Brazil’s General Data Protection Law and diversity and inclusion initiatives in the legal sector

Monday 28 August 2023

Carolina Schuttoff M Barreto
Mattos Filho, São Paulo
carolina.barreto@mattosfilho.com.br

Laura Davis Mattar
Mattos Filho, São Paulo
laura.mattar@mattosfilho.com.br

Rafhael Romero Bentos
Mattos Filho, São Paulo
rafhael.bentos@mattosfilho.com.br

Introduction

Historically, the legal sector has been characterised in many jurisdictions as a traditional profession, accessible only to a reduced group, part of the socioeconomic and cultural elite. As a result, the legal profession tends to be, even today, predominantly occupied by white, cisgender, heterosexual men without disabilities.

In the last two decades, however, this scenario has been changing. In Brazil, the change is due to social demands, the empowerment of marginalised groups, and the increased access of these same groups to higher education courses – either through social and racial quotas or student financing programmes.

Despite the increased access of these groups to higher education, entry into the legal market remains a challenge. A significant number of people in Brazil graduate from law schools but face difficulty in entering and remaining in the legal market. Opportunities, even today, are not the same for individuals of diverse genders, races/ethnicities, sexual orientations and other identity characteristics.

It is in this context that diversity and inclusion (D&I) initiatives and programmes began to emerge in the legal sector, aiming to attract, develop, retain and promote diverse talents. The teams responsible for such initiatives need to process personal data and sensitive personal data, as defined by applicable privacy laws. Consequently, there is a clash between the requirement for data processing while implementing D&I initiatives and the need to comply with such data protection obligations.

This article aims to evaluate the interactions between D&I initiatives and programmes in the legal sector, particularly those focused on the LGBTQI+ community, and the legal obligations related to the protection of personal data.

LGBTQI+ individuals in the workplace

In Brazil, people facing the most difficulties in the workplace, specifically in the legal market, are women and transgender individuals, non-heterosexual individuals, the Black and Indigenous populations and people with disabilities. However, this article will specifically address people with diverse gender identities and sexual orientations.

LGBTQI+ persons usually experience discrimination, violence, stigma and prejudice on a daily basis, which limits their opportunities in life in general and, specifically, in the job market. A 2022 survey[1] by the social network LinkedIn about the LGBTQI+ population in the Brazilian workplace indicated that 43 per cent of people in this group claimed to have experienced discrimination in the professional environment, especially through queerphobic comments. Furthermore, the survey reports that although eight out of ten LGBTQI+ individuals feel comfortable sharing their gender identity and/or sexual orientation at work, only 50 per cent actually shared this information with their organisations. Among the reasons for this, 57 per cent believe there is no perceived need to share this information, 23 per cent fear negative impacts on their careers and 20 per cent fear reprisals.

According to the 2022 guide Inclusion of lesbians, gays, bisexuals, transgender, intersex, and queer (LGBTIQ+) in the world of work: A learning guide by the International Labour Organization, this reality is reflected in legislation around the world, as ‘[…] until 2021, only 29 countries legally recognized marriage equality, while 34 only offered some recognition of same-sex marriage. Eleven countries specifically mentioned sexual orientation in non-discrimination constitutional clauses’. Fortunately, the guide reports that in 81 countries, from all regions of the world, there is ‘[…] legislation that prohibits discrimination in the workplace based on sexual orientation’.

Even though the world, including the workplace, is evolving, patience is needed as change is slow. As indicated in the survey, LGBTQI+ individuals – especially in the legal market which is perceived as conservative – choose not to disclose their sexual orientation or gender identity at work out of fear of undue exposure or negatively impacting their careers. They prefer to let colleagues assume that they are cisgender and heterosexual. Despite the high personal cost of keeping their true identity hidden, we all have the right to safeguard our privacy, intimacy and informational self-determination. There are many reasons, therefore, for the legal protection of people’s gender identity and sexual orientation, which promotes respect for their individual human rights – both within society and in the workplace.

Brazil’s General Data Protection Law and D&I programmes

In 2018, Brazil approved the important and necessary General Data Protection Law No 13,709 (Lei Geral de Proteção de Dados, or LGPD) aiming to regulate the processing of personal data and establish general principles and obligations that apply across multiple economic sectors and contractual relationships. Personal data is defined, according to Article 5(I), as ‘information regarding an identified or identifiable natural person’ (‘data subject’). Article 5(II) defines sensitive personal data as ‘personal data related to an individual in connection with racial or ethnic origin, religious belief, political opinion, trade union, philosophical or political organisation affiliation, health data, sexual life, genetic or biometric data’.

Therefore, although not explicitly listed as sensitive personal data under the LGPD, someone’s sexual orientation is considered sensitive data as it relates to the data subject’s sexual life. Gender identity, in turn, is also not listed as sensitive personal data under the LGPD and there is an ongoing debate on whether it may be considered sensitive personal data under the LGPD. It is important to note that, to date, there is no additional guidance or detailing from the Brazilian Data Protection Authority regarding the scope of such definitions.

