What is the Brazil General Data Protection Law (LGPD)?
On August 14, 2018, after eight years of debates and drafting, the Brazilian president sanctioned the Brazilian General Data Protection Law (LGPD). Therefore, given the 18 months of vacatio legis, the LGPD will become effective in February 2020.
The LGPD was not sanctioned as a whole; the president vetoed several sections. The main vetoed section concerns the establishment of a new regulatory body, the National Data Protection Authority (ANPD). Similar to the EU Member State Data Protection Authorities, the ANPD was meant to provide complementary norms, guidance and regulatory oversight. Furthermore, the establishment of the National Council for the Protection of Personal Data and Privacy (the Brazilian equivalent of the European Data Protection Board) was vetoed from the law as well. The president justified his veto by reference to a formal legal obstacle that allows new regulatory bodies to be established only through an initiative of the Executive Power (and not by means of a law approved by Parliament).
Finally, the president also vetoed some of the LGPD’s sanctions (citing a risk of their creating legal uncertainty), including the suspension of database/processing operations, as well as certain provisions dealing with the sharing of data between public authorities and its use by the government. While the circumstances of the future data protection supervisory authorities remain unclear, it is certain that Brazil finally has an omnibus data protection law.
Although it is much leaner than the GDPR (approx. 30 pages compared to the GDPR’s more than 80 pages), the LGPD is very reminiscent of the EU regulation, while also having some interesting national specifics.
Key elements of the Bill include:
- Cross-Border Jurisdiction. Similar to the GDPR, the Bill applies not only to organizations headquartered in Brazil and to companies processing personal data in Brazil, but also to cross-border processing of the personal data of Brazilian residents.
- Familiar privacy principles and risk-based approach. The new legislation’s clear inspiration by the GDPR is apparent when it states its core principles for data processing, including lawfulness, fairness, accountability, non-discrimination, purpose limitation and transparency on the use of personal data. It also sets forth the need for data minimization, accuracy, storage limitation, and security including integrity and confidentiality, all of them principles already familiar to readers of the GDPR.
- New rights for individuals. The LGPD introduces new rights for Brazilian residents, including the right to data portability (much discussed in the EU context), along with the right to erasure and a right of access to personal data, which in the Brazilian context imposes shorter deadlines on controllers for complying with data subject requests (15 days instead of the 30 days imposed by the GDPR).
- More legal bases for processing of personal data. The Brazilian Bill introduces a total of 10 legal bases enabling controllers to lawfully process individuals’ personal data. In comparison, the GDPR offers only 6 legal bases. Among the Brazil-specific bases are, for example, the protection of credit and the protection of health in procedures carried out by medical institutions. Most of the additional legal bases would fall under the GDPR’s legitimate-interests basis.
- Data-mapping and DPIAs. For organizations that have already undergone the data-mapping and DPIA-drafting exercise, these newly imposed LGPD requirements will not be overly burdensome. For the rest, the rules seem fairly similar to the GDPR requirements: both the controller and the processor are obliged to maintain data processing records and to conduct a privacy impact analysis for processing activities that may pose a higher risk to individuals’ personal data.
- Mandatory breach notification and DPO. Data controllers will be newly obliged to notify personal data breaches to the National Data Protection Authority and to the affected individuals. Furthermore, controllers will now have to appoint a data protection officer, whose responsibilities entail oversight of the organization’s data processing activities and facilitation of data subject requests, the similarities with the GDPR’s DPO role being apparent. The notable difference is that, so far, the obligation to appoint a DPO falls on all data controllers: the LGPD does not provide any exceptions for small businesses or small-scale processing. It is expected, however, that the Data Protection Authority (once appointed) may lay down certain exceptions to this very wide-reaching and potentially onerous obligation.
- International Data Transfers. The new Bill imposes restrictions on the cross-border transfer of personal data. Such transfers are allowed (i) to countries deemed by the data protection authority to provide an adequate level of data protection, or (ii) where effectuated using standard contractual clauses or other mechanisms approved by the data protection authority.
The Brazilian legislation also drew inspiration from the GDPR when detailing the administrative sanctions. Non-compliance with the requirements of the LGPD could result in fines amounting to 2% of gross sales (of the company or group of companies) up to a maximum of R$ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.