Gender equality and female participation in companies: what you need to know
The month of March is widely recognized as International Women’s Day, which is celebrated on the 8th. This date aims to remember women’s struggle for rights and gender equality throughout history, as well as highlighting the importance of female participation in all aspects of social, economic, political and cultural life. It is an opportunity to celebrate women’s achievements, reflect on the challenges that still need to be overcome and promote actions that contribute to building a fairer and more equal society for all people, regardless of gender. Gender diversity and female participation in the corporate world are increasingly relevant and urgent issues. Although there has been some progress in recent years, equal opportunities and treatment for men and women in the workplace is still a challenge to be faced. The presence of women in leadership positions is still very low, even in companies that claim to be committed to diversity and inclusion. According to a survey by the Brazilian Institute of Corporate Governance (IBGC), only 10% of the boards of directors of publicly traded companies in Brazil are made up of women. In addition, women still face obstacles to advancing in their careers, such as unequal pay, a lack of specific training and development programmes and an organizational culture that doesn’t value women’s skills and abilities. For this reason, the UN created the Global Compact 2030, which plays an important role in promoting equal opportunities and treatment between men and women in the business environment. In this sense, companies that join the Global Compact 2030 have the opportunity to commit to concrete measures to reduce gender inequality in their operations and throughout the value chain. This includes promoting equal pay policies, developing training and leadership programmes for women, creating a safe and respectful working environment for all employees, and collaborating with other companies and organizations to promote gender equality. However, gender diversity is not only a matter of social justice, but also a matter of competitive advantage and long-term business sustainability. Companies that value and promote gender diversity tend to have better financial performance, greater innovation and employee engagement. This is because diversity of perspectives, skills and experiences enriches the working environment and allows companies to better adapt to changes in the market and society. Some initiatives that companies can adopt to promote gender diversity and female participation include: Set clear targets for the presence of women in leadership positions and implement concrete actions to achieve them, such as mentoring, coaching and leadership development programs for women. Implementing recruitment practices that avoid gender discrimination, such as reviewing the requirements for positions, publicizing vacancies on different channels and conducting interviews with a multidisciplinary and diverse team. Promote equal pay for men and women who perform the same jobs, in order to value women’s skills and abilities and ensure fairness and equity in the workplace. Create an inclusive and respectful work environment that values diversity of opinions, perspectives and experiences, and has a zero-tolerance policy for harassment and discrimination. Encouraging female participation in traditionally male areas such as technology, engineering and exact sciences, through specific training and mentoring programs. In addition, it is important that companies recognize the importance of gender diversity as a strategic and cross-cutting issue, which must be addressed in all areas and levels of the organization. This requires the commitment and leadership of senior management, as well as raising awareness and training all employees in the importance of diversity and inclusion. In short, companies that adopt inclusion and diversity policies, such as promoting gender equity, tend to have higher performance and more positive financial results. In addition, an inclusive work environment can improve employee satisfaction and engagement, contributing to a healthier and more productive corporate culture. Want to know more? Get in touch with our team of experts!
The discussion on the nature of civil liability in the General Data Protection Act
The General Personal Data Protection Law (LGPD) came into force in Brazil in September 2020 and brought with it a series of changes to the way companies and organizations should handle personal data. Among these changes, one of the most important is the inclusion of civil liability in the processing of personal data. And when we talk about the LGPD, we can’t leave aside other rules of national legislation that are in line with the regulation under analysis. Here we can mention the institute known as the “dialog of sources”, an expression coined by Erik Jayme, which deals precisely with the simultaneous application of more than one law to a specific case. It is from this idea that the normative solution of the General Data Protection Law arises when disciplining civil liability, since it establishes that any breaches that give rise to reparation are subject to the liability rules provided for in the relevant legislation. Civil liability is one of the fundamental principles of Brazilian law. It is the obligation that an individual has to repair the damage caused to another person, whether by action or omission. In the LGPD, civil liability is present in several articles, mainly in articles 42 to 45. According to the LGPD, anyone who suffers damage as a result of the improper processing of their personal data can demand compensation for the damage suffered. This means that companies and organizations that collect, store and process personal data must take all necessary measures to ensure the security of this data and prevent any kind of leakage or improper access. In addition, the LGPD also stipulates that companies and organizations must inform data subjects of the use that will be made of this data, as well as its purpose and how it will be processed. This obligation to comply with the principle of transparency is fundamental to ensuring that data subjects can exercise their rights, such as accessing, rectifying and deleting their personal data. In this sense, the LGPD seeks to ensure mechanisms to safeguard the information of natural persons. The controversy lies, in fact, in the legal