Breaking Down LGPD, Brazil’s New Data Protection Law
Brazil's GDPR-like data protection law, LGPD, owes a lot to the EU regulation but has several key differences that organizations that do business in the country should be familiar with.
Like any data protection legislation, Brazil's new data protection law, the LGPD, is too far-reaching to recap in full but we'll brief some of the law's biggest talking points before it goes into effect in 2020, including who needs to comply with it, what type of data is protected, how to meet its requirements, and where it diverges from GDPR, below.
What is the LGPD?
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by The National Congress of Brazil on August 14 last year, is slated to come into effect on August 15, 2020, six months after the initially scheduled date of February 2020. The legislation - similar to the General Data Protection Regulation (GDPR) - creates a new legal framework for the use of personal data processed on or related to individuals in Brazil, regardless of where the data processor is located.
As part of Provisional Measure No. 869/2018, Brazil established its own Data Protection Authority, Autoridade Nacional de Proteção de Dados, a.k.a. ANPD, in December, 2018, to oversee and enforce the guidance. While a handful of LGPD's provisions were vetoed by Brazil’s president in August 2018, the December order reinstated them. The measure - and the was eventually finalized by the Brazilian Federal Senate last month, on May 29, 2019. At the onset the DPA will be tied to the Presidency of the Republic, but will likely become autonomous in two years.
Prior to the LGPD's passage, data protection in Brazil was primarily enforced via a collection of frameworks, including the country's Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code.
Who Does the LGPD Apply to?
Much like GDPR, the LGPD has an extraterritorial application, meaning the law applies to any individual or organization, public or private, that collects or processes personal data in Brazil, regardless of where that organization is based. It also applies to organizations that intend to offer services to individuals in Brazil.
What Doesn't the LGPD Apply to?
The LGPD doesn't apply to:
- Data processed by a person for strictly personal purposes;
- Data that's exclusively for journalistic, artistic, literary or academic purposes;
- Data that's exclusively for national security, national defense, public safety or criminal investigation or punishment activities.
Data Subject Rights
Under Article 18 of the LGPD, data subjects have nine rights over their personal data, including:
- Anonymization, redaction or elimination of unnecessary or excessive personal data, or of data that is not being processed in compliance with LGPD;
- Deletion of personal data being processed based upon consent;
- Disclosure of subprocessors and other third parties with whom personal data is shared;
- Information about consent choices and the consequences of refusing consent; and
- Revocation of consent.
Under LGPD, controllers and processors need to adopt security, technical and administrative measures able to protect personal data from unauthorized access, as well as accidental or unlawful destruction, loss, alteration, communication. Once off the ground the ANDP will establish minimum technical standards, likely to be informed by the Brazilian Internet Act, as well.
How is LGPD Different From GDPR?
While largely informed by the European Union’s GDPR, the LGPD does have some differences.
Unlike the GDPR, which has which has policy set around how to process marketing data, the LGPD does not specifically address electronic marketing. GDPR, of course, gives individuals the right to object to the processing of their personal data; in Brazil, the way the LGPD is worded suggests implied authorization. Until further clarification, organizations in Brazil will likely want to confer with the Consumer Protection Code, the main law regulating advertising in the country.
The GDPR and LGPD define personal data differently as well.
The LGPD’s definition of “personal data” is broad and covers any information relating to an identified or identifiable natural person.
Under the LGPD, anonymous data is exempt but can be protected as “personal data” when used for profiling. According to Article 12, it can be considered “personal data” when it is used to enhance, build upon or create behavioral profiles on individuals.
Additional restrictions around the processing of sensitive data, like data on racial or ethnic origin, religious beliefs, political opinions, membership of syndicates or religious, philosophical or political organizations, data relating to health or sexual life, and genetic or biometric data when linked to a natural person, are in place as well.
The LGPD also doesn’t contain an incentive for data controllers to pseudonymize data, Under Article 13 of the LGPD, public health research bodies are encouraged to anonymize or pseudonymize health data whenever possible.
While the LGPD mandates companies to appoint a data protection officer (DPO) to communicate with the DPA and field complaints from data subjects, unlike the GDPR, which requires a data protection officer in certain circumstances, the LGPD says the DPO is mandatory, although the job can be outsourced to a third-party legal entity or individual, and doesn’t even have to technically be located in Brazil.
Unlike the GDPR, the LGPD does not permit cross-border data transfers based on the controller's legitimate interest. Articles 33-36 dig into the restrictions around this topic further.
In the GDPR, the deadline for data breach notification is 72 hours; in the LGPD, the deadline is loosely defined. There are no time frames given; instead organizations are encouraged to notify authorities of incidents in a "reasonable time." While the DPA is expected to provide additional guidance on the timing and nature of security incident notifications, in its current state, the vagueness could lead to legal confusion unless refined closer to the go-live date.
If an organization violates the LGPD, the legislation establishes simple fines of up to 2% of the sales revenue of the company, group or conglomerate in Brazil, and fines of up to 50 million Brazilian Real (approximately EUR 11,395,140, or USD $12,894,500) per violation.
In the months leading up to the LGPD go-live date, organizations that have operations in Brazil are being encouraged to determine which data the law applies to, ensure they have a legal basis to collect and process that data, establish a legal basis for international data transfer, and appoint a data protection officer.