Brazil Passes Landmark Privacy Law: The Lei General de Proteção de Dados (The General Law for the Protection of Privacy)
Insight March 02, 2020
Joining the global trend started in Europe with the GDPR, Brazil recently enacted its own omnibus law (going into effect August 2020 after a recent extension) governing the use of personal data, the Lei Geral de Proteção de Dados (General Law for the Protection of Privacy or LGPD). Similar to the EU’s GDPR and California’s CCPA, LGPD is intended to regulate the processing of personal data. The stated purpose of the law is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”
This article addresses the most commonly asked questions about the applicability of LGPD, its exemptions and enforcement. The analysis is woven with comparison and contrast to the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA).
TO WHOM DOES LGPD APPLY?
The LGPD applies to any natural person or legal entity, including the government, that processes the personal data of the people of Brazil, even if the entity processing the data is based outside of Brazil. There are some exceptions, however, such as 1) when the processing is done by a natural person exclusively for private and non-economic purposes, 2) when done exclusively for journalistic, artistic, or academic purposes, or 3) when done for purposes of public safety, national defense, state security, or activities or investigation and prosecution of criminal offenses.
WHAT IS PERSONAL DATA AND HOW CAN IT BE PROCESSED?
Personal data in this statute is defined broadly as “information regarding an identified or identifiable natural person.” There are also special restrictions for the processing of “sensitive personal data”, which is data that relates to racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical or religious organizations, health, sex life or genetic and biometric data. To that end, and similarly to GDPR and CCPA, sensitive personal data may only be processed when the data subject specifically and distinctly consents to the specified purposes.
Personal data may be processed without consent for certain specific and limited purposes, including 1) to comply with a legal obligation, 2) when it is necessary by the public administration for the execution of public policies, 3) when it is a study carried out by a research entity, or 4) to protect the life or physical safety of the data subject or a third party.
Companies can collect and use publicly-available personal data under the LGPD only if it is (1) being used for the same purpose that it was originally collected, in which case consent from the data subject is not needed, or (2) for a different purpose, but only if the controller has identified a valid legal basis for the use of the data.
WHAT RIGHTS DOES LGPD GRANT TO DATA SUBJECTS?
The LGPD sets out nine fundamental rights granted to all Brazilian data subjects which are very similar to the eight fundamental rights laid out in the GDPR. The ninth comes from a more specific definition of the “right to be informed” as granted in the GDPR. LGPD separates the right to be informed into 1) the right to “information about the public and private entities with which the controller has shared data” and 2) “information about the possibility of denying consent and the consequences of such denial.” This gives the data subject not only a right to request information the organization collects about the data subject, but also the right to ask about what will happen if the data subject does not give the controller consent to process their personal data. Data subjects are also entitled to an explanation about any automated decision-making carried out by the controller that affects their interests. When the data subject requests a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision”
WHAT IS EXEMPTED UNDER LGPD?
While the GDPR has six lawful bases for processing data, the LGPD expands upon those, listing 10 legal bases for justifying the processing of personal data. The ten bases listed in the LGPD generally follow the bases listed in the GDPR, with the exception of the last legal base listed in the LGPD, giving the ability to process data for “the protection of credit.” This implies that consent is not necessary under the LGPD to process data for credit protection purposes, but this section should still be read in the context of two other laws that govern personal data for the protection of credit purposes (the Federal Consumer Code and the Positive Credit History Law).
In addition to the legal basis exempted to process data, like the GDPR and CCPA, under the LGPD data that has been anonymized is generally exempt from the requirements of the LGDP, so long as the process by which the data was anonymized is not able to be reversed applying reasonable efforts. The LGPD defines anonymization as the “use of reasonable technical means available at the time of processing, by means of which the data loses the possibility of direct or indirect association to a natural person.” A key difference here, however, is that per the LGPD some anonymized data may even be deemed as “personal data” if it is used to “formulate behavioral profiles of a particular natural person, if that person is identified.” As such, if the anonymized data is still being used for behavior profiling, it is subject to the restrictions of personal data. Another difference is that, unlike the GDPR, the LGPD does not necessarily endorse pseudonymization as a best practice; in fact, it only addresses pseudonymization once, encouraging public health research bodies to either anonymize or pseudonymize when possible. GDPR, by contrast, frequently references pseudonymization as a best practice in order to assure compliance.
WHAT OTHER KEY REQUIREMENTS DOES LGPD IMPOSE?
Aside from having to identify a legal basis for processing data without consent, companies must also create and maintain a map of the personal data that they collect and process. This requirement is not imposed by CCPA but it does appear under GDPR. Furthermore, organizations must ensure that they are tracking consents and revocations by data subjects, which should be done as a matter of best practice even to establish compliance if it were not specifically mentioned in LGPD.
DOES LGPD REQUIRE A DPO?
Like the GDPR, and unlike CCPA, the LGPD requires businesses and organizations to hire a Data Protection Officer (DPO). However, unlike GDPR, the LGPD does not outline specific cases when a DPO is needed. It simply states that the “controller shall appoint an officer to be in charge of processing personal data.” This implies that any organization that processes the data of people in Brazil will need a DPO. Both controllers and processors need to appoint a DPO.
WHO WILL ENFORCE LGPD?
The LGPD creates an enforcement authority responsible for overseeing the data protection regulation in the National Data Protection Authority (Autoridade Nacional de Proteção de Dados), ANPD. The ANPD has the authority to create separate guidelines, rules, and deadlines applicable to small businesses and startups to make sure that they comply with the LGPD. As the ANPD begins to issue guidance on the provisions of the LGDP, this will affect how they will be enforced and implemented. The LGPD does not give a firm deadline for reporting data breaches to the ANPD; it only states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident…in a reasonable time period, as defined by the national authority.”
WHAT ARE THE FINES FOR NON-COMPLIANCE?
Fines for non-compliance are not as substantial in the LGPD as they are in the GDPR, giving the maximum fine for a violation as “2% of a private legal entity’s, groups or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals.” The sanctions will only be applied after an administrative procedure where opportunity is given for a full defense and taking into account the severity of the infraction and other parameters.
John Isaza is a California-based attorney, CEO of Information Governance Solutions (an Access Company) featuring Virgo™, a cloud-based software for records information management and global research, and partner at Rimon, where he chairs the records management and information governance practice. Mr. Isaza is one of the world’s foremost experts in the field. He has developed information governance and records retention programs for some of the most highly regulated Global 1000 companies. He is co-author of 7 Steps for Legal Holds of ESI & Other Documents, a contributing author to the ABA’s Internet Law for the Business Lawyer, 2nd Edition, as well as Editor-in-Chief and co-author of the recently released, Handbook on Global Social Media Law for Business Lawyers. Mr. Isaza is past co-Chair of the American Bar’s Social Media Subcommittee, a Fellow of ARMA International, and current co-Chair of the ABA’s Consumer Privacy and Data Analytics Subcommittee. Read more about John.
Hannah Katshir is a law clerk at Rimon Law and a second-year student at Boston College Law School, where she serves on the Boston College Law Review. Hannah completed her undergraduate degree in Biopsychology, Cognition, and Neuroscience from the University of Michigan.
Nothing contained herein is to be considered as the rendering of legal advice for specific cases or circumstances. The material herein is intended for educational and informational purposes only.