Brazil’s General Data Protection Law (LGPD)
In their latest bid for order and progress, Brazil passed the Lei Geral de Proteção de Dados (LGPD), or the General Law for the Protection of Personal Data. The legislation protects Brazilian citizens' personal information and privacy by providing guidelines on how organizations may collect and process that data. (Hint: only with permission.) It standardizes and clarifies over 40 different previous (and sometimes conflicting) statutes that regulated personal data, and applies to both Brazilian and international businesses and organizations.
- Personal Data: Any information that identifies or is specific to an individual, like their name, last name, nickname, ID number, etc.
- Data Holder or Data Subject: The individual the personal data is about.
- Data Processing: Any operation carried out using personal data, like collecting, storing, using, or disclosing information.
- Data Controller: The person responsible for decisions about how personal data is used or processed. They are ultimately liable for their company's fulfillment or failure to meet LGPD standards.
- Consent: Free, informed permission or agreement. In this case, the data holder's permission for their information to be processed for a given purpose.
- Autoridade Nacional de Proteção de Dados (ANPD) or National Data Protection Authority: Branch of the Brazilian federal government tasked with overseeing the regulation, compliance, and enforcement of LGPD.
- Data Protection Officer: The person representing the organization that processes personal data, who is responsible for communication between their business, the ANPD, and data holders. They typically have a background in law or IT.
The LGPD requires Data Controllers to adopt technical and administrative practices that regulate how and why personal data can be processed (electronically or physically), and to protect the personal data they process from unauthorized access, loss, alteration, and/or exposure.
It outlines ten rights of data subjects, which are the foundation for all the processing requirements made of businesses or organizations:
- The right to confirm that their data was processed;
- The right to access their data;
- The right to correct incomplete, inaccurate or out-of-date data;
- The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
- The right to move their data to another service or product provider;
- The right to delete personal data processed with their consent;
- The right to information about public and private third parties with which the controller has shared their data;
- The right to information about what happens if they deny consent;
- The right to revoke their consent;
- The right to data portability, allowing the holder to request a complete copy of their data in a format usable by competitors.
LGPD requires data controllers/organizations to:
- Appoint a Data Protection Officer, whose identity and contact information are public and clearly stated (preferably on the organization's website), to manage requests or complaints from customers;
- Keep a record of the processing operations they carry out;
- Inform, correct, delete, anonymize, or move personal data as the data subject requests;
- Remove data once the relationship ends;
- Put administrative and security measures in place to protect personal data from theft, unauthorized access, accidents, or other issues;
- Report any data breaches to the affected data subjects, local authorities, and the ANPD.
There are ten bases under which companies can legally process personal data. Data can be processed:
- For legitimate, specific, and explicit purposes that the data subject has agreed to;
- To comply with a legal or regulatory obligation;
- To execute public policies based on legal contracts, agreements, or similar;
- To execute a contract at the request of the data subject (like a purchase or transaction);
- For carrying out research, ensuring whenever possible that the personal data is anonymized;
- For the exercise of rights in judicial, administrative, or arbitration procedures;
- For the protection of life or physical safety of the data subject or a third party;
- To protect health, as carried out by health professionals or health entities;
- When necessary to fulfill the legitimate interests of the controller or a third party;
- For the protection of credit.
The Autoridade Nacional de Proteção de Dados (ANPD) or National Data Protection Authority is the to-be-formed branch of the Brazilian federal government tasked with overseeing the regulation, compliance, and enforcement of LGPD. While under the direction of the president, the ANPD does have decision-making powers. It will consist of a 28-member advisory board broken into several groups: the Board of Directors, the National Council, an Internal Affairs Office, and other specialized units for legal and enforcement tasks.
They will be responsible for:
- Providing interpretation and practical guidelines for how to implement LGPD;
- Investigating and auditing reported complaints or breaches and working with the Data Protection Officer on a resolution;
- Issuing sanctions for data processing violations;
- Conducting studies, public debates, and hearings about the protection of personal data.
The law will become effective on January 1, 2021.
LGPD compliance violation sanctions have been postponed until August 1, 2021.
- First and foremost, waiting until the last minute to get compliant could be a costly mistake. Non-compliance could result in fines of up to 2% of a company's revenue in Brazil for the prior fiscal year, to a maximum of 50 million Brazilian reais per infraction (roughly 12.9 million USD or 11.2 million EUR).
- Appoint a Data Protection Officer to monitor data processing and security, and clearly publish their name and contact information on your website.
- Always ask for consent. Be clear and transparent with how and why customer data is being processed, and make it easy to opt-in or out.
- Only store data as long as is needed to process a transaction, and no longer.
- Be sure to document your entire processing pipeline: how are you collecting, storing, using, and sharing personal data? You could be called upon to present that documentation, so better to have it prepared.
- Schedule regular audits. Data leaks are enormously costly in resources and reputation. Being on the lookout will enable you to catch errors or attackers faster, and being proactive always looks better than getting caught.
How is Brazil's LGPD different from the EU's GDPR?
- GDPR applies to natural persons regardless of their residence or nationality; LGPD does not specify.
- Data Protection Officers: LGPD's broad guideline states that any organization that processes the data of Brazilian residents will need a DPO. Conversely, GDPR has specific requirements for when a DPO is needed.
- Legal basis for data processing: In both laws, a data controller must have a legal justification for processing a data subject’s information. While GDPR has six criteria, LGPD has ten.