Since the creation of the Brazilian General Data Protection Act (LGPD) on August 14, 2018, the comparison with the European GDPR was inevitable; after all, the Brazilian LGPD was greatly influenced by the similar law published just over two years earlier in Europe. While the LGPD had ten legal bases to support the processing of personal data, the GDPR had only six legal bases.
The LGPD, in short, follows the same philosophy as the GDPR with some differences, such as the fact that criminal records are considered sensitive personal data for Europe, but not in the Brazilian case. Another interesting aspect is that the LGPD is silent regarding individuals' financial data, as such data is not considered sensitive personal data. Such data is not even mentioned as personal data, with the exception of the legal basis of credit protection for the processing of personal data. Here it would be appropriate to discuss whether financial data could be considered personal data or not. To this end, the definition of personal data given by the law itself, as information related to an identified or identifiable natural person, would apply.
On the other hand, an aspect of the law that has always sparked a lot of controversy was the legal basis of legitimate interest to justify the processing of individuals' personal data, eliminating the need to obtain their prior consent.
There are doubts regarding the application of the law by the ANPD (the Brazilian data protection authority), because the agency's actions in monitoring the law occur in reaction to a complaint, and Brazil does not have a culture of encouraging whistleblowing, even more so in the field of personal data protection. Despite this, the valuable effort undertaken by the ANPD in creating guides and handbooks to help society and the corporate world adapt appropriately to comply with the LGPD is undeniable. Thus, the ANPD published, in February 2024, an Instructional Guide on legitimate interest, demonstrating the vision of its managers through some practical examples, which will be explained below.
Example 1 – Personal Health Data and Legitimate Interest
In example 1, the ANPD presents the following case: A medical clinic collects and stores personal data relating to the health of its patients, including medical history and test results. The clinic decides to use the legal hypothesis of legitimate interest for the processing of this data, claiming that it is necessary for the purpose of improving the clinic's administrative flows and the services provided.
In this example, the process is made easier for experts in privacy and personal data protection, but not for the rest of society. This ease is due to the fact that the legal basis of legitimate interest exists in the law only to justify the processing of personal data, not the processing of sensitive personal data, and data relating to an individual's health is considered sensitive. Thus, two legal bases could justify this processing: (i) the specific and prominent consent of each patient or (ii) without consent, the protection of health, exclusively in a procedure carried out by health professionals or health services.
Example 2 – Personal Data of Children and Adolescents, and School Wi-Fi Network
In example 2, the ANPD presents the following case: A school collects personal data from students when they access the Wi-Fi network available on-site. The collection of personal data is carried out with the aim of enabling access to the network and ensuring the safety of children and adolescents in the digital environment. The school assesses whether it would be necessary to obtain the consent of the parents or legal guardians or whether it would be possible to use another legal hypothesis, such as legitimate interest.
In this case, ANPD understands that the legitimate interest could justify the collection of such personal data from students, due to the aim of ensuring the security of the subjects and adequate authentication on the school network in order to prevent undue access to certain content or to identify a child who accessed a certain page at a specific time. However, to confirm the adequacy of the legitimate interest and justify such data collection, the ANPD adds that it is necessary to assess whether the best interests and fundamental rights of children and adolescents prevail, which can be done through a balancing test.
This means that the justification for legitimate interest eliminates the need for consent, which would be given by parents or guardians in the case of children and adolescents. The LGPD also excludes the processing of personal data of children and adolescents without consent when collection is necessary to contact parents or legal guardians, as long as the data is used once and without storage, or is necessary for protection. And it is precisely when it comes to protection that legitimate interest applies.
Example 3 – Using Children and Adolescents’ Data for Advertising
In example 3, the ANPD presents the following case: A startup in the educational sector develops an application for teaching geography to children and adolescents. To run it, the app requests information such as: user name, date of birth and home address. While using the app, advertisements about ultra-processed foods with a high sugar content are shown to users. The privacy policy available on its website only states that the legal hypothesis used is the legitimate interest of the controller and that such data is used to improve the application.
In this case, the ANPD considers that the purpose of the data processing in question involves targeting advertising to children and adolescents. Consequently, the agency's interpretation is that legitimate interest will not be the most appropriate legal hypothesis, given that there is no legitimate expectation on the part of the data subject regarding the processing of their personal data for advertising purposes, not least because the data subject is told nothing about it. The agency also highlights the risk to the health of children and adolescents, since what is being advertised are ultra-processed foods with a high sugar content. A balancing test is recommended, considering that it will demonstrate the impossibility of using legitimate interest.
