Luís Osvaldo Grossmann … 15/09/2021 … Digital Convergence

The second day of the public hearing held by the National Data Protection Authority this Wednesday, 15/9, on special rules for small businesses kept the critical tone of the previous day toward the main measures of the proposal: exempting SMEs and startups from keeping processing records, from appointing a data officer (the person in charge), and from portability.

In particular, the very criteria for defining which institutions would be exempted from part of the rules of the General Data Protection Law (13,709/18), or could comply with them in a simplified way, raise concerns among DPOs, technologists, scholars and lawyers. The reading is that the proposed text, by pointing to the Legal Framework of Startups (LC 182/21), opens a loophole for companies with revenues of up to R$ 16 million per year to be exempted from the LGPD.

“As proposed, it will be easy to circumvent the supposed small size rule. We must remember that there is no social or business maturity for good practices and compliance with the LGPD, and the role of the person in charge is fundamental for promoting this legal and social environment in favor of data protection in Brazil. If the proposed wording is maintained, the companies’ budgets will certainly be redirected and investments to adapt to the LGPD will go to accounting and tax strategies with the objective of qualifying as a small-sized agent”, pointed out lawyer Rodrigo Gomes.

Pointing to the same problem, several statements reinforced that the exemptions weaken the still nascent LGPD and can harm the very companies that the resolution under debate seeks to help. “All the companies had two years to adapt to the legislation, but they didn’t give a damn about it. Thinking as a data owner, and when we say that small companies, MEIs, or startups with revenues of up to R$ 16 million, therefore nothing small, we will generate a commercial impact. The data subject will stop doing business with companies that are not suitable”, said the CIO of the company Softsat, Fernando Fornazieri.

For Walter Gaspar, from CTS-FGV, “exemptions from portability, maintenance of operation records and appointment of supervisor are undesirable. These are three pillars for the exercise of rights by the holders, and their mere dismissal risks seriously violating the original intention of the legislation”. It would be better to maintain obligations, even if they are simplified.

“Different levels of portability, with the establishment of simplified standards and especially of practical tools and educational initiatives by the Authority, would represent a more effective middle ground between the proposed total abandonment and the requirement of a complex system of portability and interoperability required for large actors. As for records, the dispensation renders the efforts for an active posture of care with the processing of personal data meaningless, a cornerstone both for the fulfillment of the controller’s obligations and for the exercise of rights by the holder. And the same goes for the nomination of the person in charge”, he defended.

As the DPO and IT professional Mauro Santos also pointed out, the measures may even affect the relationship with other markets. “You cannot derail companies, but we cannot let the law fall into disrepute, both internally and internationally. The draft considers startups to be small, with sales of up to R$16 million. Does a company with this income not have the resources to promote its adequacy? If made inefficient, the LGPD may limit the performance of Brazilian economic agents in countries with better-established privacy laws.”

He insisted that the focus of the rules, although differentiated, must be on data subjects, not companies. “When discussing the mandatory use of seat belts in cars, there was even discussion of allowing a two-point seat belt on popular vehicles, and three-point seatbelts on luxury vehicles. As the focus was on the user and not the automakers, the three-point belt was defined for all vehicles. The same security for all users.”