Brazil’s new data protection law, Lei Geral de Proteção de Dados (LGPD), is a comprehensive law similar to the European Union’s General Data Protection Regulation (GDPR).
LGPD requires companies to get consent from individuals before processing their personal data. The law applies to non-Brazilian companies if they have a branch in Brazil or collect and process personal data of individuals located in Brazil (they don’t have to be Brazilian citizens).
The law has a broad definition of what constitutes personal data; it includes any information related to an identified or identifiable individual.
Definitions and categories of Personal Data
There are several categories of personal data that are exempt from LGPD requirements: data that is collected for personal uses; for journalistic, academic, or artistic purposes; and for national security, criminal investigations, and public safety purposes. Also, anonymized data is excluded from the law’s requirements.
The LGPD has strict requirements for processing “sensitive data,” which includes data on racial or ethnic origin, religious belief, political opinion, union membership, religious, philosophical, or political organization membership, health and sexual orientation, and genetic and biometric data.
Children between 13 and 18 years old can consent to the processing of their personal data if the processing is in their best interest. For children under the age of 13, only a parent or guardian can give consent.
Under the law, it is possible to collect children’s data without consent when required to contact the parents or guardian or for the child’s protection.
The LGPD applies to data processing carried out in Brazil, regardless of the location of the organization processing the data or the location of the data being processed. If the personal data belongs to an individual located in Brazil, or if the personal data was collected in Brazil and the data owner was in Brazil at that time, the law’s requirements apply.
Organizations can transfer Brazilians’ personal data if the country or international organization provides an adequate level of protection of personal data. If this is not the case, then the data controller needs to ensure data protection through contractual clauses or other grounds specified in the law.
The LGPD requires organizations that process personal data to conduct a data protection impact assessment (DPIA). The DPIA must include at least a description of the types of data processed, the methods used to collect the data, the information security measures used, and a description of the mechanisms used to lessen the data processing risks.
Data Rights under LGPD
Under LGPD, individuals have the following rights regarding their personal data:
- Right to confirm that a company is processing their data
- Right to access that data
- Right to correct incomplete, inaccurate, or out-of-date data
- Right to anonymize, block, or delete unnecessary or excessive data
- Right to the portability of data to another service or product provider
- Right to delete their data
- Right to be informed about third parties with which the controller has shared data
- Right to be informed about the consequences of denying consent
- Right to revoke consent
Companies that handle Brazilian personal data must appoint a data protection officer (DPO) to be the point person in communication between the data controller, the data subjects, and Brazil’s data protection authority.
The DPO’s duties include accepting complaints and communications from data subjects, providing explanations, and adopting measures; receiving communications from the supervisory authority; advising an organization’s employees and contractors regarding data protection practices; instructing employees and contractors about ways to protect personal data; and carrying out other duties as determined by the data controller.
Data controllers and processors must keep records of personal data processing operations, especially if the processing is based on legitimate interest.
They are also obliged to adopt security, technical, and administrative measures to protect personal data from unauthorized access, as well as from destruction, loss, alteration, communication, or any other type of improper or unlawful processing.
Data Breach Notification
Data controllers are tasked with notifying the ANPD and the data subject(s) in the event of a data breach or other security incident.
The LGPD requires organizations that suffer a data breach to notify regulators within a “reasonable” period of time, although no specific deadline is set.
There are significant fines for violation of LGPD’s requirements, up to 2 percent of the company’s revenue in Brazil, with a R$50M per violation limit. However, penalties will only be assessed after Aug. 1, 2021.
Individuals can also seek civil damages for LGPD violations in court. Civil damages can be sought through individual or collective legal instruments, such as collective actions by consumer rights associations, even if the data subject has not agreed to this action.
Autoridade Nacional de Proteção de Dados (ANPD)
The LGPD established a data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), that has the responsibility of interpreting, applying, and enforcing the law. The ANPD is tasked by the law to prepare a national policy for privacy and data protection, promote best practices for data processing activities, and establish data sharing and processing rules, procedures, and guidance for organizations to comply with LGPD.
