The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) is a new law that was passed by the National Congress of Brazil on August 14, 2018 and comes into effect on August 15, 2020.
The LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the data processor is located. It is closely modelled after the European Union's General Data Protection Regulation (GDPR) and like GDPR, the LGPD has far reaching consequences for data processing activities in and outside of Brazil.
What is the Essence of the LGPD?
The LGPD provides data subjects with nine rights, defines what constitutes personal data and creates ten legal bases for lawful processing of personal data.
It also established Brazil's new national data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), which is responsible for supervision, guidance and enforcement of its administrative sanctions.
Organizations will be required to appoint a Data Protection Officer (DPO ). Additionally, the LGPD introduces mandatory data breach notification.
Who Does the LGPD Apply to?
In Article 3 of the LGPD, it outlines that it applies to:
- Data processing within the territory of Brazil
- Data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located
- Data processing of data collected in Brazil
This means that it is not just Brazilian citizens whose personal information is protected, but any individual whose data has been collected or processed while inside Brazil.
Organization to document the processing of personal data from initial collection to termination, provide a description of what is collected, the purpose of collection and processing, retention time and who the data is shared with.
Data controllers or processors can be jointly or separately liable for data breaches and data leaks, as well as non-compliance with the LGPD.
Who is Exempt from the LGPD?
The LGPD does not apply to:
- Data processed by a person for strictly personal purposes
- Data exclusively for journalistic, artistic, literary or academic purposes
- Data exclusively for national security, national defense, public safety, criminal investigations or punishment activities
What are the Nine Rights for Data Subjects Under the LGPD?
Article 18 of the LGPD outlines that individuals have the rights to:
- Confirm the existence of the processing of their data
- Access their data
- Correct incomplete, inaccurate or out-of-date data
- Anonymize, block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
- Portability of data, i.e. handed over to another service or processor if requested
- Have their data deleted
- Information about public and private entities with which the controller has shared data
- Information about the possibility of denying consent and the consequences
- Revoke consent
These rights are closely modelled after the rights that European citizens have under GDPR and have direct implications for organizations around the world.
What are the 19 Definitions in the LGPD?
Article 5 of the LGPD has 19 definitions:
- Personal data: Information regarding an identified or identifiable natural person akin to personally identifiable information (PII)
- Sensitive personal data: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life (PHI), genetic or biometric data, when related to a natural person.
- Anonymized data: Data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing
- Database: Structured set of personal data, kept in one or several locations, in electronic or physical support
- Data subject: A natural person to whom the personal data that are the object of processing refer to
- Controller:Natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data
- Processor:Natural person or legal entity, of public or private law, that processes personal data in the name of the controller
- Officer: Natural personal, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority
- Processing agents: The controller and the processor
- Processing: Any operation carried out with personal data, such as collection,production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information,modification, communication, transfer, dissemination or extraction
- Anonymization: use of reasonable and available technical means at the time of the processing, through which data loss the possibility of direct or indirect association with an individual
- Consent: Free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose
- Blocking: Temporary suspension of any processing operation, by means of retention of the personal data or the database
- Deletion: Exclusion of data or a set of data stored in a database, irrespective of the procedure used
- International data transfer:Transfer of personal data to a foreign country orto an international entity of which the country is a member
- Shared use of data: Communication, dissemination, international transfer,interconnection of personal data or shared processing of banks of personal data by public agencies and entities, in compliance with their legal competences, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities
- Impact report on protection of personal data: Documentation from the controller that contains the description of the proceedings of processing of the personal data that could generate risks to civil liberties and fundamental rights, as well as measures,safeguards and mechanisms to mitigate the risk
- Research body: Body or entity of the direct or indirect publicadministration or a nonprofit legal entity of private law, legally organized under the Brazilian law, with headquarter and jurisdiction in Brazil, that includes in its institutional mission or in its corporate or statutory purposes basic or applied research of historic,scientific, technological or statistical nature
- National authority: Body of the indirect public administration responsible for supervising, implementing and monitoring the compliance with the LGPD.