details that can greatly alter the decisions to be made by law enforcers. There are those who believe that the civil liability discussed here is subjective liability, while there are many advocates of classifying this liability as objective. Subjective liability is based on the idea that a person or company can only be held liable for damage caused when there is actual proof that they acted with fault or intent, i.e. with the intention to harm. Objective liability, on the other hand, means that the person or company is responsible for the damage caused regardless of fault or intent, as long as the action or omission that caused the damage occurred. In the General Data Protection Law, strict liability is provided for in article 37, which states that “the controller or operator who, as a result of carrying out the activity of processing personal data, causes damage to property, morals, individual or collective, is obliged to repair it”. In other words, the company can be held liable even if it has not acted with fault or intent, as long as it has caused damage to one (or more) data subjects. On the other hand, subjective liability is defended by some scholars, who argue that the LGPD should not be applied indiscriminately, but in accordance with each company’s responsibility for data processing. In other words, the company should only be held responsible when it is proven that it acted with fault or intent, and not just because it caused damage. Objective liability can be seen as more rigorous, since the company is responsible for the damage caused, regardless of fault or intent. This can encourage companies to invest more in data security to avoid possible damage. On the other hand, subjective liability can be seen as fairer, as it only holds the company responsible if there is proof of fault or intent. This can prevent companies from being unfairly held responsible for damage they did not intentionally cause. With regard to this discussion, the most important thing to bear in mind is that the LGPD is an extremely recent piece of legislation, which is why there are still many doubts about its application. The discussion about subjective versus objective liability is just one of the many questions that arise from interpreting the law. Given all this, it is essential that companies and organizations seek expert legal advice to ensure that they are in compliance with the law and to avoid any kind of sanction or civil liability. Want to know more? Get in touch with our team of experts!
Gonzalez vs. Google case
One of society’s main challenges today is to decide whether and how content should be moderated by digital platforms. Last Wednesday (23/02), the United States Supreme Court began the second hearing of the Gonzalez vs. Google case, the outcome of which may indicate whether or not social networks are responsible for content posted by their users that violates their Policies, as well as their Terms of Use. It is important to note that this case is not to be confused with Google Spain v. Mario Costeja González[1], in which Mario Costeja González filed a complaint with the Spanish Data Protection Agency against La Vanguardia Ediciones SL. and against Google, its Spanish branch and parent company, in which he asked La Vanguardia to delete or alter the pages showing his personal data, so that his personal data would no longer appear, or to use certain tools made available by online search engines to protect his personal data, as well as requesting that Google Spain and Google Inc be ordered to de-index the content showing his personal data. In the case in question, on the other hand, the relatives of Nohemi Gonzalez – a young American woman killed in a terrorist attack claimed by the Islamic State (ISIS) on November 13, 2015 in Paris – filed a lawsuit against Google, Twitter and Facebook, especially because the algorithms of Google’s digital platform “YouTube”, Google’s digital platform “YouTube” recommended content from the terrorist group to certain users, claiming that the platform acted as a “recruitment platform for the terrorist group” when it allowed the broadcasting of content aimed at recruiting members, planning terrorist attacks, issuing terrorist threats, instilling fear and intimidating civilian populations. It is worth remembering that the attacks in Paris resulted in dozens of deaths, with three shootings recorded in different parts of the city – including an attack on the Bataclan concert hall[2]. Gonzalez’s relatives, suing Google and the social networks, claimed that the digital platforms, by allowing users to radicalize their posts, were legally responsible for the damage done to his family – since Google uses algorithms that suggest content to users based on their viewing history and therefore helps ISIS spread its message. With the decision of this lawsuit, the Justices of the Supreme Court of the United States may consider the application of the so-called Section 230 of the Communications Decency Act. This provision protects digital platforms (Facebook, Google, Twitter, among others) from lawsuits over content posted by their users, or from decisions related to the removal of content. Therefore, the US Supreme Court will be able to decide whether these companies can be held responsible for the content their users post, as well as for colluding with extremist propaganda and/or discriminatory advertising. The lawyers for Gonzalez’s family claim that all Digital Platforms (Google/YouTube, Facebook, Twitter) are responsible for aiding and abetting international terrorism. By not taking significant or aggressive measures to prevent terrorists from using their services, even if they did not play an active role in the specific act of international terrorism, by recommending and reinforcing content to users through their algorithms, they are directly involved due to the collusion of speech and, according to the lawyers of Gonzalez’s family, such a right would not be protected by Section 230. Google’s defense claims that the Gonzalez family’s arguments are vague and merely speculative about the algorithms’ recommendations. The lawsuit is not expected to be decided until June 2023. The issue of whether or not to moderate content on digital platforms and social networks is currently challenging governments and civil society, as the central focus is on how to combat hate speech and disinformation. Unesco (United Nations Educational, Scientific and Cultural Organization) even promoted the International