LGPD – What You Need to Know About Brazil’s New Data Protection Law
The Brazilian privacy law, LGPD, is in force, but its administrative sanctions only become enforceable on Aug. 1, 2021. As of today, no specific regulations have been issued and no national data protection authority is operating, so much of the detail of what will ultimately be the implementing rules is still unknown. LGPD maps closely to GDPR, with a few notable exceptions as of today:
- GDPR gives specific guidance on when a DPO is required; LGPD only states the need for one.
- LGPD has 10 legal bases for processing vs. GDPR which has six.
- Fines for violations under LGPD are less severe than GDPR.
- GDPR requires data breach notification within 72 hours, LGPD only states that it needs to happen in a reasonable timeframe.
On August 15, 2018 Brazil enacted the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados in Portuguese), commonly referred to as LGPD. LGPD closely follows the constructs of the European General Data Protection Regulation (GDPR) on the rules for collecting, handling, storing and sharing of personal data. The new law brings a more comprehensive approach to the existing Brazilian data privacy regulations under the Brazilian Internet Act.
The effective date has moved several times. The LGPD was scheduled to come into force on August 16, 2020, and was then provisionally postponed to May 2021. On August 18, 2020, the date was changed to December 31, 2020. Then on August 19, in an unexpected move, the Brazilian Senate approved an amendment allowing the law to go into effect immediately, reversing the prior day's vote on the December 31 implementation date. Enforcement of the LGPD's administrative sanctions, however, does not begin until Aug. 1, 2021. If all this sounds confusing or unconventional to you, you're not alone.
The Brazilian government is aware that the law cannot be fully complied with today, because no specific regulations have been issued and no national authority is in place. Clarification on international transfers, data protection officers, data subject requests, and other important compliance topics is still awaiting further definition.
Who Does LGPD Apply to?
LGPD applies to any processing of personal data that is carried out in Brazil, that aims to offer goods or services to individuals located in Brazil, or that involves data collected in Brazil, regardless of where the processing organization is headquartered. There are a few exemptions, covering processing of personal data that is:
- Carried out by a person exclusively for private and non-economic purpose
- Performed for journalistic, artistic or academic purposes
- Carried out for purposes of public safety, national security and defense or activities of investigation and prosecution of criminal offenses
Violations of the new law are subject to warnings, fines, embargoes, suspensions and partial or total bans on the offending processing activities. Fines can reach up to 2% of the organization's revenue in Brazil, capped at R$50 million (roughly $10 million at the time of writing) per violation.
GDPR vs. LGPD
If you are GDPR compliant today, you are probably in good shape for LGPD compliance. There are, however, a few similarities and differences worth noting.
- Definition of Personal Data: The LGPD does not have a single, tightly drawn definition of personal data. It states that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified, as written the LGPD takes a broader view than GDPR of what data qualifies as personal data.
- Data Subject Rights: LGPD will look familiar to anyone who knows GDPR. It grants data subjects nine fundamental rights:
- The right to confirmation of the existence of the processing
- The right to access the data
- The right to correct incomplete, inaccurate or out-of-date data
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
- The right to the portability of data to another service or product provider
- The right to delete personal data processed with the consent of the data subject
- The right to information about public and private entities with which the controller has shared data
- The right to information about the possibility of denying consent and the consequences of such denial
- The right to revoke consent
These align with GDPR's eight fundamental rights. LGPD splits "the right to information about public and private entities with which the controller has shared data" out of the GDPR's more general "right to be informed" to make it more explicit.
- Data Protection Officers: Both laws require businesses and organizations to appoint a DPO. The GDPR outlines when a DPO is required. The LGPD simply says, "The controller shall appoint an officer to be in charge of the processing of data," suggesting that any organization that processes the data of people in Brazil will need to appoint a DPO. This is another area that will likely receive further clarification, but as written, it is one of the few areas where the LGPD is more stringent than the GDPR.
- Legal Basis for Processing Data: The most significant difference between the LGPD and the GDPR is what qualifies as a legal basis for processing data. GDPR has six lawful bases for processing, and a data controller must choose one of them as the justification for using a data subject's information. The LGPD lists 10:
- With the consent of the data subject
- To comply with a legal or regulatory obligation of the controller
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject
- To exercise rights in judicial, administrative or arbitration procedures
- To protect the life or physical safety of the data subject or a third party
- To protect health, in a procedure carried out by health professionals or by health entities
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail
- To protect credit (in the sense of credit scoring). Having the protection of credit as a legal basis for processing is indeed a substantial departure from the GDPR.
- Reporting Data Breaches: Both GDPR and the LGPD require organizations to report data breaches to the data protection authority, but the level of specificity varies widely between the two laws. GDPR explicitly states that an organization must report a data breach within 72 hours of becoming aware of it.
LGPD does not give any firm deadline. It merely states that "the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects…in a reasonable time period, as defined by the national authority." Since the national data protection authority has not yet been established, there is no guidance on what constitutes a "reasonable time period." Until that guidance exists, the safest operating assumption for an incident response plan is the GDPR's 72-hour window.
- Fines: The maximum GDPR fines are substantial: organizations that commit grave GDPR violations can be required to pay up to €20 million ($24 million) or 4% of annual global revenue, whichever is higher. The fines under the LGPD are much less severe. The maximum fine for a violation is 2% of a private legal entity's, group's, or conglomerate's revenue in Brazil for the prior fiscal year, excluding taxes, up to a total maximum of R$50 million per violation (roughly €11 million, or $13 million, depending on the exchange rate).
While much is still undefined about the implementation of the Brazilian privacy law, its alignment with GDPR makes it familiar. We will publish updates on how to comply with the law based on the guidance we receive from the National Data Protection Authority (ANPD) as it becomes available.