by Antenor Madruga, Ana Belotto and Adriano Teixeira [1]

Obligations and incentives to implement effective compliance programs have increasingly gained importance in Brazil in light of concepts like gatekeepers[2] (professionals with the potential to  identify illicit activities, due to their function and duties in corporations) and strict liability of legal entities (established in the newest Brazilian Anti-Corruption Law that came into effect in 2014 – Law n. 2,613/2013). In this sense, private individuals have also gradually seen their supervisory responsibility increase, especially under money laundering and corruption preventive obligations.

The Brazilian Anti-Money Laundering Law imposes that certain people – legal and natural – have the obligation of (i) identifying their  clients; (ii) maintain records of clients and operations and (iii) report certain financial operations that fit defined criteria.  In turn, the Brazilian regulation of the anti-money laundering law, aside from the law itself, has been inspired by the recommendations of the Financial Action Task Force[3] moving towards the concept of a “risk based approach” -“RBA”[4], allowing individuals subject to the terms of the law to  be more flexible in  their evaluation of the inherent risks of each operation,  and on the prevention measures to be adopted.

As for the Anti-Corruption Law, as previously mentioned, a standard of strict liability of legal entities for acts against national and international public administration has been imposed. In response, compliance programs frequently adopt search and monitoring services –  “screening” – to conduct background researches on employees, suppliers  and others who may act on its behalf, or in its direct or indirect benefit.

As so, the use of search and monitoring private services is expanding in Brazil. These systems and services compile information available in different sources and public databases and build a profile of the targeted person or operation. The results obtained go beyond those achieved through a regular Internet research, many times causing profiles to become indefinitely available. In that sense, although search and monitoring services may meet due diligence and know your client requirements of compliance programs, they may also impede the eventual right of an individual “to be forgotten.”

Recent judicial precedents from Brazil[5], the European Union[6] and England[7] have indicated a certain limit regarding results obtained through search tools, under certain circumstances, granting the individuals the right to have information disassociated from their names.

 “The right to be forgotten” has been regulated in the scope of the new General Data Protection Regulation of the European Union. Under the European legal framework, the “right to be forgotten” is not absolute, it must be weighed with other interests, especially those of the public, and must be decided on a case-by-case basis.

In the United States, case law gives the “right to be forgotten” a more restrictive interpretation. Despite the fact that the Supreme Court has already recognized the right to privacy, as in the famous Lawrence v. Texas case[8], it has not determined whether the right to privacy extends to information available through search tools in the Internet, nor discussed potential limits  of such information.

In Brazil, although the limits to the “right to be forgotten”  have not yet been analyzed by the Federal Supreme Court, three major perspectives arise in this respect: (i) pro-information, which, in accordance with the North American understanding, does not recognize the “right to be forgotten”; (ii) pro-oblivion, in which the “right to be forgotten” is associated with the expression of the right to privacy and to intimacy; and (iii) an intermediary position, that defends a case-by-case assessment, in line with the current position in Europe and the understating of the Brazilian Superior Court of Justice. In 2017, by determining the implementation of keyword filters with the scope of avoiding the association of a person’s name and the search result, the Court limited the results without modifying their source.

The effects of the “right to be forgotten” in measures taken by compliance programs, especially those concerning collection and monitoring of personal information, is still object of little reflection. However, the chosen interpretation to the “right to be forgotten” may have impact on the services of data aggregation and screening traditionally used in compliance programs.

These services are currently rendered without any limitation or regulation from the State, although it may harm the right to privacy, most specifically the  “right to be forgotten”, with the same or stronger  intensity than that of Internet search tools.

Differently from the regular search tools, where general researches, without a specific scope, might result in “inappropriate” information, the private services are conditioned to specifically collect negative information connected with conformity risks. Consequently, this information is not public and people who are affected do not know or have access to the aggregated content gathered against them.

It seems evident that the range of the “right to be forgotten”, whatever it may be, should not be limited to the search tools publicly available on the Internet. A balanced result in the delicate balance between public interest and private protection must be reached in the provision and access to private services of data aggregation, search and monitoring of people, which are now multiplying following the growth in the impositions of compliance programs.

Footnotes

[1] English version by Juliana Mauro.

[2] GAFI, Report on Money Laundering Typologies 2003-2004 (PDF: 186 KB).

[3] GAFI Recommendation – “Assessing risk & applying a risk-based approach” (PDF: 168 MB); FATF Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorists Financing – High Level Principles and Procedures – pages 3 and 4 (PDF: 258 KB).

 [5] STJ, Terceira Turma, voto-vista Ministro Marco Aurélio Belizze, RESP n. 1.660.168-RJ. Rel. Min. Nancy Andrighi. DJ: 17/11/2017.

[6] C-131/12 Google Spain SL, Google Inc. / Agencia Española de Protección de Datos, Mario Costeja González

[7] Supreme Court of the United Kingdom – NT1 &NT2 v. Google LLC ([2018] EWHC 799 (QB))

[8] Lawrence v. Texas, 539 U.S. 558 (2003)

Antenor Madruga is a partner, Ana Belotto is a consutlant and Adriano Teixeira is an associate at Feldens Madruga.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.