When the LGPD came into force in 2020, the obligations it imposes immediately gave rise to many controversies about possible setbacks in D&I programmes due to the supposed impossibility of collecting personal data related to sexual orientation and gender identity. However, in reality, the LGPD was not enacted to prevent the processing of such (sensitive) personal data (including the data related to the identification of LGBTQI+ persons), but rather to enable its processing in a secure, cautious and transparent manner. In this sense, the LGPD stipulates that any processing of personal data must: (1) be carried out for legitimate, specific, explicit purposes, informed to the data subject; and (2) consider technical and administrative measures capable of protecting personal data.

The relevance of collecting and processing diversity-related personal data of professionals in an organisation is related to the fact that D&I programmes aim to promote a change in organisational culture, which depends on numerous factors and takes time to materialise. Moreover, there is no one-size-fits-all approach and the process of change is not necessarily linear. For this reason, it is now widely understood that the monitoring of demographic data of organisations, especially gender identity, race/ethnicity, sexual orientation and disability status, is imperative to continuously evaluate each company’s programme and eventually adjust its D&I initiatives.

To achieve a comprehensive assessment of the organisational environment, apart from the demographic composition of the organisation per se, it is commonly recommended to segment diversity data, in the case of law firms, by practice area and hierarchical level. Additionally, it may be necessary to monitor personal data related to attraction, recruitment, professional development and talent promotion or turnover, as well as performance evaluation results, access to benefits – especially educational benefits – and mental health issues, among others.

The systematic analysis of this information may help monitor organisational policies and correct any distortions. However, due to the LGPD, there are some challenges that data controllers (ie, an individual or legal entity, who/which is responsible for decisions regarding the processing of personal data) need to consider. As mentioned, information related to professionals’ sexual life is considered sensitive personal data, which requires organisations to adopt the measures established by law for its collection and further processing.

Processing of (sensitive) personal data

When processing personal data, organisations need to establish, among the legal bases provided in the LGPD, the one that justifies the processing activity. In the case of sensitive personal data, the LGPD sets forth eight, more restrictive, hypotheses under which the processing of sensitive personal data is considered lawful (Article 11, LGPD). It is important to note that the LGPD does not allow the processing of sensitive personal data to fulfil the legitimate interest of the data controller (in this case, the organisation) or third parties, nor for credit protection – both lawful bases provided by the LGPD to justify the processing of non-sensitive personal data.

Compliance with the fundamental principles of the LGPD must also be considered, especially those of transparency, non-discrimination and data quality. First, the principle of transparency establishes that data subjects have the right to clear, accurate and easily accessible information about the processing of their data. The principle of non-discrimination prohibits the processing of personal data for illicit or abusive discriminatory purposes. Lastly, the principle of data quality guarantees data subjects the accuracy, clarity, relevance and updating of data, and is related to the right of data subjects to correct, delete or object to the processing of their data.

It is also relevant that organisations exercise caution when sharing diversity-related personal data with partners and/or suppliers, regardless of whether they are sensitive or not. In such cases, the possibility of entering into a data sharing agreement between the parties should be taken into consideration, in order to protect both the organisation exporting personal data and the data subjects from potential misuse of such data.

It is clear, therefore, that the processing of personal data, whether sensitive or not, related to the monitoring of D&I indicators, is not prohibited by the LGPD. In reality, the data controller must pay attention to the obligations mentioned above, as well as to other data protection rules and regulations provided by Brazilian law. Ideally, these programmes should be implemented with a ‘privacy by design’ approach, which means that they must consider privacy and data protection from the moment such programmes are created. Only then will it be possible to ensure that the rights of data subjects, particularly the LGBTQI+ population, are respected while working towards truly inclusive organisational environments.

Conclusion

As previously mentioned, the protection of personal data, whether sensitive or not, safeguards the human rights of data subjects, especially those from marginalised groups, such as the LGBTQI+ population, who need protection against everyday situations of discrimination, violence, stigma and prejudice. In addition, D&I programmes contribute to forming diverse teams and aim to promote inclusive work environments for marginalised identities, including LGBTQI+ persons.

As described in this article, it can be affirmed that the apparent conflict between the LGPD and the processing of personal data of LGBTQI+ individuals related to D&I initiatives and programmes does not exist. The LGPD and D&I programmes both enable the realisation and exercise of human rights in society and the workplace. In this sense, the LGPD only brings some additional obligations for the data controller, so that relevant information related to LGBTQI+ individuals is processed in a secure, cautious and transparent manner.

 

Notes

[1] The social network LinkedIn conducted 1,181 online interviews between 6 May and 20 May 2022. Out of these, 1,100 interviews were conducted with LGBTQI+ professionals, while the remaining interviews were conducted with heterosexual individuals. The respondents, aged between 18 and 60 years, are from all regions of Brazil. The overall margin of error for the sample is 2.9 percentage points, with a 95 per cent confidence interval. The survey was conducted in partnership with Opinion Box.