Conference “For a Trustworthy Internet” from February 21 to 23, 2023. The event took place in Paris and brought together representatives of governments and civil society to discuss how the UN agency can contribute to creating guidelines to regulate digital platforms, combating disinformation and hate speech while protecting freedom of expression and human rights. In a nutshell, UNESCO’s aim with this conference was to encourage governments to promote and protect freedom of expression and human rights on the Internet, and for regulatory systems to guarantee independence and adequate supervision. In this way, it is up to regulators to establish targets and processes, specifying human rights-sensitive issues that digital platforms need to follow. Even recently, Supreme Court Justice Luís Roberto Barroso, participating in this Conference, stated that digital platforms should have a duty to act even before a court order in cases of illegal posts, especially in the face of content that violates the law of the democratic rule of law, which prohibits calls for the abolition of the rule of law, encouragement of violence to depose the government or incitement of animosity between the Armed Forces and the Powers. [3] “In the case of clear criminal behavior, such as child pornography, terrorism and incitement to crime, platforms should have a duty of care to use all possible means to identify and remove this type of content, regardless of (judicial) provocation,”[4] Barroso stressed. But in the case of the United States, the existence of the First Amendment makes this issue even more complex to decide, since this provision does not allow the American Congress to enact laws that restrict freedom of expression or of the press. For critics of Section 230, this provision allows digital platforms to avoid being held responsible for damage to the community, even if such occurrences could be avoided if the digital platforms moderated the content (such as removing a publication that supports a terrorist act, for example). Proponents, on the other hand, claim that if the Supreme Court relaxes this understanding, digital platforms, fearing liability and more lawsuits, could remove even more content, thus resulting in a greater threat to freedom of expression. Finally, it is worth noting that the US Supreme Court’s ruling has the power to impact on the responsibility of digital platforms for
Improper data processing and just cause
In the Labor Courts, for some time now, precedents have been created in which the improper use of personal data leads to dismissal for just cause. The increase in the number of dismissals for this reason tends to grow more and more, along with the monitoring of compliance with the General Data Protection Law that began in January 2022, and this is precisely what happened with the 10th Chamber of the Regional Labor Court (TRT) of Campinas (15th Region) confirming the dismissal for just cause of a banking correspondent who sent to her private email, and copied to third parties, personal data of clients, such as documents, CPFs, amounts of payroll loan contracts and telephone numbers. The employee also claims that she wanted to check that she was actually receiving the commission for the sales correctly. However, regardless of the justification, it is worth noting that when an employee is dismissed for just cause, they lose their unemployment insurance and other severance pay. Acts that lead to a lack of security and privacy for customer data have become the focus of concern for companies, which in turn need to implement effective Privacy and Personal Data Protection Programs in their organizations, which should involve the application of training and the development of internal and external policies aimed at internalizing a culture of responsibility in the handling of data. This enables strategic decision-making and, at the same time, prevents episodes of data leakage or improper data processing. Employees generally have access to customer data, as well as that of the companies in which they work. The data processed must be guaranteed in terms of confidentiality, secrecy and security, within the limits established by law. The larger the company, the more complicated it becomes to control the activities carried out by employees, which makes the company’s preventive measures even more cautious. Furthermore, the security of this data should not only be restricted to criminals, but also to misuse, as in this case. Thus, one of the measures adopted by companies, for example, is to restrict access to data only to authorized people within the company, in order to reduce risks and guarantee greater security for their customers’ data. This concern has grown exponentially in recent years as a result of Law No. 13,709/2018, which regulated the processing of personal data and determined penalties to be met by companies in default. Among these penalties, the National Data Protection Authority can impose a fine of up to 50 million reais per violation. Its enforcement had not begun until January 2022, but the law had already been in force since 2020, which gave companies a reasonable amount of time to adapt. It can therefore be inferred that decisions have already been handed down authorizing the dismissal for just cause of employees who send personal data about employees or clients to their personal emails and/or to third parties. In this way, the attitude in question is seen as serious misconduct, regardless of the purpose alleged by the employee during the sharing, indiscipline, violation of secrecy and internal company rules, which, according to the CLT, constitutes just cause: Art. 482 – The following constitute just cause for termination of the employment contract by the employer: g) violation of company secrets; h) an act of indiscipline or insubordination; It is therefore understandable that the LGPD was created precisely because personal data has gained enormous economic importance these days, becoming digital assets. Companies like Google and Meta are some of the most valued in the world for being able to capture data from billions of users. Finally, it is understood that the cases that have been judged make it clear that the LGPD is not just the company’s responsibility, but also has direct implications for the life of the employee, who must respect the confidentiality and data protection policies established by the company. Do you want to comply with the LGPD? Talk to PDK Advogados’ team of experts.