The ANPD is also directed to develop rules on the timeframe and means for organizations to respond to data requests, on the rules and duties of the data protection officer, on risk assessments and criteria for “high-risk” data processing, and on the timeframe for data breach notification. While the law does not have a data breach notification deadline, the ANPD has the authority to set a deadline.
The data protection authority has investigatory powers that include requesting information from data controllers and data processors, and corrective powers that include issuing warnings and fines, publicizing violations, and blocking the processing of personal data that is subject to an infraction.
In August, Brazilian President Jair Bolsonaro signed a decree establishing the ANPD and delineating its structure and process. Under the decree, the data protection authority must conduct public consultations, public hearings, and analyses of impact before issuing regulations and standards.
A council of directors will be the ultimate decision-makers within the ANPD, though it can delegate decision-making to other departments. The council will include a president-director, four directors, and five project managers, who will be appointed for a term of four years.
The council will be responsible for executing most of the ANPD tasks outlined in the LGPD, including providing guidance, establishing further rules governing the ANPD, defining mechanisms to enable international transfers of personal data, requesting organizations to conduct DPIAs, and encouraging best practices for data governance.
LGPD versus GDPR
Let’s look at some of the similarities and differences between Brazil’s LGPD and the EU’s GDPR. Both laws apply to companies outside the geographic scope of the law that process personal data of residents of the countries within the scope of the law. The GDPR goes a step further and includes companies that monitor EU residents’ behaviour, while LGPD does not have such a provision.
The LGPD has a broader definition of personal data covered by its requirements than the GDPR, but the LGPD includes more exceptions to its coverage.
In terms of data subject rights, the list of rights is similar in LGPD and GDPR. One difference is that the LGPD grants to the data subject a right to information about third parties that the organization has shared personal data with. GDPR has a broader right to be informed, which includes information about third parties.
The LGPD requires a company to appoint a DPO if it processes personal data on Brazilian residents. The GDPR outlines instances where selecting a DPO is required, which is not in every case. Both the LGPD and the GDPR require an organization to carry out a DPIA.
The GDPR has much higher fines for violations than the LGPD. GDPR violations can cost an organization up to €20 million ($24 million) or 4 percent of annual global revenue, whichever is higher. As noted above, LGPD violations can cost up to 2 percent of the organization’s revenue in Brazil, with a R$50M ($9 million) per violation limit.
The GDPR sets a strict deadline for reporting a data breach—within 72 hours of its discovery. The LGPD contains no deadline, although the new data protection agency may set one.
Both laws exclude the processing of anonymized data from their scope. However, the LGPD says that anonymized data can be considered personal when it is used to create behavioural profiles of a particular person if that person can be identified.
There are some differences regarding the legal basis for processing personal data between the LGPD and the GDPR. The LGPD lists ten legal bases for processing data: with the consent of the data subject; to comply with legal or regulatory obligations; to execute public policies provided in laws or regulations or based on contracts, agreements, or similar instruments; to carry out research, if the data is anonymized; to execute a contract to which the data subject is a party; to exercise rights in judicial, administrative, or arbitration procedures; to protect life or physical safety; to protect health in an operation carried out by health professionals; to fulfil the legitimate interests of the controller or a third party; or to protect credit.
The GDPR has six legal bases for processing data: with the consent of the data subject; to comply with a contract to which the data subject is a party; to process the data to comply with a legal obligation; to save somebody’s life; to perform a task in the public interest or to carry out an official function; or if the organization has a legitimate interest to process someone’s personal data.
Perhaps the most significant difference is that the LGPD allows the protection of credit as a legal basis for processing personal data, something the GDPR does not mention.
It is clear that the LGPD is based on the GDPR, with some differences that arise from Brazil’s unique circumstances and culture. Organizations that have achieved compliance with GDPR are well on their way to complying with LGPD. As noted in this article, there are differences that need to be taken into account.
For organizations that have yet to comply with GDPR or are not covered by its requirements, it is time for them to beef up their data privacy protections because more privacy protection laws are on the way in many countries.