At the moment, it is thought that any Brazilian resident who is registered with a bank, commercial establishment or public agency is likely to have been victims of the recent mega leaks. With the information that has been leaked, Brazilian consumers are at risk of becoming victims of fraud, blackmail, or theft. Two recent examples are sales of data:
- From 112 million people for R$38 thousand (USD$24,752.80)
- From 223 million people
- These contained:
- Individual taxpayer number (CPF)
- Full name
- Date of birth
- Phone number
- Address (actual and email)
- Salary range
The ANPD are being called on to provide a more practical mechanism for consumers to see who has what information about them. A database where all internet application users are required to disclose what data is stored and other information regarding the processing of personal data is being called for to stop future mega leaks happening.
The firm calling for this are asking that all internet application providers are required to make available:
- The number of existing accounts used in their name
- A list of what processing activities are carried out with their data
- Any information that is incorrect is corrected under the principle of data quality provided for in the LGPD.
They also want to create an integrated channel with information from all application providers that have more than 50,000 users in Brazil. They also want this channel to show the user:
- By whom,
- On which platform, and
- To what extent their data was leaked or used irregularly.
The ANPD should also be making public service companies such as public electricity, water and sewage services maintain a record about all products and services that are contracted in their name. This record needs to be easily and safely accessible for consumer consultation. It’s being said that the ANPD need to create regulatory mechanisms that make is possible to establish the obligation for public service companies to correct any error or misuse of a customer’s personal data.
Another option being discussed is looking at the possibility of improving the National Financial Data Registry (“Registry”) through integrating it with communication tools. These tools could then be used by both public and private entities to allow immediate access by consumers if there are any irregularities, suspensions, or corrections in relation to their personal data in the Registry.
Measures like these would mean all personal data controllers would be required to:
- Take immediate measures to mitigate security incidents
- Disclose the occurrence of any data leaks through:
- Social media
- Social communication vehicles (regardless of whether the risk or damage to personal data is apparent)
With the introduction of the LGPD in Brazil the law has changed for Brazilian organization’s on how they can handle data and how they can contact consumers. With all the new rules it can be hard to know whether your company is complying or not. Let Value Privacy do a Data Health Check for your company, and we can tell you where and what you need to improve. Contact us now.