What are the Ten Legal Bases for Lawful Processing of Personal Data Under the LGPD?
The ten legal bases for lawful processing are outlined in Article 7 as:
- With consent of the data subject
- For compliance with a legal or regulatory obligation by the controller
- By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements or similar instruments, subject to Chapter IV of the LGPD
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
- For the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to the Brazilian Arbitration Law
- For the protection of life or physical safety of the data subject or a third party
- To protect health, in a procedure carried out by health professionals or by health entities
- When necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties which require personal data protection prevail
- For the protection of credit
What is the Autoridade Nacional de Proteção de Dados (ANPD)?
The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's new data protection authority.
Its main objective is to set new norms, establish technical standards, supervise and audit, educate, deal with data breach notifications and enforce sanctions.
ANPD will be tied to the office of the presidency and have two bodies:
- Board of Directors: Five members with expertise in data privacy and data protection
- National Council: A 23 member advisory board with representation from government, civil society, research institutions and the private sector
Why is the LGPD Important?
The LGPD is important because it is a privacy law with "extraterritorial application" which means that organizations that process personal data of Brazilians will be bound to comply with the LGPD regardless of where they are owned or operated from just like GDPR or CCPA.
As Brazil has over 138 million internet users, making it the largest Internet market in Latin America and the fourth largest in the world, there is a high chance that your organization will need to comply with the LGPD.
The Brazilian government designed the LGPD to achieve adequacy agreement with the EU to ensure a free flow of data between the two.
Why Was the LGPD Created?
Prior to the LGPD, personal data protection in Brazil was enforced by more than 40 legal norms at a federal level including the Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code.
The issue with this approach was that it created a complex legal framework where rights applied at a sector-based level, meaning different industries had different regulations.
The LGPD is transversal and multi-sectoral application, so it replaces and/or supplements the sectoral regulatory framework by providing a streamlined set of rights to individuals, by applying across public and private sectors and online and offline sources.
This is akin to GDPR in the EU and CCPA in California, which is why many call the LGPD Brazil's GDPR.
While there are many similarities, there are key differences between LGPD and GDPR.
How Does the LGPD Impact Cybersecurity?
The LGPD requires controllers and processors to adopt technical and administrative measures to protect personal data from unauthorized access, accidental or lawful destruction, loss, alteration and exposure.
Note that organizations may be held liable for the actions of third-party vendors, another reason why vendor risk management is becoming more important.
How is the LGPD Similar to GDPR?
In addition to its extraterritorial application, the LGPD and GDPR agree on several basics when it comes to data protection and their definition of personal data are similar.
The LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment, which is one place where it is more expansive than GDPR.
The other similarity is their fundamental rights. The LGPD has nine fundamental rights and GDPR has eight fundamental rights, despite the different count, they are essentially the same rights.
What are the Differences Between the LGPD and GDPR?
Despite similarities and the influence GDPR has had on Brazilian lawmakers, there are key differences between the LGPD and GDPR.
While both acts require organizations to hire a Data Protection Officer (DPO), GDPR outlines when a DPO is require while the LGPD states "The controller shall appoint an officer to be in charge of the processing of data."
This suggests that any organization that processes data about people in Brazil will need to hire a DPO, one of the few places where the LGPD is more stringent than GDPR.
Arguably, the most significant different is between the LGPD and GDPR is what qualifies as a legal basis for processing sensitive data. GDPR outlines six lawful bases for processing and a data controller must choose one of them as justification, while the LGPD lists ten. The LGPD's tenth lawful basis, to protect credit, is a substantial departure from GDPR.
Data breach notification requirements are another part where the two laws differ. While both require that data breaches be reported to the local data protection authority, the level of specificity varies. GDPR is explicit, organizations must report a data breach within 72 hours.
The LGPD does not give a firm deadline, stating that "the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.”
Finally, the maximum fines for infractions under GDPR are far higher than under the LGPD. GDPR violations pay up to €20 million or 4% of annual global revenue, whichever is higher.
The maximum fine under the LGPD is "2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais (~$12.8 million USD)."