News

Consent in the New Personal Data Law

February 12, 2019

 

By Leonardo Neri

One of the most important characteristics of the processing of personal data arises from the user's consent, as established by the General Personal Data Law (LGDP), defined as the free, informed and unequivocal manifestation by which the holder agrees to the processing of his/her personal data for a specific purpose.

It is therefore a broadly qualified consent, since the expression of will must be:

  • free and unequivocal;
  • formed through knowledge of all the information necessary for this purpose, which includes the purpose of data processing; and
  • restricted to the specific and determined purposes that were informed to the data subject.

In this regard, there is congruence in the intention of the rule to link the validity of the legal act to the principle of purpose, since the purposes of data processing must be legitimate, explicit, specific and informed to the holder, without the possibility of subsequent processing in a manner incompatible with these nuances, in accordance with what is described in the law.

Article 8, § 4 of the LGPD itself is uncontroversial when it states that “Consent must refer to specific purposes, and generic authorizations for the processing of personal data will be null and void.”

It is worth noting that the LGPD does not determine that consent must be consolidated in writing. However, the expression of will must be legitimate, in line with the guidelines of European legislation (GDPR), which indicates that the will must be explicit, declared or originate from an unequivocal positive act.

Therefore, although the will does not necessarily have to be defined in a written document, it can never come from implicit or omitted conduct by the user, but from a positive act that effectively exercises their consent.

However, it is important to highlight that the criteria that underpin the formation of free will must be fully transparent in the aforementioned positive act carried out by the data subject, since even the written declaration will not necessarily meet, in itself, the legal requirements of consent.

For the purpose of equality in the relationship between the parties, so that the free exercise of consent prevails, the rule also took care to assign the burden of proof of consent to the controller. Such caution is even more sensitive in employment or consumer relations, where the vulnerability of one of the parties is presumed.

Furthermore, § 3 of article 9 of the law expressly states that “When the processing of personal data is a condition for the provision of a product or service or for the exercise of a right, the data subject shall be informed in a prominent manner about this fact and about the means by which he/she may exercise the rights of the data subject listed in article 18 of this Law.” It should be noted that the information needs to be highlighted, as well as the means by which the user may exercise his/her rights provided for in the aforementioned article 18.

Regarding data sharing, note that any operation that implies access to data by another controller is subject to specific authorization by the user – data subject, under the terms of § 5 of article 7 of the LGPD, according to which “The controller who obtained the consent referred to in item I of the caput of this article who needs to communicate or share personal data with other controllers must obtain specific consent from the subject for this purpose, except in the cases of exemption from consent provided for in this Law.”

This extends the duty to those who will have access to the data to verify the lawfulness of the access or sharing procedure, including with regard to the specific consent of the holder.

Another healthy aspect of the rule involves the concept that consent is always temporary and can be revoked regardless of the period.

What needs to be highlighted and clarified, with the exception of that which may be considered a business secret, is that all other information regarding data processing must be provided to the data subject, otherwise the requirement for informed consent will not be met.

In this sense, § 1 of article 9 of the law corroborates that “In the event that consent is required, it will be considered null and void if the information provided to the holder has misleading or abusive content or has not been previously presented transparently, in a clear and unequivocal manner.”

Remembering that consent is specific to the purpose for which it was given, § 2 clarifies that “In the event that consent is required, if there are changes in the purpose for processing personal data that are not compatible with the original consent, the controller must inform the data subject in advance about the changes in purpose, and the data subject may revoke consent if he or she disagrees with the changes.” This is a provision linked to the considerations of article 8, § 6, of the LGPD.

In detail, these are the main issues that drive the determination of valid consent to authorize the processing of personal data, which deserve further debate by legal practitioners, with the aim of contextualizing people's everyday practical situations with the normative attributions.

 

This communication, which we believe may be of interest to our customers and friends of the company, is intended for general information only. It is not a complete analysis of the matters presented and should not be considered legal advice. In some jurisdictions, this may be considered lawyer advertising. Please see the company's privacy notice for more details.

Related Areas

Privacy and Data Protection

Related Professionals

Leonardo Neri

Professionals

Practice Areas

Offices

Publications

Receive Insights from Mazzucco&Mello

Webinars and Videos

Overview

Diversity and Inclusion

Experience

Pro Bono

News

Contact

Overview

Lawyers and Interns

Administrative Professionals