One year before the Brazilian Data Protection Law becomes enforceable, the limits on privacy for the advertising industry are already being tested.

One year before Brazil’s Data Protection Law enters into full force, Public Prosecutors decided to demand a Data Protection Impact Assessment from Brazil’s leading mobile operator, in an unprecedented move, raising awareness within our country’s privacy community.

The Public Prosecutor's Office of the Federal District in Brasilia (MPDFT) filed, on July 30, through their Special Unit for Personal Data, a class-action lawsuit against Telefônica Brasil S.A. (Telefônica) due to possible transgressions of their services.  Telefônica is the parent company of Vivo S.A. (VIVO) and Brazil´s market leader in mobile communications. In this lawsuit, the MPDFT is seeking a temporary injunction to suspend the “Vivo Ads” service, provided by the company, based on privacy violations.

“Vivo Ads” is a B2B tool that provides marketing services to advertisers, using VIVO’s client base, estimated at around 70 million Brazilians. When a customer’s data usage plan is running low or about to expire, VIVO redirects the customer to a page that offers free data to continue browsing, in exchange for client watching selected commercials from companies that acquire access to “Vivo Ads”.

There is a significant concern regarding data protection in the “Vivo Ads” service. Telefônica represents to advertisers that its service can be adapted to lead and direct mobile advertising to very specific audiences, using a database that already subdivides VIVO´s clients by geo location, user behavior, gender and age, amongst other criteria. With such database, the company claims that “Vivo Ads” would help identify, with a high level of accuracy, the desired audience for a campaign. Also, it is unclear whether VIVO’s clients are aware that, when acquiring mobile services, their personal information could be in use to feed “Vivo Ads” marketing and behavioral databases.

The MPDFT is accusing VIVO of profiting from the personal data of its customers, such as profile, geo location and places visited or patronized, and requested an injunction to suspend the commercialization, in the entire Brazilian territory, of the “Vivo Ads” platform and its geo locational media offerings.

Moreover, Public Prosecutors requested a court order to compel VIVO to deliver a specific Data Protection Impact Assessment (DPIA) for VIVO’s services, which is questionable since the Brazilian Data Protection Law (LGPD), which will only enter in force on August 2020, provides that such document can only be requested by the forthcoming Brazilian Data Protection Authority (ANPD), recently approved by the Brazilian Government, but not yet established.

Brazil´s Data Protection Law has sparse provisions on conducting a DPIA, which is referred to in the law as an “Impact Report”.  LGPD provides a reference that only the national authority would have the right to request the Impact Report from a company being targeted for investigation. Also, the same national authority has a legal obligation to create the mandatory guidelines for such reports. Article 38 of the LGPD is a clear example of such requirement.

Nonetheless, until LGPD enters into force, and Brazil´s national authority is not yet properly instituted, consumer protection authorities and public prosecutors have been “taking the driver’s seat” in conducting investigations. Both are actively engaged in privacy and data protection matters, and might be fully entitled to do so even after ANPD is fully operational, based on their right to examine possible consumer protection violations and to enforce consumer rights in general.

Therefore, regardless of whether LGPD is already in full force, companies doing business in Brazil already need to be cautious. They should consider, among other things, whether a data protection incident could trigger the attention of the existing Brazilian authorities, even if ANPD is still dormant, and that the possibility exists that such authorities may request a DPIA or “Impact Report”. This conclusion is important for companies in the financial, insurance, technology, healthcare, and telecommunication sectors, which are among those that will face substantial compliance obligations with LGPD. If an incident occurs, or is made public, Brazilian authorities will not wait until August 2020 to take action.

Meanwhile, if your client or company is a data controller and needs to prepare DPIAs regularly for internal purposes, adopting standards and procedures similar to the ones in use, and approved, for compliance with GPDR should be strongly encouraged. Right now, the Brazilian authority is inactive and establishing their “Impact Report” guidelines might take years. Adapting an existing DPIA to the LGPD standards can be tricky, but not an impossible task with the help of professionals specialized in Brazilian data protection laws.

On August 07, 2019, a Federal District Court denied the MPDFT´s request for a DPIA report from VIVO. However, the decision is still subject to appeal.