On May 11, the Brazilian Data Protection Authority (ANPD) issued a technical note regarding the compliance practices for organizations in the pharmaceutical sector. The document is the result of a study on the privacy policies of pharmaceutical groups of economic relevance and a series of meetings held with the representative organizations of the pharmaceutical sector. It is important to highlight that the meetings were held to clarify doubts and suggest good practices for companies, that is, they were educational in nature.
In the summary below, we set out some of the main points of the technical note that include: (1) the demarcation of the relationship between the Consumer Protection Code (CDC) and the LGPD; (2) the indicators of non-compliance listed by the ANPD; (3) the problem of data sharing in loyalty programs and covenants; (4) the problem of the exacerbated use of biometrics as a method of identification.
1) The demarcation of the relationship between the Consumer Protection Code (CDC) and the LGPD
The synergies of rights and obligations that exist between the Brazilian Consumer Defense Code (CDC) and the LGPD are no big secret. This close relationship is mentioned throughout the technical note to demonstrate that the impositions of the terms for adjustment of conduct (TAC) signed between the Public Ministry of Minas Gerais and the Minas Gerais drugstore chain Araújo stem from the application of the CDC, because the LGPD was not even in full force in 2019.
In addition, the ANPD justifies the need for the study with reference to the presentation sent by the Brazilian Institute of Consumer Protection (IDEC) to Drogasil, resulting from the use of sensitive personal data (biometrics) in its business practices.
In that case, Drogaria Araújo was administratively fined by the Public Prosecutor's Office after the Institute of Reference for the Internet and Society filed a representation with the Public Ministry of Minas Gerais (MPMG) seeking greater transparency in the practice of collecting social security numbers (CPFs) in drugstore networks operating in Belo Horizonte and other cities in the State of Minas Gerais.
Thus, it is important to remember that civil society organizations are organized to provoke this type of administrative enforcement before the ANPD, the Public Ministries of the States and the National Secretariat of Consumer Law.
Nevertheless, it is still important to understand that LGPD rights can also be sought collectively, through Public Civil Actions, for example. This is precisely what happened in the case of Via Quatro Amarela of the São Paulo subway, where the company was fined R$500,000 (approx. US$100,000) after responding to a lawsuit of this kind, also filed by the Brazilian Institute for the Defense of the Consumer (IDEC).
2) The indicators of non-compliance listed by the ANPD
Throughout the note, the ANPD left various clues as to where the authority will look to understand if a company presents minimum standards of compliance. In the case of drugstores, the ANPD looked at the following to discuss standards of nonconformity:
(a) Privacy Policies
The ANPD analyzed the Policies of the companies and found that:
- Some sites did not even provide such a document;
- Pharmacy chains with loyalty programs did not present the methodology for processing the data of the data subjects;
- Several policies did not meet the minimum requirements for this document, set out in Article 9 of the LGPD (specific purpose of the processing; form and duration of the processing; identification of the controller; contact information of the controller; information about the shared use of data by the controller and the purpose; responsibilities of the agents who will carry out the processing; and rights of the data subject);
- Some companies cited consent as the only justification for the processing of data they perform;
- There was insufficiency and lack of clarity of the information presented to the data subject, hindering the exercise of their rights; and
- There was conceptual vagueness.
(b) Dialogue with representatives of industry and business
The ANPD pointed to the inaccurate and incorrect use of concepts by companies to underline its position regarding the lack of maturity of organizations in data protection. Accordingly, the agency recommended expanding a dialogue and training agenda for these entities.
(c) Analysis of data streams considered sensitive
The ANPD highlighted its concern about deviation from purpose in the sector's use of data, as well as indications of excessive collection of personal and sensitive personal data.
3) The problem of data sharing in loyalty programs and covenants
The ANPD identified in the meetings that pharmaceutical entities do not always employ the same practices and that even pharmacies of the same network can conduct their programs in different ways, acting as controllers. In this sense, loyalty programs, which are the most serious case of data use, exist in three distinct modalities:
- exclusive offers, which allow the pharmacy to achieve greater assertiveness in its interactions with customers, and customers to enjoy content and advantages more compatible with their individual profiles;
- advertising, which allows the targeting of content and advantages more relevant to the preferences of each client; and
- scoring programs, which allow customers to accumulate and redeem points from their purchases, also called earn and burn.
In the case of such loyalty programs, the main points of attention raised by the ANPD were:
- The management of the program by third parties, companies that have links with other market segments and the fact that they do not always belong to the same economic group;
- The lack of clarity about the flow of data, with whom personal data may be shared and for what reason by both the pharmacy and the company that manages the program;
- The lack of presentation of legal bases that justify the processing of personal and sensitive personal data;
- The production of sensitive inferences about consumers, which they do not even know about;
- The lack of transparency about this type of processing so that data subjects can exercise their rights.
4) The problem of the exacerbated use of biometrics as a method of identification
The ANPD identified that several pharmaceutical companies began to require biometrics under the legal justification of confirming identity to access benefit programs, discounts and even for payment. In one of the pharmacies that participated in the study, facial biometrics were collected to enable payment. In this case, the ANPD understood that there were less invasive methods of data collection to confirm the identity of customers in these contexts and that, therefore, the principle of necessity was being disrespected. This is because the compromise of biometric data, for example in a leak, represents a much greater risk for the data subject: this type of data constitutes a unique form of identity verification that is irreplaceable (unlike logins, passwords etc.), so its compromise would cause serious damage to data subjects.
Here we should also keep in mind that there is a great deal of discussion about the correct functioning of this type of technology for people of color, so its implementation must consider the fact that this method may make it difficult to verify identity for these groups, leading to a situation of discrimination.