There is a lot of uncertainty as to when the Brazilian Data Protection Law (No. 13,709 – "LGPD") will come into force. Such uncertainly has been significantly increased due to the current scenario of Covid-19. However, data protection compliance projects should not be postponed or implemented superficially, especially considering (i) their direct impact in a company's reputation towards its employees, suppliers, partners and customers and (ii) their relevance in business relations outside of Brazil, since several countries require an adequate level of data protection to transfer data. Therefore, it is vital that companies do not lose sight of the importance of data protection compliance projects, regardless of the company size.
Impacts of Covid-19 on Data Protection
The sharing of personal data in the midst of the Covid-19 pandemic – especially of individuals who were infected or are under suspicion of being infected by the virus – is not only an obviously known necessity, but also a legal obligation for both public entities and private companies, due to the measures set forth in Brazilian Law No. 13,979, of February 6, 2020 to deal with the new virus outbreak. For instance, Article 6, 1st Paragraph of the mentioned law determines that private entities must share personal data related to health insurances, hospitals, clinics and other medical information if required to do so by health authorities.
In this context, the Rio de Janeiro City Hall has firmed a partnership with a telecommunications company, to provide a data analysis system regarding the local populations commute. This partnership might enable the city to evaluate more effective measures to combat the pandemic. In principle, all information shared with the municipal government will be anonymized.
In light of the scenario above, it is clear that the impacts of Covid-19 in the protection of personal data are numerous. It is a challenge to guarantee the fundamental rights to privacy in a scenario where public calamity has been acknowledged by the National Congress, thus allowing more radical action by the Executive Power, especially the mitigation of other fundamental rights.
Analysing the LGPD, it is important to highlight that not all data shared in the context of the pandemic will be sensitive data. Names, addresses, e-mails, telephones, and others, are not necessarily included in Article 5, item II of the LGPD which establish the concept of sensitive data. On the other hand, health information of patients, such as confirmation of their condition as infected with Covid-19, is sensitive data, and must be processed with more attention.
One possible interpretation is that the processing of personal data in the context of the Covid-19 it outside of the scope of protection of the LGPD, since the processing for purposes of state security or national defence is necessary, which instances excluded from the law, pursuant to Article 4, Item III, a) and b).
On the other hand, if the processing does fall within the scope of protection of the LGPD, it may be interpreted that personal data related to Covid-19 may be processed without the data subject's consent, due to the following articles: (i) Article 7, item VII (protection of life) and VIII (tutelage of health) in relation to non-sensitive data and (ii) Article 11, item II, e) and f) in relation to sensitive personal data. With the LGPD's entry into force, it should be noted that processing that is a consequence of compliance with legal obligations (Articles 7, item II and Article 11, item II, a) of the LGPD) can also be used as a legal basis without need for consent in the Covid-19 scenario.
Impacts of Covid-19 on Data Protection in Labor Relationships
In case of labor law, the obligation to confirm the existence of a confirmed Covid-19 diagnosis within a company to public authorities must be exercised with caution, to avoid the inadequate processing or leakage of health data, thus preserving the identity of the people involved and sharing data only when necessary and for the purpose of protecting public health. Thus, although Law No. 13,979/2020 provides in Articles 5 and 6, Paragraph 1 that it is "mandatory to share information about the knowledge of infected people or their circulation in public and/or private places", if symptoms that point to a likeliness of a COVID-19 diagnosis are confirmed, doctors should contact the employee directly. If the diagnosis is confirmed, the doctor will only communicate the authorities, treating the data in a confidential manner, in accordance with the rules that regulate the medical profession and the guidelines of the Regional Councils of Medicine.
It is also essential to note that, even without the need for consent, the data subject would still have right of access preserved, pursuant to Article 9 of the LGPD, as well as the rights provided for in certain items of Article 18.
Still in the current LGPD scenario, there is an important nuance in Article 21 of the Law No. 13,979/2020, which determines that information from regularly carried-out exams in which a data subject tests positive for Covid-19 cannot be used against said data subject in employment relationships or to restrict entry in certain locations. The infected data subject cannot be discriminated against, regardless of the quarantine determination, which is a principle pursuant to Article 6, Item IX of the LGPD.
Today we are facing an unprecedented scenario, but which has brought an opportunity to rethink business models. With a massive quantity of companies working in a home office regime, it is vital to be concerned about the privacy of personal data, as well as the safety of confidential information. In an intense home office scenario, certain cautions are essential.
Examples of these concerns are the home office policies that some companies have been requesting in an emergency basis, aligning labor issues, ergonomics, privacy and cybersecurity matters. Predicting rules and clear limitations to workers will be very helpful for companies to build a safer and cohesive remote workplace, where employees, for instance, do not discuss clients' confidential information with eventual smart robots nearby, capturing sound and possibly revealing such information to their developers and partners.
With the entry into force of Provisional Measure No. 927/2020, establishing new labor measures to be adopted to face the Covid-19 outbreak, new possibilities have arisen to employers, like the possibility of altering the work regime without the necessity of celebrating amendments to the original employment contract. In this case, although the amendment is not necessary, it is still highly advisable to elaborate a home office policy, predicting obligations and specific rights of employees.
Visit us at Tauil & Chequer
Founded in 2001, Tauil & Chequer Advogados is a full service law firm with approximately 90 lawyers and offices in Rio de Janeiro, São Paulo and Vitória. T&C represents local and international businesses on their domestic and cross-border activities and offers clients the full range of legal services including: corporate and M&A; debt and equity capital markets; banking and finance; employment and benefits; environmental; intellectual property; litigation and dispute resolution; restructuring, bankruptcy and insolvency; tax; and real estate. The firm has a particularly strong and longstanding presence in the energy, oil and gas and infrastructure industries as well as with pension and investment funds. In December 2009, T&C entered into an agreement to operate in association with Mayer Brown LLP and become "Tauil & Chequer Advogados in association with Mayer Brown LLP."
© Copyright 2020. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.