Example 4 – Security Camera in Shopping Center
In example 4, the ANPD presents the following case: A shopping mall intends to install cameras in order to better protect the location and prevent the occurrence of illegal activities. The legal basis for the processing of the collected personal data is legitimate interest. Prior to installation, it was verified that personal data of children and adolescents who attend the mall would also be processed. Such information could be used, for instance, when necessary to locate children who got lost from their parents. The responsible team carried out a balancing test, in which they assessed that the processing of these data would be compatible with the principle of the best interests of the child. However, it recommended the adoption of risk mitigation measures, including strict control over access to videos, reducing the storage period for data, and providing information about the camera system at strategic points throughout the shopping mall. Additionally, it advised against using technologies that process images at a biometric level, as this could lead to the processing of sensitive data. Furthermore, in consideration of the principle of necessity, it recommended careful security planning, aiming to reduce the number of cameras to be installed.
Given all the mitigation measures and considering the safety of everyone, including children and adolescents, the ANPD considered the hypothesis perfectly applicable under the legal basis of legitimate interest, and therefore without the need for consent from the data subjects who may be filmed by such cameras. However, it also recommended the preparation of an impact report on the protection of personal data, considering the high risk that this processing may pose to the guarantee of the general principles of protection of personal data and the civil liberties and fundamental rights of data subjects.
Example 5 – Sending Special Offers for Books and Cultural and Artistic Products to Students
In example 5, the ANPD presents the following case: A private higher education institution provides students, teachers and other employees with special offers and discounts relating to books and cultural and artistic products from its publisher. Messages are forwarded via email and notifications on the institution's mobile app. The processing of personal data was carried out based on the legal hypothesis of legitimate interest. The institution understood that it could not find a less intrusive way to make these disclosures. Furthermore, in order to mitigate the risks to data subjects, the institution does not share the data in its database with third parties, as it understands that it is unnecessary for the purpose of processing in the specific case, and provides a mechanism for unsubscribing from the e-mail list by pressing “unsubscribe” in the emails or in the mobile app itself.
The ANPD agrees with the use of the legal basis of legitimate interest, to the extent that the processing of personal data is compatible with the legal system, meets specific situations and is linked to legitimate, specific and explicit purposes. In addition, as it is an educational and publishing establishment, it is reasonable to assume that the dissemination of books and cultural and artistic products is part of the support and promotion of its institutional activity, and this dissemination to the academic community meets the legitimate expectations of the data subjects, with whom it has a prior relationship. Furthermore, the purpose of discounts and rebates may benefit personal data subjects, and the possibility of unsubscribing from the e-mail list mitigates possible risks to these data subjects.
Example 6 – Legitimate Third-Party Interest: Advertising Language Courses
In example 6, the ANPD presents the following case: A private higher education institution offers higher education and postgraduate training. The institution has around 1,600 students and 200 employees. Based on the legitimate interest of a third party and seeking to enhance the skills of the faculty and administrative staff, the institution announced a promotional campaign to its employees for a language school. In this campaign, they will receive a 10% discount on the monthly fees for English and Spanish courses. In this case, the action was undertaken only once and for a specific purpose, but the institution conducts campaigns of this nature to encourage the professional development of its employees.
The ANPD understands that the justification based on the legitimate interest of third parties, in this case, the language school, is perfectly appropriate. The institution’s support in the pursuit of training and benefiting its employees is legitimate, and it also benefits the third party by expanding its clientele. Once again, in this case, the ANPD recommends conducting the legitimate interest balancing test to ensure transparency in its implementation, as well as providing the option to unsubscribe if the personal data subject no longer wishes to receive this type of message.
Example 7 – Installing Software to Track Activities and Measure Employees’ Productivity
In example 7, the ANPD presents the following case: A company uses the legal hypothesis of legitimate interest to justify the use of software that tracks employee activities, including webcam use and the record of everything that is typed on the company's computers. The purpose of the collection is to measure employee productivity and provide a means of identifying the undue sharing of information of a confidential nature.
In this case, the ANPD concludes that the data collection carried out by the software, which includes images and texts, intrudes excessively and disproportionately on the fundamental rights and freedoms of the data subjects. This intrusion contradicts their legitimate expectations, even if they were previously informed about this activity and it is included in the privacy policy. The ANPD also understands that employees are in a more vulnerable position vis-à-vis their employer, not having effective means of opposing such processing. Consequently, such a measure could not be justified on the legal grounds of legitimate interest.
Conclusion
After describing all these examples that indeed occur in the daily lives of individuals and companies, we should congratulate the ANPD for the initiative. The examples hit the mark and will undoubtedly be beneficial for companies dealing with cases that mirror or closely resemble the ones presented.
It is important to note that even if a particular situation cannot be justified based on legitimate interest, the LGPD provides other legal grounds to validate the corresponding data processing. It is much easier for a company to try to justify the processing of personal data on the legal grounds of legitimate interest, as this approach bypasses the need for prior consent from the personal data subject. However, as seen in the examples above, this is not always possible.