Cooperation: the key to a sustainable personal data protection ecosystem
The protection of personal data is an institute that depends on cooperation, contribution and collaboration between the parties involved in a personal data processing activity. In my day-to-day life, I often come across situations in which one of the parties, that is, one of the Processing Agents, is unwilling to cooperate, contribute or collaborate with the other, be it a Controller – who determines the purposes and means by which the operation with the data will take place, or an Operator – who carries out the operation based on the Controller’s instructions. It is necessary to start from the premise that in order to build a sustainable ecosystem, with regard to the legal requirements of the General Personal Data Protection Act (“LGPD”), as well as international best practices, a balance is needed between the responsibilities and tasks of the Processing Agents. When two or more Processing Agents act in an operation with personal data, cooperation is an essential part of building the legitimacy and legality of the activity. Regardless of the classification of the Processing Agent, as well as the processing in question – e.g. collection, storage, sharing, use, processing, disposal – in order to comply with the fundamentals and principles of the LGPD, it is necessary for all the Agents involved to contribute – within the limits of their responsibility, and actively collaborate – by carrying out a common job. Therefore, cooperating here means having the main objective of guaranteeing the legitimacy and legality of a given personal data processing operation. An operational and practical example, as well as a classic and routine one – especially in the oil and gas industry – is the application of resources by an oil company to Research, Development and Innovation (RD&I). Research, Development and Innovation Technical Regulation No. 3/2015 of the National Agency of Petroleum, Natural Gas and Biofuels (ANP), which establishes definitions, guidelines and standards for the application of resources, as well as rules for proving R,D&I activities and the respective expenses incurred, Chapter 06 makes it a legal and regulatory obligation to keep information and documents for a period of 5 (five) years – counting from the end date of the project, including contracts and tax documents relating to the transfer of funds and payments, as well as expenses incurred within the scope of R,D&I projects or programs. It also establishes that institutions accredited by the ANP, i.e. universities or research and development institutions, as well as Brazilian companies, must send the contracting oil companies information and documents relating to the projects or programs they carry out. Due to the lack of clarity in the Technical Regulations, and especially with regard to the rendering of accounts for personnel expenses and their supporting documents, which does not detail the data, information, documents and records that must be filed and kept for a period of 5 (five) years, the Oil Companies can and must request from the Accredited Institutions and/or Brazilian Companies contracted for R,D&I the personal data they deem necessary and appropriate to comply with their legal and regulatory obligation, with the aim of supporting and promoting their own activity, as well as guaranteeing, in the event of an inspection, a suitable and effective record capable of proving the contributions made. In this sense, it is up to the Treatment Agents involved in RD&I to act in a cooperative manner, guaranteeing reciprocal access to information and documentation on the project or program. Personnel costs are also included in this list, and it is not up to either party to oppose or deny access to information and data, or not to share it. On the other hand, it is always the duty of all Processing Agents to collaborate and contribute to guaranteeing the application of the general principles of personal data protection, especially transparency and free access to such operations, each within the limits of their responsibility and their respective relationships with the data subjects involved. Regardless of the economic segment or regulatory framework, cooperation is fundamental to achieving a sustainable personal data protection ecosystem.