The IBA’s response to the war in Ukraine
Challenges in using Big Data under the Brazilian General Data Protection Act
Maria Silvia Loureiro de Andrade Marques
Pinheiro Neto Advogados, São Paulo
Luciana Mayumi Sakamoto
Pinheiro Neto Advogados, São Paulo
Camilla Fernandes Cardoso Marcellino
Pinheiro Neto Advogados, São Paulo
Our society has always dealt with several types of data, which has been used for different purposes. However, by and large, people have no idea about the usage of their data. It is also fair to assume that, often, even professionals who request data from individuals do not really understand the purpose of it.
Hence, some important debates arise from this situation, including questions such as: what is the purpose of colleting a huge amount of data from clients; do companies really need all that data; are individuals aware of the purposes of their data; and do individuals agree with the use of their data by companies?
People usually do not even think about these questions until they have been affected by a data breach or misuse. In this context, this reflection is vital for the healthcare industry that constantly deals with sensitive data.
Health techs and the disruption of the market
Over the past decade, health tech startups have launched several new devices and mobile apps that analyse health data for different purposes, including reducing costs and increasing efficiency. There are apps that offer artificial intelligence mechanisms as a tool to develop products for the healthcare market; offer telehealth to deliver healthcare services remotely; aid in the diagnosis, prevention and monitoring of diseases; offer software solutions to organise and analyse health data; and help companies to mitigate expense amounts that are disallowed by operators, among others.
According to the Distrito Healthtech Report Brasil 2020, there were 248 startups offering services in Brazil in 2018. In 2019, there were 386 and in 2020, 542. Moreover, since 2014, US$430m has been invested in health techs in Brazil, and since 2015, more than US$40bn has been invested in health techs worldwide.
It is fair to say that the emergence of Brazilian health techs should be understood in the context in which the public healthcare system is not sufficient to provide services to the whole population, while the private healthcare system is not affordable for most Brazilians. Hence, there is a lot of expectation and pressure for both the healthcare industry and health techs to develop new solutions for this sector in an attempt to solve the failures in the public and private healthcare systems, to mitigate the high costs of the access to health services and to provide access to the Brazilian population. The disruptive innovation is inevitable and new creative solutions are expected.
All these apps, however, have one thing in common: regardless of the type of service that is offered, they need data to improve their services and add value to individuals. Thus, the legal aspect of these apps becomes very sensitive and relevant to protect individuals’ legal rights and, at the same time, to assure that companies will be able to properly develop these apps, conciliating technology advances and data protection.
Brazilian General Data Protection Act
Considering the existence of a massive data flow, especially after the advance of the solutions offered by health techs and other startups, discussions involving the appropriate data protection law were raised to ensure that Brazil has a robust legal framework on this matter. After long and complex legislative work and the contribution of several experts, on 14 August 2018, Law No 13,709 was enacted as the Brazilian General Data Protection Act (LGPD).
Despite the existence of other Brazilian laws that also afford some kind of data protection, it is important to say that Law No 13,709 addresses data protection issues in a very detailed and specific manner. This law provides a thorough review on data processing, which includes the collection, purposes, data flow mapping and erasure of data, among other key aspects.
It is worth clarifying that Law No 13,709 applies to any data processing operation carried out by natural persons or private or public entities, provided that the processing operation be carried out in the Brazilian territory; the purpose of the processing activity is to offer or supply goods or services or to process data of individuals located in the Brazilian territory; and the processed personal data has been collected in the Brazilian territory.
In addition, this law broadly defines processing as any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, erasure, assess or control of data, modification, communication, transfer, dissemination or retrieval.
Law No 13,709 incorporates several fundamental principles to be followed when dealing with data, including: respect for privacy, informational self-determination, freedom of expression, information, communication and opinion, inviolability of intimacy, honour and image, economic and technological development and innovation, freedom of enterprise, free competition and consumer protection, and human rights, free development of personality, dignity and exercise of citizenship by individuals.
Besides these core principles, personal data processing activities must be also conducted in good faith and in keeping with the following principles: purpose, adequacy, data subjects’ free access to their personal data; data quality (that is, data subjects must be assured of accurate, clear, relevant and up-to-date data), transparency, security to protect personal data from unauthorised access and from accidental or unlawful events and to avoid damage, non-discrimination, liability and accountability.
Specifically in relation to data concerning health, the LGPD classified it as sensitive personal data, which means personal data on racial or ethnic origin, religious beliefs, political opinions, membership to a trade union or religious, philosophical or political organisations, data on health or sexual life, genetic or biometric data, whenever related to a natural person. In this case, the LGPD provides a special treatment for this category of data due to the risk of damage in case of misuse.
For instance, sensitive personal data may be only processed with the data subject’s consent. However, such consent may be cancelled at any time upon express notice of the data subject. For this reason and as an attempt to avoid the interruption of activities, there are also other cases where personal data may be processed, such as: whenever they are essential for compliance with a statutory or regulatory obligation by the controller; processing and sharing of data as required for enforcement of public policies under laws or regulations, by the public administration; conducting studies by a research body, ensuring, whenever possible, anonymisation of the sensitive personal data; regular exercise of rights, including in agreements and in judicial, administrative or arbitration proceedings, protection of the life or physical integrity of data subjects or of third parties; health protection, in procedures carried out by healthcare professionals or entities; or guarantee of fraud prevention and safety of data subjects.
It is possible to conclude that the LGPD put together several different aspects of data protection at the very beginning of this law. First, the LGPD established who is subject to this law and defined the main principles that guide the activity to be developed. Then it defined the categories of personal data and the different treatments given to each of them. After that, it required that data processing be classified into one of the legal events set forth therein, which is different to personal data and sensitive personal data.
Consequently, in order to follow these steps, the companies should analyse the service or product to be offered to individuals as a whole and answer the following questions: what kind of data do they really need to access; what are the specific and limited purposes for processing these data; and which legal grounds will they apply to process these data, among others.
Although the LGPD sets out other rules to be applied to data protection, this article does not intend to look at all of them. The reflection proposed here is the first step to be taken by the companies: to have in-depth knowledge of their businesses, the specific purposes of each activity to be developed, the potential damage involved in the processing of data and how to protect individuals from any damage. The more data to which the company has access, the more complex it will be to classify the legal basis for this processing, and to define the protection for this data flow.
This is why a data flow mapping is crucial to understand the whole process of the activity. This mapping may start with the analysis of the type of data that will be necessary to collect from individuals. Then the company should explain to individuals the purpose of such a request, allowing them to understand how their data will be used. The company should track who will need access to this data and the purpose of it, confirming whether a professional will need full or partial access.
The data access control is another key issue to guarantee the protection of individual data. However, this may require investments in specific software or artificial intelligence solutions to help companies to avoid data breach, hackers and other potential damage.
Within this context, it is possible to affirm that the overall development of the data protection environment has been positive and there are many measures to be adopted by companies to become in line with this new legal framework. Although this is something very new, it means a change in the culture, in which individuals are increasingly empowered.
The emergence and development of health techs and startups has sped up technology advances in the healthcare industry. This has been a disruptive innovation process and may add value to the entire population with more affordable and creative solutions. However, this kind of business also implies a massive data flow that must be carefully analysed, especially because most of these companies are not regulated in Brazil, differently from healthcare plan operators, for instance.
Therefore, the LGPD was enacted at the right time, and may be considered an opportunity for society to change the culture, to be more well-informed about its own data and how this data has been used by individuals and even by companies. Individuals can provide data at their discretion, but the awareness of this process is crucial to be empowered to do so.