Brazil and India Act to Protect Employers and Employees During the COVID-19 Pandemic

The COVID-19 pandemic has altered the global workplace and international employer-employee relations in profound ways. As COVID-19 continues to spread, countries are enacting legislation and issuing guidance to support employers and employees as they confront the global crisis. In particular, Brazil, with a population of over 211 million, and India, with a population of approximately 1.3 billion, each has enacted measures to combat the ongoing economic and financial troubles caused by the COVID-19 pandemic.

Specifically, Brazil has issued federal provisional measures, including Provisional Measure No. 936 (“MP-936”) and Provisional Measure No. 927 (“MP-927”), to socialize the idea that employers may seek to reduce employees’ pay in exchange for greater job security. MP-936 provides for an Emergency Employment and Income Maintenance Program, including an Emergency Employment and Income Preservation Benefit (the “Benefit”), as well as policies for reducing salary and working hours and suspending employment agreements, and provisions for collective bargaining agreement (“CBAs”) meetings by virtual means. In particular, MP-936 and MP-927 provide for the following:

  • Salary and Hourly Reductions: MP-936 allows salary and hours reductions for up to a 90-day period. Each employee’s pay rate, hours and tenure must be preserved and reinstated upon the employee’s return to work. In the event of a reduction in salary and/or hours, the government is responsible for paying the Benefit. Employees who receive the Benefit still may receive unemployment insurance benefits. The amount of the Benefit that employees receive is based upon the amount of unemployment insurance to which they are entitled. For employees who earn less than R$3,135 or more than R$12,202.12 there is no obligation to have collective negotiations. There are various notice requirements for any salary and hours reduction, and an employer’s failure to comply may result in legal sanctions or fines. The presence of a CBA may provide for different reduction and notice requirements.
  • Suspension of Employment: MP-936 provides for suspension of employment agreements (e.g., furlough) for a period of up to 60 days, with the government paying a Benefit of 100% of the unemployment insurance to which employees are entitled. Employers are required to preserve employees’ current pay rate, hours and tenure, and employees are entitled to all employer-provided benefits. For employers who earned a gross revenue exceeding R$4,800,000 in 2019, the government will pay a Benefit of 70% of the employment insurance that employees are entitled to, provided that during the suspension period, employers pay to employeesfinancial support equal to 30% of employees’ salary. There are various notice requirements for any reduction. If employees work during a suspension, including engaging in any telework, then the suspension will be deemed not to have occurred, and legal sanctions and fines may be imposed upon employers. For employers whose income tax is calculated on the basis of actual income, financial support is deductible from the net revenue for purposes of calculating employers’ income tax. Note that redundancy terminations are considered terminations without cause, and employers have the sole discretion to determine selection criteria and severance packages.
  • Use of Accrued, Unused Paid Leave: MP-927 authorizes not only the use of accrued but unused paid leave, but also the use of holidays still being accrued, as well as holidays for which the accruing period has not even started.

India has imposed even broader employee protections that require employers to bear the heavy economic burden to support employees during the national lockdown. In response to the COVID-19 pandemic, the Indian government invoked special provisions of the Disaster Management Act, 2005 (the “DMA”) to implement a series of orders under the DMA (“Orders”) to impose a 21-day nationwide lockdown, effective March 25, 2020.

To counter the negative impact of the COVID-19 pandemic on India’s labor force, the Orders include strict directives for employers. The Orders prohibit employers from terminating any employees or contract labor during the lockdown, except for disciplinary reasons. In addition, the Orders bar employers from reducing employees’ wages. In addition, the Indian government has addressed the following issues that affect employers and employees:

  • Maintaining the Workforce: During the lockdown, employers should not reduce or stop salary payments or terminate employees. Similarly, employers may not reduce work hours and wages during the lockdown. Employers, however, may temporarily halt non-statutory benefits and postpone incentives until the business normalizes, provided that such measures adhere to employers’ internal policies, employee handbook provisions and/or employment agreements. In addition, employers may defer or suspend bonuses and annual increments for employees, subject to some narrow exceptions.
  • Paid Leave: Employers are prohibited from requiring employees to use paid time off during the lockdown. Employees, however, are entitled to use their accrued annual leave at their discretion, subject to internal policies. Employers cannot mandate that employees take unpaid leave.
  • Medical Checks: Employers may take steps to verify employees’ health, as long as such measures protect the health, safety and well-being of other employees. Such steps include, for example, requiring medical check-ups for employees who have travelled internationally. If employers pursue such measures, they must ensure that they have systems in place to ensure that employees’ medical records remain confidential and secure. Employers should be mindful not to discriminate against employees by selecting employees for medical checks based upon race or nationality.
  • Sick Time for Employees with COVID-19: Certain state governments have issued notifications/orders requiring employers to grant 28 days of paid leave to employees who have been infected with COVID-19. Employers may encourage, but not require, employees who have contracted COVID-19 to use their accrued sick leave. If necessary, employers may require COVID-19-positive employees to continue to take leave until such employees medically certify that they may return to work, during which time employers should continue to pay employees’ full wages and benefits.

©2020 Epstein Becker & Green, P.C. All rights reserved.

For more employment considerations amid the COVID-19 pandemic, see the National Law Review Coronavirus News section.

