Rio de Janeiro city view showing what to expect from upcoming Brazilian General Data Protection Law, LGPD.

What to Expect From Brazil’s General Data Protection Law?

The European General Data Protection Regulation (GDPR) has set in motion a wave of privacy policies all around the world. One of the biggest laws was the California Consumer Protection Act (CCPA) that went into effect on the 1st of January, 2020. This law has affected 500,000 organizations worldwide. If that wasn’t enough, Brazil is right behind the U.S in introducing its own Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD) in early August, 2020. In this article we will look into the impact of the LGPD law, its differences and similarities with the GDPR and how it is set to further change the paradigm of digital data privacy on a global scale.

Overview of General Data Protection Law

According to a study, Brazil has almost 140 million internet users (these alone could make it the 10th largest country in the world), making it the largest internet market in Latin America and the fourth largest internet market in the world. Brazil has drafted over 40 legal norms on a federal level that deals with data privacy, causing a crosswire legal framework. The only downside of these laws is that they are sectoral, which means they are related specifically to different industries and do not cover all aspects at an overall level. This is why the new data protection law of Brazil known as LGPD that will provide a more comprehensive and overall regulatory framework.

What is General Data Protection Law (LGPD)?

The LGPD will offer individuals a streamlined set of rights which they can exercise, rather than the sectoral federal laws that offer only partial protection. This law is greatly influenced by the EU’s General Data Protection Regulation, so much so, that some people call it Brazil’s GDPR.

The LGPD is closely modelled after the GDPR and contains sixty-five articles. It was passed on August 14, 2018 and sanctioned by President Bolsonaro in July 2019. The enforcement date is set to be August 15, 2020.

Essence of the LGPD law

LGPD gives nine rights to data subjects as well as defining personal data, creating ten legal bases for lawful processing and making it obligatory for organizations to appoint a Data Protection Officer. To enforce this law, Brazil will establish Autoridade Nacional de Proteção de Dados (or ANPD, which can be defined as Brazil’s data protection authority), which will supervise, guide and enforce these laws.

Who needs to comply with LGPD?

Unlike the CCPA and GDPR, the LGPD does not take into account the size or revenue of a company; instead, it focuses on the information a company holds. Under article 3 of the LGPD, any organization that performs the following tasks are liable to comply with the LGPD:

  • Processing data within the territory of Brazil,
  • Processing data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,
  • Processing data which is collected within the territory of Brazil.

Characteristics of LGPD

  • Personal data under LGPD

LGPD defines personal data broadly. The law simply states that personal data is “information regarding an identified or identifiable natural person” (Article 5, I).

This can include names, ID-numbers, online identifiers and location, to physiological, mental, genetic, cultural, economic or social facts.

  • Sensitive personal data in the LGPD

The LGPD classifies sensitive personal data as a subcategory and applies when the data processed is “racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data” (Article 5, II).

Article 11, mentions the limited situation under which sensitive data can be processed. These are:

    1. When the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes
    2. Without consent from the data subject, in the situations when it is indispensable for:

a. Controller’s compliance
b. Shared processing of data for public administration
c. Studies carried out by research entity
d. Regular exercise of rights
e. Protecting the life or the safety of an individual
f. Ensuring the prevention of fraud

  • LGPD fines

The LGPD is clear when it comes to the consequences of non-compliance with the law.

The penalty system ranges from –

    • Warnings issued in case of violations and non-compliance with the intent of having the entity adopt corrective measures.
    • Daily fines.
    • Fines up to 2% of annual turnover in Brazil or R50 million per violation, which approximates to €11 million.

Maximum fines can reach up to 50 million Brazilian reais or 2% of a company’s annual turnover for a LGPD violation. It will be the ANPD’s responsibility to enforce such sanctions, when the LGPD comes into effect.

The LGPD was designed in accordance with the EU’s GDPR. The LGPD has global jurisdiction, which means that any website that processes personal data from individuals in Brazil has to comply.

  • Rights of the data subject

LGPD gives nine fundamental rights to its consumers. If we look deeper, the LGPD has only split the GDPR’s right of “right to be informed” under two clauses which are “right to be informed of the parties the controller has shared the data with” and the “right to be informed about the possibility of denying consent”.

  • National Data Protection Authority (NDPA)

The NDPA is the federal administration body directly connected to the President of Brazil. It is a regulatory entity for both public and private data processors, and can act in matters such as providing technical standards and rules, asking for data protection impact assessment reports, evaluating best practices, supervising, and imposing sanctions.

  • Data Deletion

The personal data must be deleted by the controller after the end of processing. However, data subjects can also ask for the deletion at any point in time, with some exceptions.

  • Extraterritorial application

Personal data processors, whether or not physically present in Brazil, are subject to the Law if one of the following conditions is fulfilled:

(i) the data is processed within national territory

(ii) the purpose is providing information or offering goods or services to individuals located in the national territory

(iii) the personal data was collected in the national territory.

Additional definitions important to the LGPD

Under Article 5, there are several terms that need to be defined for proper understanding of LGPD laws:

  • LGPD defines processing as “any operation carried out with personal data”.
  • LGPD defines consent as “free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose”.
  • Database is defined as a “structured set of personal data, kept in one or several locations, in electronic or physical support”.
  • Controller in the LGPD is defined as a “natural person or legal entity, public or private law, that has competence to make decisions regarding the processing of personal data”.
  • The LGPD defines processor as a “natural person or legal entity, public or private law, that processes personal data in the name of the controller”.
  • LGPD defines an officer as a “natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority” (the ANPD).

LGPD’s legal bases for processing

Under Article 7, LGPD defines the ten legal bases for lawful processing of personal data as:

  • With the consent of the data subject
  • To comply with a legal or regulatory obligation of the controller
  • To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments
  • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data
  • To execute a contract or preliminary procedures related to a contract of which the data subject is a party
  • To exercise rights judicial, administrative or arbitration procedures
  • To protect the life or physical safety of the data subject or a third party
  • To protect health, in a procedure carried out by health professionals or by health entities
  • To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail
  • To protect credit

The act of processing personal or sensitive data must be documented from initial collection to termination. It is mandatory to have a description of what kind of data is collected, retention time, the purpose of the collection and who the data can be shared with.

Key Takeaway

The LGPD is a clear indication that countries all across the world are taking data privacy seriously, which means it is only a matter of time before every country of the world will have a specific overall data protection regulation of their own. This may be good news for customers as their information will remain protected, but not so much for organizations, especially global ones as this could translate to increased costs and risk of non-compliance than ever before.

The need for a framework to automate data privacy regulation compliance has never been this severe, and organizations need to find a way to be able to comply with all these regulations in a smooth and efficient manner.