What is the Brazil General Data Protection Law (LGPD)?

On August 14, 2018, after eight years of debates and drafting, the Brazilian president sanctioned the Brazilian General Data Protection Law (LGPD). Therefore, given the 18 months of vacatio legis, the LGPD will become effective in February 2020.

The LGPD was not sanctioned as a whole. The president vetoed several sections. The main vetoed section concerns the establishment of a new regulatory body, the National Data Protection Authority (ANPD). Similar to the EU Member State Data Protection Authorities, the ANPD was meant to provide complementary norms, guidance and regulatory oversight. Furthermore, the establishment of National Council for the Protection of Personal Data and Privacy (Brazilian equivalent of the EU Data Protection Board) was vetoed from the law as well. The president justified his veto by reference to a formal legal obstacle allowing for establishment of new regulatory bodies only through Executive Power initiative (and not by means of Parliament-approved law).

Finally, the president also vetoed some of the LGPD’s sanctions (citing a risk of them creating legal uncertainty), including the suspension of database/processing operation, and certain provisions dealing with sharing of data between public authorities and their use by the government. While the circumstances of future data protection supervisory authorities remain unclear, it is certain that Brazil finally has an omnibus data protection law.

Read our white paper: Privacy Rights Under the Brazilian LGPD vs. the GDPR Guide

Although it is much leaner than GDPR (approx. 30 pages as compared to the GDPR’s over 80 pages), the LGPD is very reminiscent of the EU regulation, but it also has some interesting national specifics.

[Related: The new Brazilian General Data Protection Law—A detailed analysis]

Key elements of the Bill include:

The Brazilian legislation drew inspiration from the GDPR also when detailing the administrative sanctions. Non-compliance with the requirements of the LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R $ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.