6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?

In August 2018, Brazil took a significant step by passing comprehensive data protection legislation: the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – Law No. 13,709/2018, as amended) (LGPD). The substantive part of the legislation takes effect August 16, 2020, leaving fewer than six short months for companies to prepare.

While the LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in many respects, there are key differences that companies must consider when building their compliance program, to be in line with the LGPD.

Application

The LGPD takes a broad, multi-sectoral approach, applying to both public and private organizations and businesses operating online and offline. The LGPD applies to any legal entity, regardless of their location in the world, that:

  • processes personal data in Brazil;
  • processes personal data that was collected in Brazil; or
  • processes personal data to offer or provide goods or services in Brazil.

Thus, like the GDPR, the LGPD has an extraterritorial impact. A business collecting or processing personal data need not be headquartered, or even have a physical presence, in Brazil for the LGPD to apply.

Enforcement and Penalties

After many debates and delays, the Brazilian Congress approved the creation of the National Data Protection Authority (ANPD), an entity linked to the executive branch of the Brazilian government, which will be tasked with LGPD enforcement and issuing guidance.

Violations of the LGPD may result in fines and other sanctions; however, the fine structure is more lenient than the GDPR’s. Under the LGPD, fines may be levied up to 2% of the Brazil-sourced income of the organization (which is considered any legal entity, its group or conglomerate), net of taxes, for the preceding fiscal year, limited to R$ 50,000,000.00 (app. $11 million), per infraction. There is also the possibility of a daily fine to compel the entity to cease violations. The LGPD assigns to ANPD the authority to apply sanctions and determine how the fines shall be calculated.

Legal Basis for Processing

Similar to the GDPR, an organization must have a valid basis for processing personal data. Personal data can only be processed if it meets one of the 10 requirements below:

  • with an individual’s consent;
  • when necessary to fulfill the legitimate interests of the organization or a third party, except when the individual’s fundamental rights and liberties outweigh the organization’s interest;
  • based on a contract with the individual;
  • to comply with a legal or regulatory obligation;
  • public administration and for judicial purposes;
  • for studies by research entities;
  • for the protection of life or physical safety of the individual or a third party;
  • by health professionals or by health entities for health care purposes; or
  • to protect an individual’s credit.

Sensitive personal information (race, ethnicity, health data, etc.) and children’s information may only be processed with the individual or a parent or legal guardian’s consent, as applicable, or as required by law or public administration.

Individual Rights

Brazilian residents have a number of rights over their personal data. Many of these rights are similar to those found in the GDPR, but the LGPD also introduces additional rights not included in the GDPR.

Established privacy rights, materially included in the GDPR

  • access to personal data
  • deletion of personal data processed with the consent of the individual
  • correction of incomplete, inaccurate, or out-of-date personal data
  • anonymization, blocking, or deletion of unnecessary or excessive data or personal data not processed in compliance with the LGPD
  • portability of personal data to another service or product provider
  • information about the possibility of denying consent and revoking consent

Additional rights provided by the LGPD

  • access to information about entities with whom the organization has shared the individual’s personal data
  • access to information on whether or not the organization holds particular data

Transferring Data Out of Brazil

Organizations may transfer personal data to other countries that provide an adequate level of data protection, although Brazil has not yet identified which countries it considers as providing an adequate level of protection. For all other transfers, organizations may not transfer personal data collected in Brazil out of the country unless the organization has a valid legal method for such transfers. There are two main ways organizations can transfer data internationally:

  • with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent;
  • through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime.

Governance & Oversight

In addition to the requirements above, under the LGPD, organizations must, in most circumstances:

  • Appoint an officer to “be in charge of the processing of data,” who, together with the organization, shall be jointly liable for remedying any damage, whether individually or collectively, in violation of the personal data protection legislation, caused by them (there is little specificity around the role or responsibility of the data processing officer; however, it is not mandatory for the officer to be located in Brazil);
  • Maintain a record of their processing activities;
  • Perform data protection impact assessments;
  • Design their products and services with privacy as a default;
  • Adopt security, technical, and administrative measures able to protect personal data from unauthorized access, as well as accidental or unlawful destruction, loss, alteration, communication (likely similar standards to those established under the Brazilian Internet Act); and
  • Notify government authorities and individuals in the case of a data breach.

Meeting these requirements will likely be a significant administrative burden for organizations, especially as they work to meet varying documentation and governance requirements between the GDPR, CCPA, and LGPD. This effort is made more complicated by the lack of clarity in some of the LGPD administrative requirements. For example, while the LGPD requires a record of processing, it does not delineate what should be included in the document, and while it establishes that privacy impact assessments should be carried out, it does not indicate when such assessments are required.

Final Thoughts

Given August 2020 is right around the corner, global organizations processing personal data from or in Brazil should consider immediately moving forward with a review of their current data protection program to identify and address any LPGD compliance gaps that exist. As privacy law changes and global compliance requirements are top of mind for many clients operating global operations, we will be sure to provide timely informational updates on the LGPD, and any ANPD guidance issued.

Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.


©2020 Greenberg Traurig, LLP. All rights reserved.

For more privacy laws around the globe, see the National Law Review Communications, Media & Internet law section.