by the RLA and that, even if it was not, Johnson had failed to establish an injury sufficient to establish standing.
District Court Decision
The district court began by noting that Congress had enacted the RLA to “promote stability in labor-management relations by providing a comprehensive framework for resolving labor disputes.” It held that any dispute between labor and management whose resolution required interpretation of the collective bargaining agreement between the parties fell within the scope of the RLA and was subject to preemption. Because Johnson’s BIPA claim required interpreting the CBA to determine whether United’s use of fingerprint scanning for a timekeeping system fell within the scope of the CBA, the court held the BIPA claim was preempted. In addition, Johnson’s claim that United failed to obtain a written release before using its employees’ fingerprints also required interpreting the CBA to determine if its provisions directly contradicted BIPA’s requirements. Thus, the district court found that the RLA stripped it of subject matter jurisdiction. The district court next addressed Johnson’s standing to bring his BIPA claims, finding that “[n]ot only does preemption support dismissal in the underlying matter, but so too does the issue of Article III standing.” It held that “although injuries may be intangible harms or purely statutory procedural harms, the harm alleged by Johnson fails to rise to the level of an injury-in-fact without more.” The district court found that “notice and consent violations do not without more create a risk of disclosure,” and “Johnson alleges a statutory violation based entirely on United’s failure to obtain consent but provides no factual basis to show there was any subsequent disclosure that would form the injury.” Accordingly, the district court granted United’s motion to dismiss for lack of subject matter jurisdiction.
Although BIPA limits private actions to individuals who are “aggrieved” by a violation, the law does not define that term. This omission has led to conflicting decisions concerning whether an injury beyond a procedural violation is required for statutory standing. In McCollough v. Smarte Carte (N.D. Ill. Aug. 1, 2016) and Santana v. Take-Two Interactive Software (2d Cir. Nov. 21, 2017), BIPA actions were dismissed because there was no actual injury separate and distinct from the alleged procedural statutory violation. In contrast, in Monroy v. Shutterfly (N.D. Ill. Sept. 15, 2017) and In re Facebook Biometric Information Privacy Litigation (N.D. Cal. Apr. 16, 2016), the courts found that allegations of a BIPA violation without an actual injury were still sufficient to establish standing. The United Airlines decision weighs in firmly on the side of those courts requiring an actual injury for standing in BIPA cases and provides defendants with additional ammunition to challenge BIPA plaintiffs whose claims only include a technical or procedural violation of the statute.
However, it should be noted that the BIPA case of Rosenbach v. Six Flags Entertainment, which directly addresses whether an actual injury is required in BIPA cases, is currently pending before the Illinois Supreme Court. In Rosenbach, the plaintiff alleged that the theme park violated BIPA by collecting fingerprints in connection with the purchase of a season pass and not obtaining written consent or disclosing how the collected fingerprint scans would be used, stored, and/or destroyed. The Appellate Court of Illinois found that a plaintiff who alleges only a technical violation of the statute, without also alleging some injury or adverse effect, is not an aggrieved person under BIPA. How the Illinois Supreme Court rules will likely decide the issue and substantially impact pending and future BIPA litigation.
Privacy Shield Guidance When Personal Data Transferred from the EU to the U.S. for Processing Purposes
If you operate as a processor under the Privacy Shield Program, you should familiarize yourself with the guidance released by the Privacy Shield Framework related to processors’ access obligations, which can be retrieved at https://www.privacyshield.gov/article?id=Processing-FAQs. The document provides guidance with regard to the following questions:
- When personal data is transferred from the European Union (EU) to the United States for processing purposes only, what contractual requirements are mandated by the Framework(s)?
- How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Notice Principle?
- How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Choice Principle?
- How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Data Integrity and Purpose Limitation Principle?
- How can a participant acting as a processor adhere to the Frameworks’ Access Principle?
Brazil General Data Protection Law
On August 14, 2018, Brazil approved the General Data Protection Law (Lei Geral de Proteção de Dados, LGPD; text in Portuguese). The law will come into effect after an 18-month adaptation period, in early 2020. The LGPD creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It is important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data in a sector-based system. However, the LGPD is replacing and/or supplementing this sectoral regulatory framework, which was at times conflicting and murky, lacked legal certainty, and made the country less competitive in the context of an increasingly data-driven society. These are the main points of the new law:
- Scope of application: The LGPD will have transversal, multi-sectoral application to all sectors of the economy, both public and private, online and offline. With few exceptions, such as national and public security and purely research, artistic and journalistic purposes, any practice that processes personal data will be subject to the law.
- Extraterritorial application: In a similar way to the European Union’s General Data Protection Regulation, the LGPD will have extraterritorial application, that is, the duty of compliance will exceed the geographical limits of Brazil. Any foreign company that has at least a branch in Brazil, or that offers services to the Brazilian market and collects and processes personal data of data subjects located in the country, regardless of their nationality, will be subject to the new law.
- Concept of personal data: The LGPD provides for a broad concept of what should be deemed personal data related to an identified or identifiable natural person. That is to say: any data, isolated or aggregated to another, that may allow the identification of a natural person or subject them to a certain behavior (interpretation possible from an integrative reading of the text). In this time of big data, which allows the rapid correlation of large, structured and unstructured databases, virtually any data can eventually be considered personal, therefore subject to the law.
- Concept of sensitive personal data: Sensitive personal data is data that, by its very nature, may subject the data subject to discriminatory practices, such as data on racial or ethnic origin, religious belief, political opinion, health or sexual life; or that allows unequivocal and persistent identification of the data subject, such as genetic data (which has both facets, discrimination and identification) or biometric data. Such data should be treated in a differentiated manner, with additional security layers, and with different legal bases, such as the express consent of the data subject.
- Anonymized data: Anonymized data refers to data on a data subject that cannot be identified considering the use of reasonable time, cost and technical means available at the time of the data treatment. In this way, anonymized data would be outside the scope of application of the law, except if the anonymization process can be reversed or if the data is used for behavioral profiling purposes. Effectively, anonymized data is essential for technologies within the scope of internet of things, artificial intelligence, machine learning, smart cities and analysis of large behavioral contexts.
- Public data: There has been a great deal of discussion about the limits on the use of publicly accessible personal data, such as those contained in databases managed by public bodies, official publications and notarial records, or those expressly made public by their data subjects, such as public profiles on social networks. The LGPD deals with such situations, treating them in different ways, and imposing certain limitations, such as limiting the use to the purposes that led to the disclosure of the publicly accessible personal data. That does not mean that public data can no longer be used for other purposes, only that business models that rely on this type of data will have to adapt.
- Legal grounds for data processing – consent and legitimate interests: In order to treat personal data, which includes the practice of collecting it, it is always necessary to have a legal basis. The LGPD lists 10 hypotheses that authorize the use of personal data, and unambiguous consent is only one of them. It should be noted that the legal basis known as “legitimate interest,” which did not exist in the prior Brazilian legal data protection framework, would allow the use of the data for purposes other than those originally authorized by its data subjects or those that led to its disclosure. Through a proportionality test that considers the interests of the controllers and the rights of the data subject, this hypothesis would allow for new uses for the data, making it essential in times of big data, artificial intelligence, machine learning, and innovative business models based on the use of personal data.
- General principles of data protection: The LGPD lists 10 principles that should be considered in the processing of personal data, such as purpose limitation, necessity, transparency, security, non-discrimination and, new to Brazilian law, the principle of accountability, which makes it mandatory for the data controller and data processor to fully and transparently demonstrate the adoption of effective measures capable of proving compliance with the rules for the protection of personal data. This can be done through data protection assessments, methodologies also provided for by law.
- Data subjects’ basic rights: Data subjects will have their basic rights expanded, and these rights must be guaranteed in an accessible and effective manner. Among the listed rights, it is important to highlight the right of access to data, rectification, cancellation or deletion, objection to processing, and the right to information and explanation about the use of data. The major innovation is the right to data portability, which allows the data subject not only to request a complete copy of their data but also to receive it in an interoperable format, which aims to facilitate its transfer to other services, including competitors. Because of its nature, this new right has been seen as a strong element of competition between companies offering similar services based on the use of personal data.
- Liability: The different agents involved in data processing – the controller and the processor – can be jointly and severally liable for information security incidents, for improper or unauthorized use of the data, or for non-compliance with the law. However, the liability of the processor, that is, the party that processes data on behalf of the controller, may be limited to its contractual and information security obligations, provided it does not violate the rules imposed by the LGPD. It is therefore important to define whether a company should be viewed as a controller, a processor, or both, in order to set the limits of its liability.
- Mandatory data breach notification: Notification of data breaches to the data protection authority becomes mandatory and must be made within a reasonable time frame. Depending on the severity of the case, the authority may order notification of all data subjects involved and widespread publicity of the incident.
- International data transfers: The LGPD provides a series of legal instruments that allow for the international transfer of personal data, even to countries that are not considered to have an adequate level of protection. It will be possible to transfer personal data internationally based on the specific and express consent of the data subject, which must be given in advance and separately from the other purposes and requests for consent. It will also be possible to carry out the transfer if the controller guarantees, through contractual instruments such as binding corporate rules and standard clauses, that it will comply with the principles, data subject rights and the data protection regime provided by the law. Similar to the GDPR, the law also allows transfers by means of seals, certificates and codes of conduct issued and authorized by the data protection authority.
- Data protection officer: The DPO is the natural person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the data protection authority. In addition, the DPO should be responsible within the institution for the company’s compliance with the rules provided by the law and should guide the entity’s employees and contractors on the practices to be adopted in relation to the protection of personal data. An initial reading of the LGPD suggests that any entity that processes personal data must appoint a DPO, but the data protection authority may establish complementary rules on the definition and duties of the person in charge, including the cases in which companies will not need to appoint a DPO.
- Data protection impact assessment: The DPIA is the controller’s documentation describing the data processing activities that may create risks to data subjects, together with the measures, safeguards and mitigation mechanisms implemented. The DPIA may be mandatory in situations already characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest. The DPIA methodology is widely adopted under the GDPR and provides, in addition to risk mapping, an effective snapshot of the entity’s regulatory compliance status.
- Records of data processing activities: Any and all personal data processing activities must be recorded, from collection to deletion, indicating what types of personal data will be collected, the legal basis that authorizes their use, the purposes, the retention period, the information security practices implemented in storage, and with whom the data may eventually be shared. This methodology is known as data mapping.
- Information security standards: Both the data controller and the data processor must take appropriate technical, security and administrative measures to protect personal data. The data protection authority may set minimum technical standards, considering the nature of the data handled, the specific characteristics of the processing and the current state of technology.
- Privacy by design and by default: It is mandatory to build the guarantee of privacy and data protection rights into services, products and business models from the design stage. The general principles of the LGPD and its security standards must therefore be observed from conception through execution and offering of the product or service. Also, privacy controls, typically accessible through dashboards on online platforms, must by default be set to the most protective option, and it is up to the data subjects to relax them if they so wish.
- Codes of conduct and certification bodies: The LGPD clearly encourages the adoption of industry codes of conduct and certification bodies that can ensure compliance with the data protection rules. Certain sectors may create their own codes of conduct for the use of data, which may even be stricter than the law. These must be authorized in advance by the authority and provide methods that demonstrate compliance. Furthermore, entities may qualify before the authority to certify that other institutions comply with the general law.
- Penalties: Administrative sanctions may be applied by the authority in case of violation of the LGPD. Among the sanctions are warnings and fines of up to 2 percent of the company’s, group’s or conglomerate’s turnover in Brazil in its last fiscal year, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction. There is also the possibility of a daily fine to compel the entity to cease violations.
- Transition and adaptation period: The LGPD will enter into force 18 months after its publication. Therefore, public and private entities will have until February 2020 to adapt. In addition, the national authority, once created, may establish rules on the progressive adaptation of databases created up to the date the law enters into force, considering the complexity of the processing operations and the nature of the data.