In Brazil, similar to the legal tradition of other Western countries, the principle of equality has gone through subsequent "steps'' in terms of recognition, content and entitlement. In particular, the Brazilian Federal Constitution of 1988 lifted equality to a fundamental objective of the Republic (Article 3, II and IV, Brazilian Constitution) and promoted positive differentiation aimed at catalyzing its material effectiveness. For example, Article 7, XX, of the Brazilian Constitution established the "protection of women's labor market, through specific incentives.'' In its Article 37, VIII, Brazilian Federal Constitution also reserved a percentage of public jobs and positions for persons with disabilities.

Additional examples of affirmative actions can be found in Brazilian federal legislation and state laws. For example, Article 1 of Federal Law n. 12.711/2012, known as "Quotas Law," provides that part of federal universities' student spots must be reserved for those with average family income equal to or less than 1.5 minimum wages. Further, the Racial Equality Statute (Federal Law nº 12.288/2010) establishes in Article 4 (II), that the "participation of the black population, under equal opportunity conditions, in the economic, social, political, and cultural life" of Brazil shall be promoted through "affirmative measures, programs, and policies."

Whether in the public or private sectors, employing any such affirmative actions implies processing personal data. Thus, with the Brazilian General Data Protection Law in mind: What legal basis can authorize affirmative actions? Is there any hypothesis that allows the use of sensitive data in their execution?

Affirmative actions in the privacy sector

Not disregarding compliance with other LGPD requirements, when private entities process personal data to implement affirmative actions, they must do so by observing Articles 7 or 11 of the LGPD, according to the categories of personal data involved.

In a scenario where private actors implement affirmative actions handling only "simple" personal data, LGPD Article 7 (IX) — namely, legitimate interest — applies without further controversy. This is because despite a certain degree of subjectivity regarding the definition of "legitimate interest," activities that promote equality and nondiscrimination naturally fall under "legitimate interest" for two main reasons. First, private actors' affirmative actions promote fundamental republican objectives per Article 3 II and IV of the Brazilian Constitution, and guarantee fundamental rights and civil liberties of data subjects having their information processed. Second, LGPD itself lists nondiscrimination as one of its principles (Article 6 (IX)).

In turn, for private actors implementing affirmative actions that handle sensitive data, other legal bases ought to be analyzed. For one, the purpose of an affirmative action can be following a legal (federal, state, or municipal law) or regulatory (decrees or resolutions, among others) determination. If that is the case, Article 11 (II)(a), of the LGPD (complying with legal or regulatory obligation) applies. This is what happens, for example, when companies process health data pursuant to Article 93 of Federal Law n. 8.213/91 to reserve positions for persons with disabilities.

Alternatively, suppose there is no law or regulation specifically obliging companies to implement an affirmative action. In that case, one can still argue the applicable legal basis is “compliance with a legal or regulatory obligation by the controller." The active promotion of material equality is an obligation imposed by the Federal Constitution of 1988 to all natural and legal persons in Brazil, as explained by Justice Carmen Lúcia Antunes Rocha and translated by us:

"All the verbs used in the normative expression — construct, eradicate, reduce, promote — are verbs of action, that is, they designate active behavior. What we have, then, is that the fundamental objectives of the Federative Republic of Brazil are defined in terms of obligations to transform the social and political picture portrayed by the constituent when drafting the constitutional text." (ROCHA, Carmen Lúcia Antunes. Affirmative action: the democratic content of the equality principle. Revista de Informação Legislativa, Brasília, 131:283-295, jul./set. 1996). 

Therefore, regardless of a detailed command enshrined in legislation, private actors can — based on a positive duty to promote equality — process sensitive personal information to attain success in their affirmative actions.

Although the arguments presented above are based on Brazilian legislation, similar reasoning could be replicated in countries that also adopt "legitimate interest" and "compliance with a legal or regulatory obligation by the controller" as legal bases for the processing, respectively, of "simple" personal data and sensitive personal data. This is the case, for example, of the Cayman Islands, Macau, Morocco, Kenya and Russia, as well as Germany, Spain, France, Portugal, United Kingdom and other countries under the EU General Data Protection Regulation, which has similarities to those adopted in Brazil.

Affirmative actions in the public sector

Considering the particularities of the public sector, the LGPD has established additional and specific rules for the processing of personal data in this context. Thus, Article 23 determines such processing must be performed to meet the "public purpose, in pursuit of the public interest, with the aim of executing the legal powers or fulfill the legal attributions of the public service.”

Given these additional requirements, there is no consensus among Brazilian legal scholars as to which legal bases may authorize the processing of personal data by the public authorities. While some consider LGPD Article 23 an autonomous legal basis, this hypothesis is already encompassed by the legal bases listed in LGPD Articles 7 or 11. In particular, provided LGPD Articles 7 and 11 have a closed list of legal grounds, there appears to be little argument for an autonomous legal basis enshrined in another article.

This considered, affirmative actions by public actors take the form of public policy and can use "simple" personal data or sensitive personal data. In either case, these policies can be based on two legal grounds, depending on the case in question: compliance with a legal or regulatory obligation (Article 7 (II) and Article 11 (II) (a)), or the execution of public policies (Article 7 (III) and Article 11 (II) (b)). However, this implies the need for affirmative actions in the public sector to be detailed in their scope. That is because despite the general command of active promotion of material equality, any affirmative action in the public sector must also comply with the principles of public administration, including legality (Article 37, Brazilian Constitution).

Conclusion

Affirmative actions are possible in the public and private sectors and find justification in data protection legislation. However, despite legal bases authorizing these affirmative actions, there is a risk of noncompliance with civil rights and fundamental freedoms of the data subjects involved. The type of data being processed may lead to discrimination if it falls into the wrong hands, or even if well-intended individuals process the information without regard to data protection principles. Therefore, it is wise to consider applying data protection best practices in these cases.

Although not a legal requirement under the LGPD, one may produce a legitimate interest assessment when processing information under a legitimate interest (Article 7, IX). This assessment will verify whether the interests pursued (in this case, an affirmative action) are legitimate and whether they create imbalances to the detriment of data subjects. LIA templates and guidelines were made available by data protection authorities, including the U.K. Information Commissioner's Office.

For affirmative actions that process sensitive personal data, on the other hand, producing an LIA is not an alternative. That is because LIAs are tied with a legitimate interest that cannot be used to justify the processing of sensitive information under LGPD.

The adequate step is to produce a data protection impact report provided for in Article 38 of the LGPD (similar documents may also be named privacy impact assessment). The Brazilian data protection authority, Autoridade Nacional de Proteção de Dados, published a template controllers may use. European authorities such as the Data Protection Working Party and Agencia Española de Protección de Datos have issued practical guides on the matter. This report enables identifying and evaluating processing risks and designing measures to mitigate them. Finally, adequate technical and administrative security measures must be put in place, preferably in accordance with national and international best practices concerning data protection and information security.

Photo by Isabela Kronemberger